Homemade WireGuard VPN on a VPS server

Oh no, I just copied and pasted the config files without setting the keys. How do I get them?

WireGuard requires base64-encoded public and private keys. These can be generated using the wg utility. On both sides, run:

cd /etc/wireguard
umask 077    # new key files must be readable by their owner only
sudo wg genkey | tee privatekey | wg pubkey > publickey

it shows no output

The outputs are in text files. You can display the content with cat:

cat /etc/wireguard/publickey
cat /etc/wireguard/privatekey
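
The situation in the question above (config files pasted without real keys) can be checked mechanically. This is an added example, not part of the original posts: the function names and the sample config with its placeholder text are constructed, and it assumes GNU coreutils for `base64 -d`.

```shell
#!/bin/sh
# Added example: flag keys in a wg-quick config that were never filled in.
# A WireGuard key is 32 bytes, so its base64 form is exactly 44 characters
# ending in a single "=". Assumes GNU coreutils (base64 -d), as on Debian.

# is_wg_key KEY: succeeds only if KEY has that shape and decodes to 32 bytes.
is_wg_key() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case $key in *=) ;; *) return 1 ;; esac
    case ${key%=} in
        *[!A-Za-z0-9+/]*) return 1 ;;    # also rejects "==" padding
    esac
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# check_wg_conf FILE: prints one line per malformed key (never the value
# itself) and returns non-zero if any PrivateKey/PublicKey/PresharedKey is bad.
check_wg_conf() {
    bad=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Drop comments, trim, and normalise "Name = value" to "Name=value".
        kv=$(printf '%s\n' "$line" |
             sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]*=[[:space:]]*/=/')
        case $kv in
            PrivateKey=*|PublicKey=*|PresharedKey=*) ;;
            *) continue ;;
        esac
        if ! is_wg_key "${kv#*=}"; then
            echo "line $lineno: ${kv%%=*} is not a valid WireGuard key"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# sample_conf: constructed input. The PrivateKey is 32 ASCII zeros in base64
# (well-formed, but not a secret); the PublicKey is a left-over placeholder.
sample_conf() {
    good=$(printf '%032d' 0 | base64)
    cat <<EOF
[Interface]
Address = 10.6.0.2/24
PrivateKey = $good

[Peer]
PublicKey = <public key of the other side>
AllowedIPs = 0.0.0.0/0
EOF
}

# Usage: check_wg_conf /etc/wireguard/wg0.conf
```

The check only confirms that each key is well-formed; it cannot tell whether the PublicKey on one side actually matches the PrivateKey on the other.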

Thanks, I put the private and public keys on both servers as in the guide, but after trying to start WireGuard I get the following errors:

# journalctl -xe
-- Journal begins at Tue 2023-12-05 17:37:53 UTC, ends at Thu 2023-12-07 14:31:03 UTC. --
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/kgdboc/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/pcspkr/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/reg-dummy/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/reg-dummy/regulator/regulator.0/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/regulatory.0/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/rtc-efi.0/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS1/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS10/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS11/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS12/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS13/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS14/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS15/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS16/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS17/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS18/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS19/uevent': Permission denied
Dec 07 14:15:19 napase systemd-networkd[74]: Enumeration completed
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS2/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS20/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS21/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS22/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS23/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS24/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS25/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS26/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS27/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS28/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS29/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS3/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS30/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS31/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS4/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS5/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS6/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS7/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS8/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/platform/serial8250/tty/ttyS9/uevent': Permission denied
Dec 07 14:15:19 napase udevadm[64]: Failed to write 'add' to '/sys/devices/pnp0/00:00/uevent': Permission denied
Dec 07 14:15:19 napase systemd[1]: Starting Create Volatile Files and Directories...
░░ Subject: A start job for unit systemd-tmpfiles-setup.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A start job for unit systemd-tmpfiles-setup.service has begun execution.
░░ 
░░ The job identifier is 25.

Hello.

I followed exactly the first post and it works great. I can access my Yunohost server locally (192.168.10.0/24) and from the Internet (through the wireguard VPN), thank you @rungeard !

Now I have configured a second local network at home (192.168.20.0/24), but it fails to communicate with the Yunohost server. When a host on this new network tries to talk to the Yunohost server, I can see the packet properly arrives at the ethernet interface of the Yunohost server, but the reply goes out through wg0.

How can I fix it?

I guess it might have something to do with iptables, I’ve been told I might have to create a static route in the server… Any help is welcome.

Cheers

Hi, I did some tweaking a long time ago on my setup.
I'll post it here for documentation on this topic.
“Better late than never” :wink:

# PostUp - VPS
# /etc/wireguard/PostUp.sh

IN_FACE="eth0"                                     # NIC connected to the internet
WG_FACE="wg0"                                      # WG NIC
IPV4="100.200.50.50"                               # ipv4 address of public server
IPV6="2301:3ff:c000:aaa::1"                       # ipv6 address of public server
SUB_ADD4="10.6.0.2"                                # WG IPv4 sub/net
SUB_ADD6="fd42:42:42::2"                           # WG IPv6 sub/net
TCP_PORTS="25 53 80 140 443 587 993 5222 5269"   # All input TCP Ports
BOTH_PORTS="53 5353 49153:49193"    # Both ways UDP and TCP
TCP_OUT_PORTS="25 587"                             # All output TCP Ports from Yunohost Server to internet

iptables -A FORWARD -i $WG_FACE -j ACCEPT;
iptables -t nat -A POSTROUTING -o $IN_FACE -j MASQUERADE;

ip6tables -A FORWARD -i $WG_FACE -j ACCEPT;
ip6tables -t nat -A POSTROUTING -o $IN_FACE -j MASQUERADE;

# icmp
iptables -A INPUT -p icmp -j ACCEPT;

ip6tables -A INPUT -p ipv6-icmp -j ACCEPT;


# Routing "TCP_OUT_PORTS" from Yunohost Server to internet
for j in $TCP_OUT_PORTS
do
        iptables -t nat -A POSTROUTING -s $SUB_ADD4 -p tcp --dport $j -j SNAT --to $IPV4;
        iptables -A FORWARD -s $SUB_ADD4 -p tcp --dport $j -j ACCEPT;

        ip6tables -t nat -A POSTROUTING -s $SUB_ADD6 -p tcp --dport $j -j SNAT --to $IPV6;
        ip6tables -A FORWARD -s $SUB_ADD6 -p tcp --dport $j -j ACCEPT;
done

# Routing TCP port required from VPN server to Yunohost server
for i in $TCP_PORTS
do
        iptables -t nat -A PREROUTING -i $IN_FACE -p tcp --dport $i -j DNAT --to-destination $SUB_ADD4;
        iptables -A FORWARD -d $SUB_ADD4 -p tcp --dport $i -j ACCEPT;

        ip6tables -t nat -A PREROUTING -i $IN_FACE -p tcp --dport $i -j DNAT --to-destination $SUB_ADD6;
        ip6tables -A FORWARD -d $SUB_ADD6 -p tcp --dport $i -j ACCEPT;
done

# Synapse and Coturn
for port in udp tcp
do
        for i in $BOTH_PORTS
        do
                iptables -t nat -A PREROUTING -i $IN_FACE -p $port --dport $i -j DNAT --to-destination $SUB_ADD4;
                iptables -t nat -A POSTROUTING -s $SUB_ADD4 -p $port --dport $i -j SNAT --to $IPV4;
                iptables -A FORWARD -d $SUB_ADD4 -p $port --dport $i -j ACCEPT;

                ip6tables -t nat -A PREROUTING -i $IN_FACE -p $port --dport $i -j DNAT --to-destination $SUB_ADD6;
                ip6tables -t nat -A POSTROUTING -s $SUB_ADD6 -p $port --dport $i -j SNAT --to $IPV6;
                ip6tables -A FORWARD -d $SUB_ADD6 -p $port --dport $i -j ACCEPT;
        done
done

# chmod +x /etc/wireguard/PostUp.sh
# systemctl restart wg-quick@wg0.service
# systemctl enable wg-quick@wg0.service

# PostDown - VPS
# /etc/wireguard/PostDown.sh

IN_FACE="eth0"                                     # NIC connected to the internet
WG_FACE="wg0"                                      # WG NIC
IPV4="100.200.50.50"                               # ipv4 address of public server
IPV6="2301:3ff:c000:aaa::1"                       # ipv6 address of public server
SUB_ADD4="10.6.0.2"                                # WG IPv4 sub/net
SUB_ADD6="fd42:42:42::2"                           # WG IPv6 sub/net
TCP_PORTS="25 53 80 140 443 587 993 5222 5269"   # All input TCP Ports
BOTH_PORTS="53 5353 49153:49193"    # Both ways UDP and TCP
TCP_OUT_PORTS="25 587"                             # All output TCP Ports from Yunohost Server to internet

iptables -D FORWARD -i $WG_FACE -j ACCEPT;
iptables -t nat -D POSTROUTING -o $IN_FACE -j MASQUERADE;

ip6tables -D FORWARD -i $WG_FACE -j ACCEPT;
ip6tables -t nat -D POSTROUTING -o $IN_FACE -j MASQUERADE;

# icmp
iptables -D INPUT -p icmp -j ACCEPT;

ip6tables -D INPUT -p ipv6-icmp -j ACCEPT;


# Routing "TCP_OUT_PORTS" from Yunohost Server to internet
for j in $TCP_OUT_PORTS
do
        iptables -t nat -D POSTROUTING -s $SUB_ADD4 -p tcp --dport $j -j SNAT --to $IPV4;
        iptables -D FORWARD -s $SUB_ADD4 -p tcp --dport $j -j ACCEPT;

        ip6tables -t nat -D POSTROUTING -s $SUB_ADD6 -p tcp --dport $j -j SNAT --to $IPV6;
        ip6tables -D FORWARD -s $SUB_ADD6 -p tcp --dport $j -j ACCEPT;
done

# Routing TCP port required from VPN server to Yunohost server
for i in $TCP_PORTS
do
        iptables -t nat -D PREROUTING -i $IN_FACE -p tcp --dport $i -j DNAT --to-destination $SUB_ADD4;
        iptables -D FORWARD -d $SUB_ADD4 -p tcp --dport $i -j ACCEPT;

        ip6tables -t nat -D PREROUTING -i $IN_FACE -p tcp --dport $i -j DNAT --to-destination $SUB_ADD6;
        ip6tables -D FORWARD -d $SUB_ADD6 -p tcp --dport $i -j ACCEPT;
done

# Synapse and Coturn
for port in udp tcp
do
        for i in $BOTH_PORTS
        do
                iptables -t nat -D PREROUTING -i $IN_FACE -p $port --dport $i -j DNAT --to-destination $SUB_ADD4;
                iptables -t nat -D POSTROUTING -s $SUB_ADD4 -p $port --dport $i -j SNAT --to $IPV4;
                iptables -D FORWARD -d $SUB_ADD4 -p $port --dport $i -j ACCEPT;

                ip6tables -t nat -D PREROUTING -i $IN_FACE -p $port --dport $i -j DNAT --to-destination $SUB_ADD6;
                ip6tables -t nat -D POSTROUTING -s $SUB_ADD6 -p $port --dport $i -j SNAT --to $IPV6;
                ip6tables -D FORWARD -d $SUB_ADD6 -p $port --dport $i -j ACCEPT;
        done
done

# chmod +x /etc/wireguard/PostDown.sh
# systemctl restart wg-quick@wg0.service
# systemctl enable wg-quick@wg0.service

# PostUp.sh - Yunohost
# /etc/wireguard/PostUp.sh

WG_FACE="wg0"                                          # WG NIC
SUB_ADD4="10.6.0.2/24"                                 # WG IPv4 sub/net
SUB_ADD6="fd42:42:42::2/64"                            # WG IPv6 sub/net
TCP_PORTS="25 80 140 443 587 993 4443 5222 5269 8448"  # All TCP Ports
BOTH_PORTS="5353 10000"                                # UDP and TCP Ports for Synapse and Coturn

# Begin IPV4
iptables -w -N vpnclient_in;
iptables -w -N vpnclient_out;
iptables -w -N vpnclient_fwd;

iptables -w -A vpnclient_in -p icmp -j ACCEPT;
iptables -w -A vpnclient_in -s $SUB_ADD4 -j ACCEPT;

# Allowing required TCP ports
for i in $TCP_PORTS
do
        iptables -w -A vpnclient_in -p tcp --dport $i -j ACCEPT;
done

# Allowing required Synapse and Coturn ports - UDP and TCP
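# --dport is only valid together with -p, so add one rule per protocol
for proto in udp tcp
do
        for i in $BOTH_PORTS
        do
                iptables -w -A vpnclient_in -p $proto --dport $i -j ACCEPT;
        done
done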
# End Synapse and Coturn ports

iptables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;

iptables -w -A vpnclient_in -j DROP;
iptables -w -A vpnclient_out -j ACCEPT;
iptables -w -A vpnclient_fwd -j DROP;

iptables -w -I INPUT 1 -i $WG_FACE -j vpnclient_in;
iptables -w -I OUTPUT 1 -o $WG_FACE -j vpnclient_out;
iptables -w -I FORWARD 1 -o  $WG_FACE -j vpnclient_fwd;
# End IPV4

# Begin IPV6
ip6tables -w -N vpnclient_in;
ip6tables -w -N vpnclient_out;
ip6tables -w -N vpnclient_fwd;

ip6tables -w -A vpnclient_in -p ipv6-icmp -j ACCEPT;
ip6tables -w -A vpnclient_in -s $SUB_ADD6 -j ACCEPT;

# Allowing required TCP ports
for i in $TCP_PORTS
do
        ip6tables -w -A vpnclient_in -p tcp --dport $i -j ACCEPT;
done

# Allowing required Synapse and Coturn ports - UDP and TCP
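# --dport is only valid together with -p, so add one rule per protocol
for proto in udp tcp
do
        for i in $BOTH_PORTS
        do
                ip6tables -w -A vpnclient_in -p $proto --dport $i -j ACCEPT;
        done
done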
# End Synapse and Coturn ports

ip6tables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;

ip6tables -w -A vpnclient_in -j DROP;
ip6tables -w -A vpnclient_out -j ACCEPT;
ip6tables -w -A vpnclient_fwd -j DROP;

ip6tables -w -I INPUT 1 -i $WG_FACE -j vpnclient_in;
ip6tables -w -I OUTPUT 1 -o $WG_FACE -j vpnclient_out;
ip6tables -w -I FORWARD 1 -o  $WG_FACE -j vpnclient_fwd;
# End IPV6

# chmod +x /etc/wireguard/PostUp.sh
# systemctl restart wg-quick@wg0.service
# systemctl enable wg-quick@wg0.service
# /etc/init.d/networking restart

# PostDown.sh - Yunohost
# /etc/wireguard/PostDown.sh

WG_FACE="wg0"                    # WG NIC

# Begin IPV4
iptables -w -F vpnclient_in;
iptables -w -F vpnclient_out;
iptables -w -F vpnclient_fwd;

iptables -D INPUT -i $WG_FACE -j vpnclient_in;
iptables -D FORWARD -o $WG_FACE -j vpnclient_fwd;
iptables -D OUTPUT -o $WG_FACE -j vpnclient_out;

iptables -w -X vpnclient_in;
iptables -w -X vpnclient_out;
iptables -w -X vpnclient_fwd;
# End IPV4

# Begin IPV6
ip6tables -w -F vpnclient_in;
ip6tables -w -F vpnclient_out;
ip6tables -w -F vpnclient_fwd;

ip6tables -D INPUT -i $WG_FACE -j vpnclient_in;
ip6tables -D FORWARD -o $WG_FACE -j vpnclient_fwd;
ip6tables -D OUTPUT -o $WG_FACE -j vpnclient_out;

ip6tables -w -X vpnclient_in;
ip6tables -w -X vpnclient_out;
ip6tables -w -X vpnclient_fwd;
# End IPV6

# chmod +x /etc/wireguard/PostDown.sh
# systemctl restart wg-quick@wg0.service
# systemctl enable wg-quick@wg0.service
# /etc/init.d/networking restart

Thank you @tomas.

Hey @rungeard, maybe you want to merge your nice first post with @tomas’ contribution so that we find the merge at the beginning of the post?

@rungeard Thanks for your very helpful post!

Everything works for me as intended, apart from the certificate renewal on my domain.tld - despite adapting /etc/hosts as per your instructions.

Instead, running yunohost domain cert renew domain.tld fails, and I get the following printed to stdout:

Info: Now attempting renewing of certificate for domain domain.tld !
Success! Configuration updated for 'dnsmasq'
Info: Parsing account key...
Info: Parsing CSR...
Info: Found domains: domain.tld, xmpp-upload.domain.tld, muc.domain.tld
Info: Getting directory...
Info: Directory found!
Info: Registering account...
Info: Already registered!
Info: Creating new order...
Info: Order created!
Info: Verifying muc.domain.tld ...
Error: Wrote file to /var/www/.well-known/acme-challenge-public/alphanumeric_code, but couldn't download http://muc.domain.tld/.well-known/acme-challenge/alphanumeric_code: Error:
Url: http://muc.domain.tld/.well-known/acme-challenge/alphanumeric_code
Data: None
Response Code: None
Response: <urlopen error [Errno 111] Connection refused>
Error: Certificate renewing for domain.tld failed!
Info: The operation 'Renew 'domain.tld' Let's Encrypt certificate' could not be completed. Please share the full log of this operation using the command 'yunohost log share 20240906-175406-letsencrypt_cert_renew-domain.tld' to get help
Error: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/yunohost/vendor/acme_tiny/acme_tiny.py", line 214, in get_crt
    assert disable_check or _do_request(wellknown_url)[0] == keyauthorization
  File "/usr/lib/python3/dist-packages/yunohost/vendor/acme_tiny/acme_tiny.py", line 76, in _do_request
    raise ValueError(
ValueError: Error:
Url: http://muc.domain.tld/.well-known/acme-challenge/alphanumeric_code
Data: None
Response Code: None
Response: <urlopen error [Errno 111] Connection refused>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/yunohost/certificate.py", line 502, in _fetch_and_enable_new_certificate
    signed_certificate = sign_certificate(
  File "/usr/lib/python3/dist-packages/yunohost/vendor/acme_tiny/acme_tiny.py", line 216, in get_crt
    raise ValueError(
ValueError: Wrote file to /var/www/.well-known/acme-challenge-public/alphanumeric_code, but couldn't download http://muc.domain.tld/.well-known/acme-challenge/alphanumeric_code: Error:
Url: http://muc.domain.tld/.well-known/acme-challenge/alphanumeric_code
Data: None
Response Code: None
Response: <urlopen error [Errno 111] Connection refused>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/yunohost/certificate.py", line 390, in certificate_renew
    _fetch_and_enable_new_certificate(domain, no_checks=no_checks)
  File "/usr/lib/python3/dist-packages/yunohost/certificate.py", line 515, in _fetch_and_enable_new_certificate
    raise YunohostError("certmanager_cert_signing_failed")
yunohost.utils.error.YunohostError: Could not sign the new certificate

Error: Could not sign the new certificate
Error: Let's Encrypt certificate renew failed for domain.tld

Further info:

  • my muc DNS record is currently a CNAME entry pointing to domain.tld.
  • renewing certs for other, app specific subdomains of domain.tld works
  • opening the http://muc.domain.tld/.well-known/acme-challenge/alphanumeric_code URL in the browser works, i.e. I see a hash(like?) string

Any help or suggestions are much appreciated! Thanks a lot in advance!

Hi @puer-robustus !
Do you have a row with 127.0.0.1 muc.domain.tld in your hosts file ?

Do you have a row with 127.0.0.1 muc.domain.tld in your hosts file ?

No, that I don’t.
I figured since renewing certs for other subdomains works, that wouldn’t be necessary.
But let me retry after adding such a line.

@rungeard Yep, that did the trick. Thanks a lot. Would you mind explaining to me, why I needed to add the muc subdomain to /etc/hosts but not e.g. xmpp-upload?

@puer-robustus
Strange indeed. If I remember well (I haven’t used this WireGuard config since my SSD died and I moved to a VPS setup), if you have XMPP enabled on domain.tld, you also need to add muc.domain.tld, pubsub.domain.tld, vjud.domain.tld and xmpp-upload.domain.tld to the hosts file.
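
A quick way to verify the hosts entries named in the reply above before retrying a renewal. This is an added example, not from the thread: the function names and the sample file are constructed, and checking the bare domain alongside the four XMPP subdomains is an assumption.

```shell
#!/bin/sh
# Added example: list the XMPP-related names that have no "127.0.0.1 <name>"
# entry in a hosts file. A missing entry makes the local ACME self-check
# resolve the name elsewhere, which is where the thread saw
# "Connection refused".

# xmpp_hosts_missing DOMAIN [HOSTS_FILE]
# Prints one missing name per line; prints nothing when all are present.
xmpp_hosts_missing() {
    domain=$1
    hosts=${2:-/etc/hosts}
    for name in "$domain" "muc.$domain" "pubsub.$domain" \
                "vjud.$domain" "xmpp-upload.$domain"; do
        awk -v want="$name" '
            { sub(/#.*/, "") }                    # ignore comments
            $1 == "127.0.0.1" {                   # several names may share a line
                for (i = 2; i <= NF; i++)
                    if (tolower($i) == tolower(want)) found = 1
            }
            END { exit !found }
        ' "$hosts" || echo "$name"
    done
}

# sample_hosts: constructed hosts file with muc commented out and vjud absent.
sample_hosts() {
    cat <<'EOF'
127.0.0.1 localhost
127.0.0.1 domain.tld xmpp-upload.domain.tld   # constructed sample
#127.0.0.1 muc.domain.tld
127.0.0.1 PUBSUB.domain.tld
EOF
}

# Usage: xmpp_hosts_missing domain.tld /etc/hosts
```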

Ok, thanks. I will monitor this and adapt if necessary. Thanks once again for your quick help! Much appreciated!

Hi there!

I’ve been using this setup for my YunoHost installation and it has worked amazingly so far.

I’m just having one issue where my apps can’t seem to communicate with each other. For example, my Sharkey instance can’t generate previews of webpages that are hosted on the same YunoHost server. Is this a normal YunoHost security feature or have I configured something wrong with the VPN?

Not sure if this helps but I seem to be getting this error in Sharkey’s logs:
RequestError: Blocked address: 127.0.0.1

Thanks! :slight_smile:
Loowiz

Hi @loowiz !

Does the connection between these two apps work when the VPN is deactivated?

Ah, I just tested it out and it doesn’t seem to be related to the VPN, sorry!

I tried skipping some steps by using pivpn (check this post) and the VPN does work, but I can’t get past that. So maybe it’s better if I try to follow this guide? There are some things I need help with, and I would really appreciate a hand.

How do I know if I need an IPV6?
Since I wasn’t sure I got one, but I’m unsure of how to fill the netmask
I think that my netmask is /128. Should I paste it like that? Because I filled the IPV4 one transforming the CIDR with Subnet Cheat Sheet – 24 Subnet Mask, 30, 26, 27, 29, and other IP Address CIDR Network References

Is it safe to share my IPV6 gateway? I’m also unsure if I filled it correctly

I get
sudo: /etc/init.d/networking: command not found

Is the new way to do this with:
sudo systemctl restart systemd-networkd
?

Hi @anon!
Sorry for the late reply.

You can do without IPV6, but I think it’s a shame in 2025 to have a server that is inaccessible via IPV6!

You can copy it as is. If you have any doubts, there are usually documents on the VPS provider’s website explaining how to configure a server in IPV6.

Share the gateway with whom? The server that connects to it? It already knows it!

Yes, that’s entirely possible! If you’re unsure whether that’s enough, you can also reboot the VPS.

Hello,

Great tutorial. Thanks.
Can’t wait for an app that handles the config on the YunoHost side :heart_eyes:

You can also use a ready-made tunnel made with love by well-meaning people :sweat_smile:
I’m thinking of this one. Even though it is mainly for locals (the Grenoble area), it should also be accessible to everyone.
There is also this one.
It’s a bit more expensive than a VPS, but you don’t have to worry about managing the VPN server side.
There are certainly others that I don’t know of.