Certain company blocking a certain hosting provider? No problem, just tunnel the process through a small VPS with WireGuard. Only the one systemd service you pick is routed through the tunnel; the rest of the host keeps its normal network.
Consider server A your blocked server (the host running the service) and server B your VPS (the exit point).
Server A:

umask 077  # private key files readable by root only
wg genkey > endpoint-a.key
wg pubkey < endpoint-a.key > endpoint-a.pub

Server B:

umask 077
wg genkey > endpoint-b.key
wg pubkey < endpoint-b.key > endpoint-b.pub

Copy endpoint-a.pub to server B and endpoint-b.pub to server A; the .key files never leave the host they were generated on.

Server B: edit /etc/sysctl.conf and ensure the following line is uncommented, then apply it with sysctl -p (the VPS has to forward packets between wg0 and its public interface):
net.ipv4.ip_forward=1
Create a wireguard config at /etc/wireguard/wg0.conf with the following content:
[Interface]
PrivateKey = <endpoint-b.key>
Address = 10.0.0.2/32
ListenPort = 51822
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
[Peer]
PublicKey = <endpoint-a.pub>
AllowedIPs = 10.0.0.1/32
Endpoint = <server A ip address>:51821

Paste the contents of endpoint-b.key and endpoint-a.pub in place of the placeholders. The Endpoint port must be server A's ListenPort (51821), not B's own 51822; since server A initiates the connection, the Endpoint line on B is optional and WireGuard updates it from A's first authenticated packet anyway. The two iptables rules mark everything that arrives from the tunnel and masquerade only marked packets leaving on another interface, so the VPS's own traffic is left alone. Open UDP 51822 in the VPS firewall. If you wish to forward ports, add the following 2 lines under [Interface] per port you wish to forward:
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 12345 -j DNAT --to-destination 10.0.0.1
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 12345 -j DNAT --to-destination 10.0.0.1

Connections to the VPS on port 12345 are rewritten to 10.0.0.1 and sent down the tunnel, so the service on server A must listen on 10.0.0.1 (or 0.0.0.0) inside the namespace; replies are matched by conntrack and un-NATed automatically. Enable & start wg0 using wg-quick:
systemctl enable --now wg-quick@wg0

Server A:

Create a wireguard config at /etc/wireguard/wg0.conf with the following content. It contains only wg(8) keys (no Address or PreUp lines) because it is loaded with wg setconf rather than wg-quick; the address is assigned by the namespace script below:
[Interface]
PrivateKey = <endpoint-a.key>
ListenPort = 51821
[Peer]
PublicKey = <endpoint-b.pub>
Endpoint = <server B ip address>:51822
AllowedIPs = 0.0.0.0/0

AllowedIPs = 0.0.0.0/0 makes wg0 accept any destination, so everything the namespace sends goes to server B. If server A sits behind NAT, add PersistentKeepalive = 25 to [Peer] so the VPS keeps a current endpoint for forwarded ports while the service is idle. Create a script to set up the namespace:
cat <<'EOF' | sudo tee /etc/wireguard/netns_setup.sh
#!/bin/sh
# create the namespace, move a fresh wg0 into it and make the tunnel its only route
set -e
ip netns add pvt-net1
ip -n pvt-net1 link set lo up
ip link add wg0 type wireguard
ip link set wg0 netns pvt-net1
ip netns exec pvt-net1 wg setconf wg0 /etc/wireguard/wg0.conf
ip -n pvt-net1 address add 10.0.0.1/32 dev wg0
ip -n pvt-net1 link set wg0 up
ip -n pvt-net1 route add default dev wg0
EOF

The order matters: wg0 is created in the host namespace and only then moved, so its UDP socket stays in the host namespace (where the real uplink is) while the interface itself lives in pvt-net1. That is what lets the namespace have no route at all except the tunnel. Make script executable:
chmod +x /etc/wireguard/netns_setup.sh

Make DNS work. The namespace cannot reach the host's resolver, so give it its own resolv.conf (ip netns exec bind-mounts /etc/netns/<name>/resolv.conf over /etc/resolv.conf); lookups then travel through the tunnel like everything else, and the chmod lets an unprivileged service user read the file:
mkdir -p /etc/netns/pvt-net1
echo nameserver 1.1.1.1 | sudo tee /etc/netns/pvt-net1/resolv.conf >/dev/null
chmod -R o+rX /etc/netns

Create a systemd service to execute this on boot:
cat <<'EOF' | sudo tee /etc/systemd/system/tunnel1.service
[Unit]
Description=Tunnel 1
After=network.target network-online.target
Wants=network-online.target
[Service]
ExecStart=/etc/wireguard/netns_setup.sh
ExecStop=/sbin/ip netns delete pvt-net1
Type=oneshot
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF

RemainAfterExit=yes keeps the oneshot unit "active" so other units can depend on it; the ExecStop removes the namespace again, otherwise a later restart fails because ip netns add refuses to create a namespace that already exists. Execute on boot & execute now:
systemctl enable --now tunnel1

Use a systemd override to bind the service to the network namespace & ensure it is started only after the tunnel is up:
systemctl edit <service>

Add the following at the top, in the override section (you may have to adjust an existing After= line):
[Unit]
After=network.target network-online.target tunnel1.service
Requires=tunnel1.service
[Service]
NetworkNamespacePath=/run/netns/pvt-net1
BindReadOnlyPaths=/etc/netns/pvt-net1/resolv.conf:/etc/resolv.conf

The unit created above is tunnel1.service (there is no tunnel1.target). After= only orders the two units; Requires= additionally pulls the tunnel in when the service starts and refuses to start the service if the tunnel failed to come up, which is what prevents the service from running on the host network. NetworkNamespacePath= joins the process to the namespace the script created, and the bind mount gives it the namespace's resolver. Reload systemd & restart service:
systemctl daemon-reload
systemctl restart <your service>

Note that the host's own wg command shows nothing, because wg0 lives inside pvt-net1; check the tunnel from within the namespace with ip netns exec pvt-net1.

This whole config was derived from https://www.procustodibus.com/blog/2023/04/wireguard-netns-for-specific-apps. All credit goes to them!
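As an added example that is not part of the original post or of the procustodibus article, the following shell script checks the two wg0.conf files for the mistakes that are easiest to make when typing them (a peer Endpoint port that does not match the other side's ListenPort, swapped public keys) and, run as root on server A once everything is up, verifies that the namespace's default route is wg0, that a handshake has completed, that the routed service's main process really lives in pvt-net1 and that its egress address differs from the host's. The config paths, the namespace and unit names and the IP echo URL are assumptions matching the post; the configs and key files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not the post's or procustodibus' own code. Namespace name,
# unit name and IP_ECHO_URL are assumptions; adjust them for your hosts.
set -eu

NS=pvt-net1
IP_ECHO_URL=${IP_ECHO_URL:-https://ifconfig.me}   # any "what is my IP" endpoint (assumed)

# conf_get FILE SECTION KEY: value of KEY in the first [SECTION] of a wg conf file.
conf_get() {
    awk -v sect="[$2]" -v key="$3" '
        $0 == sect { insect = 1; next }
        /^\[/      { insect = 0 }
        insect && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# port_of HOST:PORT: the port part of a WireGuard Endpoint value (IPv6 brackets included).
port_of() { printf '%s\n' "$1" | sed 's/.*://'; }

# check_ports A_CONF B_CONF: the port each side dials must equal the other side's
# ListenPort or the handshake never completes. A side without an Endpoint (B does
# not need one, A initiates) is skipped.
check_ports() {
    a_listen=$(conf_get "$1" Interface ListenPort)
    b_listen=$(conf_get "$2" Interface ListenPort)
    a_dials=$(port_of "$(conf_get "$1" Peer Endpoint)")
    b_dials=$(port_of "$(conf_get "$2" Peer Endpoint)")
    if [ -n "$a_dials" ] && [ "$a_dials" != "$b_listen" ]; then
        echo "A dials port $a_dials but B listens on ${b_listen:-nothing}" >&2; return 1
    fi
    if [ -n "$b_dials" ] && [ "$b_dials" != "$a_listen" ]; then
        echo "B dials port $b_dials but A listens on ${a_listen:-nothing}" >&2; return 1
    fi
}

# check_keys A_CONF B_CONF A_PUB B_PUB: each side's [Peer] PublicKey must be the
# OTHER side's public key file; a swap leaves wg silently without a handshake.
check_keys() {
    [ "$(conf_get "$1" Peer PublicKey)" = "$(cat "$4")" ] \
        || { echo "A's peer key is not B's public key" >&2; return 1; }
    [ "$(conf_get "$2" Peer PublicKey)" = "$(cat "$3")" ] \
        || { echo "B's peer key is not A's public key" >&2; return 1; }
}

# live_check SERVICE: run as root on server A after tunnel1 and SERVICE are up.
live_check() {
    # 1. the only default route inside the namespace is the tunnel
    ip -n "$NS" route show default | grep -q 'dev wg0' \
        || { echo "no default route via wg0 in $NS" >&2; return 1; }
    # 2. the peer completed a handshake (latest-handshakes prints "<pubkey> <epoch>")
    ip netns exec "$NS" wg show wg0 latest-handshakes | awk '$2 > 0 { ok = 1 } END { exit !ok }' \
        || { echo "no WireGuard handshake yet" >&2; return 1; }
    # 3. the service's main process is in the namespace: its /proc/PID/ns/net must
    #    resolve to the same nsfs inode as the bind mount under /run/netns
    pid=$(systemctl show -p MainPID --value "$1")
    [ "$(stat -L -c %i "/proc/$pid/ns/net")" = "$(stat -L -c %i "/run/netns/$NS")" ] \
        || { echo "$1 (pid $pid) is not running in $NS" >&2; return 1; }
    # 4. the namespace egresses through server B, not through the host's own address
    host_ip=$(curl -s "$IP_ECHO_URL")
    ns_ip=$(ip netns exec "$NS" curl -s "$IP_ECHO_URL")
    [ "$host_ip" != "$ns_ip" ] \
        || { echo "namespace exits with the host's own IP $host_ip" >&2; return 1; }
    echo "ok: $1 runs in $NS, handshake done, exits via $ns_ip"
}

case "${1:-}" in
    check) check_ports "$2" "$3" && check_keys "$2" "$3" "$4" "$5" && echo "configs consistent" ;;
    live)  live_check "${2:?service name required}" ;;
    *)     echo "usage: $0 check A.conf B.conf A.pub B.pub | live <service>" >&2 ;;
esac
```

Run `check` on copies of both config files before deploying them, and `live <service>` on server A after the reboot; the third live check is the same comparison `ip netns identify` performs, so a service that silently fell back to the host namespace (for example because the override was written to the wrong unit) is caught even when the tunnel itself is healthy.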
You have to edit the service you want to route into your tunnel with

systemctl edit <service-name>

and add the following lines before being able to start the tunnel service:

This tutorial is not a standard WireGuard guide where you can use the command

wg

to check your VPN status. You have to follow the guide until the end; then the easiest is to reboot your server. After the reboot, you will be able to check if the traffic is properly routed through the VPN.