WireGuard-Guide-On_Arch_Linux/guide_free_vip

# WireGuard VPN Setup Guide for Arch Linux

This concise guide helps you set up a WireGuard VPN server on Arch Linux with two client types:
- **VIP**: Up to 100 Mbps
- **Free**: Up to 10 Mbps

You can easily switch a client between VIP and Free by modifying their configuration. Additionally, we'll address security concerns related to exposing your server's IP address.

## Table of Contents
1. [Prerequisites](#prerequisites)
2. [Installation](#installation)
3. [Server Configuration](#server-configuration)
4. [Client Management](#client-management)
    - [Add a Client](#add-a-client)
    - [Switch Client Type](#switch-client-type)
5. [Speed Limiting](#speed-limiting)
6. [Security Considerations](#security-considerations)
7. [Starting WireGuard](#starting-wireguard)
8. [Verification](#verification)

## Prerequisites
- **Arch Linux** installed on the server.
- **Root** or **sudo** privileges.
- **WireGuard** installed on client devices (Linux, Windows, iOS, Android).

## Installation
1. **Update System & Install Packages**
    ```bash
    sudo pacman -Syu
    sudo pacman -S wireguard-tools iproute2 nano
    ```

## Server Configuration
1. **Generate Server Keys**
    ```bash
    sudo mkdir -p /etc/wireguard
    cd /etc/wireguard
    umask 077
    wg genkey | tee server_privatekey | wg pubkey > server_publickey
    ```

2. **Create `wg0.conf`**
    ```bash
    sudo nano /etc/wireguard/wg0.conf
    ```
    ```ini
    [Interface]
    Address = 10.0.0.1/24
    ListenPort = 51820
    PrivateKey = <server_privatekey>

    # Enable IP forwarding and NAT
    PostUp = sysctl -w net.ipv4.ip_forward=1
    PostUp = iptables -t nat -A POSTROUTING -o <external_interface> -j MASQUERADE
    PostUp = iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    PostUp = iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
    PostDown = sysctl -w net.ipv4.ip_forward=0
    PostDown = iptables -t nat -D POSTROUTING -o <external_interface> -j MASQUERADE
    PostDown = iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    PostDown = iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT
    ```
    - Replace `<server_privatekey>` with the content of `server_privatekey`.
    - Replace `<external_interface>` with your network interface (e.g., `eth0`, `ens1`).

## Client Management

### Add a Client
Create a script to add clients with type (VIP or Free).

1. **Create `add_client.sh`**
    ```bash
    sudo nano /etc/wireguard/add_client.sh
    ```
    ```bash
    #!/bin/bash

    if [ "$#" -ne 2 ]; then
        echo "Usage: $0 <VIP|Free> <client_name>"
        exit 1
    fi

    TYPE=$1
    NAME=$2

    if [ "$TYPE" == "VIP" ]; then
        IP_START=2
        RATE="100mbit"
    elif [ "$TYPE" == "Free" ]; then
        IP_START=12
        RATE="10mbit"
    else
        echo "Type must be VIP or Free"
        exit 1
    fi

    CLIENT_IP="10.0.0.$IP_START"

    # Generate keys
    mkdir -p ~/wireguard_clients
    cd ~/wireguard_clients
    wg genkey | tee ${NAME}_privatekey | wg pubkey > ${NAME}_publickey

    PRIVATE_KEY=$(cat ${NAME}_privatekey)
    PUBLIC_KEY=$(cat ${NAME}_publickey)

    # Add to server config
    echo "### Client $NAME" | sudo tee -a /etc/wireguard/wg0.conf
    echo "[Peer]" | sudo tee -a /etc/wireguard/wg0.conf
    echo "PublicKey = $PUBLIC_KEY" | sudo tee -a /etc/wireguard/wg0.conf
    echo "AllowedIPs = $CLIENT_IP/32" | sudo tee -a /etc/wireguard/wg0.conf
    echo "" | sudo tee -a /etc/wireguard/wg0.conf

    # Create client config
    cat <<EOF > ${NAME}.conf
    [Interface]
    PrivateKey = $PRIVATE_KEY
    Address = $CLIENT_IP/24
    DNS = 8.8.8.8

    [Peer]
    PublicKey = $(cat /etc/wireguard/server_publickey)
    Endpoint = $(curl -s ifconfig.me):51820
    AllowedIPs = 0.0.0.0/0, ::/0
    PersistentKeepalive = 25
    EOF

    echo "Client $NAME added with IP $CLIENT_IP."
    echo "Config file: ~/wireguard_clients/${NAME}.conf"
    ```
    2. **Make Script Executable**
    ```bash
    sudo chmod +x /etc/wireguard/add_client.sh
    ```

3. **Add Clients**
    - **Free Clients (Ваня и Вася)**
        ```bash
        sudo /etc/wireguard/add_client.sh Free vanya
        sudo /etc/wireguard/add_client.sh Free vasya
        ```
    - **VIP Client (Петя)**
        ```bash
        sudo /etc/wireguard/add_client.sh VIP petya
        ```

