-rw-r--r-- content/weblog/2020-06-06_wireguard-vpn/index.md (renamed from content/weblog/2020-06-04_wireguard-vpn/index.md) 136
-rw-r--r-- content/weblog/2020-06-06_wireguard-vpn/qrexample.png bin 0 -> 8426 bytes
2 files changed, 126 insertions, 10 deletions
diff --git a/content/weblog/2020-06-04_wireguard-vpn/index.md b/content/weblog/2020-06-06_wireguard-vpn/index.md
index 5d68389..04dd969 100644
--- a/content/weblog/2020-06-04_wireguard-vpn/index.md
+++ b/content/weblog/2020-06-06_wireguard-vpn/index.md
@@ -1,13 +1,13 @@
+++
title = "Goodbye OpenVPN, hello Wireguard"
-date = 2020-06-05T13:00:00Z
+date = 2020-06-06T02:13:28Z
+++
-I have been using OpenVPN for quite some time for my internet privacy purposes.
-However, recently I decided to switch to Wireguard. I am going to layout the
+I had been using OpenVPN for quite some time for my internet privacy purposes.
+However, I recently decided to switch to Wireguard. I am going to layout the
reason why I chose to do it, and how I setup the Wireguard VPN for my purposes.
-I had been meaning to write about this for some time, unfortunately, I have been
-quite busy with finishing my last year of university.
+I had been meaning to write about this for some time. Unfortunately, I have been
+quite busy finishing my last year of university.
<!-- more -->
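Review bot: "layout" and "setup" are used as verbs in the retained lines of this hunk ("I am going to layout the reason", "how I setup the Wireguard VPN"); as verbs they are two words, so "lay out" and "set up". The tense fixes and the split sentence read well.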
@@ -32,7 +32,7 @@ happy with it. It really is better than OpenVPN. The main advantages that
Wireguard has over OpenVPN for me are the following:
* It is so much easier to setup. No need to mess around with certificates.
-* Adding new clients or peers is also much easier are straightforward.
+* Adding new clients or peers is also much easier and straightforward.
* Latency and speed are slightly better than OpenVPN, especially latency. It
might not be such a big difference, but I no longer feel the need to turn off
my VPN when videoconferencing.
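Review bot: the corrected bullet still pairs a comparative with a plain adjective ("much easier and straightforward"); "much easier and more straightforward" keeps the two parallel. The bullet above has the same verb issue as the intro: "easier to set up".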
@@ -87,7 +87,7 @@ Address = fd86:ea04:1115::1/64
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
ListenPort = 51820
-PrivateKey = <your private key here>
+PrivateKey = <server private key>
```
You should put the private key that you generated before in the wg0.conf file in
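Review bot: the renamed placeholder makes it clear that wg0.conf holds the server's private key, but the text around the block never says the file must therefore be readable only by root; a sentence recommending `chmod 600 /etc/wireguard/wg0.conf` after the block would close that gap (wg-quick also warns when the file is world accessible). Separately, PostUp/PostDown hard-code `ens3` as the outbound interface, so a short note that readers must substitute their own interface name would save confusion.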
@@ -98,7 +98,7 @@ saved in a file so that you can easily retrieve in the future when you need to
add new peers:
```sh
-echo "<your private key here>" | wg pubkey > wg0.pubkey
+echo "<server private key>" | wg pubkey > wg0.pubkey
```
If you already have setup a firewall on your server, don't forget to allow
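Review bot: passing the private key as an `echo` argument writes it to the shell history and exposes it in the process list while the pipeline runs. Since the text says the key is already saved in a file, derive the public key from that file instead, e.g. `wg pubkey < <key file> > wg0.pubkey`, or generate both at once with `wg genkey | tee <key file> | wg pubkey > wg0.pubkey`.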
@@ -106,7 +106,34 @@ connections on the port being used by Wireguard. For example, for ufw you would
run the following:
```sh
-ufw allow 5182/udp
+ufw allow 51820/udp
+```
+
+Now you can bring up your Wireguard tunnel by using this command:
+
+```sh
+wg-quick up wg0
+```
+
+You can make sure that it's running by entering:
+
+```sh
+wg show
+```
+
+However, if you want to bring up your Wireguard VPN tunnel every time your
+server restarts, you might prefer to manage your connection with systemd. First
+we have to bring down the tunnel we just brought up:
+
+```sh
+wg-quick down wg0
+```
+
+And now we can enable and start our respective systemd service:
+
+```sh
+systemctl enable wg-quick@wg0
+systemctl start wg-quick@wg0
```
### Client configuration
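Review bot: the port fix is correct (51820 now matches the `ListenPort` in the server config). Two smaller points on the new systemd section: `systemctl enable --now wg-quick@wg0` does the enable and start in one step, and the `wg-quick down wg0` step is only needed because the tunnel was brought up by hand just before; saying so lets readers who skip the manual test go straight to systemctl.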
@@ -114,10 +141,99 @@ ufw allow 5182/udp
The configuration for the client side of things is pretty similar to the server
side of things, since after all, to Wireguard there is no server or client.
+You can save your Wireguard profile in the same directory as in the server, i.e.
+`/etc/wireguard/`. However, I prefer to keep it inside my home directory (e.g.
+`~/docs/wireguard`), since I want to manage my VPN connection on my client
+machine by using NetworkManager. The client profile should look something like
+this:
+
+```
+[Interface]
+Address = 10.0.0.2/24
+PrivateKey = <client private key>
+ListenPort = 51820
+DNS = 1.1.1.1
+
+[Peer]
+PublicKey = <server public key>
+AllowedIPs = 0.0.0.0/0
+Endpoint = <server IP>:51820
+```
+
Back on the server, append an entry for your client device to the end of the
wg.conf file:
```
[Peer]
-PublicKey = <your public key here>
+PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32
+```
+
+Now you have to restart the service on the server, for example:
+
+```sh
+systemctl restart wg-quick@wg0
+```
+
+After that you can connect your client machine to the server using the Wireguard
+tunnel. You can use the `wg-quick up wg0` command, but as I mentioned before, I
+want to manage the VPN with NetworkManager. For that you'll first need to import
+the profile into NetworkManager:
+
+```sh
+nmcli connection import type wireguard file $PROFILE_LOCATION
+```
+
+After importing the profile you can bring up the tunnel by issuing the following
+command (note: the connection will be called "wg0" if the filename of your
+profile was "wg0.conf"):
+
+```sh
+nmcli connection up wg0
+```
+
+You can bring it down by issuing the following command:
+
+```sh
+nmcli connection down wg0
+```
+
+I should say that by default NetworkManager will connect to the VPN each that
+you reboot. If you want to change this or any other setting check `man nmcli`
+and `man nm-settings`.
+
+### Setting it up on your phone or other devices
+
+If you want to connect to your VPN server from other devices, you just have to
+basically make a new profile the same way you did in the previous section. Just
+keep in mind that you need to generate a new private/public key pair for each
+new profile, and that each peer (including your server) such have a different IP
+address assigned.
+
+If you have an Android phone, after making the profile for your phone and adding
+the appropriate entry in your server's config file, you can then copy that file
+to your phone and import it in the Wireguard app. Or even better, you can make
+a QR code of the profile file, and then import that file using the QR code
+function of the Wireguard app.
+
+To generate a QR code of the profile app you can use the command line program
+`qrencode`, like so:
+
+```sh
+qrencode -t ansiutf8 -r $PROFILE_LOCATION
+```
+
+After that a QR code should appear on your terminal window. It should look
+similar to this:
+
+![QR code example](qrexample.png)
+
+## Final words
+
+In this post I described how to setup a Wireguard VPN in which one of the peers
+works as the server, redirecting all internet traffic from all of the other
+peers through itself. While this is the configuration that most suits my needs,
+and probably also of most people that see a VPN as a privacy tool first and
+foremost, there are other possible configurations of Wireguard.
+
+You should take a look at the [official Wireguard site](https://www.wireguard.com).
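Review bot: the client's `AllowedIPs = 0.0.0.0/0` routes only IPv4 through the tunnel, while the server interface carries an IPv6 address (fd86:ea04:1115::1/64) and the post presents the VPN as a privacy tool; a client with native IPv6 will send its IPv6 traffic outside the tunnel unless `::/0` is added to AllowedIPs (with an IPv6 Address on the client and matching ip6tables rules on the server, since the PostUp/PostDown lines only cover iptables). The section should also state that the profile file and the QR code generated from it contain the client's private key and are to be handled as secrets. `ListenPort` in the client profile is unnecessary for a roaming peer and can be dropped. Typos: "each that you reboot" should be "each time that you reboot", "such have a different IP" should be "should have a different IP", "QR code of the profile app" should be "of the profile file", and the retained line "wg.conf file" should read "wg0.conf".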
diff --git a/content/weblog/2020-06-06_wireguard-vpn/qrexample.png b/content/weblog/2020-06-06_wireguard-vpn/qrexample.png
new file mode 100644
index 0000000..9d3cfa9
--- /dev/null
+++ b/content/weblog/2020-06-06_wireguard-vpn/qrexample.png
Binary files differ