sudo apt-get update
sudo apt-get install wireguard
# Everything below runs as root inside the new shell; /etc/wireguard is root-only.
sudo su -
cd /etc/wireguard
# umask 077 makes the new key files readable by root only; it stays in effect
# for the rest of this shell, so the files touched below get the same mode.
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
# Hook scripts that wg-quick runs after the interface comes up / goes down
# (referenced as PostUp / PostDown in wg0.conf).
touch post-up.sh ; chmod +x post-up.sh
touch post-down.sh ; chmod +x post-down.sh
touch wg0.conf
cat publickey # SERVER_PUBLIC_KEY -> goes into the client's [Peer] section
cat privatekey # SERVER_PRIVATE_KEY -> goes only into this server's [Interface] section
[Interface]
# Server-side /etc/wireguard/wg0.conf. Keep it root-only (mode 0600): it holds the private key.
Address = 192.168.20.1/24
# Do not write runtime state (added peers, endpoints) back into this file on `wg-quick down`.
SaveConfig = false
# UDP port the server listens on; must match the port opened in post-up.sh.
ListenPort = 52000
# Contents of /etc/wireguard/privatekey on this host.
PrivateKey = SERVER_PRIVATE_KEY
PostUp = /etc/wireguard/post-up.sh
PostDown = /etc/wireguard/post-down.sh
[Peer]
# Contents of the client's publickey file.
PublicKey = CLIENT_PUBLIC_KEY
# Only packets from / to this single address are accepted for this peer.
AllowedIPs = 192.168.20.2/32
# Output of `wg genpsk`; the same value goes into the client's [Peer] section.
PresharedKey = CLIENT_PRESHARED_KEY
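#!/bin/bash
# /etc/wireguard/post-up.sh
# Run by wg-quick (PostUp) after wg0 exists: opens the WireGuard listen port
# on the uplink interface and allows forwarding across the tunnel.
# A failing iptables call now aborts the hook (and therefore `wg-quick up`)
# instead of being silently ignored, so a half-applied ruleset is visible.
set -euo pipefail

readonly WAN_IF=ens3    # public / uplink interface
readonly WG_IF=wg0      # WireGuard interface (matches the wg-quick@wg0 unit)
readonly WG_PORT=52000  # must match ListenPort in wg0.conf

# Optional: accept new HTTP/HTTPS connections on the uplink and the tunnel.
# iptables -I INPUT 1 -i ens3 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# iptables -I INPUT 1 -i ens3 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# iptables -I INPUT 1 -i wg0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# iptables -I INPUT 1 -i wg0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# Let peers reach the WireGuard port.
iptables -I INPUT 1 -i "$WAN_IF" -p udp --dport "$WG_PORT" -j ACCEPT
# Both rules accept *all* traffic entering or leaving the tunnel and sit at
# the top of FORWARD, so they match before any narrower FORWARD rules added
# elsewhere on this host.
iptables -I FORWARD 1 -i "$WG_IF" -j ACCEPT
iptables -I FORWARD 1 -o "$WG_IF" -j ACCEPT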
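#!/bin/bash
# /etc/wireguard/post-down.sh
# Run by wg-quick (PostDown): removes exactly the rules post-up.sh added.
# Every delete is attempted independently so one already-missing rule does
# not leave the others in place; each failure is reported on stderr and the
# script exits non-zero if any delete failed.
set -uo pipefail

readonly WAN_IF=ens3    # must match post-up.sh
readonly WG_IF=wg0
readonly WG_PORT=52000

# Optional HTTP/HTTPS rules, mirror of the commented block in post-up.sh.
# iptables -D INPUT -i ens3 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# iptables -D INPUT -i ens3 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# iptables -D INPUT -i wg0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# iptables -D INPUT -i wg0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

rc=0

# Delete one rule (arguments are passed straight to `iptables -D`);
# remember the failure but keep going.
del_rule() {
  if ! iptables -D "$@"; then
    printf 'post-down: could not remove rule: %s\n' "$*" >&2
    rc=1
  fi
}

del_rule INPUT -i "$WAN_IF" -p udp --dport "$WG_PORT" -j ACCEPT
del_rule FORWARD -i "$WG_IF" -j ACCEPT
del_rule FORWARD -o "$WG_IF" -j ACCEPT

exit "$rc"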
# Bring the tunnel up by hand first (this also runs post-up.sh);
# `wg` / `wg show` print the interface, its peers and handshake state.
sudo wg-quick up wg0
sudo wg
sudo wg show wg0
# Take it down again (runs post-down.sh) so the systemd unit can create wg0 itself.
sudo wg-quick down wg0
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0
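sudo apt-get update
sudo apt-get install wireguard
# Key files and wg0.conf must live in /etc/wireguard (that is where
# `wg-quick up wg0` looks for them) and be readable by root only —
# same root shell + directory change as on the server side.
sudo su -
cd /etc/wireguard
# umask 077 keeps the new key files readable by root only.
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
touch wg0.conf
cat publickey # CLIENT_PUBLIC_KEY -> goes into the server's [Peer] section
cat privatekey # CLIENT_PRIVATE_KEY -> goes only into this client's [Interface] section
# Printed once; the same value must appear in the [Peer] section on both sides.
wg genpsk # CLIENT_PRESHARED_KEY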
[Interface]
# Client-side /etc/wireguard/wg0.conf. Keep it root-only (mode 0600): it holds the private key.
# Contents of the client's privatekey file.
PrivateKey = CLIENT_PRIVATE_KEY
Address = 192.168.20.2/24
[Peer]
# Contents of the server's publickey file.
PublicKey = SERVER_PUBLIC_KEY
# Public address of the server and its ListenPort.
Endpoint = SERVER_IP_ADDRESS:52000
# Only the server's tunnel address is routed through this peer (no full-tunnel).
AllowedIPs = 192.168.20.1/32
# Keepalive every 25 s so the NAT mapping towards the server stays open.
PersistentKeepalive = 25
# Same `wg genpsk` value as in the server's [Peer] section.
PresharedKey = CLIENT_PRESHARED_KEY
# Same sequence as on the server: manual up / inspect / down, then hand the
# interface over to the wg-quick@wg0 systemd unit.
sudo wg-quick up wg0
sudo wg
sudo wg show wg0
sudo wg-quick down wg0
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0
# monit is used below to restart the wg-quick unit when the peer stops answering pings.
sudo apt-get install monit
sudo systemctl enable monit
sudo systemctl start monit
sudo systemctl status monit
Open the /etc/monit/monitrc file and uncomment the following lines:
set httpd port 2812 and
use address localhost # only accept connection from localhost
allow localhost # allow localhost to connect to the server and
allow admin:monit # require user 'admin' with password 'monit' (replace this default password)
Client-side: create a new file, /etc/monit/conf.d/wireguard-client.conf, containing:
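# /etc/monit/conf.d/wireguard-client.conf
# Ping the server's tunnel address; when it stops answering, restart the
# client's wg-quick unit so the tunnel is re-established.
# Unit name restored to wg-quick@wg0.service (the page showed it garbled as
# an e-mail address); it matches the wg-quick@wg0 unit enabled above.
check host 192.168.20.1 with address 192.168.20.1
  start program = "/bin/systemctl start wg-quick@wg0.service"
  stop program = "/bin/systemctl stop wg-quick@wg0.service"
  if failed ping then restart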
Server-side: create a new file, /etc/monit/conf.d/wireguard-server.conf, containing:
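# /etc/monit/conf.d/wireguard-server.conf
# Ping the client's tunnel address; when it stops answering, restart the
# server's wg-quick unit.
# Unit name restored to wg-quick@wg0.service (the page showed it garbled as
# an e-mail address); it matches the wg-quick@wg0 unit enabled above.
check host 192.168.20.2 with address 192.168.20.2
  start program = "/bin/systemctl start wg-quick@wg0.service"
  stop program = "/bin/systemctl stop wg-quick@wg0.service"
  if failed ping then restart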
# Syntax-check the monit configuration before loading it.
sudo monit -t
sudo monit reload
sudo monit start all
sudo systemctl reload monit
sudo monit status
sudo monit summary
# enable ip forwarding (router mode)
# NOTE: `tee -a` appends; running this line twice leaves duplicate entries in sysctl.conf.
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
#
# irc-traffic (port 6667), forward rules
#
# Default-deny forwarding, then allow only new IRC connections from the uplink
# into the tunnel plus the return traffic of established flows.
# NOTE(review): post-up.sh inserts `-i wg0 -j ACCEPT` / `-o wg0 -j ACCEPT` at
# position 1 of FORWARD, which matches before these narrower rules — confirm
# that ordering is intended.
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -i ens3 -o wg0 -p tcp --syn --dport 6667 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i wg0 -o ens3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#
# irc-traffic (symmetric port 6667), handle ip difference
#
# DNAT rewrites the destination to the client's tunnel address; SNAT makes the
# replies come back through this host. The 192.168.4.x addresses below differ
# from the 192.168.20.x tunnel addresses in wg0.conf above — presumably from a
# different example; use the tunnel addresses actually configured.
sudo iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 6667 -j DNAT --to-destination 192.168.4.2
sudo iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 6667 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1
#
# ssh (asymmetric port 22 <-> 22222), handle ip difference
#
# Public port 22222 is mapped to port 22 on the client; the FORWARD rule
# matches the port after DNAT (22).
sudo iptables -A FORWARD -i ens3 -o wg0 -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 22222 -j DNAT --to-destination 192.168.4.2:22
sudo iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 22 -d 192.168.4.2 -j SNAT --to-source 192.168.4.1
#
# persistence (w/o ipv6)
#
# Pre-seed debconf so the package install saves the current IPv4 rules and
# does not save IPv6 rules.
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | sudo debconf-set-selections
sudo debconf-show iptables-persistent
sudo apt-get install -y iptables-persistent
# Disable the ip6tables plugin so netfilter-persistent leaves IPv6 alone
# (no IPv6 rules are saved or restored by this setup).
sudo chmod -x /usr/share/netfilter-persistent/plugins.d/25-ip6tables
# Dry-run (-t) the live ruleset through iptables-restore to make sure it parses.
sudo iptables-save | sudo iptables-restore -t -v
# NOTE: the redirection runs as the invoking user, not root; run this from a
# root shell or the write to /etc/iptables/rules.v4 is denied.
sudo iptables-save > /etc/iptables/rules.v4
# Dry-run the saved file, then actually load it.
sudo iptables-restore -t -v < /etc/iptables/rules.v4
sudo iptables-restore -v < /etc/iptables/rules.v4
sudo systemctl status netfilter-persistent
sudo systemctl reenable netfilter-persistent
sudo systemctl restart netfilter-persistent
Reference: https://lerks.blog/nat-traversal-wireguard/
# Plain-HTTP listener: answers every request with a redirect to HTTPS.
server {
listen 80 default_server;
listen [::]:80;
server_name example.com;
# server_name _;
# server_name localhost;
# Hide the nginx version in the Server header and error pages.
server_tokens off;
# Redirect target is built from the client-supplied Host header ($host).
return 301 https://$host$request_uri; # redirect to https
}
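# TLS front end: terminates HTTPS and proxies to the service reachable over
# the WireGuard tunnel.
server {
    listen 443 ssl http2 default_server; # you can remove the http2 if you want v1
    listen [::]:443 ssl http2; # same here
    server_name example.com;
    # `ssl on;` removed: deprecated since nginx 1.15.0 and rejected by current
    # releases; the `ssl` parameter on `listen` above already enables TLS.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3; # TLSv1.2 kept for older clients
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # NOTE(review): the *-GCM-SHA512 entries are not OpenSSL cipher names and
    # are presumably skipped; check the effective list with `openssl ciphers -v`.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout 10m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    # OCSP stapling (optional; needs an outbound resolver)
    # ssl_stapling on; # Requires nginx >= 1.3.7
    # ssl_stapling_verify on; # Requires nginx => 1.3.7
    # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
    # resolver 8.8.8.8 8.8.4.4 valid=300s;
    # resolver_timeout 5s;
    # Security headers. add_header is not inherited by a location block that
    # declares its own add_header; repeat them there if one is added later.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    server_tokens off;
    autoindex off;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block"; # legacy header, ignored by current browsers
    location / {
        proxy_pass http://10.0.1.1:8080; # wireguard client IP
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Replaces any client-supplied Proxy header with a fixed value.
        proxy_set_header Proxy "Cloud-LB"; # this can be changed to whatever
        proxy_set_header Upgrade $http_upgrade;
        # $connection_upgrade must be defined by a
        # `map $http_upgrade $connection_upgrade { ... }` in the http{} context
        # (not shown here); otherwise nginx rejects the configuration.
        proxy_set_header Connection $connection_upgrade;
        # Forwards the backend's Server header to clients, i.e. reveals the
        # upstream software even though server_tokens is off.
        proxy_pass_header Server;
        proxy_buffering off;
        proxy_redirect off;
        proxy_http_version 1.1;
        tcp_nodelay on;
    }
    # access_log off;
    # error_log /var/log/nginx/nginx.error.log;
    # client_max_body_size 100m;
}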
Reference: https://golb.hplar.ch/2019/01/expose-server-vpn.html