Update README.md
parent
0961b4e9a6
commit
6255196d54
@ -8,10 +8,64 @@ This repository configures WireGuard VPN tunnel between a mail server (client) a
* Mail server can use public static IP
* Incoming emails and web portal access are forwarded to the client
## Security Considerations
### Explanation
* **Server Configuration (`wg0.conf`):**
* **PrivateKey**: The server's private key; keep this secure.
* **Address**: The VPN interface IP; `10.0.0.1/24` is the server's VPN IP.
* **ListenPort**: The port WireGuard listens on; default is `51820`.
* **PostUp/PostDown**: Commands executed when the interface is brought up or down:
* **Enable IP forwarding** to allow the server to route packets between interfaces.
* **Set up NAT (MASQUERADE)** so that VPN clients can access the internet.
* **Configure `iptables`** to forward SMTP (port `25`) and HTTP (port `80`) traffic to the client.
* **Client Configuration (`wg0.conf`):**
* **PrivateKey**: The client's private key.
* **Address**: The client's VPN IP; `10.0.0.2/24`.
* **DNS**: Optional; sets a DNS server for the client.
* **PublicKey**: The server's public key.
* **Endpoint**: The server's public IP and listening port.
* **AllowedIPs**: `0.0.0.0/0` routes all traffic through the VPN.
* **PersistentKeepalive**: Prevents the VPN connection from timing out due to NAT devices.
### Additional Considerations
* **Firewall Rules:**
* Ensure that your server's firewall allows UDP traffic on port `51820`.
* Adjust `iptables` rules if your external interface is not `eth0`.
* **Mail Server Configuration:**
* The mail server should listen on `10.0.0.2`.
* Ensure that any firewall on the client allows incoming SMTP (port `25`) and HTTP (port `80`) traffic.
* **Multiple Ports:**
* If additional ports need to be forwarded, add corresponding `iptables` rules in the `PostUp` section.
* **Security:**
* Keep private keys secure and do not share them.
* Regularly update your systems to patch security vulnerabilities.
* Keep private keys secure and do not share them.
* Regularly update your systems to patch security vulnerabilities.
## License
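Review bot: the two bullets under **Security:** ("Keep private keys secure and do not share them." and "Regularly update your systems to patch security vulnerabilities.") are added twice in this hunk, once indented under the heading and once more at top level directly after; drop the second pair so the list does not end with a duplicate. The **Explanation** subsection under **Security Considerations** only describes what each `wg0.conf` key does, so it reads better as a "Configuration reference" section, with the security-relevant advice kept together under **Additional Considerations**. Two things a reader of this README will want spelled out there: because the server's `PostUp` adds the IP-forwarding, MASQUERADE and port-`25`/`80` DNAT rules, `PostDown` must remove exactly those rules, otherwise they survive an interface restart and keep forwarding to `10.0.0.2` with the tunnel down; and since the web portal is forwarded as plain HTTP on port `80`, the **Multiple Ports** bullet should say that a TLS portal needs a matching rule for `443` on both the server `iptables` rules and the client firewall.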