

Set up a WireGuard VPN from your VPS to your local network (even behind CG-NAT)


In this tutorial you will learn how to connect your local network (mainly, a PC) with a computer somewhere else (in this case a VPS at some cloud provider). This way you can forward traffic IN to and OUT of your local network from the internet, keep the original client IPs at the local end, and use the other computer as a firewall or gateway. It also works when your ISP puts you behind CG-NAT, because it is always the local PC that opens the tunnel towards the VPS, never the other way round.


First of all, make sure IP forwarding is enabled on the VPS (it has to forward the redirected traffic into the tunnel). localpc only needs it if you later route other machines of your LAN through it. Writing to /proc takes effect immediately but is not saved across reboots, so also put net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/ (or run the command from a PostUp line of the WireGuard config):

echo 1 > /proc/sys/net/ipv4/ip_forward


Second, install WireGuard on both computers (the VPS and localpc):

apt install wireguard wireguard-dkms
 
# wireguard-dkms is only needed on kernels older than 5.6; since then the module is part of the mainline kernel and this is enough:
apt install wireguard


Create your WireGuard private/public key pair on both computers (the files themselves are not needed, only their content; we will remove them later). The umask makes sure the private key is never readable by other users, not even for a moment:

cd /etc/wireguard/
umask 077
wg genkey | tee private.key | wg pubkey > public.key

Then, configure your server (the VPS) in /etc/wireguard/<yoursrv>.conf. Mind that <yoursrv> goes without "<" and ">" and will be the name of the WireGuard network interface that wg-quick creates. The file contains the private key, so it must be readable by root only (mode 600).

[Interface]
# The address of the WireGuard interface on the VPS. With /24 wg-quick adds the
# on-link route for the whole tunnel subnet itself, so no manual "ip route add" is needed.
Address = 10.5.0.1/24

# We listen on 443 (UDP) to evade traffic limiting by residential internet providers:
# QUIC (for example, YouTube) uses this port, so providers rarely throttle or inspect it.
# This is UDP, so it does not collide with the TCP 80/443 redirection done later with
# iptables, but it would collide with an HTTP/3 server running on the VPS.
ListenPort = 443

PrivateKey = <copy the text from "private.key" file created before, the one of the VPS>
# The next line is commented out and not needed; it is just a way to keep the public key
# somewhere you can find it for further configurations.
#PublicKey = <copy the text from "public.key" file created before, the one of the VPS>

# Totally optional: routes to other networks behind localpc. WireGuard only sends a
# packet to a peer whose AllowedIPs cover the destination, so these prefixes must also
# be listed in the [Peer] AllowedIPs below; once they are, wg-quick installs the routes
# by itself and these lines become unnecessary.
#PostUp = ip route add 10.0.0.0/8 via 10.5.0.2
#PostUp = ip route add 192.168.0.0/16 via 10.5.0.2

# MTU. wg-quick already sets 1420 by default: 1500 minus 80 bytes of IPv6 (40) + UDP (8)
# + WireGuard (32) headers, so an encrypted packet still fits in a 1500-byte path even when
# the outer transport is IPv6. Only lower it if your uplink MTU is below 1500; never raise
# it to 1500 or the tunnel packets will get fragmented or dropped.
#MTU = 1420


# peer configuration (server side) for your VPN client: localpc
[Peer]
PublicKey = <copy the text from "public.key" file created before, the one of the localpc>
# AllowedIPs has two meanings at once: the source IPs accepted from this peer and the
# destinations that are routed to it. On the VPS list only the tunnel address of the peer.
# Do NOT put 0.0.0.0/0 here: wg-quick would move the VPS's own default route into the
# tunnel, and every answer the VPS sends (your SSH session included) would go to localpc
# instead of the internet.
AllowedIPs = 10.5.0.2/32
# No Endpoint and no PersistentKeepalive here: localpc is behind CG-NAT, so it is the one
# that has to dial in and keep the NAT mapping alive. The VPS learns its address from
# those packets.

Now, on localpc, edit the file /etc/wireguard/<whatever>.conf (again mode 600) and add this content:

[Interface]
# This will be the IP of your localpc WireGuard interface
Address = 10.5.0.2/32

PrivateKey = <copy the text from "private.key" file created before, the one of the localpc>
# Commented out and not needed; just a place to keep the public key for further configurations.
#PublicKey = <copy the text from "public.key" file created before, the one of the localpc>

[Peer]
PublicKey = <copy the text from "public.key" file created before, the one of the VPS>
# 0.0.0.0/0 sends ALL of localpc's traffic into the tunnel (wg-quick installs a default
# route through it and excludes only the tunnel's own UDP packets). This is required here:
# answers to the web connections redirected by the VPS must go back through the VPS, so
# that its connection tracking can undo the NAT and reply from the VPS public IP. It also
# means localpc reaches the internet through the VPS (hence the MASQUERADE rule later).
AllowedIPs = 0.0.0.0/0
# Only localpc sets an Endpoint, because only the VPS has a public IP.
# Remember: 443/udp, and it must be reachable from localpc.
Endpoint = <IP_of_the_VPS>:443
# localpc sits behind CG-NAT, so it sends a keepalive every 25 s (the value wg(8)
# recommends) to keep the NAT mapping open, so the VPS can send traffic in at any time.
PersistentKeepalive = 25


Then, remove the "public.key" and "private.key" files on both computers. The .conf files now hold the private keys, so make sure nobody but root can read them:

cd /etc/wireguard/
rm public.key private.key
chmod 600 /etc/wireguard/*.conf
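Before bringing the interfaces up it is worth checking the two files for the mistakes this kind of setup invites. The following Python script is an added example and not part of the original page: a small parser for the wg-quick INI format (configparser cannot hold several [Peer] sections with the same keys) plus checks for a VPS-side peer carrying 0.0.0.0/0 in AllowedIPs (which makes wg-quick move the VPS's own default route into the tunnel), a client behind NAT without Endpoint or PersistentKeepalive, an MTU above 1420, malformed keys, and the same AllowedIPs prefix listed under two peers (wg silently hands it to the later one). The embedded sample configs are constructed for the demo, with dummy keys of the right shape, and the IPs are the ones used in this tutorial.

```python
"""Sanity-check wg-quick configs for the pitfalls of a VPS <-> NATed-client setup.

Added example; the sample configs at the bottom are constructed, with dummy keys.
Usage: python3 wgcheck.py /etc/wireguard/yoursrv.conf server
       python3 wgcheck.py /etc/wireguard/whatever.conf client
"""
import ipaddress
import re
import sys

KEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")  # a 32-byte key in base64 is always 43 chars + '='


def parse_wg_conf(text):
    """Parse a wg-quick file into {'Interface': {...}, 'Peer': [{...}, ...]}.

    Keys are lower-cased (wg accepts any case) and '#' starts a comment, as in wg-quick.
    A hand-written parser is used because one file can hold many [Peer] sections that
    all carry the same keys, which configparser cannot represent.
    """
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = iface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, value = line.split("=", 1)  # base64 keys end in '=', so split once from the left
            current[key.strip().lower()] = value.strip()
    return {"Interface": iface, "Peer": peers}


def _cidrs(value):
    return [ipaddress.ip_network(c.strip(), strict=False) for c in value.split(",") if c.strip()]


def lint(text, role):
    """Return a list of findings; role is 'server' (the VPS with the public IP)
    or 'client' (localpc behind CG-NAT). An empty list means nothing was found."""
    conf = parse_wg_conf(text)
    iface, peers, findings = conf["Interface"], conf["Peer"], []
    for key in ("address", "privatekey"):
        if key not in iface:
            findings.append(f"Interface: {key} missing")
    if "privatekey" in iface and not KEY_RE.fullmatch(iface["privatekey"]):
        findings.append("Interface: PrivateKey is not a base64-encoded 32-byte key")
    if int(iface.get("mtu", 1420)) > 1420:
        findings.append("Interface: MTU above 1420 does not fit a 1500-byte path once the "
                        "IPv6 (40) + UDP (8) + WireGuard (32) headers are added")
    if role == "server" and "listenport" not in iface:
        findings.append("Interface: the VPS needs a fixed ListenPort for the NATed peer to reach")
    seen = {}  # exact AllowedIPs prefix -> first peer that listed it
    for i, peer in enumerate(peers, 1):
        where = f"Peer {i}"
        if not KEY_RE.fullmatch(peer.get("publickey", "")):
            findings.append(f"{where}: PublicKey missing or malformed")
        allowed = _cidrs(peer.get("allowedips", ""))
        if not allowed:
            findings.append(f"{where}: AllowedIPs missing, nothing is routed to or accepted from it")
        for net in allowed:
            if net in seen:
                findings.append(f"{where}: {net} is already listed under Peer {seen[net]}; "
                                "wg silently moves it to the later peer")
            seen.setdefault(net, i)
        if role == "server" and any(net.prefixlen == 0 for net in allowed):
            findings.append(f"{where}: 0.0.0.0/0 on the VPS side makes wg-quick send the VPS's own "
                            "default route into the tunnel; list only the peer's tunnel address")
        if role == "client":
            if "endpoint" not in peer:
                findings.append(f"{where}: a client behind NAT must set Endpoint (the VPS has the public IP)")
            if "persistentkeepalive" not in peer:
                findings.append(f"{where}: a client behind NAT should set PersistentKeepalive (25) "
                                "to keep the NAT mapping alive")
    return findings


# Constructed samples (dummy keys of the right shape, not real ones).
DUMMY_KEY = "A" * 43 + "="
# A VPS config whose [Peer] carries 0.0.0.0/0: it hijacks the VPS default route.
SERVER_WRONG = f"""
[Interface]
Address = 10.5.0.1/24
ListenPort = 443
PrivateKey = {DUMMY_KEY}

[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 10.5.0.2/32, 0.0.0.0/0
"""
# The same file with only the peer's tunnel address allowed.
SERVER_OK = SERVER_WRONG.replace(", 0.0.0.0/0", "")
CLIENT_OK = f"""
[Interface]
Address = 10.5.0.2/32
PrivateKey = {DUMMY_KEY}

[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:443
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        problems = lint(open(sys.argv[1]).read(), sys.argv[2])
    else:  # no arguments: lint the constructed wrong VPS config
        problems = lint(SERVER_WRONG, "server")
    print("\n".join(problems) or "no problems found")
    sys.exit(1 if problems else 0)
```

The role argument matters: the same 0.0.0.0/0 that is a bug on the VPS is exactly what localpc needs, so the checks are not symmetric. Run it against both files before wg-quick up; a non-zero exit means something was flagged.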


Finally, bring both interfaces up with the wg-quick command or, if you have it, with systemd (wg-quick@<name> reads /etc/wireguard/<name>.conf).

# on the VPS:
wg-quick up yoursrv # the manual way
systemctl enable --now wg-quick@yoursrv # the systemd way: enable at boot and start now
 
# on the localpc:
wg-quick up whatever # the manual way
systemctl enable --now wg-quick@whatever # the systemd way
 
# mind we used the interface name "yoursrv" on the VPS and "whatever" on localpc just to show that the two names are independent and do not affect how it works. You can also use the same name on both.


If everything is OK, you should be able to ping your VPS from localpc:

ping 10.5.0.1
 
# Check the WireGuard status on either host with:
wg
# A working tunnel shows a recent "latest handshake" and growing transfer counters for the peer. A handshake that never appears usually means 443/udp is not reachable or a key was pasted on the wrong side.


To end this tutorial, you need these final steps too. In order to route some traffic (say, for example, web) to localpc, you must add some iptables rules on the VPS. In our example, we could do it like this. Note that iptables rules are not saved across reboots: either use iptables-persistent or put them in PostUp lines (and their -D counterparts in PostDown lines) of the server's WireGuard config, so they live and die with the interface.

# Route the IN traffic on ports 80,443 TCP to your localpc VPN IP. (You could also use another IP of your LAN behind localpc if you add the corresponding prefix to AllowedIPs in the WireGuard configuration.)
iptables -t nat -A PREROUTING -d <public_ip_of_VPS> -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.5.0.2
 
# Masquerade the VPN IP of localpc when it goes OUT of the public (internet-facing) interface.
iptables -t nat -A POSTROUTING -s 10.5.0.2/32 -o <interface_name_of_public_ip_of_VPS> -j MASQUERADE
 
# If you use a DROP policy on your FORWARD filter chain, you must also allow the forwarded traffic.
# First the answers to already established connections, in both directions: without this, the
# replies to connections localpc opens through the VPS are dropped.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Then the redirected web traffic coming in (matched after the DNAT, hence the tunnel address).
iptables -A FORWARD -i <interface_name_of_public_ip_of_VPS> -o yoursrv -d 10.5.0.2 -p tcp -m multiport --dports 80,443 -j ACCEPT
# And anything localpc sends out through the VPS.
iptables -A FORWARD -i yoursrv -o <interface_name_of_public_ip_of_VPS> -j ACCEPT


With all of this, internet traffic reaches your localpc with the original client IPs preserved: the DNAT rewrites only the destination address, so the web server on localpc logs the real client addresses. Keep in mind that this exposes ports 80 and 443 of localpc directly to the internet. The VPS only forwards packets and does not terminate TLS, so the web server and firewall on localpc must be hardened as if they were publicly reachable (they now are).

docu/csheet/net/relays/vpn_wireguard_vps.1688074794.txt.gz · Last modified: 2023/06/29 21:39 by admin