@@ 140,14 140,26 @@ include "/etc/nftables/proxy.nft"
This firewall rule will NOT close SSH access. If you have publicly available SSH, that is a bad idea, and you should adjust `allowed_tcp_dports` to not include SSH. This default configuration will only pass through HTTP and HTTPS. Adjust `allowed_tcp_dports` to allow your TCP port, and `allowed_udp_dports` to allow your UDP port. In the first file, use the example HTTP/HTTPS configuration to forward another port. Keep in mind that this port forwarding will take priority! If you have SSH open to the VPS and you try forwarding SSH, you WILL lose SSH access!
-Add the line `include /etc/nftables/main.nft;` at the end of the file `/etc/nftables.conf`, then run `sudo sysctl -w net.ipv4.ip_forward=1` and `echo net.ipv4.ip_forward = 1 | sudo tee -a /etc/sysctl.conf`. Reload the firewall rules: `sudo systemctl restart nftables`.
+Add the line `include /etc/nftables/main.nft;` at the end of the file `/etc/nftables.conf` (the semicolon is important), and then restart the firewall (and ensure it persists across reboots):
+
+```console
+cloudvm# systemctl enable nftables
+cloudvm# systemctl restart nftables
+```
+
+Finally, enable IP forwarding and make it persist across reboots:
+
+```console
+cloudvm# sysctl -w net.ipv4.ip_forward=1
+cloudvm# echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
+```
## Step 4: Set Up Wireguard
First, set up the Wireguard keys. On the cloud VM, run this command as root:
-```
-wg genkey | tee privatekey | wg pubkey > publickey
+```console
+cloudvm# wg genkey | tee privatekey | wg pubkey > publickey
```
Keep these generated files (`privatekey`, `publickey`) in a safe place.
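Review bot: the include line added at `+Add the line \`include /etc/nftables/main.nft;\`` is missing the quotes around the path that nftables requires and that this hunk's own context line (`include "/etc/nftables/proxy.nft"`) shows; a reader who copies it verbatim gets a syntax error on restart and, depending on how the unit is wired, may end up with no ruleset loaded at all. Suggest `include "/etc/nftables/main.nft";` and a `nft -c -f /etc/nftables.conf` check before the restart. Two smaller points: `echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf` appends a duplicate line every time the step is repeated, so a drop-in such as `/etc/sysctl.d/99-forward.conf` containing `net.ipv4.ip_forward = 1` is cleaner; and `wg genkey | tee privatekey ...` writes the private key with the caller's current umask, so a preceding `umask 077` keeps the key from being world-readable in that directory.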
@@ 186,11 198,11 @@ AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 30
```
-Then, reload the firewall rules and start the Wireguard tunnels:
+Then start and persist the Wireguard tunnel on both machines:
-```
-sudo systemctl enable --now wg-quick@wg0.service
-sudo systemctl restart nftables.service
+```console
+cloudvm# systemctl enable --now wg-quick@wg0.service
+server# systemctl enable --now wg-quick@wg0.service
```
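Review bot: dropping `-sudo systemctl restart nftables.service` removes the only firewall reload that happens after `wg0` exists, and the new prose no longer mentions reloading at all. If the ruleset in `main.nft` matches the tunnel by interface index (`iif`/`oif wg0`) rather than by name (`iifname`/`oifname "wg0"`), loading it in Step 3 before the interface is up fails, and nothing in this hunk reloads it afterwards. Either keep a restart of nftables on the VM after `wg-quick@wg0` is enabled, or state in the text that the ruleset uses name-based matches so the Step 3 load is sufficient; a final `nft list ruleset` to confirm the forwarding rules are present would be a useful closing check for the reader.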
---