🔐 WireGuard Tutorial on using Wireguard to get a STATIC IP to bypass CGNAT

Tobisawa

Honorary Poster
Note:
  • This isn't free, and you may need to spend 250-500 per month or more, depending on the VPS provider of your choice.
Requirements:
  • VPS provider of your choice, should have a low ping, VPS with high ping will have bad results (anything above 100ms will have subpar performance)
  • Additional secondary IP for that VPS. Basically MAIN IP will be bound to your VPS, while the secondary IP won't be bound to any interface on your VPS
  • Knowledge on setting up Wireguard on that VPS
  • Mikrotik Router (I didn't try this on any router or system other than Mikrotik, but you can use this as a reference)
Steps:
  1. Download Wireguard on your VPS, and make sure the secondary IP isn't bound on any interface in your VPS
  2. Configure Wireguard, create a public and private key that you will use for this wireguard instance
    - Tutorials include doing wg genkey | tee vps_private.key | wg pubkey > vps_public.key to create your keys
  3. Create a Wireguard interface conf. at /etc/wireguard/<name>.conf
    - <name> can be any of your choice
  4. Example wireguard config:
    • This is my configuration on one of my servers, with redacted sensitive info for your reference
    • Do not use the main IP of your VPS for the <secondary_public_ip>, as on step 1, the secondary ip must not be bound on any interface
    • If your VPS has a firewall, make sure port 51820 is open.
    Code:
    [Interface]
    Address = 10.0.0.1/24
    PostUp = /sbin/sysctl net.ipv4.ip_forward=1
    PostUp = /sbin/sysctl net.ipv4.conf.all.proxy_arp=1
    PostUp = ip neigh add proxy <secondary_public_ip> dev eth0
    PreDown = /sbin/sysctl net.ipv4.ip_forward=0
    PreDown = /sbin/sysctl net.ipv4.conf.all.proxy_arp=0
    PreDown = ip neigh del proxy <secondary_public_ip> dev eth0
    ListenPort = 51820
    PrivateKey = <private_key_from_step_2_in_vps_private.key>
    
    [Peer]
    PublicKey = <this_is_generated_from_client>
    AllowedIPs = <your_secondary_public_ip>/32
  5. In Mikrotik, go to WireGuard -> WireGuard Tab -> (click +) icon
  6. Make a new WireGuard interface, name it as you wish, then press OK.
  7. Open this new WireGuard interface, grab the Public Key, then paste it on [peer] publickey= in config in step 4
  8. Go to WireGuard -> Peers Tab -> (click +) icon,
  9. Make a new peer, name it as you wish, select the interface on the wireguard interface you created in step 6,
  10. Set the public key of this peer to the generated key on step 2 at vps_public.key
  11. Set the endpoint to the VPS MAIN IP, not the SECONDARY IP
  12. Set the Port to the ListenPort on config at step 4
  13. Set the allowed address to 0.0.0.0/0 and ::/0
  14. Optional: Set a keep alive if you want.
  15. Press OK.
  16. Now go to IP -> Addresses -> (click +) icon, set Address to <secondary_public_ip> and network to <secondary_public_ip>, then set the interface on wireguard interface you created in step 6, then press ok.
  17. Now go to IP -> Routes -> (click +) icon. Set Dst. Address to 0.0.0.0/0 then gateway to wireguard interface name you created on step 6, then save it.
  18. Now go to IP -> Firewall -> NAT, set chain to srcnat, set the out interface on wireguard interface name you created on step 6, then go to action tab, set action to masquerade, then save.
    Doing step 18 allows you to access the internet through this wireguard interface if you want to tunnel specific traffic onto it.
  19. Now on the VPS. Start the wireguard server via sudo systemctl enable wg-quick@<conf_name> and sudo systemctl start wg-quick@<conf_name>, where <conf_name> is the name of the config on step 4 at /etc/wireguard. If your config name is wg0, then that should be sudo systemctl enable wg-quick@wg0
  20. If WG is connected, you would see something similar to this on your vps when doing sudo wg show
    [Screenshot: output of sudo wg show]
  21. Done, your home should be accessible on the secondary Static IP of the VPS!
Some Notes:
  1. Make sure you set up your firewalls properly as this exposes your whole home network to the internet.
  2. This also works for users that are on Dynamic IP.
  3. I prefer this method most of the time, unless your ISP gives you the ability to purchase a static IP from them
Example service I use currently with this setup:
  • [link hidden] (Personal File Hosting)
  • [link hidden] (My personal website that shows how good I am as a front end dev :ROFLMAO:)
 
Additional Note:
On Step 17, make sure the Distance is set to 1 or higher than your main internet distance.
Example: if your WAN port is on ether1 and your route there is on distance 0, then the wg route should be on distance 1, as you need the main internet to connect to the wireguard server in the first place.
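
Added example (not part of the original post): a small shell script that checks the VPS-side conditions the steps rely on, namely that the secondary IP is unbound (step 1), the proxy-ARP entry from PostUp exists, the server-side peer is limited to the /32, and the handshake is recent (step 20). The addresses, key placeholder, interface names and the 180-second threshold are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: checks for the VPS side of the setup. Each function takes
# captured command output as text, so it works on live output or on samples.

# Step 1: the secondary IP must not be bound to any interface.
# $1 = secondary IP, $2 = output of `ip -o -4 addr show`
secondary_ip_unbound() {
  ! printf '%s\n' "$2" |
    awk -v ip="$1" '{ split($4, a, "/"); if (a[1] == ip) f = 1 } END { exit !f }'
}

# PostUp should have added a proxy-ARP entry for the secondary IP.
# $1 = secondary IP, $2 = output of `ip neigh show proxy`
proxy_arp_present() {
  printf '%s\n' "$2" | awk -v ip="$1" '$1 == ip && /proxy/ { f = 1 } END { exit !f }'
}

# The server-side peer should be allowed exactly one address, the /32.
# $1 = secondary IP, $2 = output of `wg show <if> allowed-ips`
peer_limited_to_host() {
  printf '%s\n' "$2" |
    awk -v want="$1/32" 'NF != 2 || $2 != want { bad = 1 } END { exit bad + 0 }'
}

# Step 20: the latest handshake should be recent (180 s is an assumed threshold).
# $1 = current epoch seconds, $2 = output of `wg show <if> latest-handshakes`
handshake_fresh() {
  printf '%s\n' "$2" |
    awk -v now="$1" '$2 > 0 && now - $2 <= 180 { ok = 1 } END { exit !ok }'
}

# Constructed sample data (documentation addresses, placeholder key).
SECONDARY=203.0.113.10
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 198.51.100.5/24 brd 198.51.100.255 scope global eth0
5: wg0    inet 10.0.0.1/24 scope global wg0'
SAMPLE_NEIGH='203.0.113.10 dev eth0 proxy'
SAMPLE_ALLOWED='CONSTRUCTED_PEER_KEY= 203.0.113.10/32'
SAMPLE_HS='CONSTRUCTED_PEER_KEY= 1700000000'
SAMPLE_NOW=1700000060

report() { name=$1; shift; if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fi; }
report "secondary IP unbound" secondary_ip_unbound "$SECONDARY" "$SAMPLE_ADDR"
report "proxy ARP entry"      proxy_arp_present    "$SECONDARY" "$SAMPLE_NEIGH"
report "peer limited to /32"  peer_limited_to_host "$SECONDARY" "$SAMPLE_ALLOWED"
report "handshake fresh"      handshake_fresh      "$SAMPLE_NOW" "$SAMPLE_HS"
```

On a live VPS, pass the real output instead of the samples, for example `secondary_ip_unbound <secondary_public_ip> "$(ip -o -4 addr show)"` and `handshake_fresh "$(date +%s)" "$(sudo wg show wg0 latest-handshakes)"`.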
 
The only question left here: we all know WG is a VPN, so is its ping still good for gaming, master?
This has nothing to do with your gaming, since all you are doing is getting an "inbound" path to your router.
The only packets that will pass through your VPN are the packets that originate at the public IP on the VPS.


As you can see in the screenshot, my ISP in the speed test is still Converge, and my ping is still low.
[Screenshot: speed test result]


But at the same time, you can access one of my file hosting services at: [link hidden]

In this setup, your normal browsing, downloads, etc. are treated as a different connection; all of that goes through your ISP. The only thing that goes through the VPS is when you access your network via the public IP you configured.

But of course you can set a routing rule if you want to send traffic through the VPN, but that is up to you.
[Screenshot: WinBox configuration]


But as you can see in the config, I only send selected IPs through it so that my ping for online gaming etc. is not affected, since my only goal is to have a way to host from home.
 
Converse's CGNAT is really bad now, not like before. It is worse now, it has gotten even tighter.

Just asking, where did you buy your VPS? One that you have already tried and tested?
 
Server Galatic: they have a 100 Mbps shared plan for light usage, but the datacenter is in the PH, at Vitro PLDT in Makati, around 700 PHP + static IP. You are not allowed to abuse the shared port, so I only used it for an MC server and my personal music streaming service, and there were no issues.

OVH: they have Singapore servers, 400 Mbps + additional IP for 500 PHP. This is also shared, but all of my public services are hooked up here and my regular average usage is 25-100 Mbps, no issues.
 
How can I message you? I have a question and I am willing to pay. This is the setup I want: WireGuard with a VPS for home game servers; I have already bought a lot of mini PCs. My question is, since the host server can be accessed using the secondary IP of the VPS, can the game server also be accessed with that same secondary IP of the VPS? I have a Contabo VPS, so do I need an additional IP for that?
 
