-
enable bbrplus on debian 9 and above
git clone https://github.com/Xaster/bbrplus-debian.git cd bbrplus-debian # run as root make && make install sysctl -w net.core.default_qdisc=fq sysctl -w net.ipv4.tcp_congestion_control=bbrplus
-
udp2raw + udpspeeder
# server side nohup ./udp2raw_amd64 -s -l 0.0.0.0:50001 -r 127.0.0.1:50000 --raw-mode faketcp -a -k moon5 --cipher-mode none --auth-mode none & nohup ./speederv2_amd64 -s -l 0.0.0.0:50000 -r 127.0.0.1:55000 -f1:4,2:5,10:14,20:20,100:82 --mode 1 --mtu 1400 & # macOS sudo ./udp2raw_mp_nolibnet -c -l 127.0.0.1:12316 -r 8.182.8.24:50001 --raw-mode easyfaketcp -k moon5 --cipher-mode none --auth-mode none sudo ./speederv2 -c -l 0.0.0.0:12315 -r 127.0.0.1:12316 -f1:4,2:5,10:14,20:20,100:82 --mode 1 --mtu 1400 --report 10
-
-
Save zjx20/a2cadf869bd015aeee6c34f361686d53 to your computer and use it in GitHub Desktop.
A script to spin up a Wireguard VPN server with Unbound recursive DNS in a hurry
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| server_ip=$(curl -4 ifconfig.co) | |
| echo "Detected server ip is ${server_ip}, please double check." | |
| sudo bash -c "cat > /etc/wireguard/client2" << EOF | |
| [Interface] | |
| Address = 10.20.20.2/32 | |
| PrivateKey = client_private_key | |
| DNS = 10.20.20.1 | |
| TABLE = auto | |
| [Peer] | |
| PublicKey = server_public_key | |
| Endpoint = ${server_ip}:55000 | |
| AllowedIPs = 0.0.0.0/0 | |
| EOF | |
| sudo sed -i "s/client_private_key/$(sudo sed 's:/:\\/:g' /etc/wireguard/client_private.key)/" /etc/wireguard/client2 | |
| sudo sed -i "s/server_public_key/$(sudo sed 's:/:\\/:g' /etc/wireguard/server_public.key)/" /etc/wireguard/client2 | |
| sudo apt install qrencode -y | |
| sudo bash -c "qrencode -t ansiutf8 < /etc/wireguard/client2" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # This file is designed to spin up a Wireguard VPN quickly and easily, | |
| # including configuring a recursive local DNS server using Unbound | |
| # | |
| # Change the IPs, IP ranges, and listening port if desired | |
| # iptables-persistent currently requires user input | |
| # | |
| # When setting up on AWS lightsail vps, it's better to use Debian to | |
| # avoid the confliction between unbound and systemd-resolved. | |
| # Reference: https://golb.hplar.ch/2018/10/wireguard-on-amazon-lightsail.html | |
| # the interface name for default routing | |
| default_ifname=eth0 | |
| # add wireguard repo | |
| if [ -f /etc/debian_version ]; then | |
| sudo bash -c 'echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list' | |
| sudo bash -c "printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable" | |
| else | |
| # for ubuntu <= 19.04 | |
| sudo add-apt-repository ppa:wireguard/wireguard -y | |
| fi | |
| # update/upgrade server and refresh repo | |
| sudo apt update -y && sudo apt upgrade -y | |
| # install wireguard | |
| sudo apt install wireguard -y | |
| # create Wireguard interface config | |
| sudo bash -c "cat > /etc/wireguard/wg0.conf" << ENDOFFILE | |
| [Interface] | |
| PrivateKey = server_private_key | |
| Address = 10.20.20.1 | |
| ListenPort = 55000 | |
| PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ${default_ifname} -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ${default_ifname} -j MASQUERADE | |
| PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ${default_ifname} -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ${default_ifname} -j MASQUERADE | |
| SaveConfig = true | |
| [Peer] | |
| PublicKey = client_public_key | |
| AllowedIPs = 10.20.20.0/24 | |
| ENDOFFILE | |
| cat << EOF | sudo bash | |
