From 0ba38f645e2388fdc3c304b6af06feb2af65541a Mon Sep 17 00:00:00 2001
From: lapatatedouce
Date: Sat, 1 Mar 2025 04:36:01 +0100
Subject: [PATCH] Enhance change-ip clarity

---
 networking/vpn-wg-site-to-vps.txt | 32 +++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/networking/vpn-wg-site-to-vps.txt b/networking/vpn-wg-site-to-vps.txt
index 397ced5..3d310c1 100644
--- a/networking/vpn-wg-site-to-vps.txt
+++ b/networking/vpn-wg-site-to-vps.txt
@@ -33,33 +33,33 @@ PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
 PostUp = iptables -A FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 PostUp = iptables -I FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP
 
-# NAT rules for client ip1
-PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip1
-PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip1 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80
-PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip1 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443
+# NAT rules for client ip-1
+PostUp = iptables -t nat -A POSTROUTING -s change-ip-wglocal-1/32 -o ens3 -j SNAT --to-source change-ip-public-1
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-1:80
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-1:443
 
-# NAT rules for client ip2
-PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.4/32 -o ens3 -j SNAT --to-source change-ip2
-PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip2 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.4:80
-PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip2 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.4:443
+# NAT rules for client ip-2
+PostUp = iptables -t nat -A POSTROUTING -s change-ip-wglocal-2/32 -o ens3 -j SNAT --to-source change-ip-public-2
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-2:80
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-2:443
 
 # iptables rules to remove when deleting the WireGuard interface
 PostDown = iptables -D INPUT -p udp --dport 51737 -j ACCEPT || true
 PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT || true
 PostDown = iptables -D FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
 PostDown = iptables -D FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP || true
-PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip1 || true
-PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.4/32 -o ens3 -j SNAT --to-source change-ip2 || true
-PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip1 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 || true
-PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip1 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 || true
+PostDown = iptables -t nat -D POSTROUTING -s change-ip-wglocal-1/32 -o ens3 -j SNAT --to-source change-ip-public-1 || true
+PostDown = iptables -t nat -D POSTROUTING -s change-ip-wglocal-2/32 -o ens3 -j SNAT --to-source change-ip-public-2 || true
+PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-1:80 || true
+PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-1:443 || true
 
-### Client ip1
+### Client ip-1
 [Peer]
 PublicKey = X
 PresharedKey = X
-AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
+AllowedIPs = change-ip-wglocal-1/32,fd42:42:42::2/128
 
-### Client ip2
+### Client ip-2
 [Peer]
 PublicKey = X
 PresharedKey = X
@@ -73,4 +73,4 @@ AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128
 # Follow the steps described in the OPNsense documentation:
 # https://docs.opnsense.org
 # Configure port forwarding from the OPNsense router to the local IP of the WireGuard client
-# For example, forward the port from 192.168.1.x to 10.66.66.2
\ No newline at end of file
+# For example, forward the port from 192.168.1.x to change-ip-wglocal-1
\ No newline at end of file
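Review bot: The four new `+PostDown` lines still delete the PREROUTING DNAT rules only for change-ip-public-1; the two DNAT rules the PostUp block adds for change-ip-public-2 (ports 80 and 443 to change-ip-wglocal-2) have no matching PostDown, so they survive `wg-quick down` and keep steering traffic for that public address into the tunnel address until the nat table is flushed — add `PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-2:80 || true` and the same line for `--dport 443`. The rename also leaves client ip-2's AllowedIPs as a literal: the second hunk's header context shows it as `10.66.66.3/32` while the client-2 NAT rules now key on change-ip-wglocal-2 (previously 10.66.66.4), so the peer's permitted source address and the address being SNAT'd/DNAT'd appear never to have agreed; it should become `AllowedIPs = change-ip-wglocal-2/32,fd42:42:42::3/128` so one placeholder drives both. Less certain: connections arriving through the DNAT rules enter FORWARD from ens3 to wg0 in state NEW, which the only ens3-to-wg0 rule (ESTABLISHED,RELATED) does not match, so the port forwards can only work if the FORWARD chain's default policy is ACCEPT — and then every ens3-to-wg0 packet is accepted, not just 80/443; an explicit per-client `PostUp = iptables -A FORWARD -i ens3 -o wg0 -d change-ip-wglocal-1 -p tcp -m multiport --dports 80,443 -j ACCEPT` alongside a DROP policy would make the exposed surface explicit. The enclosing `[Interface]` section begins before this hunk.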