{"id":13587395,"url":"https://github.com/burghardt/easy-wg-quick","last_synced_at":"2025-05-15T03:06:08.033Z","repository":{"id":39885840,"uuid":"171384618","full_name":"burghardt/easy-wg-quick","owner":"burghardt","description":"Creates Wireguard configuration for hub and peers with ease","archived":false,"fork":false,"pushed_at":"2025-02-17T13:44:45.000Z","size":345,"stargazers_count":1045,"open_issues_count":1,"forks_count":110,"subscribers_count":31,"default_branch":"master","last_synced_at":"2025-04-07T21:42:14.684Z","etag":null,"topics":["config","configuration","encryption","generator","ipv6","privacy","qrcode","security","self-hosted","vpn","vpn-server","wg-quick","wireguard"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/burghardt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-02-19T01:42:14.000Z","updated_at":"2025-04-07T05:56:19.000Z","dependencies_parsed_at":"2024-01-13T19:43:18.727Z","dependency_job_id":"2839be87-1217-45db-a359-68a0f012ad95","html_url":"https://github.com/burghardt/easy-wg-quick","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/burghardt%2Feasy-wg-quick","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/burghardt%2Feasy-wg-quick/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/burghardt%2Feasy-wg-quick/releases","manifests_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/burghardt%2Feasy-wg-quick/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/burghardt","download_url":"https://codeload.github.com/burghardt/easy-wg-quick/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254264765,"owners_count":22041793,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["config","configuration","encryption","generator","ipv6","privacy","qrcode","security","self-hosted","vpn","vpn-server","wg-quick","wireguard"],"created_at":"2024-08-01T15:06:11.483Z","updated_at":"2025-05-15T03:06:08.012Z","avatar_url":"https://github.com/burghardt.png","language":"Shell","funding_links":[],"categories":["Shell","vpn","Projects"],"sub_categories":["Tools"],"readme":"# easy-wg-quick\neasy-wg-quick - Creates WireGuard configuration for hub and peers with ease\n\n * [Getting Started](#getting-started)\n   * [Docker](#docker)\n   * [Terraform](#terraform)\n   * [Prerequisites](#prerequisites)\n   * [Installing](#installing)\n * [Usage](#usage)\n   * [Special usage](#special-usage)\n   * [Sample output](#sample-output)\n   * [Using generated configuration](#using-generated-configuration)\n * [Fine tuning](#fine-tuning)\n   * [Disabling external interface autodetection](#disabling-external-interface-autodetection)\n   * [Disabling external IP address autodetection](#disabling-external-ip-address-autodetection)\n   * [Disabling random port assignment](#disabling-random-port-assignment)\n   * [Disabling randomly generated internal network 
addresses](#disabling-randomly-generated-internal-network-addresses)\n   * [Setting interface's maximum transmission unit (MTU) size](#setting-interfaces-maximum-transmission-unit-mtu-size)\n   * [Setting custom DNS](#setting-custom-dns)\n   * [Setting custom client's `AllowedIPs`](#setting-custom-clients-allowedips)\n   * [Choosing firewall type](#choosing-firewall-type)\n   * [Choosing if PostUp/PostDown should enable/disable IP forwarding](#choosing-if-postuppostdown-should-enabledisable-ip-forwarding)\n   * [Enabling IPv6](#enabling-ipv6)\n   * [Enabling NDP proxy (instead of default IPv6 masquerading)](#enabling-ndp-proxy-instead-of-default-ipv6-masquerading)\n   * [Redirecting DNS](#redirecting-dns)\n   * [Traffic control](#traffic-control)\n   * [Persisting configuration with systemd](#persisting-configuration-with-systemd)\n * [License](#license)\n * [Acknowledgments](#acknowledgments)\n\n## Getting Started\n\nThese instructions will get you a copy of the project up and running on your\nlocal machine. This machine (called the hub) will act as a VPN concentrator. All\nother peers connect to the hub (as in a \"road warrior\" configuration).\n\n### Docker\n\nA Docker container image based on Alpine Linux, [WireGuard] tools\nand [libqrencode] is available from `ghcr.io`.\n\n    curl -4 ifconfig.co/ip \u003e extnetip.txt\n    docker run --rm -it -v \"$PWD:/pwd\" ghcr.io/burghardt/easy-wg-quick\n\nPlease note that `extnetip.txt` must be populated with the server IP via\nthe cURL command above or manually if you use the generated configuration\non the host (instead of the container).\n\n### Terraform\n\nTerraform code for deploying `easy-wg-quick` in the Google Cloud Platform\nis available from the [tf-gcp-easy-wg-quick] repository.\n\n### Prerequisites\n\nInstall [WireGuard] for your operating system on [local machine], [router],\n[VPS] or [container]. 
This will be your hub.\n\nAs dependencies, the `/bin/sh`, `wg`, `wg-quick`, `awk`, `grep` and `ip` commands\nshould be available on the hub. If `ip` is not available, the user is required to set\n`EXT_NET_IF` and `EXT_NET_IP` variables in the script to the external network interface\nname and IP address (or edit `wghub.conf`). Optionally `qrencode` can be used\nto generate [QR codes] for mobile applications.\n\n#### Debian, Ubuntu\n\n    sudo apt install wireguard-tools mawk grep iproute2 qrencode\n\n#### Fedora, RHEL, CentOS\n\n    sudo dnf install wireguard-tools gawk grep iproute qrencode\n\n#### FreeBSD\n\n    sudo pkg install net/wireguard-tools graphics/libqrencode\n\n#### macOS\n\n    brew install wireguard-tools qrencode\n\n#### Installing WireGuard tools (and modules)\n\nThis script requires only the tools to be installed, but to use WireGuard the kernel module\n(or a user-space implementation) is also required. A detailed install guide\nfor various operating systems is available at [wireguard.com/install].\n\nPeers also require WireGuard to be installed. [Android] and [iOS] are supported.\n[OpenWRT clients] are supported with [UCI] configuration fragments.\n\n### Installing\n\nJust download the script and make it executable with `chmod`.\n\n    wget https://raw.githubusercontent.com/burghardt/easy-wg-quick/master/easy-wg-quick\n    chmod +x easy-wg-quick\n\nNote that you can use a short URL as well.\n\n    wget https://git.io/fjb5R -O easy-wg-quick\n    chmod +x easy-wg-quick\n\nOr clone the repository.\n\n    git clone https://github.com/burghardt/easy-wg-quick.git\n\n## Usage\n\nThe script does not require any arguments. Just run it and it will create a usable\nWireGuard configuration for the hub and one peer. 
Any subsequent invocation creates\nanother peer configuration within the same hub.\n\n    ./easy-wg-quick # 1st run creates hub configuration and one client\n    ./easy-wg-quick # any other run creates additional clients\n\nPassing an argument to the script creates a configuration file with that name instead of\na sequence number, to help remember which config was for which device.\nThe following command will create the `wgclient_client_name.conf` file.\n\n    ./easy-wg-quick client_name\n\n### Special usage\n\n#### -h / --help\n\nDisplays help for all supported arguments.\n\n#### -i / --init\n\nWrites the initial configuration to text files without creating a client or\nhub configuration. This option is useful if you want to change auto-detected\nor default configuration values. Repeat the script with the client name to\ncreate the final configuration.\n\n#### -c / --clear\n\nTo start over, manually remove all `*.bak`, `*.conf`, `*.key`, and `*.psk`\nfiles. If you need to remove initial configuration options as well, also\ndelete all `*.txt` files. This script does not remove anything.\n\n#### -d / --install-wg-quick\n\nThis option will download and install the wg-quick script from the official\nWireGuard GitHub mirror based on the current operating system (Linux, FreeBSD,\nOpenBSD and Darwin are supported).\n\nIf run as `root`, it will install `wg-quick` in `/usr/local/sbin`. If run as\na normal user, it will use `$HOME/.local/bin`.\n\n#### -u / --upgrade\n\nThis will download the latest release of that script and replace the original\nfile with the downloaded version.\n\n### Sample output\n\n```\nNo seqno.txt... creating one!\nNo wghub.key... creating one!\nNo wghub.conf... creating one!\nWireGuard hub address is 10.13.1.140:51820 on wlp9s0.\nNote: customize [Interface] section of wghub.conf if required!\n\nNote: passing argument to script creates client configuration with supplied\n      name to help remembering which config was for which device. 
