Wireguard
VPN for 2.99€/month
Here are some quick notes about running your own Wireguard VPN on an OVH VPS.
Links
- https://www.wireguard.io/install/
- https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/
- https://linuxconfig.org/how-to-upgrade-debian-8-jessie-to-debian-9-stretch
These notes follow pretty much the howto from Kudelski above, with the following differences:
- how to dist-upgrade the VPS
- solving a little chicken & egg problem concerning the client public key known by the server
- less detailed so go back to the original links for more details
Howto
Wireguard is now available for many distributions including Debian Unstable. It requires a fairly recent kernel and even if older distros could probably be used, wg-quick
is expecting recent versions of iproute2
syntax, therefore we choose to update the VPS to the freshly new Debian 9 Stretch.
Step 1 is to buy a VPS instance, the cheapest one is at the moment of writing the "VPS SSD 1": 1 vCore, 2.4GHz, 2Gb RAM, 10Gb SSD.
Check if a Debian 9 image is available officially by OVH. At time of writing, only Debian 7 and Debian 8 were available, therefore these notes no how to upgrade the Debian 8 to Debian 9.
You'll get a mail with its IP and a root password for ssh.
All commands are executed as root, both on the server and on the client.
VPS dist-upgrade
Edit /etc/apt/sources.list
: jessie -> stretch
deb http://ftp.debian.org/debian/ stretch main deb http://security.debian.org/ stretch/updates main
apt-get update
When I did it 5 days after Debian Stretch release, I got a gpg error about the distro key being not found, which seemed normal at that point, yolo!
apt-get upgrade apt-get dist-upgrade
Two configuration files were prompted to validate the changes.
--- /etc/ssh/ssh_config 2017-06-21 11:25:20.572000000 +0200
+++ /etc/ssh/ssh_config.dpkg-new 2017-03-30 12:19:04.000000000 +0200
- GSSAPIDelegateCredentials no
-UseRoaming no
We can accept that change, GSSAPIDelegateCredentials no
is already the default value and UseRoaming no
was a workaround for CVE-2016-0777, now fixed ([1]).
The other configuration file is /etc/cloud/cloud.cfg
. We may accept the changes but we've to re-inject the configuration lines specific to this VPS (adapt to yours):
--- cloud.cfg 2017-02-02 14:23:41.000000000 +0100
+++ cloud.cfg 2017-06-23 09:01:44.351556105 +0200
@@ -1,3 +1,5 @@
+ssh_pwauth: 1
+hostname: vps123456.ovh.net
# The top level settings are used as module
# and system configuration.
@@ -8,11 +10,12 @@
- default
# If this is set, 'root' will not be able to ssh in and they.
# will get a message to login instead as the above $user (debian)
-disable_root: true
+disable_root: 0
# This will cause the set+update hostname module to not operate (if true)
-preserve_hostname: false
+preserve_hostname: vps123456.ovh.net
+manage_etc_hosts: true
# Example datasource config
# datasource:.
@@ -84,6 +87,8 @@
# Default user name + that default users groups (if added/used)
default_user:
name: debian
+ sudo: ["ALL=(ALL) NOPASSWD:ALL"]
+ shell: /bin/bash
lock_passwd: True
gecos: Debian
groups: [adm, audio, cdrom, dialout, dip, floppy, netdev, plugdev, sudo, video]
Once upgraded, Debian Stretch allows you to use ed25519 SSH keys so it's the good time to move from the hardcoded OVH password to a public key authentication (ssh-copy-id etc). Remember the VPS comes completely naked and exposed to the Net, up to you to make it more secure and suited to your needs.
Now restart your instance from the OVH management console, to make sure everything is ok.
Installing Wireguard
On the server:
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 200\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard-dkms wireguard-tools
sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sysctl -p
umask u=rwx,go= && cat > /etc/wireguard/wg0.conf << _EOF
[Interface]
Address = 192.168.3.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PrivateKey = $(wg genkey)
SaveConfig = true
_EOF
Adapt the configuration above to your output interface if needed, should be eth0
on an OVH VPS.
wg-quick up wg0
wg show
It will display the server public key, take note of it.
wg-quick down wg0
On the client:
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 200\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard-dkms wireguard-tools
umask u=rwx,go= && cat > /etc/wireguard/wg0.conf << _EOF
[Interface]
Address = 192.168.3.2
PostUp = echo nameserver 8.8.8.8 | resolvconf -a tun.%i -m 0 -x
PostDown = resolvconf -d tun.%i
PrivateKey = $(wg genkey)
[Peer]
PublicKey = COPY_SERVER_PUBLIC_KEY_HERE
AllowedIPs = 0.0.0.0/0
Endpoint = COPY_SERVER_PUBLIC_IP_HERE:51820
_EOF
Adapt the nameserver IP to your taste.
wg-quick up wg0
wg show
It will display the client public key, take note of it.
wg-quick down wg0
On the server, complete the configuration with the client public key:
cat >> /etc/wireguard/wg0.conf << _EOF
[Peer]
PublicKey = COPY_CLIENT_PUBLIC_KEY_HERE
AllowedIPs = 192.168.3.2/32
_EOF
wg-quick up wg0
On the client, you can now activate and deactivate the VPN with:
wg-quick up wg0
wg-quick down wg0