
# Description:
# This configuration connects an OPNsense or pfSense router at home to a VPS IP over WireGuard.
# It uses several public IPs on the VPS to redirect incoming traffic to different machines behind the VPS, so that no ports have to be opened on your home router.
# Prerequisites:
# - Have a VPS server at OVH or ionos with Debian
# - Install https://github.com/angristan/wireguard-install and generate a client
# - Know the network interface with the 'ip a' command and replace ens3 with the appropriate interface
# - Know the public address or IP addresses of the clients
# Backup of the current configuration before modifying it
# Perform this backup before any modification
# cp /etc/wireguard/wg0.conf /etc/wireguard/wg0.conf.bak
# Stopping the WireGuard service before modifying the configuration
# Make sure to stop the service before modifying the configuration
# sudo systemctl stop wg-quick@wg0
# Modification of the WireGuard configuration
# Open the configuration file to modify it
# nano /etc/wireguard/wg0.conf
# Delete the lines between [Interface] and ### Client and replace them with the [Interface] section below
# Configuration of the WireGuard interface on the server side
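[Interface]
# Tunnel addresses of the server: IPv4 /24 and IPv6 /64; the peers below use .2, .3, ... / ::2, ::3, ...
Address = 10.66.66.1/24, fd42:42:42::1/64
# UDP port the VPS listens on; must match the INPUT rule below
ListenPort = 51737
# Replace X with the server private key generated by wireguard-install
PrivateKey = X
# iptables rules to apply after setting up the WireGuard interface
# NOTE: only IPv4 is filtered and NATed here; the fd42:42:42::/64 peer addresses are not covered by any ip6tables rule
# Accept WireGuard traffic from the Internet on the listen port
PostUp = iptables -I INPUT -p udp --dport 51737 -j ACCEPT
# Peers may reach the Internet through the VPS; only replies to those flows come back in from ens3
PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
PostUp = iptables -A FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Explicitly accept the NEW connections that the DNAT rules below redirect to each client (TCP 80/443 only),
# so that the forwarded ports do not depend on the FORWARD chain default policy being ACCEPT
PostUp = iptables -A FORWARD -i ens3 -o wg0 -d change-ip-wglocal-1 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
PostUp = iptables -A FORWARD -i ens3 -o wg0 -d change-ip-wglocal-2 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Isolate the IPv4 peers from each other (inserted at the top of FORWARD); IPv6 peer-to-peer traffic is not blocked here
PostUp = iptables -I FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP
# NAT rules for client ip-1: outbound traffic leaves with public IP 1, inbound TCP 80/443 on public IP 1 is sent to the client
PostUp = iptables -t nat -A POSTROUTING -s change-ip-wglocal-1/32 -o ens3 -j SNAT --to-source change-ip-public-1
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-1:80
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-1:443
# NAT rules for client ip-2: same scheme with public IP 2
PostUp = iptables -t nat -A POSTROUTING -s change-ip-wglocal-2/32 -o ens3 -j SNAT --to-source change-ip-public-2
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-2:80
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-2:443
# iptables rules to remove when deleting the WireGuard interface
# Every PostUp rule above has a matching -D here; a missing one leaves a stale rule in place after the tunnel
# is stopped and duplicates it (-A) on the next start
PostDown = iptables -D INPUT -p udp --dport 51737 -j ACCEPT || true
PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT || true
PostDown = iptables -D FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
PostDown = iptables -D FORWARD -i ens3 -o wg0 -d change-ip-wglocal-1 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT || true
PostDown = iptables -D FORWARD -i ens3 -o wg0 -d change-ip-wglocal-2 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT || true
PostDown = iptables -D FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP || true
PostDown = iptables -t nat -D POSTROUTING -s change-ip-wglocal-1/32 -o ens3 -j SNAT --to-source change-ip-public-1 || true
PostDown = iptables -t nat -D POSTROUTING -s change-ip-wglocal-2/32 -o ens3 -j SNAT --to-source change-ip-public-2 || true
PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-1:80 || true
PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-1:443 || true
# Teardown for client ip-2's DNAT rules (previously missing, so they survived a stop of the tunnel)
PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-2:80 || true
PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-2:443 || true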
### Client ip-1
[Peer]
# Replace X with the public key created for this client by wireguard-install
PublicKey = X
# Replace X with the preshared key created for this client
PresharedKey = X
# The IPv4 /32 must be the same change-ip-wglocal-1 address referenced by the SNAT/DNAT rules in [Interface]
# NOTE(review): the IPv6 /128 is not covered by the iptables rules above, which are IPv4 only
AllowedIPs = change-ip-wglocal-1/32,fd42:42:42::2/128
### Client ip-2
[Peer]
# Replace X with the public key created for this client by wireguard-install
PublicKey = X
# Replace X with the preshared key created for this client
PresharedKey = X
# The IPv4 /32 must be the same change-ip-wglocal-2 address referenced by the SNAT/DNAT rules in [Interface]
# NOTE(review): the IPv6 /128 is not covered by the iptables rules above, which are IPv4 only
AllowedIPs = change-ip-wglocal-2/32,fd42:42:42::3/128
# Restart the WireGuard service after modifying the configuration
# sudo systemctl start wg-quick@wg0
# sudo systemctl status wg-quick@wg0
# OPNsense configuration:
# Follow the steps described in the OPNsense documentation:
# https://docs.opnsense.org
# On the OPNsense router, configure port forwarding from the WireGuard client address to the local IP of the target machine
# For example, forward ports 80 and 443 arriving on change-ip-wglocal-1 to 192.168.1.x