被Linux之父称其为艺术品的WireGuard

运维密码

已于 2023-11-21 23:13:33 修改

阅读量462

点赞数 2

分类专栏：【Linux常用】【计算机网络】【Shell脚本】文章标签： linux 运维服务器 wireguard

于 2023-11-18 12:07:00 首次发布

本文链接：https://blog.csdn.net/jackmaf/article/details/134507165

版权

【Linux常用】同时被 3 个专栏收录

38 篇文章 2 订阅

订阅专栏

【计算机网络】

12 篇文章 1 订阅

订阅专栏

【Shell脚本】

7 篇文章 0 订阅

订阅专栏

简介

WireGuard 是一种极其简单但快速且现代的 VPN，它利用了最先进的加密技术。它的目标是比 IPsec 更快、更简单、更精简和更有用，同时避免令人头疼的问题。旨在提供比 OpenVPN 更高的性能。WireGuard 被设计为在嵌入式接口和超级计算机等上运行的通用 VPN，适用于许多不同的环境。最初仅支持 Linux 平台，现在可以进行跨平台(Windows、macOS、BSD、iOS、Android)的广泛部署。目前仍然在大力开发中，但已经被认为是业内最安全、最容易使用和最简单的 VPN 解决方案。

WireGuard 是由贾森·多南菲尔德 (Jason Donenfeld)等人用 C 语言编写的一个开源3层网络隧道工具，被视为下一代 VPN 协议，从 2020 年 1 月开始，它已经并入了 Linux 内核的 5.6 版本，这意味着大多数 Linux 发行版的用户将拥有一个开箱即用的 WireGuard。

项目官网：https://www.wireguard.com/

Arch Wiki：WireGuard - Arch Linux 中文维基

安装

如果你的内核版本 >= 5.6，就可以用上原生的 WireGuard 了，只需要安装 wireguard-tools 即可使用，而在ubuntu22.04中已做到开箱即用。

# 查看当前内核版本

uname --kernel-release

官方安装手册：https://www.wireguard.com/install/

docker安装：https://hub.docker.com/r/linuxs
脚本一键安装：https://github.com/hwdsl2/wireguard-install/tree/master 或者 https://github.com/angristan/wireguard-install

WireGuard 优点：

高性能和低延迟： WireGuard 被设计成非常快速的 VPN 协议，它能够在保证安全性的同时提供卓越的性能。相比于传统的 VPN 协议，WireGuard 的连接速度更快，延迟更低，适用于对性能要求较高的应用场景。
现代加密： WireGuard 使用了最新的密码学技术，包括 Curve25519 曲线加密、ChaCha20 加密和Poly1305 认证，以确保数据在传输过程中的安全性和隐私保护。
简单易用： WireGuard 的设计理念之一是简单性。它的配置相对较少，易于理解和部署。这使得它非常适合普通用户和系统管理员使用。
跨平台支持： WireGuard 支持多个操作系统，包括 Linux、Windows、macOS、Android 和 iOS 等。这意味着你可以在各种设备和操作系统上使用 WireGuard 创建安全的 VPN 连接。
内核集成： 在 Linux 中，WireGuard 作为一个内核模块集成在操作系统中，这有助于提高性能并降低系统资源的消耗。
透明网络隧道： WireGuard 创建了一个透明的网络隧道，使得连接两个网络的设备可以像在同一个局域网中一样进行通信，这对于建立分布式网络非常有用。
开源： WireGuard 是开源项目，代码可供查看和审核。这意味着它的安全性可以经过广泛的审查来验证。

注意

关于深度包检测：WireGuard并不关注混淆问题。相反，混淆应该发生在WireGuard之上的一层，WireGuard专注于以简单的实现方式提供坚实的加密技术，可以在上层进行混淆操作。
UDP协议：WireGuard默认使用UDP协议，由于TCP-over-TCP隧道的网络性能非常糟糕，WireGuard明确地不支持TCP隧道。相反，将WireGuard的UDP数据包转化为TCP是上层混淆的工作，可以由udptunnel和udp2raw等项目完成。

