@nealfennimore
Last active April 3, 2024 09:49
Wireguard VPN - Forward all traffic to server
# ------------------------------------------------
# Config file lives at /etc/wireguard/wg0.conf (wg-quick up wg0 reads it); keep it root-only (chmod 600) since it holds the private key
# ------------------------------------------------
# ---------- Server Config ----------
[Interface]
Address = 10.10.0.1/24 # IPV4 CIDR
Address = fd86:ea04:1111::1/64 # IPV6 CIDR
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Allow forwarding from wg0 and NAT it out of eth0 (the server's public interface; change the name if yours differs) when the interface comes up
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE # Remove the same rules when the interface goes down
PrivateKey = # Put server private key here
ListenPort = 51820 # Port server should be listening on
[Peer]
PublicKey = B1Oyq4HertWCcK8YBWETfoHICnFN4+tCfyouxsdhWhs= # Client public key
AllowedIPs = 10.10.0.2/32, fd86:ea04:1111::2/128 # Tunnel addresses this client may send from; packets from this key with any other source address are dropped
# ---------- Client Config ----------
[Interface]
Address = 10.10.0.2/32 # IPV4 address client is allowed to connect as
Address = fd86:ea04:1111::2/128 # IPV6 address client is allowed to connect as
PrivateKey = # Client private key goes here
DNS = 1.1.1.1 # DNS client should use for resolution (Cloudflare here)
[Peer]
PublicKey = WI6KwPohbGqsJUZ/FpZup2zGTaBFdeHeJCq2dtT1KBU= # Server public key
Endpoint = YOUR_SERVER:51820 # Where the server is at + the listening port
AllowedIPs = 0.0.0.0/0, ::/0 # Route all IPv4 and IPv6 traffic through the tunnel (wg-quick adds the default routes plus a fwmark rule so the Endpoint itself is still reached directly)
# ------------------------------------------------
# Commands
# ------------------------------------------------
sudo wg-quick up wg0 # Starting wireguard
sudo wg-quick down wg0 # Shutting down wireguard
sudo wg # to see status
# ------------------------------------------------
# Watch traffic
# ------------------------------------------------
# https://nbsoftsolutions.com/blog/viewing-wireguard-traffic-with-tcpdump
# View encrypted traffic from wireless card to VPN server
sudo tcpdump -n -X -i wlp1s0 host YOUR_SERVER
# View plaintext HTTP traffic on the tunnel interface, i.e. before WireGuard encrypts it
sudo tcpdump -n -v -i wg0 port 80
# ------------------------------------------------
# Misc
# ------------------------------------------------
# Start wireguard on system boot
sudo systemctl enable wg-quick@wg0
# Ensure forwarding is allowed on the server by adding the lines below to /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
# Or write them to a drop-in file and reload (both steps need root, hence sudo tee rather than a plain redirect)
printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' | sudo tee /etc/sysctl.d/wg.conf
sudo sysctl --system
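A config linter to run before `wg-quick up`, added here as an example and not part of the gist or of WireGuard. It parses the `[Interface]`/`[Peer]` layout above and reports the mistakes that most often produce a tunnel that silently fails or accepts more than intended: a missing or malformed key, a client `Address` that is not a host route, a peer without `AllowedIPs` or `Endpoint`, and a server-side `AllowedIPs` of `0.0.0.0/0` or `::/0`, which lets that key send from any source address and routes all traffic to it. The sample configs and the private key in the block are constructed placeholders; the two public keys are the ones shown in the gist.

```python
"""Lint a wg-quick config before `wg-quick up` (added example, not from the gist)."""
import base64
import ipaddress
import re
import sys

KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")   # base64 of 32 bytes is 44 chars
LIST_KEYS = {"Address", "AllowedIPs", "DNS"}    # keys wg-quick reads as comma lists


def parse_wg_conf(text):
    """Return [(section_name, {key: [values]})]; repeated keys accumulate."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # wg-quick drops '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        if not sections or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        values = value.split(",") if key in LIST_KEYS else [value]
        sections[-1][1].setdefault(key, []).extend(v.strip() for v in values if v.strip())
    return sections


def is_wg_key(value):
    """True for a well-formed WireGuard key: 32 bytes in standard base64."""
    return bool(KEY_RE.match(value)) and len(base64.b64decode(value)) == 32


def lint_wg_conf(text, role):
    """Return findings for a 'server' or 'client' config; [] means clean."""
    sections = parse_wg_conf(text)
    ifaces = [kv for name, kv in sections if name == "Interface"]
    peers = [kv for name, kv in sections if name == "Peer"]
    if len(ifaces) != 1:
        return ["exactly one [Interface] section is required"]
    iface, findings = ifaces[0], []

    def first(kv, key):
        return (kv.get(key) or [""])[0]

    if not is_wg_key(first(iface, "PrivateKey")):
        findings.append("PrivateKey is missing or not a 32-byte base64 key")
    for addr in iface.get("Address", []):
        try:
            net = ipaddress.ip_interface(addr).network
        except ValueError:
            findings.append(f"Address {addr!r} is not a valid address/prefix")
            continue
        if role == "client" and net.prefixlen != net.max_prefixlen:
            findings.append(f"client Address {addr} should be a single host (/32 or /128)")
    if role == "server" and "ListenPort" not in iface:
        findings.append("server has no ListenPort, so clients cannot reach it")
    if not peers:
        findings.append("no [Peer] section: nothing can use this interface")
    for peer in peers:
        if not is_wg_key(first(peer, "PublicKey")):
            findings.append("peer PublicKey is missing or malformed")
        if role == "client" and "Endpoint" not in peer:
            findings.append("client peer has no Endpoint to send to")
        if not peer.get("AllowedIPs"):
            findings.append("peer has no AllowedIPs, so it can neither send nor receive")
        for cidr in peer.get("AllowedIPs", []):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"AllowedIPs entry {cidr!r} is not a valid CIDR")
                continue
            if role == "server" and net.prefixlen == 0:   # cryptokey routing: route + source filter
                findings.append(f"server peer AllowedIPs {cidr}: accepts any source address "
                                "from this key and routes all traffic to it")
    return findings


PLACEHOLDER_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed; never a real key
SERVER_PUB = "WI6KwPohbGqsJUZ/FpZup2zGTaBFdeHeJCq2dtT1KBU="      # server public key from the gist
CLIENT_PUB = "B1Oyq4HertWCcK8YBWETfoHICnFN4+tCfyouxsdhWhs="      # client public key from the gist
SAMPLE_CLIENT = f"""[Interface]
Address = 10.10.0.2/32, fd86:ea04:1111::2/128
PrivateKey = {PLACEHOLDER_KEY}
DNS = 1.1.1.1
[Peer]
PublicKey = {SERVER_PUB}
Endpoint = YOUR_SERVER:51820
AllowedIPs = 0.0.0.0/0, ::/0 # full tunnel
"""
SAMPLE_SERVER = f"""[Interface]
Address = 10.10.0.1/24
PrivateKey = {PLACEHOLDER_KEY}
ListenPort = 51820
[Peer]
PublicKey = {CLIENT_PUB}
AllowedIPs = 10.10.0.2/32, fd86:ea04:1111::2/128
"""

if __name__ == "__main__":            # usage: sudo python3 wglint.py client /etc/wireguard/wg0.conf
    with open(sys.argv[2]) as fh:
        problems = lint_wg_conf(fh.read(), sys.argv[1])
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run it as `sudo python3 wglint.py client /etc/wireguard/wg0.conf` (sudo because the file should be root-only). The server-side `AllowedIPs` check is the one worth remembering: on the server that field is both the route to the peer and the source filter for packets arriving from it, so a wildcard there turns one client key into a full-trust gateway.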
@mcao2 commented Aug 20, 2020

Nice work! Do you know how to route all IPv6 traffic through WireGuard and keep IPv4 traffic untouched? I tried to use "10.10.0.2/32,::/0" for the allowed IPs field, but then only IPv6 sites can be reached... Thanks.

Solved, thanks, it appears to be a macOS WireGuard version bug.

@danielledeleo

> Nice work! Do you know how to route all IPv6 traffic through WireGuard and keep IPv4 traffic untouched? I tried to use "10.10.0.2/32,::/0" for the allowed IPs field, but then only IPv6 sites can be reached... Thanks.
>
> Solved, thanks, it appears to be a macOS WireGuard version bug.

Were you able to work around that?

@mcao2 commented Sep 26, 2020

> > Nice work! Do you know how to route all IPv6 traffic through WireGuard and keep IPv4 traffic untouched? I tried to use "10.10.0.2/32,::/0" for the allowed IPs field, but then only IPv6 sites can be reached... Thanks.
> > Solved, thanks, it appears to be a macOS WireGuard version bug.
>
> Were you able to work around that?

Yes I can achieve my goal by putting "::/1, 8000::/1" in the allowed ips field.
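
How to build an AllowedIPs list that covers everything except some prefixes, added here as an example (not from the gist or the WireGuard project). AllowedIPs is a plain allow-list of routes with no "except" syntax, so "all IPv6 but no IPv4" (the `::/1, 8000::/1` pair above, which together cover exactly `::/0`) or "everything except my LAN" has to be written out as the CIDRs that make up the complement. `ipaddress.address_exclude` does the splitting, and the block generalises the trick to any number of excluded prefixes in either address family. The LAN `192.168.1.0/24` and the server address `203.0.113.10` are constructed for the example.

```python
"""Build an AllowedIPs list that covers everything except some prefixes (added example)."""
import ipaddress


def allowed_ips_excluding(covered, excluded):
    """Return `covered` minus `excluded` as a sorted list of CIDR strings.

    Handles both address families at once, excluded prefixes that overlap each
    other, and an excluded prefix that swallows a covered prefix whole.
    """
    remaining = [ipaddress.ip_network(c, strict=False) for c in covered]
    for exc in (ipaddress.ip_network(e, strict=False) for e in excluded):
        kept = []
        for net in remaining:
            if net.version != exc.version or not net.overlaps(exc):
                kept.append(net)                        # other family or disjoint: untouched
            elif net.subnet_of(exc):
                continue                                # fully inside the hole: drop it
            else:
                kept.extend(net.address_exclude(exc))   # carve the hole out of net
        remaining = kept
    remaining.sort(key=lambda n: (n.version, n))
    return [str(n) for n in remaining]


def covered_address_count(cidrs):
    """Total addresses in a CIDR list, to confirm the split lost nothing."""
    return sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs)


def allowed_ips_line(covered, excluded):
    """Render the result in the form used in the [Peer] section."""
    return "AllowedIPs = " + ", ".join(allowed_ips_excluding(covered, excluded))


if __name__ == "__main__":
    # IPv6 only through the tunnel, IPv4 untouched (same coverage as ::/1, 8000::/1)
    print(allowed_ips_line(["0.0.0.0/0", "::/0"], ["0.0.0.0/0"]))
    # Full tunnel, but keep the home LAN and the VPN server's own address direct
    print(allowed_ips_line(["0.0.0.0/0", "::/0"], ["192.168.1.0/24", "203.0.113.10/32"]))
```

Anything left out of AllowedIPs leaves the machine in cleartext over the normal interface, so exclude only what genuinely must stay local. The Linux wg-quick script already sends the encrypted packets to the Endpoint outside the tunnel on its own (a fwmark plus a policy-routing rule), so excluding the server's address is only needed where your client's route setup does not do that for you.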

@gaby commented Sep 9, 2021

I can't get the client to forward all the traffic to the server. It keeps using eth0.

@techdron commented Feb 1, 2022

---------- Client Config ----------

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0 # you mean it does not work in principle with this "::/0", only "0.0.0.0/0"?

@nealfennimore (Author)

> [Peer]
> AllowedIPs = 0.0.0.0/0, ::/0 # you mean it does not work in principle with this "::/0", only "0.0.0.0/0"?

It will forward any IPv4 (0.0.0.0/0) or IPv6 (::/0) connection to the server. You can exclude either if you only want to use a single IP version.

@techdron commented Feb 1, 2022

I wanted all traffic to be through the server, and to have the server's IP when determining

@radupotop

In the Client config > Interface section shouldn't the address have the netmask set to /24?

@nealfennimore (Author)

> In the Client config > Interface section shouldn't the address have the netmask set to /24?

In this case, we're specifying that we want to connect to a server as the IP of 10.10.0.2. The server also allows a peer (us, the client) to connect as 10.10.0.2. Since we have the client private key and the server has our matching client public key, it allows us to connect as 10.10.0.2. We don't necessarily want to connect from a range of IPs, hence why we're doing the /32 here.

@1mursaleen

I've been having a consistent problem & I've tried many configurations to solve it without any success.

Setup: I have a digital ocean VPS as server & my windows 10 PC as client. I've tried my Android phone as client too but the problem persists.

The Issue: After a minute of successful speedy connection via wireguard, the connection drops & no longer works. I have to reconnect & then the same happens. And after 10-20 retries, I get a stable connection which then runs perfectly.

I have done everything described here and on multiple gists, forums, & everything I could find on google, but without any success.
I have tried DNSs, POSTUP POSTDOWN configs etc.

@mnkll commented Apr 29, 2022

> I've been having a consistent problem & I've tried many configurations to solve it without any success.
>
> Setup: I have a digital ocean VPS as server & my windows 10 PC as client. I've tried my Android phone as client too but the problem persists.
>
> The Issue: After a minute of successful speedy connection via wireguard, the connection drops & no longer works. I have to reconnect & then the same happens. And after 10-20 retries, I get a stable connection which then runs perfectly.
>
> I have done everything described here and on multiple gists, forums, & everything I could find on google, but without any success. I have tried DNSs, POSTUP POSTDOWN configs etc.

Not sure that is the culprit, but do you have the persistent keepalive setting in your client config, so that a stateful firewall does not reset the connection after there has been no traffic for a while? As it defaults to 0 / off, this could be what trips you up.

From the WireGuard quick start guide:

> NAT and Firewall Traversal Persistence
>
> By default, WireGuard tries to be as silent as possible when not being used; it is not a chatty protocol. For the most part, it only transmits data when a peer wishes to send packets. When it's not being asked to send packets, it stops sending packets until it is asked again. In the majority of configurations, this works well. However, when a peer is behind NAT or a firewall, it might wish to be able to receive incoming packets even when it is not sending any packets. Because NAT and stateful firewalls keep track of "connections", if a peer behind NAT or a firewall wishes to receive incoming packets, he must keep the NAT/firewall mapping valid, by periodically sending keepalive packets. This is called persistent keepalives. When this option is enabled, a keepalive packet is sent to the server endpoint once every interval seconds. A sensible interval that works with a wide variety of firewalls is 25 seconds. Setting it to 0 turns the feature off, which is the default, since most users will not need this, and it makes WireGuard slightly more chatty. This feature may be specified by adding the PersistentKeepalive = field to a peer in the configuration file, or setting persistent-keepalive at the command line. If you don't need this feature, don't enable it. But if you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent, this option will keep the "connection" open in the eyes of NAT.
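
A way to turn the `sudo wg show wg0 dump` output into a quick health check for the drop-outs described above, added here as an example (not from the gist or WireGuard). Each peer line of the dump is tab-separated: public key, preshared key, endpoint, allowed IPs, latest handshake as unix seconds (0 if never), received bytes, sent bytes, and the keepalive interval ("off" or seconds). A peer whose keepalives are flowing re-handshakes about every two minutes, so a keepalive-enabled peer with a handshake several minutes old means its packets are no longer getting through. The sample dump is constructed: it reuses the two public keys shown in the gist, placeholder strings for the other keys, and documentation-range endpoints.

```python
"""Flag dead peers in `wg show <iface> dump` output (added example, not from the gist)."""
import sys

REKEY_AFTER_TIME = 120               # WireGuard starts a new handshake after 120 s of use
STALE_AFTER = REKEY_AFTER_TIME + 60  # tolerate one missed rekey before flagging a peer


def parse_wg_dump(text):
    """Return (interface_info, [peer_info]) parsed from `wg show <iface> dump`."""
    rows = [line.split("\t") for line in text.splitlines() if line.strip()]
    _private, public, port, fwmark = rows[0]        # first row describes the interface itself
    iface = {"public_key": public, "listen_port": int(port), "fwmark": fwmark}
    peers = []
    for public, psk, endpoint, allowed, handshake, rx, tx, keepalive in rows[1:]:
        peers.append({
            "public_key": public,
            "preshared_key": psk != "(none)",
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": [] if allowed == "(none)" else allowed.split(","),
            "latest_handshake": int(handshake),      # unix seconds, 0 = never
            "rx_bytes": int(rx),
            "tx_bytes": int(tx),
            "keepalive": None if keepalive == "off" else int(keepalive),
        })
    return iface, peers


def peer_findings(peers, now):
    """Return (public_key, message) pairs; an empty list means every peer looks healthy."""
    findings = []
    for peer in peers:
        key = peer["public_key"]
        if peer["latest_handshake"] == 0:
            findings.append((key, "never completed a handshake: check keys, Endpoint, "
                                  "ListenPort and the server firewall"))
            continue
        age = now - peer["latest_handshake"]
        if age <= STALE_AFTER:
            continue                                  # handshake is recent: session is alive
        if peer["keepalive"] is not None:
            findings.append((key, f"keepalive every {peer['keepalive']}s but last handshake "
                                  f"{age}s ago: path is down"))
        elif peer["endpoint"] is not None:
            findings.append((key, f"idle for {age}s with PersistentKeepalive off: a NAT or "
                                  "stateful firewall may have dropped the mapping"))
    return findings


NOW = 1_700_000_000   # constructed "current" unix time so the sample is deterministic
SAMPLE_DUMP = "\n".join("\t".join(fields) for fields in [
    ("(private key)", "WI6KwPohbGqsJUZ/FpZup2zGTaBFdeHeJCq2dtT1KBU=", "51820", "off"),
    # healthy client: keepalive on, handshake 43 s ago
    ("B1Oyq4HertWCcK8YBWETfoHICnFN4+tCfyouxsdhWhs=", "(none)", "198.51.100.7:41820",
     "10.10.0.2/32,fd86:ea04:1111::2/128", str(NOW - 43), "18320", "9920", "25"),
    # client whose packets stopped arriving about ten minutes ago
    ("PEER2_PUBLIC_KEY_PLACEHOLDER=", "(none)", "198.51.100.9:53011",
     "10.10.0.3/32", str(NOW - 611), "4096", "2048", "25"),
    # peer configured on the server that has never connected
    ("PEER3_PUBLIC_KEY_PLACEHOLDER=", "(none)", "(none)", "10.10.0.4/32", "0", "0", "0", "off"),
])

if __name__ == "__main__":
    import time
    _iface, live_peers = parse_wg_dump(sys.stdin.read())   # sudo wg show wg0 dump | python3 wgcheck.py
    for key, message in peer_findings(live_peers, int(time.time())):
        print(f"{key[:8]}...: {message}")
```

Pipe the live output in with `sudo wg show wg0 dump | python3 wgcheck.py`. A peer flagged as "never completed a handshake" usually means a key mismatch or a blocked UDP port; one flagged with keepalive on but a stale handshake is the symptom above, where the session was fine until the path died.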

@aadityabhatia

Excellent scripts! Just want to point out that Docker complicates iptables setup. In that case, replace -A FORWARD with -I DOCKER-USER.

Also it is a good idea to include the following rule irrespective of Docker's presence:

iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Ref:

@Hunkoys commented Feb 5, 2024

Should I copy your ipv6? I really don't understand how ipv6 works yet.

@nealfennimore (Author)

> Should I copy your ipv6? I really don't understand how ipv6 works yet.

You can exclude it if you're not wanting to use IPv6. It might be a better solution to use a private IPv6 ULA here though, if you do end up using IPv6.
