debian buster wireguard router
# 2019-03-29
# debian-buster-DI-alpha5-amd64-netinst.iso
# only the ssh server was selected during install; at the end of the install the box was up and running, i.e. the upstream interface (eth0) was configured and had internet access
# I was running in a hyper-v guest vm on windows and so installed the hyper-v daemons
# and curl as base install doesn't include it, useful for checking public ip's
# then the following
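# Everything below writes to /etc and must run as root.
export DEBIAN_FRONTEND=noninteractive
# Package sources. Transport is plain http; that is acceptable only because apt
# verifies the signed Release/InRelease files, so never add [trusted=yes] or
# disable signature checks to "fix" an apt error. 'experimental' is
# NotAutomatic (pin priority 1) and contributes nothing unless a package is
# explicitly requested with -t experimental. The delimiter is quoted: nothing
# in the heredoc needs shell expansion.
cat <<'EOF' > /etc/apt/sources.list
deb http://httpredir.debian.org/debian buster main contrib non-free
deb-src http://httpredir.debian.org/debian/ buster main contrib non-free
deb http://httpredir.debian.org/debian/ buster-updates main contrib non-free
deb-src http://httpredir.debian.org/debian/ buster-updates main contrib non-free
deb http://security.debian.org/ buster/updates main contrib non-free
deb-src http://security.debian.org/ buster/updates main contrib non-free
deb http://httpredir.debian.org/debian experimental main contrib non-free
deb-src http://httpredir.debian.org/debian experimental main contrib non-free
EOF
# unstable is added with a pin priority below 100: apt only takes a package
# from it when no version of that package is installed from anywhere else
# (presumably so that wireguard can be installed while the rest of the system
# stays on buster). Packages already installed from buster are never upgraded
# to unstable by this.
echo "deb http://httpredir.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
# apt-get has a stable, script-safe CLI; 'apt' warns when not run interactively.
apt-get update
apt-get upgrade -y
apt-get install -y wireguard unbound iptables-persistent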
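# Enable IPv4 forwarding persistently; guarded so re-running this sequence
# does not append a duplicate line.
grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf || echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# Everything under /etc/wireguard is key material. Create the files 0600 from
# the start (umask 077) instead of creating them with the default umask and
# chmod'ing afterwards, which leaves a window where the private key and
# wg0.conf are world-readable.
old_umask=$(umask)
umask 077
mkdir -p /etc/wireguard
# Generate the keypair on this host unless a private key is already present.
# To reuse an existing key, place it in private.key before running this; do not
# paste a private key into this script or into a shell (it ends up in the
# history file). public.key is not read below; it is what you hand to the
# other end of the tunnel.
if [ ! -s /etc/wireguard/private.key ]; then
  wg genkey > /etc/wireguard/private.key
fi
wg pubkey < /etc/wireguard/private.key > /etc/wireguard/public.key
# wg0.conf embeds the private key, hence the same 0600 mode. Replace the two
# placeholders with the remote peer's public key and endpoint. AllowedIPs
# 0.0.0.0/0, ::/0 permits any destination inside the tunnel; because wg0 is
# brought up with 'wg setconf' rather than wg-quick, this adds no routes - the
# policy routing in /etc/network/interfaces decides what actually goes in.
cat <<EOF > /etc/wireguard/wg0.conf
[Interface]
PrivateKey = $(cat /etc/wireguard/private.key)
[Peer]
PublicKey = other-ends-public-key
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ot.he.re.nd:51820
PersistentKeepalive = 25
EOF
chmod 600 /etc/wireguard/*
umask "$old_umask"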
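# Interfaces: eth0 = upstream side, eth1 = LAN behind the tunnel, wg0 = tunnel.
# LAN sources are routed via table "private" (number 200 in
# /etc/iproute2/rt_tables), whose default route points into wg0.
cat <<'EOF' > /etc/network/interfaces
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
# Upstream side. dns-nameservers only takes effect when resolvconf is
# installed; the router's own lookups then leave via eth0 unencrypted. LAN
# clients use unbound on the eth1 address instead, so this only affects the
# router itself.
auto eth0
iface eth0 inet static
address 192.168.100.2/24
gateway 192.168.100.1
dns-nameservers 1.1.1.1
# LAN side. The address has to be in the same /24 as the policy-routing rule
# below and as unbound's 'interface:' (192.168.200.0/24). The original value
# 192.168.20.1/24 did not match: LAN clients would never have hit the rule and
# would have been routed through the main table, i.e. out of eth0 in the clear,
# and unbound could not have bound 192.168.200.1. The rule is removed again on
# ifdown so repeated up/down cycles do not accumulate duplicate rules.
auto eth1
iface eth1 inet static
address 192.168.200.1/24
post-up ip -4 route flush table private
post-up ip -4 rule add from 192.168.200.0/24 lookup private
post-up ip -4 route add 192.168.200.0/24 dev eth1 table private
post-down ip -4 rule del from 192.168.200.0/24 lookup private || true
# Tunnel, built with plain ip/wg rather than wg-quick so nothing touches the
# main routing table. Table private is rebuilt here as well so that bringing
# wg0 up on its own (after eth1) still ends with the wg0 default route present.
auto wg0
iface wg0 inet manual
pre-up ip link add dev wg0 type wireguard
pre-up ip link set dev wg0 mtu 1376
pre-up ip address add 10.1.0.2/16 dev wg0
pre-up wg setconf wg0 /etc/wireguard/wg0.conf
up ip link set up dev wg0
post-up echo 1 > /proc/sys/net/ipv4/conf/wg0/forwarding
post-up ip -4 route flush table private
post-up ip -4 route add 192.168.200.0/24 dev eth1 table private
post-up ip -4 route add 0.0.0.0/0 dev wg0 table private
# Caveat: when wg0 is deleted its routes vanish and the 'lookup private' rule
# falls through to the main table, so without a FORWARD rule that drops
# eth1 -> eth0 traffic, LAN traffic leaks upstream while the tunnel is down.
down ip link del dev wg0
EOF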
# LAN resolver: listens only on the eth1 address, answers only the LAN /24
# (everything else keeps unbound's default refuse), and forwards every query to
# 10.1.0.1 - an address inside the wg0 /16, presumably the far end of the
# tunnel - so LAN DNS never leaves via eth0. cache-min-ttl forces answers to be
# kept at least 30 minutes regardless of the upstream TTL. The delimiter is
# quoted since nothing in the config needs shell expansion.
cat > /etc/unbound/unbound.conf.d/wg0.conf <<'EOF'
server:
num-threads: 4
interface: 192.168.200.1
interface-automatic: no
access-control: 192.168.200.0/24 allow
cache-min-ttl: 1800
cache-max-ttl: 14400
prefetch: yes
forward-zone:
name: "."
forward-addr: 10.1.0.1
EOF
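# Register routing table 200 under the name "private", which the post-up hooks
# in /etc/network/interfaces reference as 'table private'. Guarded so that
# re-running this sequence does not append a duplicate entry.
grep -qE '^200[[:space:]]+private$' /etc/iproute2/rt_tables || cat <<'EOF' >> /etc/iproute2/rt_tables
# custom
200 private
EOF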
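# Firewall. FORWARD now fails closed: the LAN (eth1) may only forward into the
# tunnel, and traffic from wg0 back to the LAN is accepted only for
# connections the LAN opened. With the original ACCEPT policy, LAN traffic
# was forwarded out of eth0 in the clear whenever wg0 was down (the policy
# route disappears with the interface), and the remote peer could reach LAN
# hosts unsolicited. INPUT/OUTPUT are left at ACCEPT as before; tighten INPUT
# (ssh, DNS/53 from eth1, ICMP) once you know where you administer from.
# Only rules.v4 is written and nothing here enables IPv6 forwarding, so the
# LAN gets no IPv6 routing at all; revisit if that changes.
cat <<'EOF' > /etc/iptables/rules.v4
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth1 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o wg0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
# Load now so the ruleset is checked for syntax before the reboot; on boot
# netfilter-persistent restores the same file.
iptables-restore < /etc/iptables/rules.v4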
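# Convenience alias for inspecting the live ruleset; guarded so re-running
# this sequence does not append it to ~/.bashrc a second time.
grep -qF "alias ips=" ~/.bashrc || cat <<'EOF' >> ~/.bashrc
alias ips='iptables -nvL --line-numbers'
EOF
# Reboot so ifupdown, unbound and netfilter-persistent all start from the
# on-disk configuration written above, which also confirms it survives a boot.
reboot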