Linux Blog by batjorge.com
How to Set Up a 'buyvm.com, KVM Slice 512 MB' as a wireguard VPN Router with IPv4 and IPv6

## Setup wireguard (Debian 9)

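# Add Debian unstable as an extra package source; this guide takes the
# wireguard package for Debian 9 from there.
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
# Pin unstable at priority 90 (below the default) so that it does not
# replace packages from the regular release during normal upgrades.
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard -y
# Generate the key pair under a restrictive umask: the private key is a
# long-term secret and must never be created group- or world-readable.
# The subshell keeps the umask change from leaking into the login shell.
cd /etc/wireguard && (
  umask 077
  wg genkey | tee wg-private.key | wg pubkey > wg-public.key
)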


Client-Peer 'news-feed1.batjorge.com': /etc/wireguard/wireguard.conf

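[Interface]
# Private key of this host (e.g. the content of wg-private.key).
# This file holds a secret: keep it owned by root with mode 600.
PrivateKey = .....
ListenPort = 12345
Address = 10.169.192.120/24, fd42:2788:e840:b5b7::120/64

[Peer]
# news-feed1.batjorge.com zbox
# NOTE(review): these AllowedIPs equal the Address of the [Interface]
# section above; a host normally does not list itself as a peer - confirm
# which machine this file is deployed on.
PublicKey = .....
#AllowedIPs = 0.0.0.0/0, ::/0
AllowedIPs = 10.169.192.120/32, fd42:2788:e840:b5b7::120/128

[Peer]
# news-es.batjorge.com
Endpoint = 192.168.0.158:12345
PublicKey = .....
#AllowedIPs = 0.0.0.0/0, ::/0
# Only this peer's own tunnel addresses are accepted from / routed to it.
AllowedIPs = 10.169.192.119/32, fd42:2788:e840:b5b7::119e/128

[Peer]
# nyc
#Endpoint = 198.98.52.145:12345
# An IPv6 endpoint must be written as [address]:port; without brackets the
# last ":119" is read as the port. Port 12345 is taken from the commented
# IPv4 endpoint above - confirm it matches the server's ListenPort.
Endpoint = [2605:6400:10:7a9::119]:12345
PublicKey = .....
# 0.0.0.0/0 and ::/0 send all IPv4 and IPv6 traffic through this peer; the
# narrower entries on the following line are already covered by them.
AllowedIPs = 0.0.0.0/0, ::/0
AllowedIPs = 10.169.192.1/32, fd42:2788:e840:b5b7::1/128
# Send a keepalive every 25 seconds so NAT/firewall state towards the
# server does not expire while the tunnel is idle.
PersistentKeepalive = 25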


## Debian 9 Server in NYC 'news-feed1.batjorge.com' (buyvm.com KVM 512 MB RAM) acting as wireguard VPN Router:

/etc/arno-iptables-firewall/firewall.conf

# External (internet-facing) interface; its IPv4 address comes from DHCP.
EXT_IF="eth0"
EXT_IF_DHCP_IP=1
# Internal side: the WireGuard interface and the VPN subnet behind it.
INT_IF="wireguard"
INTERNAL_NET="10.169.192.0/24"
# NAT the internal net towards the outside and enable IPv6 handling.
NAT=1
IPV6_SUPPORT=1
# Forward inbound TCP port 433 to the VPN host 10.169.192.120.
NAT_FORWARD_TCP="433>10.169.192.120"
# Ports on this router that hosts on the internal (VPN) side may reach.
LAN_OPEN_TCP="22,53,8080"
LAN_OPEN_UDP="53"
# Ports on this router reachable from the internet: SSH (22/tcp) and the
# WireGuard listen port (12345/udp).
# NOTE(review): SSH is open to every source address here; consider
# key-only authentication or limiting SSH to the VPN side (LAN_OPEN_TCP
# already allows 22 from the internal net).
OPEN_TCP="22"
OPEN_UDP="12345"


/etc/arno-iptables-firewall/custom-rules

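# IPv6: forward TCP port 119 on the public address to the internal host
# news.batjorge.com. The bracketed DNAT target is quoted so the shell can
# never treat [...] as a glob pattern and expand it against file names.
/sbin/ip6tables -vt nat -A PREROUTING -i eth0 -p tcp -d 2605:6400:0010:07a9:0000:0000:0000:0119 --dport 119 -j DNAT --to-destination '[fd42:2788:e840:b5b7::119e]:119'
# Accept the forwarded connection; the match is on the internal address
# because DNAT has already rewritten the destination at this point.
/sbin/ip6tables -vA EXT_FORWARD_IN_CHAIN -i eth0 -p tcp -d fd42:2788:e840:b5b7::119e --dport 119 -j ACCEPT

# IPv6: forward TCP port 433 on the public address to the internal host
# news-feed1.batjorge.com.
/sbin/ip6tables -vt nat -A PREROUTING -i eth0 -p tcp -d 2605:6400:0010:07a9:0000:0000:0000:0119 --dport 433 -j DNAT --to-destination '[fd42:2788:e840:b5b7::120]:433'
/sbin/ip6tables -vA EXT_FORWARD_IN_CHAIN -i eth0 -p tcp -d fd42:2788:e840:b5b7::120 --dport 433 -j ACCEPT

# NOTE(review): both forwards accept any IPv6 source address. If the set
# of remote news peers is known, add a source match (-s) to these rules so
# the internal servers are not exposed to the whole internet.

# IPv6 NAT to the world: traffic from the VPN /64 leaves eth0 with the
# router's public address as its source.
/sbin/ip6tables -t nat -A POSTROUTING -o eth0 -s fd42:2788:e840:b5b7::/64 -j SNAT --to-source 2605:6400:0010:07a9:0000:0000:0000:0119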


/etc/network/interfaces

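# eth0 gets its IPv4 configuration via DHCP; IPv6 is added statically by
# the "up" hooks below once the interface is up.
allow-hotplug eth0
iface eth0 inet dhcp
# Static public IPv6 address of the router. (The original line repeated
# "up ip addr add" twice, which makes the ip command fail.)
up ip addr add 2605:6400:0010:07a9:0000:0000:0000:0119/48 dev eth0
# IPv6 default route via the provider gateway.
up ip -6 route add default via 2605:6400:10::1 dev eth0
# Bring up the tunnel defined in /etc/wireguard/wireguard.conf.
up /usr/bin/wg-quick up wireguard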