Currently only IPV4 is supported by wg-monkey. wg-monkey will make entries in your IPV4 table to create killswitch behaviour. Please turn off IPV6 traffic on your interface.
Are you living in an oppressive country where your every word feels like it’s being squeezed through a vice grip? Is your online life being surveilled tighter than your grandma’s prized cookie jar? Are your lips forced shut, leaving you with no choice but to communicate in Morse code under your bed at night? Well, my friend, it sounds like you need a solution that lets you surf the web without looking over your shoulder every five seconds.
Introducing WireGuard and the all-new wg-monkey script—your personal freedom fighter in the world of internet censorship! Whether you’re dodging the prying eyes of Big Brother, navigating the ever-tightening grip of the WEF’s global digital agenda, or just want to stream your favorite cat videos without interruptions, wg-monkey has got you covered. With its ability to switch between a full kill switch, partial kill switch, and a standard connection, you’ll feel like you’re swinging through the jungle of the internet with the agility of a digital Tarzan. Say goodbye to restricted access and hello to online freedom with WireGuard and wg-monkey!
!!!WARNING!!! Although I refer in a jovial way to your personal privacy freedoms (for SEO purposes to get you here) please…. Do your own research! I can only really recommend wg-monkey to help save you from intrusive advertisements, protecting your traffic from a shoddy hotel network and perhaps enjoy an uninterrupted netflix experience while traveling and standard services and the like – if you are trying to hide from an oppressive government or other dangers I really insist you learn what needs to be done for yourself and study wg-monkey as a stepping stone in fully understanding your threats and what you need to do to keep safe online. Your choice in VPN/WireGuard providers is also something you need to look in to. Please run the page by someone who knows what they are doing before taking any action.
Here are the other articles that wg-monkey is based on,
Part 1: Tutorial, How to Use wg-monkey.sh for Managing WireGuard Modes
The wg-monkey.sh script is a powerful tool designed to manage different WireGuard connection modes on your system. These modes allow you to configure your WireGuard interface with varying levels of security and access, such as full or partial kill switches, or a standard connection without a kill switch. This tutorial will guide you through the usage of wg-monkey.sh to list available modes, switch between them, and manage routing settings.
Prerequisites
- Root Access: The script must be run as root because it requires permissions to modify network configurations. Always use
sudowhen running the script. - WireGuard Installed: Ensure that WireGuard is installed and properly configured on your system.
- Script Location: The script is located in
/opt/wg-monkey/. A symlink has been created so it can be run from anywhere aswg-monkey.
Script Overview
The wg-monkey.sh script offers three primary commands:
- List Modes: Displays all available WireGuard modes with descriptions.
- Switch Mode: Changes the WireGuard interface to a specified mode.
- Remove Blackhole: Removes the blackhole route from the routing table if it exists.
Usage Instructions
1. Listing Available Modes
To see all the available WireGuard modes, use the following command:
sudo wg-monkey list modesThis will output a list of modes defined in the /opt/wg-monkey/wg-modes/ directory. Each mode includes a name, description, and the associated configuration file.
Example output:
Available WireGuard Modes:
lankillswitch: A kill switch enabled WireGuard connection that allows access to local network devices, drops pings.
Mode file: lankillswitch.conf
totalkillswitch: A kill switch enabled WireGuard connection that blocks access to local network devices, drops pings.
Mode file: totalkillswitch.conf
wgstandard: A standard WireGuard connection (NO KILLSWITCH) that allows access to local network devices.
Mode file: wgstandard.conf
2. Switching Between Modes
To switch the WireGuard interface to a different mode, use the following command:
sudo wg-monkey switch <interface> <mode><interface>: The name of your WireGuard interface (e.g.,wg0).<mode>: The mode you want to switch to, such aslankillswitch,totalkillswitch, orwgstandard.
Location /etc/wireguard/ is where your interfaces will be created by wg-monkey, e.g. /etc/wireguard/wg0.conf.
When you create a new wireguard config file with your wireguard vpn provider you will be given connections details. You can then use these connection details to create a wg-monkey ‘device’ in /opt/wg-monkey/deviceconfigs/
Here is what your wg0.creds file should look like.
root@ubuntu-ThinkPad-X395:/opt/wg-monkey/deviceconfigs/wg0# pwd
/opt/wg-monkey/deviceconfigs/wg0
root@ubuntu-ThinkPad-X395:/opt/wg-monkey/deviceconfigs/wg0# ls -l
total 4
-rw-r--r-- 1 root root 204 Aug 20 10:40 wg0.creds
root@ubuntu-ThinkPad-X395:/opt/wg-monkey/deviceconfigs/wg0# cat wg0.creds
PUBLIC_KEY="as given to you by your wireguard provider"
PEER_ENDPOINT="as given to you by your wireguard provider"
PRIVATE_KEY="as given to you by your wireguard provider"
ADDRESS="as given to you by your wireguard provider"
FWMARK="pick a unique nuber for each of your 'devices' 51820"
TABLE="same number as FWMARK"
root@ubuntu-ThinkPad-X395:/opt/wg-monkey/deviceconfigs/wg0# wg-monkey will create a device called /etc/wireguard/wg0.conf from /opt/wg-monkey/deviceconfigs/wg0/wg0.creds
You can create as many deviceconfigs as you like /deviceconfigs/wg1/wg1.creds for example.
Example:
sudo wg-monkey switch wg0 lankillswitchThis command will:
- Back up the existing WireGuard configuration.
- Modify and apply the new configuration for the specified mode.
- Safely bring down and then bring up the interface with the new configuration.
3. Removing the Blackhole Route
In some cases, a blackhole route might be added to the routing table, which can cause network connectivity issues. To remove this route, use the following command:
sudo wg-monkey remove_blackholeThis will check for the existence of a blackhole route and remove it if found.
Example Usage
Listing Modes:
sudo wg-monkey list modesSwitching to a Mode:
sudo wg-monkey switch wg0 totalkillswitchRemoving the Blackhole Route:
sudo wg-monkey remove_blackholeUsage Conclusion
The wg-monkey.sh script provides a convenient and automated way to manage multiple WireGuard configurations with different security levels. Whether you need to switch to a secure kill switch mode or a standard connection, this script simplifies the process, ensuring that your network configurations are always correctly applied.
Part 2: WG-Monkey Installer: Step-by-Step Guide
Introduction
This installation guide will walk you through the process of installing, using, and uninstalling WG-Monkey, a tool designed to help you manage WireGuard VPN configurations easily.
Prerequisites
Before you begin, ensure you have the following:
- A Linux-based system (e.g., Ubuntu, Linux Mint).
- Basic knowledge of using the terminal.
- Root or
sudoprivileges to execute system commands.
Step 1: Download the Installer Script
First, you’ll need to download the wg-monkey-installer.sh script to your system. This script will handle the installation, uninstallation, and configuration of WG-Monkey.
I have the installer code available at,
#!/bin/bash
WG_MONKEY_DIR="/opt/wg-monkey"
WG_MONKEY_BIN="/usr/local/bin/wg-monkey"
create_files() {
echo "Creating necessary directories and files..."
# Create the main directory structure
mkdir -p "$WG_MONKEY_DIR/wg-modes"
mkdir -p "$WG_MONKEY_DIR/deviceconfigs/wg0"
mkdir -p "$WG_MONKEY_DIR/backups"
# Create modify_config.py
cat << EOF1 > "$WG_MONKEY_DIR/modify_config.py"
import configparser
import sys
def modify_config(source_file, dest_file):
config = configparser.ConfigParser()
config.optionxform = str # Preserve case of the options
config.read(source_file)
# Assume 'myconfig' is the section to be removed
if 'myconfig' in config.sections():
config.remove_section('myconfig')
with open(dest_file, 'w') as configfile:
config.write(configfile)
if __name__ == "__main__":
if len(sys.argv) < 3:
print("Usage: python modify_config.py source_file dest_file")
sys.exit(1)
modify_config(sys.argv[1], sys.argv[2])
EOF1
# Create wg-monkey.sh (the main script)
cat << EOF2 > "$WG_MONKEY_DIR/wg-monkey.sh"
#!/bin/bash
# Configuration
WG_BASE_DIR="/opt/wg-monkey"
WG_MODES_DIR="\${WG_BASE_DIR}/wg-modes"
DEVICE_CONFIGS_DIR="\${WG_BASE_DIR}/deviceconfigs"
BACKUP_DIR="\${WG_BASE_DIR}/backups"
# Function to list available modes
list_modes() {
echo "Available WireGuard Modes:"
echo
for config_file in \${WG_MODES_DIR}/*; do
local mode_file=\$(basename \$config_file)
local mode_name=\$(grep 'name=' \$config_file | cut -d '=' -f2 | xargs)
local description=\$(grep 'description=' \$config_file | cut -d '=' -f2 | xargs)
printf "%s: %s\n" "\$mode_name" "\$description"
printf "\tMode file: %s\n\n" "\$mode_file"
done
}
# Function to remove blackhole from the route table
remove_blackhole() {
echo "Checking for blackhole route..."
