switching public/private

diy-tunnel/private/simple/README.md

@@ -0,0 +1,3 @@
+Copy `wg0.conf` to `/etc/wireguard/wg0.config`
+
+This example works well for forwarding traffic to services running directly on the private server.  If your services are running in Docker things get much more complicated because of how Docker handle networking.  For that, see the `/public/docker-on-host` example.

diy-tunnel/private/simple/wg0.conf

@@ -0,0 +1,35 @@
+[Interface]
+Address = 10.0.0.2/24         # Private IP for the home server in the VPN network
+PrivateKey = #### PRIVATE KEY OF PRIVATE SERVER #####
+Table = 123
+
+# Enable IP forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+
+# Return traffic through wireguard
+PreUp = ip rule add from 10.0.0.2 table 123 priority 1
+PostDown = ip rule del from 10.0.0.2 table 123 priority 1
+
+# Route traffic to public IP to self to avoid it hitting the network
+PreUp = iptables -t nat -A OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1
+PostDown = iptables -t nat -D OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1
+
+# ==== Firewall ===============================
+
+# Allow our expected traffic
+PreUp = iptables -A INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
+PostDown = iptables -D INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
+
+# And pings
+PreUp = iptables -A INPUT -i wg0 -p icmp --icmp-type echo-request -j ACCEPT
+PostDown = iptables -D INPUT -i wg0 -p icmp --icmp-type echo-request -j ACCEPT
+
+# Block the rest
+PreUp = iptables -A INPUT -i wg0 -j DROP
+PostDown = iptables -D INPUT -i wg0 -j DROP
+
+[Peer]
+PublicKey = #### PUBLIC KEY OF PUBLIC SERVER #####
+AllowedIPs = 0.0.0.0/0
+Endpoint = 999.999.999.999:51820
+PersistentKeepalive = 25