#!/bin/bash # This file is designed to spin up a Wireguard VPN quickly and easily, # including configuring a recursive local DNS server using Unbound # # Make sure to change the public/private keys before running the script # Also change the IPs, IP ranges, and listening port if desired # iptables-persistent currently requires user input # add wireguard repo sudo add-apt-repository ppa:wireguard/wireguard -y # update/upgrade server and refresh repo sudo apt update -y && apt upgrade -y # install wireguard sudo apt install wireguard -y # create Wireguard interface config cat > /etc/wireguard/wg0.conf << ENDOFFILE [Interface] PrivateKey = Address = 10.20.20.1/24 ListenPort = 55000 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE SaveConfig = true [Peer] PublicKey = AllowedIPs = 10.20.20.2/24 ENDOFFILE # make root owner of the Wireguard config file sudo chown -v root:root /etc/wireguard/wg0.conf sudo chmod -v 600 /etc/wireguard/wg0.conf # bring the Wireguard interface up sudo wg-quick up wg0 # make Wireguard interface start at boot sudo systemctl enable wg-quick@wg0.service # enable IPv4 forwarding sed -i 's/\#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf # negate the need to reboot after the above change sudo sysctl -p sudo echo 1 > /proc/sys/net/ipv4/ip_forward # configure the firewall sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT sudo iptables -A INPUT -p udp -m udp --dport 55000 -m conntrack --ctstate NEW -j ACCEPT sudo iptables -A INPUT -s 10.20.20.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT sudo iptables -A INPUT -s 10.20.20.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT # make firewall changes persistent sudo apt install iptables-persistent -y sudo systemctl enable netfilter-persistent sudo netfilter-persistent save # install Unbound DNS sudo apt install unbound unbound-host -y # download list of DNS root servers curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache # create Unbound config file cat > /etc/unbound/unbound.conf << ENDOFFILE server: num-threads: 4 # enable logs verbosity: 1 # list of root DNS servers root-hints: "/var/lib/unbound/root.hints" # use the root server's key for DNSSEC auto-trust-anchor-file: "/var/lib/unbound/root.key" # respond to DNS requests on all interfaces interface: 0.0.0.0 max-udp-size: 3072 # IPs authorised to access the DNS Server access-control: 0.0.0.0/0 refuse access-control: 127.0.0.1 allow access-control: 10.20.20.0/24 allow # not allowed to be returned for public Internet names private-address: 10.20.20.0/24 #hide DNS Server info hide-identity: yes hide-version: yes # limit DNS fraud and use DNSSEC harden-glue: yes harden-dnssec-stripped: yes harden-referral-path: yes # add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning unwanted-reply-threshold: 10000000 # have the validator print validation failures to the log val-log-level: 1 # minimum lifetime of cache entries in seconds cache-min-ttl: 1800 # maximum lifetime of cached entries in seconds cache-max-ttl: 14400 prefetch: yes prefetch-key: yes ENDOFFILE # give root ownership of the Unbound config sudo chown -R unbound:unbound /var/lib/unbound # disable systemd-resolved sudo systemctl stop systemd-resolved sudo systemctl disable systemd-resolved # enable Unbound in place of systemd-resovled sudo systemctl enable unbound-resolvconf sudo systemctl enable unbound # reboot to make changes effective reboot