From 29b7f448ec0bad2f6a80ffeda4ffcd91140317e5 Mon Sep 17 00:00:00 2001 From: Dawid Rycerz Date: Sun, 8 Feb 2026 22:52:24 +0100 Subject: feat(posts): port archived posts from old rycerz.co site Co-Authored-By: Claude Opus 4.6 --- .../post/configure-wireguard-vpn-behind-nat.md | 100 +++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 src/content/post/configure-wireguard-vpn-behind-nat.md (limited to 'src/content/post/configure-wireguard-vpn-behind-nat.md') diff --git a/src/content/post/configure-wireguard-vpn-behind-nat.md b/src/content/post/configure-wireguard-vpn-behind-nat.md new file mode 100644 index 0000000..3b59c71 --- /dev/null +++ b/src/content/post/configure-wireguard-vpn-behind-nat.md 
@@ -0,0 +1,100 @@ +--- +title: "Configure Wireguard VPN" +description: "wireguard VPN behind NAT" +publishDate: "2020-02-10" +tags: ["archived", "network", "en"] +author: "Dawid" +--- + +[Wireguard](https://www.wireguard.com/) is fast, simple (around 4k lines of code) and secure VPN. From my perspective as a user, a configuration is as simple as in SSH. + +## Installation + +Add repository and install package (for other systems go to [official docs](https://www.wireguard.com/install/)) + +```bash +add-apt-repository ppa:wireguard/wireguard +apt-get update +apt-get install -y wireguard +``` + +Ensure that you enabled forwarding in sysctl. + +```bash +echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/wg.conf +echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.d/wg.conf +sysctl --system +``` + +## Configuration + +1. Create server and client keys + + ```sh + wg genkey | tee server.private.key | wg pubkey > server.public.key + wg genkey | tee client.private.key | wg pubkey > client.public.key + ``` + +2. `touch /etc/wireguard/wg0.conf` and put config for VPN interface: + + ```ini + [Interface] + Address=/24 + PrivateKey = + ListenPort = 51820 + PostUp = iptables -t nat -A POSTROUTING -o -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o -j MASQUERADE + PostDown = iptables -t nat -D POSTROUTING -o -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o -j MASQUERADE + + [Peer] + PublicKey = + AllowedIPs = /32 + ``` + + Example: + + ```ini + [Interface] + Address=192.168.101.1/24 + PrivateKey = mHjrLYUTKbrGqJViVOHfQX9dN0Sn49gJNoof68nbJHA= + ListenPort = 51820 + PostUp = iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE + PostDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE + + [Peer] + PublicKey = XKT1Ctj5b+gjXc1gMtOdxNEpc9UUM2TsXaFdAyABd3w= + AllowedIPs = 192.168.101.2/32 + ``` + +3. Run VPN server with `wg-quick up` + +4. 
Create config for client + + ```ini + [Interface] + Address = /24 + PrivateKey = + ListenPort = 21841 + DNS = , + + [Peer] + PublicKey = + Endpoint = :51820 + AllowedIPs = 0.0.0.0/0 + ``` + + Example: + + ```ini + [Interface] + Address = 192.168.101.2/32 + PrivateKey = 0AQI65ehzszpXf9f2FWEABX90PX+gv5DJH3/mkZ/eW8= + ListenPort = 21841 + DNS = 1.1.1.1,1.1.0.0 + + [Peer] + PublicKey = ccDLW5zKussL3ejxMqWpx1uZMfN09bkGAirCWXZWp0s= + Endpoint = 192.168.1.5:51820 + AllowedIPs = 0.0.0.0/0 + ``` + +5. Install client software https://www.wireguard.com/install/ and paste client config -- cgit v1.2.3
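Review bot: Private key handling in step 1 and in both "Example" blocks needs tightening before this is published. `wg genkey | tee server.private.key` creates the key file under the shell's default umask, and because the output goes through `tee`, `wg` cannot warn about a world-readable file; put `umask 077` ahead of the two `wg genkey` lines. The example configs carry literal base64 `PrivateKey` values; even if these are throwaway keys, readers copy examples verbatim, so replace them with an obvious placeholder. In the client config, `AllowedIPs = 0.0.0.0/0` covers IPv4 only, while the server side enables IPv6 forwarding and an `ip6tables` MASQUERADE rule; either add IPv6 addresses plus `::/0`, or say the setup is IPv4-only so readers do not assume IPv6 traffic is tunnelled. Smaller points: `DNS = 1.1.1.1,1.1.0.0` looks like a typo for `1.0.0.1`, step 3 gives `wg-quick up` without the interface name (`wg0`, per step 2), and the client example uses `Address = 192.168.101.2/32` where the template above it shows `/24`.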