-rw-r--r-- content/weblog/2020-06-06_wireguard-vpn/index.md (renamed from content/weblog/2020-06-04_wireguard-vpn/index.md) | 136
-rw-r--r-- content/weblog/2020-06-06_wireguard-vpn/qrexample.png | bin | 0 -> 8426 bytes
2 files changed, 126 insertions, 10 deletions
diff --git a/content/weblog/2020-06-04_wireguard-vpn/index.md b/content/weblog/2020-06-06_wireguard-vpn/index.md index 5d68389..04dd969 100644 --- a/content/weblog/2020-06-04_wireguard-vpn/index.md +++ b/content/weblog/2020-06-06_wireguard-vpn/index.md @@ -1,13 +1,13 @@ +++ title = "Goodbye OpenVPN, hello Wireguard" -date = 2020-06-05T13:00:00Z +date = 2020-06-06T02:13:28Z +++ -I have been using OpenVPN for quite some time for my internet privacy purposes. -However, recently I decided to switch to Wireguard. I am going to layout the +I had been using OpenVPN for quite some time for my internet privacy purposes. +However, I recently decided to switch to Wireguard. I am going to layout the reason why I chose to do it, and how I setup the Wireguard VPN for my purposes. -I had been meaning to write about this for some time, unfortunately, I have been -quite busy with finishing my last year of university. +I had been meaning to write about this for some time. Unfortunately, I have been +quite busy finishing my last year of university. <!-- more --> @@ -32,7 +32,7 @@ happy with it. It really is better than OpenVPN. The main advantages that Wireguard has over OpenVPN for me are the following: * It is so much easier to setup. No need to mess around with certificates. -* Adding new clients or peers is also much easier are straightforward. +* Adding new clients or peers is also much easier and straightforward. * Latency and speed are slightly better than OpenVPN, especially latency. It might not be such a big difference, but I no longer feel the need to turn off my VPN when videoconferencing. 
@@ -87,7 +87,7 @@ Address = fd86:ea04:1115::1/64 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE ListenPort = 51820 -PrivateKey = <your private key here> +PrivateKey = <server private key> ``` You should put the private key that you generated before in the wg0.conf file in @@ -98,7 +98,7 @@ saved in a file so that you can easily retrieve in the future when you need to add new peers: ```sh -echo "<your private key here>" | wg pubkey > wg0.pubkey +echo "<server private key>" | wg pubkey > wg0.pubkey ``` If you already have setup a firewall on your server, don't forget to allow @@ -106,7 +106,34 @@ connections on the port being used by Wireguard. For example, for ufw you would run the following: ```sh -ufw allow 5182/udp +ufw allow 51820/udp +``` + +Now you can bring up your Wireguard tunnel by using this command: + +```sh +wg-quick up wg0 +``` + +You can make sure that it's running by entering: + +```sh +wg show +``` + +However, if you want to bring up your Wireguard VPN tunnel every time your +server restarts, you might prefer to manage your connection with systemd. First +we have to bring down the tunnel we just brought up: + +```sh +wg-quick down wg0 +``` + +And now we can enable and start our respective systemd service: + +```sh +systemctl enable wg-quick@wg0 +systemctl start wg-quick@wg0 ``` ### Client configuration 
@@ -114,10 +141,99 @@ ufw allow 5182/udp The configuration for the client side of things is pretty similar to the server side of things, since after all, to Wireguard there is no server or client. +You can save your Wireguard profile in the same directory as in the server, i.e. +`/etc/wireguard/`. However, I prefer to keep it inside my home directory (e.g. +`~/docs/wireguard`), since I want to manage my VPN connection on my client +machine by using NetworkManager. The client profile should look something like +this: + +``` +[Interface] +Address = 10.0.0.2/24 +PrivateKey = <client private key> +ListenPort = 51820 +DNS = 1.1.1.1 + +[Peer] +PublicKey = <server public key> +AllowedIPs = 0.0.0.0/0 +Endpoint = <server IP>:51820 +``` + Back on the server, append an entry for your client device to the end of the wg.conf file: ``` [Peer] -PublicKey = <your public key here> +PublicKey = <client public key> AllowedIPs = 10.0.0.2/32 +``` + +Now you have to restart the service on the server, for example: + +```sh +systemctl restart wg-quick@wg0 +``` + +After that you can connect your client machine to the server using the Wireguard +tunnel. You can use the `wg-quick up wg0` command, but as I mentioned before, I +want to manage the VPN with NetworkManager. For that you'll first need to import +the profile into NetworkManager: + +```sh +nmcli connection import type wireguard file $PROFILE_LOCATION +``` + +After importing the profile you can bring up the tunnel by issuing the following +command (note: the connection will be called "wg0" if the filename of your +profile was "wg0.conf"): + +```sh +nmcli connection up wg0 +``` + +You can bring it down by issuing the following command: + +```sh +nmcli connection down wg0 +``` + +I should say that by default NetworkManager will connect to the VPN each that +you reboot. If you want to change this or any other setting check `man nmcli` +and `man nm-settings`. 
+ +### Setting it up on your phone or other devices + +If you want to connect to your VPN server from other devices, you just have to +basically make a new profile the same way you did in the previous section. Just +keep in mind that you need to generate a new private/public key pair for each +new profile, and that each peer (including your server) such have a different IP +address assigned. + +If you have an Android phone, after making the profile for your phone and adding +the appropriate entry in your server's config file, you can then copy that file +to your phone and import it in the Wireguard app. Or even better, you can make +a QR code of the profile file, and then import that file using the QR code +function of the Wireguard app. + +To generate a QR code of the profile app you can use the command line program +`qrencode`, like so: + +```sh +qrencode -t ansiutf8 -r $PROFILE_LOCATION +``` + +After that a QR code should appear on your terminal window. It should look +similar to this: + +![QR code example](qrexample.png) + +## Final words + +In this post I described how to setup a Wireguard VPN in which one of the peers +works as the server, redirecting all internet traffic from all of the other +peers through itself. While this is the configuration that most suits my needs, +and probably also of most people that see a VPN as a privacy tool first and +foremost, there are other possible configurations of Wireguard. + +You should take a look at the [official Wireguard site](https://www.wireguard.com). diff --git a/content/weblog/2020-06-06_wireguard-vpn/qrexample.png b/content/weblog/2020-06-06_wireguard-vpn/qrexample.png Binary files differnew file mode 100644 index 0000000..9d3cfa9 --- /dev/null +++ b/content/weblog/2020-06-06_wireguard-vpn/qrexample.png |
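Review bot: in the @@ -1,13 hunk the rewritten intro still carries two grammar slips of the same kind the commit is fixing: "I am going to layout the reason" should be "lay out", and "how I setup the Wireguard VPN" should be "set up" (the verb). The tense change to "I had been using" and the date bump are fine.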
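Review bot: in the @@ -32,7 hunk, "much easier and straightforward" reads better as "much easier and more straightforward"; the edit only removed the stray "are" and left the comparison dangling.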
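Review bot: in the @@ -87,7 hunk the renamed placeholder `<server private key>` makes it plain that wg0.conf holds the long-term private key, so the post should also tell the reader to keep that file root-only (`chmod 600 /etc/wireguard/wg0.conf`, or `umask 077` before writing it); wg-quick prints a warning when the config is world-readable. The PostUp/PostDown lines also hard-code `ens3` as the upstream interface; one sentence saying to substitute the server's real interface (e.g. from `ip route show default`) would spare readers a silently non-working MASQUERADE rule.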
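Review bot: in the @@ -98,7 hunk, `echo "<server private key>" | wg pubkey > wg0.pubkey` has the reader paste the private key onto the command line, where it ends up in shell history and is briefly visible in the process list. If the key was written to a file when it was generated earlier in the post, derive the public key from that file instead, e.g. `wg pubkey < wg0.key > wg0.pubkey`, and suggest the same pattern when generating client keys (`wg genkey | tee client.key | wg pubkey > client.pub`).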
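Review bot: in the @@ -106,7 hunk the ufw port fix (5182 -> 51820) is correct and now matches `ListenPort = 51820`. Two small things on the new systemd section: `systemctl enable --now wg-quick@wg0` does enable and start in one step, and this is the point where a reader first discovers that forwarding is not working, so if the earlier part of the post does not already enable `net.ipv4.ip_forward` (and `net.ipv6.conf.all.forwarding`, given the fd86: address on the interface), a pointer to that sysctl belongs here; the FORWARD and MASQUERADE rules in PostUp do nothing without it.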
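Review bot: in the @@ -114,10 hunk the client profile routes only IPv4 through the tunnel (`Address = 10.0.0.2/24`, `AllowedIPs = 0.0.0.0/0`) while the server interface also carries the ULA address `fd86:ea04:1115::1/64`; on a client with native IPv6 connectivity that traffic bypasses the VPN entirely. Either give the client an IPv6 address and add `::/0` to AllowedIPs (with a matching /128 in the server's [Peer] entry) or state that IPv6 is deliberately left outside the tunnel. Further points in the same hunk: the text says to append the peer to "the wg.conf file" but the server file is wg0.conf; `ListenPort` on a roaming client is unnecessary and can be dropped; `systemctl restart wg-quick@wg0` tears down every existing session to add one peer, whereas `wg set wg0 peer <client public key> allowed-ips 10.0.0.2/32` (alongside the config edit) adds it live; "each that you reboot" should be "each time you reboot"; in the phone section "such have a different IP" should be "should have" and "profile app" should be "profile file"; and because the QR code encodes the client's private key, please confirm that qrexample.png was generated from a throwaway profile and add a sentence telling readers not to screenshot or share their own.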