From 1f4bd4da44e0db2c4e68325dbf53883141be2247 Mon Sep 17 00:00:00 2001 From: n3kit91 Date: Thu, 28 Nov 2024 18:38:07 +0300 Subject: [PATCH] Create_free_vip
---
 guide_free_vip | 282 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 282 insertions(+)
 create mode 100644 guide_free_vip
diff --git a/guide_free_vip b/guide_free_vip
new file mode 100644
index 0000000..03297e5
--- /dev/null
+++ b/guide_free_vip
@@ -0,0 +1,282 @@
+# WireGuard VPN Setup Guide for Arch Linux
+
+This concise guide helps you set up a WireGuard VPN server on Arch Linux with two client types:
+- **VIP**: Up to 100 Mbps
+- **Free**: Up to 10 Mbps
+
+You can easily switch a client between VIP and Free by modifying their configuration. Additionally, we'll address security concerns related to exposing your server's IP address.
+
+## Table of Contents
+1. [Prerequisites](#prerequisites)
+2. [Installation](#installation)
+3. [Server Configuration](#server-configuration)
+4. [Client Management](#client-management)
+ - [Add a Client](#add-a-client)
+ - [Switch Client Type](#switch-client-type)
+5. [Speed Limiting](#speed-limiting)
+6. [Security Considerations](#security-considerations)
+7. [Starting WireGuard](#starting-wireguard)
+8. [Verification](#verification)
+
+## Prerequisites
+- **Arch Linux** installed on the server.
+- **Root** or **sudo** privileges.
+- **WireGuard** installed on client devices (Linux, Windows, iOS, Android).
+
+## Installation
+1. **Update System & Install Packages**
+ ```bash
+ sudo pacman -Syu
+ sudo pacman -S wireguard-tools iproute2 nano
+ ```
+
+## Server Configuration
+1. **Generate Server Keys**
+ ```bash
+ sudo mkdir -p /etc/wireguard
+ cd /etc/wireguard
+ umask 077
+ wg genkey | tee server_privatekey | wg pubkey > server_publickey
+ ```
+
+2. **Create `wg0.conf`**
+ ```bash
+ sudo nano /etc/wireguard/wg0.conf
+ ```
+ ```ini
+ [Interface]
+ Address = 10.0.0.1/24
+ ListenPort = 51820
+ PrivateKey = 
+
+ # Enable IP forwarding and NAT
+ PostUp = sysctl -w net.ipv4.ip_forward=1
+ PostUp = iptables -t nat -A POSTROUTING -o -j MASQUERADE
+ PostUp = iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ PostUp = iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
+ PostDown = sysctl -w net.ipv4.ip_forward=0
+ PostDown = iptables -t nat -D POSTROUTING -o -j MASQUERADE
+ PostDown = iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ PostDown = iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT
+ ```
+ - Replace `` with the content of `server_privatekey`.
+ - Replace `` with your network interface (e.g., `eth0`, `ens1`).
+
+## Client Management
+
+### Add a Client
+Create a script to add clients with type (VIP or Free).
+
+1. **Create `add_client.sh`**
+ ```bash
+ sudo nano /etc/wireguard/add_client.sh
+ ```
+ ```bash
+ #!/bin/bash
+
+ if [ "$#" -ne 2 ]; then
+ echo "Usage: $0 "
+ exit 1
+ fi
+
+ TYPE=$1
+ NAME=$2
+
+ if [ "$TYPE" == "VIP" ]; then
+ IP_START=2
+ RATE="100mbit"
+ elif [ "$TYPE" == "Free" ]; then
+ IP_START=12
+ RATE="10mbit"
+ else
+ echo "Type must be VIP or Free"
+ exit 1
+ fi
+
+ CLIENT_IP="10.0.0.$IP_START"
+
+ # Generate keys
+ mkdir -p ~/wireguard_clients
+ cd ~/wireguard_clients
+ wg genkey | tee ${NAME}_privatekey | wg pubkey > ${NAME}_publickey
+
+ PRIVATE_KEY=$(cat ${NAME}_privatekey)
+ PUBLIC_KEY=$(cat ${NAME}_publickey)
+
+ # Add to server config
+ echo "### Client $NAME" | sudo tee -a /etc/wireguard/wg0.conf
+ echo "[Peer]" | sudo tee -a /etc/wireguard/wg0.conf
+ echo "PublicKey = $PUBLIC_KEY" | sudo tee -a /etc/wireguard/wg0.conf
+ echo "AllowedIPs = $CLIENT_IP/32" | sudo tee -a /etc/wireguard/wg0.conf
+ echo "" | sudo tee -a /etc/wireguard/wg0.conf
+
+ # Create client config
+ cat < ${NAME}.conf
+ [Interface]
+ PrivateKey = $PRIVATE_KEY
+ Address = $CLIENT_IP/24
+ DNS = 8.8.8.8
+
+ [Peer]
+ PublicKey = $(cat /etc/wireguard/server_publickey)
+ Endpoint = $(curl -s ifconfig.me):51820
+ AllowedIPs = 0.0.0.0/0, ::/0
+ PersistentKeepalive = 25
+ EOF
+
+ echo "Client $NAME added with IP $CLIENT_IP."
+ echo "Config file: ~/wireguard_clients/${NAME}.conf"
+ ```
+ 2. **Make Script Executable**
+ ```bash
+ sudo chmod +x /etc/wireguard/add_client.sh
+ ```
+
+3. **Add Clients**
+ - **Free Clients (Ваня и Вася)**
+ ```bash
+ sudo /etc/wireguard/add_client.sh Free vanya
+ sudo /etc/wireguard/add_client.sh Free vasya
+ ```
+ - **VIP Client (Петя)**
+ ```bash
+ sudo /etc/wireguard/add_client.sh VIP petya
+ ```
+
+### Switch Client Type
+To switch a client from Free to VIP or vice versa:
+
+1. **Edit Server Configuration**
+ ```bash
+ sudo nano /etc/wireguard/wg0.conf
+ ```
+2. **Locate the Client's `[Peer]` Section**
+ ```ini
+ ### Client vanya
+ [Peer]
+ PublicKey = 
+ AllowedIPs = 10.0.0.12/32
+ ```
+3. **Change the `AllowedIPs` to Assign New IP Based on Type**
+ - **VIP**: `10.0.0.2/32` to `10.0.0.11/32`
+ - **Free**: `10.0.0.12/32` to `10.0.0.21/32`
+4. **Update Speed Limiting Rules (see [Speed Limiting](#speed-limiting))**
+5. **Restart WireGuard and Traffic Control**
+ ```bash
+ sudo systemctl restart wg-quick@wg0
+ sudo systemctl restart wg-tc.service
+ ```
+
+## Speed Limiting
+Use `tc` (Traffic Control) to limit bandwidth based on client IP.
+
+1. **Create `set_tc.sh` Script**
+ ```bash
+ sudo nano /etc/wireguard/set_tc.sh
+ ```
+ ```bash
+ #!/bin/bash
+
+ INTERFACE="ens1" # Replace with your external interface
+
+ # Clear existing rules
+ tc qdisc del dev $INTERFACE root 2>/dev/null
+ tc qdisc del dev $INTERFACE ingress 2>/dev/null
+
+ # Root qdisc
+ tc qdisc add dev $INTERFACE root handle 1: htb default 30
+
+ # Main class
+ tc class add dev $INTERFACE parent 1: classid 1:1 htb rate 1000mbit
+
+ # VIP class
+ tc class add dev $INTERFACE parent 1:1 classid 1:10 htb rate 100mbit
+
+ # Free class
+ tc class add dev $INTERFACE parent 1:1 classid 1:20 htb rate 10mbit
+
+ # Apply filters for VIP clients
+ for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[2-11]$"); do
+ tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip src $ip flowid 1:10
+ done
+
+ # Apply filters for Free clients
+ for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[12-21]$"); do
+ tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip src $ip flowid 1:20
+ done
+
+ # Ingress qdisc
+ tc qdisc add dev $INTERFACE ingress
+
+ # Apply policing for VIP
+ for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[2-11]$"); do
+ tc filter add dev $INTERFACE parent ffff: protocol ip prio 1 u32 match ip dst $ip flowid 1:10 police rate 100mbit burst 10k drop flowid :1
+ done
+
+ # Apply policing for Free
+ for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[12-21]$"); do
+ tc filter add dev $INTERFACE parent ffff: protocol ip prio 1 u32 match ip dst $ip flowid 1:20 police rate 10mbit burst 10k drop flowid :1
+ done
+ ```
+2. **Make Script Executable**
+ ```bash
+ sudo chmod +x /etc/wireguard/set_tc.sh
+ ```
+
+3. **Create `systemd` Service**
+ ```bash
+ sudo nano /etc/systemd/system/wg-tc.service
+ ```
+ ```ini
+ [Unit]
+ Description=WireGuard Traffic Control
+ After=network.target wg-quick@wg0.service
+ Requires=wg-quick@wg0.service
+
+ [Service]
+ Type=oneshot
+ ExecStart=/etc/wireguard/set_tc.sh
+ RemainAfterExit=yes
+
+ [Install]
+ WantedBy=multi-user.target
+ ```
+4. **Enable and Start Service**
+ ```bash
+ sudo systemctl daemon-reload
+ sudo systemctl enable wg-tc.service
+ sudo systemctl start wg-tc.service
+ ```
+
+## Security Considerations
+Distributing `.conf` files exposes your server's IP address, which can be targeted for DDoS attacks. To mitigate risks:
+
+1. **Use a Firewall**: Ensure only necessary ports are open.
+ ```bash
+ sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
+ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ sudo iptables -A INPUT -j DROP
+ ```
+2. **Rate Limiting**: Further protect with fail2ban or similar tools.
+3. **Monitor Traffic**: Use monitoring tools to detect unusual activity.
+4. **Use a Dedicated IP**: If possible, host VPN on a separate IP to isolate traffic.
+
+## Starting WireGuard
+1. **Start and Enable WireGuard**
+ ```bash
+ sudo systemctl start wg-quick@wg0
+ sudo systemctl enable wg-quick@wg0
+ ```
+
+## Verification
+1. **Check WireGuard Status**
+ ```bash
+ sudo wg show
+ ```
+2. **Verify Speed Limits**
+ - Connect clients and use [speedtest.net](https://www.speedtest.net) to ensure VIP clients have up to 100 Mbps and Free clients up to 10 Mbps.
+
+## Conclusion
+You have successfully set up a WireGuard VPN server on Arch Linux with VIP and Free clients, each having distinct bandwidth limitations. Ensure to follow security best practices to protect your server from potential threats.
+
+For further assistance, refer to the [WireGuard Documentation](https://www.wireguard.com/#documentation) or the Arch Linux community.
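Review bot: `add_client.sh` assigns one fixed address per type (`IP_START=2` for VIP, `IP_START=12` for Free), so the second Free client in the example (`vasya`) is appended with the same `AllowedIPs = 10.0.0.12/32` as `vanya`, and WireGuard's cryptokey routing will only deliver that address to one of the two peers; the script should pick the first unused address in the type's range by scanning the existing `AllowedIPs` lines in `wg0.conf` before writing the `[Peer]` block. In `set_tc.sh`, `[2-11]` and `[12-21]` are bracket expressions over single characters, not numeric ranges (`2-1` is an invalid range in most greps), so the four loops never match the documented VIP/Free addresses, and because `htb default 30` names a class that is never created, unmatched traffic is passed without shaping; use `grep -E '^10\.0\.0\.([2-9]|1[01])$'` for VIP and `grep -E '^10\.0\.0\.(1[2-9]|2[01])$'` for Free. `add_client.sh` also writes `${NAME}_privatekey` and `${NAME}.conf` without the `umask 077` that the server-key step uses, so client private keys are created under the default umask (typically world-readable); add `umask 077` before the `wg genkey` line. The firewall in Security Considerations ends with `sudo iptables -A INPUT -j DROP` with no accept for loopback or the administrator's management port, so applying it over SSH drops the session; insert `sudo iptables -A INPUT -i lo -j ACCEPT` and an accept for the SSH port before the DROP. The `cat < ${NAME}.conf` line appears to have lost its heredoc operator in rendering (the later `EOF` terminator has nothing to close); as shown it reads from the config file instead of writing it, so the intended `cat <<EOF > ${NAME}.conf` should be confirmed against the committed file.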