VPNs have always fascinated me. Here's an ultra-lightweight quick one.
Mistakes were made
I am running a cheapass AWS Linux instance that is way too expensive for the service being provided, but that is beside the point.
What's not beside the point is the fact that I'm running AWS Linux on this cheap-ass instance, and it sucks because I have to build the WireGuard package from source.
Yes, you heard that correctly: instead of mind-numbingly running some bash script someone put on the internet, or pulling the package down from a package manager, I have to use my brain and think about the commands I am going to run in my bash prompt, following a path off the beaten track to install this VPN.
Where there's a will there's a way, and I damn sure wanted this, so I was getting this package on my server whatever it took. It looked like this:
```shell
sudo yum install libmnl-devel elfutils-libelf-devel kernel-devel pkgconfig "@Development Tools"
# Make sure this next one is up to date!
wget https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191212.tar.xz
# Extract
tar -xf WireGuard-0.0.20191212.tar.xz
cd WireGuard-0.0.20191212/src
make
sudo make install
```
And voilà, it's installed!
Generate Server Public and Private Keys only root can read
```shell
# Drop into an interactive root shell first: sudo -i starts in root's home
# directory, so the cd has to come after it or the keys land in /root
sudo -i
# Change to the wireguard directory
cd /etc/wireguard/
# Any file created from now on is only readable or writable by the owner, root
umask 077
# Generate keys
wg genkey | tee privatekey | wg pubkey > publickey
```
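The umask only matters if the files actually came out the way you expected, so here is an added check, my own code and not part of the post, that verifies what the steps above should have produced: the directory and the private key are root-owned (uid 0 assumed; pass your own uid to test elsewhere), not group/other readable, not symlinks, and the key file really holds a 44-character base64 WireGuard key (32 random bytes). It also covers `*.conf` files, which embed `PrivateKey`, and the file names `privatekey` and `publickey` are taken from the post.

```python
import base64
import os
import stat

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def looks_like_wg_key(text):
    """A WireGuard key is 32 random bytes, base64-encoded: 44 chars ending in '='."""
    text = text.strip()
    if len(text) != 44 or not text.endswith("="):
        return False
    try:
        return len(base64.b64decode(text, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def check_secret_file(path, expected_uid=0, require_key=True):
    """Return findings for one file holding a private key; [] means it passes.

    require_key=False is used for *.conf files, which contain more than the key."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink, refusing to inspect"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & GROUP_OR_OTHER:
        findings.append(f"{path}: mode {mode:04o} grants group/other access (want 0600)")
    if require_key:
        try:
            with open(path) as fh:
                if not looks_like_wg_key(fh.read()):
                    findings.append(f"{path}: contents are not a 44-char base64 WireGuard key")
        except PermissionError:
            findings.append(f"{path}: not readable by this user, run the check as root")
    return findings


def check_wireguard_dir(directory="/etc/wireguard", expected_uid=0):
    """Check the directory mode plus 'privatekey' and every *.conf inside it."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(directory).st_mode)
    if dir_mode & GROUP_OR_OTHER:
        findings.append(f"{directory}: mode {dir_mode:04o} grants group/other access (want 0700)")
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if name == "privatekey":
            findings += check_secret_file(full, expected_uid, require_key=True)
        elif name.endswith(".conf"):
            findings += check_secret_file(full, expected_uid, require_key=False)
    return findings


if __name__ == "__main__":
    for finding in check_wireguard_dir() or ["/etc/wireguard looks fine"]:
        print(finding)
```

Run it as root right after the key generation; an empty result means the umask did its job. The directory check matters as much as the file check, since a 0755 directory still lets anyone list which peers exist.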
The `/etc/wireguard/wg0.conf` file on the server hosting the VPN should look like this:
```ini
[Interface]
Address = 192.168.2.1
PrivateKey = ENV['SERVER_PRIVATE_KEY_HERE']
ListenPort = 54321
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = ENV['PHONE_PUBLIC_KEY']
AllowedIPs = 192.168.2.2/32

[Peer]
PublicKey = ENV['LAPTOP_PUBLIC_KEY']
AllowedIPs = 192.168.2.3/32
```
After this config file is created, run `wg-quick up wg0` and the VPN will be up on the server side.
PostUp adds, and PostDown removes, the forwarding and NAT masquerade rules on eth0 that let clients reach the internet with their traffic tunnelled through the VPN.
The client config should look something similar to this (this example comes from my phone):
```ini
[Interface]
Address = 192.168.2.2/32
PrivateKey = ENV['CLIENT_PRIVATE_KEY']

[Peer]
PublicKey = ENV['SERVER_PUBLIC_KEY']
Endpoint = ['SERVER_IP_ADDRESS']:54321
AllowedIPs = 0.0.0.0/0
```
`AllowedIPs = 0.0.0.0/0` in the client's [Peer] section means traffic to any destination IP is sent through the tunnel to that peer, i.e. a full-tunnel VPN.
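The server and client files above are short, but the mistakes that bite are easy to make in them: two peers claiming the same AllowedIPs, a full-tunnel client with no DNS line, or a PostDown that no longer mirrors PostUp. As an added example, my own code and not from the post, here is a small wg-quick config checker for both the server and the client files. It parses the INI-like format by hand because `configparser` would silently merge the repeated [Peer] sections. The embedded sample configs are constructed copies of the ones above; the key strings and the endpoint 203.0.113.10 are placeholders.

```python
import ipaddress

# Constructed samples mirroring the post's two configs (placeholder keys/endpoint).
SERVER_CONF = """\
[Interface]
Address = 192.168.2.1
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 54321
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.2.2/32

[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.2.3/32
"""

PHONE_CONF = """\
[Interface]
Address = 192.168.2.2/32
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:54321
AllowedIPs = 0.0.0.0/0
"""


def parse_wg_conf(text):
    """Return (interface, peers): a dict for [Interface] and a list of dicts,
    one per [Peer] section, in file order."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return interface, peers


def check_wg_conf(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    interface, peers = parse_wg_conf(text)
    findings = []
    for required in ("Address", "PrivateKey"):
        if required not in interface:
            findings.append(f"[Interface] is missing {required}")
    if "Address" in interface:
        try:
            ipaddress.ip_interface(interface["Address"])
        except ValueError:
            findings.append(f"[Interface] Address {interface['Address']!r} is not a valid address")
    seen = []  # (peer index, network) pairs already claimed by earlier peers
    for i, peer in enumerate(peers, 1):
        if "PublicKey" not in peer:
            findings.append(f"peer {i} has no PublicKey")
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        if not nets:
            findings.append(f"peer {i} has no AllowedIPs, so no traffic will be routed to it")
        for net in nets:
            for j, other in seen:
                if net.overlaps(other):
                    findings.append(f"peer {i} AllowedIPs {net} overlaps peer {j} ({other})")
            # Full-tunnel client with no DNS line: the post's phone problem.
            if net.prefixlen == 0 and "DNS" not in interface:
                findings.append(f"peer {i} routes everything ({net}) but [Interface] has no DNS line")
        seen.extend((i, net) for net in nets)
    post_up, post_down = interface.get("PostUp", ""), interface.get("PostDown", "")
    if post_up and not post_down:
        findings.append("PostUp has no PostDown, so its iptables rules outlive the interface")
    elif post_up and post_up.replace(" -A ", " -D ") != post_down:
        findings.append("PostDown does not mirror PostUp (expected the same rules with -A swapped for -D)")
    return findings


if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("phone", PHONE_CONF)):
        print(name, check_wg_conf(conf) or "ok")
```

The server sample comes back clean; the phone sample gets one finding, the missing DNS line. One thing no config check can see: the FORWARD rules in PostUp only pass traffic if the kernel has IP forwarding enabled (`net.ipv4.ip_forward=1`), so confirm that on the server separately.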
After generating the peer configuration file for my phone, and while still ssh'ed into the server, I ran `qrencode -t ansiutf8 < phone.conf`, which generated a pretty QR code for me to scan and easily import the configuration onto my phone.
Initial Phone Issues
From my phone I scanned the QR code from the WireGuard app and ran into an issue with WireGuard not routing any external traffic. To fix this, I added a DNS provider (18.104.22.168) and checked whether my DNS was being leaked. After setting the DNS, everything was working and I was able to connect both internally to my laptop on my home network and to external websites. I was then able to confirm this worked by routing through the network at work :) .