Your own VPN with WireGuard

You may not have a fixed IP at home or at work, and you may want to filter access to your WordPress to a specific IP. And for this we have VPNs.

While it is true that commercial VPNs vary IP addresses for security, it is possible to set up your own professional VPN, with your own control, and quite cheaply. A VPN can cost you about 10 euros per month (100 euros per year) but a VPN server on a VPS can cost you about 3 euros/ month, plus it will be just for you.

This tutorial has been created on a Clouding.io VPS. You can create your own VPS from 3€/month.

In addition, you have the possibility to create your VPS with the WordPress image in one click.

PARTNERSHIP

For this example we are going to have a server with Ubuntu 20, and nothing else. In principle, this system would allow it to be installed on any server, even on one that is already being used for other services.

IMPORTANT: Some providers have a firewall, so if provider does, you’ll need to open port 51820 (UDP) for connecting to WireGuard.

Configuring the server

The first thing we will do is update the server with Ubuntu. First we will set the time and universal time zone.

timedatectl set-timezone UTC
timedatectl set-ntp on

Later we will make an update of the entire system.

apt -y update && apt -y upgrade && apt -y dist-upgrade && apt -y autoremove

We will install some useful tools.

apt -y install software-properties-common curl vim zip unzip apt-transport-https

And the installation of automatic security updates.

apt -y install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

As we are going to use this server to forward traffic, we have to validate that this is allowed. In the file we will look for these lines (they come by default deactivated). If they are, we will remove the # in front.

vim /etc/sysctl.conf

Leaving the settings on.

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

And we will activate the configuration.

sysctl -p

Installing WireGuard

Luckily, this VPN comes standard with Ubuntu 20, so we’ll simply have to install it.

apt -y install wireguard

As it requires control of the system kernel, we will validate that it is available.

modprobe wireguard
lsmod | grep wireguard

If everything has gone well, we will see the following lines:

wireguard             212992  0
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             16384  1 wireguard

Configuring WireGuard

Before we start we need to know some data.

Now we will have to see what network interface our server has. As a general rule we will see the “lo” (which is the one that calls the machine itself) and some other broadcast type that is the one that connects publicly to the internet. In our case it is “eth0”.

ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0:  mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
  link/ether fa:16:3e:1f:91:a2 brd ff:ff:ff:ff:ff:ff

Now that we know where to connect, we’ll set up WireGuard. The first thing will be to access the configuration folder and establish a minimum security for those files.

cd /etc/wireguard
umask 077

And we will create the security keys for this server.

wg genkey | tee server_private.key | wg pubkey | tee server_public.key

This will generate two files that we can see if we list them.

-rw-------   1 root root   45 Mar 20 11:04 server_private.key
-rw-------   1 root root   45 Mar 20 11:04 server_public.key

To know the <Server_Private_Key>:

cat server_private.key

That will return a code similar to this:

cBM+jwqXBH94Fyp5+qILQozfV7lEmnloZPWMdZY5KXQ=

We will do the same to know the <Server_Public_Key>:

cat server_public.key

That will return to us a code similar to this:

B+EXkrZs2xEQLrKskg+wlyWnN60kOnYTnwJTjZKlGjs=

Now that we have the public and private keys, we will mount the Wireguard configuration. To do this we must create the configuration file.

vim /etc/wireguard/wg0.conf

And we will include the following content:

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PrivateKey = cBM+jwqXBH94Fyp5+qILQozfV7lEmnloZPWMdZY5KXQ= # Aquí pondremos la <Server_Private_Key>

The next thing we have to check is that the firewall of the machine allows traffic:

ufw route allow in on wg0
ufw allow 51820/udp

And now we can lift the WireGuard and establish it as a service, so that even if the machine is restarted, it will start up again automatically.

wg-quick up wg0
systemctl enable wg-quick@wg0

To know if everything has worked correctly, we can run a command and validate that WireGuard is active.

wg show wg0

That will show us something like this:

interface: wg0
  public key: B+EXkrZs2xEQLrKskg+wlyWnN60kOnYTnwJTjZKlGjs=
  private key: (hidden)
  listening port: 51820

Configuring the WireGuard client

Now that we have the VPN server up and running, we have to configure the clients.

In this case, I will use the Windows example. Once installed, we will create a new, blank connection. This connection will generate a public key and a private key.

Cliente de WireGuard con una nueva conexión.

We have as an example the generated keys, which are:

cliente_private.key: IP3QLKKG4R2u/KO0Ek1WvBsUAhe099muBj+e6QviYF8=
cliente_public.key: FaEbJJcA0V/6E8Z9uPNsVVT4QanvOREXXLkVkQ2ncgI=

With this data, and the server data, we can configure the account:

Cliente de WireGuard con la conexión configurada.
[Interface]
PrivateKey = IP3QLKKG4R2u/KO0Ek1WvBsUAhe099muBj+e6QviYF8=
Address = 10.0.0.2/32
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = B+EXkrZs2xEQLrKskg+wlyWnN60kOnYTnwJTjZKlGjs=
AllowedIPs = 0.0.0.0/0
Endpoint = 185.253.153.43:51820
PersistentKeepalive = 15

In the Address we will configure the next IP of the list of the server (on the server they were 10.0.0.1/24) and here we will configure exclusively 1 IP, which will be the next, 10.0.0.2/32. If we created another user, we would apply the same formula, so it would be 10.0.0.3/32 and so on.

In the PublicKey we will configure the public key of the server, and in the Endpoint we will put the public IP of the server and the port. This IP address will be the one with which once we are connected we will navigate, and it will be our fixed IP.

We will save this configuration and return to the server to connect this new user.

Configuring the client on the server

We will go back to the server and, first, we will turn off the WireGuard.

wg-quick down wg0

We will open the configuration file to add the new data at the end.

vim /etc/wireguard/wg0.conf

In this case we will put the client’s public key and the same IP address.

[Peer]
PublicKey = FaEbJJcA0V/6E8Z9uPNsVVT4QanvOREXXLkVkQ2ncgI=
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 15

Once saved, we can turn on the WireGuard again.

wg-quick up wg0

To validate that everything is working properly, we will show the VPN settings.

wg show wg0

Now it will not only show us the data of the server, but also of the first user.

interface: wg0
  public key: B+EXkrZs2xEQLrKskg+wlyWnN60kOnYTnwJTjZKlGjs=
  private key: (hidden)
  listening port: 51820
peer: FaEbJJcA0V/6E8Z9uPNsVVT4QanvOREXXLkVkQ2ncgI=
  allowed ips: 10.0.0.2/32
  persistent keepalive: every 15 seconds

Activate and validate

We’ll go back to the customer and connect them.

Cliente de WireGuard conectado.

If everything has the green light, we can connect to DuckDuckGo and validate our new IP.

Your IP address is 185.253.153.43 in Europe, Spain, Spain

From this moment you can use this configuration for any device, and navigate with this fixed IP that will only be yours.

You can configure on your server the connection filters only by IP and in this way that no one else can connect.


About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and having to put the material you create under EUPL license.