So, you want to forward all your traffic through a cloud server, including your DNS? This is a great way to protect your traffic when using insecure WiFi. WireGuard performs very well. This also has the side benefit of bypassing AT&T Wireless’s transparent HTTP proxy, which has performance issues. Read on.
Install and Configure WireGuard
Note: for the client configuration to work you must first have a working wireguard server.
#become root sudo -i #install wireguard apt install wireguard #create keys cd /etc/wireguard umask 077 # This makes sure credentials don't leak in a race condition. wg genkey | tee privatekey | wg pubkey > publickey #edit the config nano -w wg0.conf
Client (Example config file) – wg0.conf
Add the client private key, the server public key, and the server IP address.
[Interface] Address = 10.5.5.25 PrivateKey = client private key #-------------DNS #DNS = 10.5.5.1 #Server caching dnsmasq that forwards to azure in my case #DNS = 18.104.22.168 #Azure #DNS = 22.214.171.124 #Cloudflare DNS = 126.96.36.199, 188.8.131.52 #AdGuard #-------------MTU MTU = 1280 #This may need to be changed depending on your connection to the internet. #MTU = 1384 MTU = 1360 #-------------MSS Clamping #PostUp = iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu #PostDown = iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu [Peer] PublicKey = server public key Endpoint = server IP address:51820 #AllowedIPs = 0.0.0.0/0 #Use this if you want all your traffic to pass through the VPN AllowedIPs = 10.5.5.25/32 # This is for if you're behind a NAT and # want the connection to be kept alive. PersistentKeepalive = 25
Server (Example config file) – wg0.conf
Add the server private key, and each client’s public key.
[Interface] Address = 10.5.5.1 PrivateKey = ListenPort = 51820 [Peer] PublicKey = AllowedIPs = 10.5.5.5/32 [Peer] PublicKey = AllowedIPs = 10.5.5.25/32
After you’re done, run the following to make the directory and files readable only by administrators (it does contain secret keys, after all):
exit # exit root
sudo chown -R root:root /etc/wireguard/ sudo chmod -R og-rwx /etc/wireguard/*
Start and test wireguard
On both server, and client run:
sudo wg-quick up wg0; wg #to bring it down sudo wg-quick down wg0
Automatically run at startup
After you’ve created and secured the file, you can easily set WireGuard to initialize the VPN on startup if your OS is using
sudo systemctl enable [email protected]
Similarly, to start or stop the service:
sudo systemctl start [email protected] sudo systemctl stop [email protected]
To turn your conf file into a qr code use:
qrencode -t ansiutf8 < wg0.conf
Set up DNS on the server
Install openresolv on client
apt install openresolv
Install dnsmasq on server
apt install dnsmasq nano -w /etc/dnsmasq.conf
server=184.108.40.206 #Azure #server=220.127.116.11, 18.104.22.168 #Adguard interface=lo listen-address=10.5.5.1 bind-interfaces
Make DNSMasq start after our wg-quick service:
systemctl edit dnsmasq
Firewall on server
Allow udp port 51820 through your firewall in whatever cloud service you are using.
Allow Wireguard and DNS through local ufw firewall
ufw allow proto udp from any to any port 51820 ufw allow proto tcp from any to any port 53
Make sure to edit the firewall policy’s in your cloud server’s management dashboard as well to allow port 52820. In my case, Azure.
sudo ufw status Status: active To Action From -- ------ ---- 22 ALLOW Anywhere 51820 ALLOW Anywhere 53 ALLOW Anywhere
/etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”:
Then edit /etc/ufw/sysctl.conf and uncomment:
Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:
# nat Table rules *nat :POSTROUTING ACCEPT [0:0] # Forward traffic from eth1 through eth0. -A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE # don't delete the 'COMMIT' line or these nat table rules won't be processed COMMIT
sudo service ufw restart
Test what is my ip, and dns leak
Gnome shell Indicator extension: extensions.gnome.org/ext…
Add a quicklaunch shortcut: blog.linuxserver.io/2019…