$ git clone https://github.com/Trigus42/Private-LAN /etc/private-lan
$ mkdir -p /etc/private-lan/volumes/{unbound,dnsmasq,wireguard-gw,wireguard-dns,pihole,pihole-vpn}
$ mv /etc/private-lan/unbound/docker-compose.yml /etc/private-lan/
Edit the IPs in the ports section of the pihole and pihole-vpn containers in /etc/private-lan/docker-compose.yml to match your network environment.
$ echo "GRAVITYDB=/etc/pihole/gravity/gravity.db" | tee /etc/private-lan/volumes/pihole/pihole-FTL.conf /etc/private-lan/volumes/pihole-vpn/pihole-FTL.conf
$ cp /etc/private-lan/unbound/unbound.conf /etc/private-lan/volumes/unbound/
Add this to /etc/network/interfaces to create a new virtual interface and set a static IP (the eth0.1 stanza is a VLAN sub-interface, which ifupdown only brings up when the `vlan` package is installed):

```
auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.178.2
    netmask 255.255.255.0
    gateway 192.168.178.1
    dns-nameservers 8.8.8.8 1.1.1.1
    dns-search domain-name

auto eth0.1
allow-hotplug eth0.1
iface eth0.1 inet static
    address 192.168.178.3
    netmask 255.255.255.0
    vlan-raw-device eth0
```
$ systemctl disable dhcpcd
$ systemctl restart networking.service
$ curl -fsSL https://get.docker.com | bash
$ apt install python3-pip -y && pip3 install docker-compose
$ systemctl enable docker
$ echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
$ wget -O - https://ftp-master.debian.org/keys/archive-key-$(lsb_release -sr).asc | sudo apt-key add -
$ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
$ apt update
On Raspberry Pi OS run:
$ apt install raspberrypi-kernel-headers wireguard -y
On any standard Debian installation run (the headers package must match the running kernel):
$ apt install linux-headers-$(uname -r) wireguard -y
Download your config file(s) and insert the following lines in the WireGuard config file below [Interface]:

```
# Don't allow forwarding from eth0 to eth0 (bypassing the VPN gateway)
PreUp = iptables -I FORWARD -i eth0 -o eth0 -j REJECT
# Replace the source IP of packets going out through the WireGuard interface AND add a route to your LAN subnet
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE && ip route add <Your Subnet> via 172.16.238.1
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE && ip route delete <Your Subnet> via 172.16.238.1
```

Copy it to /etc/private-lan/volumes/wireguard-gw and /etc/private-lan/volumes/wireguard-dns as wg0.conf.
Example:

```
[Interface]
PrivateKey = ...
Address = 100.64.67.64/32
DNS = 10.255.255.3
PreUp = iptables -I FORWARD -i eth0 -o eth0 -j REJECT
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE && ip route add 192.168.178.0/24 via 172.16.238.1
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE && ip route delete 192.168.178.0/24 via 172.16.238.1

[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = lon-229-wg.whiskergalaxy.com:443
PresharedKey = ...
```
Assign permissions and ownership in both directories that now hold a copy of wg0.conf (no one but root should be able to read the PrivateKey and PresharedKey):
$ chown -R root:root /etc/private-lan/volumes/wireguard-gw /etc/private-lan/volumes/wireguard-dns
$ chmod 600 -R /etc/private-lan/volumes/wireguard-gw /etc/private-lan/volumes/wireguard-dns
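A way to verify the copied wg0.conf files before starting the services, as an added example that is not part of the Private-LAN project: it parses the config, checks for the PreUp/PostUp/PostDown lines above and a full-tunnel AllowedIPs, and checks that each file is root-owned and mode 0600. The embedded sample config, its placeholder keys and the endpoint name are constructed; the default paths are the two directories from the steps above.

```python
"""Check a WireGuard gateway config (wg0.conf) against what this guide expects.

Added example for this guide, not code from the Private-LAN project. It looks
for the PreUp/PostUp/PostDown lines the guide asks you to add, for a full-tunnel
AllowedIPs, and for root-only ownership and permissions on the copied files.
"""
import os
import re
import stat
import sys

# Constructed sample following the guide's example; keys and endpoint are placeholders.
SAMPLE_WG_CONF = """\
[Interface]
PrivateKey = <placeholder>
Address = 100.64.67.64/32
DNS = 10.255.255.3
PreUp = iptables -I FORWARD -i eth0 -o eth0 -j REJECT
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE && ip route add 192.168.178.0/24 via 172.16.238.1
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE && ip route delete 192.168.178.0/24 via 172.16.238.1

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn-endpoint.example:443
PresharedKey = <placeholder>
"""


def parse_wg_conf(text):
    """Parse WireGuard's INI-like syntax into an ordered list of (section, {key: [values]}).

    Sections may repeat (several [Peer] blocks) and so may keys within a section
    (several PostUp lines), so every key maps to a list of values.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in wg-quick configs
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            sections.append((header.group(1), {}))
            continue
        if not sections or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections


def check_wg_conf(text, lan_iface="eth0"):
    """Return a list of findings; an empty list means the config matches the guide."""
    findings = []
    sections = parse_wg_conf(text)
    interfaces = [kv for name, kv in sections if name == "Interface"]
    peers = [kv for name, kv in sections if name == "Peer"]
    if len(interfaces) != 1:
        return [f"expected exactly one [Interface] section, found {len(interfaces)}"]
    iface = interfaces[0]
    pre_up = " ; ".join(iface.get("PreUp", []))
    post_up = " ; ".join(iface.get("PostUp", []))
    post_down = " ; ".join(iface.get("PostDown", []))
    # Without this rule, packets arriving from the LAN could be routed straight
    # back out of eth0 (towards the router) instead of through the tunnel.
    if f"-i {lan_iface} -o {lan_iface} -j REJECT" not in pre_up:
        findings.append(f"PreUp lacks the FORWARD {lan_iface}->{lan_iface} REJECT rule")
    if "MASQUERADE" not in post_up:
        findings.append("PostUp lacks the POSTROUTING MASQUERADE rule")
    elif "MASQUERADE" not in post_down:
        findings.append("PostUp adds MASQUERADE but PostDown never removes it")
    if "ip route add" in post_up and "ip route del" not in post_down:
        findings.append("PostUp adds the LAN route but PostDown never deletes it")
    if "DNS" not in iface:
        findings.append("[Interface] has no DNS entry")
    if not peers:
        findings.append("no [Peer] section")
    for n, peer in enumerate(peers):
        allowed = [a.strip() for v in peer.get("AllowedIPs", []) for a in v.split(",")]
        if "0.0.0.0/0" not in allowed:
            findings.append(f"[Peer] {n}: AllowedIPs {allowed} is not a full tunnel (0.0.0.0/0)")
    return findings


def check_file_perms(path, expected_uid=0, expected_gid=0):
    """Return findings if the file is not owned by expected_uid:expected_gid or is group/world accessible."""
    findings = []
    st = os.stat(path)
    if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
        findings.append(f"{path}: owned by {st.st_uid}:{st.st_gid}, expected {expected_uid}:{expected_gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} grants group/other access, expected 0600")
    return findings


if __name__ == "__main__":
    # Default to the two copies the guide creates; pass other paths as arguments.
    paths = sys.argv[1:] or [
        "/etc/private-lan/volumes/wireguard-gw/wg0.conf",
        "/etc/private-lan/volumes/wireguard-dns/wg0.conf",
    ]
    problems = 0
    for path in paths:
        with open(path) as fh:
            found = check_wg_conf(fh.read()) + check_file_perms(path)
        problems += len(found)
        for item in found:
            print(f"{path}: {item}")
    print("OK" if problems == 0 else f"{problems} finding(s)")
```

Run it as root after the chown/chmod step; it exits quietly with "OK" when both copies carry the expected rules and are readable by root only.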
$ cp /etc/private-lan/unbound/gateway*.sh /etc/init.d/
$ cp /etc/private-lan/unbound/gateway*.service /etc/systemd/system/
$ cp /etc/private-lan/gateway*.service /etc/systemd/system/
$ chmod +x /etc/init.d/gateway*.sh
$ chmod +x /etc/private-lan/set-route.sh
$ systemctl daemon-reload
$ systemctl enable gateway.service
$ systemctl enable gateway-firewall.service
Uncomment/paste in /etc/sysctl.conf:

```
# IP forwarding
net.ipv4.ip_forward = 1
# IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Don't send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
```
Load these changes:
$ sysctl -p /etc/sysctl.conf
More info about these settings: IP spoofing, ICMP broadcast requests, ICMP redirects, source packet routing, SYN attacks.
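To confirm that the settings are actually in effect on the running kernel (sysctl -p only reports keys it could not set, and another sysctl.d fragment or service can change a value later), here is an added audit script that is not part of the Private-LAN project: it parses sysctl.conf syntax, reads the live values from /proc/sys and reports every key that differs or is absent. The embedded copy of the settings is constructed from the list above.

```python
"""Audit the running kernel against the sysctl hardening settings from the guide.

Added example for this guide, not code from the Private-LAN project.
parse_sysctl() reads sysctl.conf syntax, read_running() pulls the live values
from /proc/sys, and audit_sysctl() reports every key whose live value differs.
"""
import os

# Constructed copy of the guide's settings (what /etc/sysctl.conf should contain).
EXPECTED_SYSCTL = """\
# IP forwarding (this host is the gateway)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians=1
"""


def parse_sysctl(text):
    """Parse sysctl.conf syntax ('key = value', '#' or ';' comments, optional '-' prefix) into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed sysctl line: {raw!r}")
        key, _, value = line.partition("=")
        key = key.strip().lstrip("-")  # a leading '-' tells sysctl to ignore errors for that key
        settings[key] = " ".join(value.split())  # normalise whitespace in multi-value settings
    return settings


def read_running(keys, procfs="/proc/sys"):
    """Return {key: live value or None} by mapping sysctl key a.b.c to procfs/a/b/c."""
    values = {}
    for key in keys:
        path = os.path.join(procfs, *key.split("."))
        try:
            with open(path) as fh:
                values[key] = " ".join(fh.read().split())
        except OSError:
            values[key] = None  # key absent on this kernel, e.g. IPv6 disabled
    return values


def audit_sysctl(expected, running):
    """Return {key: (expected, running)} for every key that is missing or has a different live value."""
    return {k: (v, running.get(k)) for k, v in expected.items() if running.get(k) != v}


if __name__ == "__main__":
    expected = parse_sysctl(EXPECTED_SYSCTL)
    mismatches = audit_sysctl(expected, read_running(expected))
    for key, (want, have) in sorted(mismatches.items()):
        print(f"{key}: want {want}, have {have}")
    print("OK: all settings active" if not mismatches else f"{len(mismatches)} setting(s) not applied")
```

Running it right after `sysctl -p` should print "OK"; running it again after Docker and the gateway services are up is the more interesting check, because that is when other components get a chance to touch the same keys.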
$ systemctl start gateway-firewall.service
$ docker-compose -f /etc/private-lan/docker-compose.yml up -d
$ systemctl start gateway.service
$ chown 999:spi -R /etc/private-lan/volumes/pihole/gravity
$ chmod 774 -R /etc/private-lan/volumes/pihole/gravity
$ docker exec -it pihole pihole -a -p
You can now manually configure your server as network gateway and DNS server on individual devices. However, it is much more convenient to set up a DHCP server. Using the IPs from the example network environment in /etc/private-lan/docker-compose.yml, you would configure the devices as follows:

VPN:
    Gateway: 192.168.178.2 (or 192.168.178.3)
    DNS: 192.168.178.3

Direct:
    Gateway: 192.168.178.1
    DNS: 192.168.178.2