diff options
author | Yaroslav <contact@yaroslavps.com> | 2020-06-04 20:53:36 +0300 |
---|---|---|
committer | Yaroslav <contact@yaroslavps.com> | 2020-06-05 11:54:11 +0300 |
commit | 2fc8cc3911e9101370e5fbca883ed337fd76b0e4 (patch) | |
tree | 0b1df99dfcc89b8c1b252319e133b3f6209921fd /content | |
parent | f251f1ad331f8d13cbd2d6e15e65e6990570add6 (diff) | |
download | yaroslavps.com-2fc8cc3911e9101370e5fbca883ed337fd76b0e4.tar.gz yaroslavps.com-2fc8cc3911e9101370e5fbca883ed337fd76b0e4.zip |
wireguard vpn draft
Diffstat (limited to 'content')
-rw-r--r-- | content/weblog/2020-06-04_wireguard-vpn/index.md | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/content/weblog/2020-06-04_wireguard-vpn/index.md b/content/weblog/2020-06-04_wireguard-vpn/index.md new file mode 100644 index 0000000..5d68389 --- /dev/null +++ b/content/weblog/2020-06-04_wireguard-vpn/index.md @@ -0,0 +1,123 @@ ++++ +title = "Goodbye OpenVPN, hello Wireguard" +date = 2020-06-05T13:00:00Z ++++ + +I have been using OpenVPN for quite some time for my internet privacy purposes. +However, recently I decided to switch to Wireguard. I am going to layout the +reason why I chose to do it, and how I setup the Wireguard VPN for my purposes. +I had been meaning to write about this for some time, unfortunately, I have been +quite busy with finishing my last year of university. + +<!-- more --> + +I had heard about this new VPN thing-y called Wireguard last year and how it is +supposed to be so much better than other VPN technologies such as IPsec and +OpenVPN. It sounded nice to me and all, but it still wasn't considered stable +back then, and I really didn't feel like switching when I had a setup that "just +works™". + +But then, something happened. My then hosting provider decided to cancel their +VPS hosting plans, so I had to migrate everything that I had on my VPS to a new +hosting provider, which included this site and my VPN. Also by this time, the +stable release of Wireguard had been release, and the kernel module added to +upstream. When I was in the process of migrating to my new VPS, I actually +started to setup OpenVPN first, but some things had changed since the last time +I had setup OpenVPN, and I didn't really want to deal with OpenVPN at this +point. That's when I remembered about Wireguard. Good timing, if I do say so +myself. + +I have been using Wireguard for over a month now, and I have to say, I am really +happy with it. It really is better than OpenVPN. The main advantages that +Wireguard has over OpenVPN for me are the following: + +* It is so much easier to setup. No need to mess around with certificates. +* Adding new clients or peers is also much easier are straightforward. +* Latency and speed are slightly better than OpenVPN, especially latency. It + might not be such a big difference, but I no longer feel the need to turn off + my VPN when videoconferencing. +* It brings up the network interface(s) much faster than OpenVPN. +* It consumes less resources. +* I had to disconnect and manually reconnect OpenVPN every time I resumed my + computer from sleep or when I changed networks. With Wireguard, not anymore. + It has a built-in roaming feature, so it doesn't matter if I suspend my + computer, after waking up it "keeps" the connection for me, the same when I, + for example, disconnect from WiFi and connect to ethernet, etc. + +If these advantages haven't convinced you yet, I don't know what will. + +## Set up instructions + +There are something that are worth keeping in mind while setting up Wireguard. +One of them is that unlike other VPN protocols, like OpenVPN, there is no server +and client per se. There are just peers. Of course, that doesn't mean that you +cannot use Wireguard like you would use OpenVPN, quite the contrary. It just +means there is more flexibility and that you need to configure the peer that +you're going to use as a server, such that it tunnels all the internet traffic +it receives from the other peers and reroutes it. + +Before setting up Wireguard, you'll need to install it on each peer. Check out +this link on how to install Wireguard on your system: +[https://www.wireguard.com/install/](https://www.wireguard.com/install/) + +### Server configuration + +Before setting up Wireguard, you might want to setup a firewall such as `ufw`. +After installing Wireguard and setting up your firewall, it's time to create a +new profile for your connection. + +First, as root, change to the `/etc/wireguard/` directory. + +You'll need to create a private key, and from that private key you should get +the public key for your clients. + +Generating a private key is as simple as this: + +```sh +wg genkey +``` + +Then you'll need to create the profile, for that create file wg0.conf with the +following contents: + +``` +[Interface] +Address = 10.0.0.1/24 +Address = fd86:ea04:1115::1/64 +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE +ListenPort = 51820 +PrivateKey = <your private key here> +``` + +You should put the private key that you generated before in the wg0.conf file in +the "PrivateKey" field. + +Now is a good time to get the public key. It would be convenient to have it +saved in a file so that you can easily retrieve in the future when you need to +add new peers: + +```sh +echo "<your private key here>" | wg pubkey > wg0.pubkey +``` + +If you already have setup a firewall on your server, don't forget to allow +connections on the port being used by Wireguard. For example, for ufw you would +run the following: + +```sh +ufw allow 5182/udp +``` + +### Client configuration + +The configuration for the client side of things is pretty similar to the server +side of things, since after all, to Wireguard there is no server or client. + +Back on the server, append an entry for your client device to the end of the +wg.conf file: + +``` +[Peer] +PublicKey = <your public key here> +AllowedIPs = 10.0.0.2/32 |