| | | |
|---|---|---|
| author | Dawid Rycerz <dawid@rycerz.xyz> | 2026-02-08 22:52:24 +0100 |
| committer | Dawid Rycerz <dawid@rycerz.xyz> | 2026-02-08 22:52:24 +0100 |
| commit | 29b7f448ec0bad2f6a80ffeda4ffcd91140317e5 (patch) | |
| tree | 45be1804ef743a3273a2fff64b8c3d47db530b3e /src/content/post/configure-wireguard-vpn-behind-nat.md | |
| parent | 57efd96a0f568491fe6138e39ab05f09727261ba (diff) | |
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Diffstat (limited to 'src/content/post/configure-wireguard-vpn-behind-nat.md')
| -rw-r--r-- | src/content/post/configure-wireguard-vpn-behind-nat.md | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/src/content/post/configure-wireguard-vpn-behind-nat.md b/src/content/post/configure-wireguard-vpn-behind-nat.md new file mode 100644 index 0000000..3b59c71 --- /dev/null +++ b/src/content/post/configure-wireguard-vpn-behind-nat.md 
@@ -0,0 +1,100 @@ +--- +title: "Configure Wireguard VPN" +description: "wireguard VPN behind NAT" +publishDate: "2020-02-10" +tags: ["archived", "network", "en"] +author: "Dawid" +--- + +[Wireguard](https://www.wireguard.com/) is fast, simple (around 4k lines of code) and secure VPN. From my perspective as a user, a configuration is as simple as in SSH. + +## Installation + +Add repository and install package (for other systems go to [official docs](https://www.wireguard.com/install/)) + +```bash +add-apt-repository ppa:wireguard/wireguard +apt-get update +apt-get install -y wireguard +``` + +Ensure that you enabled forwarding in sysctl. + +```bash +echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/wg.conf +echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.d/wg.conf +sysctl --system +``` + +## Configuration + +1. Create server and client keys + + ```sh + wg genkey | tee server.private.key | wg pubkey > server.public.key + wg genkey | tee client.private.key | wg pubkey > client.public.key + ``` + +2. 
`touch /etc/wireguard/wg0.conf` and put config for VPN interface: + + ```ini + [Interface] + Address=<server VPN ip>/24 + PrivateKey = <server private key> + ListenPort = 51820 + PostUp = iptables -t nat -A POSTROUTING -o <server NAT interface> -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o <server NAT interface> -j MASQUERADE + PostDown = iptables -t nat -D POSTROUTING -o <server NAT interface> -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o <server NAT interface> -j MASQUERADE + + [Peer] + PublicKey = <client public key> + AllowedIPs = <client VPN ip>/32 + ``` + + Example: + + ```ini + [Interface] + Address=192.168.101.1/24 + PrivateKey = mHjrLYUTKbrGqJViVOHfQX9dN0Sn49gJNoof68nbJHA= + ListenPort = 51820 + PostUp = iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE + PostDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE + + [Peer] + PublicKey = XKT1Ctj5b+gjXc1gMtOdxNEpc9UUM2TsXaFdAyABd3w= + AllowedIPs = 192.168.101.2/32 + ``` + +3. Run VPN server with `wg-quick up` + +4. Create config for client + + ```ini + [Interface] + Address = <client VPN ip>/24 + PrivateKey = <Client Private Key> + ListenPort = 21841 + DNS = <dns ip 1>,<dns ip 2> + + [Peer] + PublicKey = <server public key> + Endpoint = <server bridge interface address>:51820 + AllowedIPs = 0.0.0.0/0 + ``` + + Example: + + ```ini + [Interface] + Address = 192.168.101.2/32 + PrivateKey = 0AQI65ehzszpXf9f2FWEABX90PX+gv5DJH3/mkZ/eW8= + ListenPort = 21841 + DNS = 1.1.1.1,1.1.0.0 + + [Peer] + PublicKey = ccDLW5zKussL3ejxMqWpx1uZMfN09bkGAirCWXZWp0s= + Endpoint = 192.168.1.5:51820 + AllowedIPs = 0.0.0.0/0 + ``` + +5. Install client software https://www.wireguard.com/install/ and paste client config |
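Review bot: the two `Example:` blocks in this hunk publish complete keypairs, including the private halves (`PrivateKey = mHjrLYUTKbrGqJViVOHfQX9dN0Sn49gJNoof68nbJHA=` in the server config and `PrivateKey = 0AQI65ehzszpXf9f2FWEABX90PX+gv5DJH3/mkZ/eW8=` in the client config); even for an archived post, keep the `<server private key>` / `<Client Private Key>` placeholders used in the templates just above them, and treat any peer that was ever deployed with these values as compromised. On the same hunk, the title and description promise a setup "behind NAT", but nothing in the text says what that requires: the client's `Endpoint = 192.168.1.5:51820` is a private address reachable only from the same LAN, so an external client needs the router to forward UDP 51820 to the server, and a client that is itself behind NAT needs a `PersistentKeepalive` line in its `[Peer]` section so the NAT mapping stays open; a sentence on each would make the post match its title. Smaller inconsistencies worth fixing in the same pass: the server enables `net.ipv6.conf.all.forwarding` and adds an `ip6tables ... MASQUERADE` rule, yet the client has no IPv6 `Address` and only `AllowedIPs = 0.0.0.0/0`, so either add `::/0` plus an IPv6 address or drop the IPv6 lines; the client template uses `Address = <client VPN ip>/24` while the example uses `/32`; `DNS = 1.1.1.1,1.1.0.0` looks like a typo for Cloudflare's secondary resolver `1.0.0.1`; and since the post is dated 2020-02-10, the `add-apt-repository ppa:wireguard/wireguard` step could be marked as unnecessary on Ubuntu 20.04 and later, where the `wireguard` package ships in the main archive.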
