You may not have a fixed IP at home or at work, and you may want to filter access to your WordPress to a specific IP. And for this we have VPNs.
While it is true that commercial VPNs vary IP addresses for security, it is possible to set up your own professional VPN, with your own control, and quite cheaply. A VPN can cost you about 10 euros per month (100 euros per year) but a VPN server on a VPS can cost you about 3 euros/ month, plus it will be just for you.
This tutorial has been created on a Clouding.io VPS. You can create your own VPS from 3€/month.
In addition, you have the possibility to create your VPS with the WordPress image in one click.
PARTNERSHIP
For this example we are going to have a server with Ubuntu 20, and nothing else. In principle, this system would allow it to be installed on any server, even on one that is already being used for other services.
IMPORTANT: Some providers have a firewall, so if provider does, you’ll need to open port 51820 (UDP) for connecting to WireGuard.
Configuring the server
The first thing we will do is update the server with Ubuntu. First we will set the time and universal time zone.
timedatectl set-timezone UTC
timedatectl set-ntp onLater we will make an update of the entire system.
apt -y update && apt -y upgrade && apt -y dist-upgrade && apt -y autoremoveWe will install some useful tools.
apt -y install software-properties-common curl vim zip unzip apt-transport-httpsAnd the installation of automatic security updates.
apt -y install unattended-upgrades
dpkg-reconfigure -plow unattended-upgradesAs we are going to use this server to forward traffic, we have to validate that this is allowed. In the file we will look for these lines (they come by default deactivated). If they are, we will remove the # in front.
vim /etc/sysctl.confLeaving the settings on.
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1And we will activate the configuration.
sysctl -pInstalling WireGuard
Luckily, this VPN comes standard with Ubuntu 20, so we’ll simply have to install it.
apt -y install wireguardAs it requires control of the system kernel, we will validate that it is available.
modprobe wireguard
lsmod | grep wireguardIf everything has gone well, we will see the following lines:
wireguard 212992 0
ip6_udp_tunnel 16384 1 wireguard
udp_tunnel 16384 1 wireguardConfiguring WireGuard
Before we start we need to know some data.
Now we will have to see what network interface our server has. As a general rule we will see the “lo” (which is the one that calls the machine itself) and some other broadcast type that is the one that connects publicly to the internet. In our case it is “eth0”.
ip link show1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether fa:16:3e:1f:91:a2 brd ff:ff:ff:ff:ff:ffNow that we know where to connect, we’ll set up WireGuard. The first thing will be to access the configuration folder and establish a minimum security for those files.
cd /etc/wireguard
umask 077And we will create the security keys for this server.
wg genkey | tee server_private.key | wg pubkey | tee server_public.keyThis will generate two files that we can see if we list them.
-rw------- 1 root root 45 Mar 20 11:04 server_private.key
-rw------- 1 root root 45 Mar 20 11:04 server_public.keyTo know the <Server_Private_Key>:
cat server_private.keyThat will return a code similar to this:
cBM+jwqXBH94Fyp5+qILQozfV7lEmnloZPWMdZY5KXQ=We will do the same to know the <Server_Public_Key>:
cat server_public.keyThat will return to us a code similar to this:
B+EXkrZs2xEQLrKskg+wlyWnN60kOnYTnwJTjZKlGjs=Now that we have the public and private keys, we will mount the Wireguard configuration. To do this we must create the configuration file.
vim /etc/wireguard/wg0.confAnd we will include the following content:
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PrivateKey = cBM+jwqXBH94Fyp5+qILQozfV7lEmnloZPWMdZY5KXQ= # Aquí pondremos la <Server_Private_Key>The next thing we have to check is that the firewall of the machine allows traffic:
ufw route allow in on wg0
ufw allow 51820/udpAnd now we can lift the WireGuard and establish it as a service, so that even if the machine is restarted, it will start up again automatically.
wg-quick up wg0
systemctl enable wg-quick@wg0To know if everything has worked correctly, we can run a command and validate that WireGuard is active.
wg show wg0That will show us something like this:
interface: wg0
public key: B+EXkrZs2xEQLrKskg+wlyWnN60kOnYTnwJTjZKlGjs=
private key: (hidden)
listening port: 51820Configuring the WireGuard client
Now that we have the VPN server up and running, we have to configure the clients.
In this case, I will use the Windows example. Once installed, we will create a new, blank connection. This connection will generate a public key and a private key.
We have as an example the generated keys, which are:
cliente_private.key: IP3QLKKG4R2u/KO0Ek1WvBsUAhe099muBj+e6QviYF8=
cliente_public.key: FaEbJJcA0V/6E8Z9uPNsVVT4QanvOREXXLkVkQ2ncgI=With this data, and the server data, we can configure the account:
[Interface]
PrivateKey = IP3QLKKG4R2u/KO0Ek1WvBsUAhe099muBj+e6QviYF8=
Address = 10.0.0.2/32
DNS = 8.8.8.8, 1.1.1.1
[Peer]
PublicKey = B+EXkrZs2xEQLrKskg+wlyWnN60kOnYTnwJTjZKlGjs=
AllowedIPs = 0.0.0.0/0
Endpoint = 185.253.153.43:51820
PersistentKeepalive = 15In the Address we will configure the next IP of the list of the server (on the server they were 10.0.0.1/24) and here we will configure exclusively 1 IP, which will be the next, 10.0.0.2/32. If we created another user, we would apply the same formula, so it would be 10.0.0.3/32 and so on.
In the PublicKey we will configure the public key of the server, and in the Endpoint we will put the public IP of the server and the port. This IP address will be the one with which once we are connected we will navigate, and it will be our fixed IP.
We will save this configuration and return to the server to connect this new user.
Configuring the client on the server
We will go back to the server and, first, we will turn off the WireGuard.
wg-quick down wg0We will open the configuration file to add the new data at the end.
vim /etc/wireguard/wg0.confIn this case we will put the client’s public key and the same IP address.
[Peer]
PublicKey = FaEbJJcA0V/6E8Z9uPNsVVT4QanvOREXXLkVkQ2ncgI=
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 15Once saved, we can turn on the WireGuard again.
wg-quick up wg0To validate that everything is working properly, we will show the VPN settings.
wg show wg0Now it will not only show us the data of the server, but also of the first user.
interface: wg0
public key: B+EXkrZs2xEQLrKskg+wlyWnN60kOnYTnwJTjZKlGjs=
private key: (hidden)
listening port: 51820
peer: FaEbJJcA0V/6E8Z9uPNsVVT4QanvOREXXLkVkQ2ncgI=
allowed ips: 10.0.0.2/32
persistent keepalive: every 15 secondsActivate and validate
We’ll go back to the customer and connect them.
If everything has the green light, we can connect to DuckDuckGo and validate our new IP.
Your IP address is 185.253.153.43 in Europe, Spain, SpainFrom this moment you can use this configuration for any device, and navigate with this fixed IP that will only be yours.
You can configure on your server the connection filters only by IP and in this way that no one else can connect.
About this document
This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and having to put the material you create under EUPL license.