自定义

配置转发

开启ipv4转发，检查是否已存在 net.ipv4.ip_forward 的配置

echo "net.ipv4.ip_forward=1" | tee -a /etc/sysctl.conf

配置网卡流量转发

PostUp = iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE;iptables -t nat -A POSTROUTING -o hklai -j MASQUERADE;iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE;iptables -t nat -D POSTROUTING -o hklai -j MASQUERADE;iptables -t nat -D POSTROUTING -o ens192 -j MASQUERADE

WireGuard installer脚本

#!/bin/bash

# Secure WireGuard server installer
# https://github.com/angristan/wireguard-install

RED='\033[0;31m'
ORANGE='\033[0;33m'
NC='\033[0m'

function isRoot() {
    if [ "${EUID}" -ne 0 ]; then
        echo "You need to run this script as root"
        exit 1
    fi
}

function checkVirt() {
    if [ "$(systemd-detect-virt)" == "openvz" ]; then
        echo "OpenVZ is not supported"
        exit 1
    fi

    if [ "$(systemd-detect-virt)" == "lxc" ]; then
        echo "LXC is not supported (yet)."
        echo "WireGuard can technically run in an LXC container,"
        echo "but the kernel module has to be installed on the host,"
        echo "the container has to be run with some specific parameters"
        echo "and only the tools need to be installed in the container."
        exit 1
    fi
}

function checkOS() {
    # Check OS version
    if [[ -e /etc/debian_version ]]; then
        source /etc/os-release
        OS="${ID}" # debian or ubuntu
        if [[ ${ID} == "debian" || ${ID} == "raspbian" ]]; then
            if [[ ${VERSION_ID} -lt 10 ]]; then
                echo "Your version of Debian (${VERSION_ID}) is not supported. Please use Debian 10 Buster or later"
                exit 1
            fi
            OS=debian # overwrite if raspbian
        fi
    elif [[ -e /etc/fedora-release ]]; then
        source /etc/os-release
        OS="${ID}"
    elif [[ -e /etc/centos-release ]]; then
        source /etc/os-release
        OS=centos
    elif [[ -e /etc/oracle-release ]]; then
        source /etc/os-release
        OS=oracle
    elif [[ -e /etc/arch-release ]]; then
        OS=arch
    else
        echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Oracle or Arch Linux system"
        exit 1
    fi
}

function initialCheck() {
    isRoot
    checkVirt
    checkOS
}

function installQuestions() {
    echo "Welcome to the WireGuard installer!"
    echo "The git repository is available at: https://github.com/angristan/wireguard-install"
    echo ""
    echo "I need to ask you a few questions before starting the setup."
    echo "You can leave the default options and just press enter if you are ok with them."
    echo ""

    # Detect public IPv4 or IPv6 address and pre-fill for the user
    SERVER_PUB_IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | awk '{print $1}' | head -1)
    if [[ -z ${SERVER_PUB_IP} ]]; then
        # Detect public IPv6 address
        SERVER_PUB_IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)
    fi
    read -rp "IPv4 or IPv6 public address: " -e -i "${SERVER_PUB_IP}" SERVER_PUB_IP

    # Detect public interface and pre-fill for the user
    SERVER_NIC="$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)"
    until [[ ${SERVER_PUB_NIC} =~ ^[a-zA-Z0-9_]+$ ]]; do
        read -rp "Public interface: " -e -i "${SERVER_NIC}" SERVER_PUB_NIC
    done

    until [[ ${SERVER_WG_NIC} =~ ^[a-zA-Z0-9_]+$ && ${#SERVER_WG_NIC} -lt 16 ]]; do
        read -rp "WireGuard interface name: " -e -i wg0 SERVER_WG_NIC
    done

    until [[ ${SERVER_WG_IPV4} =~ ^([0-9]{1,3}\.){3} ]]; do
        read -rp "Server's WireGuard IPv4: " -e -i 10.66.66.1 SERVER_WG_IPV4
    done

    until [[ ${SERVER_WG_IPV6} =~ ^([a-f0-9]{1,4}:){3,4}: ]]; do
        read -rp "Server's WireGuard IPv6: " -e -i fd42:42:42::1 SERVER_WG_IPV6
    done

