#!/bin/bash # ============================================================================= # Wireguard VPS Proxy Setup # ============================================================================= # # This script automates the setup of a WireGuard VPN server on a remote VPS # for StartOS Clearnet functionality. It handles: # # 1. SSH key-based authentication setup # 2. Root access configuration (if needed) # 3. WireGuard server installation # 4. Configuration file generation and import # # Usage: # wireguard-vps-proxy-setup [-h] [-i IP] [-u USERNAME] [-p PORT] [-k SSH_KEY] # # Options: # -h Show help message # -i VPS IP address # -u SSH username (default: root) # -p SSH port (default: 22) # -k Path to custom SSH private key # # Example: # wireguard-vps-proxy-setup -i 110.18.1.1 -u debian # # Note: This script requires root privileges and will auto-elevate if needed. # ============================================================================= # Colors for better output RED='\033[0;31m' GREEN='\033[0;32m' BLUE='\033[1;34m' YELLOW='\033[1;33m' NC='\033[0;37m' # No Color # --- Constants --- readonly WIREGUARD_INSTALL_URL="https://raw.githubusercontent.com/start9labs/wireguard-vps-proxy-setup/master/wireguard-install.sh" readonly SSH_KEY_DIR="/home/start9/.ssh" readonly SSH_KEY_NAME="id_ed25519" readonly SSH_PRIVATE_KEY="$SSH_KEY_DIR/$SSH_KEY_NAME" readonly SSH_PUBLIC_KEY="$SSH_PRIVATE_KEY.pub" # Store original arguments SCRIPT_ARGS=("$@") # --- Functions --- # Function to ensure script runs with root privileges by auto-elevating if needed check_root() { if [[ "$EUID" -ne 0 ]]; then exec sudo "$0" "${SCRIPT_ARGS[@]}" fi sudo chown -R start9:startos "$SSH_KEY_DIR" } # Function to print banner print_banner() { echo -e "${BLUE}" echo "================================================" echo -e " ${NC}Wireguard VPS Proxy Setup${BLUE} " echo "================================================" echo -e "${NC}" } # Function to print usage print_usage() { echo -e "Usage: $0 [-h] [-i IP] [-u USERNAME] [-p PORT] [-k SSH_KEY]" echo "Options:" echo " -h Show this help message" echo " -i VPS IP address" echo " -u SSH username (default: root)" echo " -p SSH port (default: 22)" echo " -k Path to the custom SSH private key (optional)" echo " If no key is provided, the default key '$SSH_PRIVATE_KEY' will be used." } # Function to display end message display_end_message() { echo -e "\n${BLUE}------------------------------------------------------------------${NC}" echo -e "${GREEN}Wireguard VPS Proxy server setup complete!${NC}" echo -e "${BLUE}------------------------------------------------------------------${NC}" echo -e "\n${GREEN}Clearnet functionality has been enabled via VPS (${VPS_IP})${NC}" echo -e "\n${YELLOW}Next steps:${NC}" echo -e "Visit https://docs.start9.com to complete the Clearnet setup" echo -e "\n${BLUE}------------------------------------------------------------------${NC}" } # Function to validate IP address validate_ip() { local ip=$1 # IPv4 validation if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then # Additional IPv4 validation to ensure each octet is <= 255 local IFS='.' read -ra ADDR <<< "$ip" for i in "${ADDR[@]}"; do if [ "$i" -gt 255 ]; then return 1 fi done return 0 # IPv6 validation elif [[ $ip =~ ^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){6}:[0-9a-fA-F]{1,4}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){5}(:[0-9a-fA-F]{1,4}){1,2}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){4}(:[0-9a-fA-F]{1,4}){1,3}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){3}(:[0-9a-fA-F]{1,4}){1,4}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){2}(:[0-9a-fA-F]{1,4}){1,5}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1}(:[0-9a-fA-F]{1,4}){1,6}$ ]] || \ [[ $ip =~ ^::([0-9a-fA-F]{1,4}:){0,6}[0-9a-fA-F]{1,4}$ ]] || \ [[ $ip =~ ^[0-9a-fA-F]{1,4}::([0-9a-fA-F]{1,4}:){0,5}[0-9a-fA-F]{1,4}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,4}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,3}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,2}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,1}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,7}:$ ]] || \ [[ $ip =~ ^::([0-9a-fA-F]{1,4}:){0,7}[0-9a-fA-F]{1,4}$ ]] || \ [[ $ip =~ ^[0-9a-fA-F]{1,4}::([0-9a-fA-F]{1,4}:){0,6}[0-9a-fA-F]{1,4}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,6}(:[0-9a-fA-F]{1,4}){1,1}$ ]] || \ [[ $ip =~ ^([0-9a-fA-F]{1,4}:){1,7}:$ ]] || \ [[ $ip =~ ^::$ ]]; then return 0 else return 1 fi } # Function for configuring SSH key authentication on remote server configure_ssh_key_auth() { echo -e "${BLUE}Configuring SSH key authentication on remote server...${NC}" ssh -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" "$SSH_USER@$VPS_IP" ' # Check if PubkeyAuthentication is commented out if grep -q "^#PubkeyAuthentication" /etc/ssh/sshd_config; then sed -i "s/^#PubkeyAuthentication.*/PubkeyAuthentication yes/" /etc/ssh/sshd_config # Check if PubkeyAuthentication exists but is not enabled elif grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config; then sed -i "s/^PubkeyAuthentication.*/PubkeyAuthentication yes/" /etc/ssh/sshd_config # Add PubkeyAuthentication if it doesnt exist else echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config fi # Enable root login if grep -q "^#PermitRootLogin" /etc/ssh/sshd_config; then sed -i "s/^#PermitRootLogin.*/PermitRootLogin yes/" /etc/ssh/sshd_config elif grep -q "^PermitRootLogin" /etc/ssh/sshd_config; then sed -i "s/^PermitRootLogin.*/PermitRootLogin yes/" /etc/ssh/sshd_config else echo "PermitRootLogin yes" >> /etc/ssh/sshd_config fi # Configure AuthorizedKeysFile if needed if grep -q "^#AuthorizedKeysFile" /etc/ssh/sshd_config; then sed -i "s/^#AuthorizedKeysFile.*/AuthorizedKeysFile .ssh\/authorized_keys .ssh\/authorized_keys2/" /etc/ssh/sshd_config elif ! grep -q "^AuthorizedKeysFile" /etc/ssh/sshd_config; then echo "AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2" >> /etc/ssh/sshd_config fi # Reload SSH service systemctl reload sshd ' } # Function to handle StartOS connection (download only) handle_startos_connection() { echo -e "${BLUE}Fetching the WireGuard configuration file...${NC}" # Fetch the client configuration file config_file=$(ssh -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" "$SSH_USER@$VPS_IP" 'ls -t ~/*.conf 2>/dev/null | head -n 1') if [ -z "$config_file" ]; then echo -e "${RED}Error: No WireGuard configuration file found on the remote server.${NC}" return 1 # Exit with error fi CONFIG_NAME=$(basename "$config_file") # Download the configuration file if ! scp -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -P "$SSH_PORT" "$SSH_USER@$VPS_IP":~/"$CONFIG_NAME" ./; then echo -e "${RED}Error: Failed to download the WireGuard configuration file.${NC}" return 1 # Exit with error fi echo -e "${GREEN}WireGuard configuration file '$CONFIG_NAME' downloaded successfully.${NC}" return 0 } # Function to import WireGuard configuration import_wireguard_config() { local config_name="$1" if [ -z "$config_name" ]; then echo -e "${RED}Error: Configuration file name is missing.${NC}" return 1 fi local connection_name=$(basename "$config_name" .conf) #Extract base name without extension # Check if the connection with same name already exists if nmcli connection show --active | grep -q "^${connection_name}\s"; then read -r -p "A connection with the name '$connection_name' already exists. Do you want to override it? (y/N): " answer if [[ "$answer" =~ ^[Yy]$ ]]; then nmcli connection delete "$connection_name" if [ $? -ne 0 ]; then echo -e "${RED}Error: Failed to delete existing connection '$connection_name'.${NC}" return 1 fi # Import if user chose to override or if connection did not exist if ! nmcli connection import type wireguard file "$config_name"; then echo -e "${RED}Error: Failed to import the WireGuard configuration using NetworkManager.