Gateway/README.md

# Quick Setup Guide

The following process utilises docker containers to quickly provision a Wireguard VPN server.

An additional container is created alongside Wireguard called [Traefik](https://doc.traefik.io/traefik/), which is a open-source application proxy. It allows for flexibility, visualisation and control when choosing to expand on the current configuration.

## Information Gathering

Have the following known before proceeding.

- User account used to run the server.
- List of user(s) which will be VPN users (not essential, however less touches required later).
- Domain name DNS record for the server.

## Basic Setup

### Linux

1. Clone repository at your proposed server location.

    ```
    git clone https://github.com/bodane/vpn-wireguard.git && cd vpn-wireguard
    ```

1. Run `vanilla-setup.sh`.

   This script will:

   - Create a new user.
     - User will manage the VPN server components.
   - Add user to sudo group.
   - Install git, nano, and Docker
   - Add user to Docker group.

1. Create your list of VPN users.

   - Edit your `.env` file.
     - Update `NODE_HOSTNAME=my.domain.name` and `SERVER_CNAME_NAMESPACE=my.domain.name` with your server DNS record.
     - Update `PEERS` with your list of users, separated by commas.

   **NOTE**: The user list can be updated later if not known and the container re-created without user impact. Will however disconnect users during this operation.

1. Build your Wireguard VPN server with one command.

   ```
   docker compose up -d
   ```

## Add additional VPN users

1. Edit existing list of VPN users.

     - Update `.env` file with your list of users.
       - Add or remove users.
       - All must be separated by commas.

1. Start up a new container. All past changes will persist due to the docker volumes being used.

    This will setup new user VPN profiles while also leaving any present peers in-place.

   ```
   docker compose down
   docker compose up -d
   ```

## Basic Firewalling

Configure some basic firewall policy.

|     Port     |  Server-Side or Cloud Service Inbound Policy    |
|--------------|-------------------------------------------------|
| TCP 22       | Server admin. Whitelist admin source IP's only  |
| TCP 80, 443  | Traefik admin. Whitelist admin source IP's only |
| UDP 51820    | Wireguard VPN                                   |
| ANY          | Block and Log (if possible)                     |

## User Profile Location

While in the `vpn-wireguard` folder path. The user VPN profiles are located in the `config` folder path.

## Optional Improvements

There are almost an infinite amount of configurations, however one great addition could be that we do block unsafe domains or known malicous domain names being accessed by users.

The basic script and Corefile included will assist with this configuration. We'll also use a couple of known public threat intel feeds to develop our own blacklist for use locally. How it works is, if the user were to perform a DNS query to resolve an unsafe domain, the CoreDNS server returns a DNS response of `0.0.0.0` back to the user device for the target domain. This effectively prevents a request taking place to the remote host.

### Linux

1. Run `blacklist.sh` on your server endpoint. A `blacklist.txt` file will be created locally.

    ```
    ./optional-config/blacklist.sh
    ```

1. Backup your current Corefile, place it in a easy to find path related to CoreDNS, and update the CoreDNS file to reference the newly created `blacklist.txt` file.

    ```
    cp config/coredns/Corefile config/coredns/Corefile.bak
    cp optional-config/Corefile config/coredns/Corefile
    cp blacklist.txt config/coredns/blacklist.txt
    ```

1. Restart your Wireguard VPN server to have the changes all take effect.

   **NOTE:** The below assumes your container name is `lthn-vpn-wireguard-1`. Validate what your container name is by using the `docker ps` command.

   ```
   docker restart lthn-vpn-wireguard-1
   ```

## Further improvements for consideration.

- Creating a cron schedule or similar to maintain a better active list of unsafe domains.
create a wireguard vpn server setup with optional tweaks 2025-01-12 00:29:25 +11:00			`# Quick Setup Guide`

			`The following process utilises docker containers to quickly provision a Wireguard VPN server.`

add firewalling section and further minor readme updates 2025-01-12 01:23:08 +11:00			`An additional container is created alongside Wireguard called [Traefik](https://doc.traefik.io/traefik/), which is a open-source application proxy. It allows for flexibility, visualisation and control when choosing to expand on the current configuration.`

create a wireguard vpn server setup with optional tweaks 2025-01-12 00:29:25 +11:00			`## Information Gathering`