    # Generate random number within private ports range
    RANDOM_PORT=$(shuf -i49152-65535 -n1)
    until [[ ${SERVER_PORT} =~ ^[0-9]+$ ]] && [ "${SERVER_PORT}" -ge 1 ] && [ "${SERVER_PORT}" -le 65535 ]; do
        read -rp "Server's WireGuard port [1-65535]: " -e -i "${RANDOM_PORT}" SERVER_PORT
    done

    # Adguard DNS by default
    until [[ ${CLIENT_DNS_1} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
        read -rp "First DNS resolver to use for the clients: " -e -i 94.140.14.14 CLIENT_DNS_1
    done
    until [[ ${CLIENT_DNS_2} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
        read -rp "Second DNS resolver to use for the clients (optional): " -e -i 94.140.15.15 CLIENT_DNS_2
        if [[ ${CLIENT_DNS_2} == "" ]]; then
            CLIENT_DNS_2="${CLIENT_DNS_1}"
        fi
    done

    echo ""
    echo "Okay, that was all I needed. We are ready to setup your WireGuard server now."
    echo "You will be able to generate a client at the end of the installation."
    read -n1 -r -p "Press any key to continue..."
}

function installWireGuard() {
    # Run setup questions first
    installQuestions

    # Install WireGuard tools and module
    if [[ ${OS} == 'ubuntu' ]] || [[ ${OS} == 'debian' && ${VERSION_ID} -gt 10 ]]; then
        apt-get update
        apt-get install -y wireguard iptables resolvconf qrencode
    elif [[ ${OS} == 'debian' ]]; then
        if ! grep -rqs "^deb .* buster-backports" /etc/apt/; then
            echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list
            apt-get update
        fi
        apt update
        apt-get install -y iptables resolvconf qrencode
        apt-get install -y -t buster-backports wireguard
    elif [[ ${OS} == 'fedora' ]]; then
        if [[ ${VERSION_ID} -lt 32 ]]; then
            dnf install -y dnf-plugins-core
            dnf copr enable -y jdoss/wireguard
            dnf install -y wireguard-dkms
        fi
        dnf install -y wireguard-tools iptables qrencode
    elif [[ ${OS} == 'centos' ]]; then
        yum -y install epel-release elrepo-release
        if [[ ${VERSION_ID} -eq 7 ]]; then
            yum -y install yum-plugin-elrepo
        fi
        yum -y install kmod-wireguard wireguard-tools iptables qrencode
    elif [[ ${OS} == 'oracle' ]]; then
        dnf install -y oraclelinux-developer-release-el8
        dnf config-manager --disable -y ol8_developer
        dnf config-manager --enable -y ol8_developer_UEKR6
        dnf config-manager --save -y --setopt=ol8_developer_UEKR6.includepkgs='wireguard-tools*'
        dnf install -y wireguard-tools qrencode iptables
    elif [[ ${OS} == 'arch' ]]; then
        pacman -S --needed --noconfirm wireguard-tools qrencode
    fi

    # Make sure the directory exists (this does not seem the be the case on fedora)
    mkdir /etc/wireguard >/dev/null 2>&1

    chmod 600 -R /etc/wireguard/

    SERVER_PRIV_KEY=$(wg genkey)
    SERVER_PUB_KEY=$(echo "${SERVER_PRIV_KEY}" | wg pubkey)

