Set up WireGuard with one command. All from https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/
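#!/bin/sh
# Install unbound and make it the recursive resolver for the VPN clients.
# Expects unbound.conf in the current directory (setup.sh runs this script
# from the gist directory) and must run as root.
set -eu

# -y: non-interactive, so the setup script does not stop at a prompt.
apt-get install -y unbound unbound-host

# -f: fail on an HTTP error instead of saving an error page as the hints file.
curl -fsS -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

# Validate the new config before the packaged one is removed, so a typo does
# not leave unbound without a usable config.
unbound-checkconf unbound.conf

rm -f /etc/unbound/unbound.conf
mv unbound.conf /etc/unbound/
# root.hints (and the trust anchor referenced by unbound.conf) live here and
# must be readable/writable by the service user.
chown -R unbound:unbound /var/lib/unbound

systemctl enable unbound
# The package may already have started unbound with its default config;
# restart so the config installed above is the one actually serving.
systemctl restart unbound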
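#!/bin/sh
# Firewall rules for the WireGuard server.
#
# The rules are additive (-A) and leave every chain's default policy as it
# is; nothing here saves the rules, so they do not survive a reboot unless
# something outside this script persists them. Re-running is safe: a rule
# is only appended when it is not already present (-C).
#
# Overridable environment:
#   WG_IF    WireGuard interface (default wg0)
#   WAN_IF   interface carrying the masqueraded client traffic (default eth0)
#   VPN_NET  client subnet (default 10.200.200.0/24)
#   WG_PORT  WireGuard listen port (default 51820)
set -eu

WG_IF=${WG_IF:-wg0}
WAN_IF=${WAN_IF:-eth0}
VPN_NET=${VPN_NET:-10.200.200.0/24}
WG_PORT=${WG_PORT:-51820}

# add_rule CHAIN RULE...: append RULE to CHAIN in the filter table unless an
# identical rule already exists.
add_rule() {
  iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

# nat_rule CHAIN RULE...: same as add_rule, for the nat table.
nat_rule() {
  iptables -t nat -C "$@" 2>/dev/null || iptables -t nat -A "$@"
}

# Replies to connections the server or its clients opened.
add_rule INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
add_rule FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Inbound WireGuard handshakes from anywhere.
add_rule INPUT -p udp -m udp --dport "$WG_PORT" -m conntrack --ctstate NEW -j ACCEPT

# DNS (unbound) only for the VPN subnet; unbound itself listens on all
# addresses, so this is what keeps the resolver off the public side.
add_rule INPUT -s "$VPN_NET" -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
add_rule INPUT -s "$VPN_NET" -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# Client-to-client traffic. Client-to-Internet forwarding (WG_IF -> WAN_IF)
# is not explicitly allowed here and relies on FORWARD's default policy.
add_rule FORWARD -i "$WG_IF" -o "$WG_IF" -m conntrack --ctstate NEW -j ACCEPT

# Source-NAT client traffic leaving on the WAN interface.
nat_rule POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE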
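#!/bin/sh
# Add a WireGuard client: generate its key pair, register it as a peer on
# wg0 and write a ready-to-import client config.
#
# Usage: add-client NAME NUMBER
#   NAME    client name; letters, digits, '-' and '_' only (it becomes part
#           of the output file names)
#   NUMBER  host number 2-254; the client gets 10.200.200.NUMBER/32
# Reads ../server_public_key, the file the setup script creates one
# directory up.
# Overridable environment:
#   ENDPOINT    server endpoint written to the client config
#               (default 157.230.78.45:51820)
#   CLIENT_DNS  resolver pushed to the client (default 1.1.1.1)
# Writes NAME-NUMBER_private_key, NAME-NUMBER_public_key and NAME-NUMBER.conf
# in the current directory, readable by the owner only.
set -eu

usage() {
  echo 'Give client name and number (2-254)' >&2
  # Non-zero, so a calling script notices the failure.
  exit 1
}

[ $# -ge 2 ] || usage
name=$1
num=$2

# A name with '/', spaces or shell metacharacters would end up in file
# names and in the wg command line; only allow a safe character set.
case $name in
  ''|*[!A-Za-z0-9_-]*) usage ;;
esac
# NUMBER must be an integer; .1 is the server, .255 the broadcast address.
case $num in
  ''|*[!0-9]*) usage ;;
esac
if [ "$num" -lt 2 ] || [ "$num" -gt 254 ]; then
  usage
fi

endpoint=${ENDPOINT:-157.230.78.45:51820}
client_dns=${CLIENT_DNS:-1.1.1.1}
base=$name-$num

# The private key and the client config contain secret material; do not
# rely on the caller's umask to keep them from being world-readable.
umask 077
wg genkey | tee "${base}_private_key" | wg pubkey > "${base}_public_key"
PubKey=$(cat "${base}_public_key")
PrivKey=$(cat "${base}_private_key")
# Read the server key up front: a missing file then aborts under set -e
# instead of silently producing an empty PublicKey line.
ServerPubKey=$(cat ../server_public_key)

# Register the peer on the live interface. wg-quick only writes this back
# to wg0.conf when SaveConfig is enabled there (it is in the bundled file).
wg set wg0 peer "$PubKey" allowed-ips "10.200.200.$num/32"

# Gen conf file. Written with a here-document: an unquoted [Interface] or
# [Peer] passed to echo is a glob and would expand to a matching file name.
conf=$base.conf
cat > "$conf" <<EOF
[Interface]
Address = 10.200.200.$num/32
PrivateKey = $PrivKey
DNS = $client_dns

[Peer]
PublicKey = $ServerPubKey
Endpoint = $endpoint
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF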
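#!/bin/sh
# One-shot WireGuard server setup (Ubuntu, WireGuard PPA).
#
# Must run as root from the directory holding wg0.conf, unbound.conf,
# config-firewall.sh and config-dns.sh. The server key pair is written to
# that directory; the add-client script later reads server_public_key from
# there.
set -eu

# Every step below writes to system locations, so fail early and clearly
# instead of partway through.
if [ "$(id -u)" -ne 0 ]; then
  echo 'run as root' >&2
  exit 1
fi
# The helper scripts and config files are addressed relative to this script.
cd "$(dirname "$0")"

add-apt-repository -y ppa:wireguard/wireguard
apt-get update
# Already root here; -y keeps the run non-interactive.
apt-get install -y wireguard

# Key files and wg0.conf must not be world-readable.
umask 077
wg genkey | tee server_private_key | wg pubkey > server_public_key
# Read the key into a variable first so a read failure aborts under set -e
# rather than appending an empty PrivateKey line.
server_priv=$(cat server_private_key)
printf 'PrivateKey = %s\n' "$server_priv" >> wg0.conf
mv wg0.conf /etc/wireguard/
chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf

wg-quick up wg0
systemctl enable wg-quick@wg0.service #Enable the interface at boot

# Persist IP forwarding without appending a duplicate line on re-run.
grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
  || echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
sysctl -p
# Also enable it immediately for this boot.
echo 1 > /proc/sys/net/ipv4/ip_forward

./config-firewall.sh
./config-dns.sh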
# unbound.conf for the VPN server's recursive resolver. Installed to
# /etc/unbound/ by config-dns.sh; root.hints is downloaded by the same script.
server: | |
num-threads: 4 | |
# Enable logs (0 = errors only, higher is more verbose). | |
verbosity: 1 | |
# List of root DNS servers, fetched by config-dns.sh. | |
root-hints: "/var/lib/unbound/root.hints" | |
# Root zone trust anchor for DNSSEC validation; unbound keeps it up to date. | |
auto-trust-anchor-file: "/var/lib/unbound/root.key" | |
# Listen on every IPv4 address, including the public one. Exposure is limited | |
# by the access-control lines below and by the firewall, which only opens | |
# port 53 to the VPN subnet. | |
interface: 0.0.0.0 | |
max-udp-size: 3072 | |
# Which clients may query: everything is refused unless listed after it. | |
access-control: 0.0.0.0/0 refuse | |
access-control: 127.0.0.1 allow | |
access-control: 10.200.200.0/24 allow | |
# Addresses in this range are stripped from answers for public names | |
# (DNS rebinding protection for the VPN subnet). | |
private-address: 10.200.200.0/24 | |
# Hide DNS server info (id.server / version.server queries). | |
hide-identity: yes | |
hide-version: yes | |
# Limit DNS spoofing: ignore out-of-zone glue, fail on stripped DNSSEC data, | |
# and harden the referral path. | |
harden-glue: yes | |
harden-dnssec-stripped: yes | |
harden-referral-path: yes | |
# Flush the cache once this many unwanted replies are seen, to limit the | |
# effect of cache poisoning attempts. | |
unwanted-reply-threshold: 10000000 | |
# Have the validator print validation failures to the log. | |
val-log-level: 1 | |
# Minimum lifetime of cache entries in seconds; overrides shorter TTLs from | |
# authoritative servers, so records may be served stale for up to 30 min. | |
cache-min-ttl: 1800 | |
# Maximum lifetime of cached entries in seconds. | |
cache-max-ttl: 14400 | |
# Refresh popular entries (and their DNSSEC keys) before they expire. | |
prefetch: yes | |
prefetch-key: yes |
# wg0.conf for the server. The setup script appends the PrivateKey line,
# then moves this file to /etc/wireguard/ and brings the interface up.
[Interface] | |
# Server address on the VPN subnet; clients are assigned .2 - .254. | |
Address = 10.200.200.1/24 | |
# wg-quick rewrites this file from the running state on shutdown: peers
# added with `wg set` are kept, hand edits (and these comments) are lost. | |
SaveConfig = true | |
# Must match the UDP port opened by config-firewall.sh and the Endpoint | |
# in the client configs. | |
ListenPort = 51820 |