Last active
June 15, 2024 10:58
-
-
Save nealfennimore/92d571db63404e7ddfba660646ceaf0d to your computer and use it in GitHub Desktop.
Wireguard VPN - Forward all traffic to server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ------------------------------------------------ | |
| # Config files are located in /etc/wireguard/wg0 | |
| # ------------------------------------------------ | |
| # ---------- Server Config ---------- | |
| [Interface] | |
| Address = 10.10.0.1/24 # IPV4 CIDR | |
| Address = fd86:ea04:1111::1/64 # IPV6 CIDR | |
| PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Add forwarding when VPN is started | |
| PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE # Remove forwarding when VPN is shutdown | |
| PrivateKey = # Put server private key here | |
| ListenPort = 51820 # Port server should be listening on | |
| [Peer] | |
| PublicKey = B1Oyq4HertWCcK8YBWETfoHICnFN4+tCfyouxsdhWhs= # Client public key | |
| AllowedIPs = 10.10.0.2/32, fd86:ea04:1111::2/128 # IPs client can connect as | |
| # ---------- Client Config ---------- | |
| [Interface] | |
| Address = 10.10.0.2/32 # IPV4 address client is allowed to connect as | |
| Address = fd86:ea04:1111::2/128 # IPV6 address client is allowed to connect as | |
| PrivateKey = # Client private key goes here | |
| DNS = 1.1.1.1 # DNS client should use for resolution (Cloudflare here) | |
| [Peer] | |
| PublicKey = WI6KwPohbGqsJUZ/FpZup2zGTaBFdeHeJCq2dtT1KBU= # Server public key | |
| Endpoint = YOUR_SERVER:51820 # Where the server is at + the listening port | |
| AllowedIPs = 0.0.0.0/0, ::/0 # Forward all traffic to server | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ------------------------------------------------ | |
| # Commands | |
| # ------------------------------------------------ | |
| sudo wg-quick up wg0 # Starting wireguard | |
| sudo wg-quick down wg0 # Shutting down wireguard | |
| sudo wg # to see status | |
| # ------------------------------------------------ | |
| # Watch traffic | |
| # ------------------------------------------------ | |
| # https://nbsoftsolutions.com/blog/viewing-wireguard-traffic-with-tcpdump | |
| # View encrypted traffic from wireless card to VPN server | |
| sudo tcpdump -n -X -i wlp1s0 host YOUR_SERVER | |
| # View http traffic going to tunnel | |
| sudo tcpdump -n -v -i wg0 port 80 | |
| # ------------------------------------------------ | |
| # Misc | |
| # ------------------------------------------------ | |
| # Start wireguard on system boot | |
| sudo systemctl enable wg-quick@wg0 | |
| # Ensure forwarding is allowed by adding below to /etc/sysctl.conf on server | |
| net.ipv4.ip_forward=1 | |
| net.ipv6.conf.all.forwarding=1 | |
| # Or use this | |
| echo "net.ipv4.ip_forward = 1 | |
| net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/wg.conf | |
| sysctl --system |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
You can exclude it if you're not wanting to use IPv6. It might be a better solution to use a private IPv6 ULA here though if you do end up using iPv6