author: Yaroslav <contact@yaroslavps.com> 2020-06-04 20:53:36 +0300
committer: Yaroslav <contact@yaroslavps.com> 2020-06-05 11:54:11 +0300
commit: 2fc8cc3911e9101370e5fbca883ed337fd76b0e4 (patch)
tree: 0b1df99dfcc89b8c1b252319e133b3f6209921fd /content/weblog/2020-06-04_wireguard-vpn
parent: f251f1ad331f8d13cbd2d6e15e65e6990570add6 (diff)
wireguard vpn draft
Diffstat (limited to 'content/weblog/2020-06-04_wireguard-vpn')
-rw-r--r-- content/weblog/2020-06-04_wireguard-vpn/index.md | 123
1 files changed, 123 insertions, 0 deletions
diff --git a/content/weblog/2020-06-04_wireguard-vpn/index.md b/content/weblog/2020-06-04_wireguard-vpn/index.md
new file mode 100644
index 0000000..5d68389
--- /dev/null
+++ b/content/weblog/2020-06-04_wireguard-vpn/index.md
@@ -0,0 +1,123 @@
++++
+title = "Goodbye OpenVPN, hello Wireguard"
+date = 2020-06-05T13:00:00Z
++++
+
+I have been using OpenVPN for quite some time for my internet privacy purposes.
+However, recently I decided to switch to Wireguard. I am going to layout the
+reason why I chose to do it, and how I setup the Wireguard VPN for my purposes.
+I had been meaning to write about this for some time, unfortunately, I have been
+quite busy with finishing my last year of university.
+
+<!-- more -->
+
+I had heard about this new VPN thing-y called Wireguard last year and how it is
+supposed to be so much better than other VPN technologies such as IPsec and
+OpenVPN. It sounded nice to me and all, but it still wasn't considered stable
+back then, and I really didn't feel like switching when I had a setup that "just
+works™".
+
+But then, something happened. My then hosting provider decided to cancel their
+VPS hosting plans, so I had to migrate everything that I had on my VPS to a new
+hosting provider, which included this site and my VPN. Also by this time, the
+stable release of Wireguard had been release, and the kernel module added to
+upstream. When I was in the process of migrating to my new VPS, I actually
+started to setup OpenVPN first, but some things had changed since the last time
+I had setup OpenVPN, and I didn't really want to deal with OpenVPN at this
+point. That's when I remembered about Wireguard. Good timing, if I do say so
+myself.
+
+I have been using Wireguard for over a month now, and I have to say, I am really
+happy with it. It really is better than OpenVPN. The main advantages that
+Wireguard has over OpenVPN for me are the following:
+
+* It is so much easier to setup. No need to mess around with certificates.
+* Adding new clients or peers is also much easier are straightforward.
+* Latency and speed are slightly better than OpenVPN, especially latency. It
+ might not be such a big difference, but I no longer feel the need to turn off
+ my VPN when videoconferencing.
+* It brings up the network interface(s) much faster than OpenVPN.
+* It consumes less resources.
+* I had to disconnect and manually reconnect OpenVPN every time I resumed my
+ computer from sleep or when I changed networks. With Wireguard, not anymore.
+ It has a built-in roaming feature, so it doesn't matter if I suspend my
+ computer, after waking up it "keeps" the connection for me, the same when I,
+ for example, disconnect from WiFi and connect to ethernet, etc.
+
+If these advantages haven't convinced you yet, I don't know what will.
+
+## Set up instructions
+
+There are something that are worth keeping in mind while setting up Wireguard.
+One of them is that unlike other VPN protocols, like OpenVPN, there is no server
+and client per se. There are just peers. Of course, that doesn't mean that you
+cannot use Wireguard like you would use OpenVPN, quite the contrary. It just
+means there is more flexibility and that you need to configure the peer that
+you're going to use as a server, such that it tunnels all the internet traffic
+it receives from the other peers and reroutes it.
+
+Before setting up Wireguard, you'll need to install it on each peer. Check out
+this link on how to install Wireguard on your system:
+[https://www.wireguard.com/install/](https://www.wireguard.com/install/)
+
+### Server configuration
+
+Before setting up Wireguard, you might want to setup a firewall such as `ufw`.
+After installing Wireguard and setting up your firewall, it's time to create a
+new profile for your connection.
+
+First, as root, change to the `/etc/wireguard/` directory.
+
+You'll need to create a private key, and from that private key you should get
+the public key for your clients.
+
+Generating a private key is as simple as this:
+
+```sh
+wg genkey
+```
+
+Then you'll need to create the profile, for that create file wg0.conf with the
+following contents:
+
+```
+[Interface]
+Address = 10.0.0.1/24
+Address = fd86:ea04:1115::1/64
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
+ListenPort = 51820
+PrivateKey = <your private key here>
+```
+
+You should put the private key that you generated before in the wg0.conf file in
+the "PrivateKey" field.
+
+Now is a good time to get the public key. It would be convenient to have it
+saved in a file so that you can easily retrieve in the future when you need to
+add new peers:
+
+```sh
+echo "<your private key here>" | wg pubkey > wg0.pubkey
+```
+
+If you already have setup a firewall on your server, don't forget to allow
+connections on the port being used by Wireguard. For example, for ufw you would
+run the following:
+
+```sh
+ufw allow 5182/udp
+```
+
+### Client configuration
+
+The configuration for the client side of things is pretty similar to the server
+side of things, since after all, to Wireguard there is no server or client.
+
+Back on the server, append an entry for your client device to the end of the
+wg.conf file:
+
+```
+[Peer]
+PublicKey = <your public key here>
+AllowedIPs = 10.0.0.2/32
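Review bot: the firewall command in the "Server configuration" section opens the wrong port: the interface sets `ListenPort = 51820`, but the ufw example runs `ufw allow 5182/udp`, so readers following the draft literally will have the handshake blocked; it should read `ufw allow 51820/udp`. In the same hunk, the client section tells the reader to append the `[Peer]` block to "wg.conf" while the file created earlier is `wg0.conf`; use one name throughout. The key-generation steps would also benefit from two changes: `wg genkey` prints the private key to the terminal and the draft then has the reader paste it into both `wg0.conf` and an `echo` pipeline, so suggest the usual one-liner `umask 077; wg genkey | tee wg0.key | wg pubkey > wg0.pubkey` (writing the key to a file with restrictive permissions instead of leaving it in shell history), and mention that `/etc/wireguard/wg0.conf` must be readable by root only since it contains the private key. The `PostUp` line sets up `MASQUERADE` on `ens3` but the text never says that forwarding has to be enabled (`net.ipv4.ip_forward=1`, and `net.ipv6.conf.all.forwarding=1` if the `fd86:ea04:1115::1/64` address is meant to carry traffic; note that only `iptables`, not `ip6tables`, rules are shown) or that `ens3` is the interface name on this particular VPS and will differ elsewhere. Minor wording: "had been release" should be "had been released", "much easier are straightforward" should be "much easier and straightforward", "There are something that are worth" should be "There are some things that are worth", and "layout"/"setup" used as verbs should be "lay out"/"set up".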