Note that GeoIP is unreliable so you may accidentally block some IPs that aren’t Chinese. Even whois is not 100% reliable given how often IPv4 addresses are traded these days.

If some Chinese-made technology really phones home, it’s more likely that they’d communicate with a US-based server that would then communicate to servers in China behind-the-scenes.

I use *.home.mydomain for publicly-accessible IPs (IPv6 addresses plus anything that I’ve port forwarded so it’s accessible externally) and *.int.mydomain for internal IPv4 addresses.

Does your provider not offer IPv6? That’s usually the best way to avoid all NAT, including CGNAT.

$5/m is pretty expensive for a VPS if you’re just using it for Wireguard. A $15/year 2 GB RAM / 20-ish GB SSD VPS would be totally fine for that use case.

Black Friday is coming up… The best time of year for VPS deals. Even without Black Friday deals, providers like GreenCloudVPS (their “Budget KVM” packages) and RackNerd have good deals.

Are there screenshots available anywhere?

AirVPN. They let you port forward up to 20 ports, which is useful for various use cases (not just file sharing). If you want to seed torrents, port forwarding is an essential feature.

Anything that you absolutely must do as root can be done using sudo -i which will give you a root shell.

Nice work!

Some small pieces of feedback:

• You can disable the root user during installation, by leaving the root password blank. The installer explains this in the text at the top of the page. If you do this, root will be disabled and sudo will be installed automatically
• If you really want to control which users can SSH in, it’s recommended to create a group and use AllowGroups, rather than allowing individual users via AllowUsers. Note that once you disable PasswordAuthentication, the only users that can SSH in are users that have keys in authorized_keys, so you don’t really need to use AllowUsers or AllowGroups.
• Disabling IPv6 is unnecessary. If you don’t want to use it, then just… don’t use it? You should ideally always have IPv6 enabled for connections to the internet though. It’s generally faster due to better routing (see Google’s latency impact data: https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption), and more future-proof.
• You may want to consider CrowdSec instead of fail2ban. It’s more efficient and they have a shared list of known bad IPs that you can use.