Ubuntu 24.04 Server DIY Router Project with ipv6 and wireguard

This article is a reworked and updated version of the Ubuntu Router Project by atom-goldsmith

Thanks for your work and efforts, which inspired me to replace my AVM/TP-Link routers with a WAN router based on Ubuntu Server and to use the TP-Links just as access points.

Hardware: I used an ODROID H4+, which has 2x Intel I226-V NICs (2x 2.5 Gbit/s), 16 GB RAM and an Alder Lake N97 processor (see the notes on the I226 at the end of this article before using powertop --auto-tune to save energy costs).

I have updated the guide to:

  • Ubuntu 24.04.1 LTS
  • iptables and ip6tables, which replace firewalld (I did not get IPv6 working with it)
  • WireGuard VPN access with IPv6
  • radvd (necessary for IPv6 SLAAC on the LAN without DHCPv6)
  • ISC DHCP server (and not the one included in AdGuard Home)
  • Internet access via „Deutsche Glasfaser“, which is DS-Lite
  • usage of powertop and TLP

I’m posting this here in case someone finds it useful, and to take suggestions from the community on how to make this guide/router better. I hope that I’ve picked the most appropriate forum but if not, please feel free to move it or I’ll repost it in the correct place!

The following guide traces the steps for creating your own router out of an Ubuntu Server machine. To follow this guide and maintain a router like this obviously requires some experience with Linux, home networking, and docker-compose. Please don’t attempt this if you can’t understand the guide and/or don’t have the skills to maintain such a device!

We’ll go through the process of setting up AdGuardHome as a DNS server and getting an IPv6 delegated prefix so that every device on your network can get its own unique global address and bypass NAT.

We do NOT cover the process of adding a wireless interface - I assume that you will use your old wifi router as an access point, like me.

The process outline is fairly simple:

  1. The basics
  2. Install packages
  3. Packet forwarding / network setup
  4. Interfaces / radvd
  5. AdGuard Home DNS
  6. Firewall iptables / ip6tables
  7. Switch to the new router
  8. WireGuard setup

Warning: do not use the same LAN subnet as your current home network when setting this up! The example configuration below uses 192.168.178.0/24, which is also the factory default of AVM Fritz!Box routers, so pick another subnet for the build phase if that is what your current router hands out.

  1. The basics:
    1a. Obtain a PC with at least two Ethernet ports. A laptop with ethernet is also handy for troubleshooting and initial setup
    1b. Install Ubuntu Server 24.04.1 LTS.
    1c. Connect the WAN port of the machine to your current LAN.
    1d. Get the machine’s LAN IP and SSH in.

  2. Update the system and install packages:
    2a. Run ‘sudo apt update && sudo apt upgrade -y’.
    2b. Run ‘sudo apt remove ufw && sudo apt install -y docker.io docker-compose net-tools openvswitch-switch radvd isc-dhcp-server wireguard iptables-persistent’. ufw is removed so it cannot interfere with the iptables rules of section 6; radvd, isc-dhcp-server, wireguard and iptables-persistent are what sections 4, 6 and 8 configure. (Ubuntu's Docker engine package is docker.io, not docker; it gets replaced in 2d anyway.)
    2c. I also recommend installing webmin for easy administration and just "looking" (do not adjust network settings with webmin and be careful with iptables!)
    2d. I replaced Docker from the original Ubuntu Server 24.04.1 installation (which uses snap) with the plain Docker installation described on the Docker web pages: https://docs.docker.com/engine/install/ubuntu/
    With the snap version I got stuck with several containers (Portainer etc.).

  3. Allow packet forwarding and enable IPv6 features:

Edit /etc/sysctl.conf with ‘sudo nano /etc/sysctl.conf’ and add the following. The comments say what each setting protects against; the per-interface keys use enp1s0 (WAN) and enp2s0 (LAN), adjust them to your interface names.

Code:

# Enable IPv4 forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1

# Strict reverse-path filtering: drop packets whose source address is not routed
# back through the interface they arrived on (anti-spoofing). Fine for this
# two-interface router; relax to 2 (loose) only if you add asymmetric routes.
# The per-interface keys are re-applied by udev when the interface appears; the
# all/default lines cover interfaces created later (e.g. wg0).
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp1s0.rp_filter = 1  # WAN interface
net.ipv4.conf.enp2s0.rp_filter = 1  # LAN interface

# Do not accept ICMP redirects (nobody else gets to rewrite the router's routes)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log martian packets (packets with impossible source addresses). These go to the
# kernel log unrated; together with the LOG rule of section 6 this can get noisy.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# SYN cookies against SYN floods, with a larger SYN backlog
# (the original listed tcp_max_syn_backlog twice, 2048 and 4096; sysctl keeps the last one)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096

# Reuse TIME_WAIT sockets for outgoing connections and shorten the FIN timeout.
# (This is not "fast recycling": tcp_tw_recycle was removed from the kernel in 4.12.)
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30   # default is 60 seconds, adjust as needed
net.core.somaxconn = 1024

# System-wide upper bound on open file handles
fs.file-max = 100000

# Enable IPv6 forwarding
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1

# Disable privacy extensions: the router itself needs stable addresses
# (its LAN address is also the DNS server address handed out to clients)
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0

# Router Advertisements: a host with forwarding=1 ignores RAs unless accept_ra=2.
# Accept them on the WAN (upstream default route) but never on the LAN, where this
# box is the one sending RAs and a rogue RA from a LAN host would hijack its routing.
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.default.accept_ra = 2
net.ipv6.conf.enp1s0.accept_ra = 2  # WAN interface
net.ipv6.conf.enp2s0.accept_ra = 0  # LAN interface
net.ipv6.conf.all.accept_ra_pinfo = 1

# SLAAC on interfaces that accept RAs
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.default.autoconf = 1

# IPv6 security settings
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# IPv6 MTU (default values; adjust only if your uplink needs a smaller MTU)
net.ipv6.conf.all.mtu = 1500
net.ipv6.conf.default.mtu = 1500

# Do not create neighbour entries from unsolicited (gratuitous) ARP
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.default.arp_accept = 0

# Only answer ARP for addresses configured on the receiving interface, and
# always announce with the interface's own address
net.ipv4.conf.all.arp_ignore = 2
net.ipv4.conf.default.arp_ignore = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 2

# Larger UDP socket buffers for AdGuard Home
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608

Run ‘sudo sysctl -p’.
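After ‘sysctl -p’ it is worth confirming that the kernel really runs with these values: a key for an interface that does not exist yet is skipped with a warning, and a key listed twice (tcp_max_syn_backlog in the original) ends up with whichever value comes last. The following shell function is an added example and not part of the original post. It parses a sysctl.conf-style file, reports keys whose live value under /proc/sys differs, keys without a /proc/sys entry and duplicate keys, and returns 1 when anything drifted. The optional second argument points it at another directory tree instead of /proc/sys; that exists only so the check can be exercised without root.

```shell
#!/bin/sh
# check_sysctl EXPECTED [ROOT]
#   Compares every "key = value" line of EXPECTED (sysctl.conf syntax, comments and
#   inline "# ..." allowed) with the live kernel value under ROOT (default /proc/sys).
#   Prints DUPLICATE for keys listed more than once (the last value is the one
#   sysctl -p leaves in effect, so that is the one compared), MISSING for keys
#   without a /proc/sys entry and DRIFT for differing values. Returns 1 on any
#   MISSING or DRIFT. The ROOT argument is this example's addition for testing.
check_sysctl() {
    awk -F= -v root="${2:-/proc/sys}" '
        # pass 1: normalise the file, remember the last value per key, flag repeats
        {
            sub(/#.*/, "")
            if ($0 !~ /=/) next
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "") next
            if (key in want)
                print "DUPLICATE " key " (first " want[key] ", last " val " wins)"
            else
                order[++n] = key
            want[key] = val
        }
        # pass 2: compare with the kernel value (dots in the key become path components)
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                key = order[i]
                p = key; gsub(/\./, "/", p)
                path = root "/" p
                if ((getline have < path) <= 0) {
                    print "MISSING   " key " (no " path "; interface not present?)"
                    bad = 1
                    continue
                }
                close(path)
                gsub(/[ \t]/, "", have)
                if (have != want[key]) {
                    print "DRIFT     " key ": want " want[key] ", have " have
                    bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

# usage on the router (needs root for the per-interface entries):
#   check_sysctl /etc/sysctl.conf && echo "all settings in effect"
```

Run it as root after every edit of /etc/sysctl.conf. A DRIFT on net.ipv6.conf.enp1s0.accept_ra is expected once systemd-networkd manages the WAN link with IPv6AcceptRA= (next section): networkd runs its own RA client and turns the kernel's one off on that link, which is fine.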

  4. Define and configure interfaces:

4a. Use ifconfig (from net-tools) or netplan status --all to list the physical interfaces. The WAN port should be connected to your current LAN; leave the LAN port(s) unconnected for now, or connect one later to your notebook (e.g. via a USB Ethernet adapter).

4b. Edit your netplan file in /etc/netplan (mine is 50-cloud-init.yaml). A simple two-port example, using enp1s0 as WAN and enp2s0 as LAN, is below. As the header of the file says, it is generated by cloud-init, so also create /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg containing the line network: {config: disabled}, otherwise your changes may not persist across a reboot.

sudo nano /etc/netplan/50-cloud-init.yaml

Code:

# This file is generated from information provided by the datasource.  Changes
# to it will not persist across an instance reboot.  To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}

network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0:   # WAN
      dhcp4: true
      dhcp6: true
      addresses: []
      nameservers:   # the router resolves through its own AdGuard Home
        addresses:
          - 2a00:6020:4796:2f00::254   # insert an IPv6 address within the prefix delegated by your ISP
          - 192.168.178.254
    enp2s0:   # LAN
      addresses:
        - 192.168.178.254/24
        - 2a00:6020:4796:2f00::254/64   # insert an IPv6 address within the prefix delegated by your ISP
      dhcp4: false
      dhcp6: false
      ipv6-privacy: false
      nameservers:
        addresses:
          - 2a00:6020:4796:2f00::254
          - 192.168.178.254

The delegated prefix (a /56 is requested in 4c; 2a00:6020:4796:2f00::/64 is used for the LAN and 2f01::/64 later for WireGuard) is hard-coded in this file, in radvd.conf, in the AdGuard Home settings and in the WireGuard configs. If the ISP ever hands out a different prefix, every one of these places has to be updated by hand.

4c. To request an IPv6 delegated prefix from your ISP so that all of your devices get unique public addresses, create the folder /etc/systemd/network/10-netplan-enp1s0.network.d/ (replace enp1s0 with your WAN interface name), then create override.conf in that folder with the following content. The key is spelled IPv6AcceptRA; the original had Ipv6AcceptRA, which networkd does not recognise and ignores (journalctl -u systemd-networkd shows the "Unknown key name" warning). networkd files take comments only on their own lines.

sudo nano /etc/systemd/network/10-netplan-enp1s0.network.d/override.conf

Code:

[Match]
Name=enp1s0

[DHCPv6]
# ask the ISP for a /56, i.e. several /64 subnets
PrefixDelegationHint=::/56
UseDelegatedPrefix=true
# start DHCPv6 even if the ISP's RA does not set the M/O flags
WithoutRA=solicit
RapidCommit=true

[Network]
# learn the upstream default route from the ISP's RA
IPv6AcceptRA=true

4d. Create the folder /etc/systemd/network/10-netplan-enp2s0.network.d/ (replace enp2s0 with your LAN interface name), then create a file inside that folder called override.conf and enter the following to assign the first of your subnets to your LAN. The section is called [DHCPPrefixDelegation] since systemd 250; the original used the older name [DHCPv6PrefixDelegation].

sudo nano /etc/systemd/network/10-netplan-enp2s0.network.d/override.conf

Code:

[Match]
Name=enp2s0

[Network]
#IPv6DuplicateAddressDetection=1
# keep IPv6 link-local addressing on the LAN ("no" would disable it)
LinkLocalAddressing=ipv6
# take a subnet from the prefix delegated on the uplink and put it on this interface
DHCPPrefixDelegation=yes
# RAs on the LAN are sent by radvd (4e), not by networkd
#IPv6SendRA=yes
#IPv6AcceptRA=yes

[DHCPPrefixDelegation]
# must be unique per downstream interface; the default (auto) picks the first free one
#SubnetId=0
UplinkInterface=enp1s0
# only has an effect together with IPv6SendRA=yes
Announce=yes

Run ‘sudo netplan apply’, then check with ‘ip -6 addr show enp2s0’ that an address from the delegated prefix has appeared on the LAN interface and with ‘ip -6 route’ that a default route via enp1s0 exists.

4e) Edit /etc/radvd.conf (radvd refuses to start unless IPv6 forwarding is enabled, which section 3 did), then restart the service:

sudo nano /etc/radvd.conf

interface enp2s0 {
    AdvSendAdvert on;                     # send Router Advertisements on the LAN
    MaxRtrAdvInterval 30;                 # maximum interval between unsolicited RAs (seconds)
    MinRtrAdvInterval 7;                  # minimum interval (seconds)
    AdvManagedFlag off;                   # M flag off: no stateful DHCPv6 on the LAN, addresses come from SLAAC
    AdvOtherConfigFlag off;               # O flag off: DNS is handed out via RDNSS/DNSSL below, not via DHCPv6
    AdvReachableTime 3000;                # how long (ms) a neighbour counts as reachable after confirmation
    AdvRetransTimer 1000;                 # neighbour solicitation retransmit timer (ms)
    AdvDefaultLifetime 1800;              # > 0 makes this router the default gateway of every LAN host.
                                          # No route to the ISP's gateway is announced: the original's
                                          # "route fe80::.../128" entry is meaningless on the LAN, link-local
                                          # addresses of the WAN link are not reachable from there.

    prefix 2a00:6020:4796:2f00::/64 {     # first /64 of the delegated prefix, the one configured on enp2s0 in 4b
        AdvOnLink on;                     # prefix is on-link
        AdvAutonomous on;                 # hosts build their own addresses from it (SLAAC)
        AdvValidLifetime 7200;            # valid lifetime of the prefix (seconds)
        AdvPreferredLifetime 3600;        # preferred lifetime (seconds)
    };

    RDNSS 2a00:6020:4796:2f00::254        # recursive DNS server: AdGuard Home on the router
    {
        AdvRDNSSLifetime 1800;            # lifetime of the RDNSS entry (seconds)
    };

    DNSSL lan                             # DNS search list
    {
        AdvDNSSLLifetime 1800;            # lifetime of the DNSSL entry (seconds)
    };
};

sudo systemctl restart radvd

Hosts without RDNSS support fall back to the IPv4 DNS server handed out by DHCP (4f), which is the same AdGuard Home instance.

4f) DHCP server: edit /etc/dhcp/dhcpd.conf

sudo nano /etc/dhcp/dhcpd.conf

subnet 192.168.178.0 netmask 255.255.255.0 {
  range 192.168.178.10 192.168.178.250;
  option routers 192.168.178.254;
  option domain-name-servers 192.168.178.254;
  option domain-name "lan";
}

Then set INTERFACESv4="enp2s0" in /etc/default/isc-dhcp-server so the server only listens on the LAN, and run ‘sudo systemctl restart isc-dhcp-server’. Note that ISC declared ISC DHCP end-of-life in 2022 (Kea is its successor), so do not count on further security fixes for this package beyond what Ubuntu backports.
  5. AdGuard Home DNS server

5a. Create a folder for the AdGuard Home docker files
5b. Create a file called docker-compose.yaml and enter the following:

Code:

version: '3.9'   # ignored by Compose v2 (it warns that "version" is obsolete); harmless
services:
  adguardhome:
    container_name: adguardhome
    image: adguard/adguardhome
    restart: unless-stopped
    volumes:   # adjust the host paths to the folder from 5a
      - /home/martin/adguard/work:/opt/adguardhome/work
      - /home/martin/adguard/conf:/opt/adguardhome/conf
    network_mode: host   # shares the router's network stack, so AGH binds directly to the host's addresses

5c. Navigate to the same folder as the docker-compose file, then run ‘sudo docker-compose up -d’ (or ‘sudo docker compose up -d’ with the Compose plugin that the docker.com packages from 2d ship).

5d. Go to [LAN IP]:3000 to complete the initial setup of AGH. It doesn’t matter what you pick as the interfaces for now; we’ll change these in the config file.

5e. Run “sudo docker-compose down” and edit the file conf/AdGuardHome.yaml:

Code:

http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.178.254:3000   # admin UI only on the LAN address
  session_ttl: 720h
users:
  - name: xxx
    password: xxx   # bcrypt hash written by the setup wizard, not the clear-text password
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  # 0.0.0.0 and :: also bind the WAN addresses; only the iptables rules of section 6
  # (port 53 accepted on enp2s0 only) keep this from becoming an open resolver.
  # Listing 192.168.178.254, 2a00:6020:4796:2f00::254, 127.0.0.1 and ::1 here
  # instead does not depend on the firewall.
  bind_hosts:
    - 0.0.0.0
    - '::'
  port: 53
  anonymize_client_ip: false
  ratelimit: 0   # no per-client rate limit; acceptable for a LAN-only resolver
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 64
  ratelimit_whitelist: []
  refuse_any: true

5f. Stop and disable the default stub resolver by running ‘sudo systemctl stop systemd-resolved && sudo systemctl disable systemd-resolved’, otherwise AGH will fail to bind to 0.0.0.0:53 and [::]:53. Afterwards /etc/resolv.conf is still a symlink to resolved's stub file, so the router itself has no working DNS until you replace it: ‘sudo rm /etc/resolv.conf && echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf’ makes the router use its own AdGuard Home.

5g. In the same folder as the docker-compose file, run ‘sudo docker-compose up -d’ to bring the container back up, then run ‘sudo docker-compose logs adguardhome’ and check for errors before proceeding.

5h. Go to http://192.168.178.254:3000 (the admin address from the config above, port 3000, not 80) from a device on the LAN, or connect a laptop with ethernet to the LAN interface, and configure AdGuard Home. Note that filtering only happens once filter lists are enabled there; the plain upstream DNS server does not block anything.

  6. Firewall setup
    Here I made a complete change: I did not get firewalld up and running properly with IPv6, so I switched to iptables / ip6tables, which was a good choice for this project as it works very well and is thoroughly supported in this forum and everywhere on the internet.

The rule files below are loaded with ‘sudo iptables-restore < /etc/iptables/iptables.v4’ and ‘sudo ip6tables-restore < /etc/iptables/iptables.v6’. To have them loaded at boot, save them as /etc/iptables/rules.v4 and /etc/iptables/rules.v6, the files iptables-persistent (netfilter-persistent) reads. Two things to know before loading: iptables-restore flushes and replaces every table in the file, so if Docker manages iptables (its default) restart docker afterwards so it can re-create its DOCKER chains; and ports published by containers with -p are inserted into FORWARD by Docker itself, so they are not subject to the INPUT rules below. I would recommend using webmin to check whether the rules have been imported, or just run
sudo iptables -L -v -n
sudo ip6tables -L -v -n
(without -v the in/out interface of each rule, which is what this ruleset relies on, is not shown).

/etc/iptables/iptables.v4

As I am using several docker containers in my network I had to open several ports on the LAN side (enp2s0).
For the basics with AdGuard DNS and DHCP you only need UDP 546 on the WAN side (replies to the DHCPv6 client), and on the LAN side 22 (SSH), 53 (DNS), 67 (DHCPv4), 443 (DoH), 853 (DoT; DoQ uses UDP 853) and 3000 (the AdGuard Home UI as configured above), depending on your AdGuard setup. The other ports in the list below belong to my containers; drop the ones you do not use. The INPUT and FORWARD policies are DROP, so anything not listed is closed, and nothing is opened on the WAN side except the DHCPv6 client port and rate-limited ICMP.

Code:

# Generated by iptables-save v1.8.10 (nf_tables) on Sat Dec 28 14:02:17 2024
*mangle
:PREROUTING ACCEPT [8825393:10208059381]
:INPUT ACCEPT [4734757:6523422683]
:FORWARD ACCEPT [4090436:3684628042]
:OUTPUT ACCEPT [4873065:512007739]
:POSTROUTING ACCEPT [8980022:4202376004]
COMMIT
# Completed on Sat Dec 28 14:02:17 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Sat Dec 28 14:02:17 2024
*filter
:INPUT DROP [29126:8104102]
:FORWARD DROP [94:11887]
:OUTPUT ACCEPT [4873065:512007739]
-A INPUT -i enp1s0 -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 853 -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 853 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 7070 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 502 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 1883 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 8001 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 5022 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 8123 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 5021 -j ACCEPT
-A INPUT -i enp1s0 -p icmp -m icmp --icmp-type 0 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A INPUT -i enp1s0 -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A INPUT -i enp2s0 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp1s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 224.0.0.251/32 -i enp2s0 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -d 239.255.255.250/32 -i enp2s0 -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -i enp1s0 -p icmp -j DROP
-A INPUT -j LOG --log-prefix "IPv4-DROP: "
-A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Dec 28 14:02:17 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Sat Dec 28 14:02:17 2024
*nat
:PREROUTING ACCEPT [42385:5797527]
:INPUT ACCEPT [22521:2299462]
:OUTPUT ACCEPT [87295:6308481]
:POSTROUTING ACCEPT [40872:2511402]
-A POSTROUTING -o enp1s0 -j MASQUERADE
COMMIT
# Completed on Sat Dec 28 14:02:17 2024

/etc/iptables/iptables.v6

Code:

# Generated by ip6tables-save v1.8.10 (nf_tables) on Sat Dec 28 14:02:19 2024
*mangle
:PREROUTING ACCEPT [3346591:9391070983]
:INPUT ACCEPT [95833:23185238]
:FORWARD ACCEPT [3248754:9367662777]
:OUTPUT ACCEPT [111223:15560964]
:POSTROUTING ACCEPT [3367211:9384931081]
COMMIT
# Completed on Sat Dec 28 14:02:19 2024
# Generated by ip6tables-save v1.8.10 (nf_tables) on Sat Dec 28 14:02:19 2024
*filter
:INPUT DROP [2848:1038562]
:FORWARD DROP [1444:104504]
:OUTPUT ACCEPT [111177:15551358]
-A INPUT -i enp1s0 -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 853 -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 853 -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp2s0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i enp1s0 -p ipv6-icmp -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -i enp2s0 -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp1s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -i enp1s0 -p ipv6-icmp -j DROP
-A INPUT -j LOG --log-prefix "IPv6-DROP: "
-A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o enp1s0 -p udp -m udp --sport 546 -j ACCEPT
COMMIT
# Completed on Sat Dec 28 14:02:19 2024
# Generated by ip6tables-save v1.8.10 (nf_tables) on Sat Dec 28 14:02:19 2024
*nat
:PREROUTING ACCEPT [28469:5389747]
:INPUT ACCEPT [16755:1524441]
:OUTPUT ACCEPT [22191:2690110]
:POSTROUTING ACCEPT [32133:6383801]
COMMIT
# Completed on Sat Dec 28 14:02:19 2024
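Before loading a ruleset on a router you reach over SSH, it pays to review what it exposes on the WAN side and to have a way back if a typo locks you out. The shell snippet below is an added example and not part of the original post. audit_wan_input reads an iptables-save or ip6tables-save file like the two above and lists every INPUT rule that accepts fresh traffic reachable from the WAN: rules bound to the WAN interface, and rules with no -i at all, which match on every interface (rules that only accept RELATED,ESTABLISHED are skipped); any port not in an allow list is flagged. apply_with_rollback syntax-checks a file with iptables-restore --test, saves the live rules, loads the new ones and restores the backup automatically unless confirm_rules is run within a grace period. The WAN name enp1s0, the allow list (546 for the DHCPv6 client, 51820 for WireGuard) and the IPT_RESTORE/IPT_SAVE overrides are this example's own choices.

```shell
#!/bin/sh
# Added example: review and safely load the iptables rule files of this section.
# Assumptions (not from the original post): WAN interface enp1s0; restore/save tools
# can be overridden via IPT_RESTORE / IPT_SAVE (for ip6tables, or for testing).

# audit_wan_input RULES WAN [PORT ...]
#   Lists INPUT rules of an iptables-save dump that accept new traffic which can
#   arrive from the WAN: "-i WAN" rules and rules without any -i. Rules that only
#   accept RELATED,ESTABLISHED are skipped. Ports outside the allow list are
#   reported as OPEN and make the function return 1.
audit_wan_input() {
    rules=$1; wan=$2; shift 2
    awk -v wan="$wan" -v allowed="$*" '
        BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "-A" && $2 == "INPUT" && $(NF-1) == "-j" && $NF == "ACCEPT" {
            iface = ""; proto = "any"; port = ""; reply_only = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--ctstate" && $(i + 1) ~ /ESTABLISHED/) reply_only = 1
            }
            if (reply_only) next                        # replies to our own traffic
            if (iface != "" && iface != wan) next       # LAN- or VPN-only rule
            scope = (iface == "") ? "ANY-IFACE" : wan
            if (port == "") {
                print "INFO  " scope " " proto " (no port match): " $0
            } else if (port in ok) {
                print "OK    " scope " " proto "/" port
            } else {
                print "OPEN  " scope " " proto "/" port " not in allow list: " $0
                bad = 1
            }
        }
        END { exit bad }' "$rules"
}

# apply_with_rollback NEW BACKUP SECONDS
#   Syntax-checks NEW, saves the live ruleset to BACKUP, loads NEW and starts a
#   timer that restores BACKUP unless confirm_rules is called within SECONDS.
#   Run it over SSH, open a second session, and call confirm_rules from there:
#   if the new rules cut you off, the old ones come back by themselves.
apply_with_rollback() {
    new=$1; backup=$2; secs=$3
    restore=${IPT_RESTORE:-iptables-restore}
    save=${IPT_SAVE:-iptables-save}
    "$restore" --test "$new" || { echo "refusing to load $new: parse error"; return 2; }
    "$save" > "$backup" || return 2
    "$restore" "$new" || return 2
    ( sleep "$secs"; "$restore" "$backup" ) &
    ROLLBACK_PID=$!
    echo "loaded $new; run confirm_rules within ${secs}s or $backup is restored"
}

# confirm_rules: cancel the pending rollback once you have verified you are still in.
confirm_rules() {
    kill "$ROLLBACK_PID" 2>/dev/null && echo "rollback cancelled; persist the rules now"
}

# usage on the router:
#   audit_wan_input /etc/iptables/iptables.v4 enp1s0 546 51820 || echo "review the OPEN lines"
#   apply_with_rollback /etc/iptables/iptables.v4 /root/rules.v4.bak 60   # then confirm_rules
#   IPT_RESTORE=ip6tables-restore IPT_SAVE=ip6tables-save apply_with_rollback /etc/iptables/iptables.v6 /root/rules.v6.bak 60
```

Against the IPv6 file the audit also prints the ICMPv6 rules without -i as INFO; that is expected, Neighbour Discovery has to work on the WAN link. Once confirm_rules has run, the loaded rules still have to be written to rules.v4/rules.v6 to survive a reboot.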


  7. Switch to the new router
    7a. Shut down your old router, the new DIY router, and the modem.
    7b. Rewire your home network as needed.
    7c. Start the new router and wait until it is fully booted. Then start the modem and wait until it is connected.
    7d. Connect directly to your old wifi router (via ethernet or wifi) to switch it to access point mode.

Check connectivity with netplan status --all to see whether you got an address from your ISP (IPv4 usually comes up much faster than IPv6); be patient for the IPv6 address and the delegated prefix.

  8. WireGuard:

Setup can easily be done following this guide: https://bash-prompt.net/guides/wireguard-setup/ (key pairs come from ‘wg genkey | tee server.key | wg pubkey > server.pub’, the same again for the client, and the pre-shared key from ‘wg genpsk’). Two consequences of DS-Lite: the router has no public IPv4 address, so the phone must reach the endpoint over IPv6 (the router's global WAN address, or a DynDNS name that points to it), and inbound IPv4 port forwarding is simply not possible. Keep /etc/wireguard/wg0.conf mode 600; it contains the server's private key.

/etc/wireguard/wg0.conf

Code:

[Interface]
# Router interface wg0
Address = 10.0.0.254/24, 2a00:6020:4796:2f01::254/64   # VPN addresses of the router; the /64 is the second subnet of the delegated prefix
PrivateKey = [Private Key Server]
#PublicKey = [Public Key Server]
ListenPort = 51820

# Firewall hooks (wg-quick accepts several PostUp/PostDown lines). Rules are inserted with -I so they
# land in front of the final "-j LOG" rule of the base ruleset; appended with -A they would sit behind
# it and every accepted VPN packet would be logged as "IPv4-DROP"/"IPv6-DROP". Traffic from the WAN
# towards VPN clients is limited to replies, exactly as for the LAN. The IPv4 MASQUERADE is scoped to
# the VPN subnet (the base ruleset already masquerades the LAN) and there is no IPv6 NAT: the /64 above
# is part of the delegated prefix and is routed natively, and an unscoped ip6tables MASQUERADE on enp1s0
# would silently NAT the LAN's IPv6 traffic too.
PostUp = iptables -I INPUT -i enp1s0 -p udp --dport 51820 -m conntrack --ctstate NEW -m limit --limit 15/minute -j ACCEPT
PostUp = ip6tables -I INPUT -i enp1s0 -p udp --dport 51820 -m conntrack --ctstate NEW -m limit --limit 15/minute -j ACCEPT
PostUp = iptables -I INPUT -i wg0 -j ACCEPT
PostUp = ip6tables -I INPUT -i wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -o enp1s0 -j ACCEPT
PostUp = iptables -I FORWARD -i enp1s0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = ip6tables -I FORWARD -i wg0 -o enp1s0 -j ACCEPT
PostUp = ip6tables -I FORWARD -i enp1s0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -o enp2s0 -j ACCEPT
PostUp = iptables -I FORWARD -i enp2s0 -o wg0 -j ACCEPT
PostUp = iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE
PostDown = iptables -D INPUT -i enp1s0 -p udp --dport 51820 -m conntrack --ctstate NEW -m limit --limit 15/minute -j ACCEPT
PostDown = ip6tables -D INPUT -i enp1s0 -p udp --dport 51820 -m conntrack --ctstate NEW -m limit --limit 15/minute -j ACCEPT
PostDown = iptables -D INPUT -i wg0 -j ACCEPT
PostDown = ip6tables -D INPUT -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o enp1s0 -j ACCEPT
PostDown = iptables -D FORWARD -i enp1s0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = ip6tables -D FORWARD -i wg0 -o enp1s0 -j ACCEPT
PostDown = ip6tables -D FORWARD -i enp1s0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o enp2s0 -j ACCEPT
PostDown = iptables -D FORWARD -i enp2s0 -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE

[Peer]
# Mobile phone peer (the phone's private key never belongs in this file)
PublicKey = [Public Key Client]
PresharedKey = [Shared Key]
# One host route per address family. AllowedIPs is also the source-address filter for this peer:
# with 10.0.0.1/24 (which wg stores as 10.0.0.0/24) the phone could send from any address of the
# subnet, and a second peer with the same /24 would silently take the whole range over.
AllowedIPs = 10.0.0.1/32, 2a00:6020:4796:2f01::1/128

Smartphone configuration. The original turns it into a QR code with https://www.wireguardconfig.com/qrcode; since the file contains the phone's private key, better generate the code offline on the router with ‘sudo apt install qrencode’ and ‘qrencode -t ansiutf8 < phone.conf’ and scan it from the terminal.

[Interface]
PrivateKey = [Private Key Client]
# PublicKey = [Public Key Client]
Address = 10.0.0.1/24, 2a00:6020:4796:2f01::1/64    # VPN addresses of the phone
DNS = 192.168.178.254, 2a00:6020:4796:2f00::254     # AdGuard Home on the router

[Peer]
PublicKey = [Public Key Server]
PresharedKey = [Shared Key]
Endpoint = [xxxxxx]:51820        # global IPv6 address of the router's WAN in square brackets (or a DynDNS name, without brackets)
AllowedIPs = 0.0.0.0/0, ::/0     # route all of the phone's traffic through the tunnel
PersistentKeepalive = 25

Enable the wg0 interface:
sudo wg-quick up wg0
or, to have it started at every boot, use ‘sudo systemctl enable --now wg-quick@wg0’ instead.
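The AllowedIPs mistake discussed above is easy to make and invisible at first (with a single peer everything works), so here is a small lint for the router's wg0.conf. It is an added example, not part of the original post and not a WireGuard tool. It checks that every [Peer] lists host routes only (/32 and /128) and that no address is assigned to two peers; peers are numbered in file order, and a bare address without a prefix length counts as a host route, which is how wg itself treats it. It assumes the [Interface]/[Peer] layout shown above.

```shell
#!/bin/sh
# Added example: lint the router-side WireGuard config for cryptokey-routing mistakes.
# Assumption (not from the original post): the file uses the [Interface]/[Peer] layout above.

# lint_wg_peers CONF
#   For every [Peer], each AllowedIPs entry must be a host route (/32 or /128; a
#   bare address counts as one) and no address may be listed for two peers.
#   Prints one line per finding and returns 1 if there were any.
lint_wg_peers() {
    awk '
        BEGIN { bad = 0; peer = 0 }
        # section headers; count [Peer] blocks in file order
        /^[ \t]*\[/ {
            section = $0; gsub(/[ \t]/, "", section)
            if (section == "[Peer]") peer++
            next
        }
        section == "[Peer]" && /^[ \t]*AllowedIPs[ \t]*=/ {
            sub(/#.*/, ""); sub(/^[^=]*=/, "")          # keep only the value, drop comments
            n = split($0, list, ",")
            for (i = 1; i <= n; i++) {
                entry = list[i]; gsub(/[ \t]/, "", entry)
                if (entry == "") continue
                split(entry, ap, "/"); addr = ap[1]; plen = ap[2]
                v6 = index(addr, ":") > 0
                if (plen == "") plen = v6 ? 128 : 32   # wg defaults a bare address to a host route
                if ((v6 && plen != 128) || (!v6 && plen != 32)) {
                    print "peer " peer ": " entry " is a subnet, not a host route; use " addr (v6 ? "/128" : "/32")
                    bad = 1
                }
                if (addr in owner) {
                    print "peer " peer ": " addr " is already assigned to peer " owner[addr]
                    bad = 1
                } else {
                    owner[addr] = peer
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# usage on the router (the file is mode 600, so run with sudo):
#   lint_wg_peers /etc/wireguard/wg0.conf && wg-quick up wg0
```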

Additionally, if power saving of your router is a must:
Be careful when using powertop --auto-tune with the ODROID H4+ or any Intel I226-based system:

There is a bug in the current Intel driver (kernel 6.8.51, December 2024) which crashes the server!
I am using TLP instead and exclude the Intel I226-V cards from power management.

https://bugzilla.kernel.org/show_bug.cgi?id=218499

Extract of /etc/tlp.conf (igc is the kernel driver for the I225/I226 NICs):
AHCI_RUNTIME_PM_ON_AC=auto
RUNTIME_PM_DRIVER_DENYLIST="igc"
