VPN Config Generator

Generate WireGuard, OpenVPN, and other VPN configurations with advanced routing, NAT, and port-forwarding rules.

Key Generation Note
WireGuard keys must be generated on the server/client using the wg tool — they cannot be generated securely in a browser.
wg genkey | tee server.key | wg pubkey > server.pub
cat server.key   # private key (keep secret)
cat server.pub   # public key (share with peers)

Custom PostUp / PostDown Lines

PostDown lines are auto-generated by replacing -A with -D.

IPSec / IKEv2 (strongSwan)

IKEv2/IPSec is built into Windows, macOS, iOS, and Android. High performance, and no client software is needed on most platforms.

Linux setup via strongswan package:

apt install strongswan strongswan-pki
# Generate CA, server cert, client certs
# Config: /etc/ipsec.conf, /etc/ipsec.secrets

Port: UDP 500 + 4500 (NAT-T)

SSH Tunnel

Quick port forwarding or SOCKS proxy over SSH. No VPN software needed — just an SSH server.

# Local forward: localhost:3307 → remote:3306
ssh -L 3307:localhost:3306 user@server -N
# SOCKS5 proxy (configure browser to use)
ssh -D 1080 user@server -N
# Remote forward: server:8080 → local:8080
ssh -R 8080:localhost:8080 user@server -N
# Persistent tunnel with autossh
autossh -M 0 -D 1080 user@server -N

WireGuard iptables Reference

Common PostUp patterns — replace eth0 with your outbound interface:

# Basic NAT (internet access)
iptables -A FORWARD -i %i -j ACCEPT
iptables -A FORWARD -o %i -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# DNAT port forward (e.g. game server)
iptables -t nat -A PREROUTING -i eth0 \
  -p tcp --dport 25565 \
  -j DNAT --to-destination 10.66.66.2:25565
iptables -A FORWARD -p tcp -d 10.66.66.2 \
  --dport 25565 -j ACCEPT
# Restrict forward to specific subnet only
iptables -A FORWARD -s 10.66.66.0/24 \
  -o eth0 -j ACCEPT
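
An added example (not the generator's own code): a Python check that every iptables rule a wg-quick config adds in PostUp has a matching delete in PostDown, so NAT and DNAT rules like the ones above do not stay active after the tunnel is down. It goes beyond the plain -A to -D replacement by also handling -I; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample wg-quick [Interface] section; the key is a placeholder.
SAMPLE_CONF = """\
[Interface]
Address = 10.66.66.1/24
PrivateKey = <server-private-key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 25565 -j DNAT --to-destination 10.66.66.2:25565
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
"""

def hook_commands(conf, key):
    """Return the individual commands from every `key = ...` line, split on ';'."""
    cmds = []
    for line in conf.splitlines():
        m = re.match(rf"\s*{key}\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            # Normalise whitespace so commands compare reliably.
            cmds += [" ".join(c.split()) for c in m.group(1).split(";") if c.strip()]
    return cmds

def to_delete(cmd):
    """Turn an iptables append/insert command into the matching delete, or None."""
    tok = cmd.split()
    for i, t in enumerate(tok):
        if t in ("-A", "--append"):
            tok[i] = "-D"
            return " ".join(tok)
        if t in ("-I", "--insert"):
            tok[i] = "-D"
            # -I CHAIN [rulenum]: drop the position so -D matches by rule spec.
            if i + 2 < len(tok) and tok[i + 2].isdigit():
                del tok[i + 2]
            return " ".join(tok)
    return None  # not a rule-adding command (e.g. sysctl)

def missing_postdown(conf):
    """PostUp rules whose delete counterpart is absent from PostDown."""
    down = set(hook_commands(conf, "PostDown"))
    expected = [to_delete(c) for c in hook_commands(conf, "PostUp")]
    return [d for d in expected if d and d not in down]

if __name__ == "__main__":
    for rule in missing_postdown(SAMPLE_CONF):
        print("no teardown for:", rule)
```

On the sample, the DNAT rule inserted with -I is reported because no PostDown line removes it.
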
SoftEther VPN

Multi-protocol VPN: L2TP/IPSec, SSTP, OpenVPN, SoftEther. Excellent for bypassing restrictive firewalls (uses HTTPS port 443).

apt install softether-vpnserver
# or download from softether.org
# Configure via CLI:
vpncmd localhost:443 /SERVER /CMD
# or via SoftEther VPN Server Manager GUI

Supports SSL-VPN over TCP 443 — almost never blocked.

L2TP/IPSec

Older protocol, natively supported by all major OSes. Slower than WireGuard/OpenVPN but no client software needed.

apt install xl2tpd strongswan
# /etc/ipsec.secrets (pre-shared key):
%any %any : PSK "your-secret-key"
# /etc/xl2tpd/xl2tpd.conf — defines IP pool
# /etc/ppp/chap-secrets — client credentials

Useful iptables Commands

Debugging NAT and forwarding rules:

# List all rules with line numbers
iptables -L -n -v --line-numbers
# List NAT table
iptables -t nat -L -n -v
# Save/restore (iptables-persistent)
netfilter-persistent save
netfilter-persistent reload
# Watch live packet counts
watch -n1 iptables -L -n -v
# Enable kernel IP forwarding
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf