├── README.md
├── client.conf
├── raspi.conf
└── vps.conf

/README.md:
--------------------------------------------------------------------------------
# Config to bypass CGNAT using a VPS

These configs can be used to create a VPN to your local network via a middle hop hosted on a VPS (or other server solution).
I am using a Raspberry Pi 2 (running Raspbian) on my local network as an ingress point. The VPS is running Ubuntu.

In this config the VPS sits in the middle and both the home network (Raspberry Pi) and the client (phone or laptop) connect to the VPS in public IP space. This avoids the restrictions that carrier-grade NAT places on my ability to tunnel back into my home network from an IPv4-only connection.

IPv6 is working great at home, and if I have IPv6 connectivity it is preferred, as I can connect straight home rather than through an intermediate hop.

To-Do: I now have this setup able to tunnel IPv6 over the IPv4 connection; I need to update the config files here to reflect this enhancement.

Original Reddit post with more details here: https://www.reddit.com/r/WireGuard/comments/duif1e/my_config_for_bypassing_cgnat_with_vps/
--------------------------------------------------------------------------------
/client.conf:
--------------------------------------------------------------------------------
[Interface]
PrivateKey =
Address = 192.168.10.20/32
DNS = 192.168.1.200

[Peer]
# Name VPS
PublicKey =
# Full tunnel: all traffic goes to the VPS; 192.168.1.0/24 is already covered by 0.0.0.0/0
AllowedIPs = 0.0.0.0/0, 192.168.1.0/24, ::/0
Endpoint = :51820
--------------------------------------------------------------------------------
/raspi.conf:
--------------------------------------------------------------------------------
[Interface]
Address = 192.168.10.2/32
PrivateKey =
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
# Forward tunnel traffic and NAT it onto the home LAN (eth0) so LAN hosts reply to the Pi
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward
PostDown = echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp

[Peer]
# Name VPS
PublicKey =
AllowedIPs = 192.168.10.1/24
Endpoint = :51820
# The Pi sits behind CGNAT and dials out, so it keeps the NAT mapping alive
PersistentKeepalive = 21
--------------------------------------------------------------------------------
/vps.conf:
--------------------------------------------------------------------------------
[Interface]
ListenPort = 51820
Address = 192.168.10.1/24
PrivateKey =
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
PostUp = ip rule add not from 192.168.10.0/24 table main # This is needed to allow SSH access after enabling connection
PostUp = iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow new flows between peers on the same interface (client <-> Pi)
PostUp = iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
PostDown = ip rule del not from 192.168.10.0/24 table main
PostDown = iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward
PostDown = echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp

[Peer]
# Name RasPi
PublicKey =
# Catch-all: anything not claimed by another peer (including the client's Internet traffic) is sent down the tunnel to the Pi
AllowedIPs = 192.168.10.2/32, 0.0.0.0/0

[Peer]
# Name Client
PublicKey =
AllowedIPs = 192.168.10.20/32
--------------------------------------------------------------------------------
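The three files above are wired together purely by their `AllowedIPs` lines: on the VPS, the `0.0.0.0/0` entry on the RasPi peer is what makes the Pi the next hop for the client's traffic, and the same table decides on ingress whether a decrypted packet's source address is accepted from the peer that sent it. The following is an added example, not code from this repository: a small Python linter that parses the `[Interface]`/`[Peer]` format used here, resolves WireGuard's cryptokey routing (longest `AllowedIPs` prefix wins), and flags the usual pitfalls (empty keys, an `Endpoint` with no host, a peer that dials out without `PersistentKeepalive`, and catch-all prefixes that make wg-quick install a default route plus fwmark policy rules, which is why `vps.conf` needs its `ip rule` line). The sample input is `vps.conf` and `client.conf` as given on the page, minus the `PostUp`/`PostDown` lines, which the linter does not interpret.

```python
"""Added example (not part of the repository): a linter for wg-quick config files.
Parses the [Interface]/[Peer] format of client.conf, raspi.conf and vps.conf, resolves
cryptokey routing (longest AllowedIPs prefix wins) and flags common mistakes."""
import ipaddress

def parse_wg_conf(text):
    """Return (interface, peers). Values are lists because wg-quick allows repeated keys
    (several PostUp or AllowedIPs lines); keys are lower-cased, as wg(8) compares them
    case-insensitively; '#' starts a comment anywhere on a line."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, _, value = line.partition("=")
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return interface, peers

def allowed_ips(peer):
    """AllowedIPs as ip_network objects; strict=False masks host bits the way wg(8) does,
    so raspi.conf's '192.168.10.1/24' is treated as 192.168.10.0/24."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for value in peer.get("allowedips", []) for s in value.split(",") if s.strip()]

def route_for(peers, address):
    """Index of the peer whose AllowedIPs holds the longest prefix containing `address`,
    or None. WireGuard consults this table on egress (destination -> peer) and on
    ingress (a decrypted packet's source must map back to its sender, else it is dropped)."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for idx, peer in enumerate(peers):
        for net in allowed_ips(peer):
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best, best_len = idx, net.prefixlen
    return best

def lint(name, text):
    """Human-readable findings for one config file."""
    interface, peers = parse_wg_conf(text)
    out, owner = [], {}
    if not interface.get("privatekey", [""])[0]:
        out.append(f"{name}: PrivateKey is empty")
    for idx, peer in enumerate(peers):
        if not peer.get("publickey", [""])[0]:
            out.append(f"{name}: peer {idx}: PublicKey is empty")
        for net in allowed_ips(peer):
            if owner.get(net, idx) != idx:
                out.append(f"{name}: {net} is listed for peers {owner[net]} and {idx}; "
                           "wg moves it to whichever peer is loaded last")
            owner[net] = idx
            if net.prefixlen == 0:
                out.append(f"{name}: peer {idx}: catch-all {net}; wg-quick installs a default "
                           "route plus fwmark policy rules, so the host's own traffic needs an "
                           "exception (the 'ip rule add not from ...' line in vps.conf)")
        for ep in peer.get("endpoint", []):
            if not ep.rpartition(":")[0]:
                out.append(f"{name}: peer {idx}: Endpoint '{ep}' has no host")
        if "endpoint" in peer and "persistentkeepalive" not in peer:
            out.append(f"{name}: peer {idx}: dials out without PersistentKeepalive; behind "
                       "NAT/CGNAT the mapping can expire and inbound packets stop arriving")
    return out

# Sample input: vps.conf and client.conf as they appear on the page, minus the
# PostUp/PostDown lines (the linter does not interpret them). Keys are empty there too.
VPS_CONF = """[Interface]
ListenPort = 51820
Address = 192.168.10.1/24
PrivateKey =
[Peer]
# Name RasPi
PublicKey =
AllowedIPs = 192.168.10.2/32, 0.0.0.0/0
[Peer]
# Name Client
PublicKey =
AllowedIPs = 192.168.10.20/32
"""
CLIENT_CONF = """[Interface]
PrivateKey =
Address = 192.168.10.20/32
[Peer]
# Name VPS
PublicKey =
AllowedIPs = 0.0.0.0/0, 192.168.1.0/24, ::/0
Endpoint = :51820
"""

if __name__ == "__main__":
    for name, conf in (("vps.conf", VPS_CONF), ("client.conf", CLIENT_CONF)):
        print("\n".join(lint(name, conf)))
    _, vps_peers = parse_wg_conf(VPS_CONF)
    for dst in ("192.168.1.50", "192.168.10.20", "8.8.8.8", "2001:db8::1"):
        print(f"VPS sends {dst} to peer {route_for(vps_peers, dst)}")
```

Running it against the page's `vps.conf` shows the intended path: a home-LAN address such as 192.168.1.50 and an Internet address both resolve to peer 0 (the Pi), while 192.168.10.20 resolves to peer 1 (the client) because the more specific /32 beats `0.0.0.0/0`. An IPv6 destination resolves to no peer at all, which matches the README's note that the published configs do not yet reflect the IPv6-over-IPv4 setup: `client.conf` claims `::/0`, but nothing in `vps.conf` owns any IPv6 prefix.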