How to set up your own VPN using WireGuard on Ubuntu 20.04

So you want to forward all your traffic through a cloud server, including your DNS? This is a good way to protect your traffic on insecure networks, and WireGuard performs very well. It also has the side benefit of bypassing AT&T Wireless's transparent HTTP proxy, which has performance issues. Read on.

Allow UDP port 51820 in through the firewall of whatever cloud service you are using (a network security group rule in Azure's case).

Allow WireGuard and DNS through the local ufw firewall. DNS is mostly UDP, with TCP only as a fallback for large answers, and only the VPN clients need to reach the resolver, so don't open port 53 to the world; 10.5.5.0/24 is the tunnel subnet used in the configs below:

ufw allow proto udp from any to any port 51820
ufw allow proto udp from 10.5.5.0/24 to any port 53
ufw allow proto tcp from 10.5.5.0/24 to any port 53

WireGuard

From: www.stavros.io/posts/how…

Install WireGuard on both client and server, then create a key pair on each:

apt install wireguard
# create keys on both
cd /etc/wireguard
umask 077  # files are created root-only, so the private key is never world-readable, not even briefly
wg genkey | tee privatekey | wg pubkey > publickey
nano -w wg0.conf

Server conf

On the server, AllowedIPs is both a route and an access list: a packet arriving from a peer is only accepted if its source address falls inside that peer's AllowedIPs, so give every client its own /32.

[Interface]
Address = 10.5.5.1/24
PrivateKey = <server privatekey>
ListenPort = 51820

[Peer]
PublicKey = <first client publickey>
AllowedIPs = 10.5.5.5/32

[Peer]
PublicKey = <second client publickey>
AllowedIPs = 10.5.5.25/32

Client conf

[Interface]
Address = 10.5.5.25/32
PrivateKey = <client privatekey>
#DNS = 10.5.5.1 #Server caching dnsmasq that forwards to Azure in my case
#DNS = 168.63.129.16 #Azure
#DNS = 1.1.1.1 #Cloudflare
DNS = 176.103.130.130, 176.103.130.131 #AdGuard

[Peer]
PublicKey = <server publickey>
Endpoint = <serverip>:51820
# Full tunnel. If the client has IPv6, use "0.0.0.0/0, ::/0" instead,
# otherwise IPv6 traffic goes around the tunnel.
AllowedIPs = 0.0.0.0/0
# Split tunnel instead: only the VPN subnet goes through the server.
#AllowedIPs = 10.5.5.0/24

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

To turn your conf file into a QR code for the mobile apps, install qrencode (apt install qrencode) and use:

qrencode -t ansiutf8 < wg0.conf

The QR code contains the private key, so show it on a trusted screen only and don't save it anywhere.

Start WireGuard on server and client

sudo wg-quick up wg0
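Before bringing the tunnel up it is worth linting the files, because wg-quick will happily load a config that leaks. The checker below is an added example, not code from the original post or from the WireGuard project: it parses the INI-style format wg-quick reads (`#` starts a comment, keys may repeat) and flags the mistakes that are easy to make with the configs above: a split-tunnel AllowedIPs naming the client's own address, a full tunnel with 0.0.0.0/0 but no ::/0 or no DNS entry, two server peers claiming the same prefix, and a server Address without its /24 prefix. The sample configs, the placeholder keys and the 203.0.113.10 endpoint (standing in for <serverip>) are constructed for the example.

```python
"""Lint a wg-quick wg0.conf for the pitfalls this post runs into. Added example,
not code from the original post or the WireGuard project. The sample configs are
constructed: keys are placeholders, 203.0.113.10 stands in for <serverip>."""
import base64
import ipaddress

def parse_wg_conf(text):
    """{"Interface": {...}, "Peers": [{...}, ...]}; '#' starts a comment as in wg-quick."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            # merge repeated keys (wg-quick allows several Address/AllowedIPs lines)
            current[key] = f"{current[key]}, {value}" if key in current else value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return {"Interface": interface, "Peers": peers}

def valid_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def lint_wg_conf(text, role):
    """Return a list of findings for a 'server' or 'client' config; [] means clean."""
    conf = parse_wg_conf(text)
    iface, peers, findings = conf["Interface"], conf["Peers"], []
    if not valid_key(iface.get("PrivateKey", "")):
        findings.append("Interface.PrivateKey is not a 32-byte base64 key")
    addrs = [ipaddress.ip_interface(a) for a in _csv(iface.get("Address", ""))]
    claimed = {}  # AllowedIPs network -> index of the first peer that claimed it
    for i, peer in enumerate(peers):
        if not valid_key(peer.get("PublicKey", "")):
            findings.append(f"Peer {i}: PublicKey is not a 32-byte base64 key")
        nets = [ipaddress.ip_network(n, strict=False) for n in _csv(peer.get("AllowedIPs", ""))]
        for net in nets:
            if net in claimed:  # the kernel keeps only the last peer that claims a prefix
                findings.append(f"Peer {i}: AllowedIPs {net} already claimed by peer {claimed[net]}")
            claimed.setdefault(net, i)
            if net.prefixlen == net.max_prefixlen and any(a.ip == net.network_address for a in addrs):
                findings.append(f"Peer {i}: AllowedIPs {net} is this host's own tunnel address")
            if role == "server" and net.prefixlen == 0:
                findings.append(f"Peer {i}: {net} on a server peer routes all server traffic into that tunnel")
            elif role == "server" and not any(a.version == net.version and net.subnet_of(a.network) for a in addrs):
                findings.append(f"Peer {i}: AllowedIPs {net} is outside every Interface.Address network; "
                                "give Address the tunnel prefix, e.g. 10.5.5.1/24")
        if role == "client":
            full_v4 = any(n.version == 4 and n.prefixlen == 0 for n in nets)
            full_v6 = any(n.version == 6 and n.prefixlen == 0 for n in nets)
            if full_v4 and not full_v6:
                findings.append(f"Peer {i}: 0.0.0.0/0 without ::/0, IPv6 bypasses the tunnel on dual-stack networks")
            if full_v4 and "DNS" not in iface:
                findings.append("full tunnel without Interface.DNS: queries still go to the local network's resolver")
    return findings

def placeholder_key(n):  # 32 bytes of n, base64 like `wg genkey` output; a constructed placeholder, NOT a real key
    return base64.b64encode(bytes([n]) * 32).decode()

SERVER_CONF = f"""[Interface]
Address = 10.5.5.1/24
PrivateKey = {placeholder_key(1)}
ListenPort = 51820

[Peer]
PublicKey = {placeholder_key(2)}
AllowedIPs = 10.5.5.5/32

[Peer]
PublicKey = {placeholder_key(3)}
AllowedIPs = 10.5.5.25/32
"""

CLIENT_CONF = f"""[Interface]
Address = 10.5.5.25/32
PrivateKey = {placeholder_key(4)}
DNS = 10.5.5.1  # the server's dnsmasq

[Peer]
PublicKey = {placeholder_key(5)}
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

# The post's commented-out "split tunnel" line, AllowedIPs = 10.5.5.25/32, taken literally.
BAD_CLIENT_CONF = CLIENT_CONF.replace("AllowedIPs = 0.0.0.0/0, ::/0", "AllowedIPs = 10.5.5.25/32")
```

`lint_wg_conf(SERVER_CONF, "server")` and `lint_wg_conf(CLIENT_CONF, "client")` come back empty, while `BAD_CLIENT_CONF` is flagged because a peer whose AllowedIPs is the client's own address can never carry traffic to the server. Run it against your real files with `lint_wg_conf(open("/etc/wireguard/wg0.conf").read(), "client")` as root.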

Securing and running on startup

After you’re done, run the following to make the directory and files readable only by administrators (it does contain secret keys, after all):

sudo chown -R root:root /etc/wireguard/
sudo chmod -R og-rwx /etc/wireguard/*

After you’ve created and secured the file, you can easily set WireGuard to initialize the VPN on startup if your OS is using systemd:

sudo systemctl enable wg-quick@wg0

Similarly, to start or stop the service:

sudo systemctl start wg-quick@wg0
sudo systemctl stop wg-quick@wg0

DNS

From: askubuntu.com/questions/…

Install openresolv on the client (wg-quick needs a resolvconf to apply the DNS= line from the config)

apt install openresolv

Install dnsmasq on the server

apt install dnsmasq
nano -w /etc/dnsmasq.conf

and set the following. dnsmasq takes one address per server= line, so the AdGuard alternative is two lines, not a comma-separated pair:

# upstream: Azure's resolver
server=168.63.129.16
# AdGuard instead:
#server=176.103.130.130
#server=176.103.130.131
# only use the server= lines above, never whatever is in /etc/resolv.conf
no-resolv
# answer only on loopback and the tunnel address, not on the public interface
interface=lo
listen-address=10.5.5.1
bind-interfaces

Make dnsmasq start after our wg-quick service; with bind-interfaces it needs 10.5.5.1 to exist at the moment it binds:

systemctl edit dnsmasq

paste

[Unit]
After=wg-quick@wg0.service
Requires=wg-quick@wg0.service

Firewall

From: ubuntu.com/server/docs/s…

Make sure to edit the firewall policies in your cloud server's management dashboard as well to allow UDP port 51820. In my case, Azure.

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
51820/udp                  ALLOW       Anywhere
53/udp                     ALLOW       10.5.5.0/24
53/tcp                     ALLOW       10.5.5.0/24

In /etc/default/ufw, change DEFAULT_FORWARD_POLICY to "ACCEPT":

DEFAULT_FORWARD_POLICY="ACCEPT"

This forwards between all interfaces. A tighter alternative is to leave the policy at "DROP" and permit only the tunnel with ufw route allow in on wg0 out on eth0.

Then edit /etc/ufw/sysctl.conf and uncomment:

net/ipv4/ip_forward=1

Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade traffic from the tunnel subnet out of the public interface.
# eth0 is the public interface on Azure; confirm yours with: ip route show default
-A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

Then restart ufw so the new rules take effect:

sudo service ufw restart

Test: check what your public IP is from the client and run a DNS leak test; both should show the server, not your local network

GNOME Shell indicator extension: extensions.gnome.org/ext…

Add a quicklaunch shortcut: blog.linuxserver.io/2019…