if ip route | grep -q 'blackhole default'; then
echo "Blackhole route found. Removing..."
ip route del blackhole default
echo "Blackhole route removed."
else
echo "No blackhole route found. Nothing to remove."
fi
}
# Function to switch modes
switch_mode() {
local interface=\$1
local mode_name=\$2
local creds_file="\${DEVICE_CONFIGS_DIR}/\${interface}/\${interface}.creds"
local config_file
local found_mode=0
local temp_config="/tmp/\${interface}_temp.conf"
local final_config="/tmp/\${interface}_final.conf"
local actual_config="/etc/wireguard/\${interface}.conf"
echo "Looking for mode '\$mode_name' in \$WG_MODES_DIR"
# Find and prepare the configuration file
for file in "\${WG_MODES_DIR}"/*; do
if grep -q "name=\$mode_name" "\$file"; then
config_file=\$file
found_mode=1
break
fi
done
if [[ \$found_mode -eq 0 ]]; then
echo "Error: Mode '\$mode_name' not found."
exit 1
fi
echo "Found mode '\$mode_name' in file \$config_file"
# Load credentials
if [ -f "\$creds_file" ]; then
source "\$creds_file"
else
echo "Credentials file not found at \$creds_file"
exit 1
fi
# Replace placeholders in the temp config file
cp "\$config_file" "\$temp_config"
sed -i "s|<privatekey>|\$PRIVATE_KEY|g" "\$temp_config"
sed -i "s|<publickey>|\$PUBLIC_KEY|g" "\$temp_config"
sed -i "s|<peer-endpoint>|\$PEER_ENDPOINT|g" "\$temp_config"
sed -i "s|<address>|\$ADDRESS|g" "\$temp_config"
sed -i "s|<fwmark>|\$FWMARK|g" "\$temp_config"
sed -i "s|<table>|\$TABLE|g" "\$temp_config"
# Modify the configuration using a Python script
python3 "\${WG_BASE_DIR}/modify_config.py" "\$temp_config" "\$final_config"
# Ensure no spaces around equals signs in the final configuration
sed -i 's/ \?= \?/=/g' "\$final_config"
# Back up existing configuration if it exists
if [[ -f "\$actual_config" ]]; then
local backup_file="\${BACKUP_DIR}/\${interface}/\${interface}_\$(date +%Y-%m-%d-%H%M%S).conf"
mkdir -p "\${BACKUP_DIR}/\${interface}"
cp "\$actual_config" "\$backup_file"
echo "Backup of existing configuration saved to \$backup_file"
fi
# Bring down the interface safely
if ip link show \$interface > /dev/null 2>&1; then
wg-quick down \$interface
fi
remove_blackhole
# Apply the final configuration
cp "\$final_config" "\$actual_config"
echo "New configuration applied from \$final_config to \$actual_config"
# Apply the new configuration using wg-quick
wg-quick up \$actual_config
echo "\$interface has been configured in \$mode_name mode."