If you\n      didn't pass any argument you can still rename created file manually\n      with command:\n  mv -vi wgclient_10.conf wgclient_name.conf\n\nNo wgclient_10.conf... creating one!\n█████████████████████████████████████████████████████████████████████████\n█████████████████████████████████████████████████████████████████████████\n████ ▄▄▄▄▄ █▀██ ▀▄▀▄█▄ ▀▄ █▀▀▄█▄▄▀ ▄▀██▀▀▀▀█▄  █▀▀▄█  ▄▀▀ █▄▀█ ▄▄▄▄▄ ████\n████ █   █ █▀▄▀ ▀█▀▄▄▄ ▄ ▀█ ▄██▄█ ▀▀▄ ███▀▀▄▄  ▀ ▄▄▀███▄▀▀ ▀▄█ █   █ ████\n████ █▄▄▄█ █▀▀▀██▀▄██  ▀▄███▀▀▀▀▄▄ ▄▄▄ ▄  ▀██  ▄█▀▀  █▀██▄▀█▄█ █▄▄▄█ ████\n████▄▄▄▄▄▄▄█▄█▄▀ ▀▄▀▄▀ ▀▄▀▄█ █▄█ █ █▄█ █ █ ▀ ▀▄█ ▀▄▀ ▀▄▀ ▀▄█▄█▄▄▄▄▄▄▄████\n████▄▄   █▄ ▄ ██ ▄▄▄█ ▀█▀▄ ▀▄█▄▄█▄▄   ▄   █ █▀▄▀▄▀█▄▀▄▀▀▄▄ █▄ ▀▄▀ ▀ █████\n█████▀ ▄▀▀▄▀▀▄█▀  █▀ ▀▀▄▀█▄█▄ ▄▀▀▄▄▄█ ▄▀▀█ ▄ ▀▀▄ ▄▄▄ ▀ █▀▀▀██▀▄█ ▄███████\n████ ▄███ ▄▀█▄▀█▄▀ ███▀▀▀▀▀▀▄ ▄   ▀ ██▀  ▄███ ▄ ▀ ▀ ▄▄▀▄█▀▄▀▀ █▀ ▄▄▀ ████\n█████▀  ▀▀▄ ▄▀▄▀▄██▄█  ▀ ▀▄▀█ █ █▀▀▄ ▀█▀▄▀█▀▀▄▄█▀ ██▀█▄▄▀█▄ ▀  ▀██▀▄▀████\n████▀▄▄▀▀ ▄▄▄▄▄█ ▀█  ▀▀ ▀█ █▀█ ▀▀▄ ▀█▀██▀█ ▄▀▀▀▀▄▀   █▀▄▄▄ █ ▀▀▀ ▄▄ █████\n████▀▄▄██ ▄▀▀▀▀█▄▄▄ ▀▄█ ▀▀ ▄▄▄ █▀▄   █▄▄ ▄███▀▄▀██   ▀▀██ ▄ ▀▄  ▄██▀▄████\n████▄  ███▄  ▀▄█   ▄▀▄▀▀▀▀▄▀▀▄▄▀   ▄ ▄▄▄▀▄▄█▄▄ ▀█▄▄▀▀▀▄▄▄▀ ▀▄██▀ ▄▄  ████\n████ █▄▀▀ ▄██▀▄ █▄▀▄ ▀ █▀ ▄ ▄██▀█ ▄ ██▀▄▄▀   █ ▄▄█  ▀▀  ▄▀█ ▄ ██ ▀▀▄▄████\n████   ▄ ▀▄▄▄█▄█▀█▄ ▀▀▀ ▀▀▄▄█  ▀▄▀██ ▀▄█  █ █▄  █▀▀▀  ▀██  ▀▀ ▀▄▀ ██▀████\n█████▄ ▀▄▀▄█▄ ▄▄▀█ ▄█   █▄▄▀ ▄▄▀█  ▄█▄▄▄ ▀▀▀▀ ▄▄  █ ▀▄█▄ ▄▄▀▀ █ ▀▄▀▄▄████\n████ █▀█▀▄▄▀▀▄ ███ ▀█▀▀▄█▄ ▄  ▄███▀▄▄▀▀  ▀▀▀▀ ▄ █▄▀▄▄▄▀▄▀  ██ █▀ █  ▀████\n█████▄▄█ ▄▄▄  █ ▄  ▀█▀ ▄█▀█▄  █▀▄▄ ▄▄▄ ▄  █▄█▄ ██▀▄█▀██▀   ▄ ▄▄▄ ▀▀▄█████\n████▀█▀▄ █▄█ █▄█▄▀▀█ █▄▄  ▀███▀███ █▄█  ▄▄▄▀▀█ ▄██▀▀ ▀▀▄▄▄▄▄ █▄█ ██▄▀████\n████   ▀ ▄▄  ▀█ ▄█  █▀ ▄█▄█▄▄▀████ ▄  ▄ ▄▄▄███▄▀██▄▄▄▄▄▀▄▄██ ▄ ▄▄▄█ ▄████\n████ ▀ ▄▄ ▄ ▄▄ ▄▀▄█▄▀▀  █▄█▀ ▀█▀▀█ █▀██▀▀███▄▀▀▀█▄█▀  ▄█▄  ▄█▄█▀▄   ▀████\n████▄▀▄▄▀▄▄█▀▄▄ █▄▄█▀  ▄▀▀█▄ ▄█▀██  ███ █▄▄█▀█▄▀▀▄ ▀▄▀▄ ▀██ ▀▀    ▀▀▄████\n████  ▄▀▄▀▄▀ ▄▀▄ ▄  ▀█▄█  ▀▀▄█▄▀█▀▀▄██▀  ▄▀▀▄ ▄█▄██▀ ▄█▄▄▄ ▀ ██▄▀██▀▄████\n████▀█ ▄█▄▄▄▄██▄ ▄▄▄█  ▄▀▄▄█▄█▄▀▀▀ █▀ █▀▀▄▀█▀█▀█▀▄█▄ ▀█▄█▀ ▀▄█▄█ ▄▀ 
