Skip to content

Instantly share code, notes, and snippets.

@adog1314

adog1314/PortForwardOverWireGuard.md

Last active February 23, 2025 07:30
Show Gist options
  • Save adog1314/97bf494d74f56bfff51da9bb4bff8ed0 to your computer and use it in GitHub Desktop.
Save adog1314/97bf494d74f56bfff51da9bb4bff8ed0 to your computer and use it in GitHub Desktop.
Download ZIP
Port forward over wireguard to VPS with static IP
Raw
PortForwardOverWireGuard.md

Port forward over wireguard to VPS with static IP

This is write up is on how to port forward over wireguard. I am going to be port forwarding a mail server running MailCow on my local server, but really any service can be port forwared with some modifications to the IPTables commands in the wireguard file.

I am using a cheap Vultr VPS as my proxy server, if your intrested heres a referral link https://www.vultr.com/?ref=9019507 where I get $10 or if you plan to spend more then $35 on your account you will get $100 and I will get $35 https://www.vultr.com/?ref=9019508-8H

My Setup

  • Debain 10 Buster
  • Tunnel subnet: 10.1.1.0
  • Proxy-VPS Tunnel IP: 10.1.1.1
  • Peer [Mail Server] Tunnel IP: 10.1.1.2

WireGuard Setup on the remote VPS

I installed WireGuard using this script: https://github.com/angristan/wireguard-install

Had an error used to fix: https://stackoverflow.com/a/66745279

Allow wireguard on port 51820(make sure the port is correct, the script assign's a random port): E.g.

sudo ufw allow 51820/udp

Start the WireGuard service at boot time using the systemctl command, run:

sudo systemctl enable wg-quick@wg0

Port Forwarding

  • Destination NAT(DNAT) only rewrites the destination IP address, this should be used for incoming trafic headed to a peer.
  • Source NAT(SNAT) rewrites the source IP address to and should happen automatically for outbound traffic that passes through the Wg Tunnel.

Services Port Forwarded

[Peer - Mail - 10.1.1.2]

  • Http on port 80
  • Https on port 443
  • Postfix SMTP on port 25
  • Postfix SMTPS on port 465
  • Postfix Submission on port 587
  • Dovecot IMAP on port 143
  • Dovecot IMAPS on port 993
  • Dovecot POP3 on port 110
  • Dovecot POP3S on port 995
  • Dovecot ManageSieve on port 4190

Also add ufw for each port on Proxy-VPS E.g. sudo ufw allow 25/tcp

Run and find the WAN interface name and replace enp1s0 blow to the correct interface name we want the portforward to listen on

ip addr

Place in /etc/wireguard/wg0.conf on Proxy-VPS just above [Peer]

### Http on port 80
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 80 -j DNAT --to-destination 10.1.1.2:80
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 80 -j DNAT --to-destination 10.1.1.2:80
### Https on port 443
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 443 -j DNAT --to-destination 10.1.1.2:443
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 443 -j DNAT --to-destination 10.1.1.2:443
### Postfix SMTP on port 25
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 25 -j DNAT --to-destination 10.1.1.2:25
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 25 -j DNAT --to-destination 10.1.1.2:25
### Postfix SMTPS on port 465
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 465 -j DNAT --to-destination 10.1.1.2:465
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 465 -j DNAT --to-destination 10.1.1.2:465
### Postfix Submission on port 587
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 587 -j DNAT --to-destination 10.1.1.2:587
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 587 -j DNAT --to-destination 10.1.1.2:587
### Dovecot IMAP on port 143
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 143 -j DNAT --to-destination 10.1.1.2:143
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 143 -j DNAT --to-destination 10.1.1.2:143
### Dovecot IMAPS on port 993
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 993 -j DNAT --to-destination 10.1.1.2:993
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 993 -j DNAT --to-destination 10.1.1.2:993
### Dovecot POP3 on port 110
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 110 -j DNAT --to-destination 10.1.1.2:110
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 110 -j DNAT --to-destination 10.1.1.2:110
### Dovecot POP3S on port 995
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 995 -j DNAT --to-destination 10.1.1.2:995
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 995 -j DNAT --to-destination 10.1.1.2:995
### Dovecot ManageSieve on port 4190 
PostUp = iptables -t nat -A PREROUTING -p tcp -i enp1s0 --dport 4190 -j DNAT --to-destination 10.1.1.2:4190
PostDown = iptables -t nat -D PREROUTING -p tcp -i enp1s0 --dport 4190 -j DNAT --to-destination 10.1.1.2:4190

WireGuard on local mail server

sudo apt install wireguard

Transfer the file created by the script from the remote VPS to /etc/wireguard/wg0.conf

On the local machine we kept encountering an issue where the tunnel would die after several minutes, once the handshake connection expired. To fix this I added PersistentKeepAlive = 25 to the bottom of the wg0.conf file

I left AllowedIPs = 0.0.0.0/0 to forward all traffic of all my mail server through the remote VPS IP address, due to it needing to send outgoing SMTP email through the NAT masquerade as the remote IP instead of my home networks IP

Start the WireGuard service at boot time using the systemctl command, run:

sudo systemctl enable wg-quick@wg0

Start WireGuard the tunnel:

sudo wg-quick up wg0
@BytxForge
Copy link

Many thanks for the good instructions. How is Mailcow configured for you? I'm getting an error message that the ACME challenge is failing.

