WireGuard VPN NAT proxy
#!/usr/sbin/nft -f
# Host firewall and NAT for a WireGuard point-to-site gateway: peers on
# $wg_iface reach the internet through $pub_iface via masquerading, while
# the host itself only accepts SSH and WireGuard from the outside.
# IP forwarding must also be enabled via sysctl (see the server config).

# NOTE(review): `flush ruleset` clears every table in every family, not only
# the tables defined below — rules installed by other tooling on this host
# are discarded whenever this file is loaded.
flush ruleset

# internet-facing interface
define pub_iface = "enp1s0"
# WireGuard tunnel interface
define wg_iface = "wg0"
# UDP port WireGuard listens on; matches ListenPort in the server config
# and the port in the peers' Endpoint
define wg_port = 51820

table inet filter {
    chain input {
        # default-deny for traffic addressed to the host itself
        type filter hook input priority 0; policy drop;
        # accept all loopback packets
        iif "lo" accept
        # accept all icmp/icmpv6 packets (ICMPv6 is required for IPv6 neighbour
        # discovery to work at all)
        meta l4proto { icmp, ipv6-icmp } accept
        # accept all packets that are part of an already-established connection;
        # packets conntrack cannot classify are dropped here
        ct state vmap { invalid : drop, established : accept, related : accept }
        # drop new connections over rate limit
        # NOTE(review): this is a single global token bucket shared by every
        # source and it sits before the SSH/WireGuard accepts, so one remote
        # host opening new flows faster than 1/s (a port scan, for instance)
        # can cause legitimate SSH or WireGuard handshakes from everyone else
        # to be dropped. A per-source meter (a dynamic set keyed on the source
        # address) would confine the effect to the offending host.
        ct state new limit rate over 1/second burst 10 packets drop
        # accept all SSH packets received on a public or wg interface
        # (SSH is therefore reachable from the internet, not only over the tunnel)
        iifname {$pub_iface, $wg_iface} tcp dport ssh accept
        # accept all WireGuard packets received on a public interface
        iifname $pub_iface udp dport $wg_port accept
        # reject with polite "port unreachable" icmp response
        reject
    }

    chain forward {
        # default-deny for traffic routed through the host
        type filter hook forward priority 0; policy drop;
        # allow replies to flows that were already permitted; drop what
        # conntrack cannot classify
        ct state vmap { invalid : drop, established : accept, related : accept }
        # only the tunnel may open new forwarded flows, and only towards the
        # internet; new flows in any other direction (e.g. internet -> tunnel)
        # fall through to the reject below
        iifname $wg_iface oifname $pub_iface accept
        # icmpx picks the matching ICMP/ICMPv6 type for either family
        reject with icmpx type host-unreachable
    }
}

table inet nat {
    chain postrouting {
        # priority 100 = after the filter forward hook has accepted the packet
        type nat hook postrouting priority 100; policy accept;
        # rewrite the source of tunnel traffic leaving on $pub_iface to that
        # interface's own address (applies to both IPv4 and IPv6 here)
        iifname $wg_iface oifname $pub_iface masquerade
    }
}
# ---------- Server Config ----------
# vim: ft=conf
#
# Make sure ip forwarding is enabled
# net.ipv4.ip_forward=1
# net.ipv6.conf.all.forwarding=1
# config based on:
# https://www.procustodibus.com/blog/2021/11/wireguard-nftables/#point-to-site
#
# Server side of a single-peer point-to-site tunnel. This file holds the
# server's private key, so it must not be readable by anyone but root.
[Interface]
# Tunnel addresses of the server (IPv4 /24 and IPv6 /64); peers are given
# other addresses inside these prefixes
Address = 10.10.1.1/24
Address = fd86:ea04:1111::1/64
# The public key is derived from the private key and is not configured here;
# it is the value the peers put in their [Peer] section as SERVER_PUBKEY.
#PublicKey = SERVER_PUBKEY
PrivateKey = SERVER_PVTKEY
# UDP port opened for WireGuard by the nft ruleset (wg_port)
ListenPort = 51820
[Peer]
PublicKey = PEER_PUBKEY
# Cryptokey routing: traffic from this peer is only accepted if its source
# is one of these addresses, and only these destinations are sent to it.
# No Endpoint is set on purpose: the peer initiates, and the server learns
# its address from the peer's authenticated handshake.
AllowedIPs = 10.10.1.2/32, fd86:ea04:1111::2/128
# ---------- Peer Config ----------
# Client side of the tunnel. This file holds the peer's private key, so it
# must not be readable by other users on the client machine.
[Interface]
PrivateKey = PEER_PVTKEY
# Must match the AllowedIPs the server grants this peer
Address = 10.10.1.2/32, fd86:ea04:1111::2/128
# Cloudflare DNS
# With the full-tunnel AllowedIPs below, DNS queries are sent through the
# tunnel as well rather than to the local network's resolver.
DNS = 1.1.1.1, 2606:4700:4700::1111
[Peer]
PublicKey = SERVER_PUBKEY
# Full tunnel: all IPv4 and IPv6 traffic is routed to the server, which
# masquerades it out of its public interface
AllowedIPs = 0.0.0.0/0, ::/0
# SERVER_ADDR must be reachable on the server's public interface; the port
# matches the server's ListenPort and the nft wg_port define.
# NOTE(review): no PersistentKeepalive is set — if this peer sits behind
# NAT, the server cannot reach it once the NAT mapping expires; add
# `PersistentKeepalive = 25` if server-initiated traffic matters.
Endpoint = SERVER_ADDR:51820