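#!/bin/sh
#
# VA1DER - qsy.va1der.ca
# Generate WireGuard keys and configs for one "server" and its client peers.
#
# Files written to the current directory (NN is the two-digit host index):
#   NN_<host>.key     private key                     (mode 0600)
#   NN_<host>.pub     public key
#   NN_<host>.psk     preshared key                   (mode 0600; removed for the server)
#   NN_<host>.conf    complete client config          (mode 0600 - it embeds the
#                     client's private key and PSK: copy it to the client over a
#                     secure channel, then delete it and the .key/.psk here)
#   <INTERFACE>.conf  server config with one [Peer] per client  (mode 0600)
#   INITIAL.conf      template for a temporary workstation peer (holds no secrets)
#
# Run this in an empty, private directory. Every file is created owner-only
# (umask 077) because all of them except the .pub files and INITIAL.conf
# contain key material or a config that embeds it.
#
# Edit these values for your network
#
# Interface name, wg0 for your first one
INTERFACE="wg0"
# Prefix part of network, any private IP area (must end with the trailing dot)
NETPREFIX="10.30.1."
# Put the names of all the devices you'll be generating keys for - this
# doesn't have to be hostnames - any name will do. The first one is for
# this server. Host i gets the address ${NETPREFIX}i; at most 199 hosts fit,
# since .200 is reserved for the temporary workstation peer below.
HOSTS="guardian glitch hexadecimal megabyte frisket hack slash device8 device9"
# The actual full internet hostname for this server
SERVER="guardian.mydomain.ca"
# Port number for this instance - generally best to stick to 51820
PORT="51820"
# A DNS server your peers will use if you decide to route all traffic on them
DNS="9.9.9.9"
# A temporary public key for a workstation for the initial connection.
# Generate it ON the workstation (wg genkey | wg pubkey) and paste it here; the
# matching private key must never leave that machine. The value below is only
# a placeholder and will not work as a peer key.
PUBTEMP="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

#############################################################################

set -eu

# Create every file owner-only from the start instead of touch + chmod after
# the fact; this also covers the client .conf files, which hold private keys.
umask 077

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

command -v wg >/dev/null 2>&1 || die "wg(8) not found - install wireguard-tools"
[ -n "$HOSTS" ] || die "HOSTS is empty - the first entry must name this server"
case $PUBTEMP in
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=)
    printf 'warning: PUBTEMP is still the placeholder; replace it in %s before using the temporary peer\n' \
      "$INTERFACE.conf" >&2 ;;
esac

# Hosts are numbered from 1; the server is always number 1.
n=1
SERVERHOST=""
SERVERPUB=""
for HOST in $HOSTS; do
  # Keep a plain integer for arithmetic and derive the zero-padded file prefix
  # from it; feeding "08"/"09" back into $(( )) would be read as bad octal.
  A=$(printf '%02d' "$n")
  KEY="${A}_${HOST}.key"
  PUB="${A}_${HOST}.pub"
  PSK="${A}_${HOST}.psk"
  [ "$n" -le 199 ] || die "too many hosts: ${NETPREFIX}${n} would collide with the temporary peer (.200) or leave the /24"

  # Generate the keys and save them. The private key only ever travels
  # through the pipe and the (builtin) printf below - never an external argv.
  wg genkey | tee "$KEY" | wg pubkey > "$PUB"
  wg genpsk > "$PSK"
  # A failed wg in the pipeline is not caught by set -e (no pipefail in sh),
  # so refuse to write a config around an empty key.
  [ -s "$KEY" ] && [ -s "$PUB" ] && [ -s "$PSK" ] || die "key generation failed for $HOST"

  # Output our configs
  if [ "$n" -eq 1 ]; then
    # The first host is the "server": make the [Interface] section for it.
    # (No Address line is emitted here, matching the original layout; add one
    # or assign ${NETPREFIX}1 by hand if you bring the interface up with wg-quick.)
    SERVERHOST=$HOST
    SERVERPUB=$PUB
    printf '# %s wireguard configuration for %s\n\n# Our private key and port\n[Interface]\nPrivateKey = %s\nListenPort = %s\n\n# Sections for our peers (really our clients)\n\n' \
      "$SERVER" "$INTERFACE" "$(cat "$KEY")" "$PORT" > "$INTERFACE.conf"
    # A preshared key belongs to a server/client pair, so the server has no
    # PSK of its own; each client's PSK is written into its [Peer] section.
    rm -f -- "$PSK"
  else
    # Every other host is a "client"
    # Make a [Peer] section for the client in the VPN config. The keepalive is
    # not needed on the listening side but is harmless, so it is kept.
    printf '# %s\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s%s/32\nPersistentKeepalive = 25\n\n' \
      "$HOST" "$(cat "$PUB")" "$(cat "$PSK")" "$NETPREFIX" "$n" >> "$INTERFACE.conf"
    # Also generate a config file for the peer itself. AllowedIPs is only the
    # VPN /24, so this does NOT route all traffic; change it to 0.0.0.0/0 on
    # the client if that is wanted (then DNS above actually matters).
    # NOTE(review): "EndPoint" is kept as written; the spelling documented in
    # wg(8) is "Endpoint" - switch to that if your tooling rejects it.
    printf '# WireGuard configuration for %s\n\n[Interface]\nPrivateKey = %s\nAddress = %s%s/24\nDNS = %s\n\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s0/24\nEndPoint = %s:%s\nPersistentKeepalive = 25\n' \
      "$HOST" "$(cat "$KEY")" "$NETPREFIX" "$n" "$DNS" \
      "$(cat "$SERVERPUB")" "$(cat "$PSK")" "$NETPREFIX" "$SERVER" "$PORT" > "${A}_${HOST}.conf"
  fi
  n=$((n + 1))
done

# Add a temporary peer to the configuration file for use with the initial
# connection. It has no PSK and a fixed /32; remove this section once the
# real client configs are in place.
printf '# TEMPORARY peer for the initial connection\n[Peer]\nPublicKey = %s\nAllowedIPs = %s200/32\nPersistentKeepalive = 25\n' \
  "$PUBTEMP" "$NETPREFIX" >> "$INTERFACE.conf"

# Create a temporary peer configuration template. This doesn't have the
# private key, that never leaves the workstation.
printf '# Wireguard TEMPORARY configuration for one workstation. Use this as a\n# template to set up wireguard on the workstation for an initial connection.\n# Use the private key generated on the workstation.\n\n' > INITIAL.conf
printf '[Interface]\nPrivateKey = \nAddress = %s200/32\nDNS = %s\n\n[Peer]\nPublicKey = %s\nAllowedIPs = %s0/24\nEndPoint = %s:%s\nPersistentKeepalive = 25\n' \
  "$NETPREFIX" "$DNS" "$(cat "$SERVERPUB")" "$NETPREFIX" "$SERVER" "$PORT" >> INITIAL.conf

printf 'generated configs for %s (server: %s); distribute the NN_<host>.conf files securely and delete them here afterwards\n' \
  "$INTERFACE" "$SERVERHOST" >&2
#end.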