primemover/wg-mail-tunnel
primemover/wg-mail-tunnel
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
wg-mail-tunnel/README.md
first 44d8f5844d Update README.md
2025-01-26 07:39:44 +00:00

74 lines
2.6 KiB
Markdown
Raw Permalink Blame History

# WireGuard Mail Server VPN Setup
This repository configures WireGuard VPN tunnel between a mail server (client) and a AWS server (server), allowing the mail server to use the AWS server's public static IP.
## Features
* Secure WireGuard VPN tunnel
* Mail server can use public static IP
* Incoming emails and web portal access are forwarded to the client
### Explanation
This should work out-of-the-box with [mailcow.email](https://mailcow.email), [mailinabox.email](https://mailinabox.email), [mailu.io](https://mailu.io/latest), or [poste.io](https://poste.io/). Pretty much any of these self-hosted full featured Mail, Calendar, Contacts, and Web Mail solutions will work. DYOR: https://prefetch.eu/blog/2020/email-server/.
* **Server Configuration (`wg0.conf`):**
* **PrivateKey**: The server's private key; keep this secure.
* **Address**: The VPN interface IP; `10.99.97.1/24` is the server's VPN IP.
* **ListenPort**: The port WireGuard listens on; default is `51820`.
* **PostUp/PostDown**: Commands executed when the interface is brought up or down:
* **Enable IP forwarding** to allow the server to route packets between interfaces.
* **Set up NAT (MASQUERADE)** so that VPN clients can access the internet.
* **Configure `iptables`** to forward SMTP (port `25`) and HTTP (port `80`) traffic to the client.
* **Client Configuration (`wg0.conf`):**
* **PrivateKey**: The client's private key.
* **Address**: The client's VPN IP; `10.99.97.4/32`.
* **DNS**: Optional; sets a DNS server for the client.
* **PublicKey**: The server's public key.
* **Endpoint**: The server's public IP and listening port.
* **AllowedIPs**: `0.0.0.0/0` routes all traffic through the VPN.
* **PersistentKeepalive**: Prevents the VPN connection from timing out due to NAT devices.
### Additional Considerations
* **Firewall Rules:**
* Ensure that your server's firewall allows UDP traffic on port `51820`.
* Adjust `iptables` rules if your external interface is not `eth0`.
* **Mail Server Configuration:**
* The mail server should listen on `10.99.97.4/32`.
* Ensure that any firewall on the client allows incoming SMTP (port `25`) and HTTP (port `80`) traffic.
* **Multiple Ports:**
* If additional ports need to be forwarded, add corresponding `iptables` rules in the `PostUp` section.
* **Security:**
* Keep private keys secure and do not share them.
* Regularly update your systems to patch security vulnerabilities.
## License
This repository is licensed under the MIT License. See [LICENSE](LICENSE) for details.
Reference in a new issue View git blame Copy permalink