▄████\n████▄▀▀█▄▄▄▀▀█▄ ▀█ ▄▀▄ ▀▀█▄▀▄▄▄ ▄▀ ▀▀▀▄▀█ █▀█  ▄▀ ▀█▄ ▀▀█▀▄▄█ █▄█▄██▀████\n████▀█▀▄ ▀▄▄  █▄ ▀█▄   ▀ ▄▄▀█▀█▀▄██▀▄  ▄█▀█▀██▀ ▀▄█  ▀██▀▄█▄█▀ █ █▀ █████\n█████ █ ▄▄▄ █▀  ▀██ ▀▄ ▄  █████▀█ ▄▀ ▄▄▄█ ▄▄█▄▄ ▄ ▄▄▄█▀▄▄▄▄▄▄▀ ▄█▄▄ █████\n████▄█▄ ▄▀▄  ▄▀█▀██▄▀▄█▄█▀   ▄ █▀██ ▀▄ ▄▄▀▀▀▀█▀█ █▄  ▀▀ █  █▀ ▀ ▄██▀▄████\n████▄▄ █ █▄▄▄▄ █ ▄▄▀█▄▀█ ▀▄▀ ▄▄ ▀ ▄█ █▄▀▀▄█▀▄  ▀███▀▀ ▄██  █▄▄█▀█▄▄▄▀████\n████▀█▄ █▄▄█ █▀ ▄ ▀██ ▀ ▀▄▄▄▄██▄█▄▄▄█▄▄▄▀▀▄▀▄█▀ ▄█  ▄▀▄  ▀█  ▄█ ▄▄▀▄▄████\n█████▄▄█▄█▄█▀▄█ ▀ █▄ ▀▀▀▀▀█▄█▄▄ ▄█ ▄▄▄  ▀▄▀██▄▄▀█▄▀▀  █▄█ ▄█ ▄▄▄ █ █▀████\n████ ▄▄▄▄▄ █▄██▀▀█▀██▀▀▄█ ▄▀ ▄█▄█▀ █▄█    █▀▀▄█▄  █▄█▄▀█▀  █ █▄█ ▀▀▀▄████\n████ █   █ █ █ ▀▄█ ▀███▄██▄▄  ▄ █ ▄▄ ▄▄█ ▄▀▀█▀▄▄▀▀█▄▄▄▀▀▀█ █   ▄▄▄▀ █████\n████ █▄▄▄█ █  ▀▄ █▄▀█▀ ▄███▄  █ ▄ ▀█▄ ▄▀ ▀▄▀▀▄ █▀ ▄ ▀▄█▀▄█▀▄▄███▄▀▀ █████\n████▄▄▄▄▄▄▄█▄▄██▄▄█▄█▄█▄▄▄▄█▄▄▄██▄█████▄▄█▄▄▄█▄▄████████▄▄▄█▄████████████\n█████████████████████████████████████████████████████████████████████████\n█████████████████████████████████████████████████████████████████████████\nScan QR code with your phone or use \"wgclient_10.conf\" file.\nUpdating wghub.conf... done!\n\nImportant: Deploy updated wghub.conf configuration to WireGuard with wg-quick:\n  sudo wg-quick down ./wghub.conf # if already configured\n  sudo wg-quick up ./wghub.conf\n  sudo wg show # to check status\n```\n\n### Using generated configuration\n\nOn hub configure WireGuard.\n\n    sudo wg-quick up ./wghub.conf\n\nOn peer scan QR code or copy `wgclient_10.conf`. 
To display the QR code again use\n\n    qrencode -t ansiutf8 \u003c wgclient_10.conf\n\nOr use the saved QR code\n\n    cat wgclient_10.qrcode.txt\n\nTo connect the whole network with a single WireGuard client running on an\n[OpenWRT] router, append generated [UCI] client configuration fragment to\nyour router `/etc/config/network` file.\n\n    cat wgclient_10.uci.txt\n\nFinally, on the hub, check if everything works with `sudo wg show`.\n\n```\ninterface: wghub\n  public key: kbaG3HxSDz3xhqiTNXlo1fZkFa+V6oTl+w0cSAQKxwQ=\n  private key: (hidden)\n  listening port: 51820\n\npeer: th8qYu0R0mgio2wPu1kz6/5OOgi6l8iy7OobK590LHw=\n  preshared key: (hidden)\n  endpoint: 10.60.1.150:37218\n  allowed ips: 10.127.0.10/32\n  latest handshake: 50 minutes, 22 seconds ago\n  transfer: 32.64 MiB received, 95.24 MiB sent\n```\n\n## Fine tuning\n\n### Disabling external interface autodetection\n\nBy default `easy-wg-quick` uses the interface that carries the default route as\nthe external network interface of the VPN hub. If autodetection fails or the\nconfiguration is generated outside the hub (e.g. on an [air gapped] laptop), the user can\nset the interface name in the `extnetif.txt` file with the command:\n\n    echo vtnet0 \u003e extnetif.txt\n\n### Disabling external IP address autodetection\n\nBy default `easy-wg-quick` uses the IP address of the interface that carries the default\nroute as the external IP address of the VPN hub. This might not be true\nif the hub is behind a firewall or NAT/PAT/masquerading is done. The user can set\nthe preferred IP address in the `extnetip.txt` file with the command:\n\n    echo 192.168.1.2 \u003e extnetip.txt\n\nIn case of NAT/PAT/masquerading one can try to use a service like [ifconfig.co]\nfor autodetection:\n\n    curl -4 ifconfig.co/ip \u003e extnetip.txt\n\nFor IPv6 addresses, one can use curl's `-6` switch. 
