
PwOSS - Wiki

Changes in e1e5162: changed OpenVPN to WireGuard
content/server/arch-server-docu.md
... ...
@@ -771,7 +771,7 @@ Hit enter and set up the mysql root password (use a good password) and hit the f
771 771
772 772
# 17. Seafile
773 773
774
-# 17.1 Needed packages
774
+## 17.1. Needed packages
775 775
```
776 776
pikaur -S seahub libselinux --noconfirm
777 777
```
... ...
@@ -1111,357 +1111,164 @@ su - pwoss
1111 1111
1112 1112
 
1113 1113
1114
-# 19. OpenVPN
1115
-```
1116
-sudo groupadd nogroup
1117
-```
1114
+# 19. WireGuard
1118 1115
1119
1116
+## 19.1. Server
1120 1117
1121
-## 19.1. DDClient-Dynamic DNS
1118
+Do everything with root.
1122 1119
```
1123
-sudo pacman -S ddclient --noconfirm && sudo nano /etc/ddclient/ddclient.conf
1120
+su
1124 1121
```
1125 1122
1126
1127
-
1128
-### 19.1.1. Input required:
1129
-Add following lines and change the "login=","password=", and the domain at the bottom.
1130
-```
1131
-For noip
1132
-protocol=dyndns2
1133
-use=web, if=eth0
1134
-server=dynupdate.no-ip.com
1135
-login=your-@emailaddress.com
1136
-password='your-password'
1137
-your-dyndns_domain
1138
-```
1123
+### 19.1.1. Packages
1139 1124
```
1140
-sudo crontab -e
1125
+pacman -S wireguard-tools
1141 1126
```
1142 1127
1143
-add
1128
+ 
1144 1129
1130
+### 19.1.2. Keys
1145 1131
```
1146
-#######################DDClient
1147
-45 04 * * * /usr/sbin/ddclient --force
1148
-##################################
1132
+cd /etc/wireguard/
1133
+umask 077; wg genkey | tee privatekey | wg pubkey > publickey
1149 1134
```
1150 1135
1151
1136
+ 
1152 1137
1153
-## 19.2. Easy-RSA
1154
-```
1155
-sudo pacman -S openvpn easy-rsa --noconfirm && sudo su
1156
-cd /etc/easy-rsa
1157
-export EASYRSA=$(pwd)
1158
-easyrsa init-pki
1159
-easyrsa build-ca nopass
1160
-```
1161
-
1162
1163
-
1164
-### 19.2.1. Input required:
1165
-<<Note("Change <code>your-dyndns_domain</code> to your domain.")>>
1138
+### 19.1.3. Config (wg0.conf)
1166 1139
1140
+#### 19.1.3.1. Interface
1141
+Copy the private key number.
1167 1142
```
1168
-Common Name (eg: your user, host, or server name) [Easy-RSA CA]:your-dyndns_domain
1169
-Your new CA certificate file for publishing is at:/etc/easy-rsa/pki/ca.crt
1170
-cp /etc/easy-rsa/pki/ca.crt /etc/openvpn/server/
1171
-easyrsa gen-req ArchServer nopass
1172
-your-dyndns_domain
1143
+cat privatekey
1173 1144
```
1174
-
1175
-Enter
1176
-
1177 1145
```
1178
-cp /etc/easy-rsa/pki/private/ArchServer.key /etc/openvpn/server/
1179
-openssl dhparam -out /etc/openvpn/server/dh.pem 2048
1146
+nano wg0.conf
1180 1147
```
1181
-
1182
-<<Note("This takes around 20 minutes")>>
1183
-
1184
1185
-
1186
-### 19.2.2. Input required:
1187
-<<Note("Change <code>your-device</code> like Smartphone / Laptop etc.")>>
1188
-
1189 1148
```
1190
-openvpn --genkey --secret /etc/openvpn/server/ta.key
1191
-easyrsa gen-req your-device
1149
+[Interface]
1150
+PrivateKey = <Private Key>
1151
+Address = 10.0.0.1/24, fd86:ea04:1115::1/64
1152
+ListenPort = 51820
1153
+PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
1154
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
1155
+SaveConfig = true
1192 1156
```
1193 1157
1194
-Enter your-password and _NO COMMON NAME_!!
1195
-Hit enter
1196
-
1197
-```
1198
-easyrsa sign-req server ArchServer
1199
-```
1158
+<<Note("Change your interface <code>eth0</code> to your interface.")>>
1200 1159
1201
-yes
1160
+&nbsp;
1202 1161
1203
1162
+#### 19.1.3.2. Peer
1163
+1. [Go to clients](#19-2-clients) first and follow the instructions.
1204 1164
1205
-### 19.2.3. Input required:
1206
-<<Note("Change <code>your-device</code> like Smartphone / Laptop etc.")>>
1165
+2. Copy the __publickey__ and __presharedkey__ of your client.
1207 1166
```
1208
-easyrsa sign-req client your-device
1167
+cat /etc/wireguard/clients/phones/pinephone/publickey && cat /etc/wireguard/clients/phones/pinephone/presharedkey
1209 1168
```
1210
-
1211
-yes
1212
-
1169
+3. Add the peer
1213 1170
```
1214
-mv /etc/easy-rsa/pki/issued/ArchServer.crt /etc/openvpn/server/
1215
-mkdir /etc/easy-rsa/pki/signed
1216
-mv /etc/easy-rsa/pki/issued/your-device.crt /etc/easy-rsa/pki/signed
1217
-exit
1171
+nano /etc/wireguard/wg0.conf
1218 1172
```
1219
-
1220
1221
-
1222
-## 19.3. Client config &amp; ovpngen AUR
1223 1173
```
1224
-cd && pikaur -S ovpngen --noconfirm
1174
+[Peer]
1175
+# PinePhone
1176
+PublicKey = <client public key>
1177
+PresharedKey = <preshared key>
1178
+AllowedIPs = 10.0.0.2/32
1225 1179
```
1226 1180
1227
1181
+&nbsp;
1228 1182
1229
-### 19.3.1. Input required:
1230
-<<Note("Change <code>your-dyndns_domain</code> to your domain. Change <code>your-device</code> like Smartphone / Laptop etc.")>>
1183
+## 19.2. Clients
1231 1184
1185
+### 19.2.1. Folder structure
1186
+Create clients for _laptop_, _desktop_, _phones_ etc.. Whatever you prefer.
1232 1187
```
1233
-sudo ovpngen your-dyndns_domain /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/your-device.crt /etc/easy-rsa/pki/private/your-device.key /etc/openvpn/server/ta.key > your-device.ovpn
1234
-sudo nano your-device.ovpn
1188
+mkdir -p /etc/wireguard/clients/phones/pinephone/
1235 1189
```
1236 1190
1237
1238
-
1239
-### 19.3.2. Input required:
1240
-<<Note("Change <code>your-dyndns_domain</code> to your domain.")>>
1191
+&nbsp;
1241 1192
1193
+### 19.2.2. Keys
1242 1194
```
1243
-remote your-dyndns_domain 1194 udp
1195
+cd /etc/wireguard/clients/phones/pinephone/
1196
+umask 077; wg genkey | tee privatekey | wg pubkey > publickey | wg genpsk > presharedkey
1244 1197
```
1245
-and add behind ‘verb 3’
1246
-
1247 1198
```
1248
-cipher AES-256-CBC
1249
-auth SHA512
1250
-resolv-retry infinite
1251
-tls-version-min 1.2
1252
-auth-nocache
1253
-remote-cert-tls server
1254
-comp-lzo
1199
+cat privatekey && cat presharedkey && cat /etc/wireguard/publickey
1255 1200
```
1256
-ctrl + x
1257
-yes
1258
-
1259
1260
-
1261
-### 19.3.3. Input required:
1262
-Copy the file to your Phone and import the file to the “OpenVPN for Android” application or to your computer.
1263 1201
```
1264
-sudo scp your-device.ovpn your-copmputer/your-user@192.168.1.xxx:/home/your-user/
1202
+nano pinephone.conf
1265 1203
```
1266
-
1267
1268
-
1269
-## 19.4. Server config
1270
-```
1271
-sudo nano /etc/openvpn/server/server.conf
1272 1204
```
1205
+[Interface]
1206
+PrivateKey = <pinephones-privatekey>
1207
+Address = 10.0.0.2/24,fd42:42:42::2/64
1273 1208
1274
-<<Note("Change the IP to your home network if it’s necessary.")>>
1209
+## Optional. Leave it like it is if you want to use your server DNS.
1210
+# DNS =
1275 1211
1276
-```
1277
-# your local subnet
1278
-push "route 192.168.1.0 255.255.255.0"
1212
+[Peer]
1213
+#Home server
1214
+PublicKey = <server public key>
1215
+PresharedKey = <preshared key>
1216
+Endpoint = <server public IP or domain>:51820
1217
+AllowedIPs = 0.0.0.0/0,::/0
1279 1218
```
1280 1219
1281
-Change the client's number depends on your needs.
1220
+&nbsp;
1282 1221
1222
+### 19.2.3. Permissions
1223
+Set the right permissions.
1283 1224
```
1284
-max-clients 2
1285
-```
1225
+chmod -R 600 /etc/wireguard/clients/
1286 1226
```
1287
-port 1194
1288
-proto udp
1289
-dev tun
1290
-ca /etc/openvpn/server/ca.crt
1291
-cert /etc/openvpn/server/ArchServer.crt
1292
-key /etc/openvpn/server/ArchServer.key
1293
-dh /etc/openvpn/server/dh.pem
1294
-server 10.8.0.0 255.255.255.0
1295
-# server and remote endpoints
1296
-ifconfig 10.8.0.1 10.8.0.2
1297
-# Add route to Client routing table for the OpenVPN Server
1298
-push "route 10.8.0.1 255.255.255.255"
1299
-# Add route to Client routing table for the OPenVPN Subnet
1300
-push "route 10.8.0.0 255.255.255.0"
1301
-# your local subnet
1302
-push "route 192.168.1.0 255.255.255.0"
1303
-# Set your primary domain name server address for clients
1304 1227
1305
-########################Pi-hole
1306
-push "dhcp-option DNS 192.168.1.76"
1307
-###############################
1228
+&nbsp;
1308 1229
1309
-###### https://dns.watch/
1310
-#push "dhcp-option DNS 84.200.69.80"
1311
-#push "dhcp-option DNS 84.200.70.40"
1312
-# Override the Client default gateway by using 0.0.0.0/1 and
1313
-# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
1314
-# overriding but not wiping out the original default gateway.
1315
-#push "redirect-gateway def1"
1316
-push "redirect-gateway def1 bypass-dhcp"
1317
-
1318
-client-to-client
1319
-duplicate-cn
1320
-keepalive 10 120
1321
-tls-version-min 1.2
1322
-tls-auth /etc/openvpn/server/ta.key 0
1323
-cipher AES-256-CBC
1324
-auth SHA512
1325
-#comp-lzo
1326
-compress lz4-v2
1327
-push "compress lz4-v2"
1328
-user nobody
1329
-group nogroup
1330
-persist-key
1331
-persist-tun
1332
-max-clients 2
1333
-remote-cert-tls client
1334
-#client-connect /etc/openvpn/vpn-connect.sh
1335
-#client-disconnect /etc/openvpn/vpn-disconnect.sh
1336
-#script-security 2
1337
-#crl-verify /etc/openvpn/crl.pem
1338
-status /var/log/openvpn-status.log 20
1339
-status-version 3
1340
-log /var/log/openvpn.log
1341
-verb 3
1342
-ifconfig-pool-persist ipp.txt
1343
-log-append /var/log/openvpn
1344
-status /tmp/vpn.status 10
1230
+### 19.2.4. Copy file
1231
+Copy your `.conf` file to your device.
1345 1232
```
1346
-ctrl + x
1347
-yes
1348
-
1349
-```
1350
-sudo systemctl enable openvpn-server@server.service && sudo systemctl start openvpn-server@server.service
1233
+scp pinephone.conf dan@192.168.1.248:~/
1351 1234
```
1352 1235
1353
1354
-
1355
-## 19.5. New clients
1356
-
1357
1358
-
1359
-### 19.5.1. Input required:
1360
-<<Note("Change <code>your-device</code> like Smartphone / Laptop etc.")>>
1236
+&nbsp;
1361 1237
1238
+#### 19.2.4.1. Generate QR Code
1239
+You can also create an QR code.
1362 1240
```
1363
-sudo su && cd /etc/easy-rsa
1364
-easyrsa gen-req your-device
1241
+pacman -S qrencode
1365 1242
```
1366
-
1367
-Enter your password and _NO COMMON NAME_!!
1368
-Hit enter
1369
-
1370
1371
-
1372
-### 19.5.2. Input required:
1373 1243
```
1374
-easyrsa sign-req client your-device
1244
+qrencode -t ansiutf8 < pinephone.conf
1375 1245
```
1376 1246
1377
-yes
1247
+&nbsp;
1378 1248
1379
1249
+### 19.2.5. Back to peer
1250
+[Click](#19-1-3-2-peer)
1380 1251
1381
-### 19.5.3. Input required:
1382
-<<Note("Change <code>your-dyndns_domain</code> to your domain. Change <code>your-device</code> like Smartphone / Laptop etc.")>>
1252
+&nbsp;
1383 1253
1384
-```
1385
-mv /etc/easy-rsa/pki/issued/your-device.crt /etc/easy-rsa/pki/signed
1386
-```
1387
-```
1388
-sudo ovpngen yourDYNDNSdomain.com /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/your-device.crt /etc/easy-rsa/pki/private/your-device.key /etc/openvpn/server/ta.key > your-device.ovpn
1389
-sudo nano your-device.ovpn
1390
-```
1254
+### 19.2.6. More clients
1255
+If you need more clients, just follow the [clients](#19-2-clients) process again and add the [peer](#19-1-3-2-peer) to your server among your other clients.
1391 1256
1392
1393
-
1394
-### 19.5.4. Input required:
1395
-<<Note("Change <code>your-dyndns_domain</code> to your domain.")>>
1257
+&nbsp;
1396 1258
1259
+## 19.3. Start service
1397 1260
```
1398
-remote your-dyndns_domain 1194 udp
1261
+systemctl enable wg-quick@wg0.service && systemctl start wg-quick@wg0.service
1399 1262
```
1400
-and add behind ‘verb 3’
1401 1263
1402
-```
1403
-cipher AES-256-CBC
1404
-auth SHA512
1405
-resolv-retry infinite
1406
-tls-version-min 1.2
1407
-auth-nocache
1408
-remote-cert-tls server
1409
-comp-lzo
1410
-```
1411
-ctrl + x
1412
-yes
1413
-
1414
1415
-
1416
-### 19.5.5. Input required:
1417
-Copy the file to your Phone and import the file to the “OpenVPN for Android” application or to your computer.
1418
-```
1419
-sudo scp your-device.ovpn your-copmputer/your-user@192.168.1.xxx:/home/your-user/
1420
-```
1421
-
1422
1264
+&nbsp;
1423 1265
1424 1266
# 20. UFW
1425 1267
```
1426
-sudo pacman -S ufw --noconfirm && sudo nano /etc/default/ufw
1427
-```
1428
-
1429
-Change:
1430
-
1431
-```
1432
-DEFAULT_FORWARD_POLICY="DROP"
1433
-```
1434
-
1435
-to
1436
-
1437
-```
1438
-DEFAULT_FORWARD_POLICY="ACCEPT"
1268
+sudo pacman -S ufw --noconfirm
1439 1269
```
1440 1270
```
1441
-sudo nano /etc/ufw/before.rules
1442
-```
1443
-
1444
1445
-
1446
-### 20.0.6. Input required:
1447
-Add after header (# ufw-before-forward) and before (# Don't delete these required lines, otherwise there will be errors and change the '_your-interface_'
1448
-
1449
-```
1450
-# NAT (Network Address Translation) table rules
1451
-*nat
1452
-:POSTROUTING ACCEPT [0:0]
1453
-
1454
-# Allow traffic from clients to the interface
1455
--A POSTROUTING -s 10.8.0.0/24 -o your-interface -j MASQUERADE
1456
-
1457
-# do not delete the "COMMIT" line or the NAT table rules above will not be processed
1458
-COMMIT
1459
-```
1460
-ctrl + x
1461
-yes
1462
-
1463
-```
1464
-sudo ufw allow ssh && sudo ufw allow 1194/udp && sudo ufw allow 8001/tcp && sudo ufw allow 8080/tcp && sudo ufw allow 8082/tcp && sudo ufw allow 5232/tcp
1271
+sudo ufw allow ssh && sudo ufw allow 51820/udp && sudo ufw allow 8001/tcp && sudo ufw allow 8080/tcp && sudo ufw allow 8082/tcp && sudo ufw allow 5232/tcp
1465 1272
```
1466 1273
1467 1274
y
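Review bot: in the client config the address line `Address = 10.0.0.2/24,fd42:42:42::2/64` uses a different ULA prefix than the server's `fd86:ea04:1115::1/64`, and the server-side `[Peer]` block only allows `AllowedIPs = 10.0.0.2/32`, so WireGuard's cryptokey routing will drop every IPv6 packet the PinePhone sends through the tunnel; either use one prefix on both sides and add the client's IPv6 /128 to that AllowedIPs, or remove the IPv6 address from the client. Smaller points in the same hunk: the client key command chains `wg pubkey > publickey | wg genpsk > presharedkey`, which only works because `wg genpsk` ignores stdin (the pipe carries nothing once stdout is redirected to the file), so `&&` reads more honestly; `chmod -R 600 /etc/wireguard/clients/` also strips the execute bit from the directories, which makes them untraversable for any non-root process, whereas `chmod -R u=rwX,go= ...` gives files 600 and directories 700 (the key files were already 600 thanks to `umask 077`); `SaveConfig = true` makes wg-quick rewrite wg0.conf when the interface goes down, discarding the `# PinePhone` comment and any peer added by hand per 19.2.6 while the service was running, so either drop it or add peers with `wg set` followed by `wg-quick save wg0`; and the client comment "Leave it like it is if you want to use your server DNS" is misleading, since with `DNS` unset the phone keeps whatever resolver it had before and the server's resolver is only used if `DNS = 10.0.0.1` (or the resolver's LAN address) is set. On the firewall side, the hunk drops the `DEFAULT_FORWARD_POLICY="ACCEPT"` and before.rules NAT edits from the UFW section in favour of the `PostUp` iptables rules; that is cleaner, but nothing in the hunk enables `net.ipv4.ip_forward` / `net.ipv6.conf.all.forwarding` (required for the MASQUERADE rules to carry anything) unless that is done elsewhere in the document, and as far as I can tell ufw flushes and rebuilds the built-in chains on reload, so the PostUp rules are lost if ufw is reloaded while wg0 is up and the boot order of ufw and wg-quick@wg0 deserves a sentence. Lastly, `scp pinephone.conf dan@192.168.1.248:~/` replaces the earlier `your-user@192.168.1.xxx` placeholder with a real account and host; the file contains the client's private key and the preshared key, so keep the placeholder and mention that the copy should end up owner-readable only (scp without `-p` creates it under the remote umask).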
... ...
@@ -1560,7 +1367,7 @@ listen.acl_groups = http
1560 1367
1561 1368
 
1562 1369
1563
-### 23.0.7. Input required:
1370
+### 23.0.1. Input required:
1564 1371
Uncomment the following lines in /etc/php/php.ini: (Delete ; )
1565 1372
1566 1373
```
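Review bot: the renumbering `23.0.7` -> `23.0.1` (and the matching 25.0.x / 26.0.x changes in the following hunks) keeps a global "Input required" counter that runs across sections, which is why replacing section 19 forces edits to unrelated sections; numbering these within their own section, for example `### 23.1. Input required:`, as 17.1 and 19.1 do in this same diff, would make future section swaps self-contained.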
... ...
@@ -1656,7 +1463,7 @@ sudo pacman -S msmtp msmtp-mta --noconfirm && sudo nano /etc/msmtprc
1656 1463
1657 1464
 
1658 1465
1659
-### 25.0.8. Input required:
1466
+### 25.0.2. Input required:
1660 1467
Add and change all `PwOSS`, `your-@emailaddress.com` and `your-password` settings to your provider.
1661 1468
1662 1469
```
... ...
@@ -1706,7 +1513,7 @@ sudo systemctl daemon-reload && sudo systemctl restart cronie.service
1706 1513
1707 1514
 
1708 1515
1709
-### 25.0.9. Input required:
1516
+### 25.0.3. Input required:
1710 1517
Test it:
1711 1518
<<Note("Change email")>>
1712 1519
... ...
@@ -1815,7 +1622,7 @@ yes
1815 1622
1816 1623
 
1817 1624
1818
-### 26.0.10. Input required:
1625
+### 26.0.4. Input required:
1819 1626
Set a password:
1820 1627
```
1821 1628
pihole -a -p
... ...
@@ -1873,7 +1680,7 @@ push "dhcp-option DNS 192.168.1.76" # (< change the IP to your server IP)
1873 1680
ctrl + x
1874 1681
yes
1875 1682
1876
-### 26.0.11. Input required:
1683
+### 26.0.5. Input required:
1877 1684
Change the home network IP (_192.168.1.0_)!!
1878 1685
1879 1686
```
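Review bot: the context lines of this hunk, `push "dhcp-option DNS 192.168.1.76" # (< change the IP to your server IP)` and `Change the home network IP (_192.168.1.0_)!!`, show that the Pi-hole section still tells readers to edit OpenVPN server directives, which no longer exist after this commit; the heading renumber alone leaves that text stale. The WireGuard counterpart is `DNS = 192.168.1.76` in the client's `[Interface]` (the `# DNS =` line left commented out in pinephone.conf earlier in this diff), and the home subnet is already reachable through the client's `AllowedIPs = 0.0.0.0/0,::/0`, so this section should be rewritten to point there.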