
@Sherex
Last active May 6, 2024 06:26
A script for the WireGuard config PostUp/PostDown entries. It allows peers to connect through the WireGuard interface and sets up IP forwarding (port forwarding will be added later).

IfScript

Hi, I made this for my use-case, but feel free to use it :)
This currently only handles the NAT side of things, not PAT!
The from/to port options are just a placeholder; the script uses the first port specified on both sides, so in the call below traffic arrives on port 80 and is forwarded to port 80:

route_port 80 80 tcp $vpn_ip $server_ip

How to use?

Download and make executable

$ wget https://gist.githubusercontent.com/Sherex/78f6d8d8ed4223f8995d1d01f790a11b/raw/c0a87d74ed412e9934bab1e1cfde3aee5957bff7/ifscript.sh -O /etc/wireguard/ifscript.sh

$ chmod +x /etc/wireguard/ifscript.sh

Edit ifscript.sh to suit your needs. I recommend double-checking these variables at the top of the file:

| Variable | Example value | Description |
| --- | --- | --- |
| int_interface | "eth0" | Make sure this matches the interface the packets to be forwarded arrive on! (common interfaces are "eth0" and "ens18") |
| vpn_ip | "10.50.0.1" | The IP on this server that the packets will be sent from after the forward (the SNAT source) |
| server_ip | "10.50.0.249" | The IP of the server that should receive the forwarded packets |

Note: This can easily be configured the other way round, to route traffic out from the wg0 interface to a server on the same local network. Just set vpn_ip to the IP of this machine's interface on the local network, set server_ip to the server that should receive the packets, and swap the values of the variables int_interface and interface.

Change the lines in your /etc/wireguard/wg0.conf to:

...
PostUp = /etc/wireguard/ifscript.sh up %i
PostDown = /etc/wireguard/ifscript.sh down %i
...

Enable IP forwarding

Temporary (until next reboot)

Run this:

$ sysctl -w net.ipv4.ip_forward=1

Permanent

And last, but just as important, uncomment this line in the file /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Then run this to reload sysctl configuration:

$ sysctl -p

My use-case

As I don't have access to the external-facing router on my network (renting is fun :)), I set this up.

A VPS routes traffic from specified ports (80 and 443) to a local VM behind NAT.
Then that VM routes the traffic to another VM on its local network.

Internet -> VPS [wireguard tunnel -> network-VM] --> docker-VM

#!/bin/bash
# Usage: ifscript.sh <up|down> <wireguard interface>
# wg-quick calls this from PostUp/PostDown with %i as the interface name.
action=$1
interface=$2
if [[ -z "$action" || -z "$interface" ]]; then
  echo "Usage: $0 <up|down> <interface>" >&2
  exit 1
fi

int_interface="eth0"      # interface the packets to be forwarded arrive on
vpn_ip="10.50.0.1"        # source IP the packets are sent from after the forward (SNAT)
server_ip="10.50.0.249"   # server that receives the forwarded packets (DNAT)

# "up" appends the rules (-A); "down" deletes the very same rules (-D)
if [[ "$action" = "up" ]]; then
  action_arg="A"
  cmd_action="Enabling"
else
  action_arg="D"
  cmd_action="Disabling"
fi

log () {
  echo "[ifscript.sh] $cmd_action $*"
}

# route_port <from_port> <to_port> <protocol> <src_ip> <dest_ip>
# to_port is a placeholder for now: from_port is used on both sides (NAT only, no PAT)
route_port () {
  local from_port=$1
  local to_port=$2
  local protocol=$3
  local src_ip=$4
  local dest_ip=$5
  log "routes from $src_ip:$from_port/$protocol to $dest_ip:$from_port/$protocol through vpn"
  # Default-deny forwarding (set on both up and down); only the rules below let traffic through
  iptables -P FORWARD DROP
  # Allow new connections for this port from the external interface into the tunnel
  iptables -"$action_arg" FORWARD -i "$int_interface" -o "$interface" -p "$protocol" --dport "$from_port" -m conntrack --ctstate NEW -j ACCEPT
  # Rewrite the destination to the server behind the tunnel...
  iptables -t nat -"$action_arg" PREROUTING -i "$int_interface" -p "$protocol" --dport "$from_port" -j DNAT --to-destination "$dest_ip"
  # ...and the source to our tunnel IP so replies come back through us
  iptables -t nat -"$action_arg" POSTROUTING -o "$interface" -p "$protocol" --dport "$from_port" -d "$dest_ip" -j SNAT --to-source "$src_ip"
}

log "iptables rules for ${interface}"
# Allow peers to connect to the wireguard interface and reach the outside via int_interface
iptables -"$action_arg" FORWARD -i "$interface" -j ACCEPT
iptables -t nat -"$action_arg" POSTROUTING -o "$int_interface" -j MASQUERADE
# Route "ESTABLISHED,RELATED" traffic to and from the vpn tunnel
iptables -"$action_arg" FORWARD -i "$int_interface" -o "$interface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -"$action_arg" FORWARD -i "$interface" -o "$int_interface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
route_port 80 80 tcp "$vpn_ip" "$server_ip"
route_port 443 443 tcp "$vpn_ip" "$server_ip"
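Because the script only ever appends (-A) on up and deletes (-D) on down, a second `wg-quick up` without a matching down leaves duplicate rules, and a failed PostUp leaves some rules missing. The following is an added example, not part of the gist: a small POSIX sh checker that takes the output of `iptables -S` and `iptables -t nat -S` and reports, for each rule the script is expected to install, whether it is present once, missing, or duplicated. The function names (`check_rules`, `count_rule`, `sample_*_dump`) are assumptions, the sample dumps are constructed, and the expected lines use iptables-save's normalised form (explicit `-m tcp`, `-d ip/32`), so adjust them if your iptables prints rules differently.

```shell
#!/bin/sh
# Added example (not from the gist): verify the rules ifscript.sh should have
# installed, given dumps from `iptables -S` and `iptables -t nat -S`.
# Names below are assumed; the sample dumps are constructed for the demo.

# Count exact-line occurrences of one rule in a dump (one rule per line).
count_rule () {
  printf '%s\n' "$1" | grep -cFx -- "$2" || :
}

# check_rules <filter dump> <nat dump> <wg_if> <int_if> <vpn_ip> <server_ip> <port>
# Prints OK / MISSING / DUPLICATE per expected rule; returns 0 only when every
# rule is present exactly once.
check_rules () {
  local filter="$1" nat="$2" wg_if="$3" int_if="$4" vpn_ip="$5" server_ip="$6" port="$7"
  local status=0 table rule n
  # Expected rules mirror ifscript.sh, in the form iptables-save prints them.
  while IFS='|' read -r table rule; do
    [ -n "$rule" ] || continue
    if [ "$table" = filter ]; then
      n=$(count_rule "$filter" "$rule")
    else
      n=$(count_rule "$nat" "$rule")
    fi
    case "$n" in
      1) echo "OK        $rule" ;;
      0) echo "MISSING   $rule"; status=1 ;;
      *) echo "DUPLICATE ($n copies) $rule"; status=1 ;;
    esac
  done <<EOF
filter|-P FORWARD DROP
filter|-A FORWARD -i $wg_if -j ACCEPT
filter|-A FORWARD -i $int_if -o $wg_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
filter|-A FORWARD -i $wg_if -o $int_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
filter|-A FORWARD -i $int_if -o $wg_if -p tcp -m tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
nat|-A POSTROUTING -o $int_if -j MASQUERADE
nat|-A PREROUTING -i $int_if -p tcp -m tcp --dport $port -j DNAT --to-destination $server_ip
nat|-A POSTROUTING -d $server_ip/32 -o $wg_if -p tcp -m tcp --dport $port -j SNAT --to-source $vpn_ip
EOF
  return "$status"
}

# Constructed sample: PostUp ran twice without PostDown (duplicate FORWARD
# accept) and the SNAT rule for port 80 never made it in.
sample_filter_dump () {
  cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o wg0 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
EOF
}

sample_nat_dump () {
  cat <<'EOF'
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.50.0.249
-A POSTROUTING -o eth0 -j MASQUERADE
EOF
}

# Demo against the constructed dumps. Against a live host, run instead:
#   check_rules "$(iptables -S)" "$(iptables -t nat -S)" wg0 eth0 10.50.0.1 10.50.0.249 80
check_rules "$(sample_filter_dump)" "$(sample_nat_dump)" wg0 eth0 10.50.0.1 10.50.0.249 80 \
  || echo "rule check failed"
```

Run it once per forwarded port (80 and 443 in the gist) right after `wg-quick up`; a DUPLICATE line means the down side was skipped at some point, and a MISSING SNAT line explains replies that never come back through the tunnel.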