Forked from tombowditch/
Last active February 27, 2025 13:23
Save ulumios/cb954027117ce7f875b03d936218e900 to your computer and use it in GitHub Desktop.
Tunneling a whole process through wireguard

Certain company blocking a certain hosting provider? No problem: tunnel just that one process through a small VPS with WireGuard, while the rest of the machine keeps its normal connectivity.

Consider server A your blocked server and server B your VPS.

Step 1: Generate a keypair on server A and server B

Each side keeps its private key to itself; only the public keys are exchanged (server A's goes into server B's [Peer] section and vice versa). Set umask 077 first so the private key file is not world-readable.

Server A:

umask 077
wg genkey > endpoint-a.key
wg pubkey < endpoint-a.key

Server B:

umask 077
wg genkey > endpoint-b.key
wg pubkey < endpoint-b.key

Step 2: Configure server B

Edit /etc/sysctl.conf and ensure both forwarding settings are uncommented (the rules below masquerade IPv4 as well as IPv6, so the VPS must forward both), then apply them with sysctl -p:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Create a WireGuard config at /etc/wireguard/wg0.conf with the following content. The mangle rules mark every packet that arrives through wg0, and only marked packets are masqueraded on the way out, so the VPS's own traffic is left alone; each PreUp rule has a matching PostDown so that wg-quick down removes it again. If the VPS runs a firewall with a default-deny FORWARD policy, you also have to allow forwarding between wg0 and the public interface. The Endpoint port must match server A's ListenPort (51821 in Step 3):

[Interface]
PrivateKey = <endpoint-b.key>
Address =,fd00::2/128
ListenPort = 51822

PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PreUp = ip6tables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x31
PreUp = ip6tables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x31 -j MASQUERADE
PostDown = ip6tables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x31
PostDown = ip6tables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x31 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE

[Peer]
PublicKey = <>
AllowedIPs =,fd00::1/128
Endpoint = <server A ip address>:51821

If you wish to forward ports from the VPS to server A, add the following lines under [Interface] for each port you wish to forward, one PreUp/PostDown pair per address family (the --to-destination is server A's tunnel address):

PreUp = iptables -t nat -A PREROUTING -p tcp --dport 12345 -j DNAT --to-destination
PreUp = ip6tables -t nat -A PREROUTING -p tcp --dport 12345 -j DNAT --to-destination fd00::1
PostDown = ip6tables -t nat -D PREROUTING -p tcp --dport 12345 -j DNAT --to-destination fd00::1
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 12345 -j DNAT --to-destination

Enable & start wg0 using wg-quick:

systemctl enable --now wg-quick@wg0
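Before enabling wg0, it pays to lint the hook lines: a PreUp without its PostDown leaves NAT rules behind after wg-quick down and stacks duplicates on the next up. The checker below is an added example, not part of the gist; it runs on a constructed copy of the server B rules (with an invented tunnel address, 10.8.0.1) and can be pointed at the real file with check_wg_hooks "$(cat /etc/wireguard/wg0.conf)".

```bash
#!/usr/bin/env bash
# Added example, not part of the gist: lint a wg-quick config so that every
# firewall rule added in PreUp/PostUp has a matching delete in PreDown/PostDown.
# A forgotten PostDown leaves MASQUERADE or DNAT rules behind after
# "wg-quick down", and the next "wg-quick up" then stacks a duplicate.

# Constructed sample: the server-B rules from the page plus a port-forward
# whose PostDown was forgotten. 10.8.0.1 is a made-up tunnel address.
BAD_CONF='[Interface]
PrivateKey = REDACTED
ListenPort = 51822
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 12345 -j DNAT --to-destination 10.8.0.1
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30'

# The same config with the missing PostDown added.
GOOD_CONF="$BAD_CONF
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 12345 -j DNAT --to-destination 10.8.0.1"

# Strip the "PreUp = " key and the -A/-D flag so an add and its delete compare equal.
normalize_hook() {
  sed -e 's/^[A-Za-z]* *= *//' -e 's/ -[AD] / /'
}

# check_wg_hooks CONF_TEXT
# Prints every rule that is added but never deleted (or deleted but never
# added) and returns 1 if there is at least one; returns 0 when all are paired.
check_wg_hooks() {
  conf=$1; rc=0
  adds=$(printf '%s\n' "$conf" | grep -E '^(PreUp|PostUp) *=' | normalize_hook | sort)
  dels=$(printf '%s\n' "$conf" | grep -E '^(PreDown|PostDown) *=' | normalize_hook | sort)
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    if ! printf '%s\n' "$dels" | grep -qxF -- "$rule"; then
      printf 'added but never deleted: %s\n' "$rule"; rc=1
    fi
  done <<EOF
$adds
EOF
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    if ! printf '%s\n' "$adds" | grep -qxF -- "$rule"; then
      printf 'deleted but never added: %s\n' "$rule"; rc=1
    fi
  done <<EOF
$dels
EOF
  return $rc
}

# Demo on the constructed configs; for the real file use:
#   check_wg_hooks "$(cat /etc/wireguard/wg0.conf)"
echo "== config with a forgotten PostDown =="
check_wg_hooks "$BAD_CONF" || echo "-> add the missing PostDown line"
echo "== fixed config =="
check_wg_hooks "$GOOD_CONF" && echo "-> every add has its delete"
```

The comparison only drops the key name and the -A/-D flag, so a PostDown that differs from its PreUp in any other token (a typo in the mark, a different port) shows up as an unmatched pair on both sides.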

Step 3: Configure server A

Create a WireGuard config at /etc/wireguard/wg0.conf with the following content. This file is loaded with wg setconf (not wg-quick), which only accepts WireGuard's own settings, so there is no Address line: the namespace script below assigns the addresses and routes with ip. AllowedIPs covers everything, so inside the namespace all traffic is sent to server B. If server A is behind NAT, add PersistentKeepalive = 25 to the [Peer] section so the mapping stays open and forwarded ports from server B keep working:

[Interface]
PrivateKey = <endpoint-a.key>
ListenPort = 51821

[Peer]
PublicKey = <>
Endpoint = <server B ip address>:51822
AllowedIPs = 0.0.0.0/0,::/0

Create a script under /etc/wireguard/ that sets up the namespace. WireGuard keeps its UDP socket in the namespace where the interface was created, so wg0 is created in the host namespace and only then moved into pvt-net1: the encrypted packets go out through the host's normal route to server B, while the cleartext side of the tunnel exists only inside the namespace, where it is the default route.

#!/bin/bash

# Namespace that will hold only wg0, its own loopback and a LAN-facing macvlan.
ip netns add pvt-net1
ip -n pvt-net1 link set lo up

# Create wg0 in the host namespace (its UDP socket stays here), then move it in
# and load the peer configuration from inside the namespace.
ip link add wg0 type wireguard
ip link set wg0 netns pvt-net1
ip netns exec pvt-net1 wg setconf wg0 /etc/wireguard/wg0.conf
ip -n pvt-net1 address add dev wg0
ip -6 -n pvt-net1 addr add fd00::1/128 dev wg0
ip -n pvt-net1 link set wg0 up

# Everything inside the namespace defaults to the tunnel.
ip -n pvt-net1 route add default dev wg0
ip -6 -n pvt-net1 route add default dev wg0

# A macvlan on the LAN NIC gives the namespace its own MAC and DHCP address so
# LAN clients can reach the process directly. Replace enp6s18 with your LAN
# interface; the MAC only has to be unique on your LAN.
ip link add mv1 link enp6s18 address 00:11:22:33:44:55 type macvlan mode bridge
ip link set mv1 netns pvt-net1
ip netns exec pvt-net1 ip link set dev mv1 up
# dhclient may also try to install a default route via the LAN gateway; the wg0
# default above must stay the only one (check with: ip -n pvt-net1 route show).
ip netns exec pvt-net1 dhclient mv1
ip netns exec pvt-net1 sysctl -w net.ipv4.conf.all.forwarding=1
ip netns exec pvt-net1 sysctl -w net.ipv6.conf.all.forwarding=1

Make the script executable. It is not idempotent: to start over, ip netns del pvt-net1 removes the namespace together with the wg0 and mv1 devices inside it.

chmod +x /etc/wireguard/

Make DNS work

ip netns exec bind-mounts /etc/netns/pvt-net1/resolv.conf over /etc/resolv.conf for the commands it runs, so the process uses this resolver instead of the host's (a local stub such as 127.0.0.53 would be unreachable from inside the namespace); the chmod lets unprivileged processes read it:

mkdir -p /etc/netns/pvt-net1
echo nameserver | sudo tee /etc/netns/pvt-net1/resolv.conf >/dev/null
chmod -R o+rX /etc/netns

Make routing to the LAN work

With the default route pointing at wg0, a connection from a LAN client to the namespace's mv1 address would be answered through the tunnel and never arrive. Policy routing fixes this: packets whose source is the LAN address look up a separate table whose default route is the LAN gateway. Define the table (this file is shared with the host; the name just has to be unique):

echo "200 lan" | sudo tee -a /etc/iproute2/rt_tables

Assign routes to the new table

For IPv4:

ip netns exec pvt-net1 ip route add default via <LAN_GATEWAY_IP> dev mv1 table lan
ip netns exec pvt-net1 ip rule add from <LAN_IP>/32 table lan

For IPv6:

ip netns exec pvt-net1 ip -6 route add default via <LAN_GATEWAY_IPV6> dev mv1 table lan
ip netns exec pvt-net1 ip -6 rule add from <LAN_IPV6>/128 table lan

🔹 Replace:

<LAN_GATEWAY_IP> with your actual LAN router's IP address.
<LAN_IP> with the DHCP-assigned IP (use ip netns exec pvt-net1 ip a to check).
<LAN_GATEWAY_IPV6> with your router's IPv6 address.
<LAN_IPV6> with your assigned IPv6 address.

These routes and rules live in the namespace and disappear with it, and they depend on the address dhclient was given, so add them to the end of the setup script (after dhclient) or give mv1 a static lease rather than running them once by hand.
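Once the script and the policy routing are in place, confirm that the namespace's only way out is wg0 and that LAN replies have their own path. The check below is an added example, not from the gist: it parses the output of ip -n pvt-net1 route show and ip -n pvt-net1 rule show, here fed with constructed samples for a healthy namespace (made-up LAN 192.168.1.0/24) and for the failure where dhclient's gateway route replaced the wg0 default.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist: check from the host that pvt-net1 can
# only leave through wg0. It reads the output of
#   ip -n pvt-net1 route show   (main table)
#   ip -n pvt-net1 rule show
# and flags (1) any default route in the main table that is not "dev wg0",
# such as one dhclient installed via the LAN gateway, and (2) the absence of
# the "from <LAN_IP> lookup lan" rule, without which replies to LAN clients
# would be pushed into the tunnel.

# check_ns_routes ROUTES RULES LAN_IP
# Prints one line per finding; returns 0 only when there are none.
check_ns_routes() {
  routes=$1; rules=$2; lan_ip=$3; rc=0
  defaults=$(printf '%s\n' "$routes" | grep -E '^default ' || true)
  if [ -z "$defaults" ]; then
    echo "no default route in the namespace: the process has no egress at all"
    rc=1
  fi
  while IFS= read -r r; do
    [ -n "$r" ] || continue
    case " $r " in
      *" dev wg0 "*) ;;   # the only acceptable default
      *) echo "LEAK: default route bypasses the tunnel: $r"; rc=1 ;;
    esac
  done <<EOF
$defaults
EOF
  if ! printf '%s\n' "$rules" | grep -qF -- "from $lan_ip lookup lan"; then
    echo "missing policy rule 'from $lan_ip lookup lan': LAN replies would go via wg0"
    rc=1
  fi
  return $rc
}

# Constructed outputs (192.168.1.0/24 is a made-up LAN).
LAN_IP=192.168.1.50

GOOD_ROUTES='default dev wg0 scope link
192.168.1.0/24 dev mv1 proto kernel scope link src 192.168.1.50'

# What you see when dhclient's default route won over the wg0 one.
LEAKY_ROUTES='default via 192.168.1.1 dev mv1
192.168.1.0/24 dev mv1 proto kernel scope link src 192.168.1.50'

GOOD_RULES='0:      from all lookup local
32765:  from 192.168.1.50 lookup lan
32766:  from all lookup main
32767:  from all lookup default'

# The same without the LAN rule from the step above.
NO_LAN_RULES='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'

# Demo; on a live host replace the samples with:
#   check_ns_routes "$(ip -n pvt-net1 route show)" "$(ip -n pvt-net1 rule show)" "$LAN_IP"
echo "== healthy namespace =="
check_ns_routes "$GOOD_ROUTES" "$GOOD_RULES" "$LAN_IP" && echo "ok: all egress via wg0"
echo "== dhclient replaced the default route =="
check_ns_routes "$LEAKY_ROUTES" "$NO_LAN_RULES" "$LAN_IP" || echo "-> fix: ip -n pvt-net1 route replace default dev wg0, then re-add the lan rule"
```

Run the same check against ip -6 -n pvt-net1 route show and ip -6 -n pvt-net1 rule show for the IPv6 side. As a final end-to-end test, fetch your public address from inside the namespace (ip netns exec pvt-net1 curl against any IP-echo service) and make sure it is the VPS address, not the LAN's.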

Create a systemd service that runs this script on boot: sudo nano /etc/systemd/system/tunnel1.service

Description=Tunnel 1 [email protected]



Enable it at boot and start it now:

systemctl enable --now tunnel1

Use a systemd drop-in override to bind the service to the network namespace and to make sure it starts only after the tunnel is up:

systemctl edit <service>

Add the following at the top, in the override section (you may have to change After= to match the name of your tunnel unit):



Reload systemd & restart service:

systemctl daemon-reload
systemctl restart <your service>
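The override body itself did not survive on this page, so here is one way to do what the step describes, as an added example rather than the gist's own text. It assumes the namespace file is /run/netns/pvt-net1 (where ip netns add creates it), that the tunnel unit is the tunnel1.service from above, and that the resolver file is the one created under /etc/netns/pvt-net1/. One caveat the page does not mention: NetworkNamespacePath= only joins the namespace; unlike ip netns exec it does not bind-mount /etc/netns/pvt-net1/resolv.conf, so the drop-in does that explicitly with BindReadOnlyPaths=.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist: write the systemd drop-in that runs an
# existing service inside pvt-net1 and orders it after the tunnel unit.
# Assumptions (mine, not the page's): the namespace appears at /run/netns/<name>
# because that is where "ip netns add" creates it, the tunnel unit is the
# tunnel1.service from the step above, and the resolver file is the one created
# under /etc/netns/<name>/ earlier. NetworkNamespacePath= only joins the
# namespace; it does NOT bind-mount /etc/netns/<name>/resolv.conf the way
# "ip netns exec" does, so BindReadOnlyPaths= does that here.

# write_netns_override SERVICE NETNS TUNNEL_UNIT [SYSTEMD_DIR]
# Creates SYSTEMD_DIR/SERVICE.service.d/override.conf (the same path
# "systemctl edit SERVICE" uses) and prints its path.
write_netns_override() {
  service=$1; netns=$2; tunnel_unit=$3; sysdir=${4:-/etc/systemd/system}
  dropin="$sysdir/$service.service.d"
  mkdir -p "$dropin"
  cat >"$dropin/override.conf" <<EOF
[Unit]
# Start only once the namespace and wg0 exist. Requires= (not BindsTo=) so a
# oneshot tunnel unit finishing its script does not stop this service.
After=$tunnel_unit
Requires=$tunnel_unit

[Service]
NetworkNamespacePath=/run/netns/$netns
# Give the service the namespace's resolver instead of the host's.
BindReadOnlyPaths=/etc/netns/$netns/resolv.conf:/etc/resolv.conf
EOF
  printf '%s\n' "$dropin/override.conf"
}

# Demo in a scratch directory so it runs without root. For the real service:
#   write_netns_override myapp pvt-net1 tunnel1.service
#   systemctl daemon-reload && systemctl restart myapp
demo_dir=$(mktemp -d)
cat "$(write_netns_override myapp pvt-net1 tunnel1.service "$demo_dir")"
rm -rf "$demo_dir"
```

BindReadOnlyPaths= fails the service start if /etc/netns/pvt-net1/resolv.conf does not exist yet, which is the behaviour you want: better a clear unit failure than the process silently resolving through the host. After writing the file, run systemctl daemon-reload and restart the service, then verify with systemctl show <service> -p NetworkNamespacePath.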


This whole config was derived from All credit goes to them!
