# WireGuard Mail Server VPN Setup

This repository configures a WireGuard VPN tunnel between a mail server (client) and an AWS server (server), allowing the mail server to use the AWS server's public static IP.

## Features

* Secure WireGuard VPN tunnel
* Mail server can use a public static IP
* Incoming email and web portal traffic is forwarded to the client

### Explanation

This should work out of the box with [mailcow.email](https://mailcow.email), [mailinabox.email](https://mailinabox.email), [mailu.io](https://mailu.io/latest), or [poste.io](https://poste.io/). Pretty much any of these self-hosted, full-featured Mail, Calendar, Contacts, and Web Mail solutions will work. DYOR: https://prefetch.eu/blog/2020/email-server/.

* **Server Configuration (`wg0.conf`):**
  * **PrivateKey**: The server's private key; keep this secure.
  * **Address**: The VPN interface IP; `10.99.97.1/24` is the server's VPN IP.
  * **ListenPort**: The port WireGuard listens on; the default is `51820`.
  * **PostUp/PostDown**: Commands executed when the interface is brought up or down:
    * **Enable IP forwarding** so the server can route packets between interfaces.
    * **Set up NAT (MASQUERADE)** so that VPN clients can reach the internet through the server's static IP.
    * **Configure `iptables`** to forward SMTP (port `25`) and HTTP (port `80`) traffic arriving on the static IP to the client.
* **Client Configuration (`wg0.conf`):**
  * **PrivateKey**: The client's private key.
  * **Address**: The client's VPN IP; `10.99.97.4/32`.
  * **DNS**: Optional; sets a DNS server for the client.
  * **PublicKey**: The server's public key.
  * **Endpoint**: The server's public IP and listening port.
  * **AllowedIPs**: `0.0.0.0/0` routes all of the client's traffic through the VPN.
  * **PersistentKeepalive**: Prevents the VPN connection from timing out behind NAT devices.

### Additional Considerations

* **Firewall Rules:**
  * Ensure that your server's firewall allows UDP traffic on port `51820`.
  * Adjust the `iptables` rules if your external interface is not `eth0`.
* **Mail Server Configuration:**
  * The mail server should listen on its VPN address, `10.99.97.4/32`.
  * Ensure that any firewall on the client allows incoming SMTP (port `25`) and HTTP (port `80`) traffic.
* **Multiple Ports:**
  * If additional ports need to be forwarded, add the corresponding `iptables` rules in the `PostUp` section.
* **Security:**
  * Keep private keys secure and do not share them.
  * Regularly update your systems to patch security vulnerabilities.

## License

This repository is licensed under the MIT License. See [LICENSE](LICENSE) for details.
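The `PostUp`/`PostDown` steps described under Server Configuration, written out as an added example script (not part of this repository): it builds the MASQUERADE, DNAT and FORWARD rules for the ports listed above and applies or removes them. It assumes the README's values (external interface `eth0`, client VPN IP `10.99.97.4`, ports `25` and `80`), which can be overridden through `WAN_IF`, `CLIENT_IP` and `PORTS`; the `FORWARD` rules are an addition that limits forwarded inbound connections to the DNAT'd ports only.

```shell
#!/bin/sh
# Added example: generates the iptables rule set for the WireGuard port forward.
# Assumed defaults come from the README; override via environment if they differ.
WAN_IF="${WAN_IF:-eth0}"
CLIENT_IP="${CLIENT_IP:-10.99.97.4}"
PORTS="${PORTS:-25 80}"

# rules ACTION: prints one iptables command per line; ACTION is -A (add) or -D (delete)
rules() {
  action="$1"
  # Outbound traffic from the client (e.g. outgoing SMTP) leaves with the server's static IP.
  echo "iptables -t nat $action POSTROUTING -o $WAN_IF -j MASQUERADE"
  # Let the tunnel reach the internet, and let replies to forwarded connections come back.
  echo "iptables $action FORWARD -i wg0 -o $WAN_IF -j ACCEPT"
  echo "iptables $action FORWARD -i $WAN_IF -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  for p in $PORTS; do
    # Redirect inbound connections on the static IP to the client over the tunnel.
    echo "iptables -t nat $action PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $CLIENT_IP:$p"
    # Only new connections to the forwarded ports are allowed toward the client.
    echo "iptables $action FORWARD -i $WAN_IF -o wg0 -p tcp -d $CLIENT_IP --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# rule_count: number of rules the current settings produce (3 fixed + 2 per port)
rule_count() { rules -A | wc -l | tr -d ' '; }

# apply up|down: enables forwarding and adds the rules, or deletes them again
apply() {
  case "$1" in
    up)   sysctl -w net.ipv4.ip_forward=1 >/dev/null; act=-A ;;
    down) act=-D ;;
    *)    echo "usage: $0 up|down" >&2; return 2 ;;
  esac
  rules "$act" | while IFS= read -r cmd; do echo "+ $cmd"; $cmd; done
}

case "${1:-}" in up|down) apply "$1" ;; esac
```

Install it as `/etc/wireguard/wg-portfwd.sh` on the server and reference it from `wg0.conf` with `PostUp = /etc/wireguard/wg-portfwd.sh up` and `PostDown = /etc/wireguard/wg-portfwd.sh down`; it needs root, and `rules -A` alone prints the rule set for review without applying anything.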