Wireguard VPN - Forward all traffic to server
# ------------------------------------------------ | |
# Config files are located in /etc/wireguard/wg0 | |
# ------------------------------------------------ | |
# ---------- Server Config ---------- | |
[Interface] | |
Address = 10.10.0.1/24 # IPV4 CIDR | |
Address = fd86:ea04:1111::1/64 # IPV6 CIDR | |
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Add forwarding when VPN is started | |
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE # Remove forwarding when VPN is shutdown | |
PrivateKey = # Put server private key here | |
ListenPort = 51820 # Port server should be listening on | |
[Peer] | |
PublicKey = B1Oyq4HertWCcK8YBWETfoHICnFN4+tCfyouxsdhWhs= # Client public key | |
AllowedIPs = 10.10.0.2/32, fd86:ea04:1111::2/128 # IPs client can connect as | |
# ---------- Client Config ---------- | |
[Interface] | |
Address = 10.10.0.2/32 # IPV4 address client is allowed to connect as | |
Address = fd86:ea04:1111::2/128 # IPV6 address client is allowed to connect as | |
PrivateKey = # Client private key goes here | |
DNS = 1.1.1.1 # DNS client should use for resolution (Cloudflare here) | |
[Peer] | |
PublicKey = WI6KwPohbGqsJUZ/FpZup2zGTaBFdeHeJCq2dtT1KBU= # Server public key | |
Endpoint = YOUR_SERVER:51820 # Where the server is at + the listening port | |
AllowedIPs = 0.0.0.0/0, ::/0 # Forward all traffic to server | |
# ------------------------------------------------ | |
# Commands | |
# ------------------------------------------------ | |
sudo wg-quick up wg0 # Starting wireguard | |
sudo wg-quick down wg0 # Shutting down wireguard | |
sudo wg # to see status | |
# ------------------------------------------------ | |
# Watch traffic | |
# ------------------------------------------------ | |
# https://nbsoftsolutions.com/blog/viewing-wireguard-traffic-with-tcpdump | |
# View encrypted traffic from wireless card to VPN server | |
sudo tcpdump -n -X -i wlp1s0 host YOUR_SERVER | |
# View http traffic going to tunnel | |
sudo tcpdump -n -v -i wg0 port 80 | |
# ------------------------------------------------ | |
# Misc | |
# ------------------------------------------------ | |
# Start wireguard on system boot | |
sudo systemctl enable wg-quick@wg0 | |
# Ensure forwarding is allowed by adding below to /etc/sysctl.conf on server | |
net.ipv4.ip_forward=1 | |
net.ipv6.conf.all.forwarding=1 | |
# Or use this | |
echo "net.ipv4.ip_forward = 1 | |
net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/wg.conf | |
sysctl --system |
This comment has been minimized.
This comment has been minimized.
Were you able to work around that? |
This comment has been minimized.
This comment has been minimized.
Yes I can achieve my goal by putting "::/1, 8000::/1" in the allowed ips field. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
Nice work! Do you know how to route all IPv6 traffic through WireGuard and keep IPv4 traffic untouched? I tried to use "10.10.0.2/32,::/0" for the allowed IPs field, but then only IPv6 sites can be reached... Thanks.Solved, thanks, it appears a macos version wireguard bug.