wireguard: instructions for setting up proxy

single-dockerfile
Ubuntu 2 years ago
parent 154c7208c3
commit fcd2565b47
  1. 29
      wireguard/README.md
  2. 33
      wireguard/wg0-proxy.conf
  3. 28
      wireguard/wg0-server.conf

@ -0,0 +1,29 @@
# Wireguard proxy setup
This is for a server that is inside of a firewall or behind a NAT gateway
that doesn't have a static IP address. A cheap $6/month DigitalOcean droplet
can be created that will route *all* internet traffic to the server, allowing
it to change IP.
* On both proxy and the server:
```
sudo apt install wireguard-tools net-tools
wg genkey \
| sudo tee /etc/wireguard/wg0.key \
| wg pubkey \
| sudo tee /etc/wireguard/wg0.pub
sudo chmod -R go-rwx /etc/wireguard
```
* Copy `wireguard/wg0-proxy.conf` to `/etc/wireguard/wg0.conf` on the proxy
* On the **proxy** edit `/etc/wireguard/wg0.conf`:
* Change `${SERVER_PUBKEY}` to the public key that was output on the server
* Copy `wireguard/wg0-server.conf` to `/etc/wireguard/wg0.conf` on the server.
* On the **server** edit `/etc/wireguard/wg0.conf`:
* Change `${PROXY_IP}` to the public IP address of the proxy (two places)
* Change `${PROXY_PUBKEY}` to the public key output on the proxy (two places)
* Change `${SERVER_GW}` to the gateway address used to reach the internet from the server
* On both machines run `sudo wg-quick up /etc/wireguard/wg0.conf`

@ -0,0 +1,33 @@
[Interface]
Address = 192.168.4.1/24
ListenPort = 51820
PostUp = wg set %i private-key /etc/wireguard/%i.key
# Enable IP masquerading for the remote host
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# accept the wireguard connection
PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp --dport 51820 -j ACCEPT
# redirect ssh to port 23
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 23 -j REDIRECT --to-port 22
# redirect *all* traffic to the wg tunnel
PostUp = iptables -t nat -A PREROUTING -i eth0 -p all -j DNAT --to-destination 192.168.4.2
# Tear down the proxy
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp --dport 51820 -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 23 -j REDIRECT -to-port 22
PostDown = iptables -t nat -D PREROUTING -i eth0 -p all -j DNAT --to-destination 192.168.4.2
[Peer]
PublicKey = ${SERVER_PUBKEY}
AllowedIPs = 192.168.4.2/32

@ -0,0 +1,28 @@
# wg0-server.conf
#
# This is the configuration for the server hidden behind the wireguard proxy.
# It routes all internet traffic via the proxy, with the exception of traffic
# to the proxy itself. It is still accessible on the local network.
#
# When moving this to a new machine:
# * Update the PostUp route so that the proxy address has an explicit route via the local gateway
# * Update the PownDown to delete the explicit route and restore the default gw
# * Update the Peer PublicKey and Endpoint with the proxy key and address
#
[Interface]
PostUp = wg set %i private-key /etc/wireguard/%i.key
Address = 192.168.4.2/24
# Delete the default gateway and add an explicit route for the wireguard tunnel
PostUp = route add ${PROXY_IP} gw ${SERVER_GW} || echo "wrong route"
PostUp = route del default || echo "no default"
PostUp = route add default gw 192.168.4.1
PostDown = route del ${PROXY_IP}
PostDown = route add default gw ${SERVER_GW}
[Peer]
PublicKey = ${PROXY_PUBKEY}
Endpoint = ${PROXY_IP}:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Loading…
Cancel
Save