Difference between revisions of "Wireguard"
(Created page with "=VPN for 2.99€/month= Here are some quick notes about running your own Wireguard VPN on an [https://www.ovh.ie/vps/vps-ssd.xml OVH VPS]. ==Links== * https://www.wireguard...") |
m |
||
(One intermediate revision by the same user not shown) | |||
Line 124: | Line 124: | ||
It will display the server public key, take note of it. |
It will display the server public key, take note of it. |
||
− | |||
⚫ | |||
− | wg-quick down wg0 |
||
− | </source> |
||
On the client: |
On the client: |
||
Line 158: | Line 154: | ||
It will display the client public key, take note of it. |
It will display the client public key, take note of it. |
||
− | |||
− | <source lang=bash> |
||
− | wg-quick down wg0 |
||
− | </source> |
||
On the server, complete the configuration with the client public key: |
On the server, complete the configuration with the client public key: |
||
<source lang=bash> |
<source lang=bash> |
||
+ | wg set wg0 peer COPY_CLIENT_PUB_KEY_HERE allowed-ips COPY_CLIENT_VPN_IP_HERE/32 |
||
− | cat >> /etc/wireguard/wg0.conf << _EOF |
||
⚫ | |||
+ | It will be saved automatically in <code>/etc/wireguard/wg0.conf</code> next time the VPN is brought down. |
||
− | [Peer] |
||
− | PublicKey = COPY_CLIENT_PUBLIC_KEY_HERE |
||
− | AllowedIPs = 192.168.3.2/32 |
||
− | _EOF |
||
− | wg-quick up wg0 |
||
− | </source> |
||
On the client, you can now activate and deactivate the VPN with: |
On the client, you can now activate and deactivate the VPN with: |
Latest revision as of 20:51, 24 June 2017
VPN for 2.99€/month
Here are some quick notes about running your own Wireguard VPN on an OVH VPS.
Links
- https://www.wireguard.io/install/
- https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/
- https://linuxconfig.org/how-to-upgrade-debian-8-jessie-to-debian-9-stretch
These notes follow pretty much the howto from Kudelski above, with the following differences:
- how to dist-upgrade the VPS
- solving a little chicken & egg problem concerning the client public key known by the server
- less detailed so go back to the original links for more details
Howto
Wireguard is now available for many distributions including Debian Unstable. It requires a fairly recent kernel and even if older distros could probably be used, wg-quick
is expecting recent versions of iproute2
syntax, therefore we choose to update the VPS to the freshly new Debian 9 Stretch.
Step 1 is to buy a VPS instance, the cheapest one is at the moment of writing the "VPS SSD 1": 1 vCore, 2.4GHz, 2Gb RAM, 10Gb SSD.
Check if a Debian 9 image is available officially by OVH. At time of writing, only Debian 7 and Debian 8 were available, therefore these notes no how to upgrade the Debian 8 to Debian 9.
You'll get a mail with its IP and a root password for ssh.
All commands are executed as root, both on the server and on the client.
VPS dist-upgrade
Edit /etc/apt/sources.list
: jessie -> stretch
deb http://ftp.debian.org/debian/ stretch main deb http://security.debian.org/ stretch/updates main
apt-get update
When I did it 5 days after Debian Stretch release, I got a gpg error about the distro key being not found, which seemed normal at that point, yolo!
apt-get upgrade apt-get dist-upgrade
Two configuration files were prompted to validate the changes.
--- /etc/ssh/ssh_config 2017-06-21 11:25:20.572000000 +0200
+++ /etc/ssh/ssh_config.dpkg-new 2017-03-30 12:19:04.000000000 +0200
- GSSAPIDelegateCredentials no
-UseRoaming no
We can accept that change, GSSAPIDelegateCredentials no
is already the default value and UseRoaming no
was a workaround for CVE-2016-0777, now fixed ([1]).
The other configuration file is /etc/cloud/cloud.cfg
. We may accept the changes but we've to re-inject the configuration lines specific to this VPS (adapt to yours):
--- cloud.cfg 2017-02-02 14:23:41.000000000 +0100
+++ cloud.cfg 2017-06-23 09:01:44.351556105 +0200
@@ -1,3 +1,5 @@
+ssh_pwauth: 1
+hostname: vps123456.ovh.net
# The top level settings are used as module
# and system configuration.
@@ -8,11 +10,12 @@
- default
# If this is set, 'root' will not be able to ssh in and they.
# will get a message to login instead as the above $user (debian)
-disable_root: true
+disable_root: 0
# This will cause the set+update hostname module to not operate (if true)
-preserve_hostname: false
+preserve_hostname: vps123456.ovh.net
+manage_etc_hosts: true
# Example datasource config
# datasource:.
@@ -84,6 +87,8 @@
# Default user name + that default users groups (if added/used)
default_user:
name: debian
+ sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+ shell: /bin/bash
lock_passwd: True
gecos: Debian
groups: [adm, audio, cdrom, dialout, dip, floppy, netdev, plugdev, sudo, video]
Once upgraded, Debian Stretch allows you to use ed25519 SSH keys so it's the good time to move from the hardcoded OVH password to a public key authentication (ssh-copy-id etc). Remember the VPS comes completely naked and exposed to the Net, up to you to make it more secure and suited to your needs.
Now restart your instance from the OVH management console, to make sure everything is ok.
Installing Wireguard
On the server:
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 200\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard-dkms wireguard-tools
sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sysctl -p
umask u=rwx,go= && cat > /etc/wireguard/wg0.conf << _EOF
[Interface]
Address = 192.168.3.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PrivateKey = $(wg genkey)
SaveConfig = true
_EOF
Adapt the configuration above to your output interface if needed, should be eth0
on an OVH VPS.
wg-quick up wg0
wg show
It will display the server public key, take note of it.
On the client:
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 200\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard-dkms wireguard-tools
umask u=rwx,go= && cat > /etc/wireguard/wg0.conf << _EOF
[Interface]
Address = 192.168.3.2
PostUp = echo nameserver 8.8.8.8 | resolvconf -a tun.%i -m 0 -x
PostDown = resolvconf -d tun.%i
PrivateKey = $(wg genkey)
[Peer]
PublicKey = COPY_SERVER_PUBLIC_KEY_HERE
AllowedIPs = 0.0.0.0/0
Endpoint = COPY_SERVER_PUBLIC_IP_HERE:51820
_EOF
Adapt the nameserver IP to your taste.
wg-quick up wg0
wg show
It will display the client public key, take note of it.
On the server, complete the configuration with the client public key:
wg set wg0 peer COPY_CLIENT_PUB_KEY_HERE allowed-ips COPY_CLIENT_VPN_IP_HERE/32
It will be saved automatically in /etc/wireguard/wg0.conf
next time the VPN is brought down.
On the client, you can now activate and deactivate the VPN with:
wg-quick up wg0
wg-quick down wg0