From 732c96fbed1d1106a48654bf74feeea187095950 Mon Sep 17 00:00:00 2001 From: bodane <49066403+bodane@users.noreply.github.com> Date: Sun, 12 Jan 2025 01:23:08 +1100 Subject: [PATCH] add firewalling section and further minor readme updates --- README.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 1d769cb..8a51421 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,8 @@ The following process utilises docker containers to quickly provision a Wireguard VPN server. +An additional container is created alongside Wireguard called [Traefik](https://doc.traefik.io/traefik/), which is a open-source application proxy. It allows for flexibility, visualisation and control when choosing to expand on the current configuration. + ## Information Gathering Have the following known before proceeding. 
@@ -61,15 +63,25 @@ Have the following known before proceeding. docker compose up -d ``` +## Basic Firewalling + +Configure some basic +| Port | Server-Side or Cloud Service Inbound Policy | +|--------------|-------------------------------------------------| +| TCP 22 | Server admin. Whitelist admin source IP's only | +| TCP 80, 443 | Traefik admin. Whitelist admin source IP's only | +| UDP 51820 | Wireguard VPN | +| ANY | Block and Log (if possible) | + ## User Profile Location -While in the `vpn-wireguard` folder path. The user VPN profiles are located in the `config/` folder path. +While in the `vpn-wireguard` folder path. The user VPN profiles are located in the `config` folder path. ## Optional Improvements There are almost an infinite amount of configurations, however one great addition could be that we do block unsafe domains or known malicous domain names being accessed by users. -The basic script and Corefile included will assist with this configuration. We'll also use a couple of known public threat intel feeds to develop our own blacklist for use locally. How it works is, if the user were to perform a DNS query to resolve an unsafe domain, the CoreDNS server returns a DNS response of `0.0.0.0` back to the user for the target domain. This effectively prevents a request taking place to the remote host. +The basic script and Corefile included will assist with this configuration. We'll also use a couple of known public threat intel feeds to develop our own blacklist for use locally. How it works is, if the user were to perform a DNS query to resolve an unsafe domain, the CoreDNS server returns a DNS response of `0.0.0.0` back to the user device for the target domain. This effectively prevents a request taking place to the remote host. ### Linux 
@@ -85,7 +97,6 @@ The basic script and Corefile included will assist with this configuration. We'l cp config/coredns/Corefile config/coredns/Corefile.bak cp optional-config/Corefile config/coredns/Corefile cp blacklist.txt config/coredns/blacklist.txt - ``` 1. Restart your Wireguard VPN server to have the changes all take effect.
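Review bot: in the first hunk (README.md `@@ -2,6 +2,8 @@`), the new Traefik sentence has an article error: `a open-source application proxy` should read `an open-source application proxy`. Since this paragraph is where a second internet-facing service is introduced, one extra clause saying that Traefik's listeners are for administration only would let readers connect it to the `TCP 80, 443 | Traefik admin. Whitelist admin source IP's only` row that the same patch adds to the firewall table.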
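Review bot: in the second hunk (`@@ -61,15 +63,25 @@`), the new Basic Firewalling section opens with an unfinished sentence, `Configure some basic`, and runs straight into the table with no blank line, so Markdown will not render it as a table. Suggest completing and separating it, e.g. `Configure the following inbound rules on the server host firewall or the cloud provider's security group, evaluated top to bottom:` followed by an empty line. Within the table, `IP's` should be `IPs` in both rows, and the final `ANY | Block and Log (if possible)` row would be clearer as an explicit default deny for everything not matched above (for example `All other inbound | Drop and log`), so nobody places it ahead of the allow rules. While touching the User Profile Location line, the fragment `While in the `vpn-wireguard` folder path.` could be joined to the following sentence to fix the grammar.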