}
# Function to display usage information
display_usage() {
cat << EOF
Usage: \$0 <command> [options]
Commands:
list modes List all available WireGuard modes
switch <interface> <mode> Switch to a specific mode for the given interface
remove_blackhole Remove the blackhole route from the routing table
Examples:
\$0 list modes
\$0 switch wg0 lankillswitch
\$0 remove_blackhole
EOF
}
# Main script logic
if [[ \$# -lt 1 ]]; then
display_usage
exit 1
fi
case \$1 in
list)
if [[ \$2 == "modes" ]]; then
list_modes
else
display_usage
fi
;;
switch)
if [[ -n \$2 && -n \$3 ]]; then
switch_mode \$2 \$3
else
display_usage
fi
;;
remove_blackhole)
remove_blackhole
;;
*)
display_usage
;;
esac
EOF2
chmod +x "$WG_MONKEY_DIR/wg-monkey.sh"
# Create sample configuration files
cat << EOF3 > "$WG_MONKEY_DIR/wg-modes/lankillswitch.conf"
[myconfig]
name=lankillswitch
description=A kill switch enabled wireguard connection that allows access to local network devices, drops pings.
[Interface]
PrivateKey=<privatekey>
Address=<address>
FwMark=<fwmark>
Table=<table>
PostUp=ip rule show | grep -q 'not fwmark <fwmark> table <table>' || ip rule add not fwmark <fwmark> table <table>; ip rule show | grep -q 'table main suppress_prefixlength 0' || ip rule add table main suppress_prefixlength 0; ip route | grep -q 'blackhole default' && ip route del blackhole 0.0.0.0/0 || true;
PostDown=ip rule show | grep -q 'not fwmark <fwmark> table <table>' && ip rule del not fwmark <fwmark> table <table>; ip rule show | grep -q 'table main suppress_prefixlength 0' && ip rule del table main suppress_prefixlength 0; ip route | grep -q 'blackhole default' || ip route add blackhole 0.0.0.0/0 || true;
[Peer]
PublicKey=<publickey>
Endpoint=<peer-endpoint>
AllowedIPs=0.0.0.0/0
PersistentKeepalive=25
EOF3
cat << EOF4 > "$WG_MONKEY_DIR/wg-modes/totalkillswitch.conf"
[myconfig]
name=totalkillswitch
description=A kill switch enabled wireguard connection that blocks access to local network devices, drops pings.
[Interface]
PrivateKey=<privatekey>
Address=<address>
FwMark=<fwmark>
Table=<table>
PostUp=ip rule add not fwmark <fwmark> table <table>; ip rule add table main suppress_prefixlength 0; ip route | grep -q 'blackhole default' && ip route del blackhole 0.0.0.0/0 || true; iptables -A OUTPUT -d 192.168.0.0/16 -j DROP; iptables -A OUTPUT -d 172.16.0.0/12 -j DROP; iptables -A OUTPUT -d 10.0.0.0/8 -j DROP; iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
PreDown=ip rule del not fwmark <fwmark> table <table>; ip rule del table main suppress_prefixlength 0; ip route | grep -q 'blackhole default' || ip route add blackhole 0.0.0.0/0 || true; iptables -D OUTPUT -d 192.168.0.0/16 -j DROP; iptables -D OUTPUT -d 172.16.0.0/12 -j DROP; iptables -D OUTPUT -d 10.0.0.0/8 -j DROP; iptables -D INPUT -p icmp --icmp-type echo-request -j DROP
[Peer]
PublicKey=<publickey>
Endpoint=<peer-endpoint>
AllowedIPs=0.0.0.0/0
PersistentKeepalive=25
EOF4
cat << EOF5 > "$WG_MONKEY_DIR/wg-modes/wgstandard.conf"
[myconfig]
name=wgstandard
description=A standard wireguard connection (NO KILLSWITCH) that allows access to local network devices.
[Interface]
PrivateKey=<privatekey>
Address=<address>
PostUp=ip route del 192.168.0.0/24 dev wg0; ip route del 10.0.0.0/8 dev wg0; ip route del 172.16.0.0/12 dev wg0
[Peer]
PublicKey=<publickey>
Endpoint=<peer-endpoint>
AllowedIPs=0.0.0.0/0, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/24
PersistentKeepalive=25
EOF5
# Create example wg0.creds file
cat << EOF6 > "$WG_MONKEY_DIR/deviceconfigs/wg0/wg0.creds"
PUBLIC_KEY="example public key"
PEER_ENDPOINT="example peer endpoint"
PRIVATE_KEY="example private key"
ADDRESS="example address"
FWMARK="example fwmark"
TABLE="example table"
EOF6
echo "Files created successfully."
}
install_wg_monkey() {
echo "Installing wg-monkey..."
