Thank you for all the stars!
This project is a bash script that aims to setup a WireGuard VPN that is specified for PERSONAL gaming or torrenting use. It supports multiple WireGuard peers now!
-
09/29/2024 Major update.
- Added multi-peer support.
-
09/23/2024 Major update.
- Added support for OpenVZ, LXC by installing wireguard-go.
- Switched from legacy
iptables
tonftables
rules. - Added shellcheck GitHub Action.
Client connects to it will immediately achieve a Full Cone NAT, the optimal network type for gaming and torrenting. (How to check my NAT type in Win10 ? Use this tool NatTypeTester).
With this script, you do not need to enable port forwarding on your router, you do not need the DMZ setting. All the magic happens inside Wireguard. Simply speaking:
The local ports will be forwarded to the server directly.
It solves connection problems due to strict NAT in these scenarios:
-
You want to host a Minecraft/Terraria, etc. server online and play with your friend, but you cannot figure out how to enable port forwarding on your router, or your ISP just did not give you a public IP address.
-
You play a P2P game like Monster Hunter: World or Overcooked! but your NAT type prevents you from connecting with other players.
For a better gaming experience, the server should be close to your living region and has a low ping value. You should ping the provider's looking glass datacenter IP first before purchasing a VPS.
The script Port Forwards the client ports to the corresponding ports on the server side. Please make sure that there are no other applications (such as SSH) using these ports on the server, otherwise It will deafen any application that listens to these ports. I highly suggest running this script on an new empty system.
The script supports both IPv4 and IPv6.
You can customize the nftables rules by editing the add-fullcone-nat.sh
file BEFORE running the installer script.
The detailed explanations of these nftables
rules can be found in my blog post Understand routing and NAT with WireGuard VPN.
Supported distributions:
- Debian >= 11
- Ubuntu >= 20.04 (Preferred)
- AlmaLinux
- RockyLinux
- ArchLinux
- Fedora
Theoretically any OS that supports nftables
can run this script without too much trouble. It will support more Linux distributions in the future after I test them out one by one.
This script supports both KVM and OpenVZ, LXC machine virtualization types.
For OpenVZ, LXC typed machine, wireguard-go
will be installed instead of the kernel WireGuard implementation.
In this case, you need to enable TUN/TAP driver on your provider's managment panal first.
Because WireGuard is a kernel module, you MUST upgrade the kernel to latest first and reboot your server once.
# If you are using Ubuntu/Debian, etc
sudo apt update && sudo apt upgrade -y
# If you are using Fedora, AlmaLinux, etc
sudo dnf update -y
# Arch, etc.
sudo pacman -Syu
# Reboot once
sudo reboot
Download and execute the script. Script user needs to be able to use sudo
command.
Answer the questions asked by the script and it will take care of the rest. For most VPS providers, you can just enter through all the questions.
git clone https://github.com/xiahualiu/wg_gaming_installer.git
cd ./wg_gaming_installer
./install.sh
This script needs to run on a server with a public IP address to work.
Typically the server public IP should be populated automatically. However for some cloud providers like Google Cloud Platform and Oracle Cloud, the auto-populated public IP address is NOT correct, but instead a subnet IP address (usually starts with 10.*.*.*
).
In these cases you need to change the value to what your server's acutal public IP is.
You can read my blog post to know more about why this script needs to reserve the peer's forward ports on the server.
For most KVM instance with newer kernel, the net.ipv4.ip_local_reserved_ports
paramemter is available, and the script will automatically reserve the forwarded ports inside the system. However for some old system, such as 'OpenVZ' 'LXC' instances, this paramter may not be available. The installer script will print error information in this case.
If you see such kind of errors, please make sure that the forward ports are NOT in the Ephemeral Port Range of your system, ports in this range is used by the system for establishing outgoing connections.
You can check the ephemeral port range by:
sysctl net.ipv4.ip_local_port_range
Run the script again will give you these options!