diff options
author | Yaroslav <contact@yaroslavps.com> | 2020-06-06 05:40:35 +0300 |
---|---|---|
committer | Yaroslav <contact@yaroslavps.com> | 2020-06-06 05:40:35 +0300 |
commit | 9b02790f30925c4853b507d46bb73a433b1df1f9 (patch) | |
tree | cc37ed8196fa99932b36c88bf40f05adc51777b6 /content/weblog/2020-06-06_wireguard-vpn | |
parent | 2fc8cc3911e9101370e5fbca883ed337fd76b0e4 (diff) | |
download | yaroslavps.com-9b02790f30925c4853b507d46bb73a433b1df1f9.tar.gz yaroslavps.com-9b02790f30925c4853b507d46bb73a433b1df1f9.zip |
wireguard vpn article finished
Diffstat (limited to 'content/weblog/2020-06-06_wireguard-vpn')
-rw-r--r-- | content/weblog/2020-06-06_wireguard-vpn/index.md | 239 | ||||
-rw-r--r-- | content/weblog/2020-06-06_wireguard-vpn/qrexample.png | bin | 0 -> 8426 bytes |
2 files changed, 239 insertions, 0 deletions
diff --git a/content/weblog/2020-06-06_wireguard-vpn/index.md b/content/weblog/2020-06-06_wireguard-vpn/index.md new file mode 100644 index 0000000..04dd969 --- /dev/null +++ b/content/weblog/2020-06-06_wireguard-vpn/index.md @@ -0,0 +1,239 @@ ++++ +title = "Goodbye OpenVPN, hello Wireguard" +date = 2020-06-06T02:13:28Z ++++ + +I had been using OpenVPN for quite some time for my internet privacy purposes. +However, I recently decided to switch to Wireguard. I am going to layout the +reason why I chose to do it, and how I setup the Wireguard VPN for my purposes. +I had been meaning to write about this for some time. Unfortunately, I have been +quite busy finishing my last year of university. + +<!-- more --> + +I had heard about this new VPN thing-y called Wireguard last year and how it is +supposed to be so much better than other VPN technologies such as IPsec and +OpenVPN. It sounded nice to me and all, but it still wasn't considered stable +back then, and I really didn't feel like switching when I had a setup that "just +works™". + +But then, something happened. My then hosting provider decided to cancel their +VPS hosting plans, so I had to migrate everything that I had on my VPS to a new +hosting provider, which included this site and my VPN. Also by this time, the +stable release of Wireguard had been release, and the kernel module added to +upstream. When I was in the process of migrating to my new VPS, I actually +started to setup OpenVPN first, but some things had changed since the last time +I had setup OpenVPN, and I didn't really want to deal with OpenVPN at this +point. That's when I remembered about Wireguard. Good timing, if I do say so +myself. + +I have been using Wireguard for over a month now, and I have to say, I am really +happy with it. It really is better than OpenVPN. The main advantages that +Wireguard has over OpenVPN for me are the following: + +* It is so much easier to setup. No need to mess around with certificates. +* Adding new clients or peers is also much easier and straightforward. +* Latency and speed are slightly better than OpenVPN, especially latency. It + might not be such a big difference, but I no longer feel the need to turn off + my VPN when videoconferencing. +* It brings up the network interface(s) much faster than OpenVPN. +* It consumes less resources. +* I had to disconnect and manually reconnect OpenVPN every time I resumed my + computer from sleep or when I changed networks. With Wireguard, not anymore. + It has a built-in roaming feature, so it doesn't matter if I suspend my + computer, after waking up it "keeps" the connection for me, the same when I, + for example, disconnect from WiFi and connect to ethernet, etc. + +If these advantages haven't convinced you yet, I don't know what will. + +## Set up instructions + +There are something that are worth keeping in mind while setting up Wireguard. +One of them is that unlike other VPN protocols, like OpenVPN, there is no server +and client per se. There are just peers. Of course, that doesn't mean that you +cannot use Wireguard like you would use OpenVPN, quite the contrary. It just +means there is more flexibility and that you need to configure the peer that +you're going to use as a server, such that it tunnels all the internet traffic +it receives from the other peers and reroutes it. + +Before setting up Wireguard, you'll need to install it on each peer. Check out +this link on how to install Wireguard on your system: +[https://www.wireguard.com/install/](https://www.wireguard.com/install/) + +### Server configuration + +Before setting up Wireguard, you might want to setup a firewall such as `ufw`. +After installing Wireguard and setting up your firewall, it's time to create a +new profile for your connection. + +First, as root, change to the `/etc/wireguard/` directory. + +You'll need to create a private key, and from that private key you should get +the public key for your clients. + +Generating a private key is as simple as this: + +```sh +wg genkey +``` + +Then you'll need to create the profile, for that create file wg0.conf with the +following contents: + +``` +[Interface] +Address = 10.0.0.1/24 +Address = fd86:ea04:1115::1/64 +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE +ListenPort = 51820 +PrivateKey = <server private key> +``` + +You should put the private key that you generated before in the wg0.conf file in +the "PrivateKey" field. + +Now is a good time to get the public key. It would be convenient to have it +saved in a file so that you can easily retrieve in the future when you need to +add new peers: + +```sh +echo "<server private key>" | wg pubkey > wg0.pubkey +``` + +If you already have setup a firewall on your server, don't forget to allow +connections on the port being used by Wireguard. For example, for ufw you would +run the following: + +```sh +ufw allow 51820/udp +``` + +Now you can bring up your Wireguard tunnel by using this command: + +```sh +wg-quick up wg0 +``` + +You can make sure that it's running by entering: + +```sh +wg show +``` + +However, if you want to bring up your Wireguard VPN tunnel every time your +server restarts, you might prefer to manage your connection with systemd. First +we have to bring down the tunnel we just brought up: + +```sh +wg-quick down wg0 +``` + +And now we can enable and start our respective systemd service: + +```sh +systemctl enable wg-quick@wg0 +systemctl start wg-quick@wg0 +``` + +### Client configuration + +The configuration for the client side of things is pretty similar to the server +side of things, since after all, to Wireguard there is no server or client. + +You can save your Wireguard profile in the same directory as in the server, i.e. +`/etc/wireguard/`. However, I prefer to keep it inside my home directory (e.g. +`~/docs/wireguard`), since I want to manage my VPN connection on my client +machine by using NetworkManager. The client profile should look something like +this: + +``` +[Interface] +Address = 10.0.0.2/24 +PrivateKey = <client private key> +ListenPort = 51820 +DNS = 1.1.1.1 + +[Peer] +PublicKey = <server public key> +AllowedIPs = 0.0.0.0/0 +Endpoint = <server IP>:51820 +``` + +Back on the server, append an entry for your client device to the end of the +wg.conf file: + +``` +[Peer] +PublicKey = <client public key> +AllowedIPs = 10.0.0.2/32 +``` + +Now you have to restart the service on the server, for example: + +```sh +systemctl restart wg-quick@wg0 +``` + +After that you can connect your client machine to the server using the Wireguard +tunnel. You can use the `wg-quick up wg0` command, but as I mentioned before, I +want to manage the VPN with NetworkManager. For that you'll first need to import +the profile into NetworkManager: + +```sh +nmcli connection import type wireguard file $PROFILE_LOCATION +``` + +After importing the profile you can bring up the tunnel by issuing the following +command (note: the connection will be called "wg0" if the filename of your +profile was "wg0.conf"): + +```sh +nmcli connection up wg0 +``` + +You can bring it down by issuing the following command: + +```sh +nmcli connection down wg0 +``` + +I should say that by default NetworkManager will connect to the VPN each that +you reboot. If you want to change this or any other setting check `man nmcli` +and `man nm-settings`. + +### Setting it up on your phone or other devices + +If you want to connect to your VPN server from other devices, you just have to +basically make a new profile the same way you did in the previous section. Just +keep in mind that you need to generate a new private/public key pair for each +new profile, and that each peer (including your server) such have a different IP +address assigned. + +If you have an Android phone, after making the profile for your phone and adding +the appropriate entry in your server's config file, you can then copy that file +to your phone and import it in the Wireguard app. Or even better, you can make +a QR code of the profile file, and then import that file using the QR code +function of the Wireguard app. + +To generate a QR code of the profile app you can use the command line program +`qrencode`, like so: + +```sh +qrencode -t ansiutf8 -r $PROFILE_LOCATION +``` + +After that a QR code should appear on your terminal window. It should look +similar to this: + +![QR code example](qrexample.png) + +## Final words + +In this post I described how to setup a Wireguard VPN in which one of the peers +works as the server, redirecting all internet traffic from all of the other +peers through itself. While this is the configuration that most suits my needs, +and probably also of most people that see a VPN as a privacy tool first and +foremost, there are other possible configurations of Wireguard. + +You should take a look at the [official Wireguard site](https://www.wireguard.com). diff --git a/content/weblog/2020-06-06_wireguard-vpn/qrexample.png b/content/weblog/2020-06-06_wireguard-vpn/qrexample.png Binary files differnew file mode 100644 index 0000000..9d3cfa9 --- /dev/null +++ b/content/weblog/2020-06-06_wireguard-vpn/qrexample.png |