@LordVeovis
Last active March 10, 2024 13:15
WG 4G
# Generated by iptables-save v1.8.4 on Sun Mar 10 12:22:21 2024
# VPS firewall. ens3 is the public interface, wg0 the WireGuard tunnel towards
# the home router (see the netplan and RouterOS snippets further down).
*mangle
:PREROUTING ACCEPT [277:110915]
:INPUT ACCEPT [202:76357]
:FORWARD ACCEPT [75:34558]
:OUTPUT ACCEPT [303:29155]
:POSTROUTING ACCEPT [378:63713]
# Clamp the TCP MSS of flows forwarded into the tunnel so that WireGuard
# encapsulation does not produce oversized packets (the router side runs
# wg0 with mtu=1420).
-A FORWARD -i ens3 -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Mar 10 12:22:21 2024
# Generated by iptables-save v1.8.4 on Sun Mar 10 12:22:21 2024
*nat
:PREROUTING ACCEPT [6447:312951]
:INPUT ACCEPT [5766:260367]
:OUTPUT ACCEPT [440:66997]
:POSTROUTING ACCEPT [981:112970]
# Publish the home server: tcp/80,443 arriving on the public interface is
# DNATed to 192.168.45.34 behind the tunnel. There is no SNAT/MASQUERADE in
# this table, so the original client source address is kept; the router side
# therefore has to accept arbitrary sources from the tunnel and steer the
# replies back into it (its allowed-address=0.0.0.0/0 and connmark rules).
-A PREROUTING -i ens3 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.45.34 --random
COMMIT
# Completed on Sun Mar 10 12:22:21 2024
# Generated by iptables-save v1.8.4 on Sun Mar 10 12:22:21 2024
*filter
# NOTE(review): the INPUT policy is ACCEPT, so the ACCEPT rules below do not
# restrict anything -- any port not explicitly handled is still reachable from
# ens3. Switching to ':INPUT DROP' would also require '-A INPUT -i lo -j ACCEPT'
# (not present here) and keeping the ssh/wg rules ahead of the drop.
:INPUT ACCEPT [24:1600]
# FORWARD is default-deny; only the rules below pass traffic between ens3 and wg0.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1440:132939]
# Banned SSH sources (ipset presumably maintained by fail2ban) are rejected first.
-A INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP echo-request (ping) to the VPS itself.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# SSH from any source; brute-force handling is left to the f2b-sshd set above.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# WireGuard listener; matches 'port: 1234' in the netplan tunnel definition.
-A INPUT -p udp -m udp --dport 1234 -m comment --comment wg -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Echo-request and fragmentation-needed (type 3, code 4) may cross the tunnel
# so that ping and path-MTU discovery keep working for the published server.
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
# The only new forwarded flows: the DNATed web traffic from ens3 into the
# tunnel, pinned to the single DNAT target so no other forwarded destination
# on 192.168.45.0/24 is reachable from the Internet.
-A FORWARD -d 192.168.45.34/32 -i ens3 -o wg0 -p tcp -m multiport --dports 80,443 -m comment --comment 4g-home-server -j ACCEPT
COMMIT
# Completed on Sun Mar 10 12:22:21 2024
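# netplan: VPS end of the WireGuard tunnel. It listens on udp/1234 (the port
# opened by the iptables INPUT rule above); the home router is the peer that
# dials in, so no endpoint is configured here.
network:
  version: 2
  tunnels:
    wg0:
      mode: wireguard
      port: 1234
      # NOTE(review): this private key and the preshared key below appear
      # verbatim in this snippet; regenerate both before reusing the config.
      # netplan also accepts a path to a file holding the key, which keeps it
      # out of the YAML itself -- check the netplan reference for your version.
      key: eHFEbf3q6xmZquSn+OKEfnwQqTR0Z8ZDR84dO+VLZ3U=
      addresses:
        # NOTE(review): 192.18.0.0/30 is not an RFC 1918 range; the router side
        # uses 192.18.0.2/30 as well, so it is consistent, but confirm it is
        # intended rather than a typo for 192.168.x.
        - 192.18.0.1/30 # tunnel ip, vps1
      peers:
        # Source addresses accepted from the tunnel: the home LAN only.
        - allowed-ips: [192.168.45.0/24] # source of the packets inside the tunnel
          keys:
            public: uukUgbYh0N6JxhWWjovQL3+JV2ZnrpnzJK2Jo6iRdXY=
            shared: D9saApnkNzuCWcA4zp2u8isKIcWQgAC2tfNExUjXvBA=
      routes:
        # Host route to the DNAT target of the iptables nat rule.
        - to: 192.168.45.34 # gitlab at home
          metric: 10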
[admin@MikroTik] > export
# 2024-03-10 13:56:48 by RouterOS 7.13.3
# software id = 4W6H-DFE8
#
# model = RB5009UG+S+
# Home-router end of the tunnel: wg0 dials out to the VPS over the LTE uplink
# (lte2, gateway 192.168.8.1) and the web traffic DNATed by the VPS for the
# home server comes back in through it. Only the wg-related parts of the
# export are shown ([...] marks elided rules).
/interface wireguard
# NOTE(review): listen-port=13231 does not match the udp/1234 input rule
# below. Since this side initiates and keeps the session alive (keepalive),
# VPS-to-router datagrams presumably arrive as replies of a tracked
# connection and are covered by an established/related rule in the elided
# section -- confirm.
add listen-port=13231 mtu=1420 name=wg0
/routing table
# Dedicated table so that replies to tunnel traffic are not sent out via the
# LTE default route.
add disabled=no fib name=rt-vps-wg0
/interface wireguard peers
# allowed-address=0.0.0.0/0 is required: the VPS DNATs public clients to the
# home server without SNAT, so packets arriving through the tunnel carry
# arbitrary Internet source addresses.
# NOTE(review): endpoint-port=51820 does not match the VPS listener (port 1234
# in the netplan and iptables snippets) -- confirm which value is current.
# NOTE(review): the preshared key is published verbatim in this snippet (same
# value as on the VPS side); regenerate it together with the VPS key pair.
add allowed-address=0.0.0.0/0 endpoint-address=ip.vps.x.y endpoint-port=51820 interface=wg0 \
persistent-keepalive=10s preshared-key="D9saApnkNzuCWcA4zp2u8isKIcWQgAC2tfNExUjXvBA=" public-key=\
"6i0nk4msccktB98W0Avb+HGongyMmO2wKZJhldYs9Fs="
/ip address
# Router end of the /30 (the VPS is 192.18.0.1).
add address=192.18.0.2/30 interface=wg0 network=192.18.0.0
/ip firewall filter
add action=accept chain=input protocol=udp dst-port=1234 comment="wg"
[...]
# Mirror of the VPS FORWARD rule: only tcp/80,443 towards the home server may
# enter from wg0 into the LAN.
add action=accept chain=forward comment=4g-home-server dst-address=192.168.45.34 dst-port=80,443 in-interface=wg0 \
out-interface=kveer-home protocol=tcp
/ip firewall mangle
# Return-path steering, step 1: tag every new connection entering from wg0.
add action=mark-connection chain=prerouting comment=connmark-vps1-wg0 connection-state=new in-interface=wg0 \
new-connection-mark=vps1-wg0 passthrough=yes
# Step 2: LAN replies belonging to a tagged connection are routed with
# rt-vps-wg0, whose default route (below) points back into the tunnel.
add action=mark-routing chain=prerouting comment=rtmark-from-connmark-wg0 connection-mark=vps1-wg0 in-interface=kveer-home \
new-routing-mark=rt-vps-wg0 passthrough=yes
/ip firewall nat
/ip route
# rt-vps-wg0: the VPS endpoint and the LTE subnet stay reachable via LTE, the
# LAN via kveer-home, and everything else (i.e. the replies) goes into wg0.
add disabled=no dst-address=ip.vps.x.y/32 gateway=192.168.8.1 routing-table=rt-vps-wg0 suppress-hw-offload=no
add disabled=no dst-address=192.168.8.0/24 gateway=lte2 routing-table=rt-vps-wg0 suppress-hw-offload=no
add disabled=no dst-address=192.168.45.0/24 gateway=kveer-home routing-table=rt-vps-wg0 suppress-hw-offload=no
add disabled=no distance=90 dst-address=0.0.0.0/0 gateway=wg0 routing-table=rt-vps-wg0 suppress-hw-offload=no
/routing rule