diff --git a/networking/vpn-wg-site-to-vps.conf b/networking/vpn-wg-site-to-vps.conf
index b811fc6..709aa84 100644
--- a/networking/vpn-wg-site-to-vps.conf
+++ b/networking/vpn-wg-site-to-vps.conf
@@ -1,6 +1,6 @@
 # Description:
 # This configuration allows you to connect an OPNsense or pfSense router at home and connect it to a VPS IP.
-# It uses multiple public IPs to redirect traffic to different machines behind the VPS for security reasons rather than opening ports on your home router.
+# It use public IP to redirect traffic to different machines behind the VPS for security reasons rather than opening ports on your home router.
 # Prerequisites:
 # - Have a VPS server at OVH or ionos with Debian
@@ -12,10 +12,6 @@
 # Perform this backup before any modification
 # cp /etc/wireguard/wg0.conf /etc/wireguard/wg0.conf.bak
-# Stopping the WireGuard service before modifying the configuration
-# Make sure to stop the service before modifying the configuration
-# sudo systemctl stop wg-quick@wg0
-
 # Modification of the WireGuard configuration
 # Open the configuration file to modify it
 # nano /etc/wireguard/wg0.conf
@@ -25,7 +21,7 @@
 [Interface]
 Address = 10.66.66.1/24, fd42:42:42::1/64
 ListenPort = 51737
-PrivateKey = X
+PrivateKey = x
 # iptables rules to apply after setting up the WireGuard interface
 PostUp = iptables -I INPUT -p udp --dport 51737 -j ACCEPT
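Review bot: The rewritten description line `# It use public IP to redirect traffic to different machines behind the VPS ...` is ungrammatical, and "different machines" no longer matches a configuration that, further down in this diff, carries a single peer and a single `change-ip-public` address. Suggest `# It uses one public IP on the VPS to forward ports 80/443 over WireGuard to the OPNsense peer, so no ports have to be opened on your home router.` Since the file holds `PrivateKey` and `PresharedKey` in clear text, the prerequisites block would also benefit from one line noting that `/etc/wireguard/wg0.conf` and the `.bak` copy should stay root-only (`chmod 600`).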
@@ -33,40 +29,26 @@
 PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
 PostUp = iptables -A FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 PostUp = iptables -I FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP
-# NAT rules for client ip-1
-PostUp = iptables -t nat -A POSTROUTING -s change-ip-wglocal-1/32 -o ens3 -j SNAT --to-source change-ip-public-1
-PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-1:80
-PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-1:443
-
-# NAT rules for client ip-2
-PostUp = iptables -t nat -A POSTROUTING -s change-ip-wglocal-2/32 -o ens3 -j SNAT --to-source change-ip-public-2
-PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-2:80
-PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-2:443
+PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip-public # NAT for outgoing traffic from the opnsense client
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 # Redirect port 80 to the opnsense client
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 # Redirect port 443 to the opnsense client
 # iptables rules to remove when deleting the WireGuard interface
 PostDown = iptables -D INPUT -p udp --dport 51737 -j ACCEPT || true
 PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT || true
 PostDown = iptables -D FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
-PostDown = iptables -D FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP || true
-PostDown = iptables -t nat -D POSTROUTING -s change-ip-wglocal-1/32 -o ens3 -j SNAT --to-source change-ip-public-1 || true
-PostDown = iptables -t nat -D POSTROUTING -s change-ip-wglocal-2/32 -o ens3 -j SNAT --to-source change-ip-public-2 || true
-PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-1:80 || true
-PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-1:443 || true
+PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip-public || true
+PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 || true
+PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public -p tcp --dport 25 -j DNAT --to-destination 10.66.66.2:443 || true
-### Client ip-1
+### Client opnsense
 [Peer]
-PublicKey = X
-PresharedKey = X
-AllowedIPs = change-ip-wglocal-1/32,fd42:42:42::2/128
-
-### Client ip-2
-[Peer]
-PublicKey = X
-PresharedKey = X
-AllowedIPs = change-ip-wglocal-2/32,fd42:42:42::3/128
+PublicKey = x
+PresharedKey = x
+AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
 # Restart the WireGuard service after modifying the configuration
-# sudo systemctl start wg-quick@wg0
+# sudo systemctl restart wg-quick@wg0
 # sudo systemctl status wg-quick@wg0
 # OPNsense configuration:
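Review bot: The third new PostDown line matches `--dport 25` while the PostUp rule it is meant to undo uses `--dport 443`, so the delete never matches, `|| true` hides the failure, the port-443 DNAT rule is left in the nat PREROUTING chain after the tunnel goes down, and a fresh copy is appended on every `systemctl restart wg-quick@wg0` the updated instructions now recommend; change it to `PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 || true`. The PostDown for the intra-subnet DROP rule was removed although its PostUp (`-I FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP`) stays, so that rule accumulates the same way; re-add `PostDown = iptables -D FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP || true`. The FORWARD rules only accept ens3-to-wg0 traffic in state ESTABLISHED,RELATED, so the DNAT'd new connections to 10.66.66.2:80/443 reach the peer only if the FORWARD chain's policy is ACCEPT (in which case the conntrack rule restricts nothing); if the host runs a DROP policy, an explicit `PostUp = iptables -A FORWARD -i ens3 -o wg0 -d 10.66.66.2 -p tcp -m multiport --dports 80,443 -j ACCEPT` with a matching PostDown is needed. The trailing `# ...` comments on the new PostUp lines are fine for wg-quick, which strips everything after `#` before running the hook, but will become part of the command if this file is ever fed to a parser that does not.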