add auto fetch ssl certs

2021-08-26 12:11:25 +08:00
parent 11ca254bed
commit 509ac048fc
237 changed files with 4968 additions and 7406 deletions
--- a/public/post/wireguard-pihole-in-ubuntu-20.04/index.html
+++ b/public/post/wireguard-pihole-in-ubuntu-20.04/index.html
@@ -13,7 +13,7 @@
        "articleSection" : "post",
        "name" : "[筆記] 在 ubuntu 20.04 上安裝 wireguard \x2b pihole 作 AD Blocking\/install wireguard and pihole to do ad block in ubuntu 20.04 ",
        "headline" : "[筆記] 在 ubuntu 20.04 上安裝 wireguard \x2b pihole 作 AD Blocking\/install wireguard and pihole to do ad block in ubuntu 20.04 ",
-        "description" : "\x3cp\x3e手機上的廣告越來越討厭了\x3c\/p\x3e\n\n\x3cp\x3e但是用手機看頁面、影片的機會越來越高\x3c\/p\x3e\n\n\x3cp\x3e所以一直想看看有沒有什麼方式可以解決這個問題\x3c\/p\x3e\n\n\x3cp\x3e不只可以用在safari 上，連APP 裡面的廣告最好都能夠擋掉\x3c\/p\x3e\n\n\x3cp\x3e在github上面看到有個專案是 wireguard \x2b pihole\x3c\/p\x3e\n\n\x3cp\x3e滿有趣的，就來研究一下\x3c\/p\x3e",
+        "description" : "\x3cp\x3e手機上的廣告越來越討厭了\x3c\/p\x3e\n\x3cp\x3e但是用手機看頁面、影片的機會越來越高\x3c\/p\x3e\n\x3cp\x3e所以一直想看看有沒有什麼方式可以解決這個問題\x3c\/p\x3e\n\x3cp\x3e不只可以用在safari 上，連APP 裡面的廣告最好都能夠擋掉\x3c\/p\x3e\n\x3cp\x3e在github上面看到有個專案是 wireguard \x2b pihole\x3c\/p\x3e\n\x3cp\x3e滿有趣的，就來研究一下\x3c\/p\x3e",
        "inLanguage" : "en",
        "author" : "Eric Chang",
        "creator" : "Eric Chang",
@@ -45,9 +45,9 @@

 <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.3.1/css/all.css" integrity="sha384-mzrmE5qonljUremFsqc01SB46JvROS7bZs3IO2EmfFsd15uHvIt+Y8vEf7N7fWAU" crossorigin="anonymous">

-<link href="https://h.cowbay.org/css/style.css?v=1626744134" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>
+<link href="https://h.cowbay.org/css/style.css?v=1629951055" rel="stylesheet" id="theme-stylesheet" type='text/css' media='all'>

-<link href="https://h.cowbay.org/css/custom.css?v=1626744134" rel="stylesheet" type='text/css' media='all'>
+<link href="https://h.cowbay.org/css/custom.css?v=1629951055" rel="stylesheet" type='text/css' media='all'>
 <link rel="shortcut icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">
 <link rel="icon" href="https://h.cowbay.org/img/favicon.ico" type="image/x-icon">