| cd /etc/wireguard/ | |
| umask 077 | |
| [ ! -f server_private.key ] && wg genkey | tee server_private.key | wg pubkey > server_public.key | |
| [ ! -f client_private.key ] && wg genkey | tee client_private.key | wg pubkey > client_public.key | |
| EOF | |
| sudo sed -i "s/server_private_key/$(sudo sed 's:/:\\/:g' /etc/wireguard/server_private.key)/" /etc/wireguard/wg0.conf | |
| sudo sed -i "s/client_public_key/$(sudo sed 's:/:\\/:g' /etc/wireguard/client_public.key)/" /etc/wireguard/wg0.conf | |
| # make root owner of the Wireguard config file | |
| sudo chown -v root:root /etc/wireguard/wg0.conf | |
| sudo chmod -v 600 /etc/wireguard/wg0.conf | |
| # bring the Wireguard interface up, note that the command only works after a reboot | |
| #sudo wg-quick up wg0 | |
| # make Wireguard interface start at boot | |
| sudo systemctl enable wg-quick@wg0.service | |
| # enable IPv4 forwarding | |
| sudo sed -i 's/\#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf | |
| # negate the need to reboot after the above change | |
| sudo sysctl -p | |
| # configure the firewall and make it persistent | |
| sudo apt install iptables-persistent -y | |
| sudo systemctl enable netfilter-persistent | |
| sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| sudo iptables -A INPUT -p udp -m udp --dport 55000 -m conntrack --ctstate NEW -j ACCEPT | |
| sudo iptables -A INPUT -s 10.20.20.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT | |
| sudo iptables -A INPUT -s 10.20.20.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT | |
| sudo netfilter-persistent save | |
| # install Unbound DNS | |
| sudo apt install unbound unbound-host -y | |
| # download list of DNS root servers | |
| sudo curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache | |
| # create Unbound config file | |
| sudo bash -c "cat > /etc/unbound/unbound.conf" << ENDOFFILE | |
| server: | |
| num-threads: 4 | |
| # enable logs | |
| verbosity: 1 | |
| # list of root DNS servers | |
| root-hints: "/var/lib/unbound/root.hints" | |
| # use the root server's key for DNSSEC | |
| auto-trust-anchor-file: "/var/lib/unbound/root.key" | |
| # respond to DNS requests on all interfaces | |
| interface: 0.0.0.0 | |
| max-udp-size: 3072 | |
| # IPs authorised to access the DNS Server | |
| access-control: 0.0.0.0/0 refuse | |
| access-control: 127.0.0.1 allow | |
| access-control: 10.20.20.0/24 allow | |
| # not allowed to be returned for public Internet names | |
| private-address: 10.20.20.0/24 | |
| #hide DNS Server info | |
| hide-identity: yes | |
| hide-version: yes | |
| # limit DNS fraud and use DNSSEC | |
| harden-glue: yes | |
| harden-dnssec-stripped: yes | |
| harden-referral-path: yes | |
| # add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning | |
| unwanted-reply-threshold: 10000000 | |
| # have the validator print validation failures to the log | |
| val-log-level: 1 | |
| # minimum lifetime of cache entries in seconds | |
| cache-min-ttl: 1800 | |
| # maximum lifetime of cached entries in seconds | |
| cache-max-ttl: 14400 | |
| prefetch: yes | |
| prefetch-key: yes | |
| ENDOFFILE | |
| # give root ownership of the Unbound config | |
| sudo chown -R unbound:unbound /var/lib/unbound | |
| # disable systemd-resolved | |
| sudo systemctl stop systemd-resolved | |
| sudo systemctl disable systemd-resolved | |
| # enable Unbound in place of systemd-resovled | |
| sudo systemctl enable unbound-resolvconf | |
| sudo systemctl enable unbound | |
| # reboot to make changes effective | |
| reboot |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment