Homemade WireGuard VPN on a VPS server

Thank you
I have a VPS at Ionos (Debian 11) and a YunoHost on a Raspberry Pi (Raspbian 10, with a curl install after WireGuard).
I installed the WG tunnel first and then YunoHost.
Sometimes, out of the blue, it does not work. If I type wg it shows the following.
wg on YunoHost:
interface: wg0
public key: [public key YunoHost]
private key: (hidden)
listening port: 59697
fwmark: 0xca6c
peer: [public key vps]
endpoint: [ipv4vps]:51820
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 30 seconds ago
transfer: 968.50 KiB received, 2.03 MiB sent
persistent keepalive: every 25 seconds
wg on the VPS shows:
interface: wg0
public key: [public key vps]
private key: (hidden)
listening port: 51820
peer: [public key YunoHost]
allowed ips: 10.6.0.2/32, fd42:42:42::2/128

Why is the YunoHost listening on port 59697?
Is it right that WireGuard is rewriting the wg0.conf on the VPS?
Here follows the conf as it changed after the first tunneling. The problem was that it did not work with the domain, just with the IP address. The wg0.conf on YunoHost did not change. One time it also added the IP address of the YunoHost server to the wg0.conf.
wg0.conf of the VPS
[Interface]
Address = 10.6.0.1/24
Address = fd42:42:42::1/64
SaveConfig = true
PostUp = bash /etc/wireguard/PostUp.sh
PostDown = bash /etc/wireguard/PostDown.sh
ListenPort = 51820
PrivateKey = [private key vps]
[Peer]
PublicKey = [public key of YunoHost]
AllowedIPs = 10.6.0.2/32, fd42:42:42::2/128

Could you elaborate?

Because you do not set it up as a server but as a client, so it keeps the default config. It's normal.

No

Try to replace this with
Address = 10.6.0.1/24, fd42:42:42::1/64

It is not clear, often after a reboot. WireGuard puts an Endpoint with my private IP and another port into wg0.conf on the VPS; when I delete this it works again, of course. I think for a stable version it is probably good to configure it as a client server. What could I change for that?

WireGuard changes wg0.conf with these addresses again and again.
I now installed it again with the original img. Before, I tried 64bit.

Except if you want to set up a WireGuard relay, a physical machine should be configured as a client or as a server, not both. Moreover, if I understand your problem well, it's on the VPS side (wg0.conf being modified for no reason there). So leave the YH wg0.conf as it is. It seems to be fine.

Reboot on which side, VPS or YH?

Endpoint is a configuration for a client. But your VPS is a server; this shouldn't happen.

I sometimes have some difficulties understanding whether you are speaking of the YH or of the VPS side. If you want, you can send me your two wg0.conf, PostUp and PostDown in a PM and I can check if everything looks good.


Hello,
thanks for the guide, and some feedback / questions:

Tip: ionos.fr is 1 € all the time, while ionos.de is 2 € from the 7th month on, so if you can navigate a French website…

More explanation for a beginner like me:

  1. IPv6

Request an IPv6 address if necessary: for ionos.fr, this can be done via the UI by clicking on "Réseau → IP publique", where you can create an IPv6 address and assign it to your server.
Ionos also has a written guide about that, which I followed and which is completely unnecessary (Adding a Public IPv4 and IPv6 Address to a Linux Server (Ubuntu and Debian) - IONOS Help).

  2. Configurer le VPS (configure the VPS)

I needed to google how to find out the gateway and netmask; it would be nice to have that in the tutorial. I tried it like this and got some error, so please correct me:

# You can get the IPs and IPv4 netmask via 
ifconfig

# The gateways can be obtained via these commands in the line starting with "default":
ip route
ip -6 route

# The IPv6 gateway depends on the length of your IPv6, if your IPv6 is 2001:a61:24b5:b2::/64, it will be ffff:ffff:ffff:ffff::

And then give an example of the /etc/network/interfaces file, e.g. what format the IPv6 stuff has.

I did something wrong and lost the connection and SSH access with /etc/init.d/networking restart.

Edit: and maybe a section about "Requirements", e.g.

  • knowledge of the IPv6 address format (so now I finally understand "::", but it probably requires more knowledge of gateway, netmask, …): IPv6 - Address Types & Formats


This is a way to get it, but this is often data written in the VPS provider's doc.

For instance, for Ionos it's always, in IPv4:

netmask 255.255.255.255
gateway 10.255.255.1

in IPv6:

netmask 64
gateway fe80::1

Note that I also wanted to make a guide that does not depend on the provider. That's why I didn't specify the specific actions for Ionos.


OK, I started WireGuard on both sides, but YunoHost appears to be offline.

I opened the suggested ports in the Ionos firewall settings.
I entered the IPs of the VPS.
I can access my YunoHost via the web interface and via SSH.
But there's a timeout when I ping 8.8.8.8, and in the YunoHost diagnostics it says it is not connected to the internet.

Logs

YunoHost in the local LAN

wg

interface: wg0
public key: yxNI4PkF/vvSg2bJZl4qiDjOnbpTk0aetCWhlYOF8wY=
private key: (hidden)
listening port: 53350
fwmark: 0xca6c

peer: XypWafYsppYXQfedVJcNA1OkO9hUKO6IjAXLS3AOVjc=
endpoint: [::1]:51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 148 B sent
persistent keepalive: every 25 seconds

journalctl -xeu wg-quick@wg0.service

-- Subject: A start job for unit wg-quick@wg0.service has begun execution
-- Defined-By: systemd
-- Support: Debian -- User Support
--
-- A start job for unit wg-quick@wg0.service has begun execution.
--
-- The job identifier is 1043.
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip link add wg0 type wireguard
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] wg setconf wg0 /dev/fd/63
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -4 address add 10.6.0.2/24 dev wg0
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -6 address add fd42:42:42::2/64 dev wg0
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip link set mtu 65456 up dev wg0
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] resolvconf -a tun.wg0 -m 0 -x
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] wg set wg0 fwmark 51820
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -6 route add ::/0 dev wg0 table 51820
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -6 rule add not fwmark 51820 table 51820
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -6 rule add table main suppress_prefixlength 0
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip6tables-restore -n
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -4 rule add not fwmark 51820 table 51820
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -4 rule add table main suppress_prefixlength 0
Apr 03 10:46:42 ze.noho.st wg-quick[3521]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Apr 03 10:46:42 ze.noho.st wg-quick[3521]: [#] iptables-restore -n
Apr 03 10:46:42 ze.noho.st wg-quick[3521]: [#] bash /etc/wireguard/PostUp.sh
Apr 03 10:46:42 ze.noho.st systemd[1]: Started WireGuard via wg-quick(8) for wg0.
– Subject: A start job for unit wg-quick@wg0.service has finished successfully

ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.178.34 netmask 255.255.255.0 broadcast 192.168.178.255
inet6 fe80::46a1:8967:4a6e:fd6f prefixlen 64 scopeid 0x20
inet6 2001:a61:24b5:a601:990c:d95a:4fa3:4bbc prefixlen 64 scopeid 0x0
ether 82:bf:b2:df:f0:09 txqueuelen 1000 (Ethernet)
RX packets 4844 bytes 516167 (504.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2595 bytes 793955 (775.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 43

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 23188 bytes 3422152 (3.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23188 bytes 3422152 (3.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 65456
inet 10.6.0.2 netmask 255.255.255.0 destination 10.6.0.2
inet6 fd42:42:42::2 prefixlen 64 scopeid 0x0
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 136 bytes 20128 (19.6 KiB)
TX errors 0 dropped 3398 overruns 0 carrier 0 collisions 0

Ionos VPS

wg

interface: wg0
public key: XypWafYsppYXQfedVJcNA1OkO9hUKO6IjAXLS3AOVjc=
private key: (hidden)
listening port: 51820

peer: yxNI4PkF/vvSg2bJZl4qiDjOnbpTk0aetCWhlYOF8wY=
allowed ips: 10.6.0.2/32, fd42:42:42::2/128

journalctl -xeu wg-quick@wg0.service

Apr 03 08:45:37 localhost systemd[1]: Starting WireGuard via wg-quick(8) for wg0…
░░ Subject: A start job for unit wg-quick@wg0.service has begun execution
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A start job for unit wg-quick@wg0.service has begun execution.
░░
░░ The job identifier is 1789.
Apr 03 08:45:37 localhost wg-quick[2387]: [#] ip link add wg0 type wireguard
Apr 03 08:45:37 localhost wg-quick[2387]: [#] wg setconf wg0 /dev/fd/63
Apr 03 08:45:37 localhost wg-quick[2387]: [#] ip -4 address add 10.6.0.1/24 dev wg0
Apr 03 08:45:37 localhost wg-quick[2387]: [#] ip -6 address add fd42:42:42::1/64 dev wg0
Apr 03 08:45:37 localhost wg-quick[2387]: [#] ip link set mtu 1420 up dev wg0
Apr 03 08:45:37 localhost wg-quick[2387]: [#] bash /etc/wireguard/PostUp.sh
Apr 03 08:45:37 localhost systemd[1]: Finished WireGuard via wg-quick(8) for wg0.
░░ Subject: A start job for unit wg-quick@wg0.service has finished successfully

ifconfig

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 212.227.197.189 netmask 255.255.255.255 broadcast 212.227.197.189
inet6 2001:8d8:1801:81bc::1 prefixlen 64 scopeid 0x0
inet6 fe80::250:56ff:fe16:9fc5 prefixlen 64 scopeid 0x20
ether 00:50:56:16:9f:c5 txqueuelen 1000 (Ethernet)
RX packets 45465 bytes 5241644 (4.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9596 bytes 1417296 (1.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.6.0.1 netmask 255.255.255.0 destination 10.6.0.1
inet6 fd42:42:42::1 prefixlen 64 scopeid 0x0
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 1 dropped 0 overruns 0 carrier 0 collisions 0

Do you ping from YH or from the VPS?

Maybe you can also try to restart the VPS and then the YH server. Sometimes it solves the issue from the diagnostic.

I have some doubts regarding your iptables rules. It seems the YH server doesn't receive any packets back.

The ping from YunoHost is not successful.
After a reboot it's the same problem.

What do you mean by the iptables rules? How do I check / change them?

netstat -tunlp

YunoHost:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN 2361/gitea
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2294/nginx: master
tcp 0 0 0.0.0.0:9137 0.0.0.0:* LISTEN 1502/sshd
tcp 0 0 127.0.0.1:10001 0.0.0.0:* LISTEN 1194/postsrsd
tcp 0 0 127.0.0.1:10002 0.0.0.0:* LISTEN 1194/postsrsd
tcp 0 0 0.0.0.0:5269 0.0.0.0:* LISTEN 1992/lua5.1
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1547/dnsmasq
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 1694/postgres
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2406/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2294/nginx: master
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1722/slapd
tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN 1820/dovecot
tcp 0 0 0.0.0.0:8095 0.0.0.0:* LISTEN 1426/node
tcp 0 0 127.0.0.1:20000 0.0.0.0:* LISTEN 2453/sogod
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 1820/dovecot
tcp 0 0 0.0.0.0:20001 0.0.0.0:* LISTEN 1290/stunnel4
tcp 0 0 127.0.0.1:6787 0.0.0.0:* LISTEN 1378/python3
tcp 0 0 127.0.0.1:11332 0.0.0.0:* LISTEN 1711/rspamd: main p
tcp 0 0 127.0.0.1:11333 0.0.0.0:* LISTEN 1711/rspamd: main p
tcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN 1722/slapd
tcp 0 0 127.0.0.1:11334 0.0.0.0:* LISTEN 1711/rspamd: main p
tcp 0 0 0.0.0.0:5222 0.0.0.0:* LISTEN 1992/lua5.1
tcp 0 0 127.0.0.1:8008 0.0.0.0:* LISTEN 2636/python
tcp 0 0 127.0.0.1:5290 0.0.0.0:* LISTEN 1992/lua5.1
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 2406/master
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1515/redis-server 1
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 1414/memcached
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1820/dovecot
tcp6 0 0 :::80 :::* LISTEN 2294/nginx: master
tcp6 0 0 :::9137 :::* LISTEN 1502/sshd
tcp6 0 0 :::5269 :::* LISTEN 1992/lua5.1
tcp6 0 0 :::53 :::* LISTEN 1547/dnsmasq
tcp6 0 0 ::1:5432 :::* LISTEN 1694/postgres
tcp6 0 0 :::25 :::* LISTEN 2406/master
tcp6 0 0 :::443 :::* LISTEN 2294/nginx: master
tcp6 0 0 :::636 :::* LISTEN 1722/slapd
tcp6 0 0 :::4190 :::* LISTEN 1820/dovecot
tcp6 0 0 :::8448 :::* LISTEN 2636/python
tcp6 0 0 :::993 :::* LISTEN 1820/dovecot
tcp6 0 0 ::1:11332 :::* LISTEN 1711/rspamd: main p
tcp6 0 0 ::1:11333 :::* LISTEN 1711/rspamd: main p
tcp6 0 0 ::1:11334 :::* LISTEN 1711/rspamd: main p
tcp6 0 0 :::5222 :::* LISTEN 1992/lua5.1
tcp6 0 0 ::1:8008 :::* LISTEN 2636/python
tcp6 0 0 :::3306 :::* LISTEN 1698/mysqld
tcp6 0 0 ::1:5290 :::* LISTEN 1992/lua5.1
tcp6 0 0 :::587 :::* LISTEN 2406/master
tcp6 0 0 ::1:6379 :::* LISTEN 1515/redis-server 1
tcp6 0 0 :::143 :::* LISTEN 1820/dovecot
udp 0 0 0.0.0.0:31582 0.0.0.0:* 1547/dnsmasq
udp 0 0 10.6.0.2:5353 0.0.0.0:* 1362/python3
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1362/python3
udp 0 0 0.0.0.0:38929 0.0.0.0:* -
udp 0 0 0.0.0.0:53 0.0.0.0:* 1547/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 2048/dhclient
udp 0 0 10.6.0.2:123 0.0.0.0:* 2257/ntpd
udp 0 0 192.168.178.34:123 0.0.0.0:* 2257/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2257/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2257/ntpd
udp6 0 0 :::38929 :::* -
udp6 0 0 :::53 :::* 1547/dnsmasq
udp6 0 0 :::32889 :::* 1547/dnsmasq
udp6 0 0 2001:a61:24b5:a601::123 :::* 2257/ntpd
udp6 0 0 fd42:42:42::2:123 :::* 2257/ntpd
udp6 0 0 fe80::46a1:8967:4a6:123 :::* 2257/ntpd
udp6 0 0 ::1:123 :::* 2257/ntpd
udp6 0 0 :::123 :::* 2257/ntpd

VPS:

root@localhost:/home/juser# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9988 0.0.0.0:* LISTEN 762/sshd: /usr/sbin
tcp6 0 0 :::9988 :::* LISTEN 762/sshd: /usr/sbin
udp 0 0 0.0.0.0:51820 0.0.0.0:* -
udp6 0 0 :::51820 :::*

iptables -L

YunoHost:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere tcp dpt:xmpp-server
ACCEPT tcp -- anywhere anywhere tcp dpts:49153:49193
ACCEPT tcp -- anywhere anywhere tcp dpt:8448
ACCEPT tcp -- anywhere anywhere tcp dpt:5349
ACCEPT tcp -- anywhere anywhere tcp dpt:5350
ACCEPT tcp -- anywhere anywhere tcp dpt:9137
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpts:49153:49193
ACCEPT udp -- anywhere anywhere udp dpt:5349
ACCEPT udp -- anywhere anywhere udp dpt:5350
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

VPS:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- 10.0.6.2 anywhere tcp dpt:smtp
ACCEPT tcp -- 10.0.6.2 anywhere tcp dpt:submission
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:smtp
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:140
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:https
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:submission
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:imaps
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:xmpp-client
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:xmpp-server
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:9137

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

These rules seem correct. If you want, you can send me your two wg0.conf, PostUp and PostDown in a PM and I can check if everything looks good.

Could you also check that you can ping google.com and ping -6 google.com from the VPS?

Hello,

@rungeard thank you for your work!

Could you tell me which device the IP 10.0.6.2 in your iptables belongs to?

10.6.0.2 is the IP assigned to the YunoHost server (the WireGuard client).

So could it be a little typo here?

In your iptables rules for routing ports 25 and 587

here the IP is correct:
iptables -t nat -A POSTROUTING -s 10.6.0.2 -p tcp --dport $j -j SNAT --to [insert public IPV4 of the VPS];
ten.six.zero.two

but one row after it:
iptables -A FORWARD -s 10.0.6.2 -p tcp --dport $j -j ACCEPT;
ten.zero.six.two

You are right! I made the changes in the main post.

Hello, thanks for this tutorial, which makes me want to go ahead and buy.

Question

If other users wanted to connect to it to use it as a simple VPN while keeping the rules for the YunoHost, what would the PostUp and PostDown look like?

Thanks

Yes, it's possible.
You generate a private and a public key on every client.

On the VPS you add to wg0.conf the lines

### begin new client ###
[Peer]
PublicKey = [insert public key of the new client]
AllowedIPs = 10.6.0.X/32, fd42:42:42::X/128  # with X = 3, then 4, 5, etc.
### end new client ###

On the VPS you add to PostUp:

iptables -t nat -A POSTROUTING -s 10.6.0.X -j SNAT --to [insert public IPV4 of the VPS];
iptables -A FORWARD -s 10.6.0.X -j ACCEPT;
ip6tables -t nat -A POSTROUTING -s fd42:42:42::X -j SNAT --to [insert public IPV6 of the VPS];
ip6tables -A FORWARD -s fd42:42:42::X -j ACCEPT;

On the VPS you add to PostDown:

iptables -t nat -D POSTROUTING -s 10.6.0.X -j SNAT --to [insert public IPV4 of the VPS];
iptables -D FORWARD -s 10.6.0.X -j ACCEPT;
ip6tables -t nat -D POSTROUTING -s fd42:42:42::X -j SNAT --to [insert public IPV6 of the VPS];
ip6tables -D FORWARD -s fd42:42:42::X -j ACCEPT;

wg0.conf of the new client

[Interface]
PrivateKey = [insert private key of the new client]
Address = 10.6.0.X/24, fd42:42:42::X/64
# choose your DNS - for instance FDN DNS resolver
DNS = 80.67.169.12, 2001:910:800::12

[Peer]
PublicKey = [insert public key of the VPS]
Endpoint = [insert your domain name (link to the ips of the VPS server)]:51820
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25

Don't forget to replace X with 3, then 4, 5, 6, etc. everywhere.
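A consistency check for the three server-side files this thread keeps coming back to: the VPS wg0.conf gaining a peer Endpoint after a reboot (SaveConfig = true makes wg-quick rewrite the file from the live interface on shutdown, per wg-quick(8)), the 10.0.6.2 / 10.6.0.2 typo between the SNAT and FORWARD rules, and keeping PostDown mirrored to PostUp as clients are added. This is an added example, not the tutorial's own code; it assumes the PostUp/PostDown scripts hold one iptables rule per line and runs on a constructed sample with a placeholder key and a documentation IP for the VPS.

```python
"""Consistency checks for a WireGuard VPS wg0.conf and its PostUp/PostDown scripts (added example)."""
import re
from ipaddress import ip_network

def parse_wg_conf(text):
    """Return (interface, peers); values are lists since keys like Address may repeat."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick ignores trailing comments
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur.setdefault(key, []).append(val)
    return iface, peers

def check(conf, postup, postdown):
    """Return findings as strings; an empty list means the three files agree."""
    findings = []
    iface, peers = parse_wg_conf(conf)
    # wg-quick(8): SaveConfig=true rewrites wg0.conf from the live interface on shutdown (persisting a learned peer Endpoint).
    if iface.get("SaveConfig", ["false"])[0].lower() == "true":
        findings.append("SaveConfig = true: wg0.conf is rewritten on every shutdown")
    for p in peers:
        if "Endpoint" in p:
            findings.append(f"server-side peer carries Endpoint = {p['Endpoint'][0]}")
    # Every -s address in PostUp must fall inside some peer's AllowedIPs.
    allowed = [ip_network(n.strip()) for p in peers
               for v in p.get("AllowedIPs", []) for n in v.split(",")]
    for src in re.findall(r"\s-s\s+(\S+)", postup):
        net = ip_network(src, strict=False)
        if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
            findings.append(f"PostUp source {src} matches no peer AllowedIPs (typo?)")
    # Each -A rule added in PostUp needs the mirrored -D rule in PostDown.
    up = {l.strip() for l in postup.splitlines() if " -A " in l}
    down = {l.strip().replace(" -D ", " -A ") for l in postdown.splitlines() if " -D " in l}
    findings += [f"no PostDown counterpart for: {r}" for r in sorted(up - down)]
    return findings

# Constructed sample mirroring the thread (placeholder key, documentation IP for the VPS): SaveConfig on, persisted Endpoint, the 10.0.6.2 typo, a missing -D.
SAMPLE_CONF = """[Interface]
Address = 10.6.0.1/24, fd42:42:42::1/64
SaveConfig = true
[Peer]
PublicKey = PEER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.2/32, fd42:42:42::2/128
Endpoint = 192.168.178.34:59697
"""
SAMPLE_POSTUP = """iptables -t nat -A POSTROUTING -s 10.6.0.2 -p tcp --dport 25 -j SNAT --to 203.0.113.10;
iptables -A FORWARD -s 10.0.6.2 -p tcp --dport 25 -j ACCEPT;
ip6tables -A FORWARD -s fd42:42:42::2 -j ACCEPT;
"""
SAMPLE_POSTDOWN = """iptables -t nat -D POSTROUTING -s 10.6.0.2 -p tcp --dport 25 -j SNAT --to 203.0.113.10;
ip6tables -D FORWARD -s fd42:42:42::2 -j ACCEPT;
"""

if __name__ == "__main__": print(*check(SAMPLE_CONF, SAMPLE_POSTUP, SAMPLE_POSTDOWN), sep="\n")
```

Run it against /etc/wireguard/wg0.conf, PostUp.sh and PostDown.sh on the VPS; an empty result means the peer list and the NAT/forward rules agree and nothing will be left behind on wg-quick down.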


Thanks for the info.

However, if one follows this tutorial and adds the lines you gave me, will that cause a problem?

Thanks again.

In theory no, but I haven't personally tested it with several devices. Any feedback is welcome!


Actually, I already have WireGuard at home as a server and I route a few clients through it. So I really have a basic configuration with
I'd like to evolve all this by pushing more things through the pipes.
I'll try starting from scratch with the clients (which I more or less know how to do) and then add your config.
