Installation of WireGuard & Unbound on Debian

Prerequisites

Step 1: Update Your System

Ensure your system is up-to-date:

sudo apt update -y
sudo apt upgrade -y

Step 2: Install WireGuard & Unbound

Follow the instructions in the WireGuard Manager GitHub repository (see References) to install WireGuard and Unbound. The installer runs as root and configures both services, so read the script before executing it, and note the WireGuard interface name, client address ranges and DNS settings it chose, because the firewall rules below refer to them.

Step 3: Resolve DNS Issues (Optional)

If the host loses name resolution after resolvconf is configured (for example because Unbound is not yet answering on 127.0.0.1), you can work around it temporarily by adding a public DNS server. Note that the host's own lookups then bypass Unbound, and with it the blocklist set up below, and go to Google Public DNS in the clear; remove the entry once Unbound is working.

  1. Edit the head file for resolvconf:

    sudo vi /etc/resolvconf/resolv.conf.d/head
  2. Add the following line to the file:

    nameserver 8.8.8.8
  3. Update resolvconf:

    sudo resolvconf -u
  4. Verify the changes:

    cat /etc/resolv.conf

Step 4: Configure Firewall Rules with UFW (Optional)

Allow WireGuard Traffic

sudo ufw allow 51820/udp

Allow DNS Traffic from Localhost

sudo ufw allow from 127.0.0.1 to any port 53

UFW's default rules already accept everything arriving on the loopback interface, so this rule mainly documents the intent. WireGuard clients that are meant to resolve through Unbound reach it over wg0, not loopback, and need their own allow rule for port 53 on that interface; add it before the deny rule below, because UFW evaluates rules in order and the first match wins.

Deny DNS Traffic from Other Sources (if needed)

sudo ufw deny 53

Check UFW Status

sudo ufw status

Step 5: Configure Firewall Rules with nftables (Alternative to UFW)

The nftables configuration below replaces UFW. It assumes the WireGuard interface is wg0 with the client ranges 10.8.0.0/24 and fd42:42:42::/64, that the upstream interface is eth0 and that SSH listens on port 2222; adjust these values to your system. It restricts DNS access to connected WireGuard clients only.

Step-by-Step Guide

  1. Remove UFW (if needed), since two rule managers on one host leave a ruleset that neither fully owns:

    sudo ufw disable
    sudo apt-get remove ufw
  2. Configure nftables rules:

    • Create or edit the nftables configuration file.
    sudo nano /etc/nftables.conf
  3. Add the following configuration to handle WireGuard, DNS, and forwarding rules:

    #!/usr/sbin/nft -f

    # Start from an empty ruleset so that re-applying this file does not
    # accumulate duplicate rules. This also clears rules added by other tools
    # (for example wg-quick PostUp lines), so this file must be the single
    # source of firewall rules on the host.
    flush ruleset

    table inet wireguard {
        chain input {
            type filter hook input priority 0; policy drop;

            # Accept all traffic on the loopback interface
            iif "lo" accept

            # Accept already established or related connections
            ct state established,related accept

            # Drop invalid packets
            ct state invalid drop

            # Accept ICMP and ICMPv6 (path MTU discovery, IPv6 neighbour
            # discovery); without this IPv6 on eth0 stops working under a
            # drop policy
            meta l4proto { icmp, ipv6-icmp } accept

            # Allow SSH on port 2222 from all interfaces
            tcp dport 2222 accept

            # Allow WireGuard
            udp dport 51820 accept

            # Allow DNS from WireGuard clients only
            iifname "wg0" tcp dport 53 accept
            iifname "wg0" udp dport 53 accept
        }

        chain forward {
            type filter hook forward priority 0; policy drop;

            # Drop invalid packets
            ct state invalid drop

            # Accept already established or related connections
            ct state established,related accept

            # Allow WireGuard clients to open connections towards eth0. The
            # reverse direction is covered by the established,related rule
            # above, so hosts on the internet cannot initiate connections to
            # VPN clients through the server.
            iifname "wg0" oifname "eth0" accept
        }

        chain output {
            type filter hook output priority 0; policy accept;
        }
    }

    table inet wireguard_nat {
        chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;

            # Masquerade traffic from wg0 to eth0
            oifname "eth0" ip saddr 10.8.0.0/24 masquerade
            oifname "eth0" ip6 saddr fd42:42:42::/64 masquerade
        }
    }
  4. Enable IP forwarding:

    Forwarding is required for WireGuard clients to reach anything beyond the server itself; without it the forward and NAT rules above never see any traffic. Skip this step only if forwarding is already enabled (the WireGuard Manager installer may already have done this).

    • Edit the /etc/sysctl.d/99-sysctl.conf configuration file:
    sudo nano /etc/sysctl.d/99-sysctl.conf
    • Ensure it contains the following lines:
    net.ipv4.ip_forward=1
    net.ipv6.conf.all.forwarding=1
    • Apply the changes:
    sudo sysctl -p /etc/sysctl.d/99-sysctl.conf
  5. Apply and start the nftables configuration:

    sudo nft -f /etc/nftables.conf
    sudo systemctl enable nftables
    sudo systemctl start nftables
  6. Verify the configuration:

    sudo nft list ruleset

With this configuration, WireGuard clients reach Unbound on port 53 over wg0, while port 53 stays closed on every other interface. The forwarding and NAT rules refer to the wg0 client ranges given above; if the installer assigned different ranges, change them in both places.

Custom Blocklist Setup

Step 1: Create Blocklist Directory

Create a directory to store your blocklist scripts:

sudo mkdir -p /opt/blocklists

Step 2: Create Safelist Script

  1. Create the safelist script file:

    sudo vi /opt/blocklists/safelist.sh
  2. Add the following content to the file:

    #!/bin/bash
    set -euo pipefail
    IFS=$'\n\t'

    # Download Anudeep's commonly safelisted domains and allow Unbound lookups to them.
    curl -sSf "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt" |
        tr -d '\r' |                # Normalize line endings by removing Windows carriage returns
        grep -v '^[[:space:]]*#' |  # Drop comment lines, which are not domains
        grep -v '^[[:space:]]*$' |  # Drop blank lines
        sort -u |                   # Remove any duplicates
        awk '{print "local-zone: \""$1".\" always_transparent"}'  # Convert to Unbound configuration
  3. Make the script executable:

    sudo chmod +x /opt/blocklists/safelist.sh

Step 3: Create Blocklist Script

  1. Create the blocklist script file:

    sudo vi /opt/blocklists/blocklist.sh
  2. Add the following content to the file:

    #!/bin/bash
    set -euo pipefail
    IFS=$'\n\t'

    # Download blocklists from various sources and block access to them with Unbound.
    LISTS=(
        "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts_without_controversies.txt"
        "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
        "https://v.firebog.net/hosts/static/w3kbl.txt"
        "https://adaway.org/hosts.txt"
        "https://v.firebog.net/hosts/AdguardDNS.txt"
        "https://v.firebog.net/hosts/Admiral.txt"
        "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
        "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
        "https://v.firebog.net/hosts/Easylist.txt"
        "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
        "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
        "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
        "https://v.firebog.net/hosts/Easyprivacy.txt"
        "https://v.firebog.net/hosts/Prigent-Ads.txt"
        "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt"
        "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
        "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
        "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
        "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
        "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
        "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
        "https://mirror1.malwaredomains.com/files/justdomains"
        "https://v.firebog.net/hosts/Prigent-Crypto.txt"
        "https://v.firebog.net/hosts/Prigent-Malware.txt"
        "https://mirror.cedia.org.ec/malwaredomains/immortal_domains.txt"
        "https://www.malwaredomainlist.com/hostslist/hosts.txt"
        "https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt"
        "https://phishing.army/download/phishing_army_blocklist_extended.txt"
        "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
        "https://v.firebog.net/hosts/Shalla-mal.txt"
        "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
        "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
        "https://urlhaus.abuse.ch/downloads/hostfile/"
        "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
    )

    # Fetch every list. A source that is down is reported and skipped instead of
    # aborting the run; a single failed curl inside a subshell under "set -e"
    # would otherwise silently truncate the combined list.
    fetch_all() {
        local url
        for url in "${LISTS[@]}"; do
            curl -sSf "$url" || echo "warning: could not fetch $url" >&2
        done
    }

    fetch_all |
        tr -d '\r' |        # Normalize line endings by removing Windows carriage returns
        sed 's/#.*$//' |    # Strip comments, whole-line and inline
        awk '
            # The sources mix two formats: hosts-file lines ("0.0.0.0 host" or
            # "127.0.0.1 host") and bare domain lists. Take the domain from either,
            # skip hosts-file placeholders, and keep only plain hostnames so that a
            # stray rule cannot corrupt the generated Unbound configuration.
            NF == 0 { next }
            { d = $1; if ($1 ~ /^(0\.0\.0\.0|127\.0\.0\.1|::1|255\.255\.255\.255)$/) { if (NF < 2) next; d = $2 } }
            d ~ /^(0\.0\.0\.0|localhost|localhost\.localdomain|local|broadcasthost|ip6-localhost|ip6-loopback)$/ { next }
            d !~ /^[A-Za-z0-9._-]+$/ { next }
            { print tolower(d) }
        ' |
        sort -u |           # Remove any duplicates
        awk '{print "local-zone: \""$1".\" redirect\nlocal-data: \""$1". IN A 0.0.0.0\"\nlocal-data: \""$1". IN AAAA ::\""}'  # Convert to Unbound configuration
  3. Make the script executable:

    sudo chmod +x /opt/blocklists/blocklist.sh

Step 4: Create Blocklist Update Script

  1. Create the update script file:

    sudo vi /opt/blocklists/update-blocklists.sh
  2. Add the following content to the file:

    #!/bin/bash
    set -euo pipefail

    SAFELIST_SCRIPT="/opt/blocklists/safelist.sh"
    BLOCKLIST_SCRIPT="/opt/blocklists/blocklist.sh"
    SAFELIST_CONF="/etc/unbound/unbound.conf.d/01-safelist.conf"
    BLOCKLIST_CONF="/etc/unbound/unbound.conf.d/02-blocklist.conf"

    # Check that the generator scripts exist
    for script in "$SAFELIST_SCRIPT" "$BLOCKLIST_SCRIPT"; do
        if [ ! -x "$script" ]; then
            echo "Error: $script not found or not executable." >&2
            exit 1
        fi
    done

    # Generate into temporary files first, so that a failed download cannot
    # leave a half-written list under /etc/unbound
    tmp_safelist="$(mktemp)"
    tmp_blocklist="$(mktemp)"
    trap 'rm -f "$tmp_safelist" "$tmp_blocklist"' EXIT
    "$SAFELIST_SCRIPT" >"$tmp_safelist"
    "$BLOCKLIST_SCRIPT" >"$tmp_blocklist"

    # Install the new lists, keeping the previous ones for rollback
    [ -f "$SAFELIST_CONF" ] && cp -p "$SAFELIST_CONF" "$SAFELIST_CONF.bak"
    [ -f "$BLOCKLIST_CONF" ] && cp -p "$BLOCKLIST_CONF" "$BLOCKLIST_CONF.bak"
    install -m 0644 "$tmp_safelist" "$SAFELIST_CONF"
    install -m 0644 "$tmp_blocklist" "$BLOCKLIST_CONF"

    # Validate the complete Unbound configuration before reloading; roll back on failure
    if ! unbound-checkconf >/dev/null; then
        echo "Error: unbound-checkconf rejected the new lists, restoring the previous ones." >&2
        [ -f "$SAFELIST_CONF.bak" ] && mv "$SAFELIST_CONF.bak" "$SAFELIST_CONF"
        [ -f "$BLOCKLIST_CONF.bak" ] && mv "$BLOCKLIST_CONF.bak" "$BLOCKLIST_CONF"
        exit 1
    fi

    service unbound reload
  3. Make the script executable:

    sudo chmod +x /opt/blocklists/update-blocklists.sh
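Before reloading Unbound it is worth knowing what the generated files will actually do to a given name. Unbound applies the most specific local-zone that encloses the query name, so a blocklist entry for ads.example.com still blocks cdn.ads.example.com even when example.com is in the safelist as always_transparent, while www.example.com stays transparent. The following is an added example, not code from this page or from the gist it builds on: an offline checker that reads local-zone lines in the format the safelist and blocklist scripts emit and walks the name up to the root to report the verdict. The function name, file names and the sample configuration are assumptions constructed for this example.

```shell
#!/bin/bash
# Added example (not part of the original page or the mudge gist): report
# which local-zone Unbound would apply to a name, using the most-specific-zone
# rule, without starting Unbound. Names and sample data are assumptions.
set -eu

# zone_verdict NAME CONF_FILE... prints the type of the most specific
# local-zone covering NAME ("redirect", "always_transparent", ...), or
# "none" when no zone in the given files applies.
zone_verdict() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%.}
    shift
    # Collect "zone type" pairs from lines such as:
    #   local-zone: "ads.example.com." redirect
    zones=$(cat "$@" | tr -d '\r' |
        awk '$1 == "local-zone:" { z = $2; gsub(/"/, "", z); sub(/\.$/, "", z); print tolower(z), $3 }')
    # Walk from the full name towards the root; the first zone found is the
    # most specific one, which is the one Unbound uses.
    d=$name
    while :; do
        verdict=$(printf '%s\n' "$zones" | awk -v d="$d" '$1 == d { print $2; exit }')
        if [ -n "$verdict" ]; then
            printf '%s\n' "$verdict"
            return 0
        fi
        case $d in
            *.*) d=${d#*.} ;;
            *)   break ;;
        esac
    done
    printf 'none\n'
}

# Constructed sample of what 01-safelist.conf and 02-blocklist.conf look like
# after the generator scripts have run (not real list contents).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat >"$workdir/01-safelist.conf" <<'EOF'
local-zone: "example.com." always_transparent
EOF
cat >"$workdir/02-blocklist.conf" <<'EOF'
local-zone: "ads.example.com." redirect
local-data: "ads.example.com. IN A 0.0.0.0"
local-data: "ads.example.com. IN AAAA ::"
local-zone: "tracker.example.net." redirect
local-data: "tracker.example.net. IN A 0.0.0.0"
local-data: "tracker.example.net. IN AAAA ::"
EOF

# Dry run over a few names: the safelisted parent does not protect a
# subdomain that has its own, more specific, blocklist zone.
for n in www.example.com ads.example.com cdn.ads.example.com tracker.example.net unrelated.org; do
    printf '%-24s %s\n' "$n" "$(zone_verdict "$n" "$workdir"/*.conf)"
done
```

Point the function at the real files under /etc/unbound/unbound.conf.d once they exist to check a suspicious name before and after an update; if the safelist is meant to win for whole subtrees, the blocklist generator has to drop entries below safelisted domains, because Unbound will not do that on its own.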

Conclusion

You have successfully installed and configured WireGuard and Unbound on your Debian system, including setting up custom

References

https://gist.github.com/mudge/eaff0a816e8ee49046e263b0a6e99fe7
https://github.com/complexorganizations/wireguard-manager
