fz0x1/WireGuard-Guide-On_Arch_Linux
1
0
Fork 0
mirror of https://github.com/omgcast/WireGuard-Guide-On_Arch_Linux.git synced 2025-05-12 01:28:30 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Delete guide_free_vip

Browse source
This commit is contained in:
n3kit91 2024-11-28 18:40:16 +03:00 committed by GitHub
parent 1f4bd4da44
commit ac139591b5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 0 additions and 282 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

282
guide_free_vip
View file

@ -1,282 +0,0 @@
# WireGuard VPN Setup Guide for Arch Linux
This concise guide helps you set up a WireGuard VPN server on Arch Linux with two client types:
- **VIP**: Up to 100 Mbps
- **Free**: Up to 10 Mbps
You can easily switch a client between VIP and Free by modifying their configuration. Additionally, we'll address security concerns related to exposing your server's IP address.
## Table of Contents
1. [Prerequisites](#prerequisites)
2. [Installation](#installation)
3. [Server Configuration](#server-configuration)
4. [Client Management](#client-management)
- [Add a Client](#add-a-client)
- [Switch Client Type](#switch-client-type)
5. [Speed Limiting](#speed-limiting)
6. [Security Considerations](#security-considerations)
7. [Starting WireGuard](#starting-wireguard)
8. [Verification](#verification)
## Prerequisites
- **Arch Linux** installed on the server.
- **Root** or **sudo** privileges.
- **WireGuard** installed on client devices (Linux, Windows, iOS, Android).
## Installation
1. **Update System & Install Packages**
```bash
sudo pacman -Syu
sudo pacman -S wireguard-tools iproute2 nano
```
## Server Configuration
1. **Generate Server Keys**
```bash
sudo mkdir -p /etc/wireguard
cd /etc/wireguard
umask 077
wg genkey | tee server_privatekey | wg pubkey > server_publickey
```
2. **Create `wg0.conf`**
```bash
sudo nano /etc/wireguard/wg0.conf
```
```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_privatekey>
# Enable IP forwarding and NAT
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE
PostUp = iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
PostDown = sysctl -w net.ipv4.ip_forward=0
PostDown = iptables -t nat -D POSTROUTING -o <external_interface> -j MASQUERADE
PostDown = iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT
```
- Replace `<server_privatekey>` with the content of `server_privatekey`.
- Replace `<external_interface>` with your network interface (e.g., `eth0`, `ens1`).
## Client Management
### Add a Client
Create a script to add clients with type (VIP or Free).
1. **Create `add_client.sh`**
```bash
sudo nano /etc/wireguard/add_client.sh
```
```bash
#!/bin/bash
if [ "$#" -ne 2 ]; then
echo "Usage: $0 <VIP|Free> <client_name>"
exit 1
fi
TYPE=$1
NAME=$2
if [ "$TYPE" == "VIP" ]; then
IP_START=2
RATE="100mbit"
elif [ "$TYPE" == "Free" ]; then
IP_START=12
RATE="10mbit"
else
echo "Type must be VIP or Free"
exit 1
fi
CLIENT_IP="10.0.0.$IP_START"
# Generate keys
mkdir -p ~/wireguard_clients
cd ~/wireguard_clients
wg genkey | tee ${NAME}_privatekey | wg pubkey > ${NAME}_publickey
PRIVATE_KEY=$(cat ${NAME}_privatekey)
PUBLIC_KEY=$(cat ${NAME}_publickey)
# Add to server config
echo "### Client $NAME" | sudo tee -a /etc/wireguard/wg0.conf
echo "[Peer]" | sudo tee -a /etc/wireguard/wg0.conf
echo "PublicKey = $PUBLIC_KEY" | sudo tee -a /etc/wireguard/wg0.conf
echo "AllowedIPs = $CLIENT_IP/32" | sudo tee -a /etc/wireguard/wg0.conf
echo "" | sudo tee -a /etc/wireguard/wg0.conf
# Create client config
cat <<EOF > ${NAME}.conf
[Interface]
PrivateKey = $PRIVATE_KEY
Address = $CLIENT_IP/24
DNS = 8.8.8.8
[Peer]
PublicKey = $(cat /etc/wireguard/server_publickey)
Endpoint = $(curl -s ifconfig.me):51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
echo "Client $NAME added with IP $CLIENT_IP."
echo "Config file: ~/wireguard_clients/${NAME}.conf"
```
2. **Make Script Executable**
```bash
sudo chmod +x /etc/wireguard/add_client.sh
```
3. **Add Clients**
- **Free Clients (Ваня и Вася)**
```bash
sudo /etc/wireguard/add_client.sh Free vanya
sudo /etc/wireguard/add_client.sh Free vasya
```
- **VIP Client (Петя)**
```bash
sudo /etc/wireguard/add_client.sh VIP petya
```
### Switch Client Type
To switch a client from Free to VIP or vice versa:
1. **Edit Server Configuration**
```bash
sudo nano /etc/wireguard/wg0.conf
```
2. **Locate the Client's `[Peer]` Section**
```ini
### Client vanya
[Peer]
PublicKey = <vanya_publickey>
AllowedIPs = 10.0.0.12/32
```
3. **Change the `AllowedIPs` to Assign New IP Based on Type**
- **VIP**: `10.0.0.2/32` to `10.0.0.11/32`
- **Free**: `10.0.0.12/32` to `10.0.0.21/32`
4. **Update Speed Limiting Rules (see [Speed Limiting](#speed-limiting))**
5. **Restart WireGuard and Traffic Control**
```bash
sudo systemctl restart wg-quick@wg0
sudo systemctl restart wg-tc.service
```
## Speed Limiting
Use `tc` (Traffic Control) to limit bandwidth based on client IP.
1. **Create `set_tc.sh` Script**
```bash
sudo nano /etc/wireguard/set_tc.sh
```
```bash
#!/bin/bash
INTERFACE="ens1" # Replace with your external interface
# Clear existing rules
tc qdisc del dev $INTERFACE root 2>/dev/null
tc qdisc del dev $INTERFACE ingress 2>/dev/null
# Root qdisc
tc qdisc add dev $INTERFACE root handle 1: htb default 30
# Main class
tc class add dev $INTERFACE parent 1: classid 1:1 htb rate 1000mbit
# VIP class
tc class add dev $INTERFACE parent 1:1 classid 1:10 htb rate 100mbit
# Free class
tc class add dev $INTERFACE parent 1:1 classid 1:20 htb rate 10mbit
# Apply filters for VIP clients
for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[2-11]$"); do
tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip src $ip flowid 1:10
done
# Apply filters for Free clients
for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[12-21]$"); do
tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip src $ip flowid 1:20
done
# Ingress qdisc
tc qdisc add dev $INTERFACE ingress
# Apply policing for VIP
for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[2-11]$"); do
tc filter add dev $INTERFACE parent ffff: protocol ip prio 1 u32 match ip dst $ip flowid 1:10 police rate 100mbit burst 10k drop flowid :1
done
# Apply policing for Free
for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[12-21]$"); do
tc filter add dev $INTERFACE parent ffff: protocol ip prio 1 u32 match ip dst $ip flowid 1:20 police rate 10mbit burst 10k drop flowid :1
done
```
2. **Make Script Executable**
```bash
sudo chmod +x /etc/wireguard/set_tc.sh
```
3. **Create `systemd` Service**
```bash
sudo nano /etc/systemd/system/wg-tc.service
```
```ini
[Unit]
Description=WireGuard Traffic Control
After=network.target wg-quick@wg0.service
Requires=wg-quick@wg0.service
[Service]
Type=oneshot
ExecStart=/etc/wireguard/set_tc.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
```
4. **Enable and Start Service**
```bash
sudo systemctl daemon-reload
sudo systemctl enable wg-tc.service
sudo systemctl start wg-tc.service
```
## Security Considerations
Distributing `.conf` files exposes your server's IP address, which can be targeted for DDoS attacks. To mitigate risks:
1. **Use a Firewall**: Ensure only necessary ports are open.
```bash
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -j DROP
```
2. **Rate Limiting**: Further protect with fail2ban or similar tools.
3. **Monitor Traffic**: Use monitoring tools to detect unusual activity.
4. **Use a Dedicated IP**: If possible, host VPN on a separate IP to isolate traffic.
## Starting WireGuard
1. **Start and Enable WireGuard**
```bash
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
```
## Verification
1. **Check WireGuard Status**
```bash
sudo wg show
```
2. **Verify Speed Limits**
- Connect clients and use [speedtest.net](https://www.speedtest.net) to ensure VIP clients have up to 100 Mbps and Free clients up to 10 Mbps.
## Conclusion
You have successfully set up a WireGuard VPN server on Arch Linux with VIP and Free clients, each having distinct bandwidth limitations. Ensure to follow security best practices to protect your server from potential threats.
For further assistance, refer to the [WireGuard Documentation](https://www.wireguard.com/#documentation) or the Arch Linux community.