WireGuard: Difference between revisions

From David's Wiki
Revision as of 02:59, 15 July 2020

Hot new VPN with many features

  • Handles handoff between connections (WiFi and Cellular)
  • Much faster connections
  • Smaller codebase

Server

How to set up a WireGuard VPN server on Ubuntu

  • If using Ubuntu <= 19.04, add the WireGuard PPA
    sudo add-apt-repository ppa:wireguard/wireguard
    sudo apt update
    
  • Install WireGuard.
    sudo apt install wireguard
    
  • Generate server private and public keys.
    wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
    
  • Write the config file /etc/wireguard/wg0.conf.
    [Interface]
    Address = 10.0.0.1/24
    SaveConfig = true
    ListenPort = 51820
    # Paste the contents of /etc/wireguard/privatekey here.
    PrivateKey = SERVER_PRIVATE_KEY
    # Replace ens3 with the server's external (uplink) interface.
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
    
  • Fix permissions and start the interface.
    sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}
    sudo wg-quick up wg0
    sudo wg show wg0
    
  • Open port 51820/udp in the firewall and forward it on your router.
    sudo ufw allow 51820/udp comment wireguard
    
  • Enable WireGuard systemd service.
    sudo systemctl enable wg-quick@wg0
    
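Once the server is up, every client still has to be added by hand: a `[Peer]` stanza on the server, a matching config on the client, and an address that does not collide with existing peers. The following is an added example (not code from the wiki page or from WireGuard) that does that bookkeeping for the wg0.conf layout above and generalizes it to any subnet in the `Address` line. The endpoint hostname and all keys in it are constructed placeholders.

```python
"""Added example, not from the wiki page: the manual peer bookkeeping that a
front-end such as Subspace automates. It parses a wg-quick config in the layout
above, picks the next free tunnel address, and renders the server-side [Peer]
stanza, the matching live `wg set` command, and a client config. The endpoint
hostname and every key below are constructed placeholders, never real keys."""
import base64
import ipaddress
import re
from typing import Optional

# A WireGuard key is 32 bytes in base64: 44 characters ending in a single '='.
# The 43rd character carries only 4 data bits, so only 16 symbols are valid there.
_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$")

# Constructed sample mirroring the wg0.conf written above, with one peer already added.
SAMPLE_WG0_CONF = """\
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=
AllowedIPs = 10.0.0.2/32
"""
# Placeholder keys built from fixed bytes so the example is deterministic (assumption, not real keys).
CLIENT_PUB_PLACEHOLDER = base64.b64encode(bytes([2] * 32)).decode()
CLIENT_PRIV_PLACEHOLDER = base64.b64encode(bytes([3] * 32)).decode()
SERVER_PUB_PLACEHOLDER = base64.b64encode(bytes([4] * 32)).decode()
ENDPOINT_PLACEHOLDER = "vpn.example.invalid:51820"


def is_valid_wg_key(key: str) -> bool:
    """Syntactic check: canonical base64 of exactly 32 bytes."""
    return bool(_KEY_RE.match(key)) and len(base64.b64decode(key, validate=True)) == 32


def parse_wg_conf(text: str) -> list:
    """Parse wg-quick INI into [{'_section': name, key: value}, ...].
    configparser is avoided because [Peer] legitimately repeats."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append({"_section": line[1:-1]})
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def next_free_address(conf: list) -> ipaddress.IPv4Address:
    """Lowest host in the interface subnet not taken by the server or an existing peer."""
    iface = next(s for s in conf if s["_section"] == "Interface")
    server = ipaddress.ip_interface(iface["Address"])
    used = {server.ip}
    for s in conf:
        if s["_section"] == "Peer":
            for cidr in s.get("AllowedIPs", "").split(","):
                if cidr.strip():
                    used.add(ipaddress.ip_interface(cidr.strip()).ip)
    for host in server.network.hosts():
        if host not in used:
            return host
    raise RuntimeError("subnet exhausted")


def server_peer_stanza(client_pub: str, client_ip, psk: Optional[str] = None) -> str:
    """[Peer] block for wg0.conf. AllowedIPs is a single /32: the server only routes
    to, and only accepts source traffic from, that one address under this key."""
    if not is_valid_wg_key(client_pub):
        raise ValueError("client public key is not a 32-byte base64 key")
    lines = ["[Peer]", f"PublicKey = {client_pub}"]
    if psk:
        lines.append(f"PresharedKey = {psk}")
    lines.append(f"AllowedIPs = {client_ip}/32")
    return "\n".join(lines) + "\n"


def live_add_command(client_pub: str, client_ip, psk_file: Optional[str] = None) -> str:
    """Same change applied to the running interface. With SaveConfig = true, wg-quick
    rewrites wg0.conf from live state on `wg-quick down`, so a file edit made while
    wg0 is up is lost; apply with `wg set` and let SaveConfig persist it instead."""
    cmd = f"wg set wg0 peer {client_pub} allowed-ips {client_ip}/32"
    if psk_file:
        cmd += f" preshared-key {psk_file}"
    return cmd


def client_conf(client_priv: str, client_ip, server_pub: str, endpoint: str,
                full_tunnel: bool = True, psk: Optional[str] = None) -> str:
    """Client config. full_tunnel sends all traffic through the VPN; otherwise only the
    10.0.0.0/24 tunnel subnet. PersistentKeepalive keeps a NAT mapping open."""
    if not (is_valid_wg_key(client_priv) and is_valid_wg_key(server_pub)):
        raise ValueError("bad key")
    allowed = "0.0.0.0/0" if full_tunnel else "10.0.0.0/24"
    lines = ["[Interface]", f"PrivateKey = {client_priv}", f"Address = {client_ip}/32", "",
             "[Peer]", f"PublicKey = {server_pub}", f"Endpoint = {endpoint}",
             f"AllowedIPs = {allowed}", "PersistentKeepalive = 25"]
    if psk:
        lines.insert(6, f"PresharedKey = {psk}")
    return "\n".join(lines) + "\n"


def add_peer(conf_text: str, client_pub: str) -> dict:
    """One new client: allocate an address and render what the server side needs."""
    conf = parse_wg_conf(conf_text)
    ip = next_free_address(conf)
    return {"address": str(ip),
            "server_stanza": server_peer_stanza(client_pub, ip),
            "wg_set": live_add_command(client_pub, ip)}


if __name__ == "__main__":
    result = add_peer(SAMPLE_WG0_CONF, CLIENT_PUB_PLACEHOLDER)
    print(result["server_stanza"])
    print(result["wg_set"])
    print(client_conf(CLIENT_PRIV_PLACEHOLDER, result["address"],
                      SERVER_PUB_PLACEHOLDER, ENDPOINT_PLACEHOLDER))
```

Two things worth checking when you apply this for real: the `MASQUERADE` rule in `PostUp` only forwards client traffic if the kernel has `net.ipv4.ip_forward=1` set (the steps above do not set it), and with `SaveConfig = true` the authoritative peer list is the running interface, which is why the example emits a `wg set` command alongside the file stanza.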
Front-ends

Managing connections manually is a large pain.

Subspace provides a front end you can use.

Below is my setup. I have Subspace running on port 52395. Apache and certbot manage SSL/TLS and proxy to this local port.

mkdir -p /home/$USER/wireguard/data
docker create \
    --name subspace \
    --restart always \
    --network host \
    --cap-add NET_ADMIN \
    --volume /usr/bin/wg:/usr/bin/wg \
    --volume /home/$USER/wireguard/data:/data \
    --env SUBSPACE_HTTP_HOST=wireguard.davidl.me \
    --env SUBSPACE_HTTP_ADDR="localhost:52395" \
    --env SUBSPACE_HTTP_INSECURE="true" \
    --env SUBSPACE_LETSENCRYPT="false" \
    subspacecloud/subspace:latest

sudo docker start subspace
sudo docker logs subspace