A simple and secure WireGuard VPN configuration for self-hosted home mail servers, allowing them to use a public static IP and forward incoming emails and web portal access back to a residential IP.

WireGuard Mail Server VPN Setup

This repository configures a WireGuard VPN tunnel between a mail server (client) and an AWS server (server), allowing the mail server to use the AWS server's public static IP.

Features

  • Secure WireGuard VPN tunnel
  • Mail server can use public static IP
  • Incoming emails and web portal access are forwarded to the client

Explanation

This should work out of the box with mailcow.email, mailinabox.email, mailu.io or poste.io. Pretty much any of these self-hosted, full-featured Mail, Calendar, Contacts and Web Mail solutions will work. DYOR: https://prefetch.eu/blog/2020/email-server/.

  • Server Configuration (wg0.conf):

    • PrivateKey: The server's private key; keep this secure.

    • Address: The VPN interface IP; 10.99.97.1/24 is the server's VPN IP.

    • ListenPort: The port WireGuard listens on; default is 51820.

    • PostUp/PostDown: Commands executed when the interface is brought up or down:

      • Enable IP forwarding to allow the server to route packets between interfaces.

      • Set up NAT (MASQUERADE) so that VPN clients can access the internet.

      • Configure iptables to forward SMTP (port 25) and HTTP (port 80) traffic to the client.

  • Client Configuration (wg0.conf):

    • PrivateKey: The client's private key.

    • Address: The client's VPN IP; 10.99.97.4/32.

    • DNS: Optional; sets a DNS server for the client.

    • PublicKey: The server's public key.

    • Endpoint: The server's public IP and listening port.

    • AllowedIPs: 0.0.0.0/0 routes all traffic through the VPN.

    • PersistentKeepalive: Prevents the VPN connection from timing out due to NAT devices.

Additional Considerations

  • Firewall Rules:

    • Ensure that your server's firewall allows UDP traffic on port 51820.

    • Adjust iptables rules if your external interface is not eth0.

  • Mail Server Configuration:

    • The mail server should listen on its VPN address, 10.99.97.4 (the /32 assigned in the client config).

    • Ensure that any firewall on the client allows incoming SMTP (port 25) and HTTP (port 80) traffic.

  • Multiple Ports:

    • If additional ports need to be forwarded, add corresponding iptables rules in the PostUp section.

  • Security:

    • Keep private keys secure and do not share them.

    • Regularly update your systems to patch security vulnerabilities.
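The script below builds the server-side PostUp/PostDown rules and a full server wg0.conf for the layout described above, parameterised for a different external interface and for extra forwarded ports; it is an added example, not the repository's own server/wg0.conf, and the key placeholders, the function names and the conntrack-based FORWARD rules are assumptions of this example.

```shell
#!/bin/sh
# Print the iptables rules the server's PostUp (action A) or PostDown
# (action D) should run: MASQUERADE for the client's outbound traffic plus
# DNAT of the listed TCP ports to the client's VPN IP. Rules are printed,
# not executed, so they can be reviewed before being pasted into wg0.conf.
wg_forward_rules() {
    action=$1; ext_if=$2; client_ip=$3; shift 3
    # Outbound: client traffic leaving the external interface uses the static IP.
    echo "iptables -t nat -$action POSTROUTING -o $ext_if -j MASQUERADE"
    for port in "$@"; do
        # Inbound: rewrite the destination to the client before routing ...
        echo "iptables -t nat -$action PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to-destination $client_ip:$port"
        # ... and let only those rewritten packets start new flows into wg0.
        echo "iptables -$action FORWARD -i $ext_if -o wg0 -p tcp -d $client_ip --dport $port -j ACCEPT"
    done
    # The client may open connections out; inbound is otherwise replies only,
    # so a FORWARD policy of DROP still exposes nothing but the listed ports.
    echo "iptables -$action FORWARD -i wg0 -o $ext_if -j ACCEPT"
    echo "iptables -$action FORWARD -i $ext_if -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Render a complete server wg0.conf; the key values are placeholders.
render_server_conf() {
    ext_if=$1; client_ip=$2; shift 2
    up=$(wg_forward_rules A "$ext_if" "$client_ip" "$@" | paste -s -d ';' -)
    down=$(wg_forward_rules D "$ext_if" "$client_ip" "$@" | paste -s -d ';' -)
    cat <<EOF
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.99.97.1/24
ListenPort = 51820
PostUp = sysctl -w net.ipv4.ip_forward=1; $up
PostDown = $down

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = $client_ip/32
EOF
}

# README defaults: eth0 and client 10.99.97.4, forwarding SMTP and HTTP.
# Use another interface name or more ports (e.g. 443 587 993) as needed.
render_server_conf eth0 10.99.97.4 25 80
```

Because the client routes 0.0.0.0/0 through the tunnel, replies to the DNATed connections return via wg0 and conntrack reverses the translation, so no extra SNAT toward the client is needed.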

License

This repository is licensed under the MIT License. See LICENSE for details.