
@Anachron
Forked from sethenoka/wg_install.sh
Created June 24, 2019 07:15

Revisions

  1. @sethenoka sethenoka revised this gist Mar 21, 2019. No changes.
  2. @sethenoka sethenoka created this gist Mar 21, 2019.
    130 changes: 130 additions & 0 deletions wg_install.sh
    @@ -0,0 +1,130 @@
    #!/bin/bash
    # This file is designed to spin up a Wireguard VPN quickly and easily,
    # including configuring a recursive local DNS server using Unbound
    #
    # Make sure to change the public/private keys before running the script
    # Also change the IPs, IP ranges, and listening port if desired
    # iptables-persistent currently requires user input

    # add wireguard repo
    sudo add-apt-repository ppa:wireguard/wireguard -y

    # update/upgrade server and refresh repo
    sudo apt update -y && apt upgrade -y

    # install wireguard
    sudo apt install wireguard -y

    # create Wireguard interface config
    cat > /etc/wireguard/wg0.conf << ENDOFFILE
    [Interface]
    PrivateKey = <server_private_key>
    Address = 10.20.20.1/24
    ListenPort = 55000
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
    SaveConfig = true
    [Peer]
    PublicKey = <client_public_key>
    AllowedIPs = 10.20.20.2/24
    ENDOFFILE

    # make root owner of the Wireguard config file
    sudo chown -v root:root /etc/wireguard/wg0.conf
    sudo chmod -v 600 /etc/wireguard/wg0.conf

    # bring the Wireguard interface up
    sudo wg-quick up wg0

    # make Wireguard interface start at boot
    sudo systemctl enable wg-quick@wg0.service

    # enable IPv4 forwarding
    sed -i 's/\#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf

    # negate the need to reboot after the above change
    sudo sysctl -p
    sudo echo 1 > /proc/sys/net/ipv4/ip_forward

    # configure the firewall
    sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A INPUT -p udp -m udp --dport 55000 -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables -A INPUT -s 10.20.20.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables -A INPUT -s 10.20.20.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # make firewall changes persistent
    sudo apt install iptables-persistent -y
    sudo systemctl enable netfilter-persistent
    sudo netfilter-persistent save

    # install Unbound DNS
    sudo apt install unbound unbound-host -y

    # download list of DNS root servers
    curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

    # create Unbound config file
    cat > /etc/unbound/unbound.conf << ENDOFFILE
    server:
    num-threads: 4
    # enable logs
    verbosity: 1
    # list of root DNS servers
    root-hints: "/var/lib/unbound/root.hints"
    # use the root server's key for DNSSEC
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # respond to DNS requests on all interfaces
    interface: 0.0.0.0
    max-udp-size: 3072
    # IPs authorised to access the DNS Server
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.1 allow
    access-control: 10.20.20.0/24 allow
    # not allowed to be returned for public Internet names
    private-address: 10.20.20.0/24
    #hide DNS Server info
    hide-identity: yes
    hide-version: yes
    # limit DNS fraud and use DNSSEC
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    # add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning
    unwanted-reply-threshold: 10000000
    # have the validator print validation failures to the log
    val-log-level: 1
    # minimum lifetime of cache entries in seconds
    cache-min-ttl: 1800
    # maximum lifetime of cached entries in seconds
    cache-max-ttl: 14400
    prefetch: yes
    prefetch-key: yes
    ENDOFFILE

    # give root ownership of the Unbound config
    sudo chown -R unbound:unbound /var/lib/unbound

    # disable systemd-resolved
    sudo systemctl stop systemd-resolved
    sudo systemctl disable systemd-resolved

    # enable Unbound in place of systemd-resovled
    sudo systemctl enable unbound-resolvconf
    sudo systemctl enable unbound

    # reboot to make changes effective
    reboot
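Review bot: The "configure the firewall" block (the five `iptables -A INPUT`/`FORWARD` lines) only appends ACCEPT rules and never sets a deny default, so on a host with the stock ACCEPT policy these rules restrict nothing, and Unbound's `interface: 0.0.0.0` is then reachable from outside with only `access-control: 0.0.0.0/0 refuse` standing in the way; add an accept for `lo` and the SSH port first, then `sudo iptables -P INPUT DROP` before `netfilter-persistent save`. The peer entry `AllowedIPs = 10.20.20.2/24` lets that single client source traffic from any address in the /24 through the tunnel; for one client it should read `AllowedIPs = 10.20.20.2/32`. `sudo echo 1 > /proc/sys/net/ipv4/ip_forward` does not work as intended because the redirection is performed by the unprivileged calling shell, not by sudo; `sudo sysctl -w net.ipv4.ip_forward=1` is the equivalent that actually applies. The same missing privilege affects the `apt upgrade -y` after `&&`, both `cat > /etc/...` heredocs, the `sed -i` on /etc/sysctl.conf and the `curl -o /var/lib/unbound/root.hints` call, and that curl has no `-f`/exit-status check, so a failed download silently leaves an empty root.hints. The wg0.conf heredoc is also written with the default umask and only afterwards chmod'ed to 600, so writing it as `umask 077` (or `install -m 600`) would avoid the brief window where the private key is world-readable.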