${NC}" rm -f "$config_name" return 1 fi echo -e "${GREEN}WireGuard configuration '$config_name' has been imported to NetworkManager.${NC}" rm -f "$config_name" display_end_message else echo -e "${BLUE}Skipping import of the WireGuard configuration.${NC}" rm -f "$config_name" return 0 fi else # Import if connection did not exist if command -v nmcli &>/dev/null; then if ! nmcli connection import type wireguard file "$config_name"; then echo -e "${RED}Error: Failed to import the WireGuard configuration using NetworkManager.${NC}" rm -f "$config_name" return 1 fi echo -e "${GREEN}WireGuard configuration '$config_name' has been imported to NetworkManager.${NC}" rm -f "$config_name" display_end_message else echo -e "${YELLOW}Warning: NetworkManager 'nmcli' not found. Configuration file '$config_name' saved in current directory.${NC}" echo -e "${YELLOW}Import the configuration to your StartOS manually by going to NetworkManager or using wg-quick up command${NC}" fi fi return 0 } # Function to download the install script download_install_script() { echo -e "${BLUE}Downloading latest WireGuard install script...${NC}" # Download the script if ! curl -sSf "$WIREGUARD_INSTALL_URL" -o wireguard-install.sh; then echo -e "${RED}Failed to download WireGuard installation script.${NC}" return 1 fi chmod +x wireguard-install.sh if [ $? -ne 0 ]; then echo -e "${RED}Failed to chmod +x wireguard install script.${NC}" return 1 fi echo -e "${GREEN}WireGuard install script downloaded successfully!${NC}" return 0 } # Function to install WireGuard install_wireguard() { echo -e "\n${BLUE}Installing WireGuard...${NC}" # Check if install script exist if [ ! -f "wireguard-install.sh" ]; then echo -e "${RED}WireGuard install script is missing. Did it failed to download?${NC}" return 1 fi # Run the remote install script and let it complete if ! ssh -o ConnectTimeout=60 -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" -t "$SSH_USER@$VPS_IP" "bash -c 'export TERM=xterm-256color; export STARTOS_HOSTNAME=clearnet; bash ~/wireguard-install.sh'"; then echo -e "${RED}WireGuard installation failed on remote server.${NC}" return 1 fi # Test if wireguard installed if ! ssh -q -o BatchMode=yes -o ConnectTimeout=5 -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" "$SSH_USER@$VPS_IP" "test -f /etc/wireguard/wg0.conf"; then echo -e "\n${RED}WireGuard installation failed because /etc/wireguard/wg0.conf is missing, which means the script removed it.${NC}" return 1 fi echo -e "\n${GREEN}WireGuard installation completed successfully!${NC}" return 0 } # Function to enable root login via SSH enable_root_login() { echo -e "${BLUE}Checking and configuring root SSH access...${NC}" # Try to modify sshd config using sudo if ! ssh -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" "$SSH_USER@$VPS_IP" ' # Check if we can use sudo without password if ! sudo -n true 2>/dev/null; then echo -e "\033[1;33mNOTE: You may be prompted for your sudo password.\033[0m" fi # Check if user is in sudo group if ! groups | grep -q sudo; then echo -e "\033[1;31mError: Your user is not in the sudo group. Root access cannot be configured.\033[0m" exit 1 fi # Backup sshd config sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak # Enable root login with SSH keys only if sudo grep -q "^PermitRootLogin" /etc/ssh/sshd_config; then sudo sed -i "s/^PermitRootLogin.*/PermitRootLogin prohibit-password/" /etc/ssh/sshd_config else echo "PermitRootLogin prohibit-password" | sudo tee -a /etc/ssh/sshd_config fi # Ensure password authentication is disabled if sudo grep -q "^PasswordAuthentication" /etc/ssh/sshd_config; then sudo sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config else echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config fi # Set up root SSH directory and keys echo -e "\033[1;33mSetting up root SSH access...