Since February 2022, every user gets, as part of their tariff, the ability to use the WireGuard server and to establish one connection to it from the Internet.
The WireGuard connection is in addition to your existing tunnels; using WireGuard is not counted as a tunnel under the tariff plan.
Within the base tariff the user gets 2 tunnels over PPTP, L2TP/IPsec or OpenVPN plus one additional connection over the WireGuard protocol. Thus each user can have three connections to VPNKI established at the same time.
The WireGuard connection also differs in that it currently cannot route networks located "behind the router"; we plan to add this a little later.
Because the WireGuard protocol uses a different architecture, the logic of its settings on the VPNKI server differs from the traditional one.
We want remote access to our network from the Internet over the WireGuard protocol, while the network itself is already connected to VPNKI over one of the other protocols: PPTP, L2TP/IPsec or OpenVPN.
As client software we use the WireGuard client for Windows. The computer running the WireGuard client is located on the Internet.
When the connection is established, a tunnel interface is created on your WireGuard client and it is given the address 172.16.0.3 from the VPNKI network. We want to "reach" the server with address 192.168.1.10 in the home network.
Always download from official sources. You can find the client here: https://www.wireguard.com/install/
Once you have installed the client, click the arrow next to "Add Tunnel", then click "Add empty tunnel".
What is nice about this is that the GUI creates a public and private key for us automatically.
We are far from done, so let's get it to connect to our server.
Expanding the configuration
We need to update the configuration file to look like this:
Important: you need to replace YOUR_SERVER_PUBLIC_KEY and YOUR_SERVER_WAN_IP with your own values.
I go into detail about what all this means in another post, but make sure you set your Address to a unique IP address on your virtual private network: two peers with the same address, or the same key, will keep knocking each other off the tunnel.
This is what mine looks like (again, never share your private key; this is just a demo):
Checking "Block untunneled traffic" makes sure that all of our traffic is routed through our VPN. The checkbox is only offered when the tunnel has a single peer whose AllowedIPs covers all traffic (0.0.0.0/0 and ::/0); with a narrower AllowedIPs it does not appear.
Setting up WireGuard to connect two servers
First we generate the keys. We run wg genkey twice and get two private keys:
The wg genkey utility does nothing magical; it is just the equivalent of something in this spirit:
Only probably more random: we simply generate 32 bytes of random values and present them as Base64. The one extra thing wg genkey does is "clamp" the key as X25519 requires: it clears the three low bits of the first byte and fixes the two top bits of the last byte, so not every 32-byte Base64 string is a valid private key.
Create two configs. One on the Internet server:
PostUp = ip rule add from `ip addr show $(ip route | awk '/default/ {print $5}') | grep "inet" | grep -v "inet6" | head -n 1 | awk '/inet/ {print $2}' | awk -F/ '{print $1}'` table main
PostDown = ip rule del from `ip addr show $(ip route | awk '/default/ {print $5}') | grep "inet" | grep -v "inet6" | head -n 1 | awk '/inet/ {print $2}' | awk -F/ '{print $1}'` table main
The [Interface] section holds the settings of a particular WireGuard network interface, the one that will be visible in ip a. The interface name is taken from the name of the configuration file. One interface always has exactly one key pair: all peers of this interface see the same public key.
But nothing stops you, if you want, from making a separate config and a separate interface for each peer (though with hundreds of clients that becomes inconvenient).
Interfaces are usually controlled with wg-quick: wg-quick down wg-external and wg-quick up wg-external.
The wg-quick utility is really about 400 lines of bash that automate frequently needed things, such as installing routes. A tunnel by itself gives you nothing but a protected "pipe" with another peer at the far end. For your browser's request to end up inside the interface, the system has to be told explicitly: "please route packets with this destination through this network interface".
That is what wg-quick does. It also configures the DNS servers given in the config, sets the MTU and a couple of other things. None of it is complicated; it is enough to run cat /usr/bin/wg-quick to see the logic and, if necessary, repeat the same steps by hand.
- Interface.Address is the IP of the current peer. All addressing in WG is static. On the one hand this simplifies configuration and debugging, on the other it complicates things when you have many clients.
- ListenPort is the UDP port for connections from outside. If you do not specify it, the kernel picks a random free port, so a server that must be reachable should set it explicitly; 51820 is the conventional choice.
- Interface.PostUp and Interface.PostDown are scripts run after the interface is brought up and after it is taken down. There are also PreUp and PreDown.
In addition to the public and private keys there is also the PresharedKey option, which mixes an extra 256-bit symmetric secret into the handshake, so the session keys stay secret even if the Curve25519 exchange is broken. The key can be generated with wg genpsk and added to the PresharedKey option in the [Peer] sections on both peers. Not using this option does not reduce the encryption and decryption load: when the key is not set, an all-zero key is used in its place, so the same computation happens either way.
And to truly ensure post-quantum security (the inability to decrypt the data with a quantum computer), the developers recommend an additional, external, quantum-resistant handshake mechanism; the example given is SIDH, which Microsoft worked on in this context. The shared key it produces can be used as the PresharedKey. Note that SIDH was broken by a classical attack in 2022, so today a different post-quantum key exchange should be used for this; the design point, mixing an externally agreed secret in through PresharedKey, still stands.
The spells in PostUp are quite simple. Here is the command that substitutes the name of the interface through which the default route goes:
ip route | awk '/default/ {print $5}'
As a rule, this is the interface facing the Internet provider or the router.
So the intimidating command turns into the following:
Here NAT is enabled in masquerade mode: the server forwards the packets that arrived through the tunnel out to the external network, replacing the sender's address with its own, so that the replies to those packets also come back to it and not to the original sender.
The second command is a little more complicated, but all it does is find the IP address of the default route interface:
`ip addr show $(ip route | awk '/default/ {print $5}') | grep "inet" | grep -v "inet6" | head -n 1 | awk '/inet/ {print $2}' | awk -F/ '{print $1}'`
First, as above, we get the default route interface:
ip route | awk '/default/ {print $5}'
Then the state of that interface:
ip addr show eth0
And then we pull the address out of it, in this case 192.168.88.70 (the first inet line, second field, with the /prefix cut off). The command becomes:
ip rule add from 192.168.88.70 table main
This is needed on the Internet server because otherwise, once the 0.0.0.0/0 route through the tunnel is active, it starts sending replies to packets that arrived at its external address back through the wg tunnel. The server at the other end duly forwards them on, but the original sender is not prepared for that: it sent something to the Internet server's external address, and the reply arrives from the external address of the other server.
Naturally, with rp_filter enabled the packet is dropped. In that state the server stops being reachable from outside, for example over SSH; you can only connect to it on its internal WireGuard IP. Disabling rp_filter is shooting sparrows with a cannon; the extra ip rule fixes the situation instead: for packets whose source is the WAN address it consults the main table, which still holds the real default route, before the table that sends everything into the tunnel.
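What the awk/grep pipeline in the PostUp and PostDown hooks actually computes, shown here as an added example (not code from the article) that does the same parsing in Python over constructed `ip route` and `ip addr show` output and then prints the resolved hook lines. The interface name, addresses and MAC in the samples are made up; the MASQUERADE rule is the standard iptables form of the NAT the article describes, written out as an assumption since the article's own line for it is not reproduced on this page.

```python
# Added example, not code from the article: the PostUp/PostDown substitutions
# done on captured (constructed) `ip route` / `ip addr show` output.
SAMPLE_IP_ROUTE = """\
default via 192.168.88.1 dev eth0 proto static
10.0.0.0/24 dev wg-internal proto kernel scope link src 10.0.0.1
192.168.88.0/24 dev eth0 proto kernel scope link src 192.168.88.70
"""

SAMPLE_IP_ADDR_ETH0 = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.70/24 brd 192.168.88.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""


def default_interface(ip_route_output: str) -> str:
    """Equivalent of `ip route | awk '/default/ {print $5}'`, but keyed on the
    'dev' keyword instead of field position, which is what awk's $5 assumes."""
    for line in ip_route_output.splitlines():
        fields = line.split()
        if fields and fields[0] == "default" and "dev" in fields:
            return fields[fields.index("dev") + 1]
    raise LookupError("no default route")


def primary_ipv4(ip_addr_output: str) -> str:
    """Equivalent of `grep "inet" | grep -v "inet6" | head -n 1 | awk '{print $2}'
    | awk -F/ '{print $1}'`: the first IPv4 address, prefix length removed."""
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if fields and fields[0] == "inet":        # exact match already excludes inet6
            return fields[1].split("/", 1)[0]
    raise LookupError("interface has no IPv4 address")


def build_hooks(wan_if: str, wan_ip: str) -> dict:
    """The two hooks of the server config with the shell substitutions resolved.
    MASQUERADE rewrites the source of forwarded packets to the WAN address; the
    ip rule makes packets sourced from the WAN address use the main table (real
    default route) instead of the table that pushes everything into the tunnel,
    so replies leave on the uplink and are not dropped by rp_filter."""
    nat = f"iptables -t nat {{}} POSTROUTING -o {wan_if} -j MASQUERADE"   # assumed standard form
    rule = f"ip rule {{}} from {wan_ip} table main"
    return {
        "PostUp": [nat.format("-A"), rule.format("add")],
        "PostDown": [nat.format("-D"), rule.format("del")],
    }


def render_hooks(ip_route_output: str, ip_addr_output: str) -> str:
    """[Interface] lines with the values pinned at generation time, usable in
    place of the backtick-heavy originals."""
    hooks = build_hooks(default_interface(ip_route_output), primary_ipv4(ip_addr_output))
    return "\n".join(f"{key} = {cmd}" for key, cmds in hooks.items() for cmd in cmds)


if __name__ == "__main__":
    print(render_hooks(SAMPLE_IP_ROUTE, SAMPLE_IP_ADDR_ETH0))
```

Pinning the values at generation time is the trade-off to think about: the backtick form adapts if the WAN interface or address changes between boots, the pinned form is readable and auditable but must be regenerated when the uplink changes.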
I deliberately do not provide ready-made configs, because I want to show the mechanism of creating configs by hand. At one time I generated configs with utilities like easy-wg-quick or web services that ask you for the client's name and nicely show a QR code. This does not help you understand how WG actually works, and can cause problems.
Now, in both configs, you need to add a [Peer] section to tie the servers to each other.
We derive the public key from the private one (this is where the actual crypto-magic happens, in wg pubkey):
This is the public key of the Internet server; we put it in the [Peer] section on External:
In the same place, in Endpoint, we give the address of the Internet server and the port we set in ListenPort.
Setting up WireGuard servers takes a bit of time invested in learning how the system works. But that shouldn't stop you from setting up a WireGuard VPN server on your Windows machine, as the benefits of using WireGuard are plenty.
Whether you are using Linux or Windows, WireGuard can be a great addition to a smart home setup or homelab.
If you are willing to dive a little deeper into the topic, you can automate much of the repetitive clicking involved when doing this through the GUI.
Fortunately, setting up a Windows machine as a client is even easier and doesn't come with the set of quirks related to internal networking. The good news is that the client for Windows is being actively developed and appears to improve significantly with each release. I wouldn't be surprised if a number of these workarounds get ironed out in the next few releases.
Setting up the client side
To do this, you need to create new users.
Enter the command pivpn add and press Enter.
Then, in the terminal, enter the user name and press Enter again.
A configuration file is created for that name. It contains all the information needed to connect to your VPN.
For desktops, this configuration file has to be downloaded and then imported into the WireGuard client on the computer.
For phones, you can generate a QR code.
Connecting Windows computers to your VPN
Consider the case where you want to connect a Windows computer.
First, download and install the client from the official WireGuard website.
In the program you will see that it needs a configuration file, which currently sits on your rented server.
So you need to download this file from the server.
In fact, since the server is yours, you can use it as storage too, or install something on it for convenient file exchange; setting up an FTP server is no harder than configuring WireGuard (though plain FTP sends passwords and files unencrypted, so for a file that contains a private key the scp method below is the better choice). If you don't need that, you can download the configuration file through the terminal.
The configuration file was created in the /home/vpn/configs directory.
If you forgot what you called the user, or aren't sure everything was created correctly, you can check which configuration files exist on the server:
The path can be copied from the previous output of pivpn add.
To do this, select the text and press the right mouse button.
The path is now on a new line; it tells the terminal which folder you are asking about.
Run ls on it so that you get a list of files.
Make sure the configuration file for the right user has been created.
I'll show you how to do it on Windows 10 or newer.
On Windows 7, you need to download the PSCP program from the same place you got PuTTY and put it in C:\Windows\System32. After that, everything on Windows 7 is the same as on Windows 10, except that where the command below says scp on Windows 10, on Windows 7 it is pscp, because on 7 you are calling the downloaded executable, while on 10 you use the built-in scp.
Enter the command scp root@%IP_ADDRESS%:/home/vpn/configs/%CONF_NAME%.conf . (a space and a dot at the end: the dot means "into the current folder").
Press Enter. On the first connection a message may appear, to which you need to answer yes and press Enter.
Next, you will need to enter the password for your server, after which the file downloads.
It downloads into the user folder, that is: This PC, drive C, Users, your user, and the file is there.
Then, in the WireGuard client, point it at this file and click Activate.
That's it. The client side of the VPN also works.
You can switch it on and off quickly and without hassle; you will never have to configure anything else. Every time you will have access to your server.
My home Internet is 100 Mbps, so I can't say how fast the rented server is, but downloading through it is faster than my home Internet alone.
Connecting smartphones to your VPN
You can install the app via Google Play, or from a file.
Now go back to PuTTY on the rented server.
The pivpn add command creates a new user.
After it has been created, run the command pivpn -qr and press Enter.
A numbered list of the created users appears.
Select the one intended for the mobile phone by entering its number from the list, then press Enter.
Scan it with the app. Then enter a name for the connection. I entered the same name as on the server so as not to get confused.
And that's it. The app has only an on/off switch.
While connected, a key icon appears next to the clock. The app is lightweight and starts quickly from the background, so it causes no particular trouble.
That's all. The phone is connected to your VPN.
If anyone is confused, here is everything briefly, point by point:
- Rent the server
- Download PuTTY (or any other terminal with SSH support)
- Log in to your server and change the root user's password
- Enter the two commands that install and set up PiVPN
- Next, next, next, OK, OK.
- Create the required number of new users with the pivpn add command
- Install WireGuard clients on computers and phones
- For phones, generate QR codes for connecting to your VPN with the pivpn -qr command; for computers, download the configuration files over the command line. These files can be passed to relatives or friends to whom you want to give access to your VPN. Each file contains its own private key, so create a separate user for every person and device: two devices using the same file will keep displacing each other on the server.
Setup for Android
Download the WireGuard application from Google Play or F-Droid.
To add a WireGuard tunnel, tap the plus button in the lower corner of the screen and choose how to add it: import from the downloaded configuration file, scan a QR code, or enter the data manually. The access details and configuration file were sent to you by e-mail.
Tap the switch next to the name that appeared. Android will ask you to grant WireGuard permission to act as a VPN. Grant it. After that the connection is established and a key icon appears in the status bar.
Setup for macOS
Download the WireGuard application from the official site or from the App Store.
Download the configuration file (the access details and configuration file were sent to you by e-mail).
Open the WireGuard application and select "Manage WireGuard Tunnels".
Done. To connect to the VPN, click the "Connect" button.
Renting a VPS server
Skip this step if you already have a server you plan to configure.
- Choose a hosting provider from whom to rent the server. Poiskvps.ru is convenient for this.
- Decide on the desired hosting country; 1 CPU, 512 MB RAM, KVM, 100-1000 Mbit/s
- Select Ubuntu 20.04/18.04 as the server OS
- Register and pay
- If you haven't done this before, there is nothing unusual about it: an ordinary registration like on any site. In your account, add a server with the chosen configuration to the basket and pay by any available method. The SSH details for the server usually arrive by e-mail after payment.
I don't recommend any specific hosting provider, because I am still looking for a reliable, high-quality and inexpensive one myself.
You now have:
- the server's IP address, for example 188.8.131.52
- the server user name, usually root, though it depends on the hosting provider
- the user password
- If you are on Windows, download the PuTTY utility. It is simple: download, install, launch, enter the server's IP address in the "Host Name" field. Or use WSL, if you know what that is.
Then enter the password, and you are on your server.
Run the installation script
Specifically for quick installation, I prepared and published an open-source bash script that automates the installation process I described in detail in the previous article about WireGuard VPN.
If asked, enter the password, and wait for the installation to finish.
Setting up client devices
Once the installation is complete, you can configure the devices from which we will connect.
Disadvantages of commercial VPN services
Commercial VPN services, paid or free, do the job of tunnelling traffic, some better, some worse. Their main problem is that, besides providing the VPN service, it is profitable for them to collect and then sell your data. All of your traffic is available to these companies: what you send and receive, which services and sites you open, and your real IP addresses. Some companies were created from the outset with a business model of harvesting and reselling client data (especially the free ones). And although the services assert the opposite, there is no way to verify their assurances; their goal is maximum profit.
The clients for such services are, as a rule, proprietary, i.e. closed source. Only the developers know what data they collect from your device, and hidden spyware functions can be built into them. In addition, the client software of some services hurts system performance, which is very noticeable on weak hardware: your computer may slow down, or your smartphone's battery drain faster, so that unscrupulous business owners can get rich collecting your personal data.
Speed, especially on free services, can sag badly, since the server's resources are shared among hundreds of other customers.
Governments, in their fight against tools for circumventing blocks of objectionable sites and services, aim first at blocking the addresses of commercial VPN services. Having paid for a commercial VPN, there is no guarantee you will be able to use it without trouble. There are also precedents of services cooperating with the authorities and introducing their own blocks, for example blocking all BitTorrent traffic for their users as part of the fight against pirated content.
Commercial VPN services should be avoided and resorted to only in an emergency, for temporary urgent needs.
Why WireGuard and Docker
WireGuard is a modern, cross-platform, secure, high-performance and easy-to-configure network tunnel, merged into the mainline Linux kernel in version 5.6. At the moment it is the fastest and most attractive free VPN. I used to use OpenVPN, and in general I have no complaints about it, but it loses on speed. It is perhaps more flexible and supports more encryption options. Both tools are good and suited to their own layer of problems. In my case, a home VPN, connection speed is the decisive factor. A pleasant bonus is the near-instant connection setup, unlike OpenVPN, where connecting usually takes at least a few seconds.
Docker is, of course, not mandatory. But in our case it simplifies installation, since we will use the ready-made linuxserver/docker-wireguard image, deploying which is even simpler and faster than manual setup.
On clients I prefer native solutions, although this image can be used as a client as well.
If you don't know what Docker is, how it works and why it is not a virtual machine, I advise you to read up on the topic yourself. This article does not cover Docker basics, but following the step-by-step instructions does not require that knowledge.
VPS server selection criteria
To begin with, we need to buy, or obtain free for a year, a virtual server through which the traffic will go.
- Located abroad
- 1 CPU
- at least 512 MB RAM
- Channel width 100-1000 Mbit/s
- KVM virtualization
- A Linux distribution on board
I decided to buy a separate server only for the VPN, so that one machine does one task without being spread thin, and I did well. So one core and a small 512 MB of RAM will be enough. Hosting in Germany suits me, since I am in the European part (the farther the country, the higher the ping) and Internet freedom there is acceptable. The channel width should be chosen based on the speed your Internet provider gives you (100/1000 Mbit/s). For virtualization it is better to take KVM, which guarantees isolation of the environment and guaranteed resources.
OpenVZ should be avoided because all instances there share the host machine's kernel. In addition, that kernel is often not very fresh, which can cause problems installing Docker; and since you cannot load the WireGuard kernel module into a kernel you do not control, you would be limited to a userspace implementation.
It is convenient to choose the hosting provider (the company we rent the server from) on VPS comparison sites such as Poiskvps.ru. They have all the necessary filters and sorting by price and other parameters. Very convenient.
UPD: the cheapest options are not always reliable. Earlier I referred to Robovps, which went down on 08.03.2022. I am removing all recommendations of this service.
WireGuard client setup on Ubuntu
First, WireGuard also has to be installed on our client machine, if it isn't already:
After installation, create the configuration file /etc/wireguard/wg0.conf with the following contents:
After creating the configuration file, we can start our VPN with the wg-quick utility:
Here wg0 is the name of our configuration file: wg-quick up wg0 looks for /etc/wireguard/wg0.conf and names the interface wg0.
If you get the error /usr/bin/wg-quick: resolvconf: command not found, you probably need to create a symbolic link: ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf (resolvectl behaves as a resolvconf replacement when invoked under that name).
If all the settings are correct, our client connects to our VPN server and all traffic passes through it. Our public IP address should also change to the IP address of our server.
WireGuard client setup on Windows
To configure WireGuard on Windows, first download the installer from the official site wireguard.com and install it.
Then we create a configuration file by analogy with the one we set up for Ubuntu. Its name does not matter, so we can simply create a file, for example wgvpn.conf, with the following contents:
After that, we import the file into WireGuard (fig. 1).
Next, we just press the Activate button; if all the settings are correct, the VPN should start working (fig. 2).
To check that our traffic goes through the VPN, look up the public IP address we go out to the Internet with; it must match the IP address of our server.
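Both the Ubuntu and Windows sections here, like the Windows GUI section earlier on this page, end with you hand-writing a client config that the page does not reproduce. As an added example (not code from any of the articles), here is a small linter for such a file: it parses the INI-like format without merging repeated [Peer] sections, checks that keys are 32-byte base64, that Address and AllowedIPs are valid networks, that no two peers claim the same AllowedIPs, and that Endpoint carries a port. The embedded sample config is constructed: the keys are placeholder bytes (repeated 0x01 and 0x02) and the server address is from the documentation range.

```python
# Added example, not from the article: lint a WireGuard client config before
# handing it to wg-quick or the Windows client. Keys are constructed placeholders.
import base64
import ipaddress

FAKE_PRIVATE_KEY = base64.b64encode(bytes([1]) * 32).decode()
FAKE_SERVER_PUBKEY = base64.b64encode(bytes([2]) * 32).decode()

SAMPLE_CLIENT_CONF = f"""\
[Interface]
PrivateKey = {FAKE_PRIVATE_KEY}
Address = 10.9.0.2/24
DNS = 10.9.0.1

[Peer]
PublicKey = {FAKE_SERVER_PUBKEY}
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""


def parse_wg_conf(text: str) -> list:
    """INI-like parse that keeps repeated [Peer] sections separate (configparser
    would merge them) and leaves '=' padding inside base64 values intact."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(value)
        else:
            raise ValueError(f"malformed line: {raw!r}")
    return sections


def _is_key(value: str) -> bool:
    """WireGuard keys are exactly 32 bytes in standard base64 (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def _csv(values: list) -> list:
    return [v.strip() for value in values for v in value.split(",") if v.strip()]


def lint_wg_conf(text: str) -> list:
    """Return findings as 'error: ...', 'warning: ...' and 'info: ...' strings."""
    out = []
    sections = parse_wg_conf(text)
    ifaces = [s for name, s in sections if name == "Interface"]
    peers = [s for name, s in sections if name == "Peer"]
    if len(ifaces) != 1:
        return [f"error: expected exactly one [Interface], found {len(ifaces)}"]
    iface = ifaces[0]
    if not _is_key(iface.get("PrivateKey", [""])[0]):
        out.append("error: [Interface] PrivateKey missing or not a 32-byte base64 key")
    addrs = _csv(iface.get("Address", []))
    if not addrs:
        out.append("error: [Interface] has no Address")
    for addr in addrs:
        try:
            ipaddress.ip_interface(addr)
        except ValueError:
            out.append(f"error: [Interface] Address {addr!r} is not an IP/prefix")
    if not peers:
        out.append("error: no [Peer] section, nothing to connect to")
    claimed = {}            # network -> peer number; an allowed IP belongs to one peer
    full_tunnel = False
    for n, peer in enumerate(peers, 1):
        if not _is_key(peer.get("PublicKey", [""])[0]):
            out.append(f"error: peer {n} PublicKey missing or not a 32-byte base64 key")
        for cidr in _csv(peer.get("AllowedIPs", [])):
            try:
                ip_if = ipaddress.ip_interface(cidr)
            except ValueError:
                out.append(f"error: peer {n} AllowedIPs {cidr!r} is not a network")
                continue
            net = ip_if.network
            if ip_if.ip != net.network_address:
                out.append(f"warning: peer {n} AllowedIPs {cidr} has host bits set; the kernel uses {net}")
            if net in claimed:
                out.append(f"error: {net} claimed by peers {claimed[net]} and {n}; the last one wins")
            claimed[net] = n
            full_tunnel |= net.prefixlen == 0
        if "Endpoint" in peer:
            port = peer["Endpoint"][0].rpartition(":")[2]
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                out.append(f"error: peer {n} Endpoint needs host:port, got {peer['Endpoint'][0]!r}")
        keepalive = peer.get("PersistentKeepalive", ["0"])[0]
        if not keepalive.isdigit() or int(keepalive) > 65535:
            out.append(f"error: peer {n} PersistentKeepalive must be 0..65535")
    if full_tunnel:
        out.append("info: AllowedIPs covers 0.0.0.0/0; wg-quick adds a policy route for it and "
                   "the Windows client offers 'Block untunneled traffic'")
    return out


if __name__ == "__main__":
    for finding in lint_wg_conf(SAMPLE_CLIENT_CONF) or ["clean"]:
        print(finding)
```

The duplicate-AllowedIPs check is the one most worth having: WireGuard routes by allowed IP and silently moves a prefix to whichever peer claimed it last, which shows up as one client mysteriously losing traffic rather than as a configuration error.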
How to simply and quickly create your own VPN (WireGuard) with a web interface