# WireGuard Easy Setup - Routing Mode Documentation

## Overview

The `wgez-setup.sh` script now supports two different traffic routing modes:

1. **WireGuard-only mode** (default)
2. **Full tunnel mode**

## Routing Modes

### WireGuard-only Mode

- **Purpose**: Only route WireGuard network traffic (10.8.0.x) through the VPN
- **AllowedIPs**: `10.8.0.0/24`
- **DNS**: None (uses system DNS)
- **Internet Traffic**: Bypasses the VPN and uses the regular internet connection
- **Use Case**: When you want to reach WireGuard network resources but keep regular internet traffic separate

### Full Tunnel Mode

- **Purpose**: Route ALL internet traffic through the VPN
- **AllowedIPs**: `0.0.0.0/0, ::/0`
- **DNS**: `1.1.1.1, 8.8.8.8` (Cloudflare and Google DNS)
- **Internet Traffic**: All traffic goes through the VPN
- **Use Case**: When you want complete privacy/anonymity or need to bypass network restrictions

## Configuration Differences

### WireGuard-only Configuration

```ini
[Interface]
Address = 10.8.0.6/24
PrivateKey =

[Peer]
PublicKey =
AllowedIPs = 10.8.0.0/24
Endpoint = ugh.im:51820
PersistentKeepalive = 60
```

### Full Tunnel Configuration

```ini
[Interface]
Address = 10.8.0.6/24
PrivateKey =
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ugh.im:51820
PersistentKeepalive = 60
```

## Endpoint Requirements

### WireGuard-only Mode

- **Zion Server**: No special requirements
- **Client**: Standard WireGuard configuration

### Full Tunnel Mode

- **Zion Server**: Must have proper NAT/iptables rules
- **Required Zion Configuration**:

```bash
# Enable IP forwarding
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Add NAT rules (if not already present)
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -A FORWARD -o wg0 -j ACCEPT
```

## Usage

1. Run the setup script: `./wgez-setup.sh`
2. Choose option 2 (Generate keys + complete config)
3. Select routing mode:
   - Option 1: WireGuard traffic only
   - Option 2: All traffic through VPN
4. Follow the generated instructions

## Important Notes

- **Full tunnel mode** requires the Zion server to have proper NAT configuration
- **WireGuard-only mode** is safer and doesn't require endpoint changes
- The `FORWARD` rules above accept all traffic entering and leaving `wg0`; tighten them if Zion forwards anything besides this VPN
- The script automatically provides endpoint-specific instructions for full tunnel mode
- Routing mode is saved in the JSON info file for reference

## Troubleshooting

### Full Tunnel Not Working

1. Check Zion's iptables rules: `sudo iptables -t nat -L POSTROUTING`
2. Verify IP forwarding is enabled: `cat /proc/sys/net/ipv4/ip_forward`
3. Check WireGuard interface status: `sudo wg show`

### DNS Issues in Full Tunnel

- The script configures DNS servers (1.1.1.1, 8.8.8.8)
- If DNS doesn't work, check whether Zion allows DNS traffic
- Consider adding DNS-specific iptables rules if needed
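The two client configurations and the server-side checks from the troubleshooting section, as an added shell example that is not part of `wgez-setup.sh`. The function names `wg_client_config` and `wg_server_ready` are assumed; the Address, Endpoint, DNS and AllowedIPs values are the ones shown above, and the keys and `iptables -S` text are constructed placeholders.

```shell
#!/bin/sh
# Emit a client config for a routing mode: "wg-only" or "full".
# Arguments: mode, client private key, server public key.
wg_client_config() {
    mode="$1"; privkey="$2"; pubkey="$3"
    case "$mode" in
        wg-only) allowed="10.8.0.0/24"; dns="" ;;
        full)    allowed="0.0.0.0/0, ::/0"; dns="1.1.1.1, 8.8.8.8" ;;
        *) echo "wg_client_config: unknown mode '$mode'" >&2; return 1 ;;
    esac
    printf '[Interface]\nAddress = 10.8.0.6/24\nPrivateKey = %s\n' "$privkey"
    # DNS is only pushed in full tunnel mode; wg-only keeps the system DNS.
    if [ -n "$dns" ]; then printf 'DNS = %s\n' "$dns"; fi
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pubkey" "$allowed"
    printf 'Endpoint = ugh.im:51820\nPersistentKeepalive = 60\n'
}

# Full-tunnel preflight for the server side. Arguments: the content of
# /proc/sys/net/ipv4/ip_forward and the output of
# `iptables -t nat -S POSTROUTING`, passed as strings so the check can be
# run against captured output. Returns 0 only when forwarding is on and a
# MASQUERADE rule covers the 10.8.0.0/24 VPN subnet.
wg_server_ready() {
    ip_forward="$1"; nat_rules="$2"
    [ "$ip_forward" = "1" ] || { echo "ip_forward is off" >&2; return 1; }
    printf '%s\n' "$nat_rules" | grep -q -- '-s 10.8.0.0/24 .*-j MASQUERADE' \
        || { echo "no MASQUERADE rule for 10.8.0.0/24" >&2; return 1; }
    return 0
}

# Constructed sample of what `iptables -t nat -S POSTROUTING` prints once the
# rule from this page has been added (the -P line is the chain policy).
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'

# Demo: print the full-tunnel client config with placeholder keys.
wg_client_config full '<client-private-key>' '<server-public-key>'
```

On a live Zion host the same check reads `cat /proc/sys/net/ipv4/ip_forward` and `sudo iptables -t nat -S POSTROUTING` for its two arguments.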