VPN for 2.99€/month
Here are some quick notes about running your own Wireguard VPN on an OVH VPS.
These notes follow pretty much the howto from Kudelski above, with the following differences:
- how to dist-upgrade the VPS
- solving a little chicken & egg problem concerning the client public key known by the server
- less detailed so go back to the original links for more details
Wireguard is now available for many distributions including Debian Unstable. It requires a fairly recent kernel and even if older distros could probably be used,
wg-quick is expecting recent versions of
iproute2 syntax, therefore we choose to update the VPS to the freshly new Debian 9 Stretch.
Step 1 is to buy a VPS instance, the cheapest one is at the moment of writing the "VPS SSD 1": 1 vCore, 2.4GHz, 2Gb RAM, 10Gb SSD.
Check if a Debian 9 image is available officially by OVH. At time of writing, only Debian 7 and Debian 8 were available, therefore these notes no how to upgrade the Debian 8 to Debian 9.
You'll get a mail with its IP and a root password for ssh.
All commands are executed as root, both on the server and on the client.
/etc/apt/sources.list: jessie -> stretch
deb http://ftp.debian.org/debian/ stretch main deb http://security.debian.org/ stretch/updates main
When I did it 5 days after Debian Stretch release, I got a gpg error about the distro key being not found, which seemed normal at that point, yolo!
apt-get upgrade apt-get dist-upgrade
Two configuration files were prompted to validate the changes.
--- /etc/ssh/ssh_config 2017-06-21 11:25:20.572000000 +0200 +++ /etc/ssh/ssh_config.dpkg-new 2017-03-30 12:19:04.000000000 +0200 - GSSAPIDelegateCredentials no -UseRoaming no
We can accept that change,
GSSAPIDelegateCredentials no is already the default value and
UseRoaming no was a workaround for CVE-2016-0777, now fixed ().
The other configuration file is
/etc/cloud/cloud.cfg. We may accept the changes but we've to re-inject the configuration lines specific to this VPS (adapt to yours):
--- cloud.cfg 2017-02-02 14:23:41.000000000 +0100 +++ cloud.cfg 2017-06-23 09:01:44.351556105 +0200 @@ -1,3 +1,5 @@ +ssh_pwauth: 1 +hostname: vps123456.ovh.net # The top level settings are used as module # and system configuration. @@ -8,11 +10,12 @@ - default # If this is set, 'root' will not be able to ssh in and they. # will get a message to login instead as the above $user (debian) -disable_root: true +disable_root: 0 # This will cause the set+update hostname module to not operate (if true) -preserve_hostname: false +preserve_hostname: vps123456.ovh.net +manage_etc_hosts: true # Example datasource config # datasource:. @@ -84,6 +87,8 @@ # Default user name + that default users groups (if added/used) default_user: name: debian + sudo: ["ALL=(ALL) NOPASSWD:ALL"] + shell: /bin/bash lock_passwd: True gecos: Debian groups: [adm, audio, cdrom, dialout, dip, floppy, netdev, plugdev, sudo, video]
Once upgraded, Debian Stretch allows you to use ed25519 SSH keys so it's the good time to move from the hardcoded OVH password to a public key authentication (ssh-copy-id etc). Remember the VPS comes completely naked and exposed to the Net, up to you to make it more secure and suited to your needs.
Now restart your instance from the OVH management console, to make sure everything is ok.
On the server:
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list printf 'Package: *\nPin: release a=unstable\nPin-Priority: 200\n' > /etc/apt/preferences.d/limit-unstable apt update apt install wireguard-dkms wireguard-tools sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf sysctl -p umask u=rwx,go= && cat > /etc/wireguard/wg0.conf << _EOF [Interface] Address = 192.168.3.1/24 ListenPort = 51820 PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE PrivateKey = $(wg genkey) SaveConfig = true _EOF
Adapt the configuration above to your output interface if needed, should be
eth0 on an OVH VPS.
wg-quick up wg0 wg show
It will display the server public key, take note of it.
On the client:
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list printf 'Package: *\nPin: release a=unstable\nPin-Priority: 200\n' > /etc/apt/preferences.d/limit-unstable apt update apt install wireguard-dkms wireguard-tools umask u=rwx,go= && cat > /etc/wireguard/wg0.conf << _EOF [Interface] Address = 192.168.3.2 PostUp = echo nameserver 126.96.36.199 | resolvconf -a tun.%i -m 0 -x PostDown = resolvconf -d tun.%i PrivateKey = $(wg genkey) [Peer] PublicKey = COPY_SERVER_PUBLIC_KEY_HERE AllowedIPs = 0.0.0.0/0 Endpoint = COPY_SERVER_PUBLIC_IP_HERE:51820 _EOF
Adapt the nameserver IP to your taste.
wg-quick up wg0 wg show
It will display the client public key, take note of it.
On the server, complete the configuration with the client public key:
wg set wg0 peer COPY_CLIENT_PUB_KEY_HERE allowed-ips COPY_CLIENT_VPN_IP_HERE/32
It will be saved automatically in
/etc/wireguard/wg0.conf next time the VPN is brought down.
On the client, you can now activate and deactivate the VPN with:
wg-quick up wg0 wg-quick down wg0