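# WireGuard config for the home server, loaded with wg-quick (e.g. `wg-quick up wg0`).
# A public server forwards TCP 80/443 back here over the tunnel; this host answers
# from its VPN address 10.0.0.2 and the replies are policy-routed back into the tunnel.
#
# Keep this file root-owned with mode 0600: it holds the interface's private key.
# wg-quick strips everything after `#` on a line, so hook commands below must not
# contain `#`; `%i` in hook commands is replaced by the interface name, so the
# firewall rules work whatever file name this config is loaded from.

[Interface]
# Private IP of the home server inside the VPN network
Address = 10.0.0.2/24
PrivateKey = #### PRIVATE KEY OF PRIVATE SERVER #####
# Routes for AllowedIPs are installed in this table instead of wg-quick's default
# handling, so only traffic explicitly policy-routed to table 123 uses the tunnel.
Table = 123

# Enable IP forwarding. This is a system-wide setting and is not reverted on down.
# NOTE(review): only needed if this host forwards for other machines; a host that
# only serves 80/443 itself can drop this line.
PreUp = sysctl -w net.ipv4.ip_forward=1

# Send traffic sourced from the VPN address back through the tunnel
PreUp = ip rule add from 10.0.0.2 table 123 priority 1
PostDown = ip rule del from 10.0.0.2 table 123 priority 1

# Connections this host makes to its own public IP on 80/443 are redirected to
# loopback so they never leave through the tunnel. 999.999.999.999 is a
# placeholder: replace it with the public server's real IPv4 address here and in
# Endpoint below.
PreUp = iptables -t nat -A OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1
PostDown = iptables -t nat -D OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1

# ==== Firewall (IPv4 only: the tunnel carries no IPv6 address) =================
# Rules are appended (-A): if an earlier INPUT rule already accepts everything,
# the rules below never match. Verify with `iptables -S INPUT` after bringing
# the interface up. If `wg-quick up` fails after a PreUp hook has run, its rule
# is left behind until the matching PostDown runs.
# Allow replies to connections this host initiated over the tunnel, and related
# ICMP errors such as fragmentation-needed, which path MTU discovery relies on.
PreUp = iptables -A INPUT -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D INPUT -i %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow the forwarded web ports
PreUp = iptables -A INPUT -i %i -p tcp -m multiport --dports 80,443 -j ACCEPT
PostDown = iptables -D INPUT -i %i -p tcp -m multiport --dports 80,443 -j ACCEPT
# And pings
PreUp = iptables -A INPUT -i %i -p icmp --icmp-type echo-request -j ACCEPT
PostDown = iptables -D INPUT -i %i -p icmp --icmp-type echo-request -j ACCEPT
# Block the rest
PreUp = iptables -A INPUT -i %i -j DROP
PostDown = iptables -D INPUT -i %i -j DROP
# INPUT only protects this host. With ip_forward=1 the public server (or anyone
# who controls it) could otherwise reach hosts behind this one through the tunnel,
# so refuse to forward anything that arrives from the tunnel interface.
PreUp = iptables -A FORWARD -i %i -j DROP
PostDown = iptables -D FORWARD -i %i -j DROP

[Peer]
PublicKey = #### PUBLIC KEY OF PUBLIC SERVER #####
# Every destination is routed via the public server (into table 123, see above)
AllowedIPs = 0.0.0.0/0
Endpoint = 999.999.999.999:51820
# Keep NAT/firewall mappings alive so the public server can always reach this host
PersistentKeepalive = 25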