aboutsummaryrefslogtreecommitdiff
path: root/content/weblog/2020-06-06_wireguard-vpn/index.md
blob: 08203d95fc9c2a66b18cbdbeabf066a0f939498f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
+++
title = "Goodbye OpenVPN, hello Wireguard"
date = 2020-06-06T02:13:28Z
updated = 2021-03-28T21:23:16Z
+++

I had been using OpenVPN for quite some time for my internet privacy purposes.
However, I recently decided to switch to Wireguard. I am going to layout the
reason why I chose to do it, and how I setup the Wireguard VPN for my purposes.
I had been meaning to write about this for some time. Unfortunately, I have been
quite busy finishing my last year of university.

<!-- more -->

I had heard about this new VPN thing-y called Wireguard last year and how it is
supposed to be so much better than other VPN technologies such as IPsec and
OpenVPN. It sounded nice to me and all, but it still wasn't considered stable
back then, and I really didn't feel like switching when I had a setup that "just
works™".

But then, something happened. My then hosting provider decided to cancel their
VPS hosting plans, so I had to migrate everything that I had on my VPS to a new
hosting provider, which included this site and my VPN. Also by this time, the
stable release of Wireguard had been release, and the kernel module added to
upstream. When I was in the process of migrating to my new VPS, I actually
started to setup OpenVPN first, but some things had changed since the last time
I had setup OpenVPN, and I didn't really want to deal with OpenVPN at this
point. That's when I remembered about Wireguard. Good timing, if I do say so
myself.

I have been using Wireguard for over a month now, and I have to say, I am really
happy with it. It really is better than OpenVPN. The main advantages that
Wireguard has over OpenVPN for me are the following:

* It is so much easier to setup. No need to mess around with certificates.
* Adding new clients or peers is also much easier and straightforward.
* Latency and speed are slightly better than OpenVPN, especially latency. It
  might not be such a big difference, but I no longer feel the need to turn off
  my VPN when videoconferencing.
* It brings up the network interface(s) much faster than OpenVPN.
* It consumes less resources.
* I had to disconnect and manually reconnect OpenVPN every time I resumed my
  computer from sleep or when I changed networks. With Wireguard, not anymore.
  It has a built-in roaming feature, so it doesn't matter if I suspend my
  computer, after waking up it "keeps" the connection for me, the same when I,
  for example, disconnect from WiFi and connect to ethernet, etc.

If these advantages haven't convinced you yet, I don't know what will.

## Set up instructions

There are some things that are worth keeping in mind while setting up Wireguard.
One of them is that unlike other VPN protocols, like OpenVPN, there is no server
and client per se. There are just peers. Of course, that doesn't mean that you
cannot use Wireguard like you would use OpenVPN, quite the contrary. It just
means there is more flexibility and that you need to configure the peer that
you're going to use as a server, such that it tunnels all the internet traffic
it receives from the other peers and reroutes it.

Before setting up Wireguard, you'll need to install it on each peer. Check out
this link on how to install Wireguard on your system:
[https://www.wireguard.com/install/](https://www.wireguard.com/install/)

### Server configuration

Before setting up Wireguard, you might want to setup a firewall such as `ufw`.
After installing Wireguard and setting up your firewall, it's time to create a
new profile for your connection.

First, as root, change to the `/etc/wireguard/` directory.

You'll need to create a private key, and from that private key you should get
the public key for your clients.

Generating a private key is as simple as this:

```sh
wg genkey
```

Then you'll need to create the profile, for that create file wg0.conf with the
following contents:

```
[Interface]
Address = 10.0.0.1/24
Address = fd86:ea04:1115::1/64
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
ListenPort = 51820
PrivateKey = <server private key>
```

You should put the private key that you generated before in the wg0.conf file in
the "PrivateKey" field.

Now is a good time to get the public key. It would be convenient to have it
saved in a file so that you can easily retrieve in the future when you need to
add new peers:

```sh
echo "<server private key>" | wg pubkey > wg0.pubkey
```

If you already have setup a firewall on your server, don't forget to allow
connections on the port being used by Wireguard. For example, for ufw you would
run the following:

```sh
ufw allow 51820/udp
```

Now you can bring up your Wireguard tunnel by using this command:

```sh
wg-quick up wg0
```

You can make sure that it's running by entering:

```sh
wg show
```

However, if you want to bring up your Wireguard VPN tunnel every time your
server restarts, you might prefer to manage your connection with systemd. First
we have to bring down the tunnel we just brought up:

```sh
wg-quick down wg0
```

And now we can enable and start our respective systemd service:

```sh
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
```

Since in this configuration we want to be able to forward all of the peers'
traffic through the VPS, we need to enable packet forwarding in the kernel by
adding or uncommenting the following lines to `/etc/sysctl.conf`, or creating a
new file in `/etc/sysctl.d/` with these lines:

```
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
```

After adding them, to immediately load the config we run

```sh
sysctl --system
```

### Client configuration

The configuration for the client side of things is pretty similar to the server
side of things, since after all, to Wireguard there is no server or client.

You can save your Wireguard profile in the same directory as in the server, i.e.
`/etc/wireguard/`. However, I prefer to keep it inside my home directory (e.g.
`~/docs/wireguard`), since I want to manage my VPN connection on my client
machine by using NetworkManager. The client profile should look something like
this:

```
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client private key>
ListenPort = 51820
DNS = 1.1.1.1

[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server IP>:51820
```

Back on the server, append an entry for your client device to the end of the
wg.conf file:

```
[Peer]
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32
```

Now you have to restart the service on the server, for example:

```sh
systemctl restart wg-quick@wg0
```

After that you can connect your client machine to the server using the Wireguard
tunnel. You can use the `wg-quick up wg0` command, but as I mentioned before, I
want to manage the VPN with NetworkManager. For that you'll first need to import
the profile into NetworkManager:

```sh
nmcli connection import type wireguard file $PROFILE_LOCATION
```

After importing the profile you can bring up the tunnel by issuing the following
command (note: the connection will be called "wg0" if the filename of your
profile was "wg0.conf"):

```sh
nmcli connection up wg0
```

You can bring it down by issuing the following command:

```sh
nmcli connection down wg0
```

I should say that by default NetworkManager will connect to the VPN each that
you reboot. If you want to change this or any other setting check `man nmcli`
and `man nm-settings`.

### Setting it up on your phone or other devices

If you want to connect to your VPN server from other devices, you just have to
basically make a new profile the same way you did in the previous section. Just
keep in mind that you need to generate a new private/public key pair for each
new profile, and that each peer (including your server) such have a different IP
address assigned.

If you have an Android phone, after making the profile for your phone and adding
the appropriate entry in your server's config file, you can then copy that file
to your phone and import it in the Wireguard app. Or even better, you can make
a QR code of the profile file, and then import that file using the QR code
function of the Wireguard app.

To generate a QR code of the profile app you can use the command line program
`qrencode`, like so:

```sh
qrencode -t ansiutf8 -r $PROFILE_LOCATION
```

After that a QR code should appear on your terminal window. It should look
similar to this:

![QR code example](qrexample.png)

## Final words

In this post I described how to setup a Wireguard VPN in which one of the peers
works as the server, redirecting all internet traffic from all of the other
peers through itself. While this is the configuration that most suits my needs,
and probably also of most people that see a VPN as a privacy tool first and
foremost, there are other possible configurations of Wireguard.

You should take a look at the [official Wireguard site](https://www.wireguard.com).