
WireGuard VPN installer on Ubuntu (OpenVZ environment)

Deploy your own, self-hosted VPN server today and start protecting your privacy! Verifiable zero log policy, dedicated IP address and unlimited device connections!

This script is developed and tested for the following environment and requirements:

  • Ubuntu 20.04 LTS
  • OpenVZ container

The following bash script installs a userspace WireGuard implementation and a web GUI that lets you manage the VPN. The software is used every time a customer purchases a Dedicated VPN instance.

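#!/bin/sh
# Installer for userspace WireGuard (wireguard-go) plus the wireguard-ui web
# GUI on Ubuntu 20.04 inside an OpenVZ container. It writes under /etc, /opt
# and /usr/local and manages systemd units, so it has to run as root.
#
# Only the first "#!" line selects the interpreter. A second "#!/bin/bash"
# line that used to follow was an inert comment and has been dropped; when
# executed directly the script runs under /bin/sh, so keep it POSIX-compatible.

#Variables
# Second address printed by `hostname -I`.
# NOTE(review): presumably the first entry is a container-internal venet0
# address on this platform - confirm before reusing the script elsewhere.
IP=$(hostname -I | awk '{print $2}')
if [ -z "$IP" ]; then
  # Without an address the nginx and wireguard-ui configs below would be
  # written with empty values, so stop before touching the system.
  echo "Could not determine the server IP (hostname -I reported fewer than two addresses)." >&2
  exit 1
fi
SslKeyPath='/etc/nginx/ssl/priv.key'
SslCertPath='/etc/nginx/ssl/ssl.crt'
# NOTE(review): UiScreen is not referenced anywhere else in the visible script.
UiScreen=$(screen -ls | grep Detached | awk '{print $1}')
# 15 random alphanumeric characters from the kernel CSPRNG. LC_ALL=C makes tr
# work on bytes, so a multibyte locale cannot break or skew the filter.
PasswordGenerator=$(LC_ALL=C tr -dc '[:alnum:]' </dev/urandom | head -c15)
# -u: the trailing "Z" claims UTC, so the timestamp has to be taken in UTC.
now=$(date -u +'%Y-%m-%dT%H:%M:%S.%NZ')
# 32 random bytes, base64-encoded: the format WireGuard expects for a PSK.
PresharedKeyGen=$(openssl rand -base64 32)
export DEBIAN_FRONTEND=noninteractive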

#Set proper mirrors
# The distribution's sources.list is moved aside as a backup and replaced by
# the mirror list below. Running the script a second time overwrites that
# backup with the already-modified list.
mv /etc/apt/sources.list /etc/apt/sources.list_backup
# tee writes the list to the file and also echoes it to stdout.
tee /etc/apt/sources.list <<EOF
deb https://mirrors.neterra.net/ubuntu/ focal main restricted universe
deb https://mirrors.neterra.net/ubuntu/ focal-updates main restricted universe
deb https://mirrors.neterra.net/ubuntu/ focal-security main restricted universe multiverse
deb http://archive.canonical.com/ubuntu focal partner
EOF

#Update software and install curl and nginx.
# --allow-releaseinfo-change lets the update continue when a repository's
# Release metadata changed since the last run; apt still verifies repository
# signatures. The partner line above is plain HTTP, so for that repository
# those signatures are the only integrity control.
apt-get -yq --allow-releaseinfo-change update
apt-get -y install curl nginx

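# verify_sha256 FILE EXPECTED
# Compare the SHA-256 digest of FILE with EXPECTED and abort the installation
# on a mismatch. With an empty EXPECTED nothing can be checked, so the file is
# accepted with a warning on stderr.
verify_sha256() {
  if [ -z "$2" ]; then
    echo "WARNING: no pinned SHA-256 for $1; installing it unverified." >&2
    return 0
  fi
  ActualSha256=$(sha256sum "$1" | awk '{print $1}')
  if [ "$ActualSha256" != "$2" ]; then
    echo "SHA-256 mismatch for $1; aborting." >&2
    exit 1
  fi
}

# Pinned digests of the three downloads below.
# TODO: fill these in with digests obtained out-of-band from the publishers.
# Everything fetched here is built or executed as root, and two of the three
# URLs are plain HTTP, so the digest is the only integrity control they have.
GoSha256=''
WireguardGoSha256=''
WireguardUiSha256=''

#Install Go
# Work in a private temporary directory instead of globbing inside the shared
# /tmp, and install to a fixed path (the old "mv go /opt/go*" created a
# directory literally named "go*").
# NOTE(review): Go 1.13.4 no longer receives upstream security fixes; it is
# only used here to build wireguard-go.
GoTarball='go1.13.4.linux-amd64.tar.gz'
GoTmp=$(mktemp -d) || exit 1
wget -O "$GoTmp/$GoTarball" "https://dl.google.com/go/$GoTarball" || exit 1
verify_sha256 "$GoTmp/$GoTarball" "$GoSha256"
tar -zxvf "$GoTmp/$GoTarball" -C "$GoTmp" || exit 1
mv "$GoTmp/go" /opt/go || exit 1
ln -sf /opt/go/bin/go /usr/bin/go
rm -rf "$GoTmp"

#Install WireGuard
apt-get install -y --no-install-recommends wireguard-tools
WireguardGoTarball='wireguard-go-0.0.20191012.tar.xz'
wget -O "/usr/local/src/$WireguardGoTarball" "http://files.vps.bg/vpn/wireguard/$WireguardGoTarball" || exit 1
verify_sha256 "/usr/local/src/$WireguardGoTarball" "$WireguardGoSha256"
tar -xvf "/usr/local/src/$WireguardGoTarball" --directory /usr/local/src/ || exit 1
# The trailing slash makes the glob match only the extracted directory, not
# the tarball lying next to it; stop if the directory is missing rather than
# running make somewhere else.
cd /usr/local/src/wireguard-go-*/ || exit 1
make || exit 1
cp /usr/local/src/wireguard-go-*/wireguard-go /usr/local/bin || exit 1

#Install GUI
WireguardUiTarball='wireguard-ui-v0.3.6-linux-amd64.tar.gz'
mkdir -p /usr/local/src/ui
wget -O "/usr/local/src/ui/$WireguardUiTarball" "http://files.vps.bg/vpn/wireguard/$WireguardUiTarball" || exit 1
verify_sha256 "/usr/local/src/ui/$WireguardUiTarball" "$WireguardUiSha256"
tar xvf "/usr/local/src/ui/$WireguardUiTarball" --directory /usr/local/src/ui || exit 1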

#Cleaning after the installation
# Empty the apt package cache, then delete the downloaded UI, wireguard-go and
# Go archives in a single rm call.
apt-get clean
rm -rf /usr/local/src/ui/*.tar.gz /usr/local/src/*.tar.xz /tmp/*.tar.gz

#Setting up services for the GUI
# Two units work as a pair: wgui.path watches wg0.conf, and wgui.service is
# the oneshot that restarts the tunnel. The here-documents are quoted because
# the unit text contains nothing for the shell to expand.

# Oneshot unit: restart wg-quick@wg0 so a rewritten wg0.conf takes effect.
tee /etc/systemd/system/wgui.service <<'UNIT'
[Unit]
Description=Restart WireGuard
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/systemctl restart wg-quick@wg0.service

[Install]
RequiredBy=wgui.path
UNIT

# Path unit: fires whenever /etc/wireguard/wg0.conf is modified.
tee /etc/systemd/system/wgui.path <<'UNIT'
[Unit]
Description=Watch /etc/wireguard/wg0.conf for changes

[Path]
PathModified=/etc/wireguard/wg0.conf

[Install]
WantedBy=multi-user.target
UNIT

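#Generate SSL key and cert.
# Self-signed RSA-2048 certificate for the nginx front end of the web UI.
# It is valid for 365 days and nothing in this script renews it. Because it is
# self-signed, clients get no authentication from it unless they pin or
# explicitly trust this exact certificate.
mkdir -p /etc/nginx/ssl
chmod 700 /etc/nginx/ssl
openssl genrsa -out "$SslKeyPath" 2048
# Keep the private key readable by root only, whatever the current umask is.
chmod 600 "$SslKeyPath"
# -subj and -addext put the server address into the certificate instead of
# accepting openssl's interactive defaults, so a client that pins the
# certificate can also check that it was issued for this address.
openssl req -key "$SslKeyPath" -new -x509 -days 365 \
  -subj "/CN=$IP" -addext "subjectAltName=IP:$IP" \
  -out "$SslCertPath"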

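#Configure proxy-pass for nginx to the UI
# nginx terminates TLS on port 7654 and forwards to the UI on 127.0.0.1:5000.
# The here-document is unquoted on purpose: $IP, $SslCertPath and $SslKeyPath
# are expanded by the shell when the file is written.
# error_page 497 sends plain-HTTP requests on the TLS port back to https://.
# ssl_protocols limits the listener to TLS 1.2 and 1.3.
# NOTE(review): both logs go to /dev/null, so failed logins against the admin
# UI leave no trace at the proxy - confirm this trade-off is intended.
tee /etc/nginx/sites-available/ui.conf <<EOF
server {

    listen              7654 ssl;
    listen              [::]:7654 ssl;
    error_page 497 https://$IP:7654;
    server_name         $IP;
    root                /var/www/html/;
    error_log   /dev/null   crit;
    access_log  /dev/null;

    # SSL
    ssl_certificate     $SslCertPath;
    ssl_certificate_key $SslKeyPath;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # reverse proxy
    location / {
        proxy_pass http://127.0.0.1:5000;

    }

}
EOF

# -f replaces a link left behind by an earlier run instead of failing.
ln -sf /etc/nginx/sites-available/ui.conf /etc/nginx/sites-enabled/ui.conf
# Remove the stock site so nothing is served on the default port.
rm -rf /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default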

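#Start GUI for first time so that the files can be generated.
# The unit file is written with plain tee (not tee -a), so a second run cannot
# append a duplicate unit, and without the stray "{" / "}" lines, which are not
# valid unit-file syntax.
# NOTE(review): the UI runs as root because it rewrites /etc/wireguard/wg0.conf.
# During this first start it runs with whatever credentials it ships with, and
# the iptables DROP rule for port 5000 does not exist yet (it is only installed
# when wg0 comes up). Whether the UI binds to all interfaces depends on its
# defaults - confirm, and restrict it to loopback if this version allows it.
tee /etc/systemd/system/wireguard-ui.service <<EOF
[Unit]
Description=wireguard-ui

[Service]
User=root
WorkingDirectory=/usr/local/src/ui
ExecStart=/usr/local/src/ui/wireguard-ui
Restart=always

[Install]
WantedBy=multi-user.target
EOF

systemctl start wireguard-ui.service
# Wait for a listener on port 5000. ":5000 " matches the local-address column
# only, not any PID or port that merely contains the digits. The wait is
# bounded so a UI that never starts (or a missing netstat) cannot hang the
# installer forever.
UiWaitTries=0
while ! netstat -tulpn | grep -q ':5000 '; do
  UiWaitTries=$((UiWaitTries + 1))
  if [ "$UiWaitTries" -ge 60 ]; then
    echo "wireguard-ui did not start listening on port 5000 within 120 seconds." >&2
    systemctl stop wireguard-ui.service
    exit 1
  fi
  sleep 2
done
systemctl stop wireguard-ui.service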

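#Generate Client keys
# The client's key pair is generated and kept on the server, so anyone who can
# read these files can impersonate the client. The subshell's umask 077 makes
# both files root-only from the moment they are created; chmod covers a private
# key file left over from an earlier run with wider permissions.
(
  umask 077
  wg genkey | tee /etc/wireguard/dedicatedvpn_private_key | wg pubkey > /etc/wireguard/dedicatedvpn_public_key
)
chmod 600 /etc/wireguard/dedicatedvpn_private_key

ClientPrivateKey=$(cat /etc/wireguard/dedicatedvpn_private_key)
ClientPubkey=$(cat /etc/wireguard/dedicatedvpn_public_key)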

#Append initial config to the UI
# Global settings read by wireguard-ui: the endpoint address handed to clients,
# two public DNS resolver addresses, MTU, keepalive and the path of the
# WireGuard config the UI manages. $IP and $now are expanded by the shell.
tee /usr/local/src/ui/db/server/global_settings.json <<EOF
{
        "endpoint_address": "$IP",
         "dns_servers": [
                "9.9.9.9",
                "149.112.112.112"
        ],
        "mtu": "1450",
        "persistent_keepalive": "15",
        "config_file_path": "/etc/wireguard/wg0.conf",
        "updated_at": "$now"
}
EOF

# Interface settings. post_up adds two iptables rules when the tunnel comes up:
# masquerading of tunnel traffic leaving through venet0, and a DROP for TCP
# port 5000 arriving on venet0, so the UI backend is not reachable from
# outside and only nginx on loopback can talk to it. post_down deletes the
# same two rules, which means the DROP rule exists only while wg0 is up.
# iptables applies the /24 mask, so "-s 10.0.3.2/24" covers 10.0.3.0/24.
tee /usr/local/src/ui/db/server/interfaces.json <<EOF
{
        "addresses": [
                "10.0.3.1/24"
        ],
        "listen_port": "51820",
		"updated_at": "$now",
        "post_up": "iptables -t nat -A POSTROUTING -o venet0 -s 10.0.3.2/24 -j MASQUERADE;  iptables -A INPUT -i venet0 -p tcp --destination-port 5000 -j DROP",
        "post_down": "iptables -t nat -D POSTROUTING -o venet0 -s 10.0.3.2/24 -j MASQUERADE; iptables -D INPUT -i venet0 -p tcp --destination-port 5000 -j DROP"
}
EOF

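# UI login and the first client record. Both files hold secrets (the admin
# password in plain text, the client's private key and the preshared key), so
# each is created empty with mode 600 before any content is written to it.
# NOTE(review): tee also echoes these secrets to stdout. Any terminal
# scrollback or captured install log therefore contains them and has to be
# protected like the files themselves; redirect tee's stdout to /dev/null if
# nothing downstream reads the password from this output.
install -m 600 /dev/null /usr/local/src/ui/db/server/users.json
tee /usr/local/src/ui/db/server/users.json <<EOF
{
        "username": "dedicatedvpn",
        "password": "$PasswordGenerator"
}
EOF

# The client id is a fixed string shared by every installation; the file name
# and the "id" field have to stay in sync.
install -m 600 /dev/null /usr/local/src/ui/db/clients/c8lk2jip7fiao760lhq0.json
tee /usr/local/src/ui/db/clients/c8lk2jip7fiao760lhq0.json <<EOF
{
        "id": "c8lk2jip7fiao760lhq0",
        "private_key": "$ClientPrivateKey",
        "public_key": "$ClientPubkey",
        "preshared_key": "$PresharedKeyGen",
        "name": "dedicatedvpn",
        "email": "noreply@vpn.vpn",
        "allocated_ips": [
                "10.0.3.2/32"
        ],
        "allowed_ips": [
                "0.0.0.0/0"
        ],
        "extra_allowed_ips": [],
        "use_server_dns": true,
        "enabled": true,
        "created_at": "$now",
        "updated_at": "$now"
}
EOF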

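#Create a default wg0 conf for initial config
# Pull the server's private key out of the keypair file the UI generated on its
# first start: take the line containing "private" and keep the quoted value.
WireguardPrivateKey=$(grep private /usr/local/src/ui/db/server/keypair.json | awk '{print $2}' | cut -d '"' -f2)
if [ -z "$WireguardPrivateKey" ]; then
  # An empty PrivateKey would leave wg-quick unable to bring wg0 up; stop here
  # instead of writing a broken config and rebooting into it.
  echo "Could not read the server private key from keypair.json." >&2
  exit 1
fi

# wg0.conf carries the server private key and the preshared key, so it is
# created with mode 600 before the content is written.
# NOTE(review): tee echoes the config, keys included, to stdout; treat any
# captured install output as secret.
install -m 600 /dev/null /etc/wireguard/wg0.conf
tee /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 10.0.3.1/24
ListenPort = 51820
PrivateKey = $WireguardPrivateKey
MTU = 1450
PostUp = iptables -t nat -A POSTROUTING -o venet0 -s 10.0.3.2/24 -j MASQUERADE;  iptables -A INPUT -i venet0 -p tcp --destination-port 5000 -j DROP;
PostDown = iptables -t nat -D POSTROUTING -o venet0 -s 10.0.3.2/24 -j MASQUERADE; iptables -D INPUT -i venet0 -p tcp --destination-port 5000 -j DROP;


[Peer]
PublicKey = $ClientPubkey
PresharedKey = $PresharedKeyGen
AllowedIPs = 10.0.3.2/32
EOF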

#Start all of the needed services
# Bring the tunnel, the config watcher pair and the UI up in this order, then
# restart nginx so it loads the proxy site.
for Unit in wg-quick@wg0 wgui.service wgui.path wireguard-ui.service; do
  systemctl start "$Unit"
done
systemctl restart nginx

# Make the same units start again after a reboot.
for Unit in wireguard-ui.service wg-quick@wg0 wgui.path wgui.service; do
  systemctl enable "$Unit"
done


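#Configure SSH.
# Move sshd to port 22000. The pattern is anchored to the whole line, so only
# a bare (optionally commented-out) "Port 22" is rewritten, never a longer
# number such as "Port 2222".
# Moving the port only cuts down background scanning; it does not replace
# key-only authentication or a firewall.
sed -i 's/^#\{0,1\}Port 22[[:space:]]*$/Port 22000/' /etc/ssh/sshd_config
# Validate the config before restarting: the script reboots at the end, and a
# broken sshd_config would lock the administrator out of the machine.
if /usr/sbin/sshd -t; then
  systemctl restart sshd
else
  echo "sshd_config failed validation; aborting before sshd is restarted." >&2
  exit 1
fi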


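#Remove bloatware & update
# The patterns are quoted so apt-get receives them as written; unquoted, the
# shell would expand them first against files in the current directory.
# The heading mentions an update, but no package update is performed here.
# NOTE(review): purging 'python*' also removes every package that depends on
# Python; on stock Ubuntu that presumably includes unattended-upgrades, which
# would switch off automatic security updates - confirm on the target image.
apt-get purge -y 'libpython*' 'exim*' 'apache2*' 'python*' pwgen tcpdump telnet
apt-get clean
reboot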
