-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
18 changed files
with
4,350 additions
and
13 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -46,6 +46,7 @@ format: | |
| html: | ||
| code-fold: true | ||
| code-overflow: wrap | ||
| code-copy: true | ||
| theme: | ||
| light: lumen | ||
| dark: solar | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| /.quarto/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| format: | ||
| html: | ||
| code-block-bg: true | ||
| code-block-border-left: "#31BAE9" |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,167 @@ | ||
| { | ||
| "cells": [ | ||
| { | ||
| "cell_type": "markdown", | ||
| "metadata": {}, | ||
| "source": [ | ||
| "---\n", | ||
| "title: Wireguard VPS homeserver-bridge\n", | ||
| "date: 2024-10-09\n", | ||
| "description: Short reference documentation for setting up a VPS-homeserver bridge with Wireguard.\n", | ||
| "categories:\n", | ||
| " - Selfhost\n", | ||
| " - Wireguard\n", | ||
| " - VPS\n", | ||
| " - VPN\n", | ||
| "---\n", | ||
| "\n", | ||
| "\n", | ||
| "::: callout-note\n", | ||
| "## Revisited setup guide\n", | ||
| "\n", | ||
| "This guide is updated after I had to go through the process again when my setup got corrupted after a power outage. Until then, this setup has been rock-solid for 3 years during change of internet provider with no adjustments needed.\n", | ||
| ":::\n", | ||
| "\n", | ||
| "We are renting, and I have a small homeserver in the office. I mostly host different apps and sevices for my own use, but also a few pages for public access. I needed a way to securely access my homeserver without having access to the router. This led me to renting a small VPS at [Hetzner](https://www.hetzner.com/cloud/) and run a [Wireguard](https://www.wireguard.com/) instance on this to tunnel all relevant traffic to my home-server. I have been able to find a lot of inspiration online, but nowhere, I found the setup I needed, so here goes for inspiration.\n", | ||
| "\n", | ||
| "After recently having to setup everything again myself, I am now including a complete set of instructions.\n", | ||
| "\n", | ||
| "### Creating configuration templates\n", | ||
| "\n", | ||
| "Skipping a little ahead, we start by creating the encryption keys and configuration templates\n", | ||
| "\n", | ||
| "I recently ran into troubles having no luck with getting a handshake between my two instances, which got me a little frustrated, but [this comment on serverfault.com](https://serverfault.com/questions/1040165/wireguard-not-completing-handshake#comment1419778_1041230) got me back on track:\n", | ||
| "\n", | ||
| "> ...at least, it tends to less error-prone to use a desktop Wireguard GUI to generate the keys than working it out using \"wireguard-tools\" CLI utilities...\n", | ||
| "\n", | ||
| "I created my template configuration and keys on [wireguardconfig.com](https://www.wireguardconfig.com/#), which will generate everything in your browser, so nothing is stored server side. This works well.\n", | ||
| "\n", | ||
| "### On the server (VPS) and then the same steps on the client (homeserver)\n", | ||
| "\n", | ||
| "First update your system and install wireguard:\n", | ||
| "\n", | ||
| "\n", | ||
| "```{bash}\n", | ||
| "#| eval: false\n", | ||
| "sudo apt update\n", | ||
| "sude apt upgrade\n", | ||
| "sudo apt install wireguard\n", | ||
| "```\n", | ||
| "\n", | ||
| "\n", | ||
| "Create and open the config file:\n", | ||
| "\n", | ||
| "```\n", | ||
| "sudo nano /etc/wireguard/wg0.conf\n", | ||
| "```\n", | ||
| "\n", | ||
| "Insert the template configuration file for the server. Below I provide my configuration files for reference on a working setup, and with a few extra added lines compared to the templates.\n", | ||
| "\n", | ||
| "Save and close the configuration files.\n", | ||
| "\n", | ||
| "Now enable and start the wg0 interface.\n", | ||
| "\n", | ||
| "```\n", | ||
| "sudo systemctl enable wg-quick@wg0\n", | ||
| "sudo systemctl start wg-quick@wg0\n", | ||
| "```\n", | ||
| "\n", | ||
| "Afterwards, my experience is that a reboot is necessary, but you can check the connection:\n", | ||
