update installer for Ubuntu 22.04
parent
144665694c
commit
1e55c8cb68
10
README.md
10
README.md
|
@ -8,12 +8,10 @@ Start with basic Ubuntu 20.04 install with no extra services or packages install
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd /usr/local/src/
|
cd /usr/local/src/
|
||||||
wget https://git.stack-source.com/stackaas/stack-vpn/archive/master.tar.gz
|
wget https://git.stack-source.com/msb/vpn-stack/archive/master.tar.gz
|
||||||
tar zxvf master.tar.gz
|
tar zxvf master.tar.gz
|
||||||
cd stack-vpn
|
cd vpn-stack
|
||||||
chmod 750 wg-*.sh
|
bash install.sh
|
||||||
mv wg-*.sh /usr/local/sbin/
|
|
||||||
/usr/local/sbin/wg-install.sh
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Configure Clients
|
## Configure Clients
|
||||||
|
@ -27,7 +25,7 @@ wg-client-add.sh username [device]
|
||||||
wg-client-qr-display.sh username [device]
|
wg-client-qr-display.sh username [device]
|
||||||
```
|
```
|
||||||
|
|
||||||
If the device option is left off then a "default" device will be added for that client/username.
|
If the device option is left off then a "default" device will be added for that client/username.\
|
||||||
For example, to add a client config for a user named joe and display the qr code on the console screen run:
|
For example, to add a client config for a user named joe and display the qr code on the console screen run:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|
|
@ -20,8 +20,8 @@ fi
|
||||||
# do some basic pre-install checks - these are *not* exhaustive
|
# do some basic pre-install checks - these are *not* exhaustive
|
||||||
os_id=`lsb_release -is`
|
os_id=`lsb_release -is`
|
||||||
os_release=`lsb_release -rs`
|
os_release=`lsb_release -rs`
|
||||||
if [ $os_id != Ubuntu ] || [ $os_release != 20.04 ]; then
|
if [ $os_id != Ubuntu ] || [ $os_release != 22.04 ]; then
|
||||||
echo "this installer only runs on Ubuntu 20.04, bailing out"
|
echo "this installer only runs on Ubuntu 22.04, bailing out"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -64,22 +64,21 @@ echo "net.ipv6.ip_nonlocal_bind = 1" >> /etc/sysctl.d/60-wireguard.conf
|
||||||
/sbin/sysctl --system
|
/sbin/sysctl --system
|
||||||
|
|
||||||
# DNS over TLS (DoT) for OS
|
# DNS over TLS (DoT) for OS
|
||||||
sed -i 's|#DNS=|DNS=1.1.1.1#one.one.one.one|g' /etc/systemd/resolved.conf
|
sed -i 's|#DNS=|DNS=1.1.1.1|g' /etc/systemd/resolved.conf
|
||||||
sed -i 's|#FallbackDNS=|FallbackDNS=1.0.0.1#one.one.one.one|g' /etc/systemd/resolved.conf
|
sed -i 's|#FallbackDNS=|FallbackDNS=1.0.0.1|g' /etc/systemd/resolved.conf
|
||||||
sed -i "s|#Domains=|Domains=`hostname -d`|g" /etc/systemd/resolved.conf
|
sed -i "s|#Domains=|Domains=`hostname -d`|g" /etc/systemd/resolved.conf
|
||||||
sed -i 's|#DNSOverTLS=no|DNSOverTLS=yes|g' /etc/systemd/resolved.conf
|
sed -i 's|#DNSOverTLS=no|DNSOverTLS=yes|g' /etc/systemd/resolved.conf
|
||||||
sed -i 's|#Cache=yes|Cache=no|g' /etc/systemd/resolved.conf
|
sed -i 's|#Cache=.*|Cache=no|g' /etc/systemd/resolved.conf
|
||||||
systemctl restart systemd-resolved
|
systemctl restart systemd-resolved
|
||||||
|
|
||||||
# configure a minimal smtp server so automated emails (cron etc) can be sent
|
# configure a minimal smtp server so automated emails (cron etc) can be sent
|
||||||
apt -y install exim4-daemon-light mailutils
|
DEBIAN_FRONTEND=noninteractive apt-get -y install exim4-daemon-light mailutils
|
||||||
sed -i "s|dc_eximconfig_configtype='local'|dc_eximconfig_configtype='internet'|g" /etc/exim4/update-exim4.conf.conf
|
sed -i "s|dc_eximconfig_configtype='local'|dc_eximconfig_configtype='internet'|g" /etc/exim4/update-exim4.conf.conf
|
||||||
/usr/sbin/update-exim4.conf
|
/usr/sbin/update-exim4.conf
|
||||||
systemctl restart exim4
|
systemctl restart exim4
|
||||||
|
|
||||||
# configure automatic updates
|
# configure automatic updates
|
||||||
apt -y install --no-install-recommends mailutils
