@MorphyDK
Created December 18, 2025 11:44
VPN gateway setup for WireGuard (WG) and a tun0 client tunnel, e.g. an Ubuntu Desktop running a VPN client app
#!/bin/bash
# VPN gateway rebuild: LAN clients are only ever forwarded into the VPN tunnels.
# Must run as root. The gateway's own traffic (INPUT/OUTPUT) is left open so the
# WireGuard and OpenConnect tunnels themselves can reach the provider over the ISP link;
# the kill switch below covers forwarded traffic only, not the gateway host itself.
set -euo pipefail
[[ $EUID -eq 0 ]] || { echo "This script must run as root" >&2; exit 1; }

### CONFIG ###
LAN_IF="ens18"          # LAN-facing NIC (also carries the ISP uplink the tunnels use)
WG_IF="torguard-wg"     # WireGuard tunnel interface
OC_IF="tun0"            # OpenConnect (or other VPN client app) tunnel interface
WEB_IP="192.168.0.186"  # LAN host that receives the forwarded ports
PORTS="38271 38272"     # TCP ports forwarded from the VPN side to WEB_IP

echo "=== VPN Gateway full rebuild starting ==="

# 1. Enable IPv4 forwarding (runtime only; persisted at the end if requested).
#    IPv6 forwarding is left at its default (off) and ip6tables is not touched.
echo "[1/6] Enabling IP forwarding"
sysctl -w net.ipv4.ip_forward=1

# 2. Flush ALL iptables rules and user chains (clean slate)
echo "[2/6] Flushing existing iptables rules"
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

# 3. Default policies: nothing is forwarded unless a rule below allows it.
#    INPUT/OUTPUT stay ACCEPT, i.e. the gateway host is not firewalled by this script.
echo "[3/6] Setting default policies"
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# 4. Allow forwarding ONLY into the VPN interfaces
echo "[4/6] Adding forwarding + kill-switch rules"
# Outbound: LAN -> VPN tunnels (this also carries the replies of the DNATed flows in step 6)
iptables -A FORWARD -i "$LAN_IF" -o "$WG_IF" -j ACCEPT
iptables -A FORWARD -i "$LAN_IF" -o "$OC_IF" -j ACCEPT
# Return traffic: VPN tunnels -> LAN, established/related flows only
iptables -A FORWARD -i "$WG_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "$OC_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Explicit kill switch (no ISP escape): LAN traffic is never forwarded back out via the
# LAN/ISP interface. The FORWARD DROP policy already enforces this; the rule makes it
# visible in `iptables -L` and must stay ahead of the DNAT accept rules added in step 6.
iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -j DROP

# 5. NAT (masquerade) only for traffic leaving through the VPN tunnels.
#    Deliberately no MASQUERADE on $LAN_IF: that would open a path around the tunnels.
echo "[5/6] Adding NAT masquerade rules"
iptables -t nat -A POSTROUTING -o "$WG_IF" -j MASQUERADE
iptables -t nat -A POSTROUTING -o "$OC_IF" -j MASQUERADE

# 6. DNAT port forwarding from the VPN side to the web server
echo "[6/6] Adding port forwarding rules"
for PORT in $PORTS; do
  # WireGuard
  iptables -t nat -A PREROUTING -i "$WG_IF" -p tcp --dport "$PORT" \
    -j DNAT --to-destination "$WEB_IP:$PORT"
  # OpenConnect / tun0
  iptables -t nat -A PREROUTING -i "$OC_IF" -p tcp --dport "$PORT" \
    -j DNAT --to-destination "$WEB_IP:$PORT"
  # Allow the DNATed flows to reach the web server. Only the VPN interfaces can
  # originate them: LAN -> LAN was already dropped by the kill-switch rule above.
  iptables -A FORWARD -p tcp -d "$WEB_IP" --dport "$PORT" \
    -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
done

echo "=== Active rules ==="
iptables -L -v -n
iptables -t nat -L -v -n

# Persistence: save the iptables rules AND make ip_forward survive a reboot
read -r -p "Save rules persistently? (y/N): " SAVE || SAVE=n
if [[ "$SAVE" =~ ^[Yy]$ ]]; then
  apt update
  # noninteractive: iptables-persistent otherwise asks via debconf whether to save
  DEBIAN_FRONTEND=noninteractive apt install -y iptables-persistent
  netfilter-persistent save
  echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-vpn-gateway.conf
  echo "Rules and ip_forward saved persistently."
else
  echo "Rules NOT saved. They will be lost on reboot."
fi

echo "=== VPN Gateway rebuild complete ==="
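A check worth running after every rebuild: audit the resulting `iptables-save` output for the kill-switch invariants the script is meant to establish (FORWARD policy DROP, no ACCEPT that can push new forwarded flows out of the LAN/ISP interface, no NAT on that interface). This is an added example and not part of the gist; it assumes the interface names and the 192.168.0.0/24 LAN from the script's CONFIG block, and both rule dumps below are constructed, not captured from a host. The second dump is the classic "share my internet" ruleset, shown so the difference from the gateway's rules is visible.

```shell
#!/bin/sh
# Kill-switch audit for the VPN gateway ruleset (added example, not from the gist).
# Feed it `iptables-save` output on stdin; it reports every rule that could carry
# forwarded traffic straight out of the ISP-facing interface instead of a tunnel.
# Assumptions: interface names and the 192.168.0.0/24 LAN from the script's CONFIG.

LAN_IF="ens18"              # LAN NIC, which also carries the ISP uplink
VPN_IFS="torguard-wg tun0"  # the only interfaces forwarded traffic may leave through
LAN_PREFIX="192.168.0."     # assumption: LAN is a /24; such destinations never reach the ISP

is_vpn_if() {
  for ifc in $VPN_IFS; do
    [ "$ifc" = "$1" ] && return 0
  done
  return 1
}

# Reads an iptables-save dump from stdin and prints one "LEAK:" line per problem.
# Exit status 0 = all kill-switch invariants hold, 1 = at least one leak path.
check_gateway_rules() {
  table=""; policy_drop=0; findings=0
  while IFS= read -r line; do
    case "$line" in
      '*'*)             table="${line#\*}"; continue ;;
      ':FORWARD DROP'*) [ "$table" = filter ] && policy_drop=1; continue ;;
      '-A '*)           ;;
      *)                continue ;;
    esac
    # Word-split the rule into $1..$n (iptables-save lines carry no glob characters).
    set -- $line
    chain=$2; shift 2
    in_if=""; out_if=""; dst=""; target=""; state=""
    while [ $# -gt 1 ]; do
      case "$1" in
        -i) in_if=$2 ;;
        -o) out_if=$2 ;;
        -d) dst=$2 ;;
        -j) target=$2 ;;
        --ctstate|--state) state=$2 ;;
      esac
      shift
    done
    if [ "$table" = filter ] && [ "$chain" = FORWARD ] && [ "$target" = ACCEPT ]; then
      # Leaving through a tunnel is the intended path.
      if [ -n "$out_if" ] && is_vpn_if "$out_if"; then continue; fi
      # Reply-only rules (no NEW in the state match) cannot open a new flow.
      case ",$state," in *,NEW,*|,,) ;; *) continue ;; esac
      # Flows pinned to a LAN destination (the DNAT targets) stay inside the LAN.
      case "$dst" in "$LAN_PREFIX"*) continue ;; esac
      echo "LEAK: FORWARD ACCEPT can emit new flows on $LAN_IF: $line"
      findings=$((findings + 1))
    elif [ "$table" = nat ] && [ "$chain" = POSTROUTING ]; then
      case "$target" in
        MASQUERADE|SNAT)
          if [ -z "$out_if" ] || [ "$out_if" = "$LAN_IF" ]; then
            echo "LEAK: NAT on $LAN_IF gives forwarded traffic a path via the ISP route: $line"
            findings=$((findings + 1))
          fi ;;
      esac
    fi
  done
  if [ "$policy_drop" -eq 0 ]; then
    echo "LEAK: filter FORWARD policy is not DROP"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed dump of what the rebuild script installs (one port shown; not captured from a host).
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i torguard-wg -p tcp -m tcp --dport 38271 -j DNAT --to-destination 192.168.0.186:38271
-A POSTROUTING -o torguard-wg -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ens18 -o torguard-wg -j ACCEPT
-A FORWARD -i ens18 -o tun0 -j ACCEPT
-A FORWARD -i torguard-wg -o ens18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o ens18 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens18 -o ens18 -j DROP
-A FORWARD -d 192.168.0.186/32 -p tcp -m tcp --dport 38271 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed "share the internet" ruleset: every LAN flow may leave via the ISP.
BAD_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ens18 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i ens18 -j ACCEPT
COMMIT'

# Demo on the constructed dumps; on a live gateway run:  iptables-save | check_gateway_rules
printf '%s\n' "$GOOD_DUMP" | check_gateway_rules && echo "gateway dump: clean"
printf '%s\n' "$BAD_DUMP"  | check_gateway_rules || echo "sharing dump: NOT clean"
```

The audit is deliberately conservative: a FORWARD ACCEPT with no `-o` at all counts as able to reach the LAN/ISP interface unless its state match excludes NEW or its destination is pinned inside the LAN, which is exactly why the script's DNAT accept rule passes while a bare `-i ens18 -j ACCEPT` does not. The same function can be pointed at `ip6tables-save` output once IPv6 rules exist.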