Updated README and file cleanup

README.md

@@ -1,2 +1,66 @@
 # wg-pihole-docker
  Tutorial in order to setup a VPN and a DNS sinkhole on a Debian server, using Wireguard, Pi-hole and Docker.
+
+ These instructions are meant for setting up a Debian server and assume that you are using Linux or macOS.
+
+## Server configuration
+
+### User setup
+
+- SSH into the server using `ssh root@serverip` and run `apt-get update && apt-get upgrade`.
+- Create a new user with `useradd -m username` and set a password for this user with `passwd username`.
+- Add the newly created user to the `sudo` group with `adduser username sudo`.
+- Use `su username` to connect as the user you have just created.
+- By default Debian does not use `bash` which means you won't have tab completion or syntax colouring. To remedy that use `chsh -s /bin/bash` then log out and log back in with `exit` and then `su username`.
+- If you get this error message :
+
+```
+perl: warning: Setting locale failed.
+perl: warning: Please check that your locale settings:
+    LANGUAGE = (unset),
+    LC_ALL = (unset),
+    LANG = "en_US.UTF-8"
+are supported and installed on your system.
+perl: warning: Falling back to the standard locale ("C").
+```
+
+You can add the following lines to your `.bashrc` :
+
+```
+export LANGUAGE=en_US.UTF-8
+export LC_ALL=en_US.UTF-8
+export LANG=en_US.UTF-8
+export LC_CTYPE=en_US.UTF-8
+```
+
+- In you home directory create a `.ssh` folder as well as a file named `authorized_keys` in it with `mkdir ~/.ssh && touch ~/.ssh/authorized_keys`.
+
+### SSH
+
+- On your computer, go into you `.ssh` folder with `cd ~/.ssh`. If the folder does not exist create it using `mkdir ~/.ssh`.
+- Use `ssh-keygen -t rsa -b 4096` to generate a key pair. It is recommended that you name the key so that you can keep track of them.
+- You need to copy the public key you have just created to your server. To do that use `scp yourkey.pub username@serverip:`.
+- In order to be able to connect to the server using your SSH key, you need to add it to the `authorized_keys` file using `cat yourkey.pub >> .ssh/authorized_keys`. You can then delete the public key from the server using `rm yourkey.pub`.
+- You then need to edit the content of the SSH daemon configuration using `sudo nano /etc/ssh/sshd_config`.
+- Here is an configuration example with some security hardening :
+
+- You can find information about the different parameters in this file with `man sshd_config`.
+- Once you have made changes in the `sshd_config` file restart the daemon using `sudo systemctl restart sshd`.
+- From now on, in order to log back into your server you will have to use the following command `ssh -2 -i ~/.ssh/yourkey username@serverip -p portnumber`.
+
+### Security hardening
+
+### Firewall configuration
+
+https://docs.pi-hole.net/guides/vpn/openvpn/firewall/
+https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/
+
+## Docker and Docker-compose installation
+
+## Wireguard configuration
+
+https://github.com/WeeJeWel/wg-easy/
+
+## Pi-hole configuration
+
+https://github.com/pi-hole/docker-pi-hole

docker-compose.yml

@@ -0,0 +1,62 @@
+version: "3.8"
+services:
+  wg-easy:
+    environment:
+      # ⚠️ Required:
+      # Change this to your host's public address
+      - WG_HOST=raspberrypi.local
+
+       Optional:
+       - PASSWORD=foobar123
+      # - WG_PORT=51820
+      # - WG_DEFAULT_ADDRESS=10.8.0.x
+       - WG_DEFAULT_DNS=1.1.1.1
+      # - WG_MTU=1420
+      # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
+      
+    image: weejewel/wg-easy
+    container_name: wg-easy
+            networks:
+            testing_net:
+                ipv4_address: 172.28.1.3
+    volumes:
+      - .:/etc/wireguard
+    ports:
+      - "51820:51820/udp"
+      - "51821:51821/tcp"
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+
+version: "3"
+
+# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md
+
+services:
+  pihole:
+    container_name: pihole
+    image: pihole/pihole:latest
+            networks:
+            testing_net:
+                ipv4_address: 172.28.1.3
+    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
+    ports:
+      - "53:53/tcp"
+      - "53:53/udp"
+      - "67:67/udp"
+      - "80:80/tcp"
+    environment:
+      TZ: 'America/Chicago'
+      # WEBPASSWORD: 'set a secure password here or it will be random'
+    # Volumes store your data between container upgrades
+    volumes:
+      - './etc-pihole:/etc/pihole'
+      - './etc-dnsmasq.d:/etc/dnsmasq.d'
+    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
+    cap_add:
+      - NET_ADMIN
+    restart: unless-stopped # Recommended but not required (DHCP needs NET_ADMIN)

example-ssh_config

@@ -0,0 +1,126 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Protocol 2
+
+Port 2222
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+MaxAuthTries 3
+MaxSessions 1
+
+PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+# AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+PasswordAuthentication no

firewall-reset.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Clear out the entire firewall
+
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -t nat -F
+iptables -t mangle -F
+iptables -F
+iptables -X
+
+ip6tables -P INPUT ACCEPT
+ip6tables -P FORWARD ACCEPT
+ip6tables -P OUTPUT ACCEPT
+ip6tables -t nat -F
+ip6tables -t mangle -F
+ip6tables -F
+ip6tables -X
+
+iptables-legacy -P INPUT ACCEPT
+iptables-legacy -P FORWARD ACCEPT
+iptables-legacy -P OUTPUT ACCEPT
+iptables-legacy -t nat -F
+iptables-legacy -t mangle -F
+iptables-legacy -F
+iptables-legacy -X
+
+# Add rules for IPv4
+
+iptables -A INPUT -p tcp --destination-port 53 -j ACCEPT
+iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
+iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
+iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT # Change the port to match the one you chose in sshd_config
+iptables -A INPUT -p tcp --destination-port 51821 -j ACCEPT
+iptables -A INPUT -p udp --destination-port 51820 -j ACCEPT
+iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -I INPUT -i lo -j ACCEPT
+iptables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
+iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
+iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
+iptables -P INPUT DROP
+
+# Add rules for IPv6
+
+ip6tables -A INPUT -p tcp --destination-port 53 -j ACCEPT
+ip6tables -A INPUT -p udp --destination-port 53 -j ACCEPT
+ip6tables -A INPUT -p tcp --destination-port 80 -j ACCEPT
+ip6tables -A INPUT -p tcp --destination-port 22 -j ACCEPT # Change the port to match the one you chose in sshd_config
+ip6tables -A INPUT -p tcp --destination-port 51821 -j ACCEPT
+ip6tables -A INPUT -p udp --destination-port 51820 -j ACCEPT
+ip6tables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ip6tables -I INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp6-port-unreachable
+ip6tables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
+ip6tables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp6-port-unreachable
+ip6tables -P INPUT DROP
+
+# Restart Docker in order to re-create the Docker iptables rules
+
+service docker restart
+
+# Print iptables and ip6tables
+
+iptables -L --line-numbers && ip6tables -L --line-numbers

pi-docker.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md
+
+docker stop pihole && \
+docker rm pihole && \
+docker pull pihole/pihole:latest && \
+PIHOLE_BASE="${PIHOLE_BASE:-$(pwd)}"
+[[ -d "$PIHOLE_BASE" ]] || mkdir -p "$PIHOLE_BASE" || { echo "Couldn't create storage directory: $PIHOLE_BASE"; exit 1; }
+
+# Note: ServerIP should be replaced with your external ip.
+docker run -d \
+    --name pihole \
+    -p 53:53/tcp -p 53:53/udp \
+    -p :80:80 \
+    -e TZ="Europe/Paris" \
+    -e WEBPASSWORD="LxAyDgAw" \
+    -v "${PIHOLE_BASE}/etc-pihole:/etc/pihole" \
+    -v "${PIHOLE_BASE}/etc-dnsmasq.d:/etc/dnsmasq.d" \
+    --ip 172.17.0.3 \
+    --dns=127.0.0.1 --dns=1.1.1.1 \
+    --restart=unless-stopped \
+    --hostname pi.hole \
+    -e VIRTUAL_HOST="pi.hole" \
+    -e PROXY_LOCATION="pi.hole" \
+    -e ServerIP="199.247.12.9" \
+    pihole/pihole:latest
+
+printf 'Starting up pihole container '
+for i in $(seq 1 20); do
+    if [ "$(docker inspect -f "{{.State.Health.Status}}" pihole)" == "healthy" ] ; then
+        printf ' OK'
+        echo -e "\n$(docker logs pihole 2> /dev/null | grep 'password:') for your pi-hole: https://${IP}/admin/"
+        exit 0
+    else
+        sleep 3
+        printf '.'
+    fi
+
+    if [ $i -eq 20 ] ; then
+        echo -e "\nTimed out waiting for Pi-hole start, consult your container logs for more info (\`docker logs pihole\`)"
+        exit 1
+    fi
+done;

wg-docker.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+docker stop wg-easy && \
+docker rm wg-easy && \
+docker pull weejewel/wg-easy && \
+docker run -d \
+  --name=wg-easy \
+  -e WG_HOST=199.247.12.9 \
+  -e PASSWORD=nDWuUylpKJ5fRwgiT9NCfND6ZMIAIaxf \
+  -e WG_DEFAULT_DNS=172.17.0.3 \
+  -v ~/wg-easy:/etc/wireguard \
+  -p 51820:51820/udp \
+  -p 51821:51821/tcp \
+  --ip 172.17.0.2 \
+  --cap-add=NET_ADMIN \
+  --cap-add=SYS_MODULE \
+  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
+  --sysctl="net.ipv4.ip_forward=1" \
+  --restart unless-stopped \
+  weejewel/wg-easy