			`Have the following known before proceeding.`

			`- User account used to run the server.`
			`- List of user(s) which will be VPN users (not essential, however less touches required later).`
			`- Domain name DNS record for the server.`

			`## Basic Setup`

			`### Linux`

			`1. Clone repository at your proposed server location.`

			```
			`git clone https://github.com/bodane/vpn-wireguard.git && cd vpn-wireguard`
			```

			1. Run `vanilla-setup.sh`.

			`This script will:`

			`- Create a new user.`
			`- User will manage the VPN server components.`
			`- Add user to sudo group.`
			`- Install git, nano, and Docker`
			`- Add user to Docker group.`

			`1. Create your list of VPN users.`

			- Edit your `.env` file.
			- Update `NODE_HOSTNAME=my.domain.name` and `SERVER_CNAME_NAMESPACE=my.domain.name` with your server DNS record.
			- Update `PEERS` with your list of users, separated by commas.

			`NOTE: The user list can be updated later if not known and the container re-created without user impact. Will however disconnect users during this operation.`

			`1. Build your Wireguard VPN server with one command.`

			```
			`docker compose up -d`
			```

			`## Add additional VPN users`

			`1. Edit existing list of VPN users.`

			- Update `.env` file with your list of users.
			`- Add or remove users.`
			`- All must be separated by commas.`

			`1. Start up a new container. All past changes will persist due to the docker volumes being used.`

			`This will setup new user VPN profiles while also leaving any present peers in-place.`

			```
			`docker compose down`
			`docker compose up -d`
			```

add firewalling section and further minor readme updates 2025-01-12 01:23:08 +11:00			`## Basic Firewalling`

minor readme updates 2025-01-12 01:24:44 +11:00			`Configure some basic firewall policy.`

add firewalling section and further minor readme updates 2025-01-12 01:23:08 +11:00			`\| Port \| Server-Side or Cloud Service Inbound Policy \|`
			`\|--------------\|-------------------------------------------------\|`
			`\| TCP 22 \| Server admin. Whitelist admin source IP's only \|`
			`\| TCP 80, 443 \| Traefik admin. Whitelist admin source IP's only \|`
			`\| UDP 51820 \| Wireguard VPN \|`
			`\| ANY \| Block and Log (if possible) \|`

create a wireguard vpn server setup with optional tweaks 2025-01-12 00:29:25 +11:00			`## User Profile Location`

add firewalling section and further minor readme updates 2025-01-12 01:23:08 +11:00			While in the `vpn-wireguard` folder path. The user VPN profiles are located in the `config` folder path.
create a wireguard vpn server setup with optional tweaks 2025-01-12 00:29:25 +11:00
			`## Optional Improvements`

			`There are almost an infinite amount of configurations, however one great addition could be that we do block unsafe domains or known malicous domain names being accessed by users.`

add firewalling section and further minor readme updates 2025-01-12 01:23:08 +11:00			The basic script and Corefile included will assist with this configuration. We'll also use a couple of known public threat intel feeds to develop our own blacklist for use locally. How it works is, if the user were to perform a DNS query to resolve an unsafe domain, the CoreDNS server returns a DNS response of `0.0.0.0` back to the user device for the target domain. This effectively prevents a request taking place to the remote host.
create a wireguard vpn server setup with optional tweaks 2025-01-12 00:29:25 +11:00
			`### Linux`

			1. Run `blacklist.sh` on your server endpoint. A `blacklist.txt` file will be created locally.

			```
			`./optional-config/blacklist.sh`
			```

			1. Backup your current Corefile, place it in a easy to find path related to CoreDNS, and update the CoreDNS file to reference the newly created `blacklist.txt` file.

			```
			`cp config/coredns/Corefile config/coredns/Corefile.bak`
			`cp optional-config/Corefile config/coredns/Corefile`
			`cp blacklist.txt config/coredns/blacklist.txt`
			```

			`1. Restart your Wireguard VPN server to have the changes all take effect.`

minor readme updates 2025-01-12 01:34:41 +11:00			NOTE: The below assumes your container name is `lthn-vpn-wireguard-1`. Validate what your container name is by using the `docker ps` command.

create a wireguard vpn server setup with optional tweaks 2025-01-12 00:29:25 +11:00			```
			`docker restart lthn-vpn-wireguard-1`
			```

			`## Further improvements for consideration.`

			`- Creating a cron schedule or similar to maintain a better active list of unsafe domains.`