### Switch Client Type
To switch a client from Free to VIP or vice versa:

1. **Edit Server Configuration**
    ```bash
    sudo nano /etc/wireguard/wg0.conf
    ```
2. **Locate the Client's `[Peer]` Section**
    ```ini
    ### Client vanya
    [Peer]
    PublicKey = <vanya_publickey>
    AllowedIPs = 10.0.0.12/32
    ```
3. **Change the `AllowedIPs` to Assign New IP Based on Type**
    - **VIP**: `10.0.0.2/32` to `10.0.0.11/32`
    - **Free**: `10.0.0.12/32` to `10.0.0.21/32`
4. **Update Speed Limiting Rules (see [Speed Limiting](#speed-limiting))**
5. **Restart WireGuard and Traffic Control**
    ```bash
    sudo systemctl restart wg-quick@wg0
    sudo systemctl restart wg-tc.service
    ```

## Speed Limiting
Use `tc` (Traffic Control) to limit bandwidth based on client IP.

1. **Create `set_tc.sh` Script**
    ```bash
    sudo nano /etc/wireguard/set_tc.sh
    ```
    ```bash
    #!/bin/bash

    INTERFACE="ens1"  # Replace with your external interface

    # Clear existing rules
    tc qdisc del dev $INTERFACE root 2>/dev/null
    tc qdisc del dev $INTERFACE ingress 2>/dev/null

    # Root qdisc
    tc qdisc add dev $INTERFACE root handle 1: htb default 30

    # Main class
    tc class add dev $INTERFACE parent 1: classid 1:1 htb rate 1000mbit

    # VIP class
    tc class add dev $INTERFACE parent 1:1 classid 1:10 htb rate 100mbit

    # Free class
    tc class add dev $INTERFACE parent 1:1 classid 1:20 htb rate 10mbit

    # Apply filters for VIP clients
    for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[2-11]$"); do
        tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip src $ip flowid 1:10
    done

    # Apply filters for Free clients
    for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[12-21]$"); do
        tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip src $ip flowid 1:20
    done

    # Ingress qdisc
    tc qdisc add dev $INTERFACE ingress

    # Apply policing for VIP
    for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[2-11]$"); do
        tc filter add dev $INTERFACE parent ffff: protocol ip prio 1 u32 match ip dst $ip flowid 1:10 police rate 100mbit burst 10k drop flowid :1
    done

    # Apply policing for Free
    for ip in $(grep "AllowedIPs" /etc/wireguard/wg0.conf | grep "/32" | awk '{print $3}' | grep "^10\.0\.0\.[12-21]$"); do
        tc filter add dev $INTERFACE parent ffff: protocol ip prio 1 u32 match ip dst $ip flowid 1:20 police rate 10mbit burst 10k drop flowid :1
    done
    ```
2. **Make Script Executable**
    ```bash
    sudo chmod +x /etc/wireguard/set_tc.sh
    ```

3. **Create `systemd` Service**
    ```bash
    sudo nano /etc/systemd/system/wg-tc.service
    ```
    ```ini
    [Unit]
    Description=WireGuard Traffic Control
    After=network.target wg-quick@wg0.service
    Requires=wg-quick@wg0.service

    [Service]
    Type=oneshot
    ExecStart=/etc/wireguard/set_tc.sh
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target
    ```
4. **Enable and Start Service**
    ```bash
    sudo systemctl daemon-reload
    sudo systemctl enable wg-tc.service
    sudo systemctl start wg-tc.service
    ```

## Security Considerations
Distributing `.conf` files exposes your server's IP address, which can be targeted for DDoS attacks. To mitigate risks:

1. **Use a Firewall**: Ensure only necessary ports are open.
    ```bash
    sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A INPUT -j DROP
    ```
2. **Rate Limiting**: Further protect with fail2ban or similar tools.
3. **Monitor Traffic**: Use monitoring tools to detect unusual activity.
4. **Use a Dedicated IP**: If possible, host VPN on a separate IP to isolate traffic.

## Starting WireGuard
1. **Start and Enable WireGuard**
    ```bash
    sudo systemctl start wg-quick@wg0
    sudo systemctl enable wg-quick@wg0
    ```

## Verification
1. **Check WireGuard Status**
    ```bash
    sudo wg show
    ```
2. **Verify Speed Limits**
    - Connect clients and use [speedtest.net](https://www.speedtest.net) to ensure VIP clients have up to 100 Mbps and Free clients up to 10 Mbps.

## Conclusion
You have successfully set up a WireGuard VPN server on Arch Linux with VIP and Free clients, each having distinct bandwidth limitations. Ensure to follow security best practices to protect your server from potential threats.

For further assistance, refer to the [WireGuard Documentation](https://www.wireguard.com/#documentation) or the Arch Linux community.