From 34f4f01fe549d0893103ff0c1f75530730a98d24 Mon Sep 17 00:00:00 2001
From: lapatatedouce
Date: Sun, 2 Mar 2025 04:49:01 +0100
Subject: [PATCH] Various corrections.
---
 networking/vpn-wg-site-to-vps.conf | 39 +++++++++++++++---------------
 1 file changed, 20 insertions(+), 19 deletions(-)
diff --git a/networking/vpn-wg-site-to-vps.conf b/networking/vpn-wg-site-to-vps.conf
index 709aa84..52d15f2 100644
--- a/networking/vpn-wg-site-to-vps.conf
+++ b/networking/vpn-wg-site-to-vps.conf
@@ -1,11 +1,11 @@
 # Description:
-# This configuration allows you to connect an OPNsense or pfSense router at home and connect it to a VPS IP.
-# It use public IP to redirect traffic to different machines behind the VPS for security reasons rather than opening ports on your home router.
+# This configuration allows you to connect an OPNsense or pfSense router at hoport and connect it to a VPS IP.
+# It use public IP to redirect traffic to different machines behind the VPS for security reasons rather than opening ports on your hoport router.
 # Prerequisites:
 # - Have a VPS server at OVH or ionos with Debian
 # - Install https://github.com/angristan/wireguard-install and generate a client
-# - Know the network interface with the 'ip a' command and replace ens3 with the appropriate interface
+# - Know the network interface with the 'ip a' command and replace ens6 with the appropriate interface
 # - Know the public address or IP addresses of the clients
 # Backup of the current configuration before modifying it
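Review bot: The two added description lines turn "home" into "hoport" ("router at hoport", "your hoport router"), which looks like a global search-and-replace of "me" with "port" rather than an intended correction; the same artefact appears in the last hunk as "docuportntation". Restore the original wording: `# This configuration allows you to connect an OPNsense or pfSense router at home and connect it to a VPS IP.`, `# ... rather than opening ports on your home router.` and, in the last hunk, `# Follow the steps described in the OPNsense documentation:`. The ens3 → ens6 substitution in the prerequisites line is consistent with the interface used by the rules in the next hunk and is fine as is.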
@@ -15,31 +15,32 @@
 # Modification of the WireGuard configuration
 # Open the configuration file to modify it
 # nano /etc/wireguard/wg0.conf
-# Delete the columns what is between [Interface] and ### Client
+# Delete the columns what is between 'PrivateKey = x'and '### Client opnsense'
+# Replace 'add-port' with 'add-ip-public' information
 # Configuration of the WireGuard interface on the server side
 [Interface]
 Address = 10.66.66.1/24, fd42:42:42::1/64
-ListenPort = 51737
+ListenPort = 666
 PrivateKey = x
 # iptables rules to apply after setting up the WireGuard interface
-PostUp = iptables -I INPUT -p udp --dport 51737 -j ACCEPT
-PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
-PostUp = iptables -A FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+PostUp = iptables -I INPUT -p udp --dport add-port -j ACCEPT
+PostUp = iptables -A FORWARD -i wg0 -o ens6 -j ACCEPT
+PostUp = iptables -A FORWARD -i ens6 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 PostUp = iptables -I FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP
-PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip-public # NAT for outgoing traffic from the opnsense client
-PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 # Redirect port 80 to the opnsense client
-PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 # Redirect port 443 to the opnsense client
+PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.2/32 -o ens6 -j SNAT --to-source add-ip-public # NAT for outgoing traffic from the opnsense client
+PostUp = iptables -t nat -A PREROUTING -i ens6 -d add-ip-public -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 # Redirect port 80 to the opnsense client
+PostUp = iptables -t nat -A PREROUTING -i ens6 -d add-ip-public -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 # Redirect port 443 to the opnsense client
 # iptables rules to remove when deleting the WireGuard interface
-PostDown = iptables -D INPUT -p udp --dport 51737 -j ACCEPT || true
-PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT || true
-PostDown = iptables -D FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
-PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip-public || true
-PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 || true
-PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public -p tcp --dport 25 -j DNAT --to-destination 10.66.66.2:443 || true
+PostDown = iptables -D INPUT -p udp --dport add-port -j ACCEPT || true
+PostDown = iptables -D FORWARD -i wg0 -o ens6 -j ACCEPT || true
+PostDown = iptables -D FORWARD -i ens6 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
+PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.2/32 -o ens6 -j SNAT --to-source add-ip-public || true
+PostDown = iptables -t nat -D PREROUTING -i ens6 -d add-ip-public -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 || true
+PostDown = iptables -t nat -D PREROUTING -i ens6 -d add-ip-public -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 || true
 ### Client opnsense
 [Peer]
@@ -52,7 +53,7 @@ AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
 # sudo systemctl status wg-quick@wg0
 # OPNsense configuration:
-# Follow the steps described in the OPNsense documentation:
+# Follow the steps described in the OPNsense docuportntation:
 # https://docs.opnsense.org
 # Configure port forwarding from the OPNsense router to the local IP of the WireGuard client
-# For example, forward the port from 192.168.1.x to change-ip-wglocal-1
\ No newline at end of file
+# For example, forward the port from 192.168.1.x to add-ip-wglocal-1
\ No newline at end of file
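Review bot: `ListenPort = 666` and the INPUT rule `--dport add-port` no longer agree: the previous version used 51737 in both places, while the new side pairs a concrete listen port with a placeholder, so the UDP port WireGuard listens on is not the one opened in INPUT unless the reader substitutes it by hand, and if `add-port` is left in, iptables should reject it as an invalid port/service and wg-quick aborts the interface bring-up on the failing PostUp. Either put the same literal port in ListenPort and the INPUT/PostDown rules, or keep a placeholder in all three and fix the added instruction, which currently says the wrong thing: `# Replace 'add-port' with the ListenPort value and 'add-ip-public' with the VPS public IPv4 address`. Separately, the DNAT rules for 80 and 443 only deliver traffic if FORWARD accepts NEW connections from ens6 towards wg0; the only ens6→wg0 rule here is limited to ESTABLISHED,RELATED, so the forwarded services silently depend on the chain's default policy being ACCEPT (in which case the rule set restricts nothing), and an explicit `PostUp = iptables -A FORWARD -i ens6 -o wg0 -p tcp -d 10.66.66.2 -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT` with a matching PostDown would make the intended exposure explicit and policy-independent. The trailing `# ...` comments on the PostUp lines are stripped by wg-quick before the command runs, but they are a known portability hazard in INI-style files and would be safer as full-line comments above each rule.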