Confirmed A record with IP x.x.x.x, but HTTP validation failed

@adog1314
Copy link
Author

@BytxForge Are you forwarding port 80 or are you using a reverse proxy like nginx on your remote VPS?
LetsEncrypt needs http://mail.domain.tld/.well-known/acme-challenge/ to pass to your mailcow web server to get an SSL cert to verify you own the domain.

@BytxForge
Copy link

@BytxForge Are you forwarding port 80 or are you using a reverse proxy like nginx on your remote VPS? LetsEncrypt needs http://mail.domain.tld/.well-known/acme-challenge/ to pass to your mailcow web server to get an SSL cert to verify you own the domain.

Thank you for your answer. I forward port 80 from the VPS as described in your instructions.

@adog1314
Copy link
Author

adog1314 commented Dec 27, 2024
edited
Loading

@BytxForge You could try and create a test.html file in /opt/mailcow-dockerized/data/web/.well-known/acme-challenge/test.html then go to http://mail.domain.tld/.well-known/acme-challenge/test.html to see the text you put in the test file shows up or a 404.

Its been 2 years since I set up my current instance, but if I remember right there isn't anything you change in the Mailcow config along as all traffic is being forwarded back through Wireguard out your VPS providers ip address and not local ip.

@osyduck
Copy link

osyduck commented Feb 3, 2025

does this work with wireguard windows client too?

@adog1314
Copy link
Author

adog1314 commented Feb 4, 2025

@osyduck

does this work with wireguard windows client too?

It should work as long as your remote VPS is Linux with iptables for the forwarding part, wireguard is just used as a light weigh vpn to route the traffic but you could also use some others like tailscale or openvpn and persistent iptables rules

@MmMapIoSpace
Copy link

does this work with wireguard windows client too?

it work perfectly to me, i use ubuntu vps and windows server on local server as wireguard client

@MmMapIoSpace
Copy link

MmMapIoSpace commented Feb 18, 2025
edited
Loading

But can you help me understand why the DNS server on my Windows Server doesn't seem to work? I can successfully test it using nslookup with the target 192.168.18.18 (using the router's internal IP), but it fails when I use the internet IP of the VPS. I have forwarded both TCP and UDP port 53.

PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53

PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53

@adog1314
Copy link
Author

@MmMapIoSpace

But can you help me understand why the DNS server on my Windows Server doesn't seem to work? I can successfully test it using nslookup with the target 192.168.18.18 (using the router's internal IP), but it fails when I use the internet IP of the VPS. I have forwarded both TCP and UDP port 53.

PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53

PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53

What is your AllowedIPs = set to on your local system?

You need Wireguard to forward all packets through the NAT masquerade of the VPS as the remote IP otherwise the will try to reply back to incoming packets through your local ISP IP, and then the firewall on the other end of the connection just drop it since it didn't come from the expected IP that it originated the connection to.

There is probably other ways to setting up Stateful routing, but I am not familiar windows networking so forwarding all packets back out Wireguard is the easiest way to do it.

@MmMapIoSpace
Copy link

MmMapIoSpace commented Feb 19, 2025
edited
Loading

@MmMapIoSpace

But can you help me understand why the DNS server on my Windows Server doesn't seem to work? I can successfully test it using nslookup with the target 192.168.18.18 (using the router's internal IP), but it fails when I use the internet IP of the VPS. I have forwarded both TCP and UDP port 53.

PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53

PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 53 -j DNAT --to-destination 10.66.66.2:53

What is your AllowedIPs = set to on your local system?

You need Wireguard to forward all packets through the NAT masquerade of the VPS as the remote IP otherwise the will try to reply back to incoming packets through your local ISP IP, and then the firewall on the other end of the connection just drop it since it didn't come from the expected IP that it originated the connection to.

There is probably other ways to setting up Stateful routing, but I am not familiar windows networking so forwarding all packets back out Wireguard is the easiest way to do it.

This is the configuration on my local windows.
For server, i use 'https://github.com/angristan/wireguard-install' default configuration unless adding the forwarding rules, all of forwarding rules is work perfectly, just problems on DNS server.

