A script to spin up a Wireguard VPN server with Unbound recursive DNS in a hurry
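#!/usr/bin/env bash
# This file is designed to spin up a Wireguard VPN quickly and easily,
# including configuring a recursive local DNS server using Unbound.
#
# Every site-specific value (keys, tunnel addresses, listening port, uplink
# interface) lives in the variable block below; change those before running.
# The server private key is written into /etc/wireguard/wg0.conf, so a copy of
# this script holding a real key deserves the same protection as that file.
#
# iptables-persistent is preseeded through debconf, so the run needs no input.
set -euo pipefail

# --- values to change before running ----------------------------------------
readonly SERVER_PRIVATE_KEY='<server_private_key>'   # output of: wg genkey
readonly CLIENT_PUBLIC_KEY='<client_public_key>'     # the client's: wg pubkey
readonly SERVER_VPN_ADDRESS='<server_vpn_ip>/<prefix>'  # placeholder: server address inside the tunnel, CIDR form
readonly VPN_SUBNET='<vpn_subnet_cidr>'              # placeholder: the whole tunnel subnet, CIDR form
readonly CLIENT_VPN_IP='<client_vpn_ip>'             # placeholder: the single client's tunnel address
readonly LISTEN_PORT=55000                           # WireGuard UDP port
readonly UPLINK_IF='ens3'                            # interface facing the Internet (masqueraded)
readonly WG_IF='wg0'                                 # WireGuard interface name
readonly ROOT_HINTS_URL='https://www.internic.net/domain/named.root'  # InterNIC root hints
# ----------------------------------------------------------------------------

readonly WG_CONF="/etc/wireguard/${WG_IF}.conf"

# Install packages without prompting; sudo's env_reset would drop an exported
# DEBIAN_FRONTEND, so it is passed explicitly on each call.
apt_install() {
  sudo env DEBIAN_FRONTEND=noninteractive apt-get install -y "$@"
}

# add wireguard repo (only needed on releases whose own repos lack the package)
sudo add-apt-repository -y ppa:wireguard/wireguard
# update/upgrade server and refresh repo (the upgrade must run as root too)
sudo apt-get update
sudo env DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
# install wireguard
apt_install wireguard

# create Wireguard interface config. The file is created root-only *before* the
# private key is written into it, so there is no window where a umask-default
# (usually world-readable) file holds the key.
sudo install -m 600 -o root -g root /dev/null "${WG_CONF}"
sudo tee "${WG_CONF}" >/dev/null <<ENDOFFILE
[Interface]
PrivateKey = ${SERVER_PRIVATE_KEY}
Address = ${SERVER_VPN_ADDRESS}
ListenPort = ${LISTEN_PORT}
PostUp = iptables -A FORWARD -i ${WG_IF} -j ACCEPT; iptables -t nat -A POSTROUTING -o ${UPLINK_IF} -j MASQUERADE; ip6tables -A FORWARD -i ${WG_IF} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ${UPLINK_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i ${WG_IF} -j ACCEPT; iptables -t nat -D POSTROUTING -o ${UPLINK_IF} -j MASQUERADE; ip6tables -D FORWARD -i ${WG_IF} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ${UPLINK_IF} -j MASQUERADE
SaveConfig = true

[Peer]
PublicKey = ${CLIENT_PUBLIC_KEY}
AllowedIPs = ${CLIENT_VPN_IP}/32
ENDOFFILE

# bring the Wireguard interface up
sudo wg-quick up "${WG_IF}"
# make Wireguard interface start at boot
sudo systemctl enable "wg-quick@${WG_IF}"

# enable IPv4 forwarding: uncomment the stock line, append it if absent, and
# apply it now so no reboot is needed (the redirect form `sudo echo 1 > /proc/...`
# runs the redirect unprivileged and fails)
sudo sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
if ! grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf; then
  printf '%s\n' 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf >/dev/null
fi
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -p

# configure the firewall: keep established flows, accept WireGuard from
# anywhere, and accept DNS only when it arrives through the tunnel interface
# from the tunnel subnet. NOTE: these are appended ACCEPT rules; the chain
# policies are left as found, so this is not a lock-down by itself.
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport "${LISTEN_PORT}" -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -i "${WG_IF}" -s "${VPN_SUBNET}" -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -i "${WG_IF}" -s "${VPN_SUBNET}" -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# make firewall changes persistent; answer the package's "save current rules?"
# prompt up front so the install is non-interactive
printf '%s\n' \
  'iptables-persistent iptables-persistent/autosave_v4 boolean true' \
  'iptables-persistent iptables-persistent/autosave_v6 boolean true' \
  | sudo debconf-set-selections
apt_install iptables-persistent
sudo systemctl enable netfilter-persistent
sudo netfilter-persistent save

# install Unbound DNS
apt_install unbound unbound-host
# download list of DNS root servers (-f makes an HTTP error fail the script
# instead of leaving an error page as the hints file)
curl -fsSL "${ROOT_HINTS_URL}" | sudo tee /var/lib/unbound/root.hints >/dev/null

# create Unbound config file
sudo tee /etc/unbound/unbound.conf >/dev/null <<ENDOFFILE
server:
  num-threads: 4
  # enable logs
  verbosity: 1
  # list of root DNS servers
  root-hints: "/var/lib/unbound/root.hints"
  # use the root server's key for DNSSEC
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  # respond to DNS requests on all interfaces; exposure is limited by the
  # access-control list below and by the port-53 firewall rules
  interface: 0.0.0.0
  max-udp-size: 3072
  # IPs authorised to access the DNS Server: refuse everything, then allow
  # localhost and the tunnel subnet
  access-control: 0.0.0.0/0 refuse
  access-control: 127.0.0.1 allow
  access-control: ${VPN_SUBNET} allow
  # not allowed to be returned for public Internet names (rebinding defence)
  private-address: 10.0.0.0/8
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: ${VPN_SUBNET}
  #hide DNS Server info
  hide-identity: yes
  hide-version: yes
  # limit DNS fraud and use DNSSEC
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes
  # add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning
  unwanted-reply-threshold: 10000000
  # have the validator print validation failures to the log
  val-log-level: 1
  # minimum lifetime of cache entries in seconds
  cache-min-ttl: 1800
  # maximum lifetime of cached entries in seconds
  cache-max-ttl: 14400
  prefetch: yes
  prefetch-key: yes
ENDOFFILE

# unbound runs as the unbound user and must own its state directory
# (root.hints, and root.key once the trust anchor is fetched)
sudo chown -R unbound:unbound /var/lib/unbound
# fail here, with a readable error, rather than after the system resolver is gone
sudo unbound-checkconf

# disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
# enable Unbound in place of systemd-resolved
sudo systemctl enable unbound-resolvconf
sudo systemctl enable unbound
# reboot to make changes effective
printf '%s\n' 'Setup complete: reboot to make the resolver changes effective.'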

drew2a commented Nov 2, 2019

👏 👏 👏


drew2a commented Apr 12, 2021

@mhalizade hi! Try to use the latest version of with fixed dig issue
