From 7b21a62ac120393c296b15d4337a4a479cc25f55 Mon Sep 17 00:00:00 2001 From: Daniel Winzen Date: Thu, 6 Jun 2024 14:57:36 +0200 Subject: [PATCH] Connect servers with WireGuard --- README.md | 29 +++++++++++++++++++++++++++++ etc/nginx/sites-enabled/mail | 2 +- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ea061d9..fbc9789 100644 --- a/README.md +++ b/README.md @@ -82,12 +82,27 @@ Install [acme.sh](https://github.com/acmesh-official/acme.sh) or [certbot](https nano /etc/prosody/prosody.cfg.lua /etc/dovecot/dovecot.conf /etc/postfix/main.cf /etc/nginx/nginx.conf /etc/nginx/sites-enabled/mail /etc/nginx/sites-enabled/openpgpkey ``` +Add your other servers IP under `unrestricted access to these IPs` in `/etc/rc.local` + Create database tables, activate firewall and enable cron: ``` postmap /etc/postfix/header_checks cd /var/www/mail && php setup.php && chmod +x /etc/rc.local && /etc/rc.local && systemctl enable mail-cron.timer ``` +Generate a wireguard keypair and add the public key generated here to the primary mail server wireguard config: +``` +export PRIV=$(wg genkey) +sed -i "s~YOUR_PRIVATE_KEY~$PRIV~g" /etc/wireguard/wg0.conf +echo $PRIV | wg pubkey +``` + +Replace `YOUR_IP` with the IP of your other server, then enable and start wireguard: +``` +nano /etc/wireguard/wg0.conf +systemctl enable wg-quick@wg0 && systemctl start wg-quick@wg0 +``` + Final step is to reboot the server and check that everything is working. ### Proxy server: 
@@ -124,6 +139,20 @@ Install [acme.sh](https://github.com/acmesh-official/acme.sh) or [certbot](https nano /etc/postfix/main.cf /etc/nginx/nginx.conf /etc/turnserver.conf ``` +Generate a wireguard keypair and add the public key generated here to the primary mail server wireguard config: +``` +export PRIV=$(wg genkey) +sed -i "s~YOUR_PRIVATE_KEY~$PRIV~g" /etc/wireguard/wg0.conf +echo $PRIV | wg pubkey +``` + +Replace `YOUR_IP` with the IP of your other server and `ens3` with your network interface name, then enable and start wireguard: +``` +nano /etc/wireguard/wg0.conf +systemctl enable wg-quick@wg0 && systemctl start wg-quick@wg0 +``` + +Final step is to reboot the server and check that everything is working. ### General Domain settings diff --git a/etc/nginx/sites-enabled/mail b/etc/nginx/sites-enabled/mail index 9e77fef..5ea0cbe 100644 --- a/etc/nginx/sites-enabled/mail +++ b/etc/nginx/sites-enabled/mail @@ -49,7 +49,7 @@ server { add_header Cross-Origin-Embedder-Policy require-corp always; add_header Cross-Origin-Opener-Policy same-origin always; add_header Cross-Origin-Resource-Policy same-origin always; - listen [::]:443 ssl http2; + listen [::]:443 ssl http2 fastopen=100 backlog=2048 ipv6only=off default_server; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; root /var/www/html;
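Review bot: With `ipv6only=off` and `default_server`, the new `listen` line turns this server block into the dual-stack catch-all for port 443, so every TLS connection whose SNI matches no other server block is now answered here with whatever certificate this block loads — a change in exposure that neither the commit message (WireGuard) nor the file explains, and the enclosing `server { }` block starts before the hunk. nginx accepts `fastopen`, `backlog` and `ipv6only` on only one `listen` directive per address:port, so any other site on 443 (the README hunk above refers to `/etc/nginx/sites-enabled/openpgpkey`) must keep a plain `listen [::]:443 ssl http2;` or nginx will refuse to start, and a separate IPv4 `listen 443` elsewhere would now fail to bind against the dual-stack socket. `fastopen=100` takes effect only when the kernel permits server-side TCP Fast Open (`net.ipv4.tcp_fastopen` with the server bit set); presumably that is set in the sysctl or rc.local setup outside this patch, but it is not visible here. A one-line comment above the directive would keep the next edit from duplicating the options: `# dual-stack catch-all for :443; the socket options below may appear on only one listen directive per address:port`.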