Installation of WireGuard & Unbound on Debian
Prerequisites
Step 1: Update Your System
Ensure your system is up-to-date:
sudo apt update -y
sudo apt upgrade -y
Step 2: Install WireGuard & Unbound
Follow the instructions from the WireGuard Manager GitHub repository to install WireGuard and Unbound.
Step 3: Resolve Internet Issues (Optional)
If you encounter internet issues after configuring resolvconf, you can temporarily solve them by adding a public DNS server:
- Edit the head file for resolvconf:
  sudo vi /etc/resolvconf/resolv.conf.d/head
- Add the following line to the file:
  nameserver 8.8.8.8
- Update resolvconf:
  sudo resolvconf -u
- Verify the changes:
  cat /etc/resolv.conf
Step 4: Configure Firewall Rules (Optional)
Allow WireGuard Traffic
sudo ufw allow 51820/udp
Allow DNS Traffic from Localhost
sudo ufw allow from 127.0.0.1 to any port 53
Deny DNS Traffic from Other Sources (if needed)
sudo ufw deny 53
Check UFW Status
sudo ufw status
Step 5: Configure nftables Rules (Optional)
Here's the adjusted nftables configuration that takes into account your specific IP addresses and restricts DNS access to connected WireGuard clients only:
Step-by-Step Guide
- Remove UFW (if needed):
  sudo ufw disable
  sudo apt-get remove ufw
- Configure nftables rules:
  - Create or edit the nftables configuration file:
    sudo nano /etc/nftables.conf
  - Add the following configuration to handle WireGuard, DNS, and forwarding rules:
#!/usr/sbin/nft -f

table inet wireguard {
    chain input {
        type filter hook input priority 0; policy drop;

        # Accept all traffic on the loopback interface
        iif "lo" accept

        # Accept already established or related connections
        ct state established,related accept

        # Drop invalid packets
        ct state invalid drop

        # Allow SSH on port 2222 from all interfaces
        tcp dport 2222 accept

        # Allow WireGuard
        udp dport 51820 accept

        # Allow DNS from WireGuard clients only (not from eth0)
        iifname "wg0" tcp dport 53 accept
        iifname "wg0" udp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow forwarding between WireGuard and eth0.
        # Note: return traffic is already covered by the established,related rule
        # below, so the eth0 -> wg0 line also admits new connections from the
        # Internet toward WireGuard clients.
        iifname "wg0" oifname "eth0" accept
        iifname "eth0" oifname "wg0" accept

        # Accept already established or related connections
        ct state established,related accept

        # Drop invalid packets
        ct state invalid drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table inet wireguard_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Masquerade traffic from wg0 (the WireGuard client subnets) out of eth0
        oifname "eth0" ip saddr 10.8.0.0/24 masquerade
        oifname "eth0" ip6 saddr fd42:42:42::/64 masquerade
    }
}
- Enable IP forwarding (optional, not recommended):
  - Ensure IP forwarding is enabled by creating or editing /etc/sysctl.d/99-sysctl.conf and adding:
    sudo nano /etc/sysctl.d/99-sysctl.conf
    net.ipv4.ip_forward=1
    net.ipv6.conf.all.forwarding=1
  - Apply the changes:
    sudo sysctl -p /etc/sysctl.d/99-sysctl.conf
- Apply and start the nftables configuration:
  sudo nft -f /etc/nftables.conf
  sudo systemctl enable nftables
  sudo systemctl start nftables
- Verify the configuration:
  sudo nft list ruleset
With this configuration, your WireGuard and DNS traffic will be appropriately handled. WireGuard clients will have access to DNS on port 53, but it won't be open to the world. The NAT and forwarding rules are also updated to match your specific IP addresses.
Custom Blocklist Setup
Step 1: Create Blocklist Directory
Create a directory to store your blocklist scripts:
sudo mkdir -p /opt/blocklists
Step 2: Create Safelist Script
-
Create the safelist script file:
sudo vi /opt/blocklists/safelist.sh
-
Add the following content to the file:
#!/bin/bash
set -euo pipefail
IFS=$'\n\t'

# Download Anudeep's commonly safelisted domains and allow Unbound lookups to them.
curl -sSf "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt" |
    sort -u |                                                   # Remove any duplicates
    awk '{print "local-zone: \""$1".\" always_transparent"}'   # Convert to Unbound configuration
-
Make the script executable:
sudo chmod +x /opt/blocklists/safelist.sh
Step 3: Create Blocklist Script
-
Create the blocklist script file:
sudo vi /opt/blocklists/blocklist.sh
-
Add the following content to the file:
#!/bin/bash
set -euo pipefail
IFS=$'\n\t'

# Download blocklists from various sources and block access to them with Unbound.
(
    curl -sSf "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts_without_controversies.txt"
    curl -sSf "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
    curl -sSf "https://v.firebog.net/hosts/static/w3kbl.txt"
    curl -sSf "https://adaway.org/hosts.txt"
    curl -sSf "https://v.firebog.net/hosts/AdguardDNS.txt"
    curl -sSf "https://v.firebog.net/hosts/Admiral.txt"
    curl -sSf "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
    curl -sSf "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
    curl -sSf "https://v.firebog.net/hosts/Easylist.txt"
    curl -sSf "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
    curl -sSf "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
    curl -sSf "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
    curl -sSf "https://v.firebog.net/hosts/Easyprivacy.txt"
    curl -sSf "https://v.firebog.net/hosts/Prigent-Ads.txt"
    curl -sSf "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt"
    curl -sSf "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
    curl -sSf "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
    curl -sSf "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
    curl -sSf "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
    curl -sSf "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
    curl -sSf "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
    curl -sSf "https://mirror1.malwaredomains.com/files/justdomains"
    curl -sSf "https://v.firebog.net/hosts/Prigent-Crypto.txt"
    curl -sSf "https://v.firebog.net/hosts/Prigent-Malware.txt"
    curl -sSf "https://mirror.cedia.org.ec/malwaredomains/immortal_domains.txt"
    curl -sSf "https://www.malwaredomainlist.com/hostslist/hosts.txt"
    curl -sSf "https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt"
    curl -sSf "https://phishing.army/download/phishing_army_blocklist_extended.txt"
    curl -sSf "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
    curl -sSf "https://v.firebog.net/hosts/Shalla-mal.txt"
    curl -sSf "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
    curl -sSf "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
    curl -sSf "https://urlhaus.abuse.ch/downloads/hostfile/"
    curl -sSf "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
) |                              # Combine all lists into one
    grep '^0\.0\.0\.0' |         # Filter out any comments, etc. that aren't rules
    tr -d '\r' |                 # Normalize line endings by removing Windows carriage returns
    sort -u |                    # Remove any duplicates
    awk '{print "local-zone: \""$2".\" redirect\nlocal-data: \""$2". IN A 0.0.0.0\"\nlocal-data: \""$2". IN AAAA ::\""}'   # Convert to Unbound configuration
-
Make the script executable:
sudo chmod +x /opt/blocklists/blocklist.sh
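The pipeline above keeps only lines that start with 0.0.0.0, so sources that publish 127.0.0.1-style hosts entries or bare domain names contribute nothing, and a stray "0.0.0.0 0.0.0.0" line would become a zone. The following added example (not code from the page or its referenced gist) normalises those formats into one deduplicated domain list before emitting the same Unbound entries; the sample input and the .example.test names are constructed.

```shell
#!/bin/bash
# Added example, not code from the page or its referenced gist: normalise the
# list formats that blocklist sources return before turning them into Unbound
# local-zone entries. Handles "0.0.0.0 host", "127.0.0.1 host", bare domains,
# comments, CRLF line endings, and the IP/localhost entries that must not be blocked.
set -eu

# Read blocklist lines on stdin; write one lowercase domain per line, deduplicated.
normalize_blocklist() {
    tr -d '\r' |                        # strip Windows carriage returns
    sed 's/[#!].*$//' |                 # drop hosts-style (#) and adblock-style (!) comments
    awk '
        NF == 0 { next }                                # blank or comment-only line
        { d = $1 }                                      # bare-domain format
        $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1" || $1 == "::" { d = $2 }  # hosts format
        d == "" || d ~ /^[0-9.]+$/ { next }             # IPs, e.g. "0.0.0.0 0.0.0.0" or "255.255.255.255 broadcasthost"
        d == "localhost" || d == "localhost.localdomain" { next }   # never block the resolver itself
        d !~ /^[A-Za-z0-9._-]+$/ { next }               # not a hostname (adblock syntax, link-local addresses)
        { print tolower(d) }
    ' | sort -u
}

# Turn bare domains into Unbound redirect zones answering 0.0.0.0 / ::, as the page does.
to_unbound() {
    awk '{ printf "local-zone: \"%s.\" redirect\nlocal-data: \"%s. IN A 0.0.0.0\"\nlocal-data: \"%s. IN AAAA ::\"\n", $1, $1, $1 }'
}

# Constructed sample mixing the formats found in real blocklists (names are placeholders).
sample_domains() {
    printf '%s\n' \
        '# hosts-style list' \
        '0.0.0.0 ads.example.test' \
        '127.0.0.1 localhost' \
        '127.0.0.1 tracker.example.test   # inline comment' \
        '0.0.0.0 0.0.0.0' \
        '255.255.255.255 broadcasthost' \
        'ADS.example.test' \
        'malware.example.test' \
        '!adblock-style comment' \
        '||adblock.example.test^' |
    normalize_blocklist
}

# Stand-alone run: print the Unbound config generated from the sample.
sample_domains | to_unbound
```

Dropping the sample and feeding the curl subshell into normalize_blocklist | to_unbound gives a drop-in replacement for the grep/sort/awk stage above.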
Step 4: Create Blocklist Update Script
-
Create the update script file:
sudo vi /opt/blocklists/update-blocklists.sh
-
Add the following content to the file:
#!/bin/bash
set -euo pipefail

SAFELIST_SCRIPT="/opt/blocklists/safelist.sh"
BLOCKLIST_SCRIPT="/opt/blocklists/blocklist.sh"
UNBOUND_CONF_DIR="/etc/unbound/unbound.conf.d"

# Check if the folder exists, if not, create it
if [ ! -d "/opt/blocklists" ]; then
    echo "Creating /opt/blocklists folder..."
    mkdir -p /opt/blocklists
fi

# Check if the scripts exist
if [ ! -f "$SAFELIST_SCRIPT" ]; then
    echo "Error: $SAFELIST_SCRIPT not found."
    exit 1
fi
if [ ! -f "$BLOCKLIST_SCRIPT" ]; then
    echo "Error: $BLOCKLIST_SCRIPT not found."
    exit 1
fi

# Generate into temporary files first: a failed download then aborts the script
# here (set -e / pipefail) instead of leaving a truncated *.conf for Unbound to
# load. The temporary names do not end in .conf, so the include glob ignores them.
SAFELIST_TMP="$(mktemp "$UNBOUND_CONF_DIR/.safelist.XXXXXX")"
BLOCKLIST_TMP="$(mktemp "$UNBOUND_CONF_DIR/.blocklist.XXXXXX")"
trap 'rm -f "$SAFELIST_TMP" "$BLOCKLIST_TMP"' EXIT
"$SAFELIST_SCRIPT" >"$SAFELIST_TMP"
"$BLOCKLIST_SCRIPT" >"$BLOCKLIST_TMP"
chmod 0644 "$SAFELIST_TMP" "$BLOCKLIST_TMP"   # mktemp creates 0600; Unbound must be able to read them

# Move the new files into place, validate the complete configuration, then reload
mv "$SAFELIST_TMP" "$UNBOUND_CONF_DIR/01-safelist.conf"
mv "$BLOCKLIST_TMP" "$UNBOUND_CONF_DIR/02-blocklist.conf"
unbound-checkconf
service unbound reload
-
Make the script executable:
sudo chmod +x /opt/blocklists/update-blocklists.sh
Conclusion
You have successfully installed and configured WireGuard and Unbound on your Debian system, including setting up custom
References
https://gist.github.com/mudge/eaff0a816e8ee49046e263b0a6e99fe7
https://github.com/complexorganizations/wireguard-manager