sethenoka/wg_install.sh

## wg_install.sh
#!/bin/bash
# This file is designed to spin up a Wireguard VPN quickly and easily,
# including configuring a recursive local DNS server using Unbound
#
# Make sure to change the public/private keys before running the script
# Also change the IPs, IP ranges, and listening port if desired
# iptables-persistent currently requires user input

# add wireguard repo
sudo add-apt-repository ppa:wireguard/wireguard -y

# update/upgrade server and refresh repo
sudo apt update -y && apt upgrade -y

# install wireguard
sudo apt install wireguard -y

# create Wireguard interface config
cat > /etc/wireguard/wg0.conf << ENDOFFILE
[Interface]
PrivateKey = <server_private_key>
Address = 10.20.20.1/24
ListenPort = 55000
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
SaveConfig = true

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.20.20.2/24
ENDOFFILE

# make root owner of the Wireguard config file
sudo chown -v root:root /etc/wireguard/wg0.conf
sudo chmod -v 600 /etc/wireguard/wg0.conf

# bring the Wireguard interface up
sudo wg-quick up wg0

# make Wireguard interface start at boot
sudo systemctl enable wg-quick@wg0.service

# enable IPv4 forwarding
sed -i 's/\#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf

# negate the need to reboot after the above change
sudo sysctl -p
sudo echo 1 > /proc/sys/net/ipv4/ip_forward

# configure the firewall
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 55000 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -s 10.20.20.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -s 10.20.20.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# make firewall changes persistent
sudo apt install iptables-persistent -y
sudo systemctl enable netfilter-persistent
sudo netfilter-persistent save

# install Unbound DNS
sudo apt install unbound unbound-host -y

# download list of DNS root servers
curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

# create Unbound config file
cat > /etc/unbound/unbound.conf << ENDOFFILE
server:
    num-threads: 4

    # enable logs
    verbosity: 1

    # list of root DNS servers
    root-hints: "/var/lib/unbound/root.hints"

    # use the root server's key for DNSSEC
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # respond to DNS requests on all interfaces
    interface: 0.0.0.0
    max-udp-size: 3072

    # IPs authorised to access the DNS Server
    access-control: 0.0.0.0/0                 refuse
    access-control: 127.0.0.1                 allow
    access-control: 10.20.20.0/24             allow

    # not allowed to be returned for public Internet  names
    private-address: 10.20.20.0/24

    #hide DNS Server info
    hide-identity: yes
    hide-version: yes

    # limit DNS fraud and use DNSSEC
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes

    # add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning
    unwanted-reply-threshold: 10000000

    # have the validator print validation failures to the log
    val-log-level: 1

    # minimum lifetime of cache entries in seconds
    cache-min-ttl: 1800

    # maximum lifetime of cached entries in seconds
    cache-max-ttl: 14400
    prefetch: yes
    prefetch-key: yes
ENDOFFILE

# give root ownership of the Unbound config
sudo chown -R unbound:unbound /var/lib/unbound

# disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved

# enable Unbound in place of systemd-resovled
sudo systemctl enable unbound-resolvconf
sudo systemctl enable unbound

# reboot to make changes effective
reboot
	#!/bin/bash
	# This file is designed to spin up a Wireguard VPN quickly and easily,
	# including configuring a recursive local DNS server using Unbound
	#
	# Make sure to change the public/private keys before running the script
	# Also change the IPs, IP ranges, and listening port if desired
	# iptables-persistent currently requires user input

	# add wireguard repo
	sudo add-apt-repository ppa:wireguard/wireguard -y

	# update/upgrade server and refresh repo
	sudo apt update -y && apt upgrade -y

	# install wireguard
	sudo apt install wireguard -y

	# create Wireguard interface config
	cat > /etc/wireguard/wg0.conf << ENDOFFILE
	[Interface]
	PrivateKey = <server_private_key>
	Address = 10.20.20.1/24
	ListenPort = 55000
	PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
	PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
	SaveConfig = true

	[Peer]
	PublicKey = <client_public_key>
	AllowedIPs = 10.20.20.2/24
	ENDOFFILE

	# make root owner of the Wireguard config file
	sudo chown -v root:root /etc/wireguard/wg0.conf
	sudo chmod -v 600 /etc/wireguard/wg0.conf

	# bring the Wireguard interface up
	sudo wg-quick up wg0

	# make Wireguard interface start at boot
	sudo systemctl enable wg-quick@wg0.service

	# enable IPv4 forwarding
	sed -i 's/\#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf

	# negate the need to reboot after the above change
	sudo sysctl -p
	sudo echo 1 > /proc/sys/net/ipv4/ip_forward

	# configure the firewall
	sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	sudo iptables -A INPUT -p udp -m udp --dport 55000 -m conntrack --ctstate NEW -j ACCEPT
	sudo iptables -A INPUT -s 10.20.20.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
	sudo iptables -A INPUT -s 10.20.20.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

	# make firewall changes persistent
	sudo apt install iptables-persistent -y
	sudo systemctl enable netfilter-persistent
	sudo netfilter-persistent save

	# install Unbound DNS
	sudo apt install unbound unbound-host -y

	# download list of DNS root servers
	curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

	# create Unbound config file
	cat > /etc/unbound/unbound.conf << ENDOFFILE
	server:
	num-threads: 4

	# enable logs
	verbosity: 1

	# list of root DNS servers
	root-hints: "/var/lib/unbound/root.hints"

	# use the root server's key for DNSSEC
	auto-trust-anchor-file: "/var/lib/unbound/root.key"

	# respond to DNS requests on all interfaces
	interface: 0.0.0.0
	max-udp-size: 3072

	# IPs authorised to access the DNS Server
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.1 allow
	access-control: 10.20.20.0/24 allow

	# not allowed to be returned for public Internet names
	private-address: 10.20.20.0/24

	#hide DNS Server info
	hide-identity: yes
	hide-version: yes

	# limit DNS fraud and use DNSSEC
	harden-glue: yes
	harden-dnssec-stripped: yes
	harden-referral-path: yes

	# add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning
	unwanted-reply-threshold: 10000000

	# have the validator print validation failures to the log
	val-log-level: 1

	# minimum lifetime of cache entries in seconds
	cache-min-ttl: 1800

	# maximum lifetime of cached entries in seconds
	cache-max-ttl: 14400
	prefetch: yes
	prefetch-key: yes
	ENDOFFILE

	# give root ownership of the Unbound config
	sudo chown -R unbound:unbound /var/lib/unbound

	# disable systemd-resolved
	sudo systemctl stop systemd-resolved
	sudo systemctl disable systemd-resolved

	# enable Unbound in place of systemd-resovled
	sudo systemctl enable unbound-resolvconf
	sudo systemctl enable unbound

	# reboot to make changes effective
	reboot