Last active
January 17, 2024 22:28
-
-
Save pojntfx/7410e6e4a26eabe02da2c3a3cfb2fdef to your computer and use it in GitHub Desktop.
Setup a WireGuard (Mullvad) VPN Gateway for a LAN/WLAN
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IPv6 is currently broken - use a double VPN if you need it. In the future, using NAT6 will fix this. | |
| # You can also use this to bridge e.g. a WLAN network into a LAN network - simply skip the WireGuard/Mullvad setup and | |
| # use your WLAN adapter (e.g. wlp3s0) as instead of de-fra-wg-001. | |
| # Setup Mullvad first according to https://mullvad.net/en/help/easy-wireguard-mullvad-setup-linux/ | |
| sudo systemctl enable --now wg-quick@de-fra-wg-001 | |
| # On Debian only | |
| sudo tee /etc/NetworkManager/conf.d/99-unmanaged-devices.conf<<'EOT' | |
| [keyfile] | |
| unmanaged-devices=interface-name:enp0s25 | |
| EOT | |
| sudo systemctl reload NetworkManager | |
| # On Debian; use `nmtui` on Fedora instead | |
| sudo tee /etc/network/interfaces<<'EOT' | |
| source /etc/network/interfaces.d/* | |
| auto lo | |
| iface lo inet loopback | |
| auto enp0s25 | |
| iface enp0s25 inet static | |
| address 192.168.0.103 | |
| netmask 255.255.255.0 | |
| iface enp0s25 inet6 static | |
| address fd6b:fd6b:9e11::1 | |
| autoconf 1 | |
| accept_ra 2 | |
| EOT | |
| sudo systemctl restart networking | |
| # If you're using `systemd-resolved`, run https://www.linuxuprising.com/2020/07/ubuntu-how-to-free-up-port-53-used-by.html first | |
| sudo tee /etc/dnsmasq.conf<<'EOT' | |
| interface=enp0s25 | |
| dhcp-authoritative | |
| dhcp-option=option:dns-server,1.1.1.1,1.0.0.1 | |
| log-queries | |
| log-dhcp | |
| dhcp-range=192.168.0.101,192.168.0.150,255.255.255.0,6h | |
| EOT | |
| sudo systemctl enable --now dnsmasq | |
| sudo tee -a /etc/sysctl.conf<<'EOT' | |
| net.ipv4.ip_forward=1 | |
| net.ipv6.conf.all.forwarding=1 | |
| EOT | |
| sudo sysctl --system | |
| sudo iptables -t nat -A POSTROUTING -o de-fra-wg-001 -j MASQUERADE | |
| sudo iptables -A FORWARD -i enp0s25 -o de-fra-wg-001 -j ACCEPT | |
| sudo iptables -A FORWARD -i de-fra-wg-001 -o enp0s25 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| sudo iptables -A INPUT -i lo -j ACCEPT | |
| sudo iptables -A INPUT -i enp0s25 -p icmp -j ACCEPT | |
| sudo iptables -A INPUT -i enp0s25 -p tcp --dport 22 -j ACCEPT | |
| sudo iptables -A INPUT -i enp0s25 -p udp --dport 67 -j ACCEPT | |
| sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| sudo iptables -P FORWARD DROP | |
| sudo iptables -P INPUT DROP | |
| sudo iptables -L | |
| # On Fedora | |
| sudo iptables-save | sudo tee /etc/sysconfig/iptables | |
| sudo systemctl disable --now firewalld.service | |
| sudo dnf install -y iptables-services | |
| sudo systemctl enable --now iptables | |
| # On Debian | |
| sudo iptables-save | sudo tee /etc/iptables/rules | |
| sudo apt install -y iptables-persistent |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment