Access Internet via private VPN using altuntun

This guide will walk you through establishing a secure WireGuard tunnel using altunTun between two Linux computers, where one acts as a server providing internet access to the client through the VPN connection.

Overview

altunTun is based on Cloudflare's userspace WireGuard implementation written in Rust (altunTun(. Unlike kernel-based WireGuard, altunTun runs entirely in userspace, making it useful for environments where kernel modules cannot be loaded or for testing purposes.

Prerequisites

• Two Linux computers with network connectivity
• Rust and Cargo installed (for building altunTun)
• Root or sudo access on both machines
• WireGuard tools installed
• Install and compile altuntun from github

Step 1: Generate Key Pairs

On both computers, generate WireGuard key pairs:

wg genkey | tee privatekey | wg pubkey > publickey

This creates two files:

• privatekey: Your private key (keep this secure)
• publickey: Your public key (share with the peer)

Step 2: Create the Tunnel Interface

On both machines, create the tunnel interface using altunTun. The interface name can be customized (here we use cg33):

sudo ./target/release/altuntun-cli cg33

Note: This tunnel will not survive a reboot. For persistent tunnels, you'll need to create systemd services or startup scripts.

Step 3: Configure IP Addresses

Assign IP addresses to each end of the tunnel. Use a private subnet like 10.0.0.0/24:

Server (Icarus22):

sudo ip addr add 10.0.0.1/24 dev cg33

Client (Icarus23):

sudo ip addr add 10.0.0.2/24 dev cg33

Step 4: Associate Private Keys

On both machines, associate the private key with the tunnel device:

sudo wg set cg33 private-key privatekey

Step 5: Bring Up the Interface

Activate the tunnel interface on both machines:

sudo ip link set cg33 up

Step 6: Check Configuration

Verify the tunnel configuration and note the listening ports:

sudo wg

This displays the current WireGuard configuration, including the listening port that will be used for the connection.

Step 7: Exchange Public Keys

Display the public key on each machine:

cat publickey

You'll need to exchange these public keys between the two machines.

Step 8: Configure Peers

Set up the peer configuration on each machine. Replace the placeholder values with actual public keys and IP addresses:

Server (Icarus22):

sudo wg set cg33 peer ICARUS23_PUBLIC_KEY allowed-ips 10.0.0.2/32 endpoint CLIENT_PUBLIC_IP:PORT

Client (Icarus23):

sudo wg set cg33 peer ICARUS22_PUBLIC_KEY allowed-ips 0.0.0.0/0 endpoint SERVER_PUBLIC_IP:PORT

Note the key difference: the client uses allowed-ips 0.0.0.0/0 to route all traffic through the VPN.

Step 9: Enable Internet Access Through the Server

To allow the client to access the internet through the server, additional configuration is needed on the server side.

Enable IP Forwarding

On the server, enable IP forwarding:

sudo sysctl -w net.ipv4.ip_forward=1

To make this permanent, add the following line to /etc/sysctl.conf:

net.ipv4.ip_forward=1

Configure NAT (Network Address Translation)

Set up NAT rules to allow traffic from the VPN to access the internet. Replace eth0 with your server's internet-facing interface:

sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i cg33 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o cg33 -m state --state RELATED,ESTABLISHED -j ACCEPT

Configure DNS (Optional)

On the client, you may want to configure DNS servers that will work through the VPN:

echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf

Step 10: Test the Connection

Test VPN Connectivity

From the client, ping the server through the VPN:

ping 10.0.0.1

Test Internet Access

From the client, test internet connectivity through the VPN:

curl -4 icanhazip.com

This should return the server's public IP address, confirming that internet traffic is being routed through the VPN.

Troubleshooting

Common Issues

1. Connection timeouts: Verify that firewall rules allow UDP traffic on the WireGuard ports
2. No internet access: Check that IP forwarding is enabled and NAT rules are correctly configured
3. Interface creation fails: Ensure altunTun has the necessary capabilities: sudo setcap cap_net_admin+epi $(which altuntun-cli)

Firewall Configuration

If using UFW, allow the WireGuard port:

sudo ufw allow PORT/udp

Monitoring

Monitor the tunnel status:

sudo wg show

Check altunTun logs:

tail -f /tmp/altuntun.out

Making the Configuration Persistent

To make the VPN configuration survive reboots, consider creating systemd services or adding the commands to startup scripts. You can also use wg-quick with configuration files for easier management.

Security Considerations

• Keep private keys secure and never share them
• Use strong, randomly generated keys
• Consider implementing additional firewall rules to restrict access
• Regularly update altunTun and system packages
• Monitor VPN usage and logs for suspicious activity

This setup provides a secure tunnel where the client can access the internet through the server, with all traffic encrypted using WireGuard's robust cryptography.