@@ -81,10 +81,6 @@ if (!doNotTrack) {

      <ul id="menu-secondary-items" class="menu-secondary-items">
        
-        <li class="menu-item menu-item-type-taxonomy menu-item-object-category">
-          <a href="/categories/"></a>
-        </li>
-        
        <li class="menu-item menu-item-type-taxonomy menu-item-object-category">
          <a href="/categories/ansible">ansible</a>
        </li>
@@ -309,121 +305,62 @@ if (!doNotTrack) {
          <div class="entry-content">
            <article>
              <p>手機上的廣告越來越討厭了</p>
-
 <p>但是用手機看頁面、影片的機會越來越高</p>
-
 <p>所以一直想看看有沒有什麼方式可以解決這個問題</p>
-
 <p>不只可以用在safari 上，連APP 裡面的廣告最好都能夠擋掉</p>
-
 <p>在github上面看到有個專案是 wireguard + pihole</p>
-
 <p>滿有趣的，就來研究一下</p>
-
 <p>我在google cloud console 申請了一台free tier 的 google compute engine (真難念，就叫VPS吧)</p>
-
 <p>免費的Google VPS 只能選擇美洲地區的機房，有點可惜，多少還是會有點影響</p>
-
 <p>作業系統選 ubuntu 20.04 minimal</p>
-
 <p>然後因為我習慣wireguard 的port 都設定在 12000</p>
-
 <p>所以要記得去開啟firewall 的 UDP 12000，然後套用在這台VPS上</p>
-
 <p>還有要設定 ssh 金鑰 這些都算是google compute engine 的基本設定，就不多說了</p>
-
 <p>系統的基本安裝完成後，接下來要用人家寫好的 script 來安裝 wireguard + pihole</p>
-
-<hr />
-
+<hr>
 <h4 id="安裝基本套件">安裝基本套件</h4>
-
 <p>因為是選擇 ubuntu 20.04 minimal 所以有很多套件都沒有，要先安裝這些基本套件</p>
-
 <pre><code>sudo apt update &amp;&amp; sudo apt install -y vim git net-tools software-properties-common iptables python3-pip qrencode
-</code></pre>
-
-<h4 id="取得安裝script">取得安裝script</h4>
-
+</code></pre><h4 id="取得安裝script">取得安裝script</h4>
 <pre><code>mkdir git &amp;&amp; cd git
 git clone https://github.com/racbart/wireguard-pihole
-</code></pre>
-
-<h4 id="修改-install-sh">修改 install.sh</h4>
-
+</code></pre><h4 id="修改-installsh">修改 install.sh</h4>
 <p>因為我的目的是只想要把DNS 查詢透過wireguard 丟去 pihole</p>
-
 <p>而不是把所有流量都轉給wireguard</p>
-
 <p>所以要修改一下剛剛clone 下來的 script</p>
-
 <pre><code>cd wireguard-pihole
 vim install.sh
-</code></pre>
-
-<p>有點忘了改了哪些東西，就大概說一下吧</p>
-
-<h5 id="ipv4-address">IPV4_ADDRESS</h5>
-
+</code></pre><p>有點忘了改了哪些東西，就大概說一下吧</p>
+<h5 id="ipv4_address">IPV4_ADDRESS</h5>
 <p>原本的判斷VPS WAN IP 的指令在GCE上會抓到private ip</p>
-
 <p>所以要改一下，在 install.sh 中找到底下這行註解掉，並修改成其他指令</p>
-
 <pre><code>#IPV4_ADDRESS=$(ip addr list &quot;$INTERFACE&quot; | grep &quot;inet &quot; | xargs | cut -d &quot; &quot; -f 2)
 IPV4_ADDRESS=$(dig +short myip.opendns.com @resolver1.opendns.com)
-</code></pre>
-
-<h5 id="install-wireguard-in-ubuntu-20-04">install wireguard in ubuntu 20.04</h5>
-
+</code></pre><h5 id="install-wireguard-in-ubuntu-2004">install wireguard in ubuntu 20.04</h5>
 <p>ubuntu 20.04 安裝wireguard 的方式和 18.04 有點差別，需要多裝一個 wireguard-dkms</p>
-
 <p>找到底下這行，註解掉，改成我們要的指令，python-pip 我們用 python3-pip 取代</p>
-
 <p>在一開始就已經先裝了，所以這邊不需要再裝一次</p>
-
 <pre><code>#apt install -y wireguard python-pip
 apt install -y wireguard wireguard-dkms
-</code></pre>
-
-<h5 id="啟用query-logging">啟用query logging</h5>
-
+</code></pre><h5 id="啟用query-logging">啟用query logging</h5>
 <p>找到底下這行，註解掉，改成啟用 query logging</p>
-
 <pre><code>#QUERY_LOGGING=false
 QUERY_LOGGING=true
-</code></pre>
-
-<p>存檔後離開</p>
-
+</code></pre><p>存檔後離開</p>
 <p>然後執行</p>
-
 <pre><code>sudo ./install.sh
-</code></pre>
-
-<p>開始進行安裝，基本上是全自動的，應該沒有錯誤，可以順利跑完 (應該啦&hellip;)</p>
-
-<hr />
-
+</code></pre><p>開始進行安裝，基本上是全自動的，應該沒有錯誤，可以順利跑完 (應該啦&hellip;)</p>
+<hr>
 <p>接著來依照我自己的需求來修改一下 add-client.sh</p>
-
-<h5 id="修改-ipv4-address">修改 IPV4_ADDRESS</h5>
-
+<h5 id="修改-ipv4_address">修改 IPV4_ADDRESS</h5>
 <p>找到底下這行註解掉，並修改成其他指令</p>
-
 <pre><code>#IPV4_ADDRESS=$(ip addr list &quot;$INTERFACE&quot; | grep &quot;inet &quot; | xargs | cut -d &quot; &quot; -f 2)
 IPV4_ADDRESS=$(dig +short myip.opendns.com @resolver1.opendns.com)
-</code></pre>
-
-<h5 id="改一下-port">改一下 port</h5>
-
+</code></pre><h5 id="改一下-port">改一下 port</h5>
 <pre><code>#SERVER_PORT=$(cat /etc/wireguard/wg0.conf | grep ListenPort | rev | cut -d &quot; &quot; -f 1 | rev)
 SERVER_PORT=12000
-</code></pre>
-
-<h5 id="display-client-and-save-conf">display client and save conf</h5>
-
+</code></pre><h5 id="display-client-and-save-conf">display client and save conf</h5>
 <p>找到底下這一段</p>
-
 <pre><code>echo &quot;
 [Interface]
 PrivateKey = ${CLIENT_PRIVKEY}
@@ -434,10 +371,7 @@ PublicKey = ${SERVER_PUBKEY}
 AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = ${SERVER_ADDRESS}:${SERVER_PORT}
 &quot;
-</code></pre>
-
-<p>改成</p>
-
+</code></pre><p>改成</p>
 <pre><code># Display client config