Brackets around IPv6\naddresses are required:\n\n    sed -i 's/\\(.*\\)/[\\1]/' extnetip.txt\n\n### Disabling random port assignment\n\nBy default `easy-wg-quick` uses a random port number from the range 1025-65535. When\na static port number is required for firewall configuration or other\nreasons, the user can set the preferred port number (80 in this example) in the `portno.txt`\nfile with the command:\n\n    echo 80 \u003e portno.txt\n\n### Disabling randomly generated internal network addresses\n\nBy default `easy-wg-quick` uses randomly generated internal network addresses\nfor both IPv4 and IPv6. Custom network addresses can be set with the following\ncommands.\n\n    echo \"10.1.1.\"               \u003e intnetaddress.txt   # for IPv4\n    echo \"fd90:d175:8e43:705d::\" \u003e intnet6address.txt  # for IPv6\n\nDefault masks are /24 for IPv4 and /64 for IPv6.\n\n#### Setting network masks\n\nTo change default masks set new masks in files named `intnetmask.txt` (IPv4)\nand `intnet6mask.txt` (IPv6).\n\n    echo 172.16.0. \u003e intnetaddress.txt\n    echo /16       \u003e intnetmask.txt\n    echo fd9d:9648:0841:0c6e:3d28:94d9:: \u003e intnet6address.txt\n    echo /112                            \u003e intnet6mask.txt\n\n### Setting interface's maximum transmission unit (MTU) size\n\nTo change the default interface's maximum transmission unit (MTU) size of 1280\nbytes, write a new value into the file named `intnetmtu.txt`. WireGuard MTU\nshould be between 1280 and 1420 bytes.\n\n    echo 1380 \u003e intnetmtu.txt\n\n### Setting custom DNS\n\n#### Setting IPv4 resolver address\n\nBy default `easy-wg-quick` uses 1.1.1.1 as its internal DNS. You can use the\ncommand below to serve a custom IPv4 DNS to clients.\n\n    echo 8.8.8.8 \u003e intnetdns.txt\n\n#### Setting IPv6 resolver address\n\nBy default `easy-wg-quick` uses 2606:4700:4700::1111 as its internal DNS. 
You\ncan use the command below to serve a custom IPv6 DNS to clients.\n\n    echo 2001:4860:4860::8888 \u003e intnet6dns.txt\n\n### Setting custom client's `AllowedIPs`\n\nBy default, the client's `AllowedIPs` variable is set to `0.0.0.0/0, ::/0`,\ndirecting the whole client's traffic through the VPN connection. If you want\nto create a VPN [split tunneling] configuration, store the required IP address\nranges in the `intnetallowedips.txt` file:\n\n    echo '172.16.1.0/24, 172.16.2.0/24' \u003e intnetallowedips.txt\n\n### Choosing firewall type\n\nThe firewall type is guessed from the operating system. For Linux `iptables` and\n`ip6tables` are used. For FreeBSD and macOS basic `pf` NAT rules are\nimplemented.\n\nThere are other firewall implementations to choose from. The following table\ncompares the features of the alternative implementations.\n\n| Firewall type | IPv4 MASQ | IPv6 MASQ | IPv6 NDP | TCP MSS clamp |\n| --------------|-----------|-----------|----------|---------------|\n| iptables      | \u0026check;   | \u0026check;   | \u0026check;  | \u0026check;       |\n| nft           | \u0026check;   | \u0026check;   | \u0026check;  | \u0026check;       |\n| ufw           | \u0026check;   | \u0026check;   | \u0026check;  | \u0026check;       |\n| firewalld     | \u0026check;   | \u0026check;   | _        | \u0026check;       |\n| pf            | \u0026check;   | -         | _        | _             |\n| custom / none | -         | -         | -        | -             |\n\nFile `fwtype.txt` contains the name of the firewall type. 
