In these days and times privacy is number one concern for most people while browsing the internet. The
www ecosystem is designed and developed in such a way that forces its users to live in glass houses. Even if users have nothing to hide it doesn’t mean that the corporation behind the web services gets a free pass to log and monitor all of their activities and make a business plan out of it. The Internet is supposed to be a public space that should have no boundaries like we have in the physical world. Even with ad-blockers, anti-trackers there is no way to completely avoid services from logging you. Only sure way is to provide an assumed identity at the time of check-in and tear down the trail once you leave. The VPN does exactly that for you.
Using commercial VPN is not that bad actually but the cost and lack of available bandwidth might be a bottleneck. Also VPN at least allows you to avoid monitoring by any middle-man, like ISPs, the end service is bound to know you.
Privately setting up a VPN has never been easier. With services like DigitalOcean and Lightsail, spinning up a private server in a location of your choice is a matter of a few clicks and happens in minutes.
There are multiple open-source options to set up a VPN server and clients. Also, there are automated one-click suites to setup everything like AlgoVPN.This post is about getting to know a little bit better how a VPN works and why setting up your own could be more cost-effective and actually useful.
WireGuard is one of the options to set up your own VPN beside other popular options like IPSec, OpenVPN etc. originally written for Linux it is now a cross platform high performing VPN Tunnel loved by people all around the world. I’m not going to explain all the goodness that it offers but will try to visualize the overview of its working.
WireGuard takes some unique approaches in setting up a VPN.
- Creates a kernel virtual network interface
- 32 byte public key represented as base64 whose exchange is not the responsibility of WireGuard layer
- Cryptographically opinionated makes it less complex and vulnerabilities discovery affects all endpoints
- layer-3 only
The virtual interface has its own public and private key along with a UDP listening port. Each interface maintains a routing table which maps a public key with a set of allowed IPs. The static information is used for handshake and establishing a secure session. Once established the client can start using VPN server peers to communicate with the internet.
Outgoing packets consult the routing table based on the destination IP and use the mapped public key to encrypt IP frames.
Incoming UDP datagram destined to wg0 configured port reach wireguard stack. The header inserted by wireguard is used to determine the session key for decryption. Packet is dropped if session key lookup fails, or if post decryption the data is not an IP datagram or the if the src_ip is not matching the routing table. Once satisfied the header and IP info is used to update the endpoint info and the packet is pushed up the stack.
I highly recommend using AlgoVPN to setup wireguard seamlessly, but knowing the manual is beneficial to understanding the working of Wireguard.
I am using DigitalOcean to spin up a basic Ubuntu 20.04 VM with a good enough transfer limit. My client is a windows laptop.
Things to consider and note down while setting up the server are, public IP, login credentials or keys and region.
Setting up Manually
sudo apt install wireguard
before setting up anything else, you should ideally see three interfaces on the machine
- lo: localhost
- eth0: public IP
- eth1: backplane traffic IP
Enable IPv4 forward
do this before doing anything else
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
Create public and private keys
It is not advisable to keep keys on the machine but for this tutorial we will make an exception.
wg genkey > private_key
wg pubkey < private_key > public_key
wg genkey > ranuzz_private_key
wg pubkey < ranuzz_private_key > ranuzz_public_key
; create wg0
ip link add dev wg0 type wireguard
; assign IP
ip address add dev wg0 192.168.0.1/24
; set server private key
wg set wg0 listen-port 51820 private-key ./private_key
; activate wg0
ip link set up dev wg0
; add peer (replace ranuzz_public_key with its conten)
wg set wg0 peer ranuzz_public_key allowed-ips 192.168.0.2/32
wg0 interfaces configuration should look like this
ListenPort = 51820
PrivateKey = private_key
PublicKey = ranuzz_public_key
AllowedIPs = 192.168.0.2/32
Creating client config file
Based on the keys generated and information above you should be able to write a configuration file for the client/peer. DNS configuration is required to access the internet, you can use any public DNS like google or cloudflare.
PrivateKey = ranuzz_private_key
Address = 192.168.0.2/32
DNS = 184.108.40.206
PublicKey = public_key
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = server_public_ip:51820
install wireguard on windows
load client config via UI
Import tunnel from config file and click activate
AlgoVPN Setup (alternate)
Setting manually is all well and good but there could be a lot of variables depending on the type of system or configuration you are using. Using an automated solution is always a safe bet and AlgoVPN is the most suitable choice. There github has a detailed installation instruction. I’m including what I used to configure my Ubuntu 20.04 VM.
Run this once you login to your fresh installation
sudo apt-get update
sudo apt install -y --no-install-recommends python3-virtualenv
git clone https://github.com/trailofbits/algo.git
python3 -m virtualenv .env
pip install -U pip virtualenv
pip install -r requirements.txt
config.cfg file and add a user if you want. But it’s ok to go with default three users. Then execute the script and follow the prompts
What provider would you like to use ?
12 (Ubuntu Server Local installation)
Cellular on demand: N
Wifi on demand: N
retain PKI: N
DNS ad Block: N
SSH Tunelling: N
Enter the IP address of your server:
Enter the public IP address or domain name of your server:
Once done you should find all client config files in
~/algo/configs/server_public_ip/wireguard. Use one of the clients to add a tunnel.
could not locate file in lookup
If you encounter this error in the ‘.pki’ folder then simply generate the keys yourself using
wg genkey command.
Feel free to send me an email for any suggestion or feedback. Follow me on twitter and github.