```bash
sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get autoremove -y
```

## For Regular Linux Server/PC

```bash
sudo apt install software-properties-common && sudo apt install linux-headers-$(uname -r)
```

## Raspberry Pi

```bash
sudo apt install raspberrypi-kernel-headers libelf-dev libmnl-dev build-essential git -y
```

## Install WireGuard and WireGuard Tools

```bash
sudo apt install wireguard wireguard-tools resolvconf -y
# restrict the umask first so the private key file is not created world-readable
umask 077
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
# note the name of the interface that reaches the internet; it is needed for the MASQUERADE rules
ifconfig
sudo nano /etc/wireguard/wg0.conf
```
## WireGuard VPN Server Config File

```ini
# Server:
[Interface]
Address = 10.26.26.1/24, fd26:26:26::1/64
ListenPort = 51820
PrivateKey = SERVER-PRIVATE-KEY
# SaveConfig = true makes wg-quick rewrite this file on `wg-quick down`, so peers added
# with `wg set` are kept, but comments in this file are lost
SaveConfig = true
# Firewall Rules (%i is replaced by the interface name, here wg0)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o YOUR-IPv4-INTERFACE-NAME -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o YOUR-IPv6-INTERFACE-NAME -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o YOUR-IPv4-INTERFACE-NAME -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o YOUR-IPv6-INTERFACE-NAME -j MASQUERADE

# Client Profiles: each peer is given its own host address (/32 for IPv4, /128 for IPv6)
# Laptop:
[Peer]
PublicKey = CLIENT-1-PUBLIC-KEY
AllowedIPs = 10.26.26.2/32, fd26:26:26::2/128
# Android:
[Peer]
PublicKey = CLIENT-2-PUBLIC-KEY
AllowedIPs = 10.26.26.3/32, fd26:26:26::3/128
```
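Each `[Peer]` entry above gets a single host address, and the thread under the gist asks why /32 rather than /24. On the server, `AllowedIPs` is WireGuard's cryptokey routing table: it is both the set of source addresses accepted from that peer and the set of destinations routed to it, and a range that overlaps another peer's is taken away from that other peer when the later one is configured. A mistyped key name such as `Public Key` (with a space) makes wg-quick reject the whole file, and an unreplaced placeholder such as `SERVER-PRIVATE-KEY` fails the same way. The linter below is an added example written for this page, not code from the gist: it parses a wg-quick file and flags unrecognized keys, values that are not 32-byte base64 keys, and overlapping or catch-all `AllowedIPs` between peers. The sample configuration inside it is constructed, and `DUMMY_KEY` is 32 zero bytes encoded as base64, not a real key.

```python
"""Lint a wg-quick configuration before running `wg-quick up` (added example, not from the gist)."""
import base64
import ipaddress
from typing import Dict, List, Tuple

# Keys that wg / wg-quick accept in each section (matched case-insensitively, no spaces).
INTERFACE_KEYS = {"privatekey", "listenport", "fwmark", "address", "dns", "mtu", "table",
                  "preup", "postup", "predown", "postdown", "saveconfig"}
PEER_KEYS = {"publickey", "presharedkey", "allowedips", "endpoint", "persistentkeepalive"}

Section = Tuple[str, Dict[str, str]]  # (section name in lower case, {key: value})


def parse(text: str) -> List[Section]:
    """Parse the INI-like file into an ordered list of sections; [Peer] may repeat."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def is_wg_key(value: str) -> bool:
    """A WireGuard key is 32 bytes of base64, i.e. exactly 44 characters."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False


def lint(text: str, role: str = "server") -> List[str]:
    """Return a list of findings; an empty list means the file looks sane."""
    findings: List[str] = []
    seen = []  # (section index, AllowedIPs network) for the overlap check
    for idx, (name, kv) in enumerate(parse(text)):
        known = {"interface": INTERFACE_KEYS, "peer": PEER_KEYS}.get(name)
        if known is None:
            findings.append(f"section {idx}: unknown section [{name}]")
            continue
        lowered = {k.lower() for k in kv}
        for key, value in kv.items():
            k = key.lower()
            if k not in known:
                findings.append(f"[{name}] section {idx}: unrecognized key {key!r}; wg-quick will refuse the file")
            elif k in ("privatekey", "publickey", "presharedkey") and not is_wg_key(value):
                findings.append(f"[{name}] section {idx}: {key} is not a valid key (placeholder not replaced?)")
            elif k == "allowedips":
                for cidr in value.split(","):
                    try:
                        net = ipaddress.ip_network(cidr.strip(), strict=False)
                    except ValueError:
                        findings.append(f"[{name}] section {idx}: bad AllowedIPs entry {cidr.strip()!r}")
                        continue
                    if role == "server" and net.prefixlen == 0:
                        findings.append(f"[{name}] section {idx}: AllowedIPs {net} would route all of the server's traffic to this peer")
                    for prev_idx, prev in seen:
                        if prev.version == net.version and prev.overlaps(net):
                            findings.append(f"[{name}] sections {prev_idx} and {idx}: AllowedIPs {prev} and {net} overlap; "
                                            "wg gives the overlap to whichever peer was configured last")
                    seen.append((idx, net))
        if name == "peer":
            for required in ("PublicKey", "AllowedIPs"):
                if required.lower() not in lowered:
                    findings.append(f"[peer] section {idx}: missing {required}")
    return findings


# Constructed sample: a placeholder private key, the "Public Key" typo, and a peer handed the whole /24.
DUMMY_KEY = base64.b64encode(bytes(32)).decode()  # 32 zero bytes, NOT a real key
SAMPLE_SERVER_CONF = f"""\
[Interface]
Address = 10.26.26.1/24, fd26:26:26::1/64
ListenPort = 51820
PrivateKey = SERVER-PRIVATE-KEY
SaveConfig = true

# Laptop
[Peer]
Public Key = CLIENT-1-PUBLIC-KEY
AllowedIPs = 10.26.26.2/32, fd26:26:26::2/128

# Android: given the whole subnet instead of its own host address
[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 10.26.26.0/24, fd26:26:26::3/128
"""
# The same file with the three problems corrected.
FIXED_SERVER_CONF = (SAMPLE_SERVER_CONF
                     .replace("SERVER-PRIVATE-KEY", DUMMY_KEY)
                     .replace("Public Key = CLIENT-1-PUBLIC-KEY", f"PublicKey = {DUMMY_KEY}")
                     .replace("10.26.26.0/24", "10.26.26.3/32"))

if __name__ == "__main__":
    for finding in lint(SAMPLE_SERVER_CONF):
        print(finding)
```

Run it as `python3 wglint.py` to see the four findings for the sample; on a real host, pass the contents of `/etc/wireguard/wg0.conf` to `lint()`, with `role="client"` for a client file where `0.0.0.0/0, ::/0` is intended.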
## Start WireGuard Interface

```bash
sudo wg-quick up wg0
```

## Check WireGuard Interface

```bash
sudo wg show wg0
```
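`wg show wg0` is the manual check; the same data is available in a machine-readable form from `wg show wg0 dump`, which prints one tab-separated line for the interface and one per peer. The script below is an added example for this page, not part of the gist: it parses that format and reports peers that never completed a handshake, peers whose last handshake is older than the protocol's 180 second session limit, and peers whose public key is not in an expected list (useful here because `SaveConfig = true` persists anything added with `wg set`). `SAMPLE_DUMP`, `NOW` and the key names in it are constructed stand-ins, not a real interface's output.

```python
"""Audit `wg show <iface> dump` output for stale tunnels and unexpected peers (added example)."""
import subprocess
import time
from dataclasses import dataclass
from typing import List, Optional, Set

# WireGuard's REJECT_AFTER_TIME is 180 s: a peer with no handshake for longer has no usable session.
STALE_AFTER = 180


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]     # printed as "(none)" when the peer has never been heard from
    allowed_ips: List[str]
    latest_handshake: int       # Unix time of the last handshake; 0 means never
    rx_bytes: int
    tx_bytes: int
    keepalive: Optional[int]    # printed as "off" when PersistentKeepalive is not set


def parse_dump(text: str) -> List[Peer]:
    """Parse the dump format: line 1 is the interface (private-key, public-key, listen-port,
    fwmark); each further line is a peer (public-key, preshared-key, endpoint, allowed-ips,
    latest-handshake, transfer-rx, transfer-tx, persistent-keepalive)."""
    peers: List[Peer] = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, handshake, rx, tx, keepalive = fields
        peers.append(Peer(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=allowed.split(","),
            latest_handshake=int(handshake),
            rx_bytes=int(rx),
            tx_bytes=int(tx),
            keepalive=None if keepalive == "off" else int(keepalive),
        ))
    return peers


def audit(peers: List[Peer], expected: Set[str], now: int, stale_after: int = STALE_AFTER) -> List[str]:
    """Report peers that are not in the expected set or that have no live session."""
    findings: List[str] = []
    for p in peers:
        tag = p.public_key[:8] + "..."
        if p.public_key not in expected:
            findings.append(f"{tag}: not in the expected peer list (added ad hoc with `wg set`?)")
        if p.latest_handshake == 0:
            findings.append(f"{tag}: never completed a handshake")
        elif now - p.latest_handshake > stale_after:
            findings.append(f"{tag}: last handshake {now - p.latest_handshake}s ago, session expired")
    return findings


def audit_interface(iface: str, expected: Set[str]) -> List[str]:
    """Run the audit against a live interface (`wg show` needs root)."""
    out = subprocess.check_output(["wg", "show", iface, "dump"], text=True)
    return audit(parse_dump(out), expected, int(time.time()))


# Constructed sample output; the key strings are placeholders, not real keys.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER-PRIVATE-KEY", "SERVER-PUBLIC-KEY", "51820", "off"]),
    # laptop: handshake 40 s ago, healthy
    "\t".join(["CLIENT-1-PUBLIC-KEY", "(none)", "203.0.113.7:41821",
               "10.26.26.2/32,fd26:26:26::2/128", str(NOW - 40), "81234", "442111", "off"]),
    # android: configured but has never connected
    "\t".join(["CLIENT-2-PUBLIC-KEY", "(none)", "(none)",
               "10.26.26.3/32,fd26:26:26::3/128", "0", "0", "0", "25"]),
    # peer added with `wg set`, absent from the baseline, last seen 10 minutes ago
    "\t".join(["NEW-CLIENT-PUBLIC-KEY", "(none)", "198.51.100.9:55020",
               "10.26.26.15/32", str(NOW - 600), "12", "88", "off"]),
])
EXPECTED_PEERS = {"CLIENT-1-PUBLIC-KEY", "CLIENT-2-PUBLIC-KEY"}

if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP), EXPECTED_PEERS, NOW):
        print(finding)
```

For periodic use, call `audit_interface("wg0", EXPECTED_PEERS)` from a cron job or timer as root and forward the findings to whatever alerting is in place; a peer that is missing from the expected set but has a recent handshake is the case worth looking at first.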
## Auto Start WireGuard Interface after boot

```bash
sudo systemctl enable wg-quick@wg0
```

## Enable System IP forwarding

```bash
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
```

## Allow Firewall to Accept SSH and WireGuard Traffic

```bash
sudo ufw allow 22/tcp
sudo ufw allow 51820/udp
```

## Edit WireGuard Configuration

```bash
sudo nano /etc/wireguard/wg0.conf
```
## WireGuard VPN Client Config File

```ini
[Interface]
PrivateKey = CLIENT-PRIVATE-KEY
Address = 10.26.26.2/24, fd26:26:26::2/64
ListenPort = 51820
DNS = 1.1.1.1, 2606:4700:4700::1111
MTU = 1370

# VPN Server Public Key
[Peer]
PublicKey = SERVER-PUBLIC-KEY
Endpoint = SERVER-IP:51820
# 0.0.0.0/0 and ::/0 send all of the client's traffic through the tunnel
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```
## To add a new Peer, here is an example.

```bash
# an address without a prefix length is treated as a /32 host route
sudo wg set wg0 peer NEW-CLIENT-PUBLIC-KEY allowed-ips 10.26.26.15
```

## To remove an existing peer, here is an example.

```bash
sudo wg set wg0 peer NEW-CLIENT-PUBLIC-KEY allowed-ips 10.26.26.15 remove
```

## WireGuard with Port Forwarding

```ini
# Forwards TCP ports 45678 and 56789 arriving on eth0 to the laptop peer (10.26.26.2); the extra
# POSTROUTING rule rewrites the source address so the peer's replies return through the server.
# If ufw is enabled, its default FORWARD policy is DROP, so new inbound connections to these
# ports also need a FORWARD accept rule for traffic leaving through %i.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 45678,56789 -j DNAT --to-destination 10.26.26.2; iptables -t nat -A POSTROUTING -d 10.26.26.2 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 45678,56789 -j DNAT --to-destination 10.26.26.2; iptables -t nat -D POSTROUTING -d 10.26.26.2 -j MASQUERADE
```
@amanjuman

`sudo wg set wg0 peer NEW-CLIENT-PUBLIC-KEY allowed-ips 10.26.26.15`

Why are we allowing this IP? It was not used anywhere.

`AllowedIPs = 10.26.26.3/32, fd26:26:26::3/128`

Why are we using /32? It was given /24.
Comments added, hope it is easier to understand now.

You can use /32 or /24, up to you. This is just an example, feel free to customize.
Thank you. But brother, I am trying this on an Azure VM which I cannot normally ping even though it has a real IP. The service does not work although I have followed all the steps. Will it work, and can you please tell me what type of AWS server or VM you are using? It would be really helpful. Thanks

> On Sat, Aug 19, 2023 at 9:15 PM Aman Juman wrote:
>
> @amanjuman commented on this gist:
>
> > sudo wg set wg0 peer NEW-CLIENT-PUBLIC-KEY allowed-ips 10.26.26.15
> > why are we allowing this ip this was not used any where?
> > AllowedIPs = 10.26.26.3/32, fd26:26:26::3/128
> > why are we using /32 it was given /24?
>
> Comments added, hope it would be easier to understand now. You can use /32 or /24, Up to you. This is just an example, feel free to customize.
You need to allow ICMP traffic in order to ping it from outside.