 echo &quot;
@@ -451,29 +385,16 @@ PublicKey = ${SERVER_PUBKEY}
 #forware dns queries only,if want to forward all traffic , replace 10.10.0.1/32 to 0.0.0.0/0
 AllowedIPs = 10.10.0.1/32 
 Endpoint = ${SERVER_ADDRESS}:${SERVER_PORT}&quot;|tee ${CLIENT_NAME}.conf &amp;&amp; qrencode -t ansiutf8 -l L &lt; ${CLIENT_NAME}.conf
-</code></pre>
-
-<p>之後要新增 client</p>
-
+</code></pre><p>之後要新增 client</p>
 <p>就只要輸入</p>
-
 <pre><code>sudo bash add-client.sh &quot;CLIENT_NAME&quot;
-</code></pre>
-
-<p>就會在當前目錄底下產生 ${CLIENT_NAME}.conf 的設定檔，並顯示 qrcode</p>
-
+</code></pre><p>就會在當前目錄底下產生 ${CLIENT_NAME}.conf 的設定檔，並顯示 qrcode</p>
 <p>而且也不用去管 client ip 發到哪了，script 會自己去計算</p>
-
 <p>再次強調，這只會把手機上的 dns 查詢透過wireguard指向到 pihole</p>
-
 <p>並不會把整個流量都改從wireguard 出去</p>
-
 <p>如果要改成都走wireguard 出去，那就把最後一段的 Endpoint 後面改成 0.0.0.0/0</p>
-
 <p>PC的話，wireguard 連上之後，要去手動修改DNS</p>
-
 <p>成功的話，在PC上可以看到這樣的查詢結果</p>
-
 <pre><code>peer: mVRp+fjHKW1/n/j5Cwn9zOlLsgtHsvoiNHPSn4bHLHg=
  endpoint: 23.34.45.67:12000
  allowed ips: 10.10.0.1/32
@@ -503,100 +424,83 @@ www.google.com.tw.	297	IN	A	64.233.177.94
 ;; MSG SIZE  rcvd: 79

 2020-08-13 15:42:24 [root@hqdc039 wireguard]$ 
-</code></pre>
-
-<h3 id="update">UPDATE</h3>
-
+</code></pre><h3 id="update">UPDATE</h3>
 <p>更新一下開啟 pihole DOT (DNS Over TLS) 的方式</p>
-
 <h5 id="安裝並建立相關目錄">安裝並建立相關目錄</h5>
-
-<pre><code class="language-bash">sudo apt update
+<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">sudo apt update
 sudo apt install stubby
 sudo mkdir /var/cache/stubby
-</code></pre>
-
-<h5 id="修改-etc-stubby-stubby-yml">修改 /etc/stubby/stubby.yml</h5>
-
+</code></pre></div><h5 id="修改-etcstubbystubbyyml">修改 /etc/stubby/stubby.yml</h5>
 <p>編輯 /etc/stubby/stubby.yml 改成以下內容</p>
+<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#66d9ef">resolution_type</span>: GETDNS_RESOLUTION_STUB

