path: root/content/weblog/2020-06-04_wireguard-vpn/index.md
blob: 5d6838958564b7ea59f9cd19f9a334c75c708d4a (plain)
+++
title = "Goodbye OpenVPN, hello Wireguard"
date = 2020-06-05T13:00:00Z
+++

I have been using OpenVPN for quite some time for my internet privacy purposes.
However, recently I decided to switch to Wireguard. I am going to lay out the
reasons why I chose to do it, and how I set up the Wireguard VPN for my purposes.
I had been meaning to write about this for some time; unfortunately, I have been
quite busy with finishing my last year of university.

<!-- more -->

I had heard about this new VPN thing-y called Wireguard last year and how it is
supposed to be so much better than other VPN technologies such as IPsec and
OpenVPN. It sounded nice to me and all, but it still wasn't considered stable
back then, and I really didn't feel like switching when I had a setup that "just
works™".

But then, something happened. My then hosting provider decided to cancel their
VPS hosting plans, so I had to migrate everything that I had on my VPS to a new
hosting provider, which included this site and my VPN. Also by this time, the
stable release of Wireguard had been released, and the kernel module added to
upstream. When I was in the process of migrating to my new VPS, I actually
started to set up OpenVPN first, but some things had changed since the last time
I had set up OpenVPN, and I didn't really want to deal with OpenVPN at this
point. That's when I remembered about Wireguard. Good timing, if I do say so
myself.

I have been using Wireguard for over a month now, and I have to say, I am really
happy with it. It really is better than OpenVPN. The main advantages that
Wireguard has over OpenVPN for me are the following:

* It is so much easier to set up. No need to mess around with certificates.
* Adding new clients or peers is also much easier and more straightforward.
* Latency and speed are slightly better than OpenVPN, especially latency. It
  might not be such a big difference, but I no longer feel the need to turn off
  my VPN when videoconferencing.
* It brings up the network interface(s) much faster than OpenVPN.
* It consumes less resources.
* I had to disconnect and manually reconnect OpenVPN every time I resumed my
  computer from sleep or when I changed networks. With Wireguard, not anymore.
  It has a built-in roaming feature, so it doesn't matter if I suspend my
  computer, after waking up it "keeps" the connection for me, the same when I,
  for example, disconnect from WiFi and connect to ethernet, etc.

If these advantages haven't convinced you yet, I don't know what will.

## Setup instructions

There are some things worth keeping in mind while setting up Wireguard.
One of them is that unlike other VPN protocols, like OpenVPN, there is no server
and client per se. There are just peers. Of course, that doesn't mean that you
cannot use Wireguard like you would use OpenVPN, quite the contrary. It just
means there is more flexibility and that you need to configure the peer that
you're going to use as a server, such that it tunnels all the internet traffic
it receives from the other peers and reroutes it.

Before setting up Wireguard, you'll need to install it on each peer. Check out
this link on how to install Wireguard on your system:
[https://www.wireguard.com/install/](https://www.wireguard.com/install/)

### Server configuration

Before setting up Wireguard, you might want to set up a firewall such as `ufw`.
After installing Wireguard and setting up your firewall, it's time to create a
new profile for your connection.

First, as root, change to the `/etc/wireguard/` directory.

You'll need to create a private key, and from that private key derive the
public key, which your clients will need.

Generating a private key is as simple as this:

```sh
wg genkey
```

Then you'll need to create the profile; for that, create the file wg0.conf with
the following contents:

```
[Interface]
Address = 10.0.0.1/24
Address = fd86:ea04:1115::1/64
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
ListenPort = 51820
PrivateKey = <your private key here>
```

You should put the private key that you generated before in the wg0.conf file in
the "PrivateKey" field.

Now is a good time to get the public key. It would be convenient to have it
saved in a file so that you can easily retrieve it in the future when you need
to add new peers:

```sh
echo "<your private key here>" | wg pubkey > wg0.pubkey
```

If you have already set up a firewall on your server, don't forget to allow
connections on the port being used by Wireguard. For example, for ufw you would
run the following:

```sh
# must match the ListenPort in wg0.conf (51820 above)
ufw allow 51820/udp
```
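As an added example (not from the post), a small Python checker for the wg0.conf layout described above: it parses the `[Interface]` and `[Peer]` sections while keeping repeated keys such as `Address` as lists, and flags a placeholder left in a key field, a `ListenPort` the firewall does not allow (the kind of port typo that leaves the tunnel unreachable), and a peer `AllowedIPs` that does not lie inside a tunnel subnet. The sample config and the key-format rule are constructed here; the set of firewall-allowed UDP ports is assumed to be supplied by the reader.

```python
import ipaddress
import re
# Constructed sample modelled on the post's wg0.conf; the keys are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.1/24
Address = fd86:ea04:1115::1/64
ListenPort = 51820
PrivateKey = <your private key here>
[Peer]
PublicKey = <client public key here>
AllowedIPs = 10.0.0.2/32
"""
# A 32-byte key in base64 is 43 symbols plus "="; the 43rd symbol must have its
# two low bits zero, hence the restricted final character class.
WG_KEY = re.compile(r"[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=")

def parse_wg_conf(text):
    """Return (interface, peers); values are lists because keys like Address repeat."""
    interface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line:  # Address and AllowedIPs may also be comma-separated
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).extend(v.strip() for v in value.split(","))
    return interface, peers

def bad_keys(section, field):  # True if any value of the field is not a well-formed key
    return not all(WG_KEY.fullmatch(k) for k in section.get(field, [""]))

def check_conf(text, firewall_udp_ports):
    """Flag placeholder keys, a ListenPort the firewall blocks, and stray AllowedIPs."""
    interface, peers = parse_wg_conf(text)
    problems = []
    if bad_keys(interface, "PrivateKey"):
        problems.append("Interface PrivateKey is not a valid key (placeholder left in?)")
    port = int(interface.get("ListenPort", ["0"])[0])
    if port not in firewall_udp_ports:
        problems.append(f"ListenPort {port}/udp is not allowed by the firewall")
    subnets = [ipaddress.ip_network(a, strict=False) for a in interface.get("Address", [])]
    for n, peer in enumerate(peers, 1):
        if bad_keys(peer, "PublicKey"):
            problems.append(f"Peer {n}: PublicKey is not a valid key")
        for cidr in peer.get("AllowedIPs", []):  # must lie inside a tunnel subnet
            net = ipaddress.ip_network(cidr, strict=False)
            if not any(net.version == s.version and net.subnet_of(s) for s in subnets):
                problems.append(f"Peer {n}: AllowedIPs {cidr} is outside the tunnel subnets")
    return problems
```

Run `check_conf(open("/etc/wireguard/wg0.conf").read(), {51820})` as root to check a real file; an empty list means nothing was flagged.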

### Client configuration

The configuration for the client side of things is pretty similar to the server
side of things, since after all, to Wireguard there is no server or client.

Back on the server, append an entry for your client device to the end of the
wg0.conf file:

```
[Peer]
PublicKey = <your public key here>
AllowedIPs = 10.0.0.2/32