Wireguard VPN - Forward all traffic to server
# ------------------------------------------------
# Config files are located in /etc/wireguard/wg0
# ------------------------------------------------
# ---------- Server Config ----------
[Interface]
Address = 10.10.0.1/24 # IPv4 CIDR
Address = fd86:ea04:1111::1/64 # IPv6 CIDR
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Add forwarding and NAT when the VPN is started (eth0 is the server's internet-facing interface)
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE # Remove forwarding and NAT when the VPN is shut down
PrivateKey = # Put server private key here
ListenPort = 51820 # UDP port the server listens on
[Peer]
PublicKey = B1Oyq4HertWCcK8YBWETfoHICnFN4+tCfyouxsdhWhs= # Client public key
AllowedIPs = 10.10.0.2/32, fd86:ea04:1111::2/128 # IPs this client may use inside the tunnel (keep these host routes; a wider prefix lets the client claim other addresses)
# ---------- Client Config ----------
[Interface]
Address = 10.10.0.2/32 # IPv4 address the client is allowed to connect as
Address = fd86:ea04:1111::2/128 # IPv6 address the client is allowed to connect as
PrivateKey = # Client private key goes here
DNS = 1.1.1.1 # DNS client should use for resolution (Cloudflare here)
[Peer]
PublicKey = WI6KwPohbGqsJUZ/FpZup2zGTaBFdeHeJCq2dtT1KBU= # Server public key
Endpoint = YOUR_SERVER:51820 # Server address (or hostname) and its listening port
AllowedIPs = 0.0.0.0/0, ::/0 # Forward all traffic to server
# ------------------------------------------------
# Commands
# ------------------------------------------------
sudo wg-quick up wg0 # Starting wireguard
sudo wg-quick down wg0 # Shutting down wireguard
sudo wg # to see status
# ------------------------------------------------
# Watch traffic
# ------------------------------------------------
# https://nbsoftsolutions.com/blog/viewing-wireguard-traffic-with-tcpdump
# View encrypted traffic from wireless card to VPN server
sudo tcpdump -n -X -i wlp1s0 host YOUR_SERVER
# View plaintext HTTP traffic going into the tunnel (decrypted side, inside wg0)
sudo tcpdump -n -v -i wg0 port 80
# ------------------------------------------------
# Misc
# ------------------------------------------------
# Start wireguard on system boot
sudo systemctl enable wg-quick@wg0
# Ensure forwarding is allowed by adding the lines below to /etc/sysctl.conf on the server
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
# Or write a drop-in file instead (tee is needed so the redirect runs as root) and reload
printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' | sudo tee /etc/sysctl.d/wg.conf
sudo sysctl --system
@mcao2 commented Aug 20, 2020

Nice work! Do you know how to route all IPv6 traffic through WireGuard and keep IPv4 traffic untouched? I tried to use "10.10.0.2/32,::/0" for the AllowedIPs field, but then only IPv6 sites can be reached... Thanks.

Solved, thanks, it appears to be a macOS WireGuard version bug.

@jagger27 commented Sep 26, 2020

> Nice work! Do you know how to route all IPv6 traffic through WireGuard and keep IPv4 traffic untouched? I tried to use "10.10.0.2/32,::/0" for the AllowedIPs field, but then only IPv6 sites can be reached... Thanks.
>
> Solved, thanks, it appears to be a macOS WireGuard version bug.

Were you able to work around that?

@mcao2 commented Sep 26, 2020

> > Nice work! Do you know how to route all IPv6 traffic through WireGuard and keep IPv4 traffic untouched? I tried to use "10.10.0.2/32,::/0" for the AllowedIPs field, but then only IPv6 sites can be reached... Thanks.
> >
> > Solved, thanks, it appears to be a macOS WireGuard version bug.
>
> Were you able to work around that?

Yes, I can achieve my goal by putting "::/1, 8000::/1" in the AllowedIPs field.
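An added example (not from the gist or either commenter) that checks the two AllowedIPs questions this page raises: on the client, whether a value such as the gist's `0.0.0.0/0, ::/0` or the thread's `::/1, 8000::/1` really routes a whole address family into the tunnel, and on the server, whether each `[Peer]` entry is scoped to host routes so one client cannot claim another's addresses. Standard library only; the `phone` peer entry is a constructed bad example.

```python
import ipaddress

def parse_allowed_ips(value: str) -> list:
    """Parse an AllowedIPs value; a trailing '# comment' is dropped, as wg-quick does."""
    value = value.split("#", 1)[0]
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]

def covers_all(nets, version: int) -> bool:
    """True if the prefixes of one IP version merge to the whole address space.
    collapse_addresses joins sibling prefixes, so '::/1, 8000::/1' becomes '::/0'."""
    fam = [n for n in nets if n.version == version]
    whole = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    return list(ipaddress.collapse_addresses(fam)) == [whole]

def tunnel_routing(allowed_ips: str) -> dict:
    """Which address families a client config sends entirely through the tunnel."""
    nets = parse_allowed_ips(allowed_ips)
    return {"ipv4": covers_all(nets, 4), "ipv6": covers_all(nets, 6)}

def check_server_peers(peers: dict) -> list:
    """Review server-side [Peer] AllowedIPs (WireGuard's cryptokey routing).
    Each entry should be a host route (/32 or /128) and no two peers should
    overlap; otherwise a client can receive, and send as, addresses that are
    not its own. Returns human-readable findings (empty list = clean)."""
    findings = []
    parsed = {name: parse_allowed_ips(v) for name, v in peers.items()}
    for name, nets in parsed.items():
        for n in nets:
            if n.prefixlen != n.max_prefixlen:
                findings.append(f"{name}: {n} is not a host route")
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in parsed[a]:
                for nb in parsed[b]:
                    if na.version == nb.version and na.overlaps(nb):
                        findings.append(f"{a} and {b} overlap on {na} / {nb}")
    return findings

if __name__ == "__main__":
    print(tunnel_routing("0.0.0.0/0, ::/0 # Forward all traffic to server"))  # gist client value
    print(tunnel_routing("10.10.0.2/32, ::/1, 8000::/1"))  # the thread's IPv6-only workaround
    # Constructed: a second peer with a /24 instead of a host route
    print(check_server_peers({"laptop": "10.10.0.2/32, fd86:ea04:1111::2/128",
                              "phone": "10.10.0.0/24"}))
```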
