WireGuard is a modern, high-performance VPN protocol that offers simplicity, speed, and strong encryption. It operates in a minimalist and secure way, using state-of-the-art cryptography. The goal of this article is to guide you through deploying a WireGuard VPN with an automated key exchange process using Bash.
Prerequisites
Before starting the deployment process, ensure that the following are in place:
- A Linux server (Ubuntu 20.04 or similar).
- Root access on the server.
- Bash scripting knowledge.
- WireGuard installed on both the server and the client machine.
Step 1: Install WireGuard
On both the server and client machines, WireGuard needs to be installed. You can install it by running the following command on an Ubuntu-based system:
sudo apt update
sudo apt install wireguard
This will install the necessary WireGuard tools, including wg for managing the VPN interface and wg-quick for easier setup.
Step 2: Generate Key Pairs Automatically
For WireGuard, each device in the VPN network requires a public and private key pair. To automate the process, we will use a Bash script that generates these keys for both the server and client.
Create a Bash script called generate_keys.sh:
#!/bin/bash
# Generate private key for the server
SERVER_PRIVATE_KEY=$(wg genkey)
# Generate public key for the server (derived from the private key)
SERVER_PUBLIC_KEY=$(echo "$SERVER_PRIVATE_KEY" | wg pubkey)
# Generate private key for the client
CLIENT_PRIVATE_KEY=$(wg genkey)
# Generate public key for the client
CLIENT_PUBLIC_KEY=$(echo "$CLIENT_PRIVATE_KEY" | wg pubkey)
# Output the keys to the terminal. The private keys go into the config files
# in Steps 3 and 4; only the public keys are shared with the other side.
echo "Server Private Key: $SERVER_PRIVATE_KEY"
echo "Server Public Key: $SERVER_PUBLIC_KEY"
echo "Client Private Key: $CLIENT_PRIVATE_KEY"
echo "Client Public Key: $CLIENT_PUBLIC_KEY"
Run this script on your server to generate the key pairs:
chmod +x generate_keys.sh
./generate_keys.sh
This will output both the server and client keys, which will be used for configuration.
Step 3: Configure the Server
The server needs a WireGuard configuration file to set up the VPN interface. This configuration defines how the server communicates with clients.
Create the server configuration file at /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <server-private-key from Step 2>
Address = 10.0.0.1/24
ListenPort = 51820
SaveConfig = true

[Peer]
PublicKey = <client-public-key from Step 2>
AllowedIPs = 10.0.0.2/32
Replace
Step 4: Configure the Client
Next, create the client configuration file, which will be used on the client machine. Save it as wg0.conf on the client system.
[Interface]
PrivateKey = <client-private-key from Step 2>
Address = 10.0.0.2/32

[Peer]
PublicKey = <server-public-key from Step 2>
Endpoint = <server-public-ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Replace
Step 5: Start the WireGuard VPN
Now, bring up the VPN interface on both the server and the client. On the server, run:
sudo wg-quick up wg0
On the client, use the same command:
sudo wg-quick up wg0
These commands will establish the VPN tunnel between the server and client, routing traffic securely between the two machines.
Step 6: Automating Key Exchange with Bash
To further automate the key exchange and configuration process, a more advanced Bash script can be used to update both the server and client configuration files whenever new keys are generated.
Create the script deploy_wireguard.sh:
#!/bin/bash
# Run this on the server as root. Private keys are written to disk, so the
# files are created with owner-only permissions.
set -e
umask 077

# Public IP (or DNS name) and port the client connects to; the port must match
# ListenPort below. Replace the placeholder before running.
SERVER_ENDPOINT="<server-public-ip>:51820"

# Generate keys
SERVER_PRIVATE_KEY=$(wg genkey)
SERVER_PUBLIC_KEY=$(echo "$SERVER_PRIVATE_KEY" | wg pubkey)
CLIENT_PRIVATE_KEY=$(wg genkey)
CLIENT_PUBLIC_KEY=$(echo "$CLIENT_PRIVATE_KEY" | wg pubkey)

# Update server config file
cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
PrivateKey = $SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
SaveConfig = true

[Peer]
PublicKey = $CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
EOF

# Update client config file (written here, then copied to the client)
cat > /etc/wireguard/client_wg0.conf <<EOF
[Interface]
PrivateKey = $CLIENT_PRIVATE_KEY
Address = 10.0.0.2/32

[Peer]
PublicKey = $SERVER_PUBLIC_KEY
Endpoint = $SERVER_ENDPOINT
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
chmod 600 /etc/wireguard/wg0.conf /etc/wireguard/client_wg0.conf

# Bring up the interface on the server
sudo wg-quick up wg0

# Bring up the interface on the client: copy client_wg0.conf to the client as
# /etc/wireguard/wg0.conf (over a secure channel, since it contains the client's
# private key) and run the same command there.
echo "Client config written to /etc/wireguard/client_wg0.conf; copy it to the client and run: sudo wg-quick up wg0"
Run the script to automate the setup:
chmod +x deploy_wireguard.sh
./deploy_wireguard.sh
This script generates new keys, writes both configuration files with owner-only permissions, and brings up the VPN interface on the server; the client configuration is then copied to the client machine and brought up there with the same command.
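A check worth running on any config produced by the scripts in Steps 2, 3 and 6 before calling wg-quick up: the key fields must be filled in with well-formed WireGuard keys, the file must not be readable by other users, and AllowedIPs must be present. This is an added example, not code from the original article; the function names and the all-zero sample key in the demo are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: sanity-check a WireGuard config
# written by the Step 2, 3 or 6 scripts before running `wg-quick up` on it.
set -u

# A WireGuard key is 32 bytes in base64: 43 base64 characters plus one '='.
is_wg_key() {
  [[ "$1" =~ ^[A-Za-z0-9+/]{43}=$ ]]
}

# Print the value of "Key = value" for key $2 in config file $1 (first match).
conf_value() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Returns 0 when the config passes; prints one line per failed check otherwise.
check_wg_conf() {
  local conf="$1" rc=0 field v mode
  [[ -f "$conf" ]] || { echo "missing file: $conf"; return 1; }
  # The file holds a private key, so group and world must not be able to read it.
  mode=$(stat -c %a "$conf")
  [[ "$mode" == 600 || "$mode" == 400 ]] || { echo "mode $mode, want 600"; rc=1; }
  for field in PrivateKey PublicKey; do
    v=$(conf_value "$conf" "$field")
    if [[ -z "$v" ]]; then
      echo "$field is empty (placeholder never replaced?)"; rc=1
    elif ! is_wg_key "$v"; then
      echo "$field is not a well-formed WireGuard key"; rc=1
    fi
  done
  # Without AllowedIPs the peer is configured but no traffic is routed to it.
  v=$(conf_value "$conf" AllowedIPs)
  [[ "$v" =~ ^[0-9.]+/[0-9]+(,[[:space:]]*[0-9.]+/[0-9]+)*$ ]] || { echo "AllowedIPs missing or malformed"; rc=1; }
  return "$rc"
}

# Demo on a constructed config; the keys are 32 zero bytes in base64 (format only).
demo() {
  local dir conf
  dir=$(mktemp -d)
  conf="$dir/wg0.conf"
  ( umask 077
    printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.0.1/24\nListenPort = 51820\n[Peer]\nPublicKey = %s\nAllowedIPs = 10.0.0.2/32\n' \
      "$(head -c 32 /dev/zero | base64)" "$(head -c 32 /dev/zero | base64)" > "$conf" )
  check_wg_conf "$conf" && echo "OK: $conf passes all checks"
  rm -rf "$dir"
}
demo
```

Run it as check_wg_conf /etc/wireguard/wg0.conf on the server and on the copied client file; a non-zero exit means the printed problems should be fixed before the interface is brought up.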
Step 7: Enable WireGuard to Start on Boot
To ensure that WireGuard starts automatically on boot, enable the WireGuard service:
sudo systemctl enable wg-quick@wg0
This command configures the WireGuard interface to be brought up automatically at system startup, ensuring the VPN is always active.
Conclusion
The process outlined here provides an automated and efficient way to deploy WireGuard VPN with automated key exchange using Bash. This solution ensures a smooth and repeatable deployment, allowing for fast and secure VPN configurations on Linux-based servers and clients.