Jack Moore

Email: jack(at)jmoore53.com

Wireguard VPN

12 Dec 2019 » cloud, vpn, network, networking

VPNs have always fascinated me. Here’s an ultra-lightweight, quick one.

Mistakes were made

I am running a cheapass AWS Linux instance that is way too expensive for the service it provides, but that is beside the point. What’s not beside the point is the fact that I’m running AWS Linux on this cheap-ass instance and it sucks, because I have to build the WireGuard package from source. Yes, you heard that correctly: instead of mind-numbingly running some bash script someone put on the internet and pulling the package down from a package manager, I have to use my brain and think about the commands I am going to run at my bash prompt, following some off-the-beaten-path route to install this VPN.

When there’s a will there’s a way, and I damn sure wanted this, so I was getting this package onto my server whatever it took. It looked like this:

sudo yum install libmnl-devel elfutils-libelf-devel kernel-devel pkgconfig "@Development Tools"

# Make sure this next one is up to date!
wget https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191212.tar.xz

# Extract
tar -xf WireGuard-0.0.20191212.tar.xz

cd WireGuard-0.0.20191212/src

make

sudo make install

And voila, it’s installed!

Configure

Generate server public and private keys that only root can read:

# Become root in an interactive shell (note: sudo -i also drops you into root's home directory,
# so change directory after it, not before)
sudo -i

# Any file created from here on is readable and writable only by its owner, root
umask 077

# Change to the WireGuard directory
cd /etc/wireguard/

# Generate keys: the private key is written to a file by tee and piped on to derive the public key
wg genkey | tee privatekey | wg pubkey > publickey

Create a wg0.conf file that looks like this on the server you are hosting the VPN on:

[Interface]
Address = 192.168.2.1
PrivateKey = ENV['SERVER_PRIVATE_KEY_HERE']
ListenPort = 54321
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = ENV['PHONE_PUBLIC_KEY']
AllowedIPs = 192.168.2.2/32

[Peer]
PublicKey = ENV['LAPTOP_PUBLIC_KEY']
AllowedIPs = 192.168.2.3/32

After this config file is created, run wg-quick up wg0 and the VPN interface will be up on the server side.

The PostUp and PostDown commands add the forwarding and NAT (MASQUERADE) rules when the interface comes up and remove them when it goes down; that is what lets the clients reach the internet with their traffic tunneled through the VPN.

The client config should look something like this (this example comes from my phone):

[Interface]
Address = 192.168.2.2/32
PrivateKey = ENV['CLIENT_PRIVATE_KEY']

[Peer]
PublicKey = ENV['SERVER_PUBLIC_KEY']
Endpoint = ['SERVER_IP_ADDRESS']:54321
AllowedIPs = 0.0.0.0/0

AllowedIPs = 0.0.0.0/0 in the client’s peer entry means the client sends traffic for any destination IP through the tunnel. After generating the peer configuration file for my phone, and while still ssh’ed into the server, I ran qrencode -t ansiutf8 < phone.conf, which generated a pretty QR code for me to scan and easily import the configuration to my phone.
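To make the key generation and the two config files above concrete, here is a Python script added for this write-up; it is not code from the post or from the WireGuard project. It reimplements what wg genkey | wg pubkey computes (X25519 from RFC 7748, checked against that RFC's published test vectors), renders the server wg0.conf and a phone-style client config, and runs a few sanity checks on the server config before you wg-quick up it. The key names, the peer list, the /24 on the server Address (the post's Address has no prefix length; wg-quick still adds a route for each peer's AllowedIPs, the /24 just gives the subnet check something to compare against) and the SERVER_IP_ADDRESS placeholder are my assumptions.

```python
import base64
import ipaddress
import os

# X25519 (RFC 7748) in plain Python: enough to show what `wg genkey | wg pubkey` does.
P = 2**255 - 19
A24 = 121665                          # (486662 - 2) / 4 for Curve25519
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64
    return int.from_bytes(kb, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 (not constant-time: for understanding keys, not deploying them)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def genkey() -> str:
    """`wg genkey`: 32 random bytes, base64 (clamping is applied when the key is used)."""
    return base64.b64encode(os.urandom(32)).decode()

def pubkey(private_b64: str) -> str:
    """`wg pubkey`: public key = clamped private scalar times the base point 9."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()

def selftest() -> bool:
    """RFC 7748 section 6.1 vectors: Alice's public key and the Alice/Bob shared secret."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    shared = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
    return x25519(a, BASEPOINT) == a_pub and x25519(a, x25519(b, BASEPOINT)) == shared

def server_conf(priv, address, port, wan_if, peers):
    """Render the post's wg0.conf; peers is a list of (public_key, allowed_ips) pairs."""
    out = ["[Interface]", f"Address = {address}", f"PrivateKey = {priv}", f"ListenPort = {port}",
           f"PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
           f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE"]
    for pub, allowed in peers:
        out += ["", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {allowed}"]
    return "\n".join(out) + "\n"

def client_conf(priv, address, server_pub, endpoint, dns="1.1.1.1"):
    """Full-tunnel client config like the phone's, with the DNS line the post ended up needing."""
    return (f"[Interface]\nAddress = {address}\nPrivateKey = {priv}\nDNS = {dns}\n\n"
            f"[Peer]\nPublicKey = {server_pub}\nEndpoint = {endpoint}\nAllowedIPs = 0.0.0.0/0\n")

def check_server_conf(text):
    """Before `wg-quick up`: every peer AllowedIPs must parse, sit inside the interface subnet,
    and not overlap another peer (WireGuard hands an overlapping IP to whichever peer was set last)."""
    problems, nets, iface_net, section = [], [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "[Interface]" and key == "Address":
            iface_net = ipaddress.ip_interface(value).network
        elif section == "[Peer]" and key == "AllowedIPs":
            for cidr in (c.strip() for c in value.split(",")):
                try:
                    net = ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    problems.append(f"unparseable AllowedIPs {cidr!r}")
                    continue
                if any(net.overlaps(n) for n in nets):
                    problems.append(f"{net} overlaps another peer's AllowedIPs")
                nets.append(net)
    problems += [f"{n} is outside the interface network {iface_net}"
                 for n in nets if iface_net and not n.subnet_of(iface_net)]
    return problems

if __name__ == "__main__":
    assert selftest()
    server_priv, phone_priv = genkey(), genkey()   # constructed keys for the demo
    wg0 = server_conf(server_priv, "192.168.2.1/24", 54321, "eth0", [(pubkey(phone_priv), "192.168.2.2/32")])
    print(wg0, check_server_conf(wg0) or "wg0.conf passes the checks", sep="\n")
    print(client_conf(phone_priv, "192.168.2.2/32", pubkey(server_priv), "SERVER_IP_ADDRESS:54321"))
```

Run it with python3 and it prints a server config, the check result, and a matching phone config. The x25519 here is the textbook ladder on Python integers, so it leaks timing; it is there so you can see that a WireGuard public key is just the clamped private scalar multiplied into base point 9, not as a replacement for wg genkey. Two things the checks cannot tell you: the kernel must have net.ipv4.ip_forward set to 1 for the FORWARD rule to do anything, and eth0 must really be the instance's outbound interface, or the MASQUERADE rule is on the wrong side.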

Initial Phone Issues

From my phone I scanned the QR code in the WireGuard app and ran into an issue with WireGuard not routing any external traffic. To fix this, I added a DNS provider (1.1.1.1) and checked whether my DNS was being leaked. After setting the DNS, everything was working and I was able to connect both internally to my laptop on my home network and to external websites. I was then able to confirm this worked by routing through the network at work :) .

© Jack Moore