[Interface]
PrivateKey = ---
Address = 10.66.66.2/32, fd18:18:18::2/128
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = ---
PresharedKey = ---
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
Endpoint = ---

The configuration is non blocking untunnelled connection, so i can still connect via internal routing directly without going to internet.

@adog1314
Copy link
Author

@MmMapIoSpace
What VPS provider are you using?
Some providers block common problematic ports by default (I.E. port 25 SMTP for email) and you have to contact support to unblock them. If I remember right there have been a lot of issues of DNS servers not configured correctly doing reflection DDOS attacks.

@MmMapIoSpace
Copy link

MmMapIoSpace commented Feb 20, 2025
edited
Loading

I am using a local VPS in my country. I have asked them and they have confirmed that there are no restrictions whatsoever; the VPS is completely pure without any add-ons/protections or blocking certain accesses.

However, I am experiencing another unresolved issue, which I think is related to this.

So, I have a website hosted on my local Windows server (as a WireGuard client). My local Windows server cannot contact itself through the public IP because I believe there is an unresolved and ambiguous traffic route. This is because the requester and the receiver are the same, or because the response is directly sent to the internal IP instead of the public IP, which makes the caller think that the request was never answered.

Here is my WireGuard configuration:
Server ( VM-Ubuntu ):

[Interface]
Address = 10.18.18.1/24,fd18:18:18::1/64
ListenPort = 59005
PrivateKey = <>

## IP Table Rule

PostUp = iptables -I INPUT -p udp --dport 59005 -j ACCEPT
PostDown = iptables -D INPUT -p udp --dport 59005 -j ACCEPT

PostUp = iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT

PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT

### IPv6
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT

### SNAT untuk mengatasi masalah Hairpin NAT
### Mengubah source IP dari server lokal ke IP VM ()
### agar balasan kembali melewati VM.
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

### IPv6 NAT
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

### DNAT HTTP - Redirect koneksi dari IP publik ke server lokal (10.18.18.2)
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.18.18.2:80
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.18.18.2:80

### DNAT HTTPS
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 10.18.18.2:443
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 10.18.18.2:443

### DNAT SMTP
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.18.18.2:25
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.18.18.2:25

### DNAT IMAP
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 143 -j DNAT --to-destination 10.18.18.2:143
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 143 -j DNAT --to-destination 10.18.18.2:143

### Logging (opsional) - untuk debugging jika masih gagal
PostUp = iptables -I INPUT -p tcp --dport 80 -j LOG --log-prefix "HTTP_ACCESS: "
PostDown = iptables -D INPUT -p tcp --dport 80 -j LOG --log-prefix "HTTP_ACCESS: "
PostUp = iptables -I INPUT -p tcp --dport 443 -j LOG --log-prefix "HTTPS_ACCESS: "
PostDown = iptables -D INPUT -p tcp --dport 443 -j LOG --log-prefix "HTTPS_ACCESS: "

### Client
[Peer]
PublicKey = <>
PresharedKey = <>
AllowedIPs = 10.18.18.2/32,fd18:18:18::2/128

Client ( Windows Server ):

[Interface]
PrivateKey = <>
Address = 10.18.18.2/32, fd18:18:18::2/128
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = <>
PresharedKey = <>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
Endpoint = 1.1.1.1:59005

And also, do you know how to route all ports, both TCP and UDP, to the local server without explicit individual rules, letting the Windows firewall handle the filtering, but still allowing tunnel and SSH access from the VM via the Internet IP?

Thank you.

@adog1314
Copy link
Author

@MmMapIoSpace

So, I have a website hosted on my local Windows server (as a WireGuard client). My local Windows server cannot contact itself through the public IP because I believe there is an unresolved and ambiguous traffic route. This is because the requester and the receiver are the same, or because the response is directly sent to the internal IP instead of the public IP, which makes the caller think that the request was never answered.

Sounds like a loopback issue possibly because only external traffic going to eth0 hits the prerouting chain and not traffic from wg0, or something to do with IPv6 as your only forwarding IPv4 with iptables, you would need to also add rules with ip6tables for IPv6.

Might be worth trying Wireshark on windows server and tcpdump on VPS to troubleshoot.

And also, do you know how to route all ports, both TCP and UDP, to the local server without explicit individual rules, letting the Windows firewall handle the filtering, but still allowing tunnel and SSH access from the VM via the Internet IP?

I am not a iptables expert so use at your own risk, as you may lock your self out.

