Feb 16, 2024 | Allgemein

For beginners, installing and running a VPN (Virtual Private Network) on your own can be daunting. In this series of tutorials, we want to take away the fear of “doing it wrong” and show you how to set up a wireguard VPN in just a few minutes. We want to give you a brief insight into how a VPN works and how it can be deployed in different configurations using different software solutions, depending on your needs. But first, what is a VPN?

What is a VPN?

VPN definition

A virtual private network (VPN) is a mechanism for establishing a secure connection between a computing device and a computer network, or between two networks (or subnetworks), using an insecure communication medium such as the public Internet. A VPN can extend a private network (one that prohibits or restricts public access) in such a way that it enables users of that network to send and receive data across public networks as if the public network devices were directly connected to the private network. The benefits of a VPN include security, reduced costs for dedicated communications and greater flexibility for remote workers. VPNs are also used to circumvent Internet censorship. Encryption is common, although not an inherent part of a VPN connection. A VPN is created by establishing a virtual point-to-point connection using tunneling protocols over existing networks. A VPN available from the public Internet can provide some of the benefits of a Wide Area Network (WAN). From a user perspective, the resources available within the private network can be accessed remotely.

VPN solutions

There are different VPN solutions available which achieve the same result using different mechanisms. The three main ones are IPsec, OpenVPN and WireGuard. We will look at two of those (WireGuard and OpenVPN) in this tutorial series. We mainly use a self-hosted WireGuard for our systems, but keep an OpenVPN backup at hand in case everything breaks down. If you just want to guard your data from being accessed by third parties, or want to protect yourself when using free Wi-Fi hotspots, you can use a commercial VPN provider like Mullvad.

The first programme: Wireguard

WireGuard® is a simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry. (from the WireGuard website)

Wireguard installation

As mentioned above, WireGuard is an open source tool that is cross-platform. The Windows installation is straightforward: download the .exe file from the official WireGuard website and install it on your machine. Installation on Linux is also very easy: use your package manager of choice to install it from the repository. We use Arch Linux, so we use the pacman package manager and the yay AUR helper, but you can also use apt (Ubuntu). If you are using Ubuntu, type the following into the command line:

sudo apt-get install wireguard

If you want to use WireGuard on an Arch-based system, you can use the Arch User Repository (AUR) to download all the needed packages. To do that, type the following line into your command line:

yay -S wireguard-tools

It is not shipped in the native Arch repository. After the installation is done, configuring the WireGuard connection is the most important step. We will discuss how to configure the connection in Linux first, but the basic setup of the configuration file is the same for Linux and Windows.

Configuration types

There are a few configurations that can be created with a clever coupling of machines. The most basic configuration is the peer-to-peer config, in which all participating machines communicate directly with each other. There is no centralized server that handles the connections between participants. This is the intended way for a WireGuard connection to be used.

There are more complex solutions, where the access of machines can be restricted or allowed. This configuration type, with a centralized server that acts as a connection hub, will be discussed in a later tutorial.

Setting up Wireguard (basic)

We will discuss the configuration process using the command line. It is easier this way and much faster. After the installation, make a wireguard folder in the home directory of the main user (admin only). For security reasons, the configuration for the WireGuard connection has to go into the /etc/wireguard/ directory, where it cannot be handled by normal users without sudo rights. The main process can be done without those rights, but it is not recommended. Use the command mkdir wireguard in your home folder to create a new directory.

After creating the directory, use the cd command to change into it. For WireGuard to be able to connect to your client, you first need to create a set of keys for authentication: a private key and a public key. The private key you have to keep private, because it is your main tool for authentication. You can create the private key with the installed wireguard-tools programme:

wg genkey > <name-of-key>.key

In Windows, you can use the same command in your PowerShell. Note that it saves the key in the exact location (directory) that you are in now. So if you want to create the key in a file on your desktop, first type the following command into your PowerShell before using the wg command:

cd C:/Users/<your account name>/Desktop/<your folder name>

After typing the command and pressing Enter, use the wg genkey command as shown above to generate the key. When you run the wg genkey command, the shell reminds you that this is a plain text file that can be viewed by anyone, and that you should consider setting umask 077 (or umask 0077). You can ignore this message because we are going to change the permissions in the next step anyway. The key will be created despite the warning message. Keep this key secret and do not give it to anyone. You can change the key’s permissions with root or sudo with these commands:

sudo chown root:root <name-of-key>.key
sudo chmod 600 <name-of-key>.key

Use this key to generate your public key:

wg pubkey < <name-of-key>.key > <name-of-public-key>.pub

How you name those keys is not relevant; it is only for your own differentiation in case you want to use multiple different WireGuard connections, which is possible. The public key is, as the name implies, a public key and does not need to be specially protected. If you are setting up a server or multiple clients, repeat those commands for every member participating in the network.
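The key-generation steps above put together in one script, as an added example that is not code from the original post or from the WireGuard project. It assumes wireguard-tools (the wg command) is installed and that you run it inside the wireguard directory you created; the function names are our own. Instead of fixing the permissions after the fact, it sets umask 077 before calling wg genkey, which is exactly what the warning the tool prints asks for, so the private key file is created with mode 600 in the first place. It also checks the result: a WireGuard key is 32 bytes in base64 (43 characters plus one padding '='), and the .key file must be readable by its owner only.

```shell
#!/bin/sh
# Added example (not from the original post): generate a WireGuard key pair
# without the private key ever being world-readable, then check the result.
# Assumes wireguard-tools (the `wg` command) is installed.
set -eu

# make_wg_keys <name>: create <name>.key (private) and <name>.pub (public)
# in the current directory. umask 077 is what the warning printed by
# `wg genkey` asks for: the file is created with mode 600, so no chmod is
# needed afterwards. The subshell keeps the umask change local.
make_wg_keys() {
    name="$1"
    (
        umask 077
        wg genkey > "$name.key"
        wg pubkey < "$name.key" > "$name.pub"
    )
}

# is_wg_key <string>: a WireGuard key is 32 random bytes in base64,
# i.e. 43 base64 characters followed by one '=' padding character.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# key_is_private <file>: succeed only if the file is accessible by its owner
# alone (mode 600 or 400). `stat -c` is GNU coreutils, `stat -f` the BSD form.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage: sh make-keys.sh <name>   (run inside your ~/wireguard directory)
if [ -n "${1:-}" ]; then
    make_wg_keys "$1"
    key_is_private "$1.key" && is_wg_key "$(cat "$1.key")" \
        && echo "created $1.key (private, mode 600) and $1.pub"
fi
```

Running sh make-keys.sh clientA produces clientA.key and clientA.pub; the two checks at the end fail loudly if something on the system (an unusual umask handling, a non-standard wg) produced a key file that is either malformed or readable by others, which is the condition the chmod 600 step in the text is there to prevent.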

Writing the Configuration File

To configure the connection, you must create a configuration file. Use the touch command to create it. The name of this file is the name of the WireGuard interface you want to create, so the config file must be named accordingly. In this example, we will name it wg0 because this is the default WireGuard interface name. Note that the names of interfaces that are already taken (e.g. eth0 and lo) cannot be used due to naming conflicts.

touch wg0.conf

Then use a text editor of your choice to edit the content. You can use nano, which comes pre-installed on almost every Linux flavour:

nano wg0.conf

Windows users will also need to create a file in the same way, using Notepad for example.

Peer Configuration

As WireGuard is normally a peer-to-peer connection between users, the peers can be configured identically for a simple point-to-point connection. And even with more complex configurations, the configuration for a client does not change dramatically. The client can be configured as follows:

# local settings for Endpoint A (client)
[Interface]
PrivateKey = <private key of client A>
Address = 10.0.0.1/32
ListenPort = 51821
# ...

# remote settings for Client B (or the server host)
[Peer]
PublicKey = <public key of client B>
Endpoint = <IP you want to connect with>:<port at which the other part listens on>
AllowedIPs = <allowed IP of the other part>

  • [Interface]

This is your part of the connection

  • PrivateKey

This is your private key you generated beforehand

  • Address

This is the Address you want to have in the connection subnet, NOT the IP you have right now.

  • ListenPort

The port your connection listens on. If you do not specify a port here, a default port is chosen for your connection. To avoid errors beforehand, you should choose a port nonetheless.

  • [Peer]

This is the distant part of your connection. If you have a second or third peer you want to connect to point-to-point, just list another [Peer] section after you have listed all the data for the first one.

  • PublicKey

This is the public key of the peer you want to connect to

  • Endpoint

This is the public (not the internal) IP of the peer you want to connect to, followed by the port it listens on.

  • AllowedIPs

This entry specifies which IP addresses or ranges are allowed to be sent to and received from this peer, and thereby which kind of connection you get over it (full or split tunneling).

After editing the file, save its contents by typing ctrl + x, followed by accepting to save the file by typing y, then pressing Enter and returning to the command prompt. Once you have successfully saved the file, you will need to move it to /etc/wireguard/ by typing the command:

sudo mv wg0.conf /etc/wireguard/

NOTE: This will move the wg0.conf file from the folder to the location you specified above. As you can see, you need root privileges (sudo) to do this, as the /etc/ folder belongs to the root user. The file can now only be edited using the sudo command.

If you are using Windows, simply leave the file in a safe place. Repeat the key creation and configuration file creation on the second machine you want to connect to. Make sure that you swap Client A’s information with Client B’s credentials.
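An added example, not from the original post, that writes both sides of the point-to-point configuration described above from keys you have already generated, so that the swap of Client A's and Client B's data happens in one place rather than by hand on two machines. The function names are our own; the tunnel addresses (10.0.0.1 and 10.0.0.2), the ports and the 198.51.100.x endpoint addresses are constructed sample values and must be replaced by the real public addresses of your two machines. Each file is created with mode 600 because it contains a private key, the same reason the text moves it into /etc/wireguard/.

```shell
#!/bin/sh
# Added example (not from the original post): write both sides of a WireGuard
# point-to-point configuration from keys generated earlier with wg genkey/pubkey.
# Tunnel addresses, ports and the 198.51.100.x endpoints are constructed samples.
set -eu

# write_wg_conf <file> <own private key> <own tunnel address> <listen port>
#               <peer public key> <peer endpoint host:port> <allowed IPs>
# The file holds the private key, so it is created with mode 600 (umask 077).
write_wg_conf() {
    out="$1"; priv="$2"; addr="$3"; port="$4"
    peer_pub="$5"; endpoint="$6"; allowed="$7"
    (
        umask 077
        cat > "$out" <<EOF
# local settings
[Interface]
PrivateKey = $priv
Address = $addr
ListenPort = $port

# remote settings
[Peer]
PublicKey = $peer_pub
Endpoint = $endpoint
AllowedIPs = $allowed
EOF
    )
}

# conf_get <file> <key>: read one "Key = value" entry back out of a config file.
conf_get() {
    sed -n "s/^$2 = //p" "$1"
}

# write_pair <dir> <A private> <A public> <B private> <B public>
# Produces <dir>/a-wg0.conf and <dir>/b-wg0.conf. Each side lists its own
# private key under [Interface] and the *other* side's public key under [Peer],
# which is the swap of A's and B's data the text asks for.
# AllowedIPs = <peer tunnel address>/32 makes this a split tunnel: only packets
# for the other peer enter wg0. A client that should send all traffic through
# the tunnel (full tunnel) would use AllowedIPs = 0.0.0.0/0 instead.
write_pair() {
    dir="$1"; a_priv="$2"; a_pub="$3"; b_priv="$4"; b_pub="$5"
    write_wg_conf "$dir/a-wg0.conf" "$a_priv" 10.0.0.1/32 51821 \
        "$b_pub" 198.51.100.2:51822 10.0.0.2/32
    write_wg_conf "$dir/b-wg0.conf" "$b_priv" 10.0.0.2/32 51822 \
        "$a_pub" 198.51.100.1:51821 10.0.0.1/32
}

# Usage: sh write-pair.sh <dir> a.key a.pub b.key b.pub
# then copy each file to /etc/wireguard/wg0.conf on its own machine.
if [ $# -eq 5 ]; then
    write_pair "$1" "$(cat "$2")" "$(cat "$3")" "$(cat "$4")" "$(cat "$5")"
fi
```

After copying a-wg0.conf to /etc/wireguard/wg0.conf on machine A and b-wg0.conf to the same path on machine B, both sides are started with the wg-quick command shown in the next section. Keep in mind that only one of the two files belongs on each machine: a-wg0.conf contains A's private key and must never be placed on B.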

Activating the secure connection

After moving the file to its location you can activate the vpn connection by typing the following command into the command line:

sudo wg-quick up wg0

If you have named your configuration file something other than wg0, you will need to specify that name in the command. To do this, simply replace wg0 with the name of the file you have created. You can leave out the .conf extension, or leave it in if you want to be extra meticulous. If you choose to save your file somewhere other than /etc/wireguard/, you will need to specify the path to the file:

sudo wg-quick up <absolutePathToTheFile>/wg0.conf

This time you must add the .conf extension, otherwise your file may not be found. After pressing Enter, WireGuard will try to make the connection. For your connection to work, both machines you want to connect need a running WireGuard interface, so you will need to repeat the activation steps on the other machine.

On Windows, in order to establish a VPN connection, the previously created configuration file must be selected after launching the Wireguard application by clicking on the ‘Add tunnel’ button in the bottom left-hand corner. Once the file has been imported, press the ‘Activate’ button in the middle to connect the machine to the VPN.