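# wg0.conf - WireGuard server configuration read by wg-quick (systemd unit wg-quick@wg0).
#
# Prerequisites:
# - A VPS at OVH or ionos running Debian.
# - https://github.com/angristan/wireguard-install installed, with one client generated per forwarded public IP.
# - The public network interface name from the 'ip a' command; replace ens3 below with that interface.
# - The public IP addresses to dedicate to the clients (change-ip1, change-ip2). Each of them must be
#   routed to this VPS (typically an additional/failover IP of the server), otherwise the replies
#   to SNAT'ed traffic never come back.
#
# Back up the current configuration before modifying it:
# cp /etc/wireguard/wg0.conf /etc/wireguard/wg0.conf.bak
#
# Stop the WireGuard service before modifying the configuration:
# sudo systemctl stop wg-quick@wg0
#
# Open the configuration file:
# nano /etc/wireguard/wg0.conf
# Delete the lines between [Interface] and the first "### Client" line and paste the [Interface]
# block below in their place. Keep the file readable by root only (chmod 600 /etc/wireguard/wg0.conf):
# PrivateKey and PresharedKey are stored in clear text.
#
# Placeholders: X = key generated by wireguard-install; change-ip1 / change-ip2 = the public IPs.
# The 10.66.66.x address used in each NAT rule must be the address listed in AllowedIPs of the
# corresponding [Peer], otherwise the forwarded traffic has no peer to go to.
# Only IPv4 is filtered/NATed here; no ip6tables rules are defined for the fd42:42:42::/64 addresses.

# WireGuard interface on the server side
[Interface]
Address = 10.66.66.1/24, fd42:42:42::1/64
ListenPort = 51737
PrivateKey = X

# iptables rules applied once the WireGuard interface is up
# Accept WireGuard traffic on the listen port
PostUp = iptables -I INPUT -p udp --dport 51737 -j ACCEPT
# VPN -> Internet forwarding, and return traffic Internet -> VPN
PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
PostUp = iptables -A FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Isolate the clients from each other (inserted at the top so it is evaluated before any ACCEPT)
PostUp = iptables -I FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP
# New connections from the Internet towards a client are only accepted on the forwarded ports.
# NOTE: the ESTABLISHED,RELATED rule above only restricts anything if the FORWARD chain policy
# is DROP (Debian's default is ACCEPT); these explicit ACCEPTs keep the DNAT rules below working
# if the policy is tightened later.
PostUp = iptables -A FORWARD -i ens3 -o wg0 -p tcp -d 10.66.66.2 -m multiport --dports 80,443 -j ACCEPT
PostUp = iptables -A FORWARD -i ens3 -o wg0 -p tcp -d 10.66.66.3 -m multiport --dports 80,443 -j ACCEPT

# NAT rules for client ip1 (peer 10.66.66.2): outgoing traffic leaves as change-ip1,
# ports 80 and 443 of change-ip1 are forwarded to the client
PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip1
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip1 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip1 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443

# NAT rules for client ip2 (peer 10.66.66.3, as declared in its AllowedIPs below)
PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.3/32 -o ens3 -j SNAT --to-source change-ip2
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip2 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.3:80
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip2 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.3:443

# iptables rules removed when the WireGuard interface goes down.
# Every PostUp rule has a matching PostDown so nothing is left behind in the filter or nat tables.
# "|| true" keeps wg-quick from aborting the teardown if a rule is already gone.
PostDown = iptables -D INPUT -p udp --dport 51737 -j ACCEPT || true
PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT || true
PostDown = iptables -D FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
PostDown = iptables -D FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP || true
PostDown = iptables -D FORWARD -i ens3 -o wg0 -p tcp -d 10.66.66.2 -m multiport --dports 80,443 -j ACCEPT || true
PostDown = iptables -D FORWARD -i ens3 -o wg0 -p tcp -d 10.66.66.3 -m multiport --dports 80,443 -j ACCEPT || true
PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.2/32 -o ens3 -j SNAT --to-source change-ip1 || true
PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip1 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 || true
PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip1 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 || true
PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.3/32 -o ens3 -j SNAT --to-source change-ip2 || true
PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip2 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.3:80 || true
PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip2 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.3:443 || true

### Client ip1
[Peer]
PublicKey = X
PresharedKey = X
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

### Client ip2
[Peer]
PublicKey = X
PresharedKey = X
AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128

# Start the WireGuard service again after modifying the configuration, then check it:
# sudo systemctl start wg-quick@wg0
# sudo systemctl status wg-quick@wg0
#
# OPNsense configuration:
# Follow the steps described in the OPNsense documentation:
# https://docs.opnsense.org/manual/how-tos/wireguard-client-proton.html
# Then configure port forwarding from the OPNsense router to the local IP of the WireGuard client,
# for example forward the port from 192.168.1.x to 10.66.66.2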