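#!/bin/bash
#
# Set up this host as a WireGuard VPN client: install the package, create a
# key pair if none exists yet, write /etc/wireguard/<interface>.conf and bring
# the tunnel up with wg-quick.
#
# Run as a user with sudo rights, after editing the CONFIGURATION section.

# -e stops on the first failing command, -u turns unset variables into
# errors, and pipefail makes a failing stage inside a pipeline (for example
# `wg pubkey`) fail the script instead of being masked by the last stage.
set -euo pipefail

# Everything created below is key material or sits next to it. sudo normally
# honours a stricter caller umask, but sudoers can override that, so the files
# are also chmod'ed explicitly further down.
umask 077

# === CONFIGURATION ===
WG_INTERFACE="wg0"
WG_ADDRESS="10.0.0.2/24"
WG_PRIVATE_KEY_PATH="/etc/wireguard/privatekey"
WG_PUBLIC_KEY_PATH="/etc/wireguard/publickey"
WG_CONF_PATH="/etc/wireguard/${WG_INTERFACE}.conf"
WG_SERVER_PUBLIC_KEY="YOUR_REAL_PUBLIC_KEY_HERE"
WG_SERVER_ENDPOINT="YOUR.SERVER.IP.HERE:51820"
# 0.0.0.0/0 sends all IPv4 traffic through the tunnel. IPv6 is not covered:
# on a dual-stack host it keeps using the normal route unless ::/0 is added
# here and the tunnel is given an IPv6 address.
WG_ALLOWED_IPS="0.0.0.0/0"
WG_KEEPALIVE=25
# NOTE(review): nothing visible in this script reads WG_IFACE; it was
# presumably used by PostUp/PostDown rules that did not survive on the page.
# shellcheck disable=SC2034
WG_IFACE="enp0s3" # Replace with your outbound interface name

# Refuse to touch the system while the peer settings are still the template
# values; the tunnel could never complete a handshake with them.
if [[ "$WG_SERVER_PUBLIC_KEY" == "YOUR_REAL_PUBLIC_KEY_HERE" ||
  "$WG_SERVER_ENDPOINT" == YOUR.SERVER.IP.HERE:* ]]; then
  echo "Set WG_SERVER_PUBLIC_KEY and WG_SERVER_ENDPOINT before running." >&2
  exit 1
fi

# === INSTALL WIREGUARD ===
echo "Installing WireGuard..."
sudo apt-get update
sudo apt-get install -y wireguard

# === GENERATE KEYS ===
echo "Generating WireGuard keys..."
sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard

# The directory is root-only (0700), so the existence test has to run through
# sudo. A plain `[ -f ... ]` as an unprivileged user cannot see inside it,
# always reports "missing", and the key pair would be regenerated on every
# run, silently invalidating the public key registered on the server.
if sudo test -s "$WG_PRIVATE_KEY_PATH"; then
  echo "Private key already exists. Skipping key generation."
  PRIVATE_KEY=$(sudo cat "$WG_PRIVATE_KEY_PATH")
else
  # Generate into a variable first so a failing `wg genkey` aborts the script
  # before an empty key file is left behind. printf is a shell builtin, so
  # the key never shows up in another process's argument list.
  PRIVATE_KEY=$(wg genkey)
  printf '%s\n' "$PRIVATE_KEY" | sudo tee "$WG_PRIVATE_KEY_PATH" >/dev/null
  # The public key is deliberately echoed to the terminal: it is the value to
  # register as this client's peer key on the server.
  printf '%s\n' "$PRIVATE_KEY" | wg pubkey | sudo tee "$WG_PUBLIC_KEY_PATH"
fi
sudo chmod 600 "$WG_PRIVATE_KEY_PATH"

# === WRITE CONFIG FILE ===
echo "Writing WireGuard config to $WG_CONF_PATH..."
# NOTE(review): the here-document body was lost on the page. What follows is
# the minimal wg-quick client configuration built from the variables above;
# restore any extra lines (DNS, PostUp/PostDown) the original carried. The
# page also showed the tail of a second `... > /dev/null` command after the
# config was written, whose content is not recoverable.
sudo tee "$WG_CONF_PATH" >/dev/null <<EOF
[Interface]
PrivateKey = ${PRIVATE_KEY}
Address = ${WG_ADDRESS}

[Peer]
PublicKey = ${WG_SERVER_PUBLIC_KEY}
Endpoint = ${WG_SERVER_ENDPOINT}
AllowedIPs = ${WG_ALLOWED_IPS}
PersistentKeepalive = ${WG_KEEPALIVE}
EOF
# The config embeds the private key, so it must not be readable by anyone but
# root; wg-quick also warns when the file is world-accessible.
sudo chmod 600 "$WG_CONF_PATH"
unset PRIVATE_KEY

# === START THE TUNNEL ===
echo "Starting WireGuard interface ${WG_INTERFACE}..."
sudo wg-quick up "${WG_INTERFACE}"

# wg-quick only configures the interface and routes; it does not prove that
# the peer answered. A handshake timestamp in `wg show` is the real signal.
echo "WireGuard interface ${WG_INTERFACE} is up. Run 'sudo wg show ${WG_INTERFACE}' and check for a latest handshake to confirm the tunnel is connected."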