From 2d3b3f2c2e0e34ab9f7621e20e297f878bb90871 Mon Sep 17 00:00:00 2001
From: lapatatedouce
Date: Sat, 1 Mar 2025 04:19:02 +0100
Subject: [PATCH] new file: networking/vpn-wg-site-to-vps.txt

---
 networking/vpn-wg-site-to-vps.txt | 72 +++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 networking/vpn-wg-site-to-vps.txt

diff --git a/networking/vpn-wg-site-to-vps.txt b/networking/vpn-wg-site-to-vps.txt
new file mode 100644
index 0000000..aa2f7cd
--- /dev/null
+++ b/networking/vpn-wg-site-to-vps.txt
@@ -0,0 +1,72 @@
+# Prerequisites:
+# - Have a VPS server at OVH or ionos with Debian
+# - Install https://github.com/angristan/wireguard-install and generate a client
+# - Know the network interface with the 'ip a' command and replace ens3 with the appropriate interface
+# - Know the public address or IP addresses of the clients
+
+# Backup of the current configuration before modifying it
+# Perform this backup before any modification
+# cp /etc/wireguard/wg0.conf /etc/wireguard/wg0.conf.bak
+
+# Stopping the WireGuard service before modifying the configuration
+# Make sure to stop the service before modifying the configuration
+# sudo systemctl stop wg-quick@wg0
+
+# Modification of the WireGuard configuration
+# Open the configuration file to modify it
+# nano /etc/wireguard/wg0.conf
+# Delete the columns what is between [Interface] and ### Client
+
+# Configuration of the WireGuard interface on the server side
+[Interface]
+Address = 10.66.66.1/24, fd42:42:42::1/64
+ListenPort = 51737
+PrivateKey = X
+
+# iptables rules to apply after setting up the WireGuard interface
+PostUp = iptables -I INPUT -p udp --dport 51737 -j ACCEPT
+PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
+PostUp = iptables -A FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+PostUp = iptables -I FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP
+
+# NAT rules for client ip1
+PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip1
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip1 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip1 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443
+
+# NAT rules for client ip2
+PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.4/32 -o ens3 -j SNAT --to-source change-ip2
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip2 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.4:80
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip2 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.4:443
+
+# iptables rules to remove when deleting the WireGuard interface
+PostDown = iptables -D INPUT -p udp --dport 51737 -j ACCEPT || true
+PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT || true
+PostDown = iptables -D FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
+PostDown = iptables -D FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP || true
+PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip1 || true
+PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.4/32 -o ens3 -j SNAT --to-source change-ip2 || true
+PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip1 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 || true
+PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip1 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 || true
+
+### Client ip1
+[Peer]
+PublicKey = X
+PresharedKey = X
+AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
+
+### Client ip2
+[Peer]
+PublicKey = X
+PresharedKey = X
+AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128
+
+# Restart the WireGuard service after modifying the configuration
+# sudo systemctl start wg-quick@wg0
+# sudo systemctl status wg-quick@wg0
+
+# OPNsense configuration:
+# Follow the steps described in the OPNsense documentation:
+# https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html
+# Configure port forwarding from the OPNsense router to the local IP of the WireGuard client
+# For example, forward the port from 192.168.1.x to 10.66.66.2
\ No newline at end of file
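Review bot: The peer block for client ip2 grants `AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128`, but every ip2 NAT rule (the POSTROUTING SNAT and both PREROUTING DNATs) is written for 10.66.66.4, so as committed the DNAT'd packets have no peer WireGuard can route them to and the SNAT rule never matches; one side must change, e.g. `AllowedIPs = 10.66.66.4/32,fd42:42:42::4/128`. The PostDown list also removes only ip1's PREROUTING rules, so the two ip2 DNAT rules survive `wg-quick down` and are appended again on every `up`; add `PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip2 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.4:80 || true` and the matching `--dport 443` line. Separately, the only ens3→wg0 FORWARD rule accepts ESTABLISHED,RELATED, so new DNAT'd connections to ports 80/443 are forwarded only if the chain's default policy happens to be ACCEPT (in which case that conntrack rule restricts nothing); an explicit per-client rule such as `-A FORWARD -i ens3 -o wg0 -d 10.66.66.2 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT` would state the intended exposure and allow the FORWARD policy to be set to DROP.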