\033[0m" sudo mkdir -p /root/.ssh sudo cp ~/.ssh/authorized_keys /root/.ssh/ sudo chown -R root:root /root/.ssh sudo chmod 700 /root/.ssh sudo chmod 600 /root/.ssh/authorized_keys # Reload SSH service sudo systemctl reload sshd # Verify the changes if ! sudo grep -q "^PermitRootLogin prohibit-password" /etc/ssh/sshd_config; then echo -e "\033[1;31mError: Failed to verify root login configuration.\033[0m" exit 1 fi # Test root SSH access if ! sudo -n true 2>/dev/null; then echo -e "\033[1;33mNOTE: Please try to log in as root now using your SSH key.\033[0m" echo -e "\033[1;33mIf successful, run this script again without the -u parameter.\033[0m" else echo -e "\033[1;32mRoot SSH access has been configured successfully!\033[0m" fi '; then echo -e "${RED}Failed to configure root SSH access.${NC}" return 1 fi echo -e "${GREEN}Root SSH access has been configured successfully!${NC}" echo -e "${YELLOW}Please try to log in as root now using your SSH key. If successful, run this script again without the -u parameter.${NC}" return 0 } # --- Main Script --- # Initialize variables VPS_IP="" SSH_USER="root" SSH_PORT="22" CUSTOM_SSH_KEY="" CONFIG_NAME="" # Check if the script is run as root before anything else check_root # Print banner print_banner # Parse command line arguments while getopts "hi:u:p:k:" opt; do case $opt in h) print_usage exit 0 ;; i) VPS_IP=$OPTARG ;; u) SSH_USER=$OPTARG ;; p) SSH_PORT=$OPTARG ;; k) CUSTOM_SSH_KEY=$OPTARG ;; \?) echo "Invalid option: -$OPTARG" >&2 print_usage exit 1 ;; esac done # Check if custom SSH key is passed and update the private key variable if [ -n "$CUSTOM_SSH_KEY" ]; then if [ ! -f "$CUSTOM_SSH_KEY" ]; then echo -e "${RED}Custom SSH key '$CUSTOM_SSH_KEY' not found.${NC}" exit 1 fi SSH_PRIVATE_KEY="$CUSTOM_SSH_KEY" SSH_PUBLIC_KEY="$CUSTOM_SSH_KEY.pub" else # Use default StartOS SSH key if [ ! -f "$SSH_PRIVATE_KEY" ]; then echo -e "${RED}No SSH key found at default location '$SSH_PRIVATE_KEY'. Please ensure StartOS SSH keys are properly configured.${NC}" exit 1 fi fi if [ ! -f "$SSH_PUBLIC_KEY" ]; then echo -e "${RED}Public key '$SSH_PUBLIC_KEY' not found. Please ensure both private and public keys exist.${NC}" exit 1 fi # If VPS_IP is not provided via command line, ask for it if [ -z "$VPS_IP" ]; then while true; do echo -n "Please enter your VPS IP address: " read VPS_IP if validate_ip "$VPS_IP"; then break else echo -e "${RED}Invalid IP address format. Please try again.${NC}" fi done fi # Confirm SSH connection details echo -e "\n${GREEN}Connection details:${NC}" echo "VPS IP: $VPS_IP" echo "SSH User: $SSH_USER" echo "SSH Port: $SSH_PORT" echo -e "\n${GREEN}Proceeding with SSH key-based authentication...${NC}\n" # Copy SSH public key to the remote server if ! ssh-copy-id -i "$SSH_PUBLIC_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" "$SSH_USER@$VPS_IP"; then echo -e "${RED}Failed to copy SSH key to the remote server. Please ensure you have correct credentials.${NC}" exit 1 fi echo -e "${GREEN}SSH key-based authentication configured successfully!${NC}" # Test SSH connection using key-based authentication echo -e "\nTesting SSH connection with key-based authentication..." if ! ssh -q -o BatchMode=yes -o ConnectTimeout=5 -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" "$SSH_USER@$VPS_IP" 'exit'; then echo -e "${RED}SSH connection test failed. Please check your credentials and try again.${NC}" exit 1 fi # If we're connecting as a non-root user, set up root access first if [ "$SSH_USER" != "root" ]; then echo -e "\n${YELLOW}You are connecting as a non-root user. This script needs to enable root SSH access.${NC}" echo -e "${YELLOW}This is a one-time setup that will allow direct root login for WireGuard installation.${NC}" echo -n -e "${YELLOW}Would you like to proceed? (y/N): ${NC}" read -r answer if [[ "$answer" =~ ^[Yy]$ ]]; then if enable_root_login; then echo -e "\n${BLUE}------------------------------------------------------------------${NC}" echo -e "${GREEN}Root SSH access has been configured successfully!${NC}" echo -e "${YELLOW}Please run this script again without the -u parameter to continue setup.${NC}" echo -e "${BLUE}------------------------------------------------------------------${NC}" exit 0 else echo -e "${RED}Failed to configure root SSH access. Please check your sudo privileges and try again.${NC}" exit 1 fi else echo -e "\n${BLUE}------------------------------------------------------------------${NC}" echo -e "${YELLOW}To manually configure SSH for root access:${NC}" echo -e "\n ${YELLOW}1. Connect to your VPS and edit sshd_config:${NC}" echo " sudo nano /etc/ssh/sshd_config" echo -e "\n ${YELLOW}2. Find and uncomment or add these lines:${NC}" echo " PubkeyAuthentication yes" echo " PermitRootLogin yes" echo " AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2" echo -e "\n ${YELLOW}3. Restart the SSH service:${NC}" echo " sudo systemctl restart sshd" echo -e "\n ${YELLOW}4. Copy your SSH key to root user:${NC}" echo " sudo mkdir -p /root/.ssh" echo " sudo cp ~/.ssh/authorized_keys /root/.ssh/" echo " sudo chown -R root:root /root/.ssh" echo " sudo chmod 700 /root/.ssh" echo " sudo chmod 600 /root/.ssh/authorized_keys" echo -e "${BLUE}------------------------------------------------------------------${NC}" echo -e "\n${YELLOW}After completing these steps, run this script again without the -u parameter.${NC}" exit 1 fi fi # Check if root login is permitted when connecting as root if [ "$SSH_USER" = "root" ]; then # Check for both "yes" and "prohibit-password" as valid root login settings if ! ssh -q -o BatchMode=yes -o ConnectTimeout=5 -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -p "$SSH_PORT" "$SSH_USER@$VPS_IP" 'grep -q "^PermitRootLogin.*\(yes\|prohibit-password\)" /etc/ssh/sshd_config'; then echo -e "\n${RED}Root SSH login is not enabled on your VPS.${NC}" echo -e "\n${YELLOW}Would you like this script to automatically enable root SSH access? (y/N):${NC} " read -r answer if [[ "$answer" =~ ^[Yy]$ ]]; then configure_ssh_key_auth else echo -e "\n${BLUE}------------------------------------------------------------------${NC}" echo -e "${YELLOW}To manually configure SSH for root access:${NC}" echo -e "\n ${YELLOW}1. Connect to your VPS and edit sshd_config:${NC}" echo " sudo nano /etc/ssh/sshd_config" echo -e "\n ${YELLOW}2. Find and uncomment or add these lines:${NC}" echo " PubkeyAuthentication yes" echo " PermitRootLogin prohibit-password" echo " AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2" echo -e "\n ${YELLOW}3. Restart the SSH service:${NC}" echo " sudo systemctl restart sshd" echo -e "${BLUE}------------------------------------------------------------------${NC}" echo -e "\n${YELLOW}Please enable root SSH access and run this script again.${NC}" exit 1 fi fi fi echo -e "${GREEN}SSH connection successful with key-based authentication!${NC}" # Download the WireGuard install script locally if ! download_install_script; then echo -e "${RED}Failed to download the latest install script. Exiting...${NC}" exit 1 fi # Upload the install script to the remote server if ! scp -i "$SSH_PRIVATE_KEY" -o StrictHostKeyChecking=no -P "$SSH_PORT" wireguard-install.sh "$SSH_USER@$VPS_IP":~/; then echo -e "${RED}Failed to upload WireGuard install script to the remote server.${NC}" exit 1 fi # Install WireGuard on remote server using the downloaded script if ! install_wireguard; then echo -e "${RED}WireGuard installation failed.${NC}" exit 1 fi # Remove the local install script rm wireguard-install.sh >/dev/null 2>&1 # Handle the StartOS config (download) if ! handle_startos_connection; then echo -e "${RED}StartOS configuration download failed!${NC}" exit 1 fi # Import the configuration if ! import_wireguard_config "$CONFIG_NAME"; then echo -e "${RED}StartOS configuration import failed or skipped!${NC}" fi