To override autodetection\nor disable any rules run one of the following commands:\n\n    echo iptables  \u003e fwtype.txt  # to choose Linux netfilter\n    echo nft       \u003e fwtype.txt  # to choose Linux nftables\n    echo firewalld \u003e fwtype.txt  # to choose [firewalld]\n    echo ufw       \u003e fwtype.txt  # to choose Uncomplicated Firewall\n    echo pf        \u003e fwtype.txt  # to choose OpenBSD PF\n    echo custom    \u003e fwtype.txt  # to include predefined commands from file\n    echo none      \u003e fwtype.txt  # to skip any setup during wg-quick up/down\n\nIf `fwtype.txt` contains the word `custom`, the content of `commands.txt` is included\nin the `wghub.conf` file.\n\nThe format of `commands.txt` is:\n\n    PostUp = echo \"command 1\"\n    PostUp = echo \"command 2\"\n    PostUp = ...\n\n    PostDown = echo \"command 1\"\n    PostDown = echo \"command 2\"\n    PostDown = ...\n\n### Choosing if PostUp/PostDown should enable/disable IP forwarding\n\nThe sysctl command syntax is guessed from the operating system. Linux, FreeBSD (and\nmacOS) are supported. As enabling IP forwarding is required for the hub to forward\nVPN traffic to the Internet, it is managed by PostUp/PostDown settings by\ndefault.\n\nSome applications (e.g. [Docker]) might require that IP forwarding is never\ndisabled. In that case setting `none` in `sysctltype.txt` and managing IP\nforwarding settings [elsewhere] might be required.\n\nFile `sysctltype.txt` contains the name of the sysctl type. To override autodetection\nor disable any commands from being run use one of the following commands:\n\n    echo linux   \u003e sysctltype.txt  # to choose Linux sysctl command\n    echo freebsd \u003e sysctltype.txt  # to choose FreeBSD sysctl command\n    echo none    \u003e sysctltype.txt  # to skip any setup during wg-quick up/down\n\n### Enabling IPv6\n\nIf a global unicast IPv6 address is detected on the server, tunnels will be created\nwith inner IPv6 addresses allocated. 
This allows the hub's clients to connect over\nthe hub's IPv6 NAT to the IPv6 network.\n\nIf a global unicast IPv6 address is not detected, the existence of a file\nnamed `forceipv6.txt` can forcibly enable IPv6 support.\n\n    touch forceipv6.txt\n\nTo use outer IPv6 addresses (i.e. connect client to hub over IPv6) just set\n`EXT_NET_IF` and `EXT_NET_IP` variables in the script to the external network interface\nname and IPv6 address (or edit `wghub.conf`).\n\n### Enabling NDP proxy (instead of default IPv6 masquerading)\n\nBy default `easy-wg-quick` uses IPv6 masquerading to provide IPv6 connectivity\nto peers. This is easier to set up and requires only a single IPv6 global unicast\naddress to work. On the other hand, network address translation (NAT) has\n[issues and limitations].\n\n[Neighbor Discovery] [Proxies (ND Proxy, NDP Proxy)] allow [end-to-end\nconnectivity], but require a /64 network to be assigned to the hub. From this /64\nnetwork, a subnetwork has to be carved out (e.g. /112) and assigned to the WireGuard\ninterface.\n\nTo enable proxied NDP create a file named `ipv6mode.txt` with the `proxy_ndp` string.\n\n    echo proxy_ndp \u003e ipv6mode.txt\n\nWhen the hub has 2001:19f0:6c01:1c0d::/64 assigned, part of it can be assigned to\nthe WireGuard interface (e.g. 2001:19f0:6c01:1c0d:40::/112).\n\n    echo 2001:19f0:6c01:1c0d:40:: \u003e intnet6address.txt\n    echo /112 \u003e intnet6mask.txt\n\nPlease note that NDP proxy mode in `easy-wg-quick` is supported only on Linux.\n\n### Redirecting DNS\n\nDNS redirection might be required to integrate with services like [Pi-hole] or\n[Cloudflare DNS over TLS]. 
