With the rise in privacy concerns over tech giants battling for our data, I thought it would be fitting to have a small talk about creating your own VPN server. I know there are countless other tutorials out there, but there is never enough attention on this subject.
WireGuard is the new kid, the much needed tool in the VPN world to bring everything to the next step. It is a small, fast and effective new VPN protocol that has taken the VPN world by storm since its early days. Very quickly it received great reviews for its performance, and it is now included in the new kernels for Linux and Android. I don't recall any other library being included in the kernel so quickly, so that says a lot, I guess.
WireGuard is much leaner and faster than other protocols, and this makes it the preferred choice for many. How much faster? You can read our WireGuard vs OpenVPN article to see a comparison of the two.
Not much at all: for as little as $5 you can get a good VPS that can host a VPN server which handles the traffic of your entire family without breaking a sweat. Creating a server used to be a challenge, but now you can do it in 2 minutes. I suggest having a look at DigitalOcean, Linode, Hetzner Cloud and others alike. Plenty of options.
Simply because we cannot trust anybody. Most VPN providers have to abide by the law, which in many cases requires that logs are kept and handed over to government institutions for analysis. We are trying to avoid being processed and analysed at every move, so sending our entire data stream to a VPN provider is nothing more than adding an extra hop in the same chain.
Having your own VPN server breaks this chain and puts a stop to the data leakage we experience with ISPs or VPN providers, and the process is simple. You can either let others create a secure VPN server for you or build it yourself following guides like this one.
First of all, WireGuard does not have the notion of "servers". Everything is a peer and peers are connected with one another. The config files consist of 2 parts: an [Interface] section, which holds the local settings, and one or more [Peer] sections, which define the remote connections.
I recommend Debian, the latest you can find with the selected provider. I will use Debian 10 (Buster) for this tutorial.
The first thing to do is to go ahead and add the WireGuard release channel to your sources list. The sources are like search channels for software and, without them, your operating system cannot find anything:
$ sudo sh -c "echo 'deb http://deb.debian.org/debian/ unstable main' >> /etc/apt/sources.list.d/unstable.list"
$ sudo sh -c "printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' >> /etc/apt/preferences.d/limit-unstable"
Now issue an apt update command to re-fetch the sources, and we should be able to install WireGuard with apt install wireguard.
Peers connect via IP addresses, but they have to authenticate before a connection can be established. Keys come in pairs (public and private) and each peer must know the other peers beforehand, which means writing the public key of every other peer into the config file.
With the install of WireGuard we now have access to the wg and wg-quick commands; wg is the one that creates our keys (the private key file is created with a restrictive umask so only the owner can read it):
$ (umask 077 && wg genkey > wg-private.key)
$ wg pubkey < wg-private.key > wg-public.key
If you run ls -la you will see the keys have been created. You can also run cat wg-private.key to view the contents of each file.
Now that we have the keys we are almost done setting up the server. We have to create the config file and bring up the VPN interface that will listen on the selected port.
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = server+private+key+here
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
The only thing you have to change here is the eth0 interface name. On some systems it may have a different name. To get yours you can execute this handy command:
route | grep '^default' | grep -o '[^ ]*$'
We have created the server config but haven't added any peers yet. That's because we need to generate the keys for the client first, so we can add them to our peer list. The server will listen on the private address 10.10.10.1. You may be wondering what the purpose of the public key is, because we haven't used it yet. It will be added to the client config in our next steps.
The PostUp and PostDown instructions are executed when the interface is brought up and taken down, respectively; they add and remove the firewall and NAT rules that let the server forward and masquerade the packets you exchange with it. IP forwarding must also be enabled in the server kernel, by editing the /etc/sysctl.conf file and adding the forwarding setting there.
We also need the client keys so we can add authenticated peers to the server. Repeat the key generation steps from the server, but this time on the local machine. If you're on Windows or macOS you can download the WireGuard GUI package and copy the keys from there.
Once you have the keys we can create the local configuration file (the [Peer] section needs the server's public key, the one generated earlier, or wg-quick will refuse to load it):
[Interface]
Address = 10.10.10.2/24
PrivateKey = client+private+key+here
DNS = 10.10.10.1

[Peer]
PublicKey = server+public+key+here
AllowedIPs = 0.0.0.0/0
Endpoint = server_ip_address:51820
Our client config is done. It has a local description ([Interface]), it will be allocated the 10.10.10.2 address, the next address after the server, and it also forwards DNS queries to the server. The [Peer] in this case is the server, identified by its public key, so before attempting a connection we also add a peer to the server that contains our public key; otherwise our connection will be refused.
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = server+private+key+here

[Peer]
PublicKey = client+public+key+here
AllowedIPs = 10.10.10.2/32
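As an added check that is not part of the original post, the following Python reads a server config and a client config written the way the two above are and reports the mistakes that most often make the final step fail: a [Peer] without a PublicKey (wg refuses to load it), a peer without AllowedIPs (nothing is routed to it), and a client address that no server [Peer] covers (cryptokey routing silently drops that client). The parser is hand-written because [Peer] repeats, which configparser does not allow; any configs you feed it are your own.

```python
import base64
import ipaddress

def parse_wg(text):
    """Parse a wg-quick config into an ordered list of (section, fields); [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def valid_key(b64):
    """A WireGuard key is base64 of exactly 32 bytes (44 characters, '=' padded)."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False

def check_config(text):
    """Problems wg-quick rejects outright (bad keys) or that silently break routing."""
    sections, problems = parse_wg(text), []
    iface = dict(sections).get("Interface", {})
    problems += [f"[Interface] is missing {f}" for f in ("PrivateKey", "Address") if f not in iface]
    for n, (name, peer) in enumerate(sections, 1):
        if name == "Peer" and not valid_key(peer.get("PublicKey", "")):
            problems.append(f"section {n} [Peer] needs a valid PublicKey; wg refuses a peer without one")
        if name == "Peer" and "AllowedIPs" not in peer:
            problems.append(f"section {n} [Peer] has no AllowedIPs, so nothing is routed to it")
    return problems

def check_pair(server_text, client_text):
    """Cross-check the server config against one client config the way the tutorial wires them."""
    problems = check_config(server_text) + check_config(client_text)
    server, client = parse_wg(server_text), parse_wg(client_text)
    c_if = dict(client).get("Interface", {})
    if "Address" not in c_if:
        return problems
    addr = ipaddress.ip_interface(c_if["Address"]).ip
    # Cryptokey routing: the server only accepts the client's source IP if some [Peer] lists it.
    if not any(addr in ipaddress.ip_network(cidr.strip(), strict=False)
               for name, peer in server if name == "Peer"
               for cidr in peer.get("AllowedIPs", "").split(",") if cidr.strip()):
        problems.append(f"server has no [Peer] whose AllowedIPs covers {addr}; it will drop that client")
    return problems
```

Run check_pair(open("wg0.conf").read(), open("client.conf").read()) on the two files; an empty list means the pair is consistent, while each string in the list names the section to fix.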
Time to bring up the server: wg-quick up wg0
To bring it up automatically after restart (at boot): systemctl enable wg-quick@wg0
With all peers defined and keys exchanged, it is now time to connect to our server. Remember that WireGuard is stateless, so the client will probably report a successful connection even when there is none. You should test your public IP address, check for DNS leaks and so on to verify the connection was actually made.