WireGuard is an extremely simple, fast and modern open-source Virtual Private Network (VPN) implementation. It is a VPN protocol based on modern cryptographic technology.
WireGuard uses state-of-the-art cryptography, such as the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24 and HKDF, which makes it a secure choice by modern cryptographic standards.
WireGuard lives and runs inside the operating system's kernel, which makes it blazing fast. When it comes to simplicity, you can't get a VPN implementation simpler than WireGuard: it is very simple to set up and get running.
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec - wireguard.com
What can you expect from this article?
In this article we are going to set up our own private VPN server on the Azure cloud, using the following steps:
- Run a private VPN server in the Azure cloud on an Ubuntu server.
- Set up mobile devices such as a phone to use your VPN server.
- Configure your laptop or PC to connect through the VPN server.
If you follow the scripts, I promise it won't take more than 10 minutes to get your own VPN system up and running.
1) Create Azure virtual machine
Log in to the Azure portal and create a new Ubuntu virtual machine. Azure's web portal is very easy to follow and all sections are pretty much self-explanatory, but you can follow the settings in this snapshot.
Now we need to configure the firewall ports. Go to the network settings and open the following ports.
- 51820/UDP for sending and receiving VPN traffic.
- 22/TCP for connecting to your server for configuration; once you are done with the server setup, this port can be disabled.
For security reasons, port 51820/UDP should be the only incoming port open on your server. You can close every other incoming port unless your server is serving other applications.
Once your machine is created, download the private key to your laptop or PC and connect using your favorite SSH client. The key file should be something like 'your-server-key.pem'.
2) WireGuard Server Setup
If the selected version of Ubuntu is lower than 20.04, you need to add the following repository; otherwise you can skip this step.
Once the repository is set up, or if you are on Ubuntu 20.04 or higher, which includes the sources by default, run the following script to install WireGuard.
Create the folder wg/keys and generate the server keys. This generates the server's private and public keys in the wg/keys folder.
Now that the keys are generated, the next step is to create the WireGuard network interface configuration file. WireGuard uses wg0 as the conventional name for the network interface. The following bash script creates the server interface config under /etc.
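An added example, not the article's original script: one way to generate the keys and write the interface file so that the private key is never group- or world-readable, plus a check for loosely permissioned files under wg/keys. The function names, the key file names and the server address 10.200.200.1/24 are assumptions; 51820 is the port opened in step 1.

```sh
# Added example (not the article's script). Function names, key file names
# and the server address 10.200.200.1/24 are assumptions.

# Generate a key pair named $2 in directory $1 (needs wireguard-tools).
# The function body is a subshell, so the umask does not leak to the caller.
gen_keypair() (
  umask 077
  mkdir -p "$1"
  wg genkey | tee "$1/$2_private_key" | wg pubkey > "$1/$2_public_key"
)

# Write an [Interface] section to $2 using the private key stored in file $1.
# Optional: $3 server address, $4 listen port.
write_server_conf() (
  key_file=$1; out=$2; addr=${3:-10.200.200.1/24}; port=${4:-51820}
  key=$(tr -d '[:space:]' < "$key_file")
  # A WireGuard key is 32 bytes: 44 base64 characters ending in '='.
  printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' ||
    { echo "bad key in $key_file" >&2; exit 1; }
  umask 077
  printf '[Interface]\nAddress = %s\nListenPort = %s\nPrivateKey = %s\n' \
    "$addr" "$port" "$key" > "$out"
  chmod 600 "$out"   # also tighten a file that already existed
)

# List files under $1 whose mode is anything other than 600 or 400.
loose_files() {
  find "$1" -type f ! -perm 600 ! -perm 400 | sort
}
```

Run `loose_files wg/keys` after generating keys; any path it prints is a key or config readable by more than its owner.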
As far as WireGuard itself is concerned, we are done with configuration. We still need to do some housekeeping at the operating system level so that the VPN server can properly send and receive internet traffic to and from clients.
2.1) IP Forwarding
IP forwarding lets your system act like a router, which receives data packets from one network and delivers them to another. Our VPN server is expected to carry all internet traffic between our devices and the internet without exposing our location or IP address, so it needs to forward packets.
Enable IP forwarding, otherwise your server won't be able to send or receive network traffic.
To make the change permanent, update the sysctl.conf file.
2.2) Firewall Rules
iptables is a useful utility for managing firewall rules on Linux. We need to configure some firewall rules to complete the setup. The following script configures some IP rules along with some NAT routing.
iptables rules live in memory and are wiped out on system reboot, but we can persist them between server reboots. Execute the following bash script to persist the iptables rules.
2.3) Spin up the WireGuard Interface
Now the final step is to start the WireGuard server by spinning up wg0.
If everything goes as planned, the following command should produce output like this:
The server is up and running now. We need to configure clients. Client configuration is a two-step process:
First, we need to tell the server which clients it should support, by generating a client configuration and attaching it to the server.
Second, we need to tell the client device which VPN server to use.
2.4) Generate Clients
Now we are going to generate client configurations and attach them to the server.
For mobile devices it is easier to scan a QR code than to deal with file downloads. Install qrencode with the following script; we will use it later to generate QR images for the client configurations.
The following configurations are for two clients, an iPhone and a laptop/PC, but you can repeat them for as many clients as needed.
Generate Configuration for iPhone
The following script creates public/private keys for the iPhone client and attaches the client to the server:
The status command should produce output something like the following, showing the server with one client.
The next step is to create the WireGuard config for the client. We are going to generate the client configuration using this script. Don't forget to add the public IP of your VPN server to the script. The public IP can be found in the first step, where the Ubuntu VM is created.
Now the configuration is generated for the device. We have two options: either download the config file to the device, in this case the iPhone, or generate a QR image out of iphone8.conf, which can easily be scanned with the camera.
To generate the QR code image, run the following