WireGuard
Hot new VPN protocol with many features:
- Roams between connections (Wi-Fi and cellular) without dropping the tunnel
- Much faster connections (runs in the kernel, uses modern ciphers only)
- Much smaller codebase than OpenVPN or IPsec, so it is far easier to audit
Server
How to set up a WireGuard VPN server on Ubuntu. This is based on linuxize.
- Install WireGuard.
sudo apt install wireguard
- Generate the server private and public keys. Set a restrictive umask first so the private key is never created world-readable, even for the moment before the chmod below.
(umask 077; wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey)
- Write the config file /etc/wireguard/wg0.conf:
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
Note that SaveConfig = true makes wg-quick write the live configuration back to this file when the interface goes down. Peers added at runtime with wg set are kept, but any edits you make to the file while wg0 is up are overwritten.
- Replace ens3 with the interface that carries your default route:
ip -o -4 route show to default | awk '{print $5}'
- Replace SERVER_PRIVATE_KEY with the contents of /etc/wireguard/privatekey.
- Enable IPv4 forwarding (net.ipv4.ip_forward=1 via sysctl, made persistent under /etc/sysctl.d). Without it the MASQUERADE rule never sees client traffic and clients can reach the server but nothing beyond it.
- Fix permissions and start the interface.
sudo chmod 600 /etc/wireguard/{privatekey,wg0.conf}
sudo wg-quick up wg0
sudo wg show wg0
- Open port 51820/udp in the host firewall (and forward it on any router in front of the server).
sudo ufw allow 51820/udp comment wireguard
# Only if you use subspace: it hands clients addresses from 10.99.97.0/24 and runs a DNS forwarder for them on the host
sudo ufw allow from 10.99.97.0/24 to any port 53 comment dns
- Enable the WireGuard systemd service so wg0 comes up at boot.
sudo systemctl enable wg-quick@wg0
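The whole procedure above as one script. This is an added example, not code from the page or from linuxize: it renders wg0.conf plus a first client config, keeps the private keys under umask 077, adds the forwarding sysctl the steps above need, and applies everything only when WG_APPLY=1 so the render functions can be sourced and inspected without root. Assumed values: vpn.example.com as the public endpoint, 10.0.0.0/24 as the tunnel subnet, 10.0.0.2 for the first client, and WG_DIR defaulting to /etc/wireguard.

```shell
#!/bin/sh
# Added example, not from the original page: renders wg0.conf plus one client
# config from the steps above, then (optionally) applies it. Assumed values:
# vpn.example.com as the public endpoint, 10.0.0.0/24 as the tunnel subnet,
# 10.0.0.2 for the first client. apply_server only runs when WG_APPLY=1.
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"

# Private key generated under umask 077 so it is never world-readable.
gen_private_key() {
  (umask 077; wg genkey)
}

# Derive the public key from a private key (wg pubkey reads stdin).
public_key_of() {
  printf '%s\n' "$1" | wg pubkey
}

# The interface carrying the default route; replaces the hard-coded ens3.
default_wan_iface() {
  ip -o -4 route show to default | awk '{print $5; exit}'
}

# Server wg0.conf. Args: server private key, WAN interface, listen port.
# SaveConfig is left off on purpose: with it on, wg-quick rewrites this file
# on "down" and silently discards edits made while the tunnel was up.
render_server_conf() {
  priv="$1"; wan="$2"; port="${3:-51820}"
  cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = ${port}
PrivateKey = ${priv}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${wan} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${wan} -j MASQUERADE
EOF
}

# One [Peer] stanza for the server. Args: client public key, client tunnel IP.
# AllowedIPs is a /32 here: the server routes only that address to the peer and
# drops packets from the peer with any other source address (cryptokey routing).
render_server_peer() {
  pub="$1"; addr="$2"
  cat <<EOF

[Peer]
PublicKey = ${pub}
AllowedIPs = ${addr}/32
EOF
}

# Client config. Args: client private key, client tunnel IP, server public key,
# endpoint host, port. AllowedIPs 0.0.0.0/0 sends all IPv4 through the tunnel.
render_client_conf() {
  priv="$1"; addr="$2"; server_pub="$3"; endpoint="$4"; port="${5:-51820}"
  cat <<EOF
[Interface]
Address = ${addr}/24
PrivateKey = ${priv}
DNS = 1.1.1.1

[Peer]
PublicKey = ${server_pub}
Endpoint = ${endpoint}:${port}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Full bring-up as root: keys, configs, forwarding, firewall, service.
apply_server() {
  spriv="$(gen_private_key)"; spub="$(public_key_of "$spriv")"
  cpriv="$(gen_private_key)"; cpub="$(public_key_of "$cpriv")"
  wan="$(default_wan_iface)"
  install -d -m 700 "$WG_DIR"
  umask 077
  { render_server_conf "$spriv" "$wan"; render_server_peer "$cpub" 10.0.0.2; } > "$WG_DIR/wg0.conf"
  render_client_conf "$cpriv" 10.0.0.2 "$spub" vpn.example.com > "$WG_DIR/client1.conf"
  # Without forwarding the MASQUERADE rule never sees client traffic; persist it.
  printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-wireguard.conf
  sysctl -p /etc/sysctl.d/99-wireguard.conf
  ufw allow 51820/udp comment wireguard
  systemctl enable --now wg-quick@wg0
  wg show wg0
}

if [ "${WG_APPLY:-0}" = 1 ]; then
  apply_server
fi
```

Run it as root with WG_APPLY=1 on the server, then copy /etc/wireguard/client1.conf to the client (over a channel you trust, it contains the client's private key). Each further client gets its own keypair, its own /32 in the server's [Peer] list and its own tunnel address; never reuse a keypair across devices, because AllowedIPs, not the key, is what keeps one client from spoofing another's tunnel address.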
- References
- https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/
- https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/
- https://www.cyberciti.biz/faq/ubuntu-20-04-set-up-wireguard-vpn-server/
Front-ends
Managing peers by hand (key generation, handing out configs, keeping AllowedIPs straight) is a large pain.
Subspace provides a web front end you can use for this.
Below is my setup. Subspace listens on port 52395 on localhost only; Apache with certbot terminates SSL/TLS and reverse-proxies to that local port. That is why SUBSPACE_HTTP_INSECURE is true and SUBSPACE_LETSENCRYPT is false: subspace itself speaks plain HTTP, so SUBSPACE_HTTP_ADDR must stay bound to localhost and port 52395 must never be reachable from outside. It needs host networking and NET_ADMIN because it creates and manages the WireGuard interface on the host itself.
mkdir -p /home/$USER/wireguard/data
sudo docker create \
  --name subspace \
  --restart always \
  --network host \
  --cap-add NET_ADMIN \
  --volume /home/$USER/wireguard/data:/data \
  --env SUBSPACE_HTTP_HOST=wireguard.davidl.me \
  --env SUBSPACE_NAMESERVER="1.1.1.1" \
  --env SUBSPACE_HTTP_ADDR="localhost:52395" \
  --env SUBSPACE_HTTP_INSECURE="true" \
  --env SUBSPACE_LETSENCRYPT="false" \
  subspacecommunity/subspace:latest
sudo docker start subspace
sudo docker logs subspace
To stop subspace and remove the container (the data volume under /home/$USER/wireguard/data is kept):
sudo docker stop subspace
sudo docker rm subspace