VPN gateway setup for WG and tun0, e.g. for Ubuntu Desktop (with a VPN app client)
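#!/bin/bash
### CONFIG ###
# VPN gateway setup for a WireGuard interface plus an OpenConnect/tun0 interface.
# Built for Ubuntu Desktop and tested on Ubuntu 24.04.
#
# LAN_IF  - your LAN card; change it to match your own system (ens18 here).
# WG_IF   - the WireGuard interface name.
# OC_IF   - the OpenConnect tunnel interface name.
# WEB_IP  - the LAN IP of the client that uses this server as its gateway.
# PORTS   - TCP ports forwarded by the VPN provider (TorGuard); they are DNAT'd
#           straight on to WEB_IP.
#
# The script acts as a gateway: forwarded ports arrive over the VPN and are passed
# directly on to the client. It includes a kill switch: the FORWARD policy is DROP
# and LAN->LAN forwarding is never accepted, so if the VPN dies the client loses
# its gateway and has no internet (no ISP escape).
#
# Caveats:
#   * Only IPv4 is handled (iptables + net.ipv4.ip_forward). IPv6 forwarding is not
#     enabled by this script and ip6tables is not touched, so if IPv6 forwarding is
#     enabled elsewhere on this host the kill switch does not cover it.
#   * Step 2 flushes ALL existing iptables rules, including anything added by
#     ufw/firewalld or other tools.
#   * Must run as root. Rules are only persisted if you answer "y" at the prompt.
set -euo pipefail

LAN_IF="ens18"
WG_IF="torguard-wg"
OC_IF="tun0"
WEB_IP="192.168.0.186"
PORTS=(38271 38272)

# ANSI Color Codes
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# sysctl, iptables and apt below all need root; fail early instead of halfway
# through a partially rebuilt ruleset.
if (( EUID != 0 )); then
  printf 'This script must be run as root.\n' >&2
  exit 1
fi

echo "=== VPN Gateway full rebuild starting ==="

# 1. Default policies FIRST. Chain policies survive a flush, so setting FORWARD
#    to DROP before flushing means there is never a window in which the old rules
#    are gone, forwarding is on, and the chain still accepts (no kill-switch gap
#    while rebuilding).
echo "[1/6] Setting default policies"
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# 2. Flush ALL iptables (clean slate)
echo "[2/6] Flushing existing iptables rules"
iptables -F
iptables -t nat -F
iptables -X

# 3. Enable IP forwarding (Runtime + Persistent). Safe now that FORWARD is DROP.
echo "[3/6] Enabling IP forwarding"
# Update the config file for persistence: uncomment the setting if it is
# commented out, otherwise append it if it is missing entirely.
if grep -q "^#net.ipv4.ip_forward=1" /etc/sysctl.conf; then
  sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
elif ! grep -q "^net.ipv4.ip_forward=1" /etc/sysctl.conf; then
  echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
fi
# Apply immediately to the kernel
sysctl -w net.ipv4.ip_forward=1

# 4. Allow forwarding ONLY into VPN interfaces
echo "[4/6] Adding forwarding + kill-switch rules"
# Outbound to VPNs
iptables -A FORWARD -i "$LAN_IF" -o "$WG_IF" -j ACCEPT
iptables -A FORWARD -i "$LAN_IF" -o "$OC_IF" -j ACCEPT
# Return traffic
iptables -A FORWARD -i "$WG_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "$OC_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Explicit kill switch (no ISP escape). Redundant with the DROP policy, but it
# keeps the intent visible in `iptables -L` and stays in force even if the
# policy is later changed by hand.
iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -j DROP

# 5. NAT (SNAT) for outbound VPN traffic
echo "[5/6] Adding NAT masquerade rules"
iptables -t nat -A POSTROUTING -o "$WG_IF" -j MASQUERADE
iptables -t nat -A POSTROUTING -o "$OC_IF" -j MASQUERADE

# 6. DNAT port forwarding to web server
echo "[6/6] Adding port forwarding rules"
for PORT in "${PORTS[@]}"; do
  # WireGuard
  iptables -t nat -A PREROUTING -i "$WG_IF" -p tcp --dport "$PORT" \
    -j DNAT --to-destination "$WEB_IP:$PORT"
  # OpenConnect / tun0
  iptables -t nat -A PREROUTING -i "$OC_IF" -p tcp --dport "$PORT" \
    -j DNAT --to-destination "$WEB_IP:$PORT"
  # Allow the DNAT'd traffic through, but only when it arrives on one of the
  # VPN interfaces, matching the PREROUTING rules above. Without the -i match the
  # rule would accept this destination/port from any other interface on the host.
  iptables -A FORWARD -i "$WG_IF" -p tcp -d "$WEB_IP" --dport "$PORT" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$OC_IF" -p tcp -d "$WEB_IP" --dport "$PORT" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done

echo "=== Active rules ==="
# -n: print addresses and ports numerically so the listing does not stall on
# reverse DNS lookups (which would also go out via whichever route is up).
iptables -L -v -n
iptables -t nat -L -v -n

# Persistence
read -r -p "Save rules persistently? (y/N): " SAVE
if [[ "$SAVE" =~ ^[Yy]$ ]]; then
  apt update
  apt install -y iptables-persistent
  netfilter-persistent save
  echo "Rules saved persistently."
else
  echo "Rules NOT saved. They will be lost on reboot."
fi

echo "=== VPN Gateway rebuild complete ==="

# Reboot Prompt (%b interprets the ANSI escape sequences, like echo -e did)
printf '%b\n' "${YELLOW}Do you want to reboot the server? (y/N)${NC}"
read -r REBOOT
if [[ "$REBOOT" =~ ^[Yy]$ ]]; then
  echo "Rebooting now..."
  # Already root (checked above), so no sudo needed.
  reboot
else
  echo "Reboot skipped. Please remember that some system changes may require a restart to fully verify."
fi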