| "\n", | ||
| "```\n", | ||
| "sudo wg\n", | ||
| "```\n", | ||
| "\n", | ||
| "Look for the \"Latest handshake\" to verify that the connection is up and running.\n", | ||
| "\n", | ||
| "::: callout-note\n", | ||
| "## Sources\n", | ||
| "\n", | ||
| "My inspiration is heavily drawn from these two following sites, that I am in no way affiliated with.\n", | ||
| "\n", | ||
| "- [wiki.r-selfhosted.com](https://wiki.r-selfhosted.com/guides/software/virtual-private-networks/wireguard/#wireguard)\n", | ||
| "- [www.procustodibus.com](https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/)\n", | ||
| "- [blog.cavelab.dev](https://blog.cavelab.dev/2021/03/vps-wireguard-iptables/)\n", | ||
| "- [serverfault.com](https://serverfault.com/questions/1040165/wireguard-not-completing-handshake)\n", | ||
| ":::\n", | ||
| "\n", | ||
| "## My configuration files\n", | ||
| "\n", | ||
| "Insert your own values in the square brackets.\n", | ||
| "\n", | ||
| "### VPS\n", | ||
| "\n", | ||
| "```\n", | ||
| "[Interface]\n", | ||
| "Address = 10.25.4.3/32,fd42::1/128\n", | ||
| "PrivateKey = [Private key for VPS]\n", | ||
| "ListenPort = [VPS port]\n", | ||
| "\n", | ||
| "# Allows package forwarding\n", | ||
| "PreUp = sysctl -w net.ipv4.ip_forward=1\n", | ||
| "\n", | ||
| "# Allows forwarding traffic on specified ports (remember to open corresponding ports on the VPS firewall)\n", | ||
| "PreUp = iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.25.4.1:443\n", | ||
| "PreUp = iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.25.4.1:80\n", | ||
| "PostDown = iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.25.4.1:443\n", | ||
| "PostDown = iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.25.4.1:80\n", | ||
| "\n", | ||
| "# THis may be necessary for you, but I found it overflooded my logs.\n", | ||
| "#PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE\n", | ||
| "#PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE\n", | ||
| "\n", | ||
| "[Peer]\n", | ||
| "PublicKey = [Public key for home-server]\n", | ||
| "AllowedIPs = 10.25.4.1/32\n", | ||
| "PersistentKeepalive = 25\n", | ||
| "```\n", | ||
| "\n", | ||
| "### Home-server\n", | ||
| "\n", | ||
| "``` \n", | ||
| "[Interface]\n", | ||
| "Address = 10.25.4.1/24\n", | ||
| "ListenPort = [Wireguard port number]\n", | ||
| "PrivateKey = [Private key for home-server]\n", | ||
| "\n", | ||
| "# These lines should allow forwarding outgoing traffic to the local network.\n", | ||
| "# Maybe you want it differently. It works for me.\n", | ||
| "PostUp = iptables -A FORWARD -i wg0 -j ACCEPT\n", | ||
| "PostUp = iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE\n", | ||
| "PostUp = ip6tables -A FORWARD -i %i -j ACCEPT\n", | ||
| "PostUp = ip6tables -A FORWARD -o %i -j ACCEPT\n", | ||
| "PostUp = ip6tables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE\n", | ||
| "PostUp = ip link set multicast on dev %i\n", | ||
| "PostDown = iptables -D FORWARD -i wg0 -j ACCEPT\n", | ||
| "PostDown = iptables -t nat -D POSTROUTING -o enp0s31f6 -j MASQUERADE\n", | ||
| "PostDown = ip6tables -D FORWARD -i %i -j ACCEPT\n", | ||
| "PostDown = ip6tables -D FORWARD -o %i -j ACCEPT\n", | ||
| "PostDown = ip6tables -t nat -D POSTROUTING -o enp0s31f6 -j MASQUERADE\n", | ||
| "\n", | ||
| "# Setting up a firewall table\n", | ||
| "Table = 123\n", | ||
| "PreUp = ip rule add from 10.25.4.1 table 123 priority 456\n", | ||
| "PostDown = ip rule del from 10.25.4.1 table 123 priority 456\n", | ||
| "\n", | ||
| "\n", | ||
| "## Hetzner VPS\n", | ||
| "[Peer]\n", | ||
| "PublicKey = [Public key for VPS]\n", | ||
| "AllowedIPs = 0.0.0.0/0\n", | ||
| "Endpoint = [VPS public IP]:[Wireguard port number]\n", | ||
| "PersistentKeepalive = 25\n", | ||
| "```" | ||
| ], | ||
| "id": "a49db8f7" | ||
| } | ||
| ], | ||
| "metadata": { | ||
| "kernelspec": { | ||
| "display_name": "Python 3", | ||
| "language": "python", | ||
| "name": "python3" | ||
| } | ||
| }, | ||
| "nbformat": 4, | ||
| "nbformat_minor": 5 | ||
| } |
Oops, something went wrong.