mirror of
https://git.straybits.ca/straybits/docker-samples.git
synced 2024-11-07 18:22:26 +00:00
46 lines
No EOL
1.9 KiB
Text
46 lines
No EOL
1.9 KiB
Text
[Interface]
|
|
Address = 10.0.0.2/24 # Private IP for the home server in the VPN network
|
|
PrivateKey = #### PRIVATE KEY OF PRIVATE SERVER #####
|
|
Table = 123
|
|
|
|
# Enable IP forwarding
|
|
PreUp = sysctl -w net.ipv4.ip_forward=1
|
|
|
|
# loose reverse path forwarding validation
|
|
PostUp = sysctl -w net.ipv4.conf.wg0.rp_filter=2
|
|
|
|
# Mark new connections coming in through wg0
|
|
PreUp = iptables -t mangle -A PREROUTING -i wg0 -m state --state NEW -j CONNMARK --set-mark 1
|
|
PostDown = iptables -t mangle -D PREROUTING -i wg0 -m state --state NEW -j CONNMARK --set-mark 1
|
|
|
|
# Mark return packets to go out through WireGuard via policy routing
|
|
PreUp = iptables -t mangle -A PREROUTING ! -i wg0 -m connmark --mark 1 -j MARK --set-mark 1
|
|
PostDown = iptables -t mangle -D PREROUTING ! -i wg0 -m connmark --mark 1 -j MARK --set-mark 1
|
|
|
|
# Push marked connections back through wg0
|
|
PreUp = ip rule add fwmark 1 table 123 priority 456
|
|
PostDown = ip rule del fwmark 1 table 123 priority 456
|
|
|
|
# Route traffic to public IP to self to avoid it hitting the network
|
|
PreUp = iptables -t nat -A OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1
|
|
PostDown = iptables -t nat -D OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1
|
|
|
|
# ==== Firewall ===============================
|
|
|
|
# Allow our expected traffic
|
|
PreUp = iptables -A INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
|
|
PostDown = iptables -D INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
|
|
|
|
# And pings
|
|
PreUp = iptables -A INPUT -i wg0 -p icmp --icmp-type echo-request -j ACCEPT
|
|
PostDown = iptables -D INPUT -i wg0 -p icmp --icmp-type echo-request -j ACCEPT
|
|
|
|
# Block the rest
|
|
PreUp = iptables -A INPUT -i wg0 -j DROP
|
|
PostDown = iptables -D INPUT -i wg0 -j DROP
|
|
|
|
[Peer]
|
|
PublicKey = #### PUBLIC KEY OF PUBLIC SERVER #####
|
|
AllowedIPs = 0.0.0.0/0
|
|
Endpoint = 999.999.999.999:51820
|
|
PersistentKeepalive = 25 |