add firewalling section and further minor readme updates

This commit is contained in:
bodane 2025-01-12 01:23:08 +11:00
parent afd90396c0
commit 732c96fbed
No known key found for this signature in database
GPG key ID: EC6CD40D2237842C


@ -2,6 +2,8 @@
The following process utilises docker containers to quickly provision a Wireguard VPN server.
An additional container is created alongside Wireguard called [Traefik](https://doc.traefik.io/traefik/), which is a open-source application proxy. It allows for flexibility, visualisation and control when choosing to expand on the current configuration.
## Information Gathering
Have the following known before proceeding.
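Review bot: In the added Traefik sentence, "a open-source application proxy" should read "an open-source application proxy". While touching that line, consider stating what Traefik actually fronts in this setup (which container or port it proxies), since the firewall table added later in this commit opens TCP 80/443 for it and a reader needs to know what is being exposed there.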
@ -61,15 +63,25 @@ Have the following known before proceeding.
docker compose up -d
```
## Basic Firewalling
Configure some basic
| Port | Server-Side or Cloud Service Inbound Policy |
|--------------|-------------------------------------------------|
| TCP 22 | Server admin. Whitelist admin source IP's only |
| TCP 80, 443 | Traefik admin. Whitelist admin source IP's only |
| UDP 51820 | Wireguard VPN |
| ANY | Block and Log (if possible) |
## User Profile Location
While in the `vpn-wireguard` folder path. The user VPN profiles are located in the `config/` folder path.
While in the `vpn-wireguard` folder path. The user VPN profiles are located in the `config` folder path.
## Optional Improvements
There are almost an infinite amount of configurations, however one great addition could be that we do block unsafe domains or known malicous domain names being accessed by users.
The basic script and Corefile included will assist with this configuration. We'll also use a couple of known public threat intel feeds to develop our own blacklist for use locally. How it works is, if the user were to perform a DNS query to resolve an unsafe domain, the CoreDNS server returns a DNS response of `0.0.0.0` back to the user for the target domain. This effectively prevents a request taking place to the remote host.
The basic script and Corefile included will assist with this configuration. We'll also use a couple of known public threat intel feeds to develop our own blacklist for use locally. How it works is, if the user were to perform a DNS query to resolve an unsafe domain, the CoreDNS server returns a DNS response of `0.0.0.0` back to the user device for the target domain. This effectively prevents a request taking place to the remote host.
### Linux
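Review bot: The new "Basic Firewalling" section opens with the fragment "Configure some basic" and then goes straight into the table; finish the sentence (for example, "Configure some basic inbound rules on the server or at the cloud provider as follows:") and fix "IP's" to "IPs" in the TCP 22 and TCP 80, 443 rows. Two points on the table itself: if TCP 80/443 are only for Traefik's admin interface, say so explicitly, because anyone later publishing a service through Traefik will need to revisit that row, and the UDP 51820 row would benefit from a note that this is the WireGuard default and must be changed if a different ListenPort is configured. In the "Optional Improvements" paragraph, the `0.0.0.0` sinkhole response only takes effect for clients that actually resolve through the CoreDNS container; a peer whose profile does not point its DNS at the VPN, or a device using DNS over HTTPS, will bypass the blacklist entirely. Worth stating that the peer profiles must set the VPN DNS server for this control to hold.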
@ -85,7 +97,6 @@ The basic script and Corefile included will assist with this configuration. We'l
cp config/coredns/Corefile config/coredns/Corefile.bak
cp optional-config/Corefile config/coredns/Corefile
cp blacklist.txt config/coredns/blacklist.txt
```
1. Restart your Wireguard VPN server to have the changes all take effect.
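Review bot: The final step "Restart your Wireguard VPN server to have the changes all take effect" should give the concrete command, consistent with the `docker compose up -d` shown earlier in the README (for example, `docker compose down` followed by `docker compose up -d`, or `docker compose restart` for the CoreDNS service), otherwise a reader may restart only the WireGuard container and leave the CoreDNS container running the old Corefile. The backup `cp config/coredns/Corefile config/coredns/Corefile.bak` is good; note that running the block a second time overwrites that backup with the already-replaced Corefile, so the backup step should be marked as run-once.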