How to set up your own VPN using WireGuard on Ubuntu 21.10

So, you want to forward all your traffic through a cloud server, including your DNS? This is a great way to protect your traffic when using insecure wifi. WireGuard performs very well. This also has the side benefit of bypassing AT&T Wireless's transparent HTTP proxy, which has performance issues. Read on.

Install and Configure WireGuard

From: www.stavros.io/posts/how…

Note: for the client configuration to work you must first have a working wireguard server.

#become root
sudo -i 

#install wireguard
apt install wireguard

#create keys
cd /etc/wireguard
umask 077  # This makes sure credentials don't leak in a race condition.
wg genkey | tee privatekey | wg pubkey > publickey
#edit the config
nano -w wg0.conf

Client (Example config file) – wg0.conf

Add the client private key, the server public key, and the server IP address.

[Interface]
Address = 10.5.5.25
PrivateKey = client private key

#-------------DNS
#DNS = 10.5.5.1 #Server caching dnsmasq that forwards to azure in my case
#DNS = 168.63.129.16 #Azure
#DNS = 1.1.1.1 #Cloudflare
DNS = 176.103.130.130, 176.103.130.131 #AdGuard

#-------------MTU
MTU = 1280 #This may need to be changed depending on your connection to the internet.
#MTU = 1384
MTU = 1360

#-------------MSS Clamping
#PostUp = iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#PostDown = iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


[Peer]
PublicKey = server public key
Endpoint = server IP address:51820
#AllowedIPs = 0.0.0.0/0 #Use this if you want all your traffic to pass through the VPN
AllowedIPs = 10.5.5.25/32

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

Server (Example config file) – wg0.conf

Add the server private key, and each client's public key.

[Interface]
Address = 10.5.5.1
PrivateKey = 
ListenPort = 51820

[Peer]
PublicKey = 
AllowedIPs = 10.5.5.5/32

[Peer]
PublicKey = 
AllowedIPs = 10.5.5.25/32

Securing

After you're done, run the following to make the directory and files readable only by administrators (it does contain secret keys, after all):

exit # exit root

sudo chown -R root:root /etc/wireguard/
sudo chmod -R og-rwx /etc/wireguard/*

Start and test wireguard

On both server, and client run:

sudo wg-quick up wg0; wg
#to bring it down
sudo wg-quick down wg0

Automatically run at startup

After you've created and secured the file, you can easily set WireGuard to initialize the VPN on startup if your OS is using systemd:

sudo systemctl enable [email protected]

Similarly, to start or stop the service:

sudo systemctl start [email protected]
sudo systemctl stop [email protected]

android or ios client

To turn your conf file into a qr code use:

Set up DNS on the server

From: askubuntu.com/questions/…

Install openresolv on client

apt install openresolv

Install dnsmasq on server

apt install dnsmasq
nano -w /etc/dnsmasq.conf

server=168.63.129.16 #Azure
#server=176.103.130.130, 176.103.130.131 #Adguard
interface=lo
listen-address=10.5.5.1
bind-interfaces

Make DNSMasq start after our wg-quick service:

systemctl edit dnsmasq

paste

[Unit]
[email protected]
[email protected]

Firewall on server

Allow udp port 51820 through your firewall in whatever cloud service you are using.

Allow Wireguard and DNS through local ufw firewall

ufw allow proto udp from any to any port 51820
ufw allow proto tcp from any to any port 53

From: ubuntu.com/server/docs/s…

Make sure to edit the firewall policy's in your cloud server's management dashboard as well to allow port 52820. In my case, Azure.

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
51820                      ALLOW       Anywhere                  
53                         ALLOW       Anywhere             

/etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”:

DEFAULT_FORWARD_POLICY="ACCEPT"

Then edit /etc/ufw/sysctl.conf and uncomment:

net/ipv4/ip_forward=1

Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

sudo service ufw restart

Test what is my ip, and dns leak

Gnome shell Indicator extension: extensions.gnome.org/ext…

Add a quicklaunch shortcut: blog.linuxserver.io/2019…