From d0875af106b1d97effb422cb3763353589de6f43 Mon Sep 17 00:00:00 2001
From: Christoph Urlacher
Date: Fri, 11 Jul 2025 15:49:20 +0200
Subject: [PATCH] Config/Wireguard: Add vps wireguard configuration for reference
---
 config/wireguard/vps.conf | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 config/wireguard/vps.conf
diff --git a/config/wireguard/vps.conf b/config/wireguard/vps.conf
new file mode 100644
index 00000000..d8db23bb
--- /dev/null
+++ b/config/wireguard/vps.conf
@@ -0,0 +1,29 @@
+# This configuration is used on the VPS.
+# The clients (e.g. OPNsense from LAN or iPhone from anywhere) connect to this "server".
+[Interface]
+PrivateKey = [...]
+Address = 10.10.10.1/24
+ListenPort = 51820
+
+# FORWARD: We allow all packets from the wg0 interface
+# MASQUERADE: We rewrite packets from the wg0 interface
+# as if they were coming from the ens6 interface:
+# [From: 10.10.10.2, To: google.com] will become
+# [From: 212.227.233.241, To: google.com].
+# This is required since 10.10.10.2 is a local address.
+PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
+
+# OPNsense
+[Peer]
+PublicKey = bsvabi6V4XZx7ZS/53Tai0s1n0Tf/6KRvMn+9yNnymY=
+# AllowedIPs lists the IPs that this server routes to the client.
+# The first address is the address the client will have.
+# Since this is our gateway to our home network,
+# we want to route the home network subnet to it.
+AllowedIPs = 10.10.10.2/32,192.168.86.0/24
+
+# iPhone 15
+[Peer]
+PublicKey = qcJPgz/N3y+QMac5kfLKDgouIcWnLD+uPpe4JTEB4G0=
+AllowedIPs = 10.10.10.3/32
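Review bot: The FORWARD rule in PostUp accepts everything entering from wg0 but adds nothing for the reply direction (`-o wg0`), so what actually happens depends on the FORWARD chain's default policy: with DROP, replies coming back from ens6 never reach the tunnel; with ACCEPT, the rule is redundant and the VPS also forwards traffic it was never asked to. A stateful pair makes the intent explicit, e.g. `PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE`, with the matching `-D` commands in PostDown. Note that `-i wg0 -j ACCEPT` also lets every other peer (the iPhone) reach `192.168.86.0/24` through the OPNsense peer; that seems intended for a home gateway but deserves a sentence in the comment block, e.g. `# Any peer on wg0 can reach the home LAN via the OPNsense peer.` Nothing in this file enables `net.ipv4.ip_forward`; if it is not set elsewhere on the VPS, the FORWARD and MASQUERADE rules never see a packet, so a reference config should at least mention that prerequisite.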