So want to forward all your traffic through a cloud server, including your DNS? This is a great way to protect your traffic when using insecure WiFi. WireGuard performs very well. This also has the side benefit of bypassing AT&T Wireless’s transparent HTTP proxy, which has performance issues. Read on.
Allow udp port 51820 through your firewall in whatever cloud service you are using.
Allow tWireguard and DNS through local ufw firewall
ufw allow proto udp from any to any port 51820
ufw allow proto tcp from any to any port 53
WireGuard
From: www.stavros.io/posts/how…
Install Wireguard on both client and server
apt install wireguard
#create keys on both
cd /etc/wireguard
umask 077 # This makes sure credentials don't leak in a race condition.
wg genkey | tee privatekey | wg pubkey > publickey
nano -w wg0.conf
Server conf
[Interface]
Address = 10.5.5.1
PrivateKey =
ListenPort = 51820
[Peer]
PublicKey =
AllowedIPs = 10.5.5.5/32
[Peer]
PublicKey =
AllowedIPs = 10.5.5.25/32
Client conf
Interface]
Address = 10.5.5.25
PrivateKey =
#DNS = 10.5.5.1 #Server caching dnsmasq that forwards to azure in my case
#DNS = 168.63.129.16 #Azure
#DNS = 1.1.1.1 #Cloudflare
DNS = 176.103.130.130, 176.103.130.131 #AdGuard
[Peer]
PublicKey =
Endpoint = <serverip>:51820
AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.5.5.25/32
# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25
To turn your conf file into a qr code use:
qrencode -t ansiutf8 < wg0.conf
Start wireguard on server and client
sudo wg-quick up wg0
Securing and running on startup
After you’re done, run the following to make the directory and files readable only by administrators (it does contain secret keys, after all):
sudo chown -R root:root /etc/wireguard/
sudo chmod -R og-rwx /etc/wireguard/*
After you’ve created and secured the file, you can easily set WireGuard to initialize the VPN on startup if your OS is using systemd
:
sudo systemctl enable [email protected]
Similarly, to start or stop the service:
sudo systemctl start [email protected] sudo systemctl stop [email protected]
DNS
From: askubuntu.com/questions/…
Install openresolv on client
apt install openresolv
Install dnsmasq on server
apt install dnsmasq
nano -w /etc/dnsmasq.conf
server=168.63.129.16 #Azure
#server=176.103.130.130, 176.103.130.131 #Adguard
interface=lo
listen-address=10.5.5.1
bind-interfaces
Make DNSMasq start after our wg-quick service:
systemctl edit dnsmasq
paste
[Unit]
[email protected]
[email protected]
Firewall
From: ubuntu.com/server/docs/s…
Make sure to edit the firewall policy’s in your cloud server’s management dashboard as well to allow port 52820. In my case, Azure.
sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
51820 ALLOW Anywhere
53 ALLOW Anywhere
/etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”:
DEFAULT_FORWARD_POLICY="ACCEPT"
Then edit /etc/ufw/sysctl.conf and uncomment:
net/ipv4/ip_forward=1
Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
sudo service ufw restart
Test what is my ip, and dns leak
Gnome shell Indicator extension: extensions.gnome.org/ext…
Add a quicklaunch shortcut: blog.linuxserver.io/2019…