Multiple IPs abandoned due to problems.

2025-03-02 04:31:04 +01:00
parent 8e6d9de9e5
commit 3cdb8e01fa
1 changed files with 13 additions and 31 deletions
--- a/networking/vpn-wg-site-to-vps.conf
+++ b/networking/vpn-wg-site-to-vps.conf
@@ -1,6 +1,6 @@
 # Description:
 # This configuration allows you to connect an OPNsense or pfSense router at home and connect it to a VPS IP.
-# It uses multiple public IPs to redirect traffic to different machines behind the VPS for security reasons rather than opening ports on your home router.
+# It use public IP to redirect traffic to different machines behind the VPS for security reasons rather than opening ports on your home router.
 # Prerequisites:
 # - Have a VPS server at OVH or ionos with Debian
@@ -12,10 +12,6 @@
 # Perform this backup before any modification
 # cp /etc/wireguard/wg0.conf /etc/wireguard/wg0.conf.bak
 # Stopping the WireGuard service before modifying the configuration
 # Make sure to stop the service before modifying the configuration
 # sudo systemctl stop wg-quick@wg0
 # Modification of the WireGuard configuration
 # Open the configuration file to modify it
 # nano /etc/wireguard/wg0.conf
@@ -25,7 +21,7 @@
 [Interface]
 Address = 10.66.66.1/24, fd42:42:42::1/64
 ListenPort = 51737
-PrivateKey = X
+PrivateKey = x
 # iptables rules to apply after setting up the WireGuard interface
 PostUp = iptables -I INPUT -p udp --dport 51737 -j ACCEPT
@@ -33,40 +29,26 @@ PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
 PostUp = iptables -A FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 PostUp = iptables -I FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP
-# NAT rules for client ip-1
+PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip-public  # NAT for outgoing traffic from the opnsense client
-PostUp = iptables -t nat -A POSTROUTING -s change-ip-wglocal-1/32 -o ens3 -j SNAT --to-source change-ip-public-1
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80  # Redirect port 80 to the opnsense client
-PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-1:80
+PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443  # Redirect port 443 to the opnsense client
 PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-1:443
 # NAT rules for client ip-2
 PostUp = iptables -t nat -A POSTROUTING -s change-ip-wglocal-2/32 -o ens3 -j SNAT --to-source change-ip-public-2
 PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-2:80
 PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-2:443
 # iptables rules to remove when deleting the WireGuard interface
 PostDown = iptables -D INPUT -p udp --dport 51737 -j ACCEPT || true
 PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT || true
 PostDown = iptables -D FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
-PostDown = iptables -D FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP || true
+PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip-public || true
-PostDown = iptables -t nat -D POSTROUTING -s change-ip-wglocal-1/32 -o ens3 -j SNAT --to-source change-ip-public-1 || true
+PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 || true
-PostDown = iptables -t nat -D POSTROUTING -s change-ip-wglocal-2/32 -o ens3 -j SNAT --to-source change-ip-public-2 || true
+PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public -p tcp --dport 25 -j DNAT --to-destination 10.66.66.2:443 || true
 PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-1:80 || true
 PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-1:443 || true
-### Client ip-1
+### Client opnsense
 [Peer]
-PublicKey = X
+PublicKey = x
-PresharedKey = X
+PresharedKey = x
-AllowedIPs = change-ip-wglocal-1/32,fd42:42:42::2/128
+AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
 ### Client ip-2
 [Peer]
 PublicKey = X
 PresharedKey = X
 AllowedIPs = change-ip-wglocal-2/32,fd42:42:42::3/128
 # Restart the WireGuard service after modifying the configuration
-# sudo systemctl start wg-quick@wg0
+# sudo systemctl restart wg-quick@wg0
 # sudo systemctl status wg-quick@wg0
 # OPNsense configuration: