wg-easy port forward
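# Docker Compose stack for wg-easy (WireGuard plus its web admin UI) on a
# dedicated bridge network with a fixed container address.
# NOTE(review): the listing lost its indentation on this page; the nesting
# below is reconstructed to the conventional Compose layout.

volumes:
  etc_wireguard: {}

networks:
  net_wireguard:
    driver: bridge
    ipam:
      config:
        # Fixed subnet so the static container address at the bottom stays
        # valid; choose a range that does not overlap other Docker or LAN
        # networks on the host.
        - subnet: 172.18.0.0/16
          gateway: 172.18.0.1

services:
  wg-easy:
    environment:
      # Change Language:
      # (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi)
      LANG: en
      # ⚠ Required:
      # Change this to your host's public address
      WG_HOST: host_ip_or_domain
      # Placeholder. This must be a bcrypt hash of the admin password, never
      # the plain password. Compose interpolates `$`, so write every `$` of
      # the hash as `$$`. Keep the real hash out of version control.
      PASSWORD_HASH: pw
      # Optional:
      # PORT: 51821
      # WG_PORT: 51820
      # NOTE(review): 92820 is above 65535; use a valid port if you enable this.
      # WG_CONFIG_PORT: 92820
      # WG_DEFAULT_ADDRESS: 10.8.0.x
      WG_DEFAULT_DNS: internal_dns_server_ip
      # WG_PRE_UP: echo "Pre Up" > /etc/wireguard/pre-up.txt
      #
      # Optional per-client restrictions. They are kept as YAML comments
      # OUTSIDE the block scalar on purpose: inside a `>` scalar a leading
      # `#` is part of the value, the folded result is a single line, and
      # wg-quick discards everything after the first `#` on a PostUp line,
      # which would silently drop the live MASQUERADE rules too. To enable a
      # rule, add it without the `#` to the scalar below and add its `-D`
      # twin to WG_POST_DOWN.
      #   iptables -A FORWARD -i wg0 -m iprange --src-range 10.8.0.2-10.8.0.10 -j ACCEPT;
      #   iptables -A FORWARD -i wg0 -p tcp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      #   iptables -A FORWARD -i wg0 -p udp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      #   iptables -A FORWARD -i wg0 -d 10.8.0.0/24 -j DROP;
      #   iptables -A FORWARD -i wg0 -d vps_ip -j DROP;
      #
      # NOTE(review): setting WG_POST_UP replaces the image's built-in PostUp
      # rules, so forwarding then depends on the FORWARD chain's default
      # policy; confirm that policy is what you intend. The eth0 rule has no
      # source match and NATs everything leaving eth0; adding a match on the
      # VPN subnet (e.g. `-s 10.8.0.0/24`) would narrow it.
      WG_POST_UP: >
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
        iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE;
      # WG_PRE_DOWN: echo "Pre Down" > /etc/wireguard/pre-down.txt
      #
      # Teardown twins of the optional rules above (same reason for living
      # outside the scalar). Every rule added on up needs its `-D` here,
      # otherwise rules pile up each time the interface is restarted.
      #   iptables -D FORWARD -i wg0 -m iprange --src-range 10.8.0.2-10.8.0.10 -j ACCEPT;
      #   iptables -D FORWARD -i wg0 -p tcp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      #   iptables -D FORWARD -i wg0 -p udp -d internal_dns_server_ip --dport 53 -j ACCEPT;
      #   iptables -D FORWARD -i wg0 -d 10.8.0.0/24 -j DROP;
      #   iptables -D FORWARD -i wg0 -d vps_ip -j DROP;
      WG_POST_DOWN: >
        iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
        iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE;
      # WG_MTU: 1420
      # WG_ALLOWED_IPS: 0.0.0.0/0, 10.0.10.0/24, 192.168.1.0/24
      # WG_PERSISTENT_KEEPALIVE: 25
      # The four hook samples below duplicate keys used above. Uncommenting
      # one without removing its twin creates a duplicate key, and most
      # parsers silently keep only the last value.
      # WG_PRE_UP: echo "Pre Up" > /etc/wireguard/pre-up.txt
      # WG_POST_UP: echo "Post Up" > /etc/wireguard/post-up.txt
      # WG_PRE_DOWN: echo "Pre Down" > /etc/wireguard/pre-down.txt
      # WG_POST_DOWN: echo "Post Down" > /etc/wireguard/post-down.txt
      # UI_TRAFFIC_STATS: true
      # UI_CHART_TYPE: 1 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
    # No tag means `latest`. Pin a release tag or digest you have tested
    # (ghcr.io/wg-easy/wg-easy:<TAG>) so a pull cannot change behaviour or
    # the set of supported variables unexpectedly.
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    volumes:
      # Holds the WireGuard configuration, including private keys.
      - etc_wireguard:/etc/wireguard
    ports:
      - '51820:51820/udp'
      # Web admin UI, plain HTTP, published on every host interface.
      # Prefer a host-only binding such as '127.0.0.1:51821:51821/tcp'
      # behind a TLS reverse proxy, or restrict it with the host firewall.
      - '51821:51821/tcp'
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      # SYS_MODULE lets the container load kernel modules. Consider dropping
      # it when the host already has the wireguard module loaded (verify
      # against your kernel before removing).
      - SYS_MODULE
      # - NET_RAW # ⚠ Uncomment if using Podman
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      net_wireguard:
        # Static address inside the subnet declared under `networks` above.
        ipv4_address: 172.18.0.2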

Persist ip tables and ip route after reboot:
Persist IP tables:
Create IP route script:
cd /usr/local/sbin
sudo touch wireguard.sh
sudo chmod u+x wireguard.sh
sudo vim wireguard.sh

Copy and paste the script below into vim or nano:
Create systemctl service:
Copy paste below service file:
Run service and make sure it is running:
sudo systemctl daemon-reload
sudo systemctl enable wireguard
sudo systemctl start wireguard
sudo systemctl status wireguard

All done, now you can reboot without issue.