### Keeps SSH port 22 open
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 22 -j RETURN
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 22 -j RETURN

### Keeps Wireguard port 59005 open
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 --dport 59005 -j RETURN
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 --dport 59005 -j RETURN

### Forward all TCP ports to 10.18.18.2
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to-destination 10.18.18.2
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 -j DNAT --to-destination 10.18.18.2

### Forward all UDP ports to 10.18.18.2
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 -j DNAT --to-destination 10.18.18.2 
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 -j DNAT --to-destination 10.18.18.2

@MmMapIoSpace
Copy link

MmMapIoSpace commented Feb 23, 2025
edited
Loading

@MmMapIoSpace

So, I have a website hosted on my local Windows server (as a WireGuard client). My local Windows server cannot contact itself through the public IP because I believe there is an unresolved and ambiguous traffic route. This is because the requester and the receiver are the same, or because the response is directly sent to the internal IP instead of the public IP, which makes the caller think that the request was never answered.

Sounds like a loopback issue possibly because only external traffic going to eth0 hits the prerouting chain and not traffic from wg0, or something to do with IPv6 as your only forwarding IPv4 with iptables, you would need to also add rules with ip6tables for IPv6.

Might be worth trying Wireshark on windows server and tcpdump on VPS to troubleshoot.

And also, do you know how to route all ports, both TCP and UDP, to the local server without explicit individual rules, letting the Windows firewall handle the filtering, but still allowing tunnel and SSH access from the VM via the Internet IP?

I am not a iptables expert so use at your own risk, as you may lock your self out.

### Keeps SSH port 22 open
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 22 -j RETURN
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 22 -j RETURN

### Keeps Wireguard port 59005 open
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 --dport 59005 -j RETURN
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 --dport 59005 -j RETURN

### Forward all TCP ports to 10.18.18.2
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to-destination 10.18.18.2
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 -j DNAT --to-destination 10.18.18.2

### Forward all UDP ports to 10.18.18.2
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 -j DNAT --to-destination 10.18.18.2 
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 -j DNAT --to-destination 10.18.18.2

Thank you very much, sir.
I successfully configured it as I expected, thanks to you.

And here is my configuration:
Previously, I forwarded all rules but lost access to SSH because I was using INPUT ACCEPT, while the packets had already undergone NAT.

[Interface]
Address = 10.18.18.1/24
ListenPort = 11111
PrivateKey = <Secret>

## IP Table Policy harus ditetapkan menjadi ACCEPT

### Biarkan SSH Port 22 tetap terbuka didalam VM
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 22 -j RETURN
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 22 -j RETURN

### Biarkan Wireguard Port 11111 tetap terbuka didalam VM
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 --dport 11111 -j RETURN
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 --dport 11111 -j RETURN

### Reject semua koneksi masuk untuk koneksi RDP dari IP publik VM
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 3389 -j RETURN
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 3389 -j RETURN
PostUp = iptables -A INPUT -p tcp --dport 3389 -j REJECT
PostDown = iptables -D INPUT -p tcp --dport 3389 -j REJECT

### Penerusan Inbound dari eth0 menuju wg0 ( IPv4 Only )
PostUp = iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT

### Penerusan Outbound untuk wg0
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT

### SNAT: semua paket yang keluar
### melalui interface eth0 akan mengalami Source NAT (SNAT)
### dengan menggunakan IP dari eth0.
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

### DNAT: Alihkan semua port TCP dan UDP ke server lokal ( 10.18.18.2 ), kecuali yang telah diblokir 
PostUp = iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to-destination 10.18.18.2
PostDown = iptables -t nat -D PREROUTING -p tcp -i eth0 -j DNAT --to-destination 10.18.18.2
PostUp = iptables -t nat -A PREROUTING -p udp -i eth0 -j DNAT --to-destination 10.18.18.2 
PostDown = iptables -t nat -D PREROUTING -p udp -i eth0 -j DNAT --to-destination 10.18.18.2 

### Loopback untuk menghandle koneksi lokal menggunakan IP publik
# DNAT: Ubah tujuan paket dari <PublicIP> menjadi 10.18.18.2
PostUp = iptables -t nat -A PREROUTING -s 10.18.18.2 -d <PublicIP> -j DNAT --to-destination 10.18.18.2
PostDown = iptables -t nat -D PREROUTING -s 10.18.18.2 -d <PublicIP> -j DNAT --to-destination 10.18.18.2

# SNAT: Ubah source paket menjadi <PublicIP> agar terlihat berasal dari IP publik
PostUp = iptables -t nat -A POSTROUTING -s 10.18.18.2 -d 10.18.18.2 -j SNAT --to-source <PublicIP>
PostDown = iptables -t nat -D POSTROUTING -s 10.18.18.2 -d 10.18.18.2 -j SNAT --to-source <PublicIP>

### Client
[Peer]
PublicKey = <Secret>
PresharedKey = <Secret>
AllowedIPs = 10.18.18.2/32

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment