diff --git a/guide_free_vip b/guide_free_vip deleted file mode 100644 index 03297e5..0000000 --- a/guide_free_vip +++ /dev/null 
@@ -1,282 +0,0 @@ -# WireGuard VPN Setup Guide for Arch Linux - -This concise guide helps you set up a WireGuard VPN server on Arch Linux with two client types: -- **VIP**: Up to 100 Mbps -- **Free**: Up to 10 Mbps - -You can easily switch a client between VIP and Free by modifying their configuration. Additionally, we'll address security concerns related to exposing your server's IP address. - -## Table of Contents -1. [Prerequisites](#prerequisites) -2. [Installation](#installation) -3. [Server Configuration](#server-configuration) -4. [Client Management](#client-management) - - [Add a Client](#add-a-client) - - [Switch Client Type](#switch-client-type) -5. [Speed Limiting](#speed-limiting) -6. [Security Considerations](#security-considerations) -7. [Starting WireGuard](#starting-wireguard) -8. [Verification](#verification) - -## Prerequisites -- **Arch Linux** installed on the server. -- **Root** or **sudo** privileges. -- **WireGuard** installed on client devices (Linux, Windows, iOS, Android). - -## Installation -1. **Update System & Install Packages** - ```bash - sudo pacman -Syu - sudo pacman -S wireguard-tools iproute2 nano - ``` - -## Server Configuration -1. **Generate Server Keys** - ```bash - sudo mkdir -p /etc/wireguard - cd /etc/wireguard - umask 077 - wg genkey | tee server_privatekey | wg pubkey > server_publickey - ``` - -2. 
**Create `wg0.conf`** - ```bash - sudo nano /etc/wireguard/wg0.conf - ``` - ```ini - [Interface] - Address = 10.0.0.1/24 - ListenPort = 51820 - PrivateKey = - - # Enable IP forwarding and NAT - PostUp = sysctl -w net.ipv4.ip_forward=1 - PostUp = iptables -t nat -A POSTROUTING -o -j MASQUERADE - PostUp = iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - PostUp = iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT - PostDown = sysctl -w net.ipv4.ip_forward=0 - PostDown = iptables -t nat -D POSTROUTING -o -j MASQUERADE - PostDown = iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - PostDown = iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT - ``` - - Replace `` with the content of `server_privatekey`. - - Replace `` with your network interface (e.g., `eth0`, `ens1`). - -## Client Management - -### Add a Client -Create a script to add clients with type (VIP or Free). - -1. **Create `add_client.sh`** - ```bash - sudo nano /etc/wireguard/add_client.sh - ``` - ```bash - #!/bin/bash - - if [ "$#" -ne 2 ]; then - echo "Usage: $0 " - exit 1 - fi - - TYPE=$1 - NAME=$2 - - if [ "$TYPE" == "VIP" ]; then - IP_START=2 - RATE="100mbit" - elif [ "$TYPE" == "Free" ]; then - IP_START=12 - RATE="10mbit" - else - echo "Type must be VIP or Free" - exit 1 - fi - - CLIENT_IP="10.0.0.$IP_START" - - # Generate keys - mkdir -p ~/wireguard_clients - cd ~/wireguard_clients - wg genkey | tee ${NAME}_privatekey | wg pubkey > ${NAME}_publickey - - PRIVATE_KEY=$(cat ${NAME}_privatekey) - PUBLIC_KEY=$(cat ${NAME}_publickey) - - # Add to server config - echo "### Client $NAME" | sudo tee -a /etc/wireguard/wg0.conf - echo "[Peer]" | sudo tee -a /etc/wireguard/wg0.conf - echo "PublicKey = $PUBLIC_KEY" | sudo tee -a /etc/wireguard/wg0.conf - echo "AllowedIPs = $CLIENT_IP/32" | sudo tee -a /etc/wireguard/wg0.conf - echo "" | sudo tee -a /etc/wireguard/wg0.conf - - # Create client config - cat < ${NAME}.conf - [Interface] - PrivateKey = $PRIVATE_KEY - Address = 
$CLIENT_IP/24 - DNS = 8.8.8.8 - - [Peer] - PublicKey = $(cat /etc/wireguard/server_publickey) - Endpoint = $(curl -s ifconfig.me):51820 - AllowedIPs = 0.0.0.0/0, ::/0 - PersistentKeepalive = 25 - EOF - - echo "Client $NAME added with IP $CLIENT_IP." - echo "Config file: ~/wireguard_clients/${NAME}.conf" - ``` - 2. **Make Script Executable** - ```bash - sudo chmod +x /etc/wireguard/add_client.sh - ``` - -3. **Add Clients** - - **Free Clients (Ваня и Вася)** - ```bash - sudo /etc/wireguard/add_client.sh Free vanya - sudo /etc/wireguard/add_client.sh Free vasya - ``` - - **VIP Client (Петя)** - ```bash - sudo /etc/wireguard/add_client.sh VIP petya - ``` - -### Switch Client Type -To switch a client from Free to VIP or vice versa: - -1. **Edit Server Configuration** - ```bash - sudo nano /etc/wireguard/wg0.conf - ``` -2. **Locate the Client's `[Peer]` Section** - ```ini - ### Client vanya - [Peer] - PublicKey = - AllowedIPs = 10.0.0.12/32 - ``` -3. **Change the `AllowedIPs` to Assign New IP Based on Type** - - **VIP**: `10.0.0.2/32` to `10.0.0.11/32` - - **Free**: `10.0.0.12/32` to `10.0.0.21/32` -4. **Update Speed Limiting Rules (see [Speed Limiting](#speed-limiting))** -5. **Restart WireGuard and Traffic Control** - ```bash - sudo systemctl restart wg-quick@wg0 - sudo systemctl restart wg-tc.service - ``` - -## Speed Limiting -Use `tc` (Traffic Control) to limit bandwidth based on client IP. - -1. 
**Create `set_tc.sh` Script** - ```bash - sudo nano /etc/wireguard/set_tc.sh - ``` - ```bash - #!/bin/bash - - INTERFACE="ens1" # Replace with your external interface - - # Clear existing rules - tc qdisc del dev $INTERFACE root 2>/dev/null - tc qdisc del dev $INTERFACE ingress 2>/dev/null - - # Root qdisc - tc qdisc add dev $INTERFACE root handle 1: htb default 30 - - # Main class - tc class add dev $INTERFACE parent 1: classid 1:1 htb rate 1000mbit - - # VIP class - tc class add dev $INTERFACE parent 1:1 classid 1:10 htb rate 100mbit - - # Free class - tc class add dev $INTERFACE parent 1:1 classid 1:20 htb rate 10mbit - - # Apply filters for VIP clients - for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[2-11]$"); do - tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip src $ip flowid 1:10 - done - - # Apply filters for Free clients - for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[12-21]$"); do - tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip src $ip flowid 1:20 - done - - # Ingress qdisc - tc qdisc add dev $INTERFACE ingress - - # Apply policing for VIP - for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[2-11]$"); do - tc filter add dev $INTERFACE parent ffff: protocol ip prio 1 u32 match ip dst $ip flowid 1:10 police rate 100mbit burst 10k drop flowid :1 - done - - # Apply policing for Free - for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[12-21]$"); do - tc filter add dev $INTERFACE parent ffff: protocol ip prio 1 u32 match ip dst $ip flowid 1:20 police rate 10mbit burst 10k drop flowid :1 - done - ``` -2. **Make Script Executable** - ```bash - sudo chmod +x /etc/wireguard/set_tc.sh - ``` - -3. 
**Create `systemd` Service** - ```bash - sudo nano /etc/systemd/system/wg-tc.service - ``` - ```ini - [Unit] - Description=WireGuard Traffic Control - After=network.target wg-quick@wg0.service - Requires=wg-quick@wg0.service - - [Service] - Type=oneshot - ExecStart=/etc/wireguard/set_tc.sh - RemainAfterExit=yes - - [Install] - WantedBy=multi-user.target - ``` -4. **Enable and Start Service** - ```bash - sudo systemctl daemon-reload - sudo systemctl enable wg-tc.service - sudo systemctl start wg-tc.service - ``` - -## Security Considerations -Distributing `.conf` files exposes your server's IP address, which can be targeted for DDoS attacks. To mitigate risks: - -1. **Use a Firewall**: Ensure only necessary ports are open. - ```bash - sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT - sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - sudo iptables -A INPUT -j DROP - ``` -2. **Rate Limiting**: Further protect with fail2ban or similar tools. -3. **Monitor Traffic**: Use monitoring tools to detect unusual activity. -4. **Use a Dedicated IP**: If possible, host VPN on a separate IP to isolate traffic. - -## Starting WireGuard -1. **Start and Enable WireGuard** - ```bash - sudo systemctl start wg-quick@wg0 - sudo systemctl enable wg-quick@wg0 - ``` - -## Verification -1. **Check WireGuard Status** - ```bash - sudo wg show - ``` -2. **Verify Speed Limits** - - Connect clients and use [speedtest.net](https://www.speedtest.net) to ensure VIP clients have up to 100 Mbps and Free clients up to 10 Mbps. - -## Conclusion -You have successfully set up a WireGuard VPN server on Arch Linux with VIP and Free clients, each having distinct bandwidth limitations. Ensure to follow security best practices to protect your server from potential threats. - -For further assistance, refer to the [WireGuard Documentation](https://www.wireguard.com/#documentation) or the Arch Linux community.
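Review bot: Removing guide_free_vip wholesale leaves no record of why it goes, and the file being deleted has defects that should be named in the commit message (or fixed in a replacement that lands with this deletion) rather than silently dropped. In add_client.sh the address is a constant per tier (`IP_START=2` for VIP, `IP_START=12` for Free), so the two Free clients added later in the guide (`add_client.sh Free vanya` and `add_client.sh Free vasya`) both receive 10.0.0.12 and the second `[Peer]` with a duplicate AllowedIPs silently shadows the first. In set_tc.sh the patterns `^10\.0\.0\.[2-11]$` and `^10\.0\.0\.[12-21]$` are single-character bracket expressions that match only 10.0.0.1 and 10.0.0.2, never the 2-11 and 12-21 ranges the guide describes, and the htb classes and ingress policer are attached to the external interface (`INTERFACE="ens1"`) while matching on 10.0.0.x source and destination addresses that the MASQUERADE rule in wg0.conf has already rewritten on that interface, so no VIP/Free shaping ever takes effect; the filters would need to sit on wg0. If the deletion is a cleanup because this tiering never worked, say so; if a corrected guide replaces it, the two should be in the same change.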