How To Use This Repository

Begin here if you are new to the project.

This file explains:

• what to read first
• what happens on the VPS side
• what happens on the client side
• how to get from zero to a working setup

Read In This Order

1. This file Use it as the step-by-step setup checklist.
2. README.md Use it to understand the project, the supported Vultr datacenters, and the available profiles.
3. profiles/README.md Use it to find the profile that matches the Vultr datacenter you want to deploy in.
4. The profile you plan to use Example: profiles/cdg-paris/README.md
5. data/README.md Read this only if you want to inspect the source data and evidence.

What You Are Building

You are building a full-tunnel WireGuard path:

• your game client sends traffic into a WireGuard tunnel
• the tunnel exits through a Vultr VPS
• the VPS blocks COD hub families you do not want
• the matching hub family for that VPS location is left open

This is traffic shaping. It improves the chance that the game lands on the matching COD hub family. It does not guarantee the exact physical datacenter.

What You Need

• a Vultr account
• one Vultr VPS in a supported datacenter
• Debian on the VPS
• root or sudo access on the VPS
• a client device that can run WireGuard
• SSH access to the VPS

Client examples:

• a PC with the WireGuard app
• a router that supports WireGuard
• another device that can send only the gaming traffic through the tunnel

Step 1: Choose The Target Location

Pick the Vultr datacenter you want to play through.

Then pick the matching profile from profiles/.

Examples:

• Paris VPS -> profiles/cdg-paris/
• Chicago VPS -> profiles/ord-chicago/
• Frankfurt VPS -> profiles/fra-frankfurt/

Check two things before you continue:

• the profile exists
• the evidence level is acceptable for your use case

Step 2: Create The VPS

On Vultr:

• choose the datacenter that matches your target profile
• choose Debian
• choose the smallest reasonable size, for example 1 vCPU
• note the public IPv4 address
• note the public interface name after login

After the VPS is created, log in to it over SSH.

Typical first login from your terminal:

ssh root@<vps_public_ip>

Use the initial root password shown in the Vultr portal for that instance.

Typical flow:

1. Open the instance in the Vultr portal.
2. Copy the public IPv4 address.
3. Copy or view the initial root password from the instance details.
4. Run ssh root@<vps_public_ip> from your terminal.
5. Paste the password when prompted.

On first login, it is reasonable to update the system immediately:

apt update
apt upgrade -y

Then install the required packages:

sudo apt update
sudo apt install -y wireguard iptables ipset conntrack tcpdump

Step 3: Configure WireGuard On The VPS

Generate a server key pair:

umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key

Create /etc/wireguard/wg0.conf:

[Interface]
Address = 10.9.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.9.0.2/32
PersistentKeepalive = 25

Bring the interface up:

sudo systemctl enable --now wg-quick@wg0
sudo wg show

Step 4: Enable Routing And NAT On The VPS

Enable IPv4 forwarding:

sudo sysctl -w net.ipv4.ip_forward=1

Make it persistent:

echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-cod-wg.conf
sudo sysctl --system

Add outbound NAT on the public interface:

sudo iptables -t nat -A POSTROUTING -o <public-if> -j MASQUERADE

Step 5: Load The COD Blocklist On The VPS

Create the active ipset:

sudo ipset create cod_block hash:net family inet hashsize 4096 maxelem 262144 -exist

Load the selected profile:

while read -r net; do
  sudo ipset add cod_block "$net" -exist
done < profiles/<chosen-profile>/blocklist.txt

Example:

while read -r net; do
  sudo ipset add cod_block "$net" -exist
done < profiles/cdg-paris/blocklist.txt

Step 6: Add Firewall Rules On The VPS

These rules do three things:

• allow existing return traffic
• drop traffic whose destination is in cod_block
• allow the rest of the WireGuard traffic to leave

sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wg0 -o <public-if> -m set --match-set cod_block dst -j DROP
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -A FORWARD -o wg0 -j ACCEPT

Step 7: Configure The Client

On a PC, install the WireGuard client.

Create a client key pair:

wg genkey | tee client_private.key | wg pubkey > client_public.key

Use a full-tunnel client config:

[Interface]
PrivateKey = <client_private_key>
Address = 10.9.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key>
Endpoint = <vps_public_ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Important client-side points:

• AllowedIPs = 0.0.0.0/0 means full tunnel
• the game traffic must actually use the tunnel
• if you only want the game device to use the tunnel, do that with a dedicated PC, VM, router, or policy route

If you are playing from a PC, this is usually the simplest test path:

1. connect the WireGuard tunnel
2. confirm the PC public IP matches the VPS
3. start the game

Step 8: Verify The Path

On the client side:

• confirm your public IP matches the VPS
• confirm latency is reasonable for the chosen region

On the VPS side:

sudo wg show
sudo iptables -vnL FORWARD --line-numbers
sudo tcpdump -ni wg0 -tttt 'host 10.9.0.2 and udp'

What you want to see:

• recent WireGuard handshakes
• traffic flowing on wg0
• DROP ... match-set cod_block dst counters increasing when blocked hubs are attempted

Step 9: Retest Cleanly After Changes

If you change the profile or add networks, clear existing UDP state before testing again:

sudo conntrack -D -p udp

Then:

• fully close the game
• reconnect if needed
• start the game again

Without this, existing UDP sessions can survive through conntrack.

What To Read When Something Looks Wrong

• Wrong region or suspicious endpoints:

read your selected profile README and compare it to data/vultr_geofeed_summary.md

• Need to inspect the source tags:

read data/cod_block_full_by_origin.csv

Short Mental Model

• choose the VPS location first
• choose the matching profile second
• configure WireGuard third
• load the blocklist on the VPS fourth
• verify from both client side and VPS side

If the client is not actually full-tunneled through the VPS, the profile does not matter.