# Create necessary directories and files
create_files
# Create a symbolic link to make wg-monkey accessible from anywhere
ln -sf "$WG_MONKEY_DIR/wg-monkey.sh" "$WG_MONKEY_BIN"
echo "wg-monkey installed successfully. You can run it using the command 'wg-monkey'."
}
uninstall_wg_monkey() {
local full_uninstall=$1
echo "Uninstalling wg-monkey..."
# Remove the symbolic link
if [ -f "$WG_MONKEY_BIN" ]; then
rm "$WG_MONKEY_BIN"
echo "Removed symbolic link $WG_MONKEY_BIN."
fi
if [ "$full_uninstall" = "full" ]; then # Use a single '=' for string comparison
# Remove the entire wg-monkey directory, including deviceconfigs
rm -rf "$WG_MONKEY_DIR"
echo "Full uninstallation complete. Removed $WG_MONKEY_DIR and all its contents."
else
# Remove all files and folders except the deviceconfigs directory
if [ -d "$WG_MONKEY_DIR" ]; then
find "$WG_MONKEY_DIR" -mindepth 1 -maxdepth 1 ! -name "deviceconfigs" -exec rm -rf {} +
echo "Uninstallation complete. Retained $WG_MONKEY_DIR/deviceconfigs directory."
fi
fi
}
display_usage() {
cat << EOF7
Usage: $0 <command>
Commands:
install Install wg-monkey
uninstall Uninstall wg-monkey but keep the deviceconfigs directory
uninstall full Uninstall wg-monkey and remove everything including deviceconfigs directory
EOF7
}
# Main script logic for the installer
if [[ $# -lt 1 ]]; then
display_usage
exit 1
fi
# Ensure this part is correct in the main logic
case $1 in
install)
install_wg_monkey
;;
uninstall)
if [ "$2" == "full" ]; then
uninstall_wg_monkey "full"
else
uninstall_wg_monkey
fi
;;
*)
display_usage
;;
esacPlace the wg-monkey-installer.sh file in a directory where you have the necessary permissions (e.g., your home directory).
Step 2: Make the Script Executable
Once you have the script on your system, you need to make it executable. Open a terminal, navigate to the directory containing the script, and run the following command:
chmod +x wg-monkey-installer.shThis command changes the script’s permissions, allowing you to execute it.
Step 3: Install WG-Monkey
To install WG-Monkey, run the installer script with the install command:
!!!WARNING!!! You really shouldn’t run random code from the internet with sudo privileges, not even from me. You must read the install script, and the code being installed and satisfy yourself that nothing nefarious is included. You continue at your own risk.
sudo wg-monkey-installer.sh install- What This Does: The script will create the necessary directories and files in
/opt/wg-monkey, set up the WireGuard modes, and create a symbolic link so that you can easily run WG-Monkey from anywhere in your terminal. - Symbolic Link: After installation, you can run WG-Monkey using the
wg-monkeycommand.
Step 4: Using WG-Monkey
With WG-Monkey installed, you can list available modes, switch modes, or remove blackhole routes. Here’s how:
List Available Modes:
sudo wg-monkey list modesThis command will display all available WireGuard modes configured in WG-Monkey.
Switch Modes:
sudo wg-monkey switch <interface> <mode>Replace <interface> with your WireGuard interface (e.g., wg0) and <mode> with the desired mode (e.g., lankillswitch).
Remove Blackhole Route:
sudo wg-monkey remove_blackholeThis command will remove any existing blackhole routes from your system.
This is sometimes needed if the black hole killswitch in your ip route is left behind if you use any other command to switch your wire guard connection off.
Step 5: Uninstall WG-Monkey
If you need to uninstall WG-Monkey, the script provides two options:
Regular Uninstall (Keep Device Configurations):
sudo ./wg-monkey-installer.sh uninstallThis option will remove the WG-Monkey installation but will retain your device configurations in /opt/wg-monkey/deviceconfigs.
Full Uninstall (Remove Everything):
sudo ./wg-monkey-installer.sh uninstall fullThis option will remove the entire WG-Monkey installation, including all device configurations.
Install Conclusion
That’s it! You now have WG-Monkey installed and ready to manage your WireGuard VPN configurations. If you encounter any issues or have further questions, don’t hesitate to reach out for support.
Happy networking!