Calmcacil/wg-admin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

Fix firewall rules not loading on reboot

Browse Source 
- Enable and start nftables service during installation
- Create /etc/nftables.conf that includes /etc/nftables.d/wireguard.conf
- nftables service now loads firewall rules automatically on boot
- Update documentation to reflect proper configuration file paths
- Remove historical VALIDATION.md document
- Clean up documentation references to non-existent scripts
This commit is contained in:
Calmcacil
2026-01-12 16:12:06 +01:00
parent 6b97f0532f
commit 22688d96b5
6 changed files with 125 additions and 286 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
README.md
View File

@@ -1,7 +1,7 @@
# WireGuard VPN Setup for Debian 13
## Overview
Personal WireGuard VPN server with IPv4/IPv6 support, client management via `/etc/wireguard/peer.d/`, designed for 1 CPU / 1GB RAM VPS.
Personal WireGuard VPN server with IPv4/IPv6 support, client management via `wireguard.sh`, designed for 1 CPU / 1GB RAM VPS.
## Configuration
- **Server Domain**: velkhana.calmcacil.dev
@@ -9,63 +9,57 @@ Personal WireGuard VPN server with IPv4/IPv6 support, client management via `/et
- **VPN IPv4 Range**: 10.10.69.0/24
- **VPN IPv6 Range**: fd69:dead:beef:69::/64
- **DNS**: 8.8.8.8, 8.8.4.4 (Google)
- **Server-side peer configs**: /etc/wireguard/peer.d/*.conf (loaded dynamically)
- **Server-side peer configs**: /etc/wireguard/conf.d/client-*.conf (loaded dynamically)
- **Client-side configs**: /etc/wireguard/clients/*.conf (for distribution)
## Installation
### 1. Upload files to VPS
### 1. Upload script to VPS
```bash
scp install-wireguard.sh wg-client-manager calmcacil@velkhana.calmcacil.dev:~/
scp wireguard.sh calmcacil@velkhana.calmcacil.dev:~/
```
### 2. Run installation
```bash
chmod +x ~/install-wireguard.sh ~/wg-client-manager
sudo ~/install-wireguard.sh
```
### 3. Install client manager
```bash
sudo mv ~/wg-client-manager /usr/local/sbin/
sudo chmod +x /usr/local/sbin/wg-client-manager
chmod +x ~/wireguard.sh
sudo ~/wireguard.sh install
```
## Usage
### Dynamic client loading
WireGuard automatically loads clients from `/etc/wireguard/peer.d/`:
- Add/remove client configs in `/etc/wireguard/peer.d/*.conf`
- Run `sudo /usr/local/sbin/wg-load-clients` to reload
WireGuard automatically loads clients from `/etc/wireguard/conf.d/`:
- Add/remove client configs in `/etc/wireguard/conf.d/client-*.conf`
- Run `sudo ~/wireguard.sh load-clients` to reload
- Changes are applied immediately without restarting
### Add a new client
```bash
sudo /usr/local/sbin/wg-client-manager add myphone
sudo ~/wireguard.sh add myphone
```
This creates:
- Server config in `/etc/wireguard/peer.d/myphone.conf`
- Server config in `/etc/wireguard/conf.d/client-myphone.conf`
- Client config in `/etc/wireguard/clients/myphone.conf`
- QR code in `/etc/wireguard/clients/myphone.qr`
### List all clients
```bash
sudo /usr/local/sbin/wg-client-manager list
sudo ~/wireguard.sh list
```
### Show client config
```bash
sudo /usr/local/sbin/wg-client-manager show myphone
sudo ~/wireguard.sh show myphone
```
### Show QR code
```bash
sudo /usr/local/sbin/wg-client-manager qr myphone
sudo ~/wireguard.sh qr myphone
```
### Remove a client
```bash
sudo /usr/local/sbin/wg-client-manager remove myphone
sudo ~/wireguard.sh remove myphone
```
## Server Management
@@ -87,7 +81,7 @@ sudo systemctl restart wg-quick@wg0
### Reload clients (automatic on add/remove)
```bash
sudo /usr/local/sbin/wg-load-clients
sudo ~/wireguard.sh load-clients
```
### Firewall management
@@ -102,23 +96,24 @@ The setup configures nftables with:
View firewall rules:
```bash
sudo nft list ruleset
```
Reload firewall:
```bash
sudo nft -f /etc/nftables.conf
```
Enable/disable firewall:
```bash
sudo nftables-firewall disable
sudo nftables-firewall enable
```
**Note**: nftables rules are automatically loaded on boot by the nftables service from `/etc/nftables.conf`. No manual intervention required after reboot.
Allow additional ports if needed:
```bash
sudo nftables-firewall allow 80/tcp # HTTP
sudo nftables-firewall allow 443/tcp # HTTPS
sudo nft add rule inet wireguard input tcp dport 80 accept # HTTP
sudo nft add rule inet wireguard input tcp dport 443 accept # HTTPS
```
## Manual Client Configuration
To manually add a client, create a file in `/etc/wireguard/peer.d/`:
To manually add a client, create a file in `/etc/wireguard/conf.d/`:
```ini
[Peer]
@@ -129,7 +124,7 @@ AllowedIPs = 10.10.69.2/32, fd69:dead:beef:69::2/128
Then run:
```bash
sudo /usr/local/sbin/wg-load-clients
sudo ~/wireguard.sh load-clients
```
## Client Setup
@@ -169,16 +164,16 @@ sudo journalctl -u wg-quick@wg0 -f
### Check client directory
```bash
ls -la /etc/wireguard/peer.d/
ls -la /etc/wireguard/conf.d/
```
### Manual reload if needed
```bash
sudo /usr/local/sbin/wg-load-clients
sudo ~/wireguard.sh load-clients
```
## Notes
- `/etc/wireguard/peer.d/` - Server-side peer configs, loaded automatically by wg-load-clients
- `/etc/wireguard/conf.d/` - Server-side peer configs, loaded automatically by wireguard.sh
- `/etc/wireguard/clients/` - Client-side configs (import to WireGuard apps) and QR codes
- Clients are automatically reloaded when added/removed
- IPv4 and IPv6 NAT are configured (MASQUERADE)
@@ -188,4 +183,3 @@ sudo /usr/local/sbin/wg-load-clients
- Keepalive is set to 25 seconds for better stability
- Server private keys are stored in `/etc/wireguard/server_private.key`
- Server public key is displayed after installation
- Use `nftables-firewall` script for easy firewall management