    # Save WireGuard settings
    echo "SERVER_PUB_IP=${SERVER_PUB_IP}
SERVER_PUB_NIC=${SERVER_PUB_NIC}
SERVER_WG_NIC=${SERVER_WG_NIC}
SERVER_WG_IPV4=${SERVER_WG_IPV4}
SERVER_WG_IPV6=${SERVER_WG_IPV6}
SERVER_PORT=${SERVER_PORT}
SERVER_PRIV_KEY=${SERVER_PRIV_KEY}
SERVER_PUB_KEY=${SERVER_PUB_KEY}
CLIENT_DNS_1=${CLIENT_DNS_1}
CLIENT_DNS_2=${CLIENT_DNS_2}" >/etc/wireguard/params

    # Add server interface
    echo "[Interface]
Address = ${SERVER_WG_IPV4}/24,${SERVER_WG_IPV6}/64
ListenPort = ${SERVER_PORT}
PrivateKey = ${SERVER_PRIV_KEY}" >"/etc/wireguard/${SERVER_WG_NIC}.conf"

    if pgrep firewalld; then
        FIREWALLD_IPV4_ADDRESS=$(echo "${SERVER_WG_IPV4}" | cut -d"." -f1-3)".0"
        FIREWALLD_IPV6_ADDRESS=$(echo "${SERVER_WG_IPV6}" | sed 's/:[^:]*$/:0/')
        echo "PostUp = firewall-cmd --add-port ${SERVER_PORT}/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade'
PostDown = firewall-cmd --remove-port ${SERVER_PORT}/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade'" >>"/etc/wireguard/${SERVER_WG_NIC}.conf"
    else
        echo "PostUp = iptables -A FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT; iptables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -A FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE
PostDown = iptables -D FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT; iptables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; iptables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE; ip6tables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE" >>"/etc/wireguard/${SERVER_WG_NIC}.conf"
    fi

    # Enable routing on the server
    echo "net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf

    sysctl --system

    systemctl start "wg-quick@${SERVER_WG_NIC}"
    systemctl enable "wg-quick@${SERVER_WG_NIC}"

    newClient
    echo "If you want to add more clients, you simply need to run this script another time!"

    # Check if WireGuard is running
    systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}"
    WG_RUNNING=$?

    # WireGuard might not work if we updated the kernel. Tell the user to reboot
    if [[ ${WG_RUNNING} -ne 0 ]]; then
        echo -e "\n${RED}WARNING: WireGuard does not seem to be running.${NC}"
        echo -e "${ORANGE}You can check if WireGuard is running with: systemctl status wg-quick@${SERVER_WG_NIC}${NC}"
        echo -e "${ORANGE}If you get something like \"Cannot find device ${SERVER_WG_NIC}\", please reboot!${NC}"
    fi
}

function newClient() {
    ENDPOINT="${SERVER_PUB_IP}:${SERVER_PORT}"

    echo ""
    echo "Tell me a name for the client."
    echo "The name must consist of alphanumeric character. It may also include an underscore or a dash and can't exceed 15 chars."

    until [[ ${CLIENT_NAME} =~ ^[a-zA-Z0-9_-]+$ && ${CLIENT_EXISTS} == '0' && ${#CLIENT_NAME} -lt 16 ]]; do
        read -rp "Client name: " -e CLIENT_NAME
        CLIENT_EXISTS=$(grep -c -E "^### Client ${CLIENT_NAME}\$" "/etc/wireguard/${SERVER_WG_NIC}.conf")

        if [[ ${CLIENT_EXISTS} == '1' ]]; then
            echo ""
            echo "A client with the specified name was already created, please choose another name."
            echo ""
        fi
    done

    for DOT_IP in {2..254}; do
        DOT_EXISTS=$(grep -c "${SERVER_WG_IPV4::-1}${DOT_IP}" "/etc/wireguard/${SERVER_WG_NIC}.conf")
        if [[ ${DOT_EXISTS} == '0' ]]; then
            break
        fi
    done

    if [[ ${DOT_EXISTS} == '1' ]]; then
        echo ""
        echo "The subnet configured supports only 253 clients."
        exit 1
    fi

    BASE_IP=$(echo "$SERVER_WG_IPV4" | awk -F '.' '{ print $1"."$2"."$3 }')
    until [[ ${IPV4_EXISTS} == '0' ]]; do
        read -rp "Client's WireGuard IPv4: ${BASE_IP}." -e -i "${DOT_IP}" DOT_IP
        CLIENT_WG_IPV4="${BASE_IP}.${DOT_IP}"
        IPV4_EXISTS=$(grep -c "$CLIENT_WG_IPV4/24" "/etc/wireguard/${SERVER_WG_NIC}.conf")

        if [[ ${IPV4_EXISTS} == '1' ]]; then
            echo ""
            echo "A client with the specified IPv4 was already created, please choose another IPv4."
            echo ""
        fi
    done

    BASE_IP=$(echo "$SERVER_WG_IPV6" | awk -F '::' '{ print $1 }')
    until [[ ${IPV6_EXISTS} == '0' ]]; do
        read -rp "Client's WireGuard IPv6: ${BASE_IP}::" -e -i "${DOT_IP}" DOT_IP
        CLIENT_WG_IPV6="${BASE_IP}::${DOT_IP}"
        IPV6_EXISTS=$(grep -c "${CLIENT_WG_IPV6}/64" "/etc/wireguard/${SERVER_WG_NIC}.conf")

        if [[ ${IPV6_EXISTS} == '1' ]]; then
            echo ""
            echo "A client with the specified IPv6 was already created, please choose another IPv6."
            echo ""
        fi
    done

    # Generate key pair for the client
    CLIENT_PRIV_KEY=$(wg genkey)
    CLIENT_PUB_KEY=$(echo "${CLIENT_PRIV_KEY}" | wg pubkey)
    CLIENT_PRE_SHARED_KEY=$(wg genpsk)

    # Home directory of the user, where the client configuration will be written
    if [ -e "/home/${CLIENT_NAME}" ]; then
        # if $1 is a user name
        HOME_DIR="/home/${CLIENT_NAME}"
    elif [ "${SUDO_USER}" ]; then
        # if not, use SUDO_USER
        if [ "${SUDO_USER}" == "root" ]; then
            # If running sudo as root
            HOME_DIR="/root"
        else
            HOME_DIR="/home/${SUDO_USER}"
        fi
    else
        # if not SUDO_USER, use /root
        HOME_DIR="/root"
    fi

    # Create client file and add the server as a peer
    echo "[Interface]
PrivateKey = ${CLIENT_PRIV_KEY}
Address = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128
DNS = ${CLIENT_DNS_1},${CLIENT_DNS_2}

[Peer]
PublicKey = ${SERVER_PUB_KEY}
PresharedKey = ${CLIENT_PRE_SHARED_KEY}
Endpoint = ${ENDPOINT}
AllowedIPs = 0.0.0.0/0,::/0" >>"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf"

    # Add the client as a peer to the server
    echo -e "\n### Client ${CLIENT_NAME}
[Peer]
PublicKey = ${CLIENT_PUB_KEY}
PresharedKey = ${CLIENT_PRE_SHARED_KEY}
AllowedIPs = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128" >>"/etc/wireguard/${SERVER_WG_NIC}.conf"

    wg syncconf "${SERVER_WG_NIC}" <(wg-quick strip "${SERVER_WG_NIC}")

    echo -e "\nHere is your client config file as a QR Code:"

    qrencode -t ansiutf8 -l L <"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf"

    echo "It is also available in ${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf"
}

function revokeClient() {
    NUMBER_OF_CLIENTS=$(grep -c -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf")
    if [[ ${NUMBER_OF_CLIENTS} == '0' ]]; then
        echo ""
        echo "You have no existing clients!"
        exit 1
    fi

    echo ""
    echo "Select the existing client you want to revoke"
    grep -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') '
    until [[ ${CLIENT_NUMBER} -ge 1 && ${CLIENT_NUMBER} -le ${NUMBER_OF_CLIENTS} ]]; do
        if [[ ${CLIENT_NUMBER} == '1' ]]; then
            read -rp "Select one client [1]: " CLIENT_NUMBER
        else
            read -rp "Select one client [1-${NUMBER_OF_CLIENTS}]: " CLIENT_NUMBER
        fi
    done

    # match the selected number to a client name
    CLIENT_NAME=$(grep -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf" | cut -d ' ' -f 3 | sed -n "${CLIENT_NUMBER}"p)

    # remove [Peer] block matching $CLIENT_NAME
    sed -i "/^### Client ${CLIENT_NAME}\$/,/^$/d" "/etc/wireguard/${SERVER_WG_NIC}.conf"

    # remove generated client file
    rm -f "${HOME}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf"

    # restart wireguard to apply changes
    wg syncconf "${SERVER_WG_NIC}" <(wg-quick strip "${SERVER_WG_NIC}")
}

function uninstallWg() {
    echo ""
    read -rp "Do you really want to remove WireGuard? [y/n]: " -e -i n REMOVE
    if [[ $REMOVE == 'y' ]]; then
        checkOS

        systemctl stop "wg-quick@${SERVER_WG_NIC}"
        systemctl disable "wg-quick@${SERVER_WG_NIC}"

        if [[ ${OS} == 'ubuntu' ]]; then
            apt-get autoremove --purge -y wireguard qrencode
        elif [[ ${OS} == 'debian' ]]; then
            apt-get autoremove --purge -y wireguard qrencode
        elif [[ ${OS} == 'fedora' ]]; then
            dnf remove -y wireguard-tools qrencode
            if [[ ${VERSION_ID} -lt 32 ]]; then
                dnf remove -y wireguard-dkms
                dnf copr disable -y jdoss/wireguard
            fi
            dnf autoremove -y
        elif [[ ${OS} == 'centos' ]]; then
            yum -y remove kmod-wireguard wireguard-tools qrencode
            yum -y autoremove
        elif [[ ${OS} == 'oracle' ]]; then
            yum -y remove wireguard-tools qrencode
            yum -y autoremove
        elif [[ ${OS} == 'arch' ]]; then
            pacman -Rs --noconfirm wireguard-tools qrencode
        fi

        rm -rf /etc/wireguard
        rm -f /etc/sysctl.d/wg.conf

        # Reload sysctl
        sysctl --system

        # Check if WireGuard is running
        systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}"
        WG_RUNNING=$?

        if [[ ${WG_RUNNING} -eq 0 ]]; then
            echo "WireGuard failed to uninstall properly."
            exit 1
        else
            echo "WireGuard uninstalled successfully."
            exit 0
        fi
    else
        echo ""
        echo "Removal aborted!"
    fi
}

function manageMenu() {
    echo "Welcome to WireGuard-install!"
    echo "The git repository is available at: https://github.com/angristan/wireguard-install"
    echo ""
    echo "It looks like WireGuard is already installed."
    echo ""
    echo "What do you want to do?"
    echo "   1) Add a new user"
    echo "   2) Revoke existing user"
    echo "   3) Uninstall WireGuard"
    echo "   4) Exit"
    until [[ ${MENU_OPTION} =~ ^[1-4]$ ]]; do
        read -rp "Select an option [1-4]: " MENU_OPTION
    done
    case "${MENU_OPTION}" in
    1)
        newClient
        ;;
    2)
        revokeClient
        ;;
    3)
        uninstallWg
        ;;
    4)
        exit 0
        ;;
    esac
}

# Check for root, virt, OS...
initialCheck

# Check if WireGuard is already installed and load params
if [[ -e /etc/wireguard/params ]]; then
    source /etc/wireguard/params
    manageMenu
else
    installWireGuard
fi