- https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/
- https://gist.github.com/nealfennimore/92d571db63404e7ddfba660646ceaf0d
- https://angristan.xyz/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/
- https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
- https://www.procustodibus.com/blog/2020/10/wireguard-topologies/
- https://jamesmcm.github.io/blog/no-ipv4/ (use SNAT instead of MASQUERADE; it's faster)
NB:
- the private IP address 192.168.3.XX doesn't have to be an IP you own.
- create a new vps/ip on a cloud provider and check the IP location on https://www.whatismyip.com/ip-address-lookup; it should show the location you want.
apt -y update && \
apt -y install wireguard
# this will generate server private key & public key
wg genkey | tee ServerPrivatekey | wg pubkey > ServerPublickey
cat /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.3.1/24, fd86:ea04:1115::1/64 # server-IPs
ListenPort = 5555
PrivateKey = <value-of-ServerPrivatekey>
# the following two lines may not be necessary
# If you only want to create a tunnel but not forward all your traffic through the server you can skip them.
# todo: use SNAT instead of MASQUERADE; it's faster. https://jamesmcm.github.io/blog/no-ipv4/
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# eth0 is the server's public interface. You can find yours with:
# ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1
PostUp = echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
PostUp = echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
[Peer]
PublicKey = <value-of-ClientPublickey>
# host routes (/32 and /128): a /64 here would hand the whole IPv6 subnet to this one client
AllowedIPs = 192.168.3.2/32, fd86:ea04:1115::2/128 # client-IPs
# Enable packet forwarding
# This is only needed if the wireguard config does not have the `PostUp = echo 1 > /proc/sys/net/ipv4/conf/all/forwarding` lines
echo "net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/wg.conf
sysctl --system
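As an added example (not part of the original notes or of WireGuard), the following sh script builds the server-side wg0.conf above for several clients from one addressing plan and swaps MASQUERADE for the SNAT the todo at the top asks for. The public interface, public addresses and keys are passed in as arguments; the values in sample_conf are constructed placeholders, not real addresses or key material.

```shell
#!/bin/sh
# Added example: generate a multi-peer server config with SNAT instead of
# MASQUERADE. Assumptions: subnets 192.168.3.0/24 and fd86:ea04:1115::/64
# as in the notes; peers are numbered 2, 3, ... in the order their public
# keys are given; the public interface/addresses are supplied by the caller.

WG_IF=wg0
WG_PORT=5555
V4_NET=192.168.3
V6_NET=fd86:ea04:1115:

# Firewall lines for [Interface]. MASQUERADE looks up the outgoing interface
# address for every packet; SNAT pins it, which is what makes it faster.
# The price: if the VPS public address changes, these rules must be regenerated.
snat_rules() {
    # $1 = public interface, $2 = public IPv4, $3 = public IPv6
    printf 'PostUp = iptables -A FORWARD -i %s -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s; ip6tables -A FORWARD -i %s -j ACCEPT; ip6tables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' \
        "$WG_IF" "$1" "$2" "$WG_IF" "$1" "$3"
    printf 'PostDown = iptables -D FORWARD -i %s -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j SNAT --to-source %s; ip6tables -D FORWARD -i %s -j ACCEPT; ip6tables -t nat -D POSTROUTING -o %s -j SNAT --to-source %s\n' \
        "$WG_IF" "$1" "$2" "$WG_IF" "$1" "$3"
}

# One [Peer] block. AllowedIPs must be host routes (/32 and /128): a prefix
# can belong to only one peer, so a second peer listing the same /64 would
# take the whole IPv6 subnet away from the first.
peer_block() {
    # $1 = peer index (2..254), $2 = peer public key
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s.%s/32, %s:%s/128\n' \
        "$2" "$V4_NET" "$1" "$V6_NET" "$1"
}

server_conf() {
    # $1 = server private key, $2 = public interface, $3 = public IPv4,
    # $4 = public IPv6, remaining args = client public keys
    printf '[Interface]\nAddress = %s.1/24, %s:1/64\nListenPort = %s\nPrivateKey = %s\n' \
        "$V4_NET" "$V6_NET" "$WG_PORT" "$1"
    snat_rules "$2" "$3" "$4"
    shift 4
    i=2
    for key in "$@"; do
        printf '\n'
        peer_block "$i" "$key"
        i=$((i + 1))
    done
}

# Constructed sample: placeholder keys and documentation-range addresses.
sample_conf() {
    server_conf SERVER_PRIVATE_KEY_PLACEHOLDER eth0 203.0.113.10 2001:db8::10 \
        PEER2_PUBKEY_PLACEHOLDER PEER3_PUBKEY_PLACEHOLDER
}

# Sanity check before installing: every AllowedIPs line is a host route.
count_host_routes() {
    sample_conf | grep -c 'AllowedIPs = .*/32, .*/128'
}
```

Usage on the server is `server_conf "$(cat ServerPrivatekey)" eth0 <public-v4> <public-v6> "$(cat ClientPublickey)" > /etc/wireguard/wg0.conf`, followed by the sysctl step above; the forwarding PostUp lines from the original config can be appended if you prefer them to sysctl.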
apt -y update && \
apt -y install wireguard
# apt -y install openresolv # may be required if wg is unable to start
# if using a custom local dns-server (eg, dnscrypt),
# you do not need to install openresolv; just comment out the `DNS=` line.
# this will generate client private key & public key
wg genkey | tee ClientPrivatekey | wg pubkey > ClientPublickey
cat /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.3.2/32, fd86:ea04:1115::2/64 # client-IPs
ListenPort = 5555
PrivateKey = <value-of-ClientPrivatekey>
# For DNS you can:
# (a) use a dns server from the uk; https://public-dns.info/nameserver/gb.html
# (b) use <ServerPublicIPaddress>
# (c) use google (8.8.8.8)
# (d) comment it out. This is good if you are using a custom local dns-server like dnscrypt-proxy
DNS = 1.1.1.1, 8.8.8.8
# the following two lines may not be necessary
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = <value-of-ServerPublickey>
# This can be narrowed down if you only want some traffic to go over VPN.
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <ServerPublicIPaddress>:5555
PersistentKeepalive = 180 # Optional. Needed for clients behind NAT.
systemctl stop wg-quick@wg0
systemctl start wg-quick@wg0
systemctl status wg-quick@wg0
journalctl -xf -n10 -u wg-quick@wg0
sudo wg
NB: you may have to install openresolv (apt-get -y install openresolv)
if WireGuard is unable to start.
If using a custom local dns-server (eg, dnscrypt), you do not need to install openresolv;
just comment out the DNS= line.
to edit /etc/wireguard/wg0.conf you need to:
- a. stop wg
- b. edit files
- c. restart wg
NB: edits made while wg is still running may not be persisted
NB: check dns leaks at https://mullvad.net/en/check
NB: regarding dns leaks, I had a chat on the WireGuard IRC:
zx2c4:
on the client, to fix dns leaks you can either
1) not use debian/ubuntu
2) add this "kill switch" to your config file:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
amdj:
- just settle for confirming that your query is being sent over wireguard and call it a day.
this is easy with e.g. tcpdump, or you can enforce it with the rules zx2c4 gave you.
- if you're talking to 1.1.1.1 over the wireguard tunnel then as far as cloudflare is concerned they can't see your real address
but a leak test is still going to tell you that you have a leak because the query isn't coming from your server (but rather from cloudflare).
- what's ironic is that satisfying the conditions of these tests (dns leak test services) when you're running your own VPN will actually
give you less privacy in many circumstances.
- the operators of authoritative nameservers can see the address of the recursor that's asking them questions.
if that recursor is running on your endpoint using an IP address registered to you (e.g. in whois data) then you've given your identity
away to every domain admin you do lookups for.
NB: zx2c4 is the main author of WireGuard
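The client config above carries the "kill switch" rule zx2c4 describes, and amdj's advice is to confirm that queries really go over the tunnel rather than trusting a leak-test site. As an added example (not from the original notes or from WireGuard), this sh script audits a client for both points from the text that `iptables -S OUTPUT`, `wg show wg0 fwmark` and /etc/resolv.conf produce. The samples embedded below are constructed (the fwmark value is made up) so the checks run without root or a live tunnel.

```shell
#!/bin/sh
# Added example: audit the WireGuard client kill switch and resolver setup.
# Assumptions: the interface is wg0, the PostUp rule from the config above was
# installed by wg-quick, and the fwmark is the value `wg show wg0 fwmark` prints.

# The PostUp rule as `iptables -S` prints it back (iptables appends the default
# --reject-with to a bare -j REJECT).
expected_rule() {
    # $1 = wireguard interface, $2 = fwmark as printed by `wg show $1 fwmark`
    printf '%s\n' "-A OUTPUT ! -o $1 -m mark ! --mark $2 -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable"
}

# Returns 0 when the OUTPUT chain listing on stdin contains the rule.
# Note: wg-quick only assigns a fwmark when AllowedIPs contains 0.0.0.0/0 or ::/0,
# so on a split-tunnel client `wg show wg0 fwmark` prints "off" and this rule
# cannot be used as written.
killswitch_present() {
    grep -qF -- "$(expected_rule "$1" "$2")"
}

# Every nameserver in the resolv.conf text on stdin must be one named in the
# config's DNS= line; a leftover LAN resolver is the classic leak.
resolvers_match() {
    # $1 = DNS= value from wg0.conf, e.g. "1.1.1.1, 8.8.8.8"
    allowed=$(printf '%s' "$1" | tr -d ' ' | tr ',' '\n')
    for ns in $(awk '$1 == "nameserver" { print $2 }'); do
        printf '%s\n' "$allowed" | grep -qxF -- "$ns" || return 1
    done
    return 0
}

# Constructed sample of `iptables -S OUTPUT` after PostUp ran (fwmark made up).
SAMPLE_OUTPUT_CHAIN='-P OUTPUT ACCEPT
-A OUTPUT ! -o wg0 -m mark ! --mark 0xca6c -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable'

# Constructed resolv.conf contents: one matching the DNS= line, one still
# pointing at a LAN router.
SAMPLE_RESOLV_OK='nameserver 1.1.1.1
nameserver 8.8.8.8'
SAMPLE_RESOLV_LEAK='nameserver 192.168.1.1
nameserver 1.1.1.1'

# Runs the checks against the samples; returns 0 when all behave as expected.
audit_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT_CHAIN" | killswitch_present wg0 0xca6c || return 1
    printf '%s\n' "$SAMPLE_RESOLV_OK" | resolvers_match '1.1.1.1, 8.8.8.8' || return 2
    printf '%s\n' "$SAMPLE_RESOLV_LEAK" | resolvers_match '1.1.1.1, 8.8.8.8' && return 3
    return 0
}
```

On a live client the same functions take real input: `iptables -S OUTPUT | killswitch_present wg0 "$(wg show wg0 fwmark)"` and `resolvers_match '1.1.1.1, 8.8.8.8' < /etc/resolv.conf`. A passing audit says packets that would leave through another interface are rejected and that the system resolver is one of the addresses routed through the tunnel; it says nothing about what the resolver operator sees, which is amdj's separate point.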