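#!/usr/bin/env bash
#
# Provision a Debian host as a WireGuard server: install the kernel/WireGuard
# packages from backports, fetch wg-genconf.sh to generate server and client
# configs, open the firewall, optionally set up a local Unbound resolver for
# the VPN subnet, print the first client config (as a QR code and as text)
# and finally reboot.
#
# usage:
#   wg-debian-server-up.sh [--clients=<clients_count>] [--no-reboot] [--no-unbound]
#
# Must be run as root. Uses $HOME/wireguard as its working directory.
# Optional env: WG_GENCONF_SHA256 (constructed, see below) - if set, the
# downloaded wg-genconf.sh must match this sha256 before it is executed.
#
set -euo pipefail # exit on any failure, unset variable or failed pipeline stage
set -x            # print every command (switched off before the final output)

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# constants:
working_dir="$HOME/wireguard"
readonly working_dir

# inputs (defaults):
clients=10
reboot_enabled=true
unbound_enabled=true

# A typo in a flag (e.g. a misspelled --no-reboot) used to be silently ignored
# and the box rebooted anyway; unknown arguments are now rejected.
for arg in "$@"; do
  case "${arg}" in
    --no-reboot) reboot_enabled= ;;
    --no-unbound) unbound_enabled= ;;
    --clients=*) clients=${arg#*=} ;;
    *) die "unknown argument: ${arg}" ;;
  esac
done

# wg-genconf.sh receives this as a count; reject anything but a positive integer.
[[ "${clients}" =~ ^[1-9][0-9]*$ ]] || die "--clients must be a positive integer, got: ${clients}"

# check the user is root
if [[ "$(id -u)" != 0 ]]; then
  die "Please, run the script as root: \"sudo ./${0##*/}\""
fi

mkdir -p "${working_dir}"
mkdir -p "/etc/wireguard"

printf '%s\n' ----------------------------------------------------------set backports
# Append the backports line only once so re-running the script does not
# keep duplicating it in sources.list.
backports_line="deb http://deb.debian.org/debian buster-backports main"
if ! grep -qxF -- "${backports_line}" /etc/apt/sources.list; then
  printf '%s\n' "${backports_line}" >> /etc/apt/sources.list
fi

printf '%s\n' ---------------------------------------------------------------------update
# apt-get has a stable CLI for scripts; apt(8) warns when used non-interactively.
apt-get update -y

printf '%s\n' --------------------------------------------------------------upgrade kernel
# Already root here (checked above); no sudo needed.
apt-get -y install linux-image-amd64 linux-headers-amd64

printf '%s\n' ---------------------------------------------------------install wireguard
apt-get -y install wireguard

printf '%s\n' ----------------------------------------------------------install qrencode
apt-get install -y qrencode

printf '%s\n' -------------------------------------------------- download wg-genconfig.sh
cd "${working_dir}"
# -O pins the destination name: a plain 'wget URL' on a re-run would save
# wg-genconf.sh.1 and the chmod/exec below would keep using the stale copy.
wget -O ./wg-genconf.sh https://raw.githubusercontent.com/drew2a/wireguard/master/wg-genconf.sh
# NOTE(review): this fetches a script from a mutable branch and runs it as
# root with no integrity check. Prefer pinning the URL to a tag or commit;
# as a stop-gap, WG_GENCONF_SHA256 (optional, constructed here) lets the
# caller supply the expected digest of the file they have reviewed.
if [[ -n "${WG_GENCONF_SHA256:-}" ]]; then
  printf '%s  ./wg-genconf.sh\n' "${WG_GENCONF_SHA256}" | sha256sum -c -
fi
chmod +x ./wg-genconf.sh

printf '%s\n' "----------------------generate configurations for ${clients} clients"
if [[ ${unbound_enabled} ]]; then
  # use the wireguard server as a DNS resolver
  ./wg-genconf.sh "${clients}"
else
  # use the cloudflare as a DNS resolver
  ./wg-genconf.sh "${clients}" "1.1.1.1"
fi

printf '%s\n' "-----------------------------------move server's config to /etc/wireguard/"
mv -v ./wg0.conf /etc/wireguard/
# The server config holds the private key; keep it root-only.
chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf

printf '%s\n' -----------------------------------------------------------add to systemctl
systemctl enable wg-quick@wg0

printf '%s\n' ------------------------------------------------------enable IPv4 forwarding
sysctl net.ipv4.ip_forward=1
# Use a dedicated drop-in. On Debian /etc/sysctl.d/99-sysctl.conf is a symlink
# to /etc/sysctl.conf, so redirecting into it (as before) truncated the whole
# system sysctl.conf. The file name below is new to this script.
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-wireguard-forward.conf

printf '%s\n' ---------------------------------------------------configure firewall rules

#######################################
# Append an iptables rule only if an identical rule is not already present,
# so re-running the script does not stack duplicate rules.
# Arguments: chain followed by the rule specification
#######################################
add_rule() {
  iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

add_rule INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
add_rule FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
add_rule INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
# DNS (port 53) is reachable from the VPN subnet only; Unbound's own
# access-control list below is the second layer for the same restriction.
add_rule INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
add_rule INPUT -s 10.0.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# make firewall changes persistent
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get install -y iptables-persistent
systemctl enable netfilter-persistent
netfilter-persistent save

if [[ ${unbound_enabled} ]]; then
  printf '%s\n' ---------------------------------------------install and configure unbound
  apt-get install -y unbound unbound-host

  # Monthly refresh of the root hints. run-parts (which cron uses for
  # /etc/cron.monthly) skips file names containing a dot, so the previous
  # "curl_root_hints.sh" never ran after the initial call; the job is now
  # named without a suffix and carries a shebang. The name is new to this script.
  root_hints_job=/etc/cron.monthly/curl_root_hints
  cat > "${root_hints_job}" << 'ENDOFFILE'
#!/bin/sh
wget https://www.internic.net/domain/named.cache -O /var/lib/unbound/root.hints
ENDOFFILE
  chmod +x "${root_hints_job}"
  "${root_hints_job}"

  # Unbound listens on all IPv4 interfaces but refuses every client except
  # localhost and the VPN subnet; the iptables rules above also keep port 53
  # closed to the public side. Quoted delimiter: the file is written verbatim.
  cat > /etc/unbound/unbound.conf << 'ENDOFFILE'
server:
  num-threads: 4
  # disable logs
  verbosity: 0
  # list of root DNS servers
  root-hints: "/var/lib/unbound/root.hints"
  # use the root server's key for DNSSEC
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  # respond to DNS requests on all interfaces
  interface: 0.0.0.0
  max-udp-size: 3072
  # IPs authorised to access the DNS Server
  access-control: 0.0.0.0/0 refuse
  access-control: 127.0.0.1 allow
  access-control: 10.0.0.0/24 allow
  # not allowed to be returned for public Internet names
  # (also ensures privacy of local IP ranges)
  private-address: 10.0.0.0/24
  #hide DNS Server info
  hide-identity: yes
  hide-version: yes
  # limit DNS fraud and use DNSSEC
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes
  # add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning
  unwanted-reply-threshold: 10000000
  # have the validator print validation failures to the log
  val-log-level: 1
  # minimum lifetime of cache entries in seconds
  cache-min-ttl: 1800
  # maximum lifetime of cached entries in seconds
  cache-max-ttl: 14400
  prefetch: yes
  prefetch-key: yes
  # don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
  # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
  use-caps-for-id: no
  # reduce EDNS reassembly buffer size.
  # suggested by the unbound man page to reduce fragmentation reassembly problems
  edns-buffer-size: 1472
  # ensure kernel buffer is large enough to not lose messages in traffic spikes
  so-rcvbuf: 1m
ENDOFFILE

  # give the unbound service user ownership of its state directory
  # (root hints and the DNSSEC trust anchor live there)
  chown -R unbound:unbound /var/lib/unbound

  # disable systemd-resolved
  systemctl stop systemd-resolved
  systemctl disable systemd-resolved

  # enable Unbound in place of systemd-resolved
  systemctl enable unbound
  systemctl start unbound
fi

set +x # disable print all commands

client_conf="${working_dir}/client1.conf"
printf '\n%s\n' "You can use this config: client1.conf"
printf '%s\n' "--------------------------------------------------------↓"
qrencode -t ansiutf8 < "${client_conf}"
printf '%s\n' "--------------------------------------------------------↑"

printf '\n%s\n' "You can use this config: client1.conf"
printf '%s\n' "--------------------------------------------------------↓"
cat "${client_conf}"
printf '%s\n' "--------------------------------------------------------↑"

printf '\n%s\n' "Or you could find all the generated configs here: ${working_dir}"
printf '\n'

# unless --no-reboot was given,
# reboot to make changes effective
if [[ ${reboot_enabled} ]]; then
  printf '%s\n' "All done, reboot..."
  reboot
fi

exit 0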