This could be achieved by using port 53 UDP/TCP\nredirection in `wghub.conf`.\n\n    PostUp = iptables -t nat -A PREROUTING -i %i -p udp -m udp --dport 53 -j DNAT --to-destination 1.1.1.1:53\n    PostUp = iptables -t nat -A PREROUTING -i %i -p tcp -m tcp --dport 53 -j DNAT --to-destination 1.1.1.1:53\n    PostDown = iptables -t nat -D PREROUTING -i %i -p udp -m udp --dport 53 -j DNAT --to-destination 1.1.1.1:53\n    PostDown = iptables -t nat -D PREROUTING -i %i -p tcp -m tcp --dport 53 -j DNAT --to-destination 1.1.1.1:53\n\nWhen using IPv6, similar rules should be set independently with `ip6tables`.\n\n    PostUp = ip6tables -t nat -A PREROUTING -i %i -p udp -m udp --dport 53 -j DNAT --to-destination [2606:4700:4700::1111]:53\n    PostUp = ip6tables -t nat -A PREROUTING -i %i -p tcp -m tcp --dport 53 -j DNAT --to-destination [2606:4700:4700::1111]:53\n    PostDown = ip6tables -t nat -D PREROUTING -i %i -p udp -m udp --dport 53 -j DNAT --to-destination [2606:4700:4700::1111]:53\n    PostDown = ip6tables -t nat -D PREROUTING -i %i -p tcp -m tcp --dport 53 -j DNAT --to-destination [2606:4700:4700::1111]:53\n\n### Traffic control\n\nClients can benefit from setting traffic control rules in `wghub.conf`.\nFor example, setting an SFQ scheduler on the Linux hub is the simplest way to\nensure the fairness of the download so that each flow can send data in turn,\nthus preventing any single client from drowning out the rest. In addition,\nSFQ will prevent increased latency and latency spikes (aka bufferbloat) during\nhigh bandwidth consumption.\n\n    PostUp = tc qdisc add dev %i root sfq perturb 10\n\nOn Linux clients, setting the same should improve the fairness of upload flows.\n\n### Persisting configuration with systemd\n\n[Systemd] may load configuration for both hub and clients using\n`wg-quick.service`. 
Note that also [native support] for setting up WireGuard\ninterfaces exists (since version 237).\n\n    sudo cp wghub.conf /etc/wireguard/wghub.conf\n    sudo systemctl enable wg-quick@wghub\n    sudo systemctl start wg-quick@wghub\n    systemctl status wg-quick@wghub\n\n## License\n\nThis project is licensed under the GPLv2 License - see the [LICENSE] file for\ndetails.\n\n## Acknowledgments\n\nOpenVPN's [easy-rsa] was an inspiration for writing this script.\n\n[Android]: https://play.google.com/store/apps/details?id=com.wireguard.android\n[Cloudflare DNS over TLS]: https://github.com/qdm12/cloudflare-dns-server\n[Docker]: https://success.docker.com/article/ipv4-forwarding\n[LICENSE]: LICENSE\n[Neighbor Discovery]: https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol\n[OpenWRT clients]: https://openwrt.org/docs/guide-user/services/vpn/wireguard/client\n[OpenWRT]: https://openwrt.org/\n[Pi-hole]: https://pi-hole.net/\n[Proxies (ND Proxy, NDP Proxy)]: https://tools.ietf.org/html/rfc4389\n[QR codes]: https://en.wikipedia.org/wiki/QR_code\n[Systemd]: https://wiki.debian.org/systemd\n[UCI]: https://openwrt.org/docs/techref/uci\n[VPS]: https://en.wikipedia.org/wiki/Virtual_private_server\n[WireGuard]: https://www.wireguard.com/\n[air gapped]: https://en.wikipedia.org/wiki/Air_gap_%28networking%29\n[container]: https://github.com/activeeos/wireguard-docker\n[easy-rsa]: https://github.com/OpenVPN/easy-rsa\n[elsewhere]: https://en.wikipedia.org/wiki/Sysctl\n[end-to-end connectivity]: https://en.wikipedia.org/wiki/End-to-end_principle\n[firewalld]: https://firewalld.org/\n[iOS]: https://itunes.apple.com/us/app/wireguard/id1441195209?ls=1\u0026mt=8\n[ifconfig.co]: https://ifconfig.co/\n[issues and limitations]: https://en.wikipedia.org/wiki/Network_address_translation#Issues_and_limitations\n[libqrencode]: https://github.com/fukuchi/libqrencode\n[local machine]: https://www.wireguard.com/install/\n[native support]: 
https://manpages.debian.org/buster/systemd/systemd.netdev.5.en.html#%5BWIREGUARD%5D_SECTION_OPTIONS\n[router]: https://openwrt.org/docs/guide-user/services/vpn/wireguard/start\n[split tunneling]: https://en.wikipedia.org/wiki/Split_tunneling\n[tf-gcp-easy-wg-quick]: https://github.com/burghardt/tf-gcp-easy-wg-quick\n[wireguard.com/install]: https://www.wireguard.com/install/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fburghardt%2Feasy-wg-quick","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fburghardt%2Feasy-wg-quick","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fburghardt%2Feasy-wg-quick/lists"}