Для установки нового VPN сервера

vpn_install.sh

#!/bin/bash

if [ "${EUID}" -ne 0 ]; then
        echo "You need to run this script as root"
        exit 1
fi

# Добавляем официальные репозитории для ubuntu 20.04 LTS
echo "deb http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-updates main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse

deb http://archive.canonical.com/ubuntu focal partner
deb-src http://archive.canonical.com/ubuntu focal partner" >> /etc/apt/sources.list;

echo "nameserver 8.8.8.8" >> /etc/resolv.conf;
echo "213.226.68.157 axo-vpn.ru" >> /etc/hosts;

apt-get update && apt-get upgrade -y;
apt-get install curl nano net-tools -y;
mkdir -p /home/vpn/wireguard && cd /home/vpn/wireguard;

# Ставим wireguard
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh;
chmod +x wireguard-install.sh;
./wireguard-install.sh;
# Далее необходимо вручную выбрать настройки VPN

# Правила для рекурсивного DNS
iptables -A INPUT -s 10.66.66.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT;
iptables -A INPUT -s 10.66.66.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT;

# Правила для доступа к вебке pihole
iptables -A INPUT -s 10.66.66.0/24 -p tcp --dport 80 -j ACCEPT;
iptables -A INPUT -p tcp --dport 80 -j DROP;

# Правила для Zabbix-agent
iptables -A INPUT -s axo-vpn.ru -p tcp -m tcp --dport 10050 -j ACCEPT;
iptables -A INPUT -p tcp -m tcp --dport 10050 -j DROP;

# Сохраняем правила
apt-get install iptables-persistent -y;
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections;
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections;
sudo systemctl enable netfilter-persistent;
sudo netfilter-persistent save;

# Ставим PIHOLE
mkdir /home/pihole && cd /home/pihole;
curl -sSL https://install.pi-hole.net | bash;

# Ставим unbound DNS
apt-get install unbound unbound-host -y;
curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache;
# Создаем конфиг
echo "server:
     # if no logfile is specified, syslog is used
     # logfile: /var/log/unbound/unbound.log
     verbosity: 1
     port: 5353

     do-ip4: yes
     do-udp: yes
     do-tcp: yes

     # may be set to yes if you have IPv6 connectivity
     do-ip6: no

     # use this only when you downloaded the list of primary root servers
     root-hints: '/var/lib/unbound/root.hints'

     # respond to DNS requests on all interfaces
     interface: 127.0.0.1
     max-udp-size: 3072

     # IPs authorised to access the DNS Server
     access-control: 0.0.0.0/0                 refuse
     access-control: 127.0.0.1                 allow
     access-control: 10.66.66.0/24             allow

     # hide DNS Server info
     hide-identity: yes
     hide-version: yes

     # limit DNS fraud and use DNSSEC
     harden-glue: yes
     harden-dnssec-stripped: yes
     harden-referral-path: yes

     # add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning
     unwanted-reply-threshold: 10000000

     # have the validator print validation failures to the log val-log-level: 1
     # don't use Capitalisation randomisation as it known to cause DNSSEC issues sometimes
     # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
     use-caps-for-id: no

     # reduce EDNS reassembly buffer size
     # suggested by the unbound man page to reduce fragmentation reassembly problems
     edns-buffer-size: 1472

     # TTL bounds for cache
     cache-min-ttl: 3600
     cache-max-ttl: 86400

     # perform prefetching of close to expired message cache entries
     # this only applies to domains that have been frequently queried
     prefetch: yes
     prefetch-key: yes
     # one thread should be sufficient, can be increased on beefy machines
     num-threads: 1
     # ensure kernel buffer is large enough to not lose messages in traffic spikes
     so-rcvbuf: 1m

     # ensure privacy of local IP ranges
     private-address: 192.168.0.0/16
     private-address: 169.254.0.0/16
     private-address: 172.16.0.0/12
     private-address: 10.0.0.0/8
     private-address: fd00::/8
     private-address: fe80::/10" > /etc/unbound/unbound.conf.d/pi-hole.conf;

# Перезагружаем сервисы
systemctl restart unbound.service;
systemctl restart pihole-FTL.service;

# ZABBIX
wget https://repo.zabbix.com/zabbix/6.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_6.0-1+ubuntu20.04_all.deb;
dpkg -i zabbix-release_6.0-1+ubuntu20.04_all.deb;
apt-get install zabbix-agent -y;
echo "
TLSConnect=psk
TLSAccept=psk
TLSPSKFile=/etc/zabbix/zabbix_agentd.psk
TLSPSKIdentity=AXO-AGENT

EnableRemoteCommands=1

Server=axo-vpn.ru
ServerActive=axo-vpn.ru
Timeout=30" >> /etc/zabbix/zabbix_agentd.conf;

PSK_KEY=$(openssl rand -hex 32);
echo "$PSK_KEY" > /etc/zabbix/zabbix_agentd.psk;
systemctl restart zabbix-agent.service;

echo "Zabbix psk key: $PSK_KEY";
echo "Zabbix TLSPSKIdentity: AXO-AGENT";
echo "Done!";