wg-mail-tunnel/README.md

# WireGuard Mail Server VPN Setup

This repository configures WireGuard VPN tunnel between a mail server (client) and a AWS server (server), allowing the mail server to use the AWS server's public static IP.

## Features

* Secure WireGuard VPN tunnel
* Mail server can use public static IP
* Incoming emails and web portal access are forwarded to the client

### Explanation

This should work out-of-the-box with [mailcow.email](https://mailcow.email), [mailinabox.email](https://mailinabox.email), [mailu.io](https://mailu.io/latest), or [poste.io](https://poste.io/). Pretty much any of these self-hosted full featured Mail, Calendar, Contacts, and Web Mail solutions will work. DYOR: https://prefetch.eu/blog/2020/email-server/.

*   **Server Configuration (`wg0.conf`):**

    *   **PrivateKey**: The server's private key; keep this secure.

    *   **Address**: The VPN interface IP; `10.99.97.1/24` is the server's VPN IP.

    *   **ListenPort**: The port WireGuard listens on; default is `51820`.

    *   **PostUp/PostDown**: Commands executed when the interface is brought up or down:

        *   **Enable IP forwarding** to allow the server to route packets between interfaces.

        *   **Set up NAT (MASQUERADE)** so that VPN clients can access the internet.

        *   **Configure `iptables`** to forward SMTP (port `25`) and HTTP (port `80`) traffic to the client.

*   **Client Configuration (`wg0.conf`):**

    *   **PrivateKey**: The client's private key.

    *   **Address**: The client's VPN IP; `10.99.97.4/32`.

    *   **DNS**: Optional; sets a DNS server for the client.

    *   **PublicKey**: The server's public key.

    *   **Endpoint**: The server's public IP and listening port.

    *   **AllowedIPs**: `0.0.0.0/0` routes all traffic through the VPN.

    *   **PersistentKeepalive**: Prevents the VPN connection from timing out due to NAT devices.

### Additional Considerations

*   **Firewall Rules:**

    *   Ensure that your server's firewall allows UDP traffic on port `51820`.

    *   Adjust `iptables` rules if your external interface is not `eth0`.

*   **Mail Server Configuration:**

    *   The mail server should listen on `10.99.97.4/32`.

    *   Ensure that any firewall on the client allows incoming SMTP (port `25`) and HTTP (port `80`) traffic.

*   **Multiple Ports:**

    *   If additional ports need to be forwarded, add corresponding `iptables` rules in the `PostUp` section.

*   **Security:**

    *   Keep private keys secure and do not share them.

    *   Regularly update your systems to patch security vulnerabilities.


## License

This repository is licensed under the MIT License. See [LICENSE](LICENSE) for details.
Update README.md 2025-01-25 17:42:54 +00:00			`# WireGuard Mail Server VPN Setup`
Initial commit 2025-01-25 17:36:12 +00:00
Update README.md 2025-01-25 17:42:54 +00:00			`This repository configures WireGuard VPN tunnel between a mail server (client) and a AWS server (server), allowing the mail server to use the AWS server's public static IP.`

			`## Features`

			`* Secure WireGuard VPN tunnel`
			`* Mail server can use public static IP`
			`* Incoming emails and web portal access are forwarded to the client`

Update README.md 2025-01-25 17:49:12 +00:00			`### Explanation`

Update README.md 2025-01-26 07:39:44 +00:00			`This should work out-of-the-box with [mailcow.email](https://mailcow.email), [mailinabox.email](https://mailinabox.email), [mailu.io](https://mailu.io/latest), or [poste.io](https://poste.io/). Pretty much any of these self-hosted full featured Mail, Calendar, Contacts, and Web Mail solutions will work. DYOR: https://prefetch.eu/blog/2020/email-server/.`
Update README.md 2025-01-26 07:39:02 +00:00
Update README.md 2025-01-25 17:49:12 +00:00			* Server Configuration (`wg0.conf`):

			`* PrivateKey: The server's private key; keep this secure.`

Update README.md 2025-01-26 07:39:02 +00:00			* Address: The VPN interface IP; `10.99.97.1/24` is the server's VPN IP.
Update README.md 2025-01-25 17:49:12 +00:00
			* ListenPort: The port WireGuard listens on; default is `51820`.

			`* PostUp/PostDown: Commands executed when the interface is brought up or down:`

			`* Enable IP forwarding to allow the server to route packets between interfaces.`

			`* Set up NAT (MASQUERADE) so that VPN clients can access the internet.`

			* Configure `iptables` to forward SMTP (port `25`) and HTTP (port `80`) traffic to the client.

			* Client Configuration (`wg0.conf`):

			`* PrivateKey: The client's private key.`

Update README.md 2025-01-26 07:39:02 +00:00			* Address: The client's VPN IP; `10.99.97.4/32`.
Update README.md 2025-01-25 17:49:12 +00:00
			`* DNS: Optional; sets a DNS server for the client.`

			`* PublicKey: The server's public key.`

			`* Endpoint: The server's public IP and listening port.`

			* AllowedIPs: `0.0.0.0/0` routes all traffic through the VPN.

			`* PersistentKeepalive: Prevents the VPN connection from timing out due to NAT devices.`

			`### Additional Considerations`

			`* Firewall Rules:`

			* Ensure that your server's firewall allows UDP traffic on port `51820`.

			* Adjust `iptables` rules if your external interface is not `eth0`.

			`* Mail Server Configuration:`

Update README.md 2025-01-26 07:39:02 +00:00			* The mail server should listen on `10.99.97.4/32`.
Update README.md 2025-01-25 17:49:12 +00:00
			* Ensure that any firewall on the client allows incoming SMTP (port `25`) and HTTP (port `80`) traffic.

			`* Multiple Ports:`

			* If additional ports need to be forwarded, add corresponding `iptables` rules in the `PostUp` section.

			`* Security:`

			`* Keep private keys secure and do not share them.`

			`* Regularly update your systems to patch security vulnerabilities.`
Update README.md 2025-01-25 17:42:54 +00:00

			`## License`

			`This repository is licensed under the MIT License. See [LICENSE](LICENSE) for details.`