-<pre><code class="language-yaml">resolution_type: GETDNS_RESOLUTION_STUB
-
-dns_transport_list:
+<span style="color:#66d9ef">dns_transport_list</span>:
  - GETDNS_TRANSPORT_TLS

-tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
+<span style="color:#66d9ef">tls_authentication</span>: GETDNS_AUTHENTICATION_REQUIRED

-tls_query_padding_blocksize: 128
+<span style="color:#66d9ef">tls_query_padding_blocksize</span>: <span style="color:#ae81ff">128</span>

-edns_client_subnet_private : 1
+<span style="color:#66d9ef">edns_client_subnet_private </span>: <span style="color:#ae81ff">1</span>

-round_robin_upstreams: 1
+<span style="color:#66d9ef">round_robin_upstreams</span>: <span style="color:#ae81ff">1</span>

-idle_timeout: 10000
+<span style="color:#66d9ef">idle_timeout</span>: <span style="color:#ae81ff">10000</span>

-tls_connection_retries: 5
+<span style="color:#66d9ef">tls_connection_retries</span>: <span style="color:#ae81ff">5</span>

-xtls_ca_path: &quot;/etc/ssl/certs/&quot;
+<span style="color:#66d9ef">xtls_ca_path</span>: <span style="color:#e6db74">&#34;/etc/ssl/certs/&#34;</span>

-################################ LISTEN ADDRESS ################################
-# Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4
-# and IPv6. It will listen on port 53 by default. Use &lt;IP_address&gt;@&lt;port&gt; to
-# specify a different port
-listen_addresses:
-  - 127.0.0.1@5453
+<span style="color:#75715e">################################ LISTEN ADDRESS ################################</span>
+<span style="color:#75715e"># Set the listen addresses for the stubby DAEMON. This specifies localhost IPv4</span>
+<span style="color:#75715e"># and IPv6. It will listen on port 53 by default. Use &lt;IP_address&gt;@&lt;port&gt; to</span>
+<span style="color:#75715e"># specify a different port</span>
+<span style="color:#66d9ef">listen_addresses</span>:
+  - <span style="color:#ae81ff">127.0.0.1</span>@<span style="color:#ae81ff">5453</span>

-appdata_dir: &quot;/var/cache/stubby&quot;
+<span style="color:#66d9ef">appdata_dir</span>: <span style="color:#e6db74">&#34;/var/cache/stubby&#34;</span>

-upstream_recursive_servers:
-   - address_data: 145.100.185.15
-     tls_auth_name: &quot;dnsovertls.sinodun.com&quot;
-   - address_data: 1.1.1.1
-     tls_auth_name: &quot;cloudflare-dns.com&quot;
+<span style="color:#66d9ef">upstream_recursive_servers</span>:
+   - <span style="color:#66d9ef">address_data</span>: <span style="color:#ae81ff">145.100.185.15</span>
+     <span style="color:#66d9ef">tls_auth_name</span>: <span style="color:#e6db74">&#34;dnsovertls.sinodun.com&#34;</span>
+   - <span style="color:#66d9ef">address_data</span>: <span style="color:#ae81ff">1.1.1.1</span>
+     <span style="color:#66d9ef">tls_auth_name</span>: <span style="color:#e6db74">&#34;cloudflare-dns.com&#34;</span>

-## Quad 9 'secure' service - Filters, does DNSSEC, doesn't send ECS
-#  - address_data: 9.9.9.9
-#    tls_auth_name: &quot;dns.quad9.net&quot;
-## Quad 9 'insecure' service - No filtering, does DNSSEC, may send ECS (it is
-## unclear if it honours the edns_client_subnet_private request from stubby)
-#  - address_data: 9.9.9.10
-#    tls_auth_name: &quot;dns.quad9.net&quot;
-## Cloudflare 1.1.1.1 and 1.0.0.1
-#  - address_data: 1.1.1.1
-#    tls_auth_name: &quot;cloudflare-dns.com&quot;
-#  - address_data: 1.0.0.1
-#    tls_auth_name: &quot;cloudflare-dns.com&quot;
-## The Uncensored DNS servers
-#  - address_data: 89.233.43.71
-#    tls_auth_name: &quot;unicast.censurfridns.dk&quot;
-#    tls_pubkey_pinset:
-#      - digest: &quot;sha256&quot;
-#        value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
-## Fondation RESTENA (NREN for Luxembourg)
-#  - address_data: 158.64.1.29
-#    tls_auth_name: &quot;kaitain.restena.lu&quot;
-#    tls_pubkey_pinset:
-#      - digest: &quot;sha256&quot;
-#        value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
-## Google
-#  - address_data: 8.8.8.8
-#    tls_auth_name: &quot;dns.google&quot;
-#  - address_data: 8.8.4.4
-#    tls_auth_name: &quot;dns.google&quot;
-
-</code></pre>
-
-<p>重啟 stubby service</p>
-
-<pre><code class="language-shell">sudo service tubby restart
-</code></pre>
-
-<h5 id="修改pihole-相關設定">修改pihole 相關設定</h5>
+<span style="color:#75715e">## Quad 9 &#39;secure&#39; service - Filters, does DNSSEC, doesn&#39;t send ECS</span>
+<span style="color:#75715e">#  - address_data: 9.9.9.9</span>
+<span style="color:#75715e">#    tls_auth_name: &#34;dns.quad9.net&#34;</span>
+<span style="color:#75715e">## Quad 9 &#39;insecure&#39; service - No filtering, does DNSSEC, may send ECS (it is</span>
+<span style="color:#75715e">## unclear if it honours the edns_client_subnet_private request from stubby)</span>
+<span style="color:#75715e">#  - address_data: 9.9.9.10</span>
+<span style="color:#75715e">#    tls_auth_name: &#34;dns.quad9.net&#34;</span>
+<span style="color:#75715e">## Cloudflare 1.1.1.1 and 1.0.0.1</span>
+<span style="color:#75715e">#  - address_data: 1.1.1.1</span>
+<span style="color:#75715e">#    tls_auth_name: &#34;cloudflare-dns.com&#34;</span>
+<span style="color:#75715e">#  - address_data: 1.0.0.1</span>
+<span style="color:#75715e">#    tls_auth_name: &#34;cloudflare-dns.com&#34;</span>
+<span style="color:#75715e">## The Uncensored DNS servers</span>
+<span style="color:#75715e">#  - address_data: 89.233.43.71</span>
+<span style="color:#75715e">#    tls_auth_name: &#34;unicast.censurfridns.dk&#34;</span>
+<span style="color:#75715e">#    tls_pubkey_pinset:</span>
+<span style="color:#75715e">#      - digest: &#34;sha256&#34;</span>
+<span style="color:#75715e">#        value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=</span>
+<span style="color:#75715e">## Fondation RESTENA (NREN for Luxembourg)</span>
+<span style="color:#75715e">#  - address_data: 158.64.1.29</span>
+<span style="color:#75715e">#    tls_auth_name: &#34;kaitain.restena.lu&#34;</span>
+<span style="color:#75715e">#    tls_pubkey_pinset:</span>
+<span style="color:#75715e">#      - digest: &#34;sha256&#34;</span>
+<span style="color:#75715e">#        value: 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=</span>
+<span style="color:#75715e">## Google</span>
+<span style="color:#75715e">#  - address_data: 8.8.8.8</span>
+<span style="color:#75715e">#    tls_auth_name: &#34;dns.google&#34;</span>
+<span style="color:#75715e">#  - address_data: 8.8.4.4</span>
+<span style="color:#75715e">#    tls_auth_name: &#34;dns.google&#34;</span>

+</code></pre></div><p>重啟 stubby service</p>
+<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">sudo service tubby restart
+</code></pre></div><h5 id="修改pihole-相關設定">修改pihole 相關設定</h5>
 <p>開啟 pihole web 管理界面 settings -&gt; dns -&gt; 左邊預設的DNS 都不要選，在右邊的 custom 1(IPV4) 填入</p>
-
 <p>存檔後離開</p>
-
 <pre><code>127.0.0.1#5453
 </code></pre>
            </article>
@@ -877,7 +781,7 @@ title="pinterest icon"></i>

 				</ul>	<div class="design-credit">
 		
-		<p>&copy; 2018 Göran Svensson</p>
+		<p>© 2018 Göran Svensson</p>
 		
 		<p>Nederburg Hugo Theme by <a href="https://appernetic.io">Appernetic</a>.</p>
 		
@@ -889,7 +793,7 @@ title="pinterest icon"></i>
  </div>
  <script src="https://h.cowbay.org/js/jquery.min.js"></script>
 <script src="https://h.cowbay.org/js/jquerymigrate.js"></script>
-<script src="https://h.cowbay.org/js/production.min.js?v=1626744134"></script>
+<script src="https://h.cowbay.org/js/production.min.js?v=1629951055"></script>

 </body>
 </html>