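#!/usr/bin/env bash
# Provision a WireGuard server on Ubuntu in one pass: install the kernel
# headers, PPA and tooling, generate server/client configs with the
# downloaded wg-genconf.sh, bring up wg0, enable IPv4 forwarding, add
# iptables ACCEPT rules, install Unbound as a resolver for the VPN subnet,
# then reboot.
#
# usage:
#   wg-ubuntu-server-up.sh [<number_of_clients>]    (default: 10)
#
# Must run as root: it writes under /etc and /var/lib, loads kernel modules
# and reboots at the end. The original mixed `sudo` and non-`sudo` commands;
# with a root check up front the prefix is redundant and has been dropped.
set -euo pipefail

# Print a message on stderr and exit non-zero.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Section banner. printf (not echo) so the leading dashes are never read as options.
step() { printf -- '--- %s\n' "$*"; }

# UDP port the INPUT rule opens; must match the ListenPort wg-genconf.sh writes
# into wg0.conf — TODO confirm against wg-genconf.sh.
readonly WG_PORT=55000
# VPN client subnet allowed to reach the resolver; must match the addresses
# wg-genconf.sh assigns — TODO confirm against wg-genconf.sh.
readonly WG_SUBNET=10.0.0.0/24
readonly GENCONF_URL=https://raw.githubusercontent.com/buraksarica/wireguard/master/wg-genconf.sh
readonly ROOT_HINTS_URL=https://www.internic.net/domain/named.cache

(( EUID == 0 )) || die "run as root: this script writes to /etc, loads modules and reboots"

clients_count=${1:-10}
# The value is handed to a downloaded script as an argument; only accept a plain integer.
[[ "$clients_count" =~ ^[0-9]+$ ]] || die "number_of_clients must be an integer, got '${clients_count}'"

mkdir -p "$HOME/wireguard"
mkdir -p /etc/wireguard

step "install linux headers"
apt install -y linux-headers-"$(uname -r)"

step "install software-properties-common"
apt install -y software-properties-common

step "install wireguard"
add-apt-repository -y ppa:wireguard/wireguard
apt update && apt upgrade -y
apt install -y wireguard
modprobe wireguard

step "install qrencode"
apt install -y qrencode

step "download wg-genconf.sh"
cd "$HOME/wireguard" || die "cannot cd to $HOME/wireguard"
# NOTE(review): this fetches a script from a moving GitHub branch and executes
# it below with no pinned commit or checksum — whoever controls that branch
# controls this host. Pin to a specific commit (or verify a known hash) before
# relying on this in anything but a throwaway VM.
wget -O ./wg-genconf.sh -- "$GENCONF_URL" || die "download of wg-genconf.sh failed"
chmod +x ./wg-genconf.sh

step "generate configurations for ${clients_count} clients"
./wg-genconf.sh "${clients_count}"

step "move server's config to /etc/wireguard/"
mv -v ./wg0.conf /etc/wireguard/
chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf   # wg0.conf holds the server private key

step "run wireguard"
wg-quick up wg0
systemctl enable wg-quick@wg0

step "enable IPv4 forwarding"
sysctl net.ipv4.ip_forward=1
# Persist across reboots. This replaces the file rather than appending, as before.
printf '%s\n' 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-sysctl.conf

step "configure firewall rules"
# These are ACCEPT rules only: they restrict nothing unless the chain policy is
# DROP, which this script does not set. If you do set it, allow SSH first.
# No NAT/MASQUERADE rule is added here; presumably wg0.conf's PostUp handles
# it — confirm against wg-genconf.sh.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport "$WG_PORT" -m conntrack --ctstate NEW -j ACCEPT
# DNS (Unbound) is reachable only from the VPN subnet.
iptables -A INPUT -s "$WG_SUBNET" -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s "$WG_SUBNET" -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# make firewall changes persistent (preseed debconf so the install is non-interactive)
printf '%s\n' 'iptables-persistent iptables-persistent/autosave_v4 boolean true' | debconf-set-selections
printf '%s\n' 'iptables-persistent iptables-persistent/autosave_v6 boolean true' | debconf-set-selections
apt install -y iptables-persistent
systemctl enable netfilter-persistent
netfilter-persistent save

step "install and configure unbound"
apt install -y unbound unbound-host
# -f so an HTTP error page is never saved as the root hints file.
curl -fsSL -o /var/lib/unbound/root.hints "$ROOT_HINTS_URL" || die "download of root hints failed"
# Monthly refresh with the same command; the shebang lets run-parts execute it.
printf '#!/bin/sh\ncurl -fsSL -o /var/lib/unbound/root.hints %s\n' "$ROOT_HINTS_URL" > /etc/cron.monthly/curl_root_hints.sh
chmod +x /etc/cron.monthly/curl_root_hints.sh

cat > /etc/unbound/unbound.conf << ENDOFFILE
server:
num-threads: 4
# enable logs
verbosity: 1
# list of root DNS servers
root-hints: "/var/lib/unbound/root.hints"
# use the root server's key for DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# respond to DNS requests on all interfaces
interface: 0.0.0.0
max-udp-size: 3072
# IPs authorised to access the DNS Server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: ${WG_SUBNET} allow
# not allowed to be returned for public Internet names
private-address: ${WG_SUBNET}
#hide DNS Server info
hide-identity: yes
hide-version: yes
# limit DNS fraud and use DNSSEC
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
# add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning
unwanted-reply-threshold: 10000000
# have the validator print validation failures to the log
val-log-level: 1
# minimum lifetime of cache entries in seconds
cache-min-ttl: 1800
# maximum lifetime of cached entries in seconds
cache-max-ttl: 14400
prefetch: yes
prefetch-key: yes
ENDOFFILE

# give the unbound user ownership of its state dir (root.hints, root.key)
chown -R unbound:unbound /var/lib/unbound
# disable systemd-resolved
systemctl stop systemd-resolved
systemctl disable systemd-resolved
# enable Unbound in place of systemd-resolved
systemctl enable unbound
systemctl start unbound

# show wg
wg show

# reboot to make changes effective
printf '%s\n' 'all done, reboot...'
reboot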