Wireguard

From YobiWiki
Jump to navigation Jump to search

VPN for 2.99€/month

Here are some quick notes about running your own Wireguard VPN on an OVH VPS.

Links

These notes follow pretty much the howto from Kudelski above, with the following differences:

  • how to dist-upgrade the VPS
  • solving a little chicken & egg problem concerning the client public key known by the server
  • less detailed so go back to the original links for more details

Howto

Wireguard is now available for many distributions including Debian Unstable. It requires a fairly recent kernel and even if older distros could probably be used, wg-quick is expecting recent versions of iproute2 syntax, therefore we choose to update the VPS to the freshly new Debian 9 Stretch.

Step 1 is to buy a VPS instance, the cheapest one is at the moment of writing the "VPS SSD 1": 1 vCore, 2.4GHz, 2Gb RAM, 10Gb SSD.

Check if a Debian 9 image is available officially by OVH. At time of writing, only Debian 7 and Debian 8 were available, therefore these notes no how to upgrade the Debian 8 to Debian 9.

You'll get a mail with its IP and a root password for ssh.

All commands are executed as root, both on the server and on the client.

VPS dist-upgrade

Edit /etc/apt/sources.list: jessie -> stretch

deb http://ftp.debian.org/debian/ stretch main
deb http://security.debian.org/ stretch/updates main
apt-get update

When I did it 5 days after Debian Stretch release, I got a gpg error about the distro key being not found, which seemed normal at that point, yolo!

apt-get upgrade
apt-get dist-upgrade

Two configuration files were prompted to validate the changes.

--- /etc/ssh/ssh_config 2017-06-21 11:25:20.572000000 +0200
+++ /etc/ssh/ssh_config.dpkg-new        2017-03-30 12:19:04.000000000 +0200
-    GSSAPIDelegateCredentials no
-UseRoaming no

We can accept that change, GSSAPIDelegateCredentials no is already the default value and UseRoaming no was a workaround for CVE-2016-0777, now fixed ([1]).

The other configuration file is /etc/cloud/cloud.cfg. We may accept the changes but we've to re-inject the configuration lines specific to this VPS (adapt to yours):

--- cloud.cfg 2017-02-02 14:23:41.000000000 +0100
+++ cloud.cfg 2017-06-23 09:01:44.351556105 +0200
@@ -1,3 +1,5 @@
+ssh_pwauth: 1
+hostname: vps123456.ovh.net
 # The top level settings are used as module
 # and system configuration.
 
@@ -8,11 +10,12 @@
    - default
 
 # If this is set, 'root' will not be able to ssh in and they.
 # will get a message to login instead as the above $user (debian)
-disable_root: true
+disable_root: 0
 
 # This will cause the set+update hostname module to not operate (if true)
-preserve_hostname: false
+preserve_hostname: vps123456.ovh.net
+manage_etc_hosts: true
 
 # Example datasource config
 # datasource:.
@@ -84,6 +87,8 @@
    # Default user name + that default users groups (if added/used)
    default_user:
      name: debian
+     sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+     shell: /bin/bash
      lock_passwd: True
      gecos: Debian
      groups: [adm, audio, cdrom, dialout, dip, floppy, netdev, plugdev, sudo, video]

Once upgraded, Debian Stretch allows you to use ed25519 SSH keys so it's the good time to move from the hardcoded OVH password to a public key authentication (ssh-copy-id etc). Remember the VPS comes completely naked and exposed to the Net, up to you to make it more secure and suited to your needs.

Now restart your instance from the OVH management console, to make sure everything is ok.

Installing Wireguard

On the server:

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 200\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard-dkms wireguard-tools
sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sysctl -p
umask u=rwx,go= && cat > /etc/wireguard/wg0.conf << _EOF
[Interface]
Address = 192.168.3.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PrivateKey = $(wg genkey)
SaveConfig = true
_EOF

Adapt the configuration above to your output interface if needed, should be eth0 on an OVH VPS.

wg-quick up wg0
wg show

It will display the server public key, take note of it.

On the client:

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 200\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard-dkms wireguard-tools
umask u=rwx,go= && cat > /etc/wireguard/wg0.conf << _EOF
[Interface]
Address = 192.168.3.2
PostUp = echo nameserver 8.8.8.8 | resolvconf -a tun.%i -m 0 -x
PostDown = resolvconf -d tun.%i
PrivateKey = $(wg genkey)

[Peer]
PublicKey = COPY_SERVER_PUBLIC_KEY_HERE
AllowedIPs = 0.0.0.0/0
Endpoint = COPY_SERVER_PUBLIC_IP_HERE:51820
_EOF

Adapt the nameserver IP to your taste.

wg-quick up wg0
wg show

It will display the client public key, take note of it.

On the server, complete the configuration with the client public key:

wg set wg0 peer COPY_CLIENT_PUB_KEY_HERE allowed-ips COPY_CLIENT_VPN_IP_HERE/32

It will be saved automatically in /etc/wireguard/wg0.conf next time the VPN is brought down.

On the client, you can now activate and deactivate the VPN with:

wg-quick up wg0
wg-quick down wg0