How to set up your own VPN using WireGuard on Ubuntu 20.04

Posted on by Jeffrey Hein

So want to forward all your traffic through a cloud server, including your DNS? This is a great way to protect your traffic when using insecure . WireGuard performs very well. Read on.

WireGuard

From: www.stavros.io/posts/how…

Install Wireguard on both client and server

apt install wireguard
#create keys on both
cd /etc/wireguard
umask 077  # This makes sure credentials don't leak in a race condition.
wg genkey | tee privatekey | wg pubkey > publickey
nano -w wg0.conf

Server conf

[Interface]
Address = 10.5.5.1
PrivateKey = 
ListenPort = 51820

[Peer]
PublicKey = 
AllowedIPs = 10.5.5.5/32

[Peer]
PublicKey = 
AllowedIPs = 10.5.5.25/32

Client conf

Interface]
Address = 10.5.5.25
PrivateKey =   
DNS = 10.5.5.1 #Server caching dnsmasq that forwards to systemd which forwards to azure in my case
#DNS = 168.63.129.16 #Azure
#DNS = 1.1.1.1 #Cloudflare

[Peer]
PublicKey =
Endpoint = <serverip>:59301
AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.5.5.25/32

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

Start wireguard on server and client

wg-quick up wg0

Securing and running on startup

After you’re done, run the following to make the directory and files readable only by administrators (it does contain secret keys, after all):

$ sudo chown -R root:root /etc/wireguard/
$ sudo chmod -R og-rwx /etc/wireguard/*

After you’ve created and secured the file, you can easily set WireGuard to initialize the VPN on startup if your OS is using systemd:

$ sudo systemctl enable [email protected]

Similarly, to start or stop the service:

$ sudo systemctl start [email protected]
$ sudo systemctl stop [email protected]

DNS

From: askubuntu.com/questions/…

Install openresolv on client

apt install openresolv

Install dnsmasq on server

apt install dnsmasq
nano -w /etc/dnsmasq.conf
server=127.0.0.53
interface=lo
listen-address=10.5.5.1
bind-interfaces

Make DNSMasq start after our wg-quick service:

systemctl edit dnsmasq

paste

[Unit]
[email protected]
[email protected]

Firewall

From: ubuntu.com/server/docs/s…

Make sure to edit the firewall policy’s in your cloud server’s management dashboard as well to allow port 52820. In my case, Azure.

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
51820                      ALLOW       Anywhere                  
53                         ALLOW       Anywhere

/etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”:

DEFAULT_FORWARD_POLICY="ACCEPT"

Then edit /etc/ufw/sysctl.conf and uncomment:

net/ipv4/ip_forward=1

Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

Test what is my ip, and dns leak

Gnome shell Indicator extension: extensions.gnome.org/ext…

Add a quicklaunch shortcut: blog.linuxserver.io/2019…

Tags: , , , ,

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.