Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Wireguard VPN - Forward all traffic to server
# ------------------------------------------------
# Config files are located in /etc/wireguard/wg0
# ------------------------------------------------
# ---------- Server Config ----------
[Interface]
Address = 10.10.0.1/24 # IPV4 CIDR
Address = fd86:ea04:1111::1/64 # IPV6 CIDR
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Add forwarding when VPN is started
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE # Remove forwarding when VPN is shutdown
PrivateKey = # Put server private key here
ListenPort = 51820 # Port server should be listening on
[Peer]
PublicKey = B1Oyq4HertWCcK8YBWETfoHICnFN4+tCfyouxsdhWhs= # Client public key
AllowedIPs = 10.10.0.2/32, fd86:ea04:1111::2/128 # IPs client can connect as
# ---------- Client Config ----------
[Interface]
Address = 10.10.0.2/32 # IPV4 address client is allowed to connect as
Address = fd86:ea04:1111::2/128 # IPV6 address client is allowed to connect as
PrivateKey = # Client private key goes here
DNS = 1.1.1.1 # DNS client should use for resolution (Cloudflare here)
[Peer]
PublicKey = WI6KwPohbGqsJUZ/FpZup2zGTaBFdeHeJCq2dtT1KBU= # Server public key
Endpoint = YOUR_SERVER:51820 # Where the server is at + the listening port
AllowedIPs = 0.0.0.0/0, ::/0 # Forward all traffic to server
# ------------------------------------------------
# Commands
# ------------------------------------------------
sudo wg-quick up wg0 # Starting wireguard
sudo wg-quick down wg0 # Shutting down wireguard
sudo wg # to see status
# ------------------------------------------------
# Watch traffic
# ------------------------------------------------
# https://nbsoftsolutions.com/blog/viewing-wireguard-traffic-with-tcpdump
# View encrypted traffic from wireless card to VPN server
sudo tcpdump -n -X -i wlp1s0 host YOUR_SERVER
# View http traffic going to tunnel
sudo tcpdump -n -v -i wg0 port 80
# ------------------------------------------------
# Misc
# ------------------------------------------------
# Start wireguard on system boot
sudo systemctl enable wg-quick@wg0
# Ensure forwarding is allowed by adding below to /etc/sysctl.conf on server
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
# Or use this
echo "net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/wg.conf
sysctl --system
@mcao2

This comment has been minimized.

Copy link

@mcao2 mcao2 commented Aug 20, 2020

Nice work! Do you know how to route all IPv6 traffic through WireGuard and keep IPv4 traffic untouched? I tried to use "10.10.0.2/32,::/0" for the allowed IPs field, but then only IPv6 sites can be reached... Thanks.

Solved, thanks, it appears a macos version wireguard bug.

@jagger27

This comment has been minimized.

Copy link

@jagger27 jagger27 commented Sep 26, 2020

Nice work! Do you know how to route all IPv6 traffic through WireGuard and keep IPv4 traffic untouched? I tried to use "10.10.0.2/32,::/0" for the allowed IPs field, but then only IPv6 sites can be reached... Thanks.

Solved, thanks, it appears a macos version wireguard bug.

Were you able to work around that?

@mcao2

This comment has been minimized.

Copy link

@mcao2 mcao2 commented Sep 26, 2020

Nice work! Do you know how to route all IPv6 traffic through WireGuard and keep IPv4 traffic untouched? I tried to use "10.10.0.2/32,::/0" for the allowed IPs field, but then only IPv6 sites can be reached... Thanks.
Solved, thanks, it appears a macos version wireguard bug.

Were you able to work around that?

Yes I can achieve my goal by putting "::/1, 8000::/1" in the allowed ips field.

@gaby

This comment has been minimized.

Copy link

@gaby gaby commented Sep 9, 2021

I can't get the client to forward all the traffic to the server. It keeps using eth0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment