| # ------------------------------------------------ | |
| # Config files are located in /etc/wireguard/wg0 | |
| # ------------------------------------------------ | |
| # ---------- Server Config ---------- | |
| [Interface] | |
| Address = 10.10.0.1/24 # IPV4 CIDR | |
| Address = fd86:ea04:1111::1/64 # IPV6 CIDR | |
| PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Add forwarding when VPN is started | |
| PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE # Remove forwarding when VPN is shutdown | |
| PrivateKey = # Put server private key here | |
| ListenPort = 51820 # Port server should be listening on | |
| [Peer] | |
| PublicKey = B1Oyq4HertWCcK8YBWETfoHICnFN4+tCfyouxsdhWhs= # Client public key | |
| AllowedIPs = 10.10.0.2/32, fd86:ea04:1111::2/128 # IPs client can connect as | |
| # ---------- Client Config ---------- | |
| [Interface] | |
| Address = 10.10.0.2/32 # IPV4 address client is allowed to connect as | |
| Address = fd86:ea04:1111::2/128 # IPV6 address client is allowed to connect as | |
| PrivateKey = # Client private key goes here | |
| DNS = 1.1.1.1 # DNS client should use for resolution (Cloudflare here) | |
| [Peer] | |
| PublicKey = WI6KwPohbGqsJUZ/FpZup2zGTaBFdeHeJCq2dtT1KBU= # Server public key | |
| Endpoint = YOUR_SERVER:51820 # Where the server is at + the listening port | |
| AllowedIPs = 0.0.0.0/0, ::/0 # Forward all traffic to server | |
| # ------------------------------------------------ | |
| # Commands | |
| # ------------------------------------------------ | |
| sudo wg-quick up wg0 # Starting wireguard | |
| sudo wg-quick down wg0 # Shutting down wireguard | |
| sudo wg # to see status | |
| # ------------------------------------------------ | |
| # Watch traffic | |
| # ------------------------------------------------ | |
| # https://nbsoftsolutions.com/blog/viewing-wireguard-traffic-with-tcpdump | |
| # View encrypted traffic from wireless card to VPN server | |
| sudo tcpdump -n -X -i wlp1s0 host YOUR_SERVER | |
| # View http traffic going to tunnel | |
| sudo tcpdump -n -v -i wg0 port 80 | |
| # ------------------------------------------------ | |
| # Misc | |
| # ------------------------------------------------ | |
| # Start wireguard on system boot | |
| sudo systemctl enable wg-quick@wg0 | |
| # Ensure forwarding is allowed by adding below to /etc/sysctl.conf on server | |
| net.ipv4.ip_forward=1 | |
| net.ipv6.conf.all.forwarding=1 | |
| # Or use this | |
| echo "net.ipv4.ip_forward = 1 | |
| net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/wg.conf | |
| sysctl --system |
This comment has been minimized.
This comment has been minimized.
Were you able to work around that? |
This comment has been minimized.
This comment has been minimized.
Yes I can achieve my goal by putting "::/1, 8000::/1" in the allowed ips field. |
This comment has been minimized.
This comment has been minimized.
|
I can't get the client to forward all the traffic to the server. It keeps using eth0. |
This comment has been minimized.
Nice work! Do you know how to route all IPv6 traffic through WireGuard and keep IPv4 traffic untouched? I tried to use "10.10.0.2/32,::/0" for the allowed IPs field, but then only IPv6 sites can be reached... Thanks.Solved, thanks, it appears a macos version wireguard bug.