A script to spin up a Wireguard VPN server with Unbound recursive DNS in a hurry
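#!/bin/bash
# This file is designed to spin up a Wireguard VPN quickly and easily,
# including configuring a recursive local DNS server using Unbound
#
# Make sure to change the public/private keys in the settings block below
# before running the script (it refuses to run while the placeholders are
# still present). Also change the IPs, IP ranges, listening port, WAN
# interface and SSH port if desired.
#
# The script must run as root: several steps are shell redirections
# (cat > /etc/..., echo ... >> /etc/sysctl.conf) that sudo cannot elevate.
# iptables-persistent is preseeded below so it no longer needs user input.
set -euo pipefail

if [ "$(id -u)" -ne 0 ]; then
  echo "run this script as root (e.g. sudo $0)" >&2
  exit 1
fi

# ---- settings: edit before running ----------------------------------------
SERVER_PRIVATE_KEY="<server_private_key>"   # output of: wg genkey
CLIENT_PUBLIC_KEY="<client_public_key>"     # output of: wg pubkey < client_private_key
WG_ADDRESS="10.20.20.1/24"                  # server address on the tunnel
WG_SUBNET="10.20.20.0/24"                   # tunnel subnet (must contain WG_ADDRESS)
CLIENT_ADDRESS="10.20.20.2"                 # the one tunnel address this peer may use
WG_PORT="55000"                             # UDP port Wireguard listens on
WAN_IF="${WAN_IF:-ens3}"                    # interface carrying the default route (NAT exit)
SSH_PORT="${SSH_PORT:-22}"                  # kept open so the default-deny firewall cannot lock you out
WG_IP="${WG_ADDRESS%/*}"                    # server tunnel address without the prefix length

case "${SERVER_PRIVATE_KEY}${CLIENT_PUBLIC_KEY}" in
  *'<'*)
    echo "replace the <server_private_key> / <client_public_key> placeholders before running" >&2
    exit 1
    ;;
esac

export DEBIAN_FRONTEND=noninteractive

# add wireguard repo (only needed on releases that do not ship wireguard in the main archive)
add-apt-repository ppa:wireguard/wireguard -y
# update/upgrade server and refresh repo
apt-get update -y && apt-get upgrade -y
# install wireguard
apt-get install wireguard -y

# create Wireguard interface config; umask 077 keeps the private key from ever
# being world-readable, even for the instant before the chmod below
umask 077
cat > /etc/wireguard/wg0.conf << ENDOFFILE
[Interface]
PrivateKey = ${SERVER_PRIVATE_KEY}
Address = ${WG_ADDRESS}
ListenPort = ${WG_PORT}
# Allow forwarding from the tunnel and NAT it out of the WAN interface.
# The FORWARD rule only matters because the FORWARD policy is set to DROP below.
# IPv6 NAT rules were dropped: no IPv6 address or IPv6 forwarding is configured
# by this script, so they could never carry traffic.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ${WAN_IF} -j MASQUERADE
# wg-quick rewrites this file on 'down' with the running configuration
# (comments are lost; edit the file only while the interface is down)
SaveConfig = true
[Peer]
PublicKey = ${CLIENT_PUBLIC_KEY}
# /32, not /24: with a /24 this single peer could source packets from any
# address in the subnet, and a second peer given the same range would take
# over its route. One host address per peer.
AllowedIPs = ${CLIENT_ADDRESS}/32
ENDOFFILE
umask 022

# make root owner of the Wireguard config file (it holds the private key)
chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf
# bring the Wireguard interface up
wg-quick up wg0
# make Wireguard interface start at boot
systemctl enable wg-quick@wg0.service

# enable IPv4 forwarding persistently, appending the key if sysctl.conf does
# not carry the commented template line
sed -i 's/^#\?net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
# apply it now without a reboot ('sudo echo 1 > /proc/...' does not work:
# the redirection runs in the unprivileged shell, not under sudo)
sysctl -w net.ipv4.ip_forward=1

# configure the firewall: explicit allows, then default-deny on INPUT and
# FORWARD. Without the DROP policies the allow rules are no-ops, and with
# ip_forward on the host would otherwise route for anyone who can reach it.
# Note: only IPv4 is filtered here; ip6tables keeps its default ACCEPT policy.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMP is needed for path-MTU discovery, which matters for tunnelled traffic
iptables -A INPUT -p icmp -j ACCEPT
# keep the management session reachable before the policy flips to DROP
iptables -A INPUT -p tcp -m tcp --dport "${SSH_PORT}" -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m udp --dport "${WG_PORT}" -m conntrack --ctstate NEW -j ACCEPT
# DNS only from the tunnel subnet
iptables -A INPUT -s "${WG_SUBNET}" -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s "${WG_SUBNET}" -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# make firewall changes persistent; preseed the package so it saves the
# running rules without prompting. The saved set includes wg-quick's PostUp
# rules, so they appear twice after a reboot (harmless duplicates).
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get install iptables-persistent -y
systemctl enable netfilter-persistent
netfilter-persistent save

# install Unbound DNS
apt-get install unbound unbound-host -y
# download list of DNS root servers; -f turns an HTTP error into a script
# failure instead of silently leaving an error page in root.hints
curl -fsSL -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

# create Unbound config file (this replaces the distribution's unbound.conf,
# including its include of /etc/unbound/unbound.conf.d/)
cat > /etc/unbound/unbound.conf << ENDOFFILE
server:
    num-threads: 4
    # enable logs
    verbosity: 1
    # list of root DNS servers
    root-hints: "/var/lib/unbound/root.hints"
    # use the root server's key for DNSSEC; unbound maintains this file
    # itself, which is why /var/lib/unbound is owned by the unbound user
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # listen only on loopback and the tunnel address, never on the public
    # interface. ip-freebind lets unbound bind the tunnel address even when
    # it starts before wg0 exists at boot.
    interface: 127.0.0.1
    interface: ${WG_IP}
    ip-freebind: yes
    max-udp-size: 3072
    # IPs authorised to access the DNS Server
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ${WG_SUBNET} allow
    # not allowed to be returned for public Internet names
    private-address: ${WG_SUBNET}
    # hide DNS Server info
    hide-identity: yes
    hide-version: yes
    # limit DNS fraud and use DNSSEC
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    # send only the labels each upstream needs (RFC 7816)
    qname-minimisation: yes
    # add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning
    unwanted-reply-threshold: 10000000
    # have the validator print validation failures to the log
    val-log-level: 1
    # minimum lifetime of cache entries in seconds; this overrides shorter
    # authoritative TTLs, trading freshness (e.g. DNS-based failover) for fewer lookups
    cache-min-ttl: 1800
    # maximum lifetime of cached entries in seconds
    cache-max-ttl: 14400
    prefetch: yes
    prefetch-key: yes
ENDOFFILE

# fail here, with a readable message, rather than at boot if the config is malformed
unbound-checkconf

# give the unbound user ownership of its state directory (root.hints was
# written by root above; root.key must be writable for trust-anchor updates)
chown -R unbound:unbound /var/lib/unbound
# disable systemd-resolved
systemctl stop systemd-resolved
systemctl disable systemd-resolved
# enable Unbound in place of systemd-resolved
systemctl enable unbound-resolvconf
systemctl enable unbound
# reboot to make changes effective
reboot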