
wireguard-install's Introduction

wireguard-install

This repository is no longer maintained due to lack of time. Use some other scripts instead.

WireGuard road warrior installer for Ubuntu 18.04 LTS, Debian 9 and CentOS 7.

This script will let you set up your own VPN server in no more than a minute, even if you haven't used WireGuard before. It has been designed to be as unobtrusive and universal as possible.

Usage

Run the script and follow the assistant:

wget https://raw.githubusercontent.com/l-n-s/wireguard-install/master/wireguard-install.sh -O wireguard-install.sh
bash wireguard-install.sh

Once it ends, you can run it again to add more users. Reboot your server to apply all settings.

Options

The script can be configured by setting the following environment variables:

  • INTERACTIVE - if set to "no", the script will not prompt for user input
  • PRIVATE_SUBNET - private subnet configuration, "10.9.0.0/24" by default
  • SERVER_HOST - public IP address, detected by default
  • SERVER_PORT - listening port, picked at random by default
  • CLIENT_DNS - comma-separated DNS servers to use by the client

Setting up clients

Ubuntu PC

Install WireGuard and reboot your computer:

sudo add-apt-repository ppa:wireguard/wireguard -y && sudo apt update && sudo apt install wireguard resolvconf -y
sudo reboot

Copy the file /root/client-wg0.conf from the remote server to /etc/wireguard/wg0.conf on your local PC and run sudo systemctl start wg-quick@wg0.service

To show VPN status, run sudo wg show.

Credits

Inspired by Nyr's openvpn-install.

wireguard-install's People

Contributors

captainwasabi, hirbodbehnam, l-n-s, malikshi, ni-skopp, shyamjos


wireguard-install's Issues

errors and dropped packets

Why am I getting errors and dropped packets?

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.9.0.1  netmask 255.255.255.0  destination 10.9.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 539  bytes 97208 (97.2 KB)
        RX errors 9  dropped 84  overruns 0  frame 9
        TX packets 564  bytes 258916 (258.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Enhancement

Would it be possible to have a selection option with:

  1. New installation (override all existing data)
  2. Check version (Installed version is the same as on the server) with update function if different
  3. Add new client
  4. Regenerate QR code for existing configuration
  5. ...

Thanks

Can not edit config to run on port 53? (function get_free_udp_port)

I edited the portion of the code to give me 53 for a random lookup so my final config has port 53 in it:

function get_free_udp_port {
    local port=$(shuf -i 053-053 -n 1)
    ss -lau | grep $port > /dev/null
    if [[ $? == 1 ]] ; then
        echo "$port"

also tried

function get_free_udp_port {
    local port=$(shuf -i 053-053 -n 1)
    ss -lau | grep $port > /dev/null
    if [[ $? == 1 ]] ; then
        echo "53"

And none of this works. In the end, I end up with this:

Try `iptables -h' or 'iptables --help' for more information.
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.
Job for wg-quick@wg0.service failed because the control process exited with error code.
See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.
Client config --> /root/client-wg0.conf
Now reboot the server and enjoy your fresh VPN installation! :^)

Can someone help so I can install wireguard to Port 53? Seems like if I replace it with a 3 digit number, it works (053 doesn't work I tried)
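The function quoted in this issue decides whether a port is free with `ss -lau | grep $port`, which matches the digits anywhere in the output rather than the port column. The following added example (not code from wireguard-install; the function names and the sample `ss` output are constructed for illustration) compares that substring test with an exact match on the Local Address:Port column and normalises a requested value such as 053.

```shell
#!/bin/sh
# Added example, not code from wireguard-install.
# Constructed sample of `ss -H -lun` output: -H drops the header and -n keeps
# ports numeric (without -n, ss prints service names such as "domain").
SAMPLE_SS='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:35353 0.0.0.0:*
UNCONN 0 0 [::]:5353 [::]:*'

# Substring test in the style of `ss -lau | grep $port`: reads ss output on
# stdin and reports "in use" (status 0) if the digits appear anywhere.
port_in_use_substring() {
    grep -- "$1" >/dev/null
}

# Exact test: take the Local Address:Port column (second-to-last field),
# strip everything up to the last ':' and compare the port numerically.
port_in_use_exact() {
    awk -v want="$1" '
        NF >= 2 {
            p = $(NF - 1)
            sub(/.*:/, "", p)
            if (p ~ /^[0-9]+$/ && p + 0 == want + 0) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Accept digits only, strip leading zeros (053 -> 53), require 1-65535.
normalize_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    n=$(printf '%s' "$1" | sed 's/^0*//')
    [ -n "$n" ] && [ "${#n}" -le 5 ] && [ "$n" -le 65535 ] || return 1
    printf '%s\n' "$n"
}

# check_listen_port PORT SS_OUTPUT: prints "invalid", "busy" or "free <port>".
check_listen_port() {
    port=$(normalize_port "$1") || { echo "invalid"; return 2; }
    if printf '%s\n' "$2" | port_in_use_exact "$port"; then
        echo "busy"
        return 1
    fi
    echo "free $port"
}

# On a live host, pass "$(ss -H -lun)" as the second argument instead.
check_listen_port 053 "$SAMPLE_SS" || true   # busy: a resolver holds UDP 53
check_listen_port 535 "$SAMPLE_SS" || true   # free 535: grep would match 35353
```

A port reported as busy has to be released by its current listener before WireGuard can bind it; changing the number in the script does not do that.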

Remove all clients

Hello,

How do I remove all clients, without uninstalling the script so that I can just add more again?

If I have to do it by manually deleting files from a folder or editing a file, that's fine just LMK.

I will make a script that does it.

Best,
Nick

Cannot install if Private IP is enabled

For example, I tried on GCP. It shows an error.

root@gcp:~# wget https://raw.githubusercontent.com/l-n-s/wireguard-install/master/wireguard-install.sh -O wireguard-install.sh
--2019-11-11 08:17:41--  https://raw.githubusercontent.com/l-n-s/wireguard-install/master/wireguard-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.192.133, 151.101.128.133, 151.101.64.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.192.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7427 (7.3K) [text/plain]
Saving to: ‘wireguard-install.sh’

wireguard-install.sh         100%[=============================================>]   7.25K  --.-KB/s    in 0s      

2019-11-11 08:17:42 (53.9 MB/s) - ‘wireguard-install.sh’ saved [7427/7427]

root@gcp:~# bash wireguard-install.sh
Servers public IP address is 10.XXX.0.6. Is that correct? [y/n]: n
Aborted. Use environment variable SERVER_HOST to set the correct public IP address
root@gcp:~# 

DNS-Server

The client didn't have a DNS server set. IMO the script should ask on first setup which DNS server to use and put it in DNS = in the client configs.

RTNETLINK answers: Operation not supported

Hey,

I can't fix this error.

modprobe: FATAL: Module wireguard not found in directory /lib/modules/4.9.0-6-amd64

4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux

Updated kernel and headers.

modprobe: FATAL: Module wireguard not found in directory /lib/modules/4.9.0-11-amd64
linux-headers-4.9.0-11-amd64 is already the newest version (4.9.189-3).

Any idea?

Thanks!

Not found WG0

root@perosnal-wireguard-compute:/home# nano /root/client-wg0.conf
root@perosnal-wireguard-compute:/home#     systemctl enable wg-quick@wg0.service
root@perosnal-wireguard-compute:/home#     systemctl start wg-quick@wg0.service
Job for wg-quick@wg0.service failed because the control process exited with error code.
See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.
root@perosnal-wireguard-compute:/home# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/lib/systemd/system/wg-quick@.service; indirect; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2019-01-27 23:24:16 UTC; 9s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
           https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
  Process: 1453 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
 Main PID: 1453 (code=exited, status=1/FAILURE)

Jan 27 23:24:16 perosnal-wireguard-compute systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Jan 27 23:24:16 perosnal-wireguard-compute wg-quick[1453]: [#] ip link add wg0 type wireguard
Jan 27 23:24:16 perosnal-wireguard-compute wg-quick[1453]: RTNETLINK answers: Operation not supported
Jan 27 23:24:16 perosnal-wireguard-compute wg-quick[1453]: Unable to access interface: Protocol not supported
Jan 27 23:24:16 perosnal-wireguard-compute wg-quick[1453]: [#] ip link delete dev wg0
Jan 27 23:24:16 perosnal-wireguard-compute wg-quick[1453]: Cannot find device "wg0"
Jan 27 23:24:16 perosnal-wireguard-compute systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
Jan 27 23:24:16 perosnal-wireguard-compute systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Jan 27 23:24:16 perosnal-wireguard-compute systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
root@perosnal-wireguard-compute:/home# 

Let me save y'all some time, install these dependencies before installing WireGuard

If you try to run this script on a vanilla Debian or Ubuntu machine, you'll get errors that wg service is not found. Just run the following before you run the script and you will not face any issues running later:

sudo apt-get install libmnl-dev libelf-dev linux-headers-$(uname -r) build-essential pkg-config lsb-release iptables -y

Removing Clients - IP Not Reused

First off, great script and thanks so much for putting this together.

Can you remove clients with the script? When I manually remove a client with "wg set wg0 peer 'pubkey' remove" I notice that the script does not realize I have removed the client. The IP does not get reused. Whatever client I add next gets an incremental IP, but only if available.

CentOS seems not to work

I tried to install it on two KVM machines with CentOS 7. Both installations ran through, but it didn't work. Can you check?

Possible copyright violation

This commit contains a lightly modified version of your script with your name removed. Since this repository is MIT licensed, that could be a copyright violation. The link to this repo has also been removed in a later commit.

May 08 10:54:22 wireguard wg-quick[5821]: RTNETLINK answers: Operation not supported

Hi,

I have used your install script but I get an error (VM on a Xen server):

net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.
Job for wg-quick@wg0.service failed because the control process exited with error code.
See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.
Client config --> /root/client-wg0.conf
Now reboot the server and enjoy your fresh VPN installation! :^)
root@wireguard:~# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-05-08 10:54:22 CDT; 1min 57s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
           https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
  Process: 5821 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
 Main PID: 5821 (code=exited, status=1/FAILURE)

May 08 10:54:22 wireguard systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
May 08 10:54:22 wireguard wg-quick[5821]: [#] ip link add wg0 type wireguard
May 08 10:54:22 wireguard wg-quick[5821]: RTNETLINK answers: Operation not supported
May 08 10:54:22 wireguard wg-quick[5821]: Unable to access interface: Protocol not supported
May 08 10:54:22 wireguard wg-quick[5821]: [#] ip link delete dev wg0
May 08 10:54:22 wireguard wg-quick[5821]: Cannot find device "wg0"
May 08 10:54:22 wireguard systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
May 08 10:54:22 wireguard systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
May 08 10:54:22 wireguard systemd[1]: wg-quick@wg0.service: Unit entered failed state.
May 08 10:54:22 wireguard systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.

lsb release : command not found

Hello,

I have tried to reinstall with your script on Debian 9, but it doesn't work. At the top: lsb release, command not found.

I'm on Debian. I will adjust the script with DISTRO="Debian".

If my IP is banned by the GFW, can WireGuard still work?

Hello, I'm a guy from China.
Previously I was using v2ray, but that made my IP dead.
The internet says that WireGuard can save a banned IP.
I'm sure my IP is already dead in China.
Not only is SSH blocked, I also cannot open my blog without a VPN like Lantern.
In fact, I have set up WireGuard as taught by the documentation, but I can't use it. I'm not sure if I made some mistake in it!
I really want to know: if my IP is banned by the Great Firewall, can I set up WireGuard and use it?
I'm sorry for my poor English.
Guys, my IP has been walled off; can this still save it?
I set one up following Doubi's documentation but it didn't work, boo-hoo. The machine is already blocked, and I'm using SSH over Lantern.

Not working after reboot [Centos 7 x64]

Hi,

I'm using a Leaseweb VPS (KVM) running CentOS 7. I reinstalled CentOS 7 (a completely fresh OS) and then installed WireGuard, and I didn't reboot the VPS, so everything worked as expected.
But after rebooting the VPS, WireGuard connects but no data is received, nothing!!

Also there is no firewall set manually by me and I'm sure that leaseweb firewall is off.

What should I do?

was getting the wrong host ip

On my Ubuntu 16 server install the line:

SERVER_HOST=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' | grep -oE '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' | head -1)

was producing my server's lan IP and I was unable to connect to websites on iOS

Changing that line to:

SERVER_HOST="$(dig +short myip.opendns.com @resolver1.opendns.com)"

found my WAN IP and I was able to connect

I didn't do a pull request because I don't know if that would break other distros
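Both this issue and the earlier GCP report ("Cannot install if Private IP is enabled") come from taking the first non-loopback address on an interface as the public endpoint. The following added example (not code from wireguard-install; the function names and the sample `ip` output are constructed for illustration) rejects loopback, RFC 1918, link-local and carrier-grade NAT addresses and falls back to the SERVER_HOST variable the README documents.

```shell
#!/bin/sh
# Added example, not code from wireguard-install.
# Constructed samples of `ip -4 -o addr show` output. 203.0.113.10 is a
# documentation address standing in for a real public one.
SAMPLE_NAT='1: lo    inet 127.0.0.1/8 scope host lo
2: ens4    inet 10.128.0.6/32 scope global dynamic ens4'
SAMPLE_DUAL='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth1'

# Status 0 when ADDR cannot serve as an Internet-facing endpoint: malformed,
# loopback, RFC 1918, link-local (169.254/16) or carrier-grade NAT (100.64/10).
is_private_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 0 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 0
    for o in "$@"; do
        [ -n "$o" ] && [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 0
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 127 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    [ "$1" -eq 169 ] && [ "$2" -eq 254 ] && return 0
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 0
    return 1
}

# Reads `ip -4 -o addr show` output on stdin and prints the first address
# that is_private_ipv4 does not reject; status 1 if there is none.
first_public_ipv4() {
    while read -r _idx _ifname family cidr _rest; do
        [ "$family" = "inet" ] || continue
        addr=${cidr%%/*}
        if ! is_private_ipv4 "$addr"; then
            printf '%s\n' "$addr"
            return 0
        fi
    done
    return 1
}

# An explicit SERVER_HOST wins; otherwise only a public interface address is
# accepted, and a NATed host fails instead of writing a LAN address into
# the client config.
resolve_server_host() {
    if [ -n "${SERVER_HOST:-}" ]; then
        printf '%s\n' "$SERVER_HOST"
        return 0
    fi
    first_public_ipv4 || {
        echo "no public IPv4 on any interface; set SERVER_HOST" >&2
        return 1
    }
}

# On a live host: ip -4 -o addr show | resolve_server_host
printf '%s\n' "$SAMPLE_DUAL" | resolve_server_host
printf '%s\n' "$SAMPLE_NAT" | resolve_server_host || true
```

On a host behind 1:1 NAT the public address never appears on an interface, so it has to be supplied through SERVER_HOST or looked up externally, as the `dig` line in this issue does.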

Linux-headers failed to install on old debian distributions

# apt install linux-headers-$(uname -r) 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Unable to locate package linux-headers-4.9.0-6-amd64
E: Couldn't find any package by glob 'linux-headers-4.9.0-6-amd64'
E: Couldn't find any package by regex 'linux-headers-4.9.0-6-amd64'
# lsb_release -a | grep Desc
No LSB modules are available.
Description:	Debian GNU/Linux 9.4 (stretch)

You need to update the kernel first before installing headers

uninstall

Would you please advise me how I could uninstall on Debian 9?

Clients lose connection

It works perfect out of the box, but when the client has been connected for some seconds it appears to lose connection and then connects again.

Is some configuration needed in the server to fix this?

Adding TCP

https://tunsafe.com/user-guide/tcp

A little bit of code to add to the script..

	echo ""
	echo "What port do you want WireGuard to listen to?"
	echo "   1) Default: 51820"
	echo "   2) Custom"
	echo "   3) Random [1-65535]"
	until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
		read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
	done
	case $PORT_CHOICE in
		1)
			PORT="51820"
		;;
		2)
			until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
				read -rp "Custom port [1-65535]: " -e -i 51820 PORT
			done
		;;
		3)
			# Generate a random port in the 1-65535 range offered by the menu
			PORT=$(shuf -i1-65535 -n1)
			echo "Random Port: $PORT"
		;;
	esac
	echo ""
	echo "What protocol do you want WireGuard to use?"
	echo "UDP is faster. Unless it is not available, you shouldn't use TCP."
	echo "   1) UDP"
	echo "   2) TCP"
	until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do
		read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
	done
	case $PROTOCOL_CHOICE in
		1)
			PROTOCOL="udp"
		;;
		2)
			PROTOCOL="tcp"
		;;
	esac

Access local LAN resources?

Is there a way to configure this script to allow access to local LAN addresses (RFC 1918)? e.g. 192.168.x.x?

Not sure if that is the scope of this script or not. It seems to be able to forward Internet traffic fine, but not able to access anything on my LAN.

I am trying to use my local router's DNS server, so I can resolve local host names, and be able to access devices on my network.

OpenVZ is not supported. Script needs to detect it.

Hi,

I used your script on a VPS with CentOS 7. The installation runs smooth. I also can connect from the Wireguard iOS App. But I can't connect to any webpage. By manually starting up Wireguard I run into the following problem:

[root@GuBo ~]# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0

Can you help?
Thanks

wireguard-install.sh: line 183: -4: substring expression < 0

When I run bash wireguard-install.sh, it shows:

Tell me a name for the client config file. Use one word only, no special characters.
Client name: client
wireguard-install.sh: line 183: -4: substring expression < 0

Then it exits.

VPS: Vultr, CentOS 7 x64

iptable rules should not append to the end

Maybe this is just my server configuration, but the last rule on my iptables list is reject, so when you append to the end it gets rejected before it sees this rule. I don't see why you can't just insert it into position 1. Should be an easy enough change. Any feedback on that thought?

Not working on DietPi

Tell me a name for the client config file. Use one word only, no special characters. (No Spaces)

Client Name: dfsf
/etc/unbound/root.hints: No such file or directory
224
Failed to enable unit: File unbound.service: No such file or directory
Failed to restart unbound.service: Unit unbound.service not found.
wireguard-server.sh: line 588: wg: command not found
wireguard-server.sh: line 589: wg: command not found
wireguard-server.sh: line 590: wg: command not found
wireguard-server.sh: line 591: wg: command not found
wireguard-server.sh: line 594: wg: command not found
wireguard-server.sh: line 627: qrencode: command not found
Client Config --> /etc/wireguard/clients/dfsf-wg0.conf
224
Failed to enable unit: File [email protected]: No such file or directory
Failed to restart [email protected]: Unit [email protected] not found.
wireguard-server.sh: line 641: ntpdate: command not found

UFW

After installing UFW, I encounter a problem

root@debian:~# sudo ufw disable && sudo ufw enable
Firewall stopped and disabled on system startup
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
ip6tables-restore: line 2 failed

I want to block ICMP traffic

add to /etc/ufw/before.rules

-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

or

#-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Error message during setup

Tried to install WG with the script. After I enter the name of the client, I get this error message:

wireguard-install.sh: Zeile 170: -4: Teilstring-Ausdruck < 0

This happens regardless what I enter as the client name.
Server is a Linux box with Debian 9.

Is there anything I can do here?

Include ipv6 (when enabled) in the "add peer" script

Hi.
First of all, amazing script. Thank you.

I've manually configured my server with a /64 subnet routed and it's working. but each time that I create a new peer [by relaunching your script] it only adds the peer's assigned ipv4 to the wg0.conf, is it possible to assign an ipv6 each time as well?

I know that it may not be useful for "everyone" so if you could just tell me how to manually edit your script to make it work it'd be really appreciated.

Centos 8 support

Hello,

Any plan for updating wireguard script to support Centos 8?

Thank you

ipv6 server side config

Hi,

Since I noticed your commit for the ipv6 client side change earlier today. Can you have it handle the server side ipv6 config as well, so we can run it once on a server and it pulls in the local ipv4/ipv6 addresses and will connect on either... as well as setting up a private ipv6 network?

Might also be worth adding a bit of randomization for the ipv6 subnet vs hard coding one, as this site does: https://simpledns.com/private-ipv6

Thanks!
