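#!/bin/sh
# config-dns.sh: install unbound and install the recursive-resolver config
# used by VPN clients. Expects unbound.conf in the current directory and
# must run as root (writes under /etc and /var/lib).
set -eu
# -y: do not block on the confirmation prompt when run unattended.
apt-get install -y unbound unbound-host
# -f makes curl fail on an HTTP error instead of saving the error page as
# the root hints file; -S still reports the failure on stderr.
curl -fsSL -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
# -f: a missing distro config is not an error on a fresh install.
rm -f /etc/unbound/unbound.conf
mv unbound.conf /etc/unbound/
chown -R unbound:unbound /var/lib/unbound
# Only enables the unit at boot; NOTE(review): the new config is picked up
# when unbound is (re)started — confirm that happens elsewhere.
systemctl enable unbound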
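#!/bin/sh
# config-firewall.sh: iptables rules for the WireGuard server.
# Accepts the VPN port, lets VPN clients (10.200.200.0/24) reach the local
# resolver on port 53, and NATs their traffic out through eth0.
# Rules are appended (-A), so re-running this script adds duplicate rules;
# flush or check with `iptables -C` first if it may run more than once.
set -eu
# Return traffic for established flows, inbound and forwarded.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# WireGuard listen port (matches ListenPort in wg0.conf).
iptables -A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
# DNS from VPN clients only, to the unbound instance on this host.
iptables -A INPUT -s 10.200.200.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.200.200.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Peer-to-peer traffic between VPN clients.
# NOTE(review): no explicit FORWARD rule for wg0 -> eth0 is added; client
# internet access relies on the chain's default policy — confirm it is
# ACCEPT, or add a matching rule.
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
# Source-NAT client traffic leaving via eth0.
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE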
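#!/bin/sh
# Register a new WireGuard peer on wg0 and write its client config.
# Usage: $0 NAME NUMBER   (NUMBER is the client's host octet, 2-254)
# Reads ../server_public_key; writes NAME-NUMBER_private_key,
# NAME-NUMBER_public_key and NAME-NUMBER.conf into the current directory.
# Must run as root (calls `wg set`).
set -eu
if [ $# -lt 2 ]; then
  echo 'Give client name and number (2-254)' >&2
  # Non-zero so callers and `set -e` see the usage error.
  exit 1
fi
name=$1
num=$2
# The number is spliced into an address; enforce the documented range.
case $num in
  ''|*[!0-9]*)
    echo 'Client number must be an integer in 2-254' >&2
    exit 1
    ;;
esac
if [ "$num" -lt 2 ] || [ "$num" -gt 254 ]; then
  echo 'Client number must be in 2-254' >&2
  exit 1
fi
# Key files must be owner-only; the default umask would leave the private
# key world-readable.
umask 077
priv_file=${name}-${num}_private_key
pub_file=${name}-${num}_public_key
wg genkey | tee "$priv_file" | wg pubkey > "$pub_file"
pubkey=$(cat "$pub_file")
privkey=$(cat "$priv_file")
# Read the server key before touching the interface so a missing file
# fails without leaving a half-registered peer.
server_pubkey=$(cat ../server_public_key)
wg set wg0 peer "$pubkey" allowed-ips "10.200.200.${num}/32"
# Gen conf file (same content as before, written in one step).
# NOTE(review): DNS points at 1.1.1.1 although the server runs unbound for
# 10.200.200.0/24 at 10.200.200.1 — confirm which resolver is intended.
conf=${name}-${num}.conf
cat > "$conf" <<EOF
[Interface]
Address = 10.200.200.${num}/32
PrivateKey = ${privkey}
DNS = 1.1.1.1

[Peer]
PublicKey = ${server_pubkey}
Endpoint = 157.230.78.45:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF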
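#!/bin/sh
# Server bootstrap: install WireGuard, generate the server key pair, install
# wg0.conf, enable forwarding and run the firewall/DNS helper scripts.
# Expects wg0.conf (Interface section without PrivateKey), config-firewall.sh
# and config-dns.sh in the current directory; must run as root — the other
# commands already assume it, so the lone `sudo` was dropped for consistency.
set -eu
# -y on both: do not block on confirmation prompts when run unattended.
add-apt-repository -y ppa:wireguard/wireguard
apt-get update
apt-get install -y wireguard
# Everything created from here on (keys, config) is owner-only.
umask 077
# NOTE(review): re-running regenerates the key pair, which invalidates every
# client config that embeds the old server public key.
wg genkey | tee server_private_key | wg pubkey > server_public_key
# printf '%s' keeps the key verbatim regardless of its characters.
printf 'PrivateKey = %s\n' "$(cat server_private_key)" >> wg0.conf
mv wg0.conf /etc/wireguard/
chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable wg-quick@wg0.service # Enable the interface at boot
# Persist IP forwarding; the grep guard avoids appending a duplicate line
# every time the script runs.
grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
  || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
# Apply immediately as well, independent of sysctl -p.
echo 1 > /proc/sys/net/ipv4/ip_forward
./config-firewall.sh
./config-dns.sh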
server:
num-threads: 4
#Enable logs
verbosity: 1
#List of root DNS servers
root-hints: "/var/lib/unbound/root.hints"
#Use the root servers key for DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
#Respond to DNS requests on all interfaces
interface: 0.0.0.0
max-udp-size: 3072
#Authorized IPs to access the DNS Server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: 10.200.200.0/24 allow
#Private address range that must not be returned for public internet names
private-address: 10.200.200.0/24
# Hide DNS Server info
hide-identity: yes
hide-version: yes
#Limit DNS Fraud and use DNSSEC
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
#Threshold of unwanted replies above which the cache is flushed, to limit cache poisoning where possible
unwanted-reply-threshold: 10000000
#Have the validator print validation failures to the log.
val-log-level: 1
#Minimum lifetime of cache entries in seconds
cache-min-ttl: 1800
#Maximum lifetime of cached entries
cache-max-ttl: 14400
prefetch: yes
prefetch-key: yes
[Interface]
Address = 10.200.200.1/24
SaveConfig = true
ListenPort = 51820