Setting up your own Wireguard VPN for added online privacy

Why use a VPN?

VPNs are a useful tool for keeping your online browsing more private. Using a VPN is a good way to protect your browsing from your ISP spying on what you’re looking at or downloading, and to keep your data private on public wifi networks, like at the coffee shop, where anyone could be snooping. In the ethos of self-hosting, DIY, and FOSS, we will be hosting our own VPN to have full control over our data, and to learn how to use a free software VPN app.

There is one caveat: while a VPN may keep you more private, it will not make you anonymous. There is a very important difference between anonymity and privacy, so don’t mistake one for the other.

Privacy means that the content you’re viewing, the sites you’re visiting, or the files you’re downloading are confidential, although your identity and/or location may or may not be known. Anonymity, on the other hand, means that your identity and location are unknown, and will most likely also include the benefits of privacy described above.

In this tutorial we’ll set up a Wireguard VPN. Wireguard is a newer VPN protocol which is simple to get up and running and uses state-of-the-art cryptography. It is far easier to set up than OpenVPN or IPsec, and it is faster as well. We’ll set up the VPN server and also link it to our laptop and mobile.

Getting started with Wireguard

To set it up, we need either an old laptop, a server, or a VPS running Ubuntu. My VPS is running Ubuntu 20.04.2 LTS server edition. I won’t go over how to install Ubuntu; there’s plenty of info out there written better than I could do it. Here’s a great tutorial.

You’ll use this computer, server or VPS to host your VPN. I’m using a VPS, which also has my Nextcloud instance on it. It costs anywhere from around $3-10/month, depending on your hosting provider, which is about what I’d pay a paid VPN service provider anyway.

This way I get the added bonus of keeping my data private, and an almost free Nextcloud instance to keep my personal documents, pictures, and calendar data private as well. Nextcloud is like a FOSS version of Google Drive which you host yourself. I’ll show you how to set it up on your VPN server in a future post.

Once you’ve installed Ubuntu server edition, you’ll need to SSH into your server and install Wireguard:

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update 
sudo apt-get install wireguard
# Then add the wireguard kernel module with modprobe
sudo modprobe wireguard

You can verify that all is well with grep:

lsmod | grep wireguard

If everything is successful, you’ll see some output like this:

wireguard              94208  0
curve25519_x86_64      36864  1 wireguard
libchacha20poly1305    16384  1 wireguard
libblake2s             16384  1 wireguard
libcurve25519_generic    49152  2 curve25519_x86_64,wireguard
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             20480  1 wireguard

Now that Wireguard is installed, we’ll need to generate public and private keys for our VPN server:

# /etc/wireguard is only readable by root, so write the key files there with sudo tee;
# umask 077 makes sure the new files are readable by their owner only
umask 077
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

This will output your public key which will look something like this:

d5gEplwyzad6WgXNq/BJuuDNN4TgsRwNRXL+6i/G3TE=

Your private and public keys are now in your /etc/wireguard directory. To see your private key:

$ sudo cat /etc/wireguard/privatekey
# again it should output something like this
8HQqxGKoRNSfBndA33uz/tmzkrJCs54mAJl3JVmMeV0=

Now that you have your keys, we can create the config file. With a text editor, create a file called:

/etc/wireguard/wg0.conf

and add the following to your /etc/wireguard/wg0.conf file:

[Interface]
PrivateKey = <your server private key here>
Address = 10.10.0.1/24
Address = fd86:ea04:1111::1/64
SaveConfig = true
# ens3 is this server's outbound (internet-facing) interface; check yours with: ip route show default
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
ListenPort = 51820

Make sure you set the correct permissions so nobody can mess with your config file:

sudo chmod 600 /etc/wireguard/wg0.conf

Now we need to enable IP forwarding, so the server can route your traffic from the tunnel out to the internet. Edit your server’s /etc/sysctl.conf file and add the following (or append it from the shell as shown here):

sudo tee -a /etc/sysctl.conf << EOF
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
EOF
sudo sysctl -p
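As an added example (not part of the original post), here is a small POSIX shell script that builds the server’s wg0.conf from the key you generated above, detecting the outbound interface from the routing table instead of hardcoding ens3, and checking that the key file actually holds a WireGuard key before writing it into the config. The function names, the key-format check and the route line in the comments are my own; the addresses and port are the ones used in this post.

```shell
#!/bin/sh
# Added example: render /etc/wireguard/wg0.conf for the server.
# Assumes the post's addressing (10.10.0.1/24, fd86:ea04:1111::1/64) and port 51820.

# A WireGuard key is 32 random bytes, base64-encoded: 43 characters plus one '='.
# Anything else (an empty file, a stray newline, a pasted comment) is rejected.
valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Read `ip -4 route` output on stdin and print the device of the default route,
# which is the interface MASQUERADE has to use. Prints nothing if there is none.
wan_iface_from_routes() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print the [Interface] section: $1 = server private key, $2 = outbound
# interface, $3 = listen port.
render_server_conf() {
    key=$1; wan=$2; port=$3
    printf '[Interface]\n'
    printf 'PrivateKey = %s\n' "$key"
    printf 'Address = 10.10.0.1/24\n'
    printf 'Address = fd86:ea04:1111::1/64\n'
    printf 'SaveConfig = true\n'
    printf 'PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$wan" "$wan"
    printf 'PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$wan" "$wan"
    printf 'ListenPort = %s\n' "$port"
}

# Usage on the server, as root. umask 077 makes the new file mode 600 directly,
# so there is no window where the private key is world-readable:
#   umask 077
#   wan=$(ip -4 route | wan_iface_from_routes)
#   key=$(cat /etc/wireguard/privatekey)
#   valid_wg_key "$key" || { echo "privatekey is not a valid WireGuard key" >&2; exit 1; }
#   [ -n "$wan" ] || { echo "no default route found" >&2; exit 1; }
#   render_server_conf "$key" "$wan" 51820 > /etc/wireguard/wg0.conf
```

The two checks are the ones that most often bite on a fresh VPS: a config written with the wrong interface name comes up fine but forwards nothing, and a key file containing anything but a bare key makes wg-quick refuse to start.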

Now let’s start the interface for our tunnel:

$ sudo wg-quick up wg0

You can check and make sure that it worked by typing from your server’s command line :

$ sudo wg

It should output something similar to this:

interface: wg0
  public key: d5gEplwyzad6WgXNq/BJuuDNN4TgsRwNRXL+6i/G3TE=  
  private key: (hidden)
  listening port: 51820

To add a client device as a peer, you’ll need to install the wireguard package on your client device, and then follow the same steps as above to generate public and private keys on your client device:

umask 077
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

Follow the same steps as above to see your private key:

$ sudo cat /etc/wireguard/privatekey

Next, use your text editor to create a /etc/wireguard/wg0.conf file on your client device and add the following to it:

[Interface]
Address = 10.10.0.2/32
Address = fd86:ea04:1111::2/128
SaveConfig = true
PrivateKey = <your client private key here>
DNS = 1.1.1.1

[Peer]
PublicKey = <your server public key here>
Endpoint = <your server public ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0

Make sure you set the correct permissions so nobody can mess with your config file:

sudo chmod 600 /etc/wireguard/wg0.conf

Now, SSH back into your server and add your client device’s public key to your Wireguard server:

root# wg set wg0 peer J5xdcKkYjddw0fyIUm17JtosGsqwsh5VRrWEsu/S4BQ= allowed-ips 10.10.0.2/32,fd86:ea04:1111::2/128

Once your client’s public key has been added to your server, start the VPN tunnel from your client device:

$ sudo wg-quick up wg0

If all is well, you’ll get an output like this:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.0.7/32 dev wg0
[#] ip -6 address add fd86:ea04:1111::2/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

Now check your public IP address; it should be the IP address of your VPN server, not your home IP. If it did not work, you may need to install the openresolv package on your client device (wg-quick calls resolvconf to apply the DNS setting, as the output above shows), or open UDP port 51820 in the firewall on the client device and the server:

sudo ufw allow 51820/udp
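A public-IP lookup tells you traffic is leaving through the server, but not why it isn’t when it fails. As an added example (not part of the original post), this POSIX shell snippet reads `wg show wg0 latest-handshakes`, which prints one line per peer with its public key and the Unix time of the last completed handshake (0 if there has never been one), and classifies each peer. WireGuard re-handshakes every couple of minutes while traffic flows, so a handshake older than about three minutes, or none at all, points at the usual suspects: the UDP port blocked, a wrong key pasted on one side, or AllowedIPs not covering the traffic. The function names and the threshold are my own; the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example: is the tunnel actually alive? Works on either end of the tunnel.

# A handshake older than this many seconds is treated as stale (WireGuard
# rekeys after 120 s of activity, so 180 s gives one missed cycle of slack).
MAX_AGE=180

# $1 = current Unix time; `wg show wg0 latest-handshakes` lines on stdin.
# Prints "<peer public key> up|stale|never", one line per peer.
peer_states() {
    now=$1
    awk -v now="$now" -v max="$MAX_AGE" '
        NF >= 2 {
            if ($2 == 0)              state = "never"
            else if (now - $2 <= max) state = "up"
            else                      state = "stale"
            print $1, state
        }'
}

# Succeeds (exit 0) if at least one peer has a fresh handshake. $1 = current Unix time.
tunnel_up() {
    peer_states "$1" | grep -q ' up$'
}

# Usage (needs root to query the interface):
#   sudo wg show wg0 latest-handshakes | peer_states "$(date +%s)"
#   if sudo wg show wg0 latest-handshakes | tunnel_up "$(date +%s)"; then
#       echo "tunnel up"
#   else
#       echo "no recent handshake: check UDP 51820, the pasted keys and AllowedIPs" >&2
#   fi
```

On the server this doubles as a quick inventory of which clients are currently connected, since every peer that has been added with wg set appears in the list whether or not it has ever handshaked.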

To make the Wireguard VPN tunnel automatically start when your computer boots up, type the following command on your client device:

sudo systemctl enable wg-quick@wg0

Now, to connect our phone or tablet to our brand new Wireguard VPN, we’ll need to generate a QR code. We can do that with a tool called qrencode. Install it on your VPN server by typing:

sudo apt install qrencode

Generate the public and private keys for your mobile client with the following command:

sudo mkdir -p /etc/wireguard/clients
# as before, umask 077 keeps the new key file readable by its owner only
umask 077
wg genkey | sudo tee /etc/wireguard/clients/mobile.key | wg pubkey | sudo tee /etc/wireguard/clients/mobile.key.pub

Now we’ll need to create the mobile client’s config file, /etc/wireguard/clients/mobile.conf. With a text editor, add:

[Interface]
# the contents of /etc/wireguard/clients/mobile.key
PrivateKey = <YOUR_MOBILE_CLIENT_PRIVATE_KEY>
Address = <YOUR_VPN_IP/24>
DNS = 1.1.1.1, 1.0.0.1

[Peer]
# the contents of /etc/wireguard/publickey on the server
PublicKey = <YOUR_VPN_SERVER_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = YOUR_SERVER_IP:51820

Once the file is created, you can generate a QR code to scan with your mobile device’s Wireguard app, which is available for both iOS and Android (the file is root-only, so read it with sudo and pipe it into qrencode):

sudo cat /etc/wireguard/clients/mobile.conf | qrencode -t ansiutf8

Once the QR code is generated, scan it with the Wireguard app on your mobile device. As with the laptop, the server only accepts the phone once its public key (the contents of mobile.key.pub) has been added with wg set, and then you’ll connect automatically.
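Every extra device repeats the same five steps: pick a free address, generate a key pair, write the config, register the peer on the server, and show the QR code. As an added example (not part of the original post), here is a POSIX shell script that does that on the server in one go. It assumes the post’s addressing (10.10.0.0/24 and fd86:ea04:1111::/64, with the server at .1/::1), port 51820 and the /etc/wireguard/clients directory; the function names, the address allocation scheme and the sample `wg show` lines in the test are my own, and it goes one step beyond the post by including both IPv4 and IPv6 on the client and routing ::/0 through the tunnel too.

```shell
#!/bin/sh
# Added example: provision one more client on the server.

CLIENT_DIR=/etc/wireguard/clients

# Read `wg show wg0 allowed-ips` on stdin (one "<key> <ip/32> <ip6/128>" line
# per peer) and print one above the highest 10.10.0.N/32 already handed out,
# starting at 2 because the server holds .1. Empty input (no peers yet) gives 2.
next_host_index() {
    awk '{ for (i = 2; i <= NF; i++)
               if ($i ~ /^10\.10\.0\.[0-9]+\/32$/) {
                   split($i, a, /[.\/]/); if (a[4] + 0 > m) m = a[4] + 0 } }
         END { if (m < 1) m = 1; print m + 1 }'
}

# The allowed-ips string for host index $1. The IPv6 suffix reuses the decimal
# index as hex digits (10 becomes ::10); it only has to be unique per client.
peer_allowed_ips() {
    printf '10.10.0.%s/32,fd86:ea04:1111::%s/128' "$1" "$1"
}

# Render the client's config: $1 = client private key, $2 = server public key,
# $3 = server public IP, $4 = host index.
render_client_conf() {
    printf '[Interface]\n'
    printf 'PrivateKey = %s\n' "$1"
    printf 'Address = 10.10.0.%s/32\n' "$4"
    printf 'Address = fd86:ea04:1111::%s/128\n' "$4"
    printf 'DNS = 1.1.1.1, 1.0.0.1\n\n'
    printf '[Peer]\n'
    printf 'PublicKey = %s\n' "$2"
    printf 'AllowedIPs = 0.0.0.0/0, ::/0\n'
    printf 'Endpoint = %s:51820\n' "$3"
}

# Full flow, run as root on the server: provision_client <name> <server public ip>
# Everything here touches the live system, so it is a function you call by name.
provision_client() {
    name=$1; server_ip=$2
    umask 077                                    # key and config land as mode 600
    mkdir -p "$CLIENT_DIR"
    idx=$(wg show wg0 allowed-ips | next_host_index)
    wg genkey > "$CLIENT_DIR/$name.key"
    client_pub=$(wg pubkey < "$CLIENT_DIR/$name.key")
    printf '%s\n' "$client_pub" > "$CLIENT_DIR/$name.key.pub"
    server_pub=$(cat /etc/wireguard/publickey)
    render_client_conf "$(cat "$CLIENT_DIR/$name.key")" "$server_pub" "$server_ip" "$idx" \
        > "$CLIENT_DIR/$name.conf"
    # Register the peer on the running interface. With SaveConfig = true,
    # wg-quick writes it back into wg0.conf when the interface goes down.
    wg set wg0 peer "$client_pub" allowed-ips "$(peer_allowed_ips "$idx")"
    qrencode -t ansiutf8 < "$CLIENT_DIR/$name.conf"
}
# Example: provision_client tablet 203.0.113.10
```

Allocating from the server’s own peer list is what keeps two clients from ever being given the same address, which WireGuard would otherwise silently resolve by letting the most recently added peer win.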

I hope this helps and was easy to follow for anyone who wants to get their own Wireguard VPN up and running. Own your own data, don’t let third parties spy on you or your online activities.

If you’d like to support my work

You can donate here with Bitcoin, Lightning Network, or Monero
https://runfox.tk/wp/product/album/

Or you can donate to my crowdfund with Bitcoin, Lightning Network, or Monero:
https://cipherassetanalysis.com/apps/4VKDJ6Yjsg24F2otzXmFv1rBzZPJ/crowdfund

You can also become a monthly Librepatron, with Bitcoin, Lightning Network, or Monero:
https://libre.cipherassetanalysis.com/
