How to Wireguard behind NAT

How to Wireguard behind NAT

Install Wireguard on Server / Client:

#Debian
# The "wireguard" package should also pull in wireguard-tools, which provides
# the "wg" and "wg-quick" commands used in the rest of this guide.
apt update && apt install wireguard

#Suse
zypper ref && zypper in wireguard

Enable IP forwarding (not port forwarding: the server has to route packets between the tunnel and its uplink):

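# Enable IP forwarding so the server routes between wire0 and eth0. Written as
# a sysctl drop-in rather than appended to /etc/sysctl.conf, so running this
# twice does not leave duplicate lines behind.
# NOTE: once forwarding is on, the FORWARD chain rules in the wg config are what
# decides which traffic is actually relayed - keep them tight.
printf '%s\n' '#wg server port forward' \
  'net.ipv4.ip_forward=1' \
  'net.ipv6.conf.all.forwarding=1' > /etc/sysctl.d/99-wireguard.conf
# Apply without a reboot; --system (unlike -p) also loads /etc/sysctl.d/*.conf.
sysctl --system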

Create the server key pair and the WireGuard config

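# Work as root inside /etc/wireguard. Abort if the directory is missing so the
# keys are not silently generated in the current directory with the default
# umask; umask 077 makes every file created from here on owner-only (0600).
cd /etc/wireguard || exit 1
umask 077
# genkey -> priv-serv.key; the public key is derived from it and written to
# pub-serv.key and the terminal. Only the PUBLIC key ever appears on stdout.
wg genkey | tee priv-serv.key | wg pubkey | tee pub-serv.key

# Belt and braces: the private key must be readable by root only.
chmod 600 priv-serv.key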
Create the config file /etc/wireguard/wire0.conf (it contains the private key, so it must stay root-only):
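[Interface]
# Paste the contents of priv-serv.key here. Because the key is inline, this
# file has to stay mode 0600 and owned by root.
PrivateKey = <PRIV-SERV.KEY>
# Server address on the tunnel subnet. 10.2.2.0 is the network address of the
# /28 and should not be used for a host; take .1 so peers use .2 and upwards
# (the client example below uses 10.2.2.2).
Address = 10.2.2.1/28
#
# IPv6 Scopes:
# Localhost ::1/128
# Link Local Unicast (APIPA) fe80::/64
# Unique Local Host fc00 --> fdff (fc00::/7)
# Multicast ff00::/8
#
# Same for IPv6: the all-zero host part (fdfc:fece:acab:acab::) is the
# subnet-router anycast address, so give the server ::1 inside the /64.
Address = fdfc:fece:acab:acab::1/64
# With SaveConfig, "wg-quick down" rewrites THIS file from the running state:
# peers added with "wg set" get persisted then, but comments are lost. Until
# that happens runtime peers are not saved - see "wg-quick save" below.
SaveConfig = true
# %i is replaced by wg-quick with the interface name (wire0); do not mix it with
# a hard-coded name. Forwarding policy:
#   - anything arriving from the tunnel is forwarded and masqueraded behind eth0
#     (full-tunnel VPN; peers can reach everything behind eth0 as well - add
#     -d/-s restrictions if that is not wanted);
#   - into the tunnel only replies to connections the peers opened, so hosts on
#     the eth0 side cannot reach peers unsolicited (only effective when the
#     FORWARD chain's default policy is DROP).
# Replace "eth0" with the real uplink interface name.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Exact mirror of PostUp with -D, so nothing is left behind on "wg-quick down".
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# UDP port the server listens on. Peers must be able to reach it: open it in
# the host firewall and, when the server sits behind NAT, forward it on the
# router in front of the server.
ListenPort = 51820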

Start the wg (wire0) interface

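# The config file contains the server's private key: root-owned, mode 0600.
chown root:root /etc/wireguard/wire0.conf
chmod 600 /etc/wireguard/wire0.conf
# fw allowing: open the listen port if a host firewall is active (ufw shown,
# adapt for nftables/firewalld). WireGuard is UDP only.
#ufw allow 51820/udp

#Starting all up: wg-quick creates wire0, assigns the addresses and runs the
# PostUp rules from the config.
wg-quick up wire0

#checking with: shows interface, public key, listen port and (later) the peers.
wg show wire0

#Enable (optional) Autostart: the unit runs "wg-quick up wire0" at boot and
# expects /etc/wireguard/wire0.conf to exist.
systemctl enable wg-quick@wire0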

The server is now running and waiting for peers to be added.

Client configuration

Create keys on Client

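# Run these as root (e.g. under "sudo -i"): /etc/wireguard is root-only, so a
# plain "cd" as an unprivileged user fails and the mixed sudo/non-sudo variant
# would leave the keys in the current directory. Abort on a failed cd; umask
# 077 makes the new files 0600.
cd /etc/wireguard || exit 1
umask 077
# Private key -> priv-client.key; derived public key -> pub-client.key and the
# terminal. Only the public key has to be handed to the server.
wg genkey | tee priv-client.key | wg pubkey | tee pub-client.key

# Private key readable by root only.
chmod 600 priv-client.key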

Create a /etc/wireguard/wgclient0.conf

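[Interface]
# Contents of priv-client.key; keep this file 0600 on the client.
PrivateKey = <PRIV-CLIENT.KEY>
# Tunnel address of this peer. Must match the allowed-ips the server is given
# for this peer ("wg set ... allowed-ips 10.2.2.2/32" below).
Address = 10.2.2.2/32
#
# Adminforge DNS / Quard9 ?
# DNS = 176.9.93.198, 176.9.1.117, 2a01:4f8:151:34aa::198, 2a01:4f8:141:316d::117
# Resolver used while the tunnel is up (installed by wg-quick). With a full
# tunnel all DNS traffic goes through the server, so pick one you trust.
DNS = 9.9.9.9, 2620:fe::9

[Peer]
# The server's PUBLIC key (pub-serv.key) - never its private key.
PublicKey = <PUB-SERV.KEY>
# Public IP or DNS name of the server plus its ListenPort. If the server is
# behind NAT this is the NAT router's address, which must forward UDP 51820.
Endpoint = <SERV-IP| DOMAIN>:51820
# Full tunnel: route all IPv4 and IPv6 traffic through the server.
AllowedIPs = 0.0.0.0/0, ::/0
# Client behind NAT: send a keepalive every 25 s so the NAT mapping does not
# expire and the server can still reach this peer while it is idle.
PersistentKeepalive = 25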

Add the peer on the server, then start wg on the client

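## ON SERV:
# Register the client's PUBLIC key together with the tunnel address it may use.
# WireGuard only accepts packets from this peer whose source lies inside
# allowed-ips, so keep it to the client's single /32.
wg set wire0 peer <PUB-CLIENT.KEY> allowed-ips 10.2.2.2/32
# "wg set" only changes the running interface. Write it back to wire0.conf now
# instead of relying on SaveConfig at the next "wg-quick down" - a reboot or
# crash before that would lose the peer.
wg-quick save wire0

#
## ON CLIENT
wg-quick up wgclient0

# For down the line:
wg-quick down wgclient0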

Server side with one peer added

WireGuard NAT traversal

SSH reverse tunnel method (note: SSH forwards TCP only, while WireGuard speaks UDP, so this needs the UDP-in-TCP relay from the next section)

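# On the VPS: create a dedicated, unprivileged user for the tunnel and give it
# an SSH key instead of a password (the original example used a trivial
# password; password logins on a public VPS invite brute forcing):
#   adduser --disabled-password wguser
#   # then add the WireGuard server's public key to ~wguser/.ssh/authorized_keys
#
# On the WireGuard server (behind NAT): open a reverse tunnel so that VPS port
# 51443 is forwarded to the local WireGuard port 51820.
#   -N/-f   no remote command, go to background after authentication
#   -p      ssh's port option is lowercase; -P belongs to scp/sftp and makes
#           ssh fail with "unknown option"
#   0.0.0.0 bind the remote listener on all interfaces - by default sshd binds
#           it to loopback only, so nobody outside the VPS could use it. This
#           also needs "GatewayPorts yes" (or "clientspecified") in sshd_config
#   ServerAliveInterval keeps the NAT state for the SSH session alive
ssh -Nf -o ServerAliveInterval=30 -R 0.0.0.0:51443:localhost:51820 wguser@vps -p 22

# Now the WireGuard server is reachable as vps:51443 - but only over TCP, since
# ssh -R forwards TCP streams. Wrap the UDP packets in TCP (next section) or make
# the VPS itself the WireGuard endpoint.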

How to relay UDP traffic through a TCP tunnel

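# Crude UDP-over-TCP relay with netcat. Caveats: nc does not preserve UDP
# datagram boundaries inside the TCP stream, handles a single connection and
# exits when it closes - treat this as a debugging hack, not a transport.
# The fifo name must be the same in mkfifo and in the redirections (the
# original created "fifi-wg" but redirected to "fifo-wg", so the relay could
# never start). A private mktemp directory replaces the fixed, predictable
# /tmp name. Flags are those of traditional netcat (-l -p PORT).

#Serverside (the host running WireGuard): TCP in -> UDP to the local wg port.
FIFO_DIR=$(mktemp -d) && mkfifo "$FIFO_DIR/wg"
nc -l -p 51820 < "$FIFO_DIR/wg" | nc -u 127.0.0.1 51820 > "$FIFO_DIR/wg"

#Clientside: UDP in from the local wg client -> TCP to the VPS. Point the
# client's Endpoint at 127.0.0.1:51820. If the TCP leg is the "ssh -R" tunnel
# from the previous section, the VPS-side port is 51443, not 51820.
FIFO_DIR=$(mktemp -d) && mkfifo "$FIFO_DIR/wg"
nc -l -u -p 51820 < "$FIFO_DIR/wg" | nc VPS-SERVER-IP 51820 > "$FIFO_DIR/wg"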

Debugging Wireguard

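# Kernel debug messages of the wireguard module go to the kernel log. This
# needs debugfs mounted (and a kernel built with dynamic debug); mount it
# first if it is not.
mountpoint -q /sys/kernel/debug || mount -t debugfs none /sys/kernel/debug
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

# For deactivating just (-). Switch it off again when done: the output can
# contain peer keys and endpoints you may not want in persistent logs.
echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control

# Follow the kernel log live (-k kernel messages only, -f follow).
journalctl -f -k

# Watch some ipv6 traffic on wire-line (-n no name lookups, -e link-level
# header, -ttt relative timestamps, -i interface).
tcpdump -nettti wire0 "ip6"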

Tip for IPv6 issues:

To prefer IPv4 during name resolution, raise the precedence of IPv4-mapped addresses in /etc/gai.conf (this affects every program on the host, not only WireGuard):

# getaddrinfo() destination-address ordering: higher precedence sorts first.
# The stock glibc table gives ::ffff:0:0/96 (IPv4-mapped, i.e. plain IPv4) the
# lowest value; raising it to 100 makes IPv4 win. Note that as soon as one
# "precedence" line is present the built-in table is not used, so keep all
# five entries.
precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence ::/96          20
precedence ::ffff:0:0/96  100

Automation script

Here is a small quick-and-dirty shell script to automate the process (run it as root on the WireGuard server):

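#!/bin/bash
# Wireguard admin and peer creator: "-s" sets up the server, "-c" adds a peer.
# Must run as root on the WireGuard server (writes /etc/wireguard, sysctl, ufw).

#SERVER DATA
readonly LPORT=51820              # UDP listen port of the server
readonly IPADDR="10.1.1.1"        # server tunnel address (IPv4)
readonly SN=24                    # prefix length of the tunnel subnet
# Server IPv6 tunnel address. The host part must not be all zero: "::/64" is
# the subnet-router anycast address, so use ::1 inside the ULA /64.
readonly IPV6="fdfc:cccc:dddd:ffff::1/64"
# /24 Scope only yet! Last octet of IPADDR; peers are numbered upwards from it.
__XIP=${IPADDR##*.}

# Banner. "clear" only works (and only makes sense) on a terminal.
[[ -t 1 ]] && clear
echo "*************************************************************"
echo "*** Wireguard admin and peer creator v0.2a (c) suuhm 2023 ***"
echo "*************************************************************"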

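#######################################
# One-shot server setup: forwarding sysctls, server key pair, wire0.conf,
# firewall hole and "wg-quick up". Refuses to overwrite an existing key pair
# or config, because a new server key would break every already issued peer.
# Globals:  LPORT, IPADDR, SN, IPV6 (read)
# Returns:  0 on success, 1 when a step fails
#######################################
_server_conf() {
    # Forwarding as a sysctl drop-in: idempotent, unlike appending the same
    # lines to /etc/sysctl.conf on every run. --system loads /etc/sysctl.d/.
    printf '%s\n' '#wg server port forward' \
        'net.ipv4.ip_forward=1' \
        'net.ipv6.conf.all.forwarding=1' > /etc/sysctl.d/99-wireguard.conf
    sysctl --system

    # Abort if the directory is missing instead of dropping keys into $PWD;
    # umask 077 makes every file created below root-only (0600).
    cd /etc/wireguard || { echo "cannot cd to /etc/wireguard" >&2; return 1; }
    umask 077
    if [[ -e priv-serv.key || -e wire0.conf ]]; then
        echo "priv-serv.key or wire0.conf already exists, refusing to overwrite" >&2
        return 1
    fi
    wg genkey | tee priv-serv.key | wg pubkey > pub-serv.key
    # Setup rw only on private key:
    chmod 600 priv-serv.key

    # %i = interface name (wire0); do not mix it with a hard-coded name.
    # Traffic from the tunnel is forwarded and masqueraded behind eth0; into
    # the tunnel only replies (conntrack), so hosts on the eth0 side cannot
    # reach peers unsolicited (effective when the FORWARD policy is DROP).
    # Adjust "eth0" to the real uplink interface.
    cat << EOG > /etc/wireguard/wire0.conf
[Interface]
PrivateKey = $(cat priv-serv.key)
Address = $IPADDR/$SN
#
# IPv6 Scopes:
# Localhost ::1/128
# Link Local Unicast (APIPA) fe80::/64
# Unique Local Host fc00 --> fdff (fc00::/7)
# Multicast ff00::/8
#
Address = $IPV6
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = $LPORT
EOG

    chmod 600 /etc/wireguard/wire0.conf
    # fw allowing - only when ufw is installed; WireGuard is UDP only.
    if command -v ufw > /dev/null; then
        ufw allow "$LPORT/udp"
    fi

    echo "Starting wg server"; sleep 3
    wg-quick up wire0
}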

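#######################################
# Add one peer: generate its key pair, allocate the next tunnel address, write
# client_<name>.conf and register the peer on the running wire0.
# Globals:  IPADDR, LPORT (read); __XIP (read/written, persisted in SCOPE)
# Inputs:   peer name read from stdin
# Returns:  0 on success, 1 on invalid input or a failed step
#######################################
_client_conf() {
    local UCLIENT PEER_IP ENDPOINT_IP

    echo; read -r -p "Please enter a name of the User Peer: " UCLIENT
    echo

    # The name ends up in file names and in the interface name ("client_<name>"
    # has to fit the kernel's 15-character limit), so only a short
    # [A-Za-z0-9_-] token is accepted; spaces, "../" and the like are rejected.
    if [[ ! "$UCLIENT" =~ ^[A-Za-z0-9_-]{1,8}$ ]]; then
        echo "Invalid peer name '$UCLIENT': use 1-8 chars of [A-Za-z0-9_-]" >&2
        return 1
    fi

    # cd  dir and create keys (umask 077 -> new files are 0600)
    cd /etc/wireguard || { echo "cannot cd to /etc/wireguard" >&2; return 1; }
    umask 077
    if [[ -e "priv-client_$UCLIENT.key" ]]; then
        echo "peer $UCLIENT already exists" >&2
        return 1
    fi
    wg genkey | tee "priv-client_$UCLIENT.key" | wg pubkey > "pub-client_$UCLIENT.key"
    # Setup rw only on private key:
    chmod 600 "priv-client_$UCLIENT.key"

    #Raise IP Adress. The last allocated octet lives in the SCOPE file; it has
    # to be read back, otherwise every run starts from IPADDR again and hands
    # out the same address (the original only ever wrote the file).
    # /24 Scope only: stop at .254.
    [[ -r SCOPE ]] && __XIP=$(<SCOPE)
    if (( __XIP + 1 > 254 )); then
        echo "no free address left in ${IPADDR%.*}.0/24" >&2
        return 1
    fi
    __XIP=$(( __XIP + 1 ))
    PEER_IP="${IPADDR%.*}.$__XIP"
    echo "$__XIP" > SCOPE

    # Public address the peer will connect to. Behind NAT this is the NAT
    # router's address and UDP $LPORT has to be forwarded to this host.
    # ifconfig.co is a third-party service; a fixed IP/DNS name is preferable.
    # An empty endpoint would produce an unusable config, so bail out.
    ENDPOINT_IP=$(curl -s https://ifconfig.co)
    if [[ -z "$ENDPOINT_IP" ]]; then
        echo "could not determine the public IP, set Endpoint by hand" >&2
        return 1
    fi

    cat << EOG > "/etc/wireguard/client_$UCLIENT.conf"
[Interface]
PrivateKey = $(cat "priv-client_$UCLIENT.key")
Address = $PEER_IP/32
#
# Adminforge DNS / Quard9 ?
# DNS = 176.9.93.198, 176.9.1.117, 2a01:4f8:151:34aa::198, 2a01:4f8:141:316d::117
# DNS = 9.9.9.9, 2620:fe::9

[Peer]
PublicKey = $(cat pub-serv.key)
Endpoint = $ENDPOINT_IP:$LPORT
AllowedIPs = 0.0.0.0/0, ::/0
# Peer behind NAT: keep the mapping alive so the server can reach it when idle.
PersistentKeepalive = 25
EOG

    echo
    echo "Adding peer $UCLIENT $PEER_IP on server..."
    wg set wire0 peer "$(cat "pub-client_$UCLIENT.key")" allowed-ips "$PEER_IP/32"
    # Persist now: a bare "wg set" is lost on reboot until the next wg-quick down.
    wg-quick save wire0

    # The peer's private key is kept in client_<name>.conf and priv-client_*.key
    # on this server. Copy the config over a secure channel only (scp, not
    # mail) and consider removing the server-side private key afterwards.
    # ("$client_" in the original expanded to an empty variable, printing a
    # wrong file name.)
    echo "Copy config to client and run: wg-quick up client_$UCLIENT"; echo
}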

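# Entry point. Everything below touches /etc/wireguard, sysctl and the running
# interface, so insist on root before dispatching; ${1:-} keeps the usage path
# working when no argument is given.
if (( EUID != 0 )); then
    echo "This script must be run as root" >&2
    exit 1
fi

case "${1:-}" in
    -s) _server_conf ;;
    -c) _client_conf ;;
    *)
        echo "Error no Input Usage: $0 <-s or -c>"
        exit 1
        ;;
esac

# Propagate the function's status instead of always reporting success.
exit $?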

Copy the config to the client host with scp (it contains the client's private key, so never send it over plain e-mail):

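# scp runs over SSH, so the private key inside the config is encrypted in
# transit; -p keeps the 0600 mode the server gave the file. Remove the
# server-side copy (and priv-client_02.key) afterwards if the server should not
# keep the client's private key.
scp -p /etc/wireguard/client_02.conf root@otherclienthost:/etc/wireguard/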