@ungeskriptet
Created August 17, 2024 13:13
WireGuard configs to bypass CGNAT

This set of files will help you to connect to a network behind carrier-grade NAT using WireGuard. You'll be able to access the LAN of the WireGuard peer behind the CGNAT and route your entire internet traffic to it.

Setup

  • wireguard-hub.conf: This config is intended for the WireGuard peer that has access to a public IP address, e.g. VPS
  • openwrt.conf: This config is intended for the WireGuard peer behind the CGNAT, e.g. OpenWrt router or Raspberry Pi
  • client.conf: This config is intended for a WireGuard peer that wants to access the LAN of the device behind the CGNAT and route its entire internet traffic to it, e.g. computer or mobile phone

Generating keys

Install wireguard-tools and use these commands to generate the keys:

  • Private Key: $ umask 077 && wg genkey > privatekey
  • Public Key: $ wg pubkey < privatekey > publickey
  • Preshared Key: $ wg genpsk > presharedkey
client.conf

[Interface]
PrivateKey = <client_privatekey>
Address = 192.168.225.3/24
# Resolve names through the DNS server on the OpenWrt side of the tunnel
DNS = <openwrt_dnsip>
# WireGuard Hub
[Peer]
PublicKey = <wireguard-hub_publickey>
# Same preshared key as the client [Peer] entry in wireguard-hub.conf
PresharedKey = <client_presharedkey>
# Send all traffic into the tunnel; the hub forwards it to the OpenWrt peer
AllowedIPs = 0.0.0.0/0
Endpoint = <wireguard-hub_publicip>:51820
PersistentKeepalive = 25

openwrt.conf

[Interface]
PrivateKey = <openwrt_privatekey>
Address = 192.168.225.2/24
# WireGuard Hub
[Peer]
PublicKey = <wireguard-hub_publickey>
# Same preshared key as the OpenWrt [Peer] entry in wireguard-hub.conf
PresharedKey = <openwrt_presharedkey>
# Whole tunnel subnet, so packets from the client (192.168.225.3) relayed by the hub are accepted
AllowedIPs = 192.168.225.0/24
Endpoint = <wireguard-hub_publicip>:51820
# Keeps the CGNAT mapping open so the hub can reach this peer at any time
PersistentKeepalive = 25

wireguard-hub.conf

[Interface]
PrivateKey = <wireguard-hub_privatekey>
ListenPort = 51820
Address = 192.168.225.1/24
Table = 123 # Create custom routing table; AllowedIPs routes go there instead of the main table
PreUp = sysctl -w net.ipv4.ip_forward=1
# Packets arriving from the tunnel are routed via table 123 (default route = OpenWrt peer).
# %i expands to the interface name, which wg-quick derives from the config file name.
PreUp = ip rule add iif %i table 123 priority 456
PostDown = ip rule del iif %i table 123 priority 456
# Peer 1 behind CGNAT
[Peer]
PublicKey = <openwrt_publickey>
PresharedKey = <openwrt_presharedkey>
# 0.0.0.0/0 makes this peer the default route inside table 123 only
AllowedIPs = 192.168.225.2/32, 0.0.0.0/0
PersistentKeepalive = 25
# Peer 2 that wants to access the LAN/internet of Peer 1
[Peer]
PublicKey = <client_publickey>
PresharedKey = <client_presharedkey>
AllowedIPs = 192.168.225.3/32
PersistentKeepalive = 25
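Added example, not part of the gist: a small check that parses the hub config and one spoke config (openwrt.conf or client.conf) and reports mismatches between them, the kind of slip (a PresharedKey pasted from the wrong field, an Endpoint port that does not match the hub's ListenPort) that only shows up as a handshake that never completes. The sample configs, keys and the 203.0.113.10 endpoint are constructed.

```python
import ipaddress

def parse_wg(text):
    """Parse a WireGuard config into (interface_dict, [peer_dict, ...]); [Peer] repeats."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick drops '#' comments
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers

def allowed(peer):
    return [ipaddress.ip_network(a.strip(), strict=False) for a in peer["AllowedIPs"].split(",")]

def check_spoke(hub_text, spoke_text):
    """List mismatches between the hub and one spoke whose single [Peer] is the hub."""
    hub_if, hub_peers = parse_wg(hub_text)
    sp_if, (sp_hub,) = parse_wg(spoke_text)
    sp_ip = ipaddress.ip_interface(sp_if["Address"]).ip
    hub_ip = ipaddress.ip_interface(hub_if["Address"]).ip
    # The hub's entry for this spoke is the [Peer] carrying its address as a /32
    entry = next((p for p in hub_peers
                  if any(n.prefixlen == 32 and sp_ip in n for n in allowed(p))), None)
    if entry is None:
        return [f"hub has no [Peer] with {sp_ip}/32 in AllowedIPs"]
    problems = []
    if entry.get("PresharedKey") != sp_hub.get("PresharedKey"):
        problems.append(f"PresharedKey for {sp_ip} differs between hub and spoke")
    port = sp_hub["Endpoint"].rsplit(":", 1)[1]
    if port != hub_if.get("ListenPort"):
        problems.append(f"Endpoint port {port} != hub ListenPort {hub_if.get('ListenPort')}")
    if not any(hub_ip in n for n in allowed(sp_hub)):
        problems.append(f"spoke AllowedIPs do not cover hub address {hub_ip}")
    return problems

# Constructed sample configs (placeholder keys, documentation IP); the hub's
# PresharedKey for the client is deliberately wrong so the check has something to find.
HUB = """[Interface]\nPrivateKey = <hub_privatekey>\nListenPort = 51820
Address = 192.168.225.1/24\nTable = 123 # custom routing table
[Peer]\nPublicKey = <client_publickey>\nPresharedKey = <client_publickey>
AllowedIPs = 192.168.225.3/32\n"""
CLIENT = """[Interface]\nPrivateKey = <client_privatekey>\nAddress = 192.168.225.3/24
[Peer]\nPublicKey = <hub_publickey>\nPresharedKey = <client_presharedkey>
AllowedIPs = 0.0.0.0/0\nEndpoint = 203.0.113.10:51820\nPersistentKeepalive = 25\n"""
```

Run `check_spoke(HUB, CLIENT)` once per spoke before deploying; an empty list means the pair is consistent.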