In this tutorial you will learn how to connect your local network (mainly a PC) to a computer somewhere else (in this case a VPS or some cloud server). That way we can route INBOUND and OUTBOUND traffic between the internet and your local network while preserving the original IPs of the connection, with the VPN server acting as firewall or gateway.
First of all, make sure that both the VPS and the local PC have IP forwarding enabled. Writing to /proc/sys is not persistent across reboots, so this has to be re-run on every system start. You can do so with cron, systemd, or directly in /etc/network/interfaces with a “post-up” statement on the interface you want.
echo 1 > /proc/sys/net/ipv4/ip_forward
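The usual way to make the setting survive a reboot is a sysctl drop-in rather than a boot-time echo. The following is an added example and not part of the original tutorial; the sysctl.d directory and the procfs path are parameters only so the functions can be exercised against a scratch directory, the real locations being /etc/sysctl.d and /proc/sys/net/ipv4/ip_forward.

```shell
#!/bin/sh
# Added example (not from the original tutorial): persist IPv4 forwarding through a
# sysctl drop-in and verify what the running kernel currently does.

# Write a drop-in enabling IPv4 forwarding. $1 = sysctl.d directory (default: the real one).
persist_ip_forward() {
    dir="${1:-/etc/sysctl.d}"
    mkdir -p "$dir"
    printf 'net.ipv4.ip_forward = 1\n' > "$dir/99-wireguard-forward.conf"
}

# Return the value the drop-in sets, to confirm what was written.
drop_in_value() {
    dir="${1:-/etc/sysctl.d}"
    sed -n 's/^net\.ipv4\.ip_forward *= *//p' "$dir/99-wireguard-forward.conf"
}

# Return 0 when the kernel is forwarding IPv4 right now. $1 = procfs path (default: the real one).
ip_forward_enabled() {
    path="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$path" ] && [ "$(cat "$path")" = "1" ]
}
```

After writing the drop-in, `sysctl --system` applies it immediately without a reboot; `ip_forward_enabled` then tells you whether the VPS (or localpc) is actually forwarding, which is the first thing to check when DNAT'd connections time out.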
Second, install Wireguard on your both computers (both the VPS and local PC):
apt install wireguard wireguard-dkms
# on some newer distros, just the following should work:
apt install wireguard
Create your Wireguard public/private keys on both computers (files are not needed, just their content, we will remove them later).
cd /etc/wireguard/
umask 077   # keep the key files readable by root only for as long as they exist
wg genkey | tee private.key | wg pubkey > public.key
Then configure your server (the VPS) in /etc/wireguard/<yoursrv>.conf. Note that <yoursrv> is written without the “<” and “>” and becomes the name of the WireGuard network interface that gets created.
[Interface]
# The address your wireguard interface will have
Address = 10.5.0.1/32
# We use 443 (UDP) to evade traffic limiting on our residential internet providers, as QUIC (for example, YouTube) uses this port and they can't afford limiting or monitoring large amounts of traffic on it.
ListenPort = 443
PrivateKey = <copy the text from the "private.key" file created before, the one of the VPS>
# The next line is not needed (it is commented out); it is just a way to keep the PublicKey somewhere you can inspect later for further configurations.
#PublicKey = <copy the text from the "public.key" file created before, the one of the VPS>
# Next, a series of "PostUp" commands that are executed (obviously) after the interface is brought up.
# Probably not needed: wg-quick brings the interface up by itself.
PostUp = ifconfig yoursrv broadcast 10.5.0.255 up
# Add the route needed for VPN clients. Probably not needed either: wg-quick already adds routes for each peer's AllowedIPs.
PostUp = ip route add 10.5.0.0/24 dev yoursrv
# Totally optional, other routes can be added this way
#PostUp = ip route add 10/8 via 10.5.0.2
#PostUp = ip route add 192.168/16 via 10.5.0.2
# Optional, maybe useless as your server may already set the MTU to 1420 by default.
# WireGuard uses 1420 because it reserves 80 bytes of encapsulation overhead (outer IPv6, UDP and WireGuard headers) on top of a 1500-byte path, so make sure your applications work correctly if using a 1500 MTU (the default on most *nix systems). If not, make sure that wherever your application is, the source network interface has 1420 as MTU too.
#PostUp = ifconfig yoursrv mtu 1420

# peer configuration (server side) for your VPN client: localpc
[Peer]
PublicKey = <copy the text from the "public.key" file created before, the one of the localpc>
# This setting specifies which source IPs are accepted from this peer and which destinations are routed to it
AllowedIPs = 10.5.0.2/32, 0.0.0.0/0
PersistentKeepalive = 5
Now, on the localpc, edit the file /etc/wireguard/<whatever>.conf and add this content:
[Interface]
# This will be the IP of your localpc wireguard interface
Address = 10.5.0.2/32
PrivateKey = <copy the text from the "private.key" file created before, the one of the localpc>
# The next line is not needed (it is commented out); it is just a way to keep the PublicKey somewhere you can inspect later for further configurations.
#PublicKey = <copy the text from the "public.key" file created before, the one of the localpc>

[Peer]
# Which IPs are routed through the tunnel (0.0.0.0/0 makes the VPS the default gateway of localpc)
AllowedIPs = 10.5.0.0/24, 0.0.0.0/0
PublicKey = <copy the text from the "public.key" file created before, the one of the VPS>
# remember: 443/udp, and it must be reachable from localpc
Endpoint = <IP_of_the_VPS>:443
PersistentKeepalive = 30
Then, remove the “public.key” and “private.key” files on both computers:
cd /etc/wireguard/
rm public.key private.key
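Once the key files are gone, the only copy of each private key is inside the .conf, so that file must not be readable by other users (wg-quick itself warns when a config is world accessible). The check below is an added example and not part of the original tutorial; it assumes GNU `stat`, takes the WireGuard directory as an optional argument (default /etc/wireguard) and fails if any config is group- or world-readable or if a key file survived the cleanup.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that no WireGuard secret is
# exposed on disk after the key files have been removed.

# check_wireguard_dir [DIR]: return non-zero when a *.conf has a mode other than
# 600/400 or when private.key/public.key are still present.
check_wireguard_dir() {
    dir="${1:-/etc/wireguard}"
    status=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue            # no configs at all: nothing to check
        mode=$(stat -c %a "$f")            # octal permission bits, e.g. 600
        case "$mode" in
            600|400) ;;                    # owner-only: acceptable
            *) echo "insecure mode $mode on $f" >&2; status=1 ;;
        esac
    done
    for k in "$dir"/private.key "$dir"/public.key; do
        if [ -e "$k" ]; then
            echo "leftover key material: $k" >&2
            status=1
        fi
    done
    return "$status"
}
```

Run `check_wireguard_dir` on both hosts after the cleanup step; `chmod 600 /etc/wireguard/*.conf` is the fix when it reports an insecure mode.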
Finally, get both interfaces up with the wg-quick command or using systemd if you have it.
# on the VPS:
wg-quick up yoursrv                                                    # the manual way
systemctl enable wg-quick@yoursrv; systemctl start wg-quick@yoursrv    # the systemd way
# on the localpc:
wg-quick up whatever                                                   # the manual way
systemctl enable wg-quick@whatever; systemctl start wg-quick@whatever  # the systemd way
# Mind that we used the interface name "yoursrv" on the VPS and "whatever" on localpc just to differentiate them and show that using different names does not affect how it works. You can also use the same name on both.
If everything is OK, you should be able to ping your VPS from localpc with:
ping 10.5.0.1
# Check the wireguard status on any host with:
wg
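A ping only proves the tunnel is up at that instant; `wg show <iface> dump` gives the same status in a machine-readable form that a monitoring job can evaluate. Each peer line carries public-key, preshared-key, endpoint, allowed-ips, latest-handshake (epoch seconds, 0 if never), transfer-rx, transfer-tx and persistent-keepalive, tab separated, after a first line describing the interface itself. The script below is an added example and not part of the original tutorial; the sample dump is constructed (the keys are placeholders, not real WireGuard keys) and `check_live` is a convenience wrapper that assumes the interface is called yoursrv as on the VPS above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): flag WireGuard peers whose last
# handshake is missing or older than a threshold, from `wg show <iface> dump` output.

# Constructed sample of `wg show yoursrv dump` (tab separated; placeholder keys).
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' 'SERVER_PRIVATE_KEY_PLACEHOLDER=' 'SERVER_PUBLIC_KEY_PLACEHOLDER=' 443 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'LOCALPC_PUBLIC_KEY_PLACEHOLDER=' '(none)' \
        '203.0.113.10:51820' '10.5.0.2/32,0.0.0.0/0' 1700000000 48120 39944 5
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'OTHERPEER_PUBLIC_KEY_PLACEHOLDER=' '(none)' \
        '(none)' '10.5.0.3/32' 0 0 0 off
}

# stale_peers DUMP NOW MAX_AGE: print "<public-key> <age>" for every peer whose
# latest handshake is older than MAX_AGE seconds at time NOW, or "never" if none.
stale_peers() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$3" '
        NR == 1 { next }                       # interface line, not a peer
        $5 == 0 { print $1, "never"; next }    # handshake never completed
        now - $5 > max { print $1, now - $5 }  # handshake too old
    '
}

# Live check on a real host: peers silent for more than 180 s are reported.
# WireGuard renegotiates roughly every two minutes while traffic flows, so a
# three-minute gap with PersistentKeepalive set means the peer is unreachable.
check_live() {
    stale_peers "$(wg show "${1:-yoursrv}" dump)" "$(date +%s)" 180
}
```

Run `check_live` from cron on the VPS and alert on any output; an empty result means every peer has handshaken recently.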
To finish this tutorial, you need these final steps too:
In order to route some traffic (say, for example, web) to localpc, you must write some iptables rules. In our example, we could do it like this. These rules (except where otherwise mentioned) are executed on the VPS.
# Route the incoming traffic on ports 80,443 TCP to your localpc VPN IP. (You could also use another internal network IP if you add the corresponding routes in the Wireguard configuration.)
iptables -t nat -A PREROUTING -d <public_ip_of_VPS> -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.5.0.2
# Masquerade the IP of the VPN localpc when it goes out of the public (internet-facing) interface.
iptables -t nat -A POSTROUTING -s 10.5.0.2/32 -o <interface_name_of_public_ip_of_VPS> -j MASQUERADE
# At the localpc, run this command (this is a "hack" to fix MTU problems in some applications, as Wireguard uses a 1420 MTU while the internet normally uses 1500):
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Optionally, if you use a DROP policy on your FORWARD iptables filter, you must also add these:
iptables -A FORWARD -i <interface_name_of_public_ip_of_VPS> -d 10.5.0.2 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i <yoursrv> -o <interface_name_of_public_ip_of_VPS> -j ACCEPT
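Typed by hand, `iptables -A` appends a fresh copy of each rule every time it is run, so a boot script or a second pass stacks duplicates that are hard to audit. The script below is an added example and not part of the original tutorial: it wraps the four VPS-side rules from this section so that each one is checked with `iptables -C` and appended only when absent. The interface name eth0, the address 198.51.100.7 and the other defaults are placeholders you must replace with your VPS values (or override through the environment); the localpc MSS clamp is left out because it runs on the other host.

```shell
#!/bin/sh
# Added example (not from the original tutorial): idempotent application of the
# VPS-side DNAT/MASQUERADE/FORWARD rules. Set DRY_RUN=1 to print the commands
# instead of running them.
PUBLIC_IP="${PUBLIC_IP:-198.51.100.7}"   # placeholder for <public_ip_of_VPS>
PUBLIC_IF="${PUBLIC_IF:-eth0}"           # placeholder for the internet-facing interface
WG_IF="${WG_IF:-yoursrv}"                # WireGuard interface name used on the VPS
LOCALPC="${LOCALPC:-10.5.0.2}"           # tunnel address of localpc
PORTS="${PORTS:-80,443}"                 # TCP ports forwarded to localpc

# ensure_rule TABLE CHAIN RULE...: append RULE to CHAIN unless it is already present.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -t $table -A $chain $*"
        return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
}

# One rule per line: "<table> <chain> <match and target arguments>".
rule_list() {
    cat <<EOF
nat PREROUTING -d $PUBLIC_IP -p tcp -m multiport --dports $PORTS -j DNAT --to-destination $LOCALPC
nat POSTROUTING -s $LOCALPC/32 -o $PUBLIC_IF -j MASQUERADE
filter FORWARD -i $PUBLIC_IF -d $LOCALPC -p tcp -m multiport --dports $PORTS -j ACCEPT
filter FORWARD -i $WG_IF -o $PUBLIC_IF -j ACCEPT
EOF
}

# Apply every rule from rule_list through ensure_rule.
apply_rules() {
    rule_list | while read -r line; do
        # Word splitting of $line into iptables arguments is intended here.
        set -- $line
        ensure_rule "$@"
    done
}
```

`DRY_RUN=1 sh script.sh` (with an `apply_rules` call at the bottom) prints the exact `iptables` invocations so they can be reviewed before the real run; because every rule is guarded by `-C`, the same script can be installed as the boot-time hook that also re-enables ip_forward.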
With all of this, you should now be able to get internet traffic into your localpc with the original IPs!