How to run WireGuard behind NAT

Install WireGuard on both the server and the client:
# Package installation; run as root (or via sudo) on both ends.
#Debian
apt update && apt install wireguard
#Suse
zypper ref && zypper in wireguard
Enable IP forwarding on the server (this is routing between interfaces, not port forwarding):
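# Persistently enable IPv4/IPv6 forwarding so the server can route peer traffic.
# A drop-in file is idempotent: re-running overwrites it instead of appending
# duplicate lines to /etc/sysctl.conf, and printf avoids the non-portable echo -e.
printf '%s\n' '# wg server: forward peer traffic' \
  'net.ipv4.ip_forward=1' \
  'net.ipv6.conf.all.forwarding=1' > /etc/sysctl.d/99-wireguard.conf
# Apply now without a reboot; --system reads /etc/sysctl.d/*.conf as well as /etc/sysctl.conf
sysctl --system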
Create the server keys and the WireGuard config:
# Keys live in /etc/wireguard; umask 077 makes every file created from here on
# owner-only, so the private key is never world-readable even for a moment.
cd /etc/wireguard && umask 077
# The private key goes straight to its file; only the public key is echoed.
wg genkey > priv-serv.key
wg pubkey < priv-serv.key | tee pub-serv.key
# Belt and braces: enforce 0600 on the private key regardless of umask.
chmod 600 priv-serv.key
Create the config /etc/wireguard/wire0.conf (it contains the private key, so keep it mode 0600):
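[Interface]
PrivateKey = <PRIV-SERV.KEY>
# Server address inside the tunnel. Use a host address (.1), not the network
# address (.0) of the /28; the clients below take .2 onwards from the same /28.
Address = 10.2.2.1/28
#
# IPv6 Scopes:
# Localhost ::1/128
# Link Local Unicast (APIPA) fe80::/64
# Unique Local Host fc00 --> fdff (fc00::/7)
# Multicast ff00::/8
#
# ULA prefix for the tunnel; ::1 is a host address (an all-zero interface ID
# is the subnet-router anycast address, not a host).
Address = fdfc:fece:acab:acab::1/64
# SaveConfig rewrites this file from the running state on `wg-quick down`
# (peers added with `wg set` are kept, hand-written comments are lost).
SaveConfig = true
# %i is this interface (wire0). Replace eth0 with the real uplink interface.
# These rules only forward/NAT peer traffic: traffic from the tunnel may go
# anywhere, while traffic *into* the tunnel is limited to replies
# (RELATED,ESTABLISHED) -- drop that match if peers must be reachable from
# the uplink. Nothing here restricts what peers may reach on this host itself
# (INPUT chain); add INPUT rules or a ufw policy for that.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820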
Start the wg interface (wire0):
# The config holds the private key: make it owner-only before the interface comes up.
chmod 600 /etc/wireguard/wire0.conf
# fw allowing -- open the WireGuard UDP port if ufw (or another host firewall) is active
#ufw allow 51820/udp
#Starting all up
wg-quick up wire0
#checking with -- shows interface, listening port and peers (handshakes appear once a client connects)
wg
#Enable (optional) Autostart: starts wire0 at boot; it does not start it now (wg-quick up above already did)
systemctl enable wg-quick@wire0

Client configuration
Create the keys on the client:
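# Run the whole key generation as root: /etc/wireguard is usually 0700 root,
# so an unprivileged `cd` into it fails, `&&` skips the umask, and the mixed
# sudo/non-sudo version leaves a root-owned key in the *current* directory
# that the final chmod (run as the user) cannot touch. umask 077 keeps both
# files owner-only from the moment they are created.
sudo sh -c 'cd /etc/wireguard && umask 077 \
  && wg genkey > priv-client.key \
  && wg pubkey < priv-client.key | tee pub-client.key \
  && chmod 600 priv-client.key'
# Only the public key is printed; it is what the server needs for `wg set`.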
Create /etc/wireguard/wgclient0.conf on the client:
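[Interface]
PrivateKey = <PRIV-CLIENT.KEY>
# Host address inside the server's 10.2.2.0/28; must match the allowed-ips
# the server is given for this peer.
Address = 10.2.2.2/32
#
# Adminforge DNS / Quad9 ?
# DNS = 176.9.93.198, 176.9.1.117, 2a01:4f8:151:34aa::198, 2a01:4f8:141:316d::117
# With the full tunnel below all DNS goes through the VPN, so queries do not
# leak to the local network's resolver.
DNS = 9.9.9.9, 2620:fe::9
[Peer]
PublicKey = <PUB-SERV.KEY>
Endpoint = <SERV-IP| DOMAIN>:51820
# Full tunnel: route everything (v4 and v6) to the server.
AllowedIPs = 0.0.0.0/0, ::/0
# Behind NAT the mapping for this UDP flow times out when idle; a keepalive
# every 25 s keeps it open so the server can still reach this peer.
PersistentKeepalive = 25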
Add the peer on the server, then start wg on the client:
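## ON SERV:
# Register the client's public key and the single tunnel address it may use.
# allowed-ips is also the routing/source filter: packets from this key with
# any other source address are dropped.
wg set wire0 peer <PUB-CLIENT.KEY> allowed-ips 10.2.2.2/32
# `wg set` only changes the running interface; with SaveConfig=true it is
# written to wire0.conf on `wg-quick down`, so a reboot or crash before that
# loses the peer. Persist it right away:
wg-quick save wire0
#
## ON CLIENT
wg-quick up wgclient0
# For down the line:
wg-quick down wgclient0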

NAT traversal for WireGuard (when the WireGuard server itself sits behind NAT)
SSH reverse tunnel method (note: ssh -R carries TCP only, so it needs the UDP-in-TCP relay from the next section)
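# adduser wguser   # dedicated unprivileged tunnel user on the VPS. Authenticate
#                  # with an SSH key (ssh-copy-id), not a shared password as in the
#                  # original note; a forced command / no-pty restriction is sensible.
#
# Reverse tunnel: the VPS listens on TCP 51443 and hands each connection to
# TCP 51820 on this host. ssh's port flag is lowercase -p (-P belongs to scp).
# By default the VPS listener binds to loopback only; the 0.0.0.0: bind
# address makes it reachable from outside, but only if sshd on the VPS has
# GatewayPorts yes (or clientspecified). ExitOnForwardFailure makes a taken
# port fail loudly instead of leaving a useless background ssh.
ssh -Nf -p 22 \
  -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
  -R 0.0.0.0:51443:localhost:51820 wguser@vps
# Clients now reach vps:51443 (TCP). WireGuard speaks UDP, so the relay in the
# next section is needed on both ends to get packets across this tunnel.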
How to carry UDP traffic through the TCP tunnel
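# Caveat: nc relays a byte stream, not datagrams. WireGuard packets may be
# split or merged in transit and are then silently discarded, and one nc pair
# serves a single TCP connection. Treat this as a debugging trick; for real use
# prefer a tool that frames UDP over TCP (udp2raw, wstunnel, ...). Option
# spelling also differs between netcat implementations (-l -p is the
# traditional/GNU form).
#Serverside (the WireGuard host behind NAT; the ssh -R delivers to TCP 51820 here):
# mktemp -d gives a private directory instead of a predictable, attacker-
# precreatable name in world-writable /tmp (the original also spelled the
# fifo differently at creation and at use).
relay=$(mktemp -d)
mkfifo "$relay/fifo-wg"
nc -l -p 51820 < "$relay/fifo-wg" | nc -u 127.0.0.1 51820 > "$relay/fifo-wg"
#Clientside: local UDP 51820 -> TCP to the port the reverse tunnel opened on the VPS (51443, not 51820)
relay=$(mktemp -d)
mkfifo "$relay/fifo-wg"
nc -l -u -p 51820 < "$relay/fifo-wg" | nc VPS-SERVER-IP 51443 > "$relay/fifo-wg"
# ...and point the client's [Peer] Endpoint at 127.0.0.1:51820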
Debugging WireGuard
# Kernel-side debug messages: needs root and debugfs mounted at /sys/kernel/debug.
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
# For deactivating just (-)
echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control
# Follow the kernel log while +p is enabled
journalctl -f -k
# Watch some ipv6 traffic on wire-line
# (what you see on wire0 is the decrypted inner traffic; root on this host sees it in clear)
tcpdump -nettti wire0 "ip6"
Tip for IPv6 issues:
Raise the precedence of IPv4-mapped addresses in /etc/gai.conf so getaddrinfo() prefers IPv4 (once any precedence line is present glibc ignores its built-in table, which is why all five entries are listed):
# /etc/gai.conf: getaddrinfo() sorts candidate addresses by these precedence
# values (higher sorts first). As soon as one precedence line exists, glibc
# drops its whole built-in table, so the default entries are repeated here.
precedence ::1/128 50
precedence ::/0 40
precedence 2002::/16 30
precedence ::/96 20
# Raised well above the others: IPv4-mapped addresses (i.e. IPv4 results)
# now sort first, so IPv4 is preferred over IPv6.
precedence ::ffff:0:0/96 100
Automation script
Here is a small, quick-and-dirty bash script that automates the steps above; run it as root on the server (-s once for the server, then -c once per client).
#!/bin/bash
# Quick WireGuard server/peer provisioning helper (run as root on the server).
#   -s  create the server key pair and wire0.conf, enable forwarding, start wire0
#   -c  create one client key pair + config and register it as a peer
#SERVER DATA
LPORT=51820
IPADDR="10.1.1.1"
SN=24
IPV6="fdfc:cccc:dddd:ffff::/64"
# /24 Scope only yet! -- peer host octets are counted up from the server's last octet
__XIP=${IPADDR##*.}
clear
printf '%s\n' \
  "*************************************************************" \
  "*** Wireguard admin and peer creator v0.2a (c) suuhm 2023 ***" \
  "*************************************************************"
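_server_conf() {
  # Creates the server key pair and /etc/wireguard/wire0.conf, enables IP
  # forwarding and brings wire0 up.
  # Globals read: LPORT, IPADDR, SN, IPV6; optional WAN_IF (uplink interface
  # used for MASQUERADE, default eth0).
  # Returns non-zero and changes nothing if a server key or config already
  # exists: regenerating the key would silently invalidate every client
  # config handed out so far.
  local wan_if="${WAN_IF:-eth0}"
  if [[ -e /etc/wireguard/priv-serv.key || -e /etc/wireguard/wire0.conf ]]; then
    echo "Server key/config already present in /etc/wireguard; refusing to overwrite." >&2
    return 1
  fi
  # Forwarding: append once (re-runs used to add duplicate lines) and apply now.
  if ! grep -qs '^net.ipv4.ip_forward=1' /etc/sysctl.conf; then
    printf '%s\n' '#wg server port forward' 'net.ipv4.ip_forward=1' 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
  fi
  #reboot
  sysctl -p
  # umask 077: key and config are owner-only from creation, not only after chmod.
  cd /etc/wireguard || return 1
  umask 077
  wg genkey | tee priv-serv.key | wg pubkey > pub-serv.key
  # Setup rw only on private key:
  chmod 600 priv-serv.key
  # Peer traffic may go anywhere; traffic *into* the tunnel is limited to replies.
  # Nothing here restricts what peers may reach on this host (INPUT chain).
  cat << EOG > /etc/wireguard/wire0.conf
[Interface]
PrivateKey = $(cat priv-serv.key)
Address = $IPADDR/$SN
#
# IPv6 Scopes:
# Localhost ::1/128
# Link Local Unicast (APIPA) fe80::/64
# Unique Local Host fc00 --> fdff (fc00::/7)
# Multicast ff00::/8
#
Address = $IPV6
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o $wan_if -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $wan_if -j MASQUERADE
ListenPort = $LPORT
EOG
  chmod 600 /etc/wireguard/wire0.conf
  # fw allowing -- only when ufw is installed; an unconditional call aborts otherwise
  if command -v ufw >/dev/null 2>&1; then
    ufw allow "$LPORT"/udp
  fi
  echo "Startiung wg server"; sleep 3
  wg-quick up wire0
}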
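_client_conf() {
  # Creates one client key pair + config under /etc/wireguard and registers
  # the client as a peer on the running wire0.
  # Globals read: IPADDR, LPORT, __XIP (seed for the host-octet counter);
  # optional WG_ENDPOINT (host:port clients connect to; default: public IP
  # looked up over HTTPS from ifconfig.co, plus LPORT).
  # State: the last handed-out host octet is kept in /etc/wireguard/SCOPE so
  # successive runs give out .2, .3, ... -- the original recomputed __XIP from
  # IPADDR on every run and therefore assigned the same address to every peer.
  # Returns non-zero (without touching anything) on a bad name, an existing
  # peer, an exhausted /24 or an unknown endpoint.
  local uclient peer_ip endpoint saved
  echo; read -r -p "Please enter a name of the User Peer: " uclient
  echo
  # The name becomes part of file names: allow a safe character set only
  # (no spaces, slashes or '..').
  if [[ ! "$uclient" =~ ^[A-Za-z0-9_-]+$ ]]; then
    echo "Invalid peer name '$uclient': use letters, digits, '_' or '-' only." >&2
    return 1
  fi
  cd /etc/wireguard || return 1
  umask 077
  if [[ -e "priv-client_$uclient.key" ]]; then
    echo "Peer '$uclient' already exists; refusing to overwrite its key." >&2
    return 1
  fi
  #Raise IP Adress -- resume the counter from the previous run if present
  if [[ -r SCOPE ]]; then
    saved=$(<SCOPE)
    if [[ "$saved" =~ ^[0-9]+$ ]]; then
      __XIP=$saved
    fi
  fi
  if (( __XIP >= 254 )); then
    echo "No free host address left in the /24." >&2
    return 1
  fi
  (( __XIP++ )) || true
  peer_ip="${IPADDR%.*}.$__XIP"
  # Endpoint: the public-IP lookup is unauthenticated data baked into every
  # client config, so fetch it over TLS and allow an explicit override.
  if [[ -n "${WG_ENDPOINT:-}" ]]; then
    endpoint="$WG_ENDPOINT"
  else
    endpoint=$(curl -fsS https://ifconfig.co) || endpoint=
    if [[ -z "$endpoint" ]]; then
      echo "Could not determine the public IP; set WG_ENDPOINT=host:port and retry." >&2
      return 1
    fi
    endpoint="$endpoint:$LPORT"
  fi
  # cd dir and create keys
  wg genkey | tee "priv-client_$uclient.key" | wg pubkey > "pub-client_$uclient.key"
  # Setup rw only on private key:
  chmod 600 "priv-client_$uclient.key"
  cat << EOG > "/etc/wireguard/client_$uclient.conf"
[Interface]
PrivateKey = $(cat "priv-client_$uclient.key")
Address = $peer_ip/32
#
# Adminforge DNS / Quard9 ?
# DNS = 176.9.93.198, 176.9.1.117, 2a01:4f8:151:34aa::198, 2a01:4f8:141:316d::117
# DNS = 9.9.9.9, 2620:fe::9
[Peer]
PublicKey = $(cat pub-serv.key)
Endpoint = $endpoint
AllowedIPs = 0.0.0.0/0, ::/0
EOG
  echo "$__XIP" > SCOPE
  echo
  echo "Adding peer $uclient $peer_ip on server..."
  wg set wire0 peer "$(cat "pub-client_$uclient.key")" allowed-ips "$peer_ip/32"
  # Persist the peer now; SaveConfig only writes on wg-quick down.
  wg-quick save wire0
  # (the original printed "$client_$UCLIENT.conf", where $client_ is unset)
  echo "Copy config to client and run: wg-quick up client_$uclient"; echo
}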
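# Dispatch on the single flag and propagate the helper's exit status, so a
# refused or failed run is visible to the caller (the original always exited 0).
case "${1:-}" in
  -s) _server_conf ;;
  -c) _client_conf ;;
  *)
    echo "Error no Input Usage: $0 <-s or -c>" >&2
    exit 1
    ;;
esac
exit $?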
Copy the config to the client host with scp (it contains the client's private key, so use an authenticated channel such as scp/ssh, not e-mail) and remove the copy left on the server afterwards:
# The file holds the client's private key: scp over ssh is fine, e-mail is not.
# Keep it 0600 on the client and delete the server-side copy once transferred.
scp /etc/wireguard/client_02.conf root@otherclienthost:/etc/wireguard/