hmbrg.xyz

Secure Internet While Using Public Wifi

Every now and then my multiple sclerosis goes nuts and I have to go to hospital to get cortisone infusions. During this time, mostly three days, I sometimes need to use the Internet - you know, this tiny blackish metal box - and as the hospital network is a public WiFi I needed a solution to encrypt my connection.

It should be something lightweight, and not one of the many commercial VPN providers.

The logical conclusion: WireGuard❗

General information about WireGuard:

WireGuard is free and open source software that is fast and secure at the same time and uses modern cryptographic primitives. Performance-wise it is far better than IPsec/OpenVPN, and WireGuard is supported on all major desktop and mobile operating systems.

A VPN connection is established by exchanging public keys, just like with SSH. The configuration effort is comparatively low.

Installation/Configuration - Server (Debian 10):

# the redirect (>) is performed by your own shell before sudo runs, so write the files via sudo tee
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | sudo tee /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install wireguard -y

Edit /etc/sysctl.conf, uncomment the following line, reload sysctl.conf and generate the server key pair:

sudo vim /etc/sysctl.conf
#net.ipv4.ip_forward=1			# uncomment this line!
sudo sysctl -p				# reload sysctl.conf
cd /etc/wireguard
# umask is a shell builtin (sudo cannot run it) and /etc/wireguard is root-only, so set the umask and write both key files in one root shell
sudo sh -c 'umask 077; wg genkey | tee server_private.key | wg pubkey > server_public.key'

Create configuration file for WireGuard interface wg0:

sudo vim /etc/wireguard/wg0.conf

Insert the following rows:

[Interface]
Address = 192.168.123.1		# IP address of wg0 interface (VPS)
ListenPort = 51820

PrivateKey = <contents of server_private.key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client1
[Peer]
PublicKey = <contents of client1_public.key>
AllowedIPs = 192.168.123.2/32		# IP address of wg0 interface (client)

Fill in PrivateKey (the contents of server_private.key) and PublicKey (the client's public key, generated in the client section) accordingly and, if needed, replace eth0 with the name of the server's physical network interface.

The IP subnet (192.168.123.0) can also be changed to your liking!

Activate the created WireGuard interface wg0:

sudo wg-quick up wg0
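The server configuration above, as an added example that is not code from the original post: a small POSIX shell script that checks that both keys have the shape `wg genkey`/`wg pubkey` produce (32 bytes, base64, 44 characters ending in '='), renders the post's /etc/wireguard/wg0.conf with the values filled in, and writes it with mode 0600 so the private key is not world-readable. The function names, the demo keys and the output path are assumptions; the addresses, port and iptables rules are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post: render the server-side
# wg0.conf from the post with the key values filled in. Function names,
# the demo keys and the output path are assumptions; addresses, port and
# iptables rules are taken from the post.

# is_wg_key KEY: succeed if KEY looks like a WireGuard key, i.e. 32 bytes
# encoded as base64 (43 characters from the base64 alphabet plus one '=').
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# render_server_conf SERVER_PRIVATE_KEY CLIENT1_PUBLIC_KEY WAN_IFACE
# Print the [Interface]/[Peer] file from the post to stdout; refuse
# malformed keys so a truncated or swapped value never ends up in the file.
render_server_conf() {
    priv=$1; client_pub=$2; wan=$3
    is_wg_key "$priv" || { echo "server private key is malformed" >&2; return 1; }
    is_wg_key "$client_pub" || { echo "client public key is malformed" >&2; return 1; }
    cat <<EOF
[Interface]
Address = 192.168.123.1
ListenPort = 51820
PrivateKey = $priv
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $wan -j MASQUERADE

# Client1
[Peer]
PublicKey = $client_pub
AllowedIPs = 192.168.123.2/32
EOF
}

# write_server_conf OUT_PATH SERVER_PRIVATE_KEY CLIENT1_PUBLIC_KEY WAN_IFACE
# Render first, then write with umask 077 (mode 0600): the file holds the
# private key. Nothing is written if a key is malformed. Run as root for
# /etc/wireguard.
write_server_conf() {
    out=$1; shift
    content=$(render_server_conf "$@") || return 1
    ( umask 077; printf '%s\n' "$content" > "$out" )
}

# Demo with constructed placeholder keys (not real keys; use the output of
# `wg genkey` / `wg pubkey` from the post instead).
DEMO_SERVER_PRIV='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
DEMO_CLIENT_PUB='BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB='
render_server_conf "$DEMO_SERVER_PRIV" "$DEMO_CLIENT_PUB" eth0
```

On the VPS you would call write_server_conf as root with the real keys, e.g. with the private key read from /etc/wireguard/server_private.key and the client's public key pasted from the client machine; the key check is what catches the classic mistake of pasting the client's private key into the server's [Peer] section.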

Installation/Configuration - Client (Artix Linux runit):

Install the wireguard software package:

sudo pacman -S wireguard-tools

Create the service directory and /etc/runit/sv/wireguard/finish:

sudo mkdir /etc/runit/sv/wireguard
sudo vim /etc/runit/sv/wireguard/finish

Insert the following rows:

#!/bin/sh
set -e

for conf in /etc/wireguard/*.conf; do
	[ -e "$conf" ] || continue;
	wg-quick down "$conf"
done

Create /etc/runit/sv/wireguard/run:

sudo vim /etc/runit/sv/wireguard/run

Insert the following rows:

#!/bin/sh
set -e

for conf in /etc/wireguard/*.conf; do
	[ -e "$conf" ] || continue;
	wg-quick up "$conf"
done

exec chpst -b wireguard pause

Generate the needed key pair (with umask 077 so the private key file is readable by you only):

(umask 077; wg genkey | tee client1_private.key | wg pubkey > client1_public.key)

Create client configuration:

sudo vim /etc/wireguard/wg0.conf

Insert the following rows:

[Interface]
PrivateKey = <contents of client1_private.key>
Address = 192.168.123.2		# IP address of wg0 interface (client)
DNS = 1.1.1.1

[Peer]
PublicKey = <contents of server_public.key>
Endpoint = Server-IP:51820
AllowedIPs = 192.168.123.1/32		# IP address of wg0 interface (VPS)
PersistentKeepalive = 25

Fill in PrivateKey (the contents of client1_private.key), PublicKey (the server's public key) and the server's public IP address in Endpoint accordingly!

The IP subnet (192.168.123.0) can also be changed to your liking!
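A check on the client configuration above, as an added example that is not code from the original post. The post's goal is to keep traffic on the hospital WiFi encrypted, but wg-quick only routes the prefixes listed in a peer's AllowedIPs through the tunnel: with `AllowedIPs = 192.168.123.1/32` only packets to the VPS's tunnel address are encrypted, while web traffic and the DNS queries to 1.1.1.1 still leave the laptop in the clear. The MASQUERADE rule on the server only has work to do when the client sends it traffic for other destinations, which is what `AllowedIPs = 0.0.0.0/0` (plus `::/0` for IPv6) arranges. The script below parses a config in the post's layout and reports which of the two it is. Function names and the sample configs (placeholder keys, a documentation-range endpoint) are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: report whether a client
# wg0.conf in the post's layout is a full tunnel (all traffic via WireGuard)
# or a split tunnel (only the listed AllowedIPs). Function names and the
# sample configs below are constructed.

# conf_value FILE KEY: print the value of the first "KEY = value" line,
# with a trailing "# comment" and surrounding whitespace removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# routes_everything ALLOWED_IPS: succeed if the comma-separated list
# contains the IPv4 default route 0.0.0.0/0.
routes_everything() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF '0.0.0.0/0'
}

# check_client_conf FILE: print one line per finding. Returns 0 only for a
# full tunnel that also sets PersistentKeepalive (the post's value of 25
# keeps the NAT mapping on a public WiFi alive so the VPS can reach back).
check_client_conf() {
    allowed=$(conf_value "$1" AllowedIPs)
    dns=$(conf_value "$1" DNS)
    keepalive=$(conf_value "$1" PersistentKeepalive)
    rc=0
    if routes_everything "$allowed"; then
        echo "full tunnel: all IPv4 traffic, DNS to $dns included, goes through WireGuard"
    else
        echo "split tunnel: only '$allowed' is routed; DNS to $dns and all other traffic bypass the tunnel"
        rc=1
    fi
    if [ -z "$keepalive" ]; then
        echo "no PersistentKeepalive: behind NAT the tunnel may go silent until the client sends something"
        rc=1
    fi
    return $rc
}

# Constructed sample: the post's client config with placeholder keys and a
# documentation-range endpoint; the second file is the same with a default route.
SPLIT=$(mktemp); FULL=$(mktemp)
trap 'rm -f "$SPLIT" "$FULL"' EXIT
cat > "$SPLIT" <<'EOF'
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 192.168.123.2
DNS = 1.1.1.1

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
Endpoint = 203.0.113.10:51820
AllowedIPs = 192.168.123.1/32    # IP address of wg0 interface (VPS)
PersistentKeepalive = 25
EOF
sed 's#^AllowedIPs = .*#AllowedIPs = 0.0.0.0/0, ::/0#' "$SPLIT" > "$FULL"

check_client_conf "$SPLIT" || echo "-> this config would NOT protect you on public WiFi"
check_client_conf "$FULL" && echo "-> this config routes everything through the VPS"
```

Run it against the real file with `check_client_conf /etc/wireguard/wg0.conf` (as root, since the file is mode 0600). With the default route in AllowedIPs, the post's ping test still works exactly as described, and the DNS = 1.1.1.1 line is what keeps name resolution from falling back to the WiFi's own resolver.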

Establish VPN connection:

On both systems, VPS and workstation, run the following:

sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0

This will automatically establish a VPN connection on both systems after a reboot.

To drop the client's VPN connection in this way you have to execute: sudo systemctl stop wg-quick@wg0

If you don't want your client to connect to your WireGuard VPN automatically, perform the above commands only on your VPS! On your workstation you can then establish the VPN connection manually by executing: sudo wg-quick up wg0

To drop your workstation's VPN connection, simply run: sudo wg-quick down wg0

Test VPN connection:

To test if the connection was established successfully, simply run:

VPS: ping 192.168.123.2

Client: ping 192.168.123.1
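A second check for this step, as an added example that is not code from the original post: a successful ping shows that packets cross the tunnel, but the quickest way to see whether a peer is actually talking to the VPS is the handshake age from `wg show wg0 latest-handshakes`, which prints one `<public key><tab><unix time>` line per peer, with 0 for a peer that has never completed a handshake. The function below reads that output and flags peers whose last handshake is older than a threshold. The threshold of 180 seconds is an assumption (a rule of thumb: WireGuard re-handshakes roughly every two minutes while traffic flows, and the post's PersistentKeepalive = 25 keeps traffic flowing); the function names and the sample lines are constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the original post: flag WireGuard peers with a
# stale or missing handshake from the output of `wg show wg0 latest-handshakes`.
# The 180 s threshold is an assumption (rule of thumb); sample data is constructed.

# handshake_age NOW TS: seconds since the handshake at unix time TS,
# or "never" when TS is 0 (wg reports 0 for a peer that never handshook).
handshake_age() {
    if [ "$2" -eq 0 ]; then echo never; else echo $(( $1 - $2 )); fi
}

# check_handshakes NOW MAX_AGE: read "<pubkey><tab><ts>" lines from stdin and
# print "<pubkey> ok <age>s" or "<pubkey> STALE <age>s|never". Returns 0 only
# if every peer handshook within MAX_AGE seconds of NOW.
check_handshakes() {
    now=$1; max=$2; rc=0
    while read -r key ts; do
        [ -n "$key" ] || continue
        age=$(handshake_age "$now" "$ts")
        if [ "$age" != never ] && [ "$age" -le "$max" ]; then
            echo "$key ok ${age}s"
        else
            [ "$age" = never ] || age="${age}s"
            echo "$key STALE $age"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output: one peer that handshook 20 s ago, one that never did.
NOW=1632700300
SAMPLE=$(printf '%s\t%s\n%s\t%s\n' \
    'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=' 1632700280 \
    'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=' 0)
printf '%s\n' "$SAMPLE" | check_handshakes "$NOW" 180 \
    || echo "at least one peer is not connected"
```

On the VPS the live check is `sudo wg show wg0 latest-handshakes | check_handshakes "$(date +%s)" 180`; a peer that pings fine but shows STALE is usually one whose AllowedIPs or Endpoint was edited after the last handshake, which is worth knowing before trusting the tunnel on a public network.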


Tags: VPN, WireGuard

This page was last updated on: 27. September 2021