kjuulh/wireguard-setup
1
0
Fork 0
Code Issues 1 Pull Requests 1 Projects Releases Wiki Activity

Refactor

Browse Source
This commit is contained in:
Héctor Molinero Fernández
2020-01-30 21:33:16 +01:00
parent 1abc1d8631
commit 26b9228cf7
21 changed files with 123 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
packer/rootfs/etc/apt/apt.conf.d/20auto-upgrades Normal file
View File

@@ -0,0 +1,4 @@
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

9
packer/rootfs/etc/apt/apt.conf.d/50unattended-upgrades Normal file
View File

@@ -0,0 +1,9 @@
Unattended-Upgrade::Origins-Pattern { "origin=*"; };
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "05:30";

9
packer/rootfs/etc/fail2ban/jail.d/sshd.conf Normal file
View File

@@ -0,0 +1,9 @@
[sshd]
enabled = true
filter = sshd
banaction = ufw
backend = systemd
maxretry = 5
findtime = 10m
bantime = 10m
ignoreip = 127.0.0.1/8 ::1

26
packer/rootfs/etc/ssh/sshd_config Normal file
View File

@@ -0,0 +1,26 @@
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
ListenAddress 0.0.0.0
Port 22
UseDNS no
UsePAM yes
X11Forwarding no
AllowTcpForwarding yes
AllowGroups ssh-user
PermitRootLogin without-password
PermitEmptyPasswords no
PermitUserEnvironment no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
Subsystem sftp internal-sftp
LoginGraceTime 30
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 5
PrintMotd yes
PrintLastLog yes
SyslogFacility AUTH
LogLevel INFO

43
packer/rootfs/etc/unbound/unbound.conf Normal file
View File

@@ -0,0 +1,43 @@
server:
interface: 0.0.0.0
interface: ::0
port: 53
root-hints: "/usr/share/dns/root.hints"
auto-trust-anchor-file: "/var/lib/unbound/root.key"
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.10.10.0/24 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.0/104 allow
access-control: fd10:10:10::1/64 allow
private-address: 0.0.0.0/8
private-address: ::ffff:0.0.0.0/104
private-address: 10.0.0.0/8
private-address: ::ffff:10.0.0.0/104
private-address: 100.64.0.0/10
private-address: ::ffff:100.64.0.0/106
private-address: 127.0.0.0/8
private-address: ::ffff:127.0.0.0/104
private-address: 169.254.0.0/16
private-address: ::ffff:169.254.0.0/112
private-address: 172.16.0.0/12
private-address: ::ffff:172.16.0.0/108
private-address: 192.168.0.0/16
private-address: ::ffff:192.168.0.0/112
private-address: ::/128
private-address: ::1/128
private-address: fc00::/7
private-address: fd00::/8
private-address: fe80::/10
hide-identity: yes
hide-version: yes
qname-minimisation: yes
cache-min-ttl: 300
cache-max-ttl: 14400
prefetch: yes
prefetch-key: yes
verbosity: 1
val-log-level: 1
#include: "/etc/unbound/unbound.conf.d/*.conf"

9
packer/rootfs/etc/wireguard/client-sample.conf Normal file
View File

@@ -0,0 +1,9 @@
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Address = 10.10.10.2/32, fd10:10:10::2/128
DNS = 10.10.10.1, fd10:10:10::1
[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = XXX.XXX.XXX.XXX:51820

11
packer/rootfs/etc/wireguard/wg0-peers.conf Normal file
View File

@@ -0,0 +1,11 @@
#[Peer]
#PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#AllowedIPs = 10.10.10.2/32, fd10:10:10::2/128
#[Peer]
#PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#AllowedIPs = 10.10.10.3/32, fd10:10:10::3/128
#[Peer]
#PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#AllowedIPs = 10.10.10.4/32, fd10:10:10::4/128

36
packer/rootfs/etc/wireguard/wg0.conf Normal file
View File

@@ -0,0 +1,36 @@
[Interface]
Address = 10.10.10.1/24, fd10:10:10::1/64
ListenPort = 51820
# Load keys
PostUp = [ -e '/etc/wireguard/%i-privatekey' ] || (umask 077 && wg genkey > '/etc/wireguard/%i-privatekey')
PostUp = [ -e '/etc/wireguard/%i-publickey' ] || (umask 022 && wg pubkey < '/etc/wireguard/%i-privatekey' > '/etc/wireguard/%i-publickey')
PostUp = wg set '%i' private-key '/etc/wireguard/%i-privatekey'
# Load peers
PostUp = [ -e '/etc/wireguard/%i-peers.conf' ] || (umask 022 && touch '/etc/wireguard/%i-peers.conf')
PostUp = wg addconf '%i' '/etc/wireguard/%i-peers.conf'
# Enable IPv4/IPv6 forwarding
PostUp = grep -Fxq '1' /proc/sys/net/ipv4/ip_forward || printf 1 > /proc/sys/net/ipv4/ip_forward
PostUp = grep -Fxq '1' /proc/sys/net/ipv6/conf/all/forwarding || printf 1 > /proc/sys/net/ipv6/conf/all/forwarding
PostUp = grep -Fxq '1' /proc/sys/net/ipv6/conf/default/forwarding || printf 1 > /proc/sys/net/ipv6/conf/default/forwarding
# Store the internet-facing interface in a file for later use
PostUp = ip route show default | awk '/^default/{print $5}' > '/etc/wireguard/%i-iface'
# Allow access WireGuard via port 51820/UDP on the internet-facing interface
PostUp = iptables -A INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
PostUp = ip6tables -A INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
PostDown = ip6tables -D INPUT -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 51820 -j ACCEPT
# Allow access WireGuard via port 53/UDP on the internet-facing interface (to circumvent some firewalls)
PostUp = iptables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostUp = ip6tables -t nat -A PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = iptables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
PostDown = ip6tables -t nat -D PREROUTING -i "$(cat '/etc/wireguard/%i-iface')" -p udp --dport 53 -j REDIRECT --to-port 51820
# Allow packet forwarding on the WireGuard interface
PostUp = iptables -A FORWARD -i '%i' -j ACCEPT && iptables -t nat -A POSTROUTING -o "$(cat '/etc/wireguard/%i-iface')" -j MASQUERADE
PostUp = ip6tables -A FORWARD -i '%i' -j ACCEPT && ip6tables -t nat -A POSTROUTING -o "$(cat '/etc/wireguard/%i-iface')" -j MASQUERADE
PostDown = iptables -D FORWARD -i '%i' -j ACCEPT && iptables -t nat -D POSTROUTING -o "$(cat '/etc/wireguard/%i-iface')" -j MASQUERADE
PostDown = ip6tables -D FORWARD -i '%i' -j ACCEPT && ip6tables -t nat -D POSTROUTING -o "$(cat '/etc/wireguard/%i-iface')" -j MASQUERADE
# Allow access to the local DNS server on the WireGuard interface
PostUp = iptables -A INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && iptables -A INPUT -i '%i' -p udp --dport 53 -j ACCEPT
PostUp = ip6tables -A INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -A INPUT -i '%i' -p udp --dport 53 -j ACCEPT
PostDown = iptables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && iptables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT
PostDown = ip6tables -D INPUT -i '%i' -p tcp --dport 53 -j ACCEPT && ip6tables -D INPUT -i '%i' -p udp --dport 53 -j ACCEPT