You may not have a fixed IP at home or at work, and you may want to filter access to your WordPress to a specific IP. And for this we have VPNs.
While it is true that commercial VPNs vary IP addresses for security, it is possible to set up your own professional VPN, with your own control, and quite cheaply. A VPN can cost you about 10 euros per month (100 euros per year) but a VPN server on a VPS can cost you about 3 euros/ month, plus it will be just for you.
This tutorial has been created on a Clouding.io VPS. You can create your own VPS from 3€/month.
In addition, you have the possibility to create your VPS with the WordPress image in one click.
For this example we are going to have a server with Ubuntu 20, and nothing else. In principle, this system would allow it to be installed on any server, even on one that is already being used for other services.
IMPORTANT: Some providers have a firewall, so if provider does, you’ll need to open port 51820 (UDP) for connecting to WireGuard.
Configuring the server
The first thing we will do is update the server with Ubuntu. First we will set the time and universal time zone.
timedatectl set-timezone UTC timedatectl set-ntp on
Later we will make an update of the entire system.
apt -y update && apt -y upgrade && apt -y dist-upgrade && apt -y autoremove
We will install some useful tools.
apt -y install software-properties-common curl vim zip unzip apt-transport-https
And the installation of automatic security updates.
apt -y install unattended-upgrades dpkg-reconfigure -plow unattended-upgrades
As we are going to use this server to forward traffic, we have to validate that this is allowed. In the file we will look for these lines (they come by default deactivated). If they are, we will remove the # in front.
Leaving the settings on.
And we will activate the configuration.
Luckily, this VPN comes standard with Ubuntu 20, so we’ll simply have to install it.
apt -y install wireguard
As it requires control of the system kernel, we will validate that it is available.
modprobe wireguard lsmod | grep wireguard
If everything has gone well, we will see the following lines:
wireguard 212992 0 ip6_udp_tunnel 16384 1 wireguard udp_tunnel 16384 1 wireguard
Before we start we need to know some data.
Now we will have to see what network interface our server has. As a general rule we will see the “lo” (which is the one that calls the machine itself) and some other broadcast type that is the one that connects publicly to the internet. In our case it is “eth0”.
ip link show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 link/ether fa:16:3e:1f:91:a2 brd ff:ff:ff:ff:ff:ff
Now that we know where to connect, we’ll set up WireGuard. The first thing will be to access the configuration folder and establish a minimum security for those files.
cd /etc/wireguard umask 077
And we will create the security keys for this server.
wg genkey | tee server_private.key | wg pubkey | tee server_public.key
This will generate two files that we can see if we list them.
-rw------- 1 root root 45 Mar 20 11:04 server_private.key -rw------- 1 root root 45 Mar 20 11:04 server_public.key
To know the
That will return a code similar to this:
We will do the same to know the
That will return to us a code similar to this:
Now that we have the public and private keys, we will mount the Wireguard configuration. To do this we must create the configuration file.
And we will include the following content:
[Interface] Address = 10.0.0.1/24 SaveConfig = true ListenPort = 51820 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE PrivateKey = cBM+jwqXBH94Fyp5+qILQozfV7lEmnloZPWMdZY5KXQ= # Aquí pondremos la <Server_Private_Key>
The next thing we have to check is that the firewall of the machine allows traffic:
ufw route allow in on wg0 ufw allow 51820/udp
And now we can lift the WireGuard and establish it as a service, so that even if the machine is restarted, it will start up again automatically.
wg-quick up wg0 systemctl enable wg-quick@wg0
To know if everything has worked correctly, we can run a command and validate that WireGuard is active.
wg show wg0
That will show us something like this:
interface: wg0 public key: B+EXkrZs2xEQLrKskg+wlyWnN60kOnYTnwJTjZKlGjs= private key: (hidden) listening port: 51820
Configuring the WireGuard client
Now that we have the VPN server up and running, we have to configure the clients.
In this case, I will use the Windows example. Once installed, we will create a new, blank connection. This connection will generate a public key and a private key.
We have as an example the generated keys, which are:
cliente_private.key: IP3QLKKG4R2u/KO0Ek1WvBsUAhe099muBj+e6QviYF8= cliente_public.key: FaEbJJcA0V/6E8Z9uPNsVVT4QanvOREXXLkVkQ2ncgI=
With this data, and the server data, we can configure the account:
[Interface] PrivateKey = IP3QLKKG4R2u/KO0Ek1WvBsUAhe099muBj+e6QviYF8= Address = 10.0.0.2/32 DNS = 22.214.171.124, 126.96.36.199 [Peer] PublicKey = B+EXkrZs2xEQLrKskg+wlyWnN60kOnYTnwJTjZKlGjs= AllowedIPs = 0.0.0.0/0 Endpoint = 188.8.131.52:51820 PersistentKeepalive = 15
In the Address we will configure the next IP of the list of the server (on the server they were 10.0.0.1/24) and here we will configure exclusively 1 IP, which will be the next, 10.0.0.2/32. If we created another user, we would apply the same formula, so it would be 10.0.0.3/32 and so on.
In the PublicKey we will configure the public key of the server, and in the Endpoint we will put the public IP of the server and the port. This IP address will be the one with which once we are connected we will navigate, and it will be our fixed IP.
We will save this configuration and return to the server to connect this new user.
Configuring the client on the server
We will go back to the server and, first, we will turn off the WireGuard.
wg-quick down wg0
We will open the configuration file to add the new data at the end.
In this case we will put the client’s public key and the same IP address.
[Peer] PublicKey = FaEbJJcA0V/6E8Z9uPNsVVT4QanvOREXXLkVkQ2ncgI= AllowedIPs = 10.0.0.2/32 PersistentKeepalive = 15
Once saved, we can turn on the WireGuard again.
wg-quick up wg0
To validate that everything is working properly, we will show the VPN settings.
wg show wg0
Now it will not only show us the data of the server, but also of the first user.
interface: wg0 public key: B+EXkrZs2xEQLrKskg+wlyWnN60kOnYTnwJTjZKlGjs= private key: (hidden) listening port: 51820 peer: FaEbJJcA0V/6E8Z9uPNsVVT4QanvOREXXLkVkQ2ncgI= allowed ips: 10.0.0.2/32 persistent keepalive: every 15 seconds
Activate and validate
We’ll go back to the customer and connect them.
If everything has the green light, we can connect to DuckDuckGo and validate our new IP.
Your IP address is 184.108.40.206 in Europe, Spain, Spain
From this moment you can use this configuration for any device, and navigate with this fixed IP that will only be yours.
You can configure on your server the connection filters only by IP and in this way that no one else can connect.
About this document
This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and having to put the material you create under EUPL license.