Skip to content

FidelCoder/wireguard-oracle-deploy

BranchesTags

Repository files navigation

🔐 WireGuard Oracle Deploy

Production-grade, hardened WireGuard VPN deployment for Ubuntu 24.04 on Oracle Cloud Free Tier.

Fully automated deployment scripts with OS hardening, TCP BBR optimization for intercontinental routing, NAT masquerade, client config generation with QR codes, and DNS leak prevention.

⚡ Quick Start

# Clone
git clone https://github.com/FidelCoder/wireguard-oracle-deploy.git
cd wireguard-oracle-deploy

# Make executable
chmod +x *.sh

# Deploy (Phases 1-3)
sudo ./deploy.sh

# Generate a client
sudo ./04-generate-client.sh my-phone

# Check status
sudo ./status.sh

📋 Deployment Phases

Phase Script What It Does
🛡️ 1 01-harden.sh UFW firewall, SSH → port 5522, key-only auth, fail2ban
⚙️ 2 02-kernel-optimize.sh TCP BBR, IP forwarding, 16MB buffers, sysctl tuning
🔗 3 03-wireguard-install.sh WireGuard install, key gen, dual-stack NAT masquerade
📱 4 04-generate-client.sh Client configs, QR codes, DNS leak prevention
☁️ 5 DEPLOYMENT.md Oracle Cloud VCN Security List configuration guide

Bonus Utilities

Script Purpose
deploy.sh Master orchestrator — runs Phases 1-3 in sequence
05-remove-client.sh Revoke and remove a client peer
status.sh Full system diagnostics dashboard

🏗️ Architecture

┌─────────────────────────────────────────────────────────────┐
│              Oracle Cloud VPS (USA/Canada)                  │
│                                                             │
│  UFW ──▶ WireGuard (wg0:51820) ──▶ iptables MASQUERADE     │
│  SSH :5522 (key-only)               │                       │
│  fail2ban (3 tries → 1h ban)        ▼                       │
│  TCP BBR + 16MB buffers         Public NIC ──▶ Internet     │
└──────────────────────────────────────┬──────────────────────┘
                                       │
              WireGuard Tunnel (ChaCha20Poly1305)
                                       │
           ┌───────────┬───────────┬───┘
           ▼           ▼           ▼
        📱 Phone    💻 Laptop   📱 Tablet
        .2          .3          .4
        MTU 1420    MTU 1420    MTU 1420
        DNS 1.1.1.1             DNS 9.9.9.9

🔒 Security Stack

Layer Protection
Oracle VCN Infrastructure firewall — only 5522/TCP + 51820/UDP
UFW OS firewall — default deny incoming
fail2ban 3 failed SSH attempts → 1 hour ban
SSH Non-standard port, key-only, no password, no X11
WireGuard ChaCha20Poly1305, Curve25519, BLAKE2s
Preshared Keys Additional symmetric layer (post-quantum defense)
DNS Cloudflare 1.1.1.1 + Quad9 9.9.9.9 (no-log)

🌐 Performance Optimization

  • TCP BBR — Google's congestion control for 2-25x better throughput on lossy/high-latency links
  • fq (Fair Queueing) — Required by BBR for proper packet pacing
  • 16MB socket buffers — Handles high bandwidth-delay product (BDP) paths
  • MTU 1420 — Prevents fragmentation (1500 - 80 WireGuard overhead)
  • TCP Fast Open — Reduced handshake latency
  • Conntrack 262K — Large NAT table for many concurrent connections

📱 Client Generation

# Generate a new client
sudo ./04-generate-client.sh my-phone

# Outputs:
#   ✓ .conf file (import on desktop)
#   ✓ QR code in terminal (scan with mobile WireGuard app)
#   ✓ QR code as PNG image
#   ✓ Pre-shared key (post-quantum defense)

DNS Leak Prevention

Provider IP Role
Cloudflare 1.1.1.1, 1.0.0.1 Fastest, privacy-first
Quad9 9.9.9.9 Security-focused, malware blocking

Full tunnel mode (AllowedIPs = 0.0.0.0/0, ::/0) ensures all traffic goes through the VPN.

☁️ Oracle Cloud Setup

Oracle Cloud has TWO firewall layers. Ubuntu's UFW is not enough — you must also configure the VCN Security Lists.

See DEPLOYMENT.md → Phase 5 for step-by-step VCN configuration.

🔧 Maintenance

# Add client
sudo ./04-generate-client.sh laptop

# Remove client
sudo ./05-remove-client.sh laptop

# Check everything
sudo ./status.sh

# Restart WireGuard
sudo systemctl restart wg-quick@wg0

# View logs
sudo journalctl -xeu wg-quick@wg0 --no-pager -n 50

📁 Project Structure

wireguard-oracle-deploy/
├── deploy.sh                 # Master orchestrator
├── 01-harden.sh              # Phase 1: OS hardening
├── 02-kernel-optimize.sh     # Phase 2: Kernel tuning
├── 03-wireguard-install.sh   # Phase 3: WireGuard + NAT
├── 04-generate-client.sh     # Phase 4: Client generator
├── 05-remove-client.sh       # Client removal
├── status.sh                 # Diagnostics dashboard
├── DEPLOYMENT.md             # Full documentation
├── README.md                 # This file
├── LICENSE                   # MIT
└── .gitignore                # Excludes keys & client configs

⚠️ Important Notes

  1. Test SSH on port 5522 in a new terminal before closing your session after Phase 1
  2. Ensure SSH key access is configured before running — password auth will be disabled
  3. Configure Oracle VCN Security Lists (Phase 5) — UFW alone won't work on Oracle Cloud
  4. Never commit private keys or client configs (.gitignore handles this)

📄 License

MIT

About

Production-grade WireGuard VPN deployment for Ubuntu 24.04 on Oracle Cloud Free Tier. Automated OS hardening (UFW, fail2ban, SSH key-only), TCP BBR optimization for intercontinental routing, NAT masquerade, client config generation with QR codes, DNS leak prevention (Cloudflare + Quad9), and Oracle VCN Security List documentation.

Topics

security devops networking ubuntu vpn oracle-cloud wireguard tcp-bbr

Resources

Readme

License

MIT license
Activity

Stars

6 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages