注：これは作業メモの転載です。AS-ISですしrecklessかもしれません。

サーバーサイド

Edit UFW defaults

 $ cp /etc/default/ufw{,.orig}
 $ diff /etc/default/ufw{.orig,}
 19c19
 < DEFAULT_FORWARD_POLICY="DROP"
 ---
 > DEFAULT_FORWARD_POLICY="ACCEPT"

Add NAT rule to UFW

$ cp /etc/ufw/before.rules{,.orig}
$ diff /etc/ufw/before.rules{.orig,}
10a11,17
> # TunnelSats
> *nat
> :PREROUTING ACCEPT [0:0]
> -A PREROUTING -i <Interface with global address eg. eth0 enp1s0> -p tcp -m tcp --dport 9735 -j DNAT --to 10.9.0.2:9735
> -A POSTROUTING -s 10.9.0.0/24 -o <Interface with global address eg. eth0 enp1s0> -j MASQUERADE
> COMMIT
> 

Enable ipv4.ip_forward

$ cp /etc/sysctl.conf{,.orig}
$ diff /etc/sysctl.conf{.orig,}
28c28
< #net.ipv4.ip_forward=1
---
> net.ipv4.ip_forward=1

Add UFW rules

$ ufw allow 9735 comment 'LN'
Rule added
Rule added (v6)
$ ufw allow 51820 comment 'WireGuard'
Rule added
Rule added (v6)

Enable ufw

$ ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y <--- INPUT
Firewall is active and enabled on system startup
$ ufw reload

Apply sysctl

$ sysctl --system
...
* Applying /etc/sysctl.conf ...
net.ipv4.ip_forward = 1
 

Install WireGuard

$ apt update
...
All packages are up to date.

$ apt install --no-install-recommends -y wireguard
...

Generate server key

$ umask 077
$ wg genkey | tee server.priv | wg pubkey > server.pub
$ ls -l
total 8
-rw------- 1 root root 45 Mar  8 13:04 server.priv
-rw------- 1 root root 45 Mar  8 13:04 server.pub

Generate client key

$ wg genkey | tee client.priv | wg pubkey > client.pub
$ ls -l
total 16
-rw------- 1 root root 45 Mar  8 13:06 client.priv
-rw------- 1 root root 45 Mar  8 13:06 client.pub
-rw------- 1 root root 45 Mar  8 13:04 server.priv
-rw------- 1 root root 45 Mar  8 13:04 server.pub

Generate pre-shared key

$ wg genpsk > preshared.key

Create WireGuard configuration

$ cat tunnelsats.conf
[Interface]
Address = 10.9.0.1/32
SaveConfig = true
ListenPort = 51820
PrivateKey = <Content of server.priv>
[Peer]
PublicKey = <Content of client.pub>
PresharedKey = <Content of preshared.key>
AllowedIPs = 10.9.0.2/32
PersistentKeepalive = 25

Enable and start WireGuard interface

$ systemctl enable --now wg-quick@tunnelsats.service
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@tunnelsats.service → /lib/systemd/system/wg-quick@.service.

クライアントサイド

$ cat tunnelsatsv2.conf

[Interface]
PrivateKey = <Content of client.priv>
Address = 10.9.0.2/32
 
#VPNPort = 9735
#myPubKey = <Content of client.pub>
 
[Peer]
PublicKey = <Content of server.pub>
PresharedKey = <Content of preshared.key>
Endpoint = <Global IP on VPS>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Execute setupv2.sh

$ wget -O setupv2.sh https://github.com/tunnelsats/tunnelsats/raw/main/scripts/setupv2.sh
$ bash setupv2.sh