
Host your VPN

WireGuard

Looking for lightweight privacy on the go? Then consider hosting your own WireGuard VPN.

There are basically two ways to set up WireGuard on your server.

First method: use this script. It does everything quickly with little effort and hands you ready-made client configs.

Second method: do everything by hand, which is what the rest of this post walks through.

As an example, we'll use the virtual network 172.16.0.0/24 for the tunnel, but any private IP range will do, as long as it does not collide with the networks your clients actually sit on (a client on a 172.16.0.0/24 LAN would lose its local network).

On the Server

I will be using Debian as the example, because that is what my server runs: it is easy to maintain, packages are easy to install, it is secure enough, and updates arrive fast enough.

apt install wireguard

Enable IPv4 forwarding, since the server has to route the clients' packets on to the Internet, by adding or uncommenting the following line in /etc/sysctl.d/99-sysctl.conf:

net.ipv4.ip_forward=1

Then run the following to apply the change immediately (afterwards, sysctl net.ipv4.ip_forward should print 1):

sysctl -w net.ipv4.ip_forward=1

On the Client

Install the WireGuard management tools; on Arch the package is wireguard-tools, for Debian see above.

Create a private and public key pair for your machine (the umask makes the private key readable only by root):

sudo bash -c "umask 077 ; wg genkey > /etc/wireguard/client_priv.key"

sudo bash -c "wg pubkey < /etc/wireguard/client_priv.key > /etc/wireguard/client_pub.key"

On the Server

Generate a key pair for the server as well (as root):

umask 077 ; wg genkey > /etc/wireguard/server_priv.key

wg pubkey < /etc/wireguard/server_priv.key > /etc/wireguard/server_pub.key

Then create the WireGuard config file /etc/wireguard/wg0.conf. It holds the server's private key, so keep it root-only (mode 600; the umask 077 from the previous step takes care of that if you create it in the same shell):

[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = (server's private key goes here)
# Firewall rules: let traffic flow to and from the tunnel and NAT it out through
# the server's Internet-facing interface. Replace eth0 with that interface's real
# name (ip route get 1.1.1.1 shows it).
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client #1 details
PublicKey = (client's public key goes here)
# Traffic to route to this client: only its own tunnel address. Each client
# gets its own [Peer] block with its own key and /32.
AllowedIPs = 172.16.0.2/32

Then enable the interface and start it right away with the following command. The PostUp rules call iptables, so make sure it is installed (apt install iptables; on current Debian this is the nftables-backed variant, which works fine here):

systemctl enable --now wg-quick@wg0.service

On the Client

Create the client's WireGuard configuration file at /etc/wireguard/myvpn.conf (again root-only, since it holds the client's private key):

[Interface]
Address = 172.16.0.2/24
PrivateKey = (client's private key goes here)
# Set to your desired DNS server (wg-quick applies it through resolvconf).
# With AllowedIPs = 0.0.0.0/0 below, DNS queries go through the tunnel as well,
# so a resolver on your local LAN (e.g. the home router) becomes unreachable;
# use a public resolver or one the server can reach.
DNS = 9.9.9.9

[Peer]
PublicKey = (server's public key goes here)
# Endpoint (server) can be a domain name or IP address
Endpoint = (server's IP address goes here):51820
# Traffic to route to the server: everything. ::/0 is included so IPv6 traffic
# cannot bypass the tunnel; the tunnel carries no IPv6 here, so that traffic
# simply stops instead of leaking.
AllowedIPs = 0.0.0.0/0, ::/0

Then bring the tunnel up and test it:

sudo wg-quick up myvpn

Running sudo wg afterwards should show the server peer with a recent "latest handshake". If it never does, the usual culprits are a public key pasted into the wrong file, UDP port 51820 blocked on the server, or a wrong Endpoint.
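Once the first client works, every further client is the same routine: generate a key pair, pick an unused tunnel address, append a [Peer] block on the server, write a client config. Doing that by hand is where mistakes creep in (reused addresses, keys pasted into the wrong file), so here is a script that automates it. This is an added example, not code from the original post: it reads the existing wg0.conf to find the next free /32, generates the client keys with wg, appends the [Peer] stanza, writes the client config root-only and hot-adds the peer with wg set so the interface does not have to restart. The config paths, the clients/ directory, vpn.example.org:51820 as the endpoint and 9.9.9.9 as the resolver are assumptions (override them through the environment variables at the top); run with no arguments it only does a dry run on a constructed sample server config and needs neither wg nor root.

```shell
#!/usr/bin/env bash
# add-wg-peer.sh: add one more client to the WireGuard server from this post.
# Added example, not part of the original post. Assumptions (change to taste):
#   - the server config is /etc/wireguard/wg0.conf and uses 172.16.0.0/24,
#   - client configs are written to /etc/wireguard/clients/<name>.conf,
#   - vpn.example.org:51820 is a placeholder for the real Endpoint.
# On the server, run as root:  ./add-wg-peer.sh add phone
# With no arguments it dry-runs on a constructed sample config (no wg, no root).
set -eu

WG_IFACE="${WG_IFACE:-wg0}"
WG_CONF="${WG_CONF:-/etc/wireguard/${WG_IFACE}.conf}"
CLIENT_DIR="${CLIENT_DIR:-/etc/wireguard/clients}"
TUNNEL_PREFIX="172.16.0"                                    # first three octets of the tunnel
SERVER_ENDPOINT="${SERVER_ENDPOINT:-vpn.example.org:51820}"  # assumed placeholder
CLIENT_DNS="${CLIENT_DNS:-9.9.9.9}"

# A WireGuard key is 32 random bytes in base64: 43 characters plus one '=' pad.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Next free /32 in the tunnel: read every peer's AllowedIPs in the server config,
# take the highest last octet and add one. .1 is the server, so clients start at .2.
next_peer_ip() {
    local conf="$1" prefix_re last
    prefix_re=$(printf '%s' "$TUNNEL_PREFIX" | sed 's/\./\\./g')
    last=$(grep -Eo "^AllowedIPs *= *${prefix_re}\.[0-9]+/32" "$conf" \
        | sed -E 's#.*\.([0-9]+)/32$#\1#' | sort -n | tail -n 1)
    last="${last:-1}"
    [ "$last" -lt 254 ] || { echo "tunnel network ${TUNNEL_PREFIX}.0/24 is full" >&2; return 1; }
    echo "${TUNNEL_PREFIX}.$((last + 1))"
}

# [Peer] stanza appended to the server config; the comment records who the key belongs to.
render_server_peer() {   # name pubkey ip
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Client config mirroring the one in the post, with DNS set so lookups do not try
# to reach a LAN resolver through the tunnel.
render_client_conf() {   # client_privkey server_pubkey ip
    cat <<EOF
[Interface]
Address = $3/24
PrivateKey = $1
DNS = ${CLIENT_DNS}

[Peer]
PublicKey = $2
Endpoint = ${SERVER_ENDPOINT}
AllowedIPs = 0.0.0.0/0, ::/0
# keeps the NAT mapping alive for clients behind home routers
PersistentKeepalive = 25
EOF
}

add_peer() {   # name
    local name="$1" priv pub server_pub ip
    [ -s "$WG_CONF" ] || { echo "no server config at $WG_CONF" >&2; return 1; }
    umask 077                      # both files hold private keys: root-only
    mkdir -p "$CLIENT_DIR"
    priv=$(wg genkey)
    pub=$(echo "$priv" | wg pubkey)
    is_wg_key "$pub" || { echo "unexpected key format from wg" >&2; return 1; }
    server_pub=$(sed -nE 's/^PrivateKey *= *//p' "$WG_CONF" | wg pubkey)
    ip=$(next_peer_ip "$WG_CONF")
    render_server_peer "$name" "$pub" "$ip" >>"$WG_CONF"
    render_client_conf "$priv" "$server_pub" "$ip" >"${CLIENT_DIR}/${name}.conf"
    # Apply to the running interface; the stanza appended above makes it survive a restart.
    wg set "$WG_IFACE" peer "$pub" allowed-ips "${ip}/32"
    echo "added ${name} as ${ip}; hand ${CLIENT_DIR}/${name}.conf to the client over a secure channel"
}

# Dry run on a constructed sample server config (placeholders instead of real keys):
# prints the config the next client would receive, without touching the system.
demo() {
    local tmp ip
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# laptop
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 172.16.0.2/32
EOF
    ip=$(next_peer_ip "$tmp")             # 172.16.0.3 for this sample
    render_client_conf CLIENT_PRIVATE_KEY_PLACEHOLDER SERVER_PUBLIC_KEY_PLACEHOLDER "$ip"
    rm -f "$tmp"
}

if [ "${1:-}" = "add" ] && [ -n "${2:-}" ]; then
    add_peer "$2"
else
    demo
fi
```

The address allocation only looks at AllowedIPs lines of the form 172.16.0.N/32, so if you hand-edit the server config keep that shape. Deleting a client is the reverse: remove its [Peer] block and run wg set wg0 peer <pubkey> remove.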


🌊⛰🔥