|
DEBIAN_FRONTEND=noninteractive apt-get -y install unattended-upgrades
|
||||||
apt -y install unattended-upgrades
|
|
||||||
sed -i 's|APT::Periodic::Download-Upgradeable-Packages "0";|APT::Periodic::Download-Upgradeable-Packages "1";|g' /etc/apt/apt.conf.d/10periodic
|
sed -i 's|APT::Periodic::Download-Upgradeable-Packages "0";|APT::Periodic::Download-Upgradeable-Packages "1";|g' /etc/apt/apt.conf.d/10periodic
|
||||||
sed -i 's|APT::Periodic::AutocleanInterval "0";|APT::Periodic::AutocleanInterval "7";|g' /etc/apt/apt.conf.d/10periodic
|
sed -i 's|APT::Periodic::AutocleanInterval "0";|APT::Periodic::AutocleanInterval "7";|g' /etc/apt/apt.conf.d/10periodic
|
||||||
echo 'APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/10periodic
|
echo 'APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/10periodic
|
||||||
|
@ -92,7 +91,7 @@ REBOOT_TIME=$(printf "%02d" $((8 + RANDOM % 2))):$(printf "%02d" $((0 + RANDOM %
|
||||||
sed -i "s|//Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";|Unattended-Upgrade::Automatic-Reboot-Time \"$REBOOT_TIME\";|g" /etc/apt/apt.conf.d/50unattended-upgrades
|
sed -i "s|//Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";|Unattended-Upgrade::Automatic-Reboot-Time \"$REBOOT_TIME\";|g" /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
|
|
||||||
# stubby DNS Privacy stub resolver for wireguard clients
|
# stubby DNS Privacy stub resolver for wireguard clients
|
||||||
apt -y install stubby
|
DEBIAN_FRONTEND=noninteractive apt-get -y install stubby
|
||||||
cp /etc/stubby/stubby.yml /etc/stubby/stubby.yml.default
|
cp /etc/stubby/stubby.yml /etc/stubby/stubby.yml.default
|
||||||
echo 'resolution_type: GETDNS_RESOLUTION_STUB' > /etc/stubby/stubby.yml
|
echo 'resolution_type: GETDNS_RESOLUTION_STUB' > /etc/stubby/stubby.yml
|
||||||
echo 'dns_transport_list:' >> /etc/stubby/stubby.yml
|
echo 'dns_transport_list:' >> /etc/stubby/stubby.yml
|
||||||
|
@ -131,7 +130,7 @@ wget --output-document=/usr/local/etc/hosts https://raw.githubusercontent.com/St
|
||||||
install -m 755 /dev/null /usr/sbin/policy-rc.d
|
install -m 755 /dev/null /usr/sbin/policy-rc.d
|
||||||
echo '#!/bin/sh' > /usr/sbin/policy-rc.d
|
echo '#!/bin/sh' > /usr/sbin/policy-rc.d
|
||||||
echo 'exit 101' >> /usr/sbin/policy-rc.d
|
echo 'exit 101' >> /usr/sbin/policy-rc.d
|
||||||
apt -y install dnsmasq
|
DEBIAN_FRONTEND=noninteractive apt-get -y install dnsmasq
|
||||||
echo "domain-needed" > /etc/dnsmasq.d/local.conf
|
echo "domain-needed" > /etc/dnsmasq.d/local.conf
|
||||||
echo "bogus-priv" >> /etc/dnsmasq.d/local.conf
|
echo "bogus-priv" >> /etc/dnsmasq.d/local.conf
|
||||||
echo "no-resolv" >> /etc/dnsmasq.d/local.conf
|
echo "no-resolv" >> /etc/dnsmasq.d/local.conf
|
||||||
|
@ -150,7 +149,7 @@ rm -f /usr/sbin/policy-rc.d
|
||||||
systemctl restart dnsmasq.service
|
systemctl restart dnsmasq.service
|
||||||
|
|
||||||
# install and configure ufw firewall
|
# install and configure ufw firewall
|
||||||
apt -y install ufw
|
DEBIAN_FRONTEND=noninteractive apt-get -y install ufw
|
||||||
# enable wireguard port
|
# enable wireguard port
|
||||||
ufw allow from any to $IPv4 port 51820 proto udp
|
ufw allow from any to $IPv4 port 51820 proto udp
|
||||||
# allow dns queries for wireguard clients
|
# allow dns queries for wireguard clients
|
||||||
|
@ -182,7 +181,7 @@ echo "COMMIT" >> /etc/ufw/before.rules
|
||||||
ufw --force enable
|
ufw --force enable
|
||||||
|
|
||||||
# install & configure wireguard
|
# install & configure wireguard
|
||||||
apt -y install net-tools wireguard wireguard-tools qrencode
|
DEBIAN_FRONTEND=noninteractive apt-get -y install net-tools wireguard wireguard-tools qrencode
|
||||||
|
|
||||||
# this will be the private network used by wireguard server & clients
|
# this will be the private network used by wireguard server & clients
|
||||||
# Network: 10.96.0.0/12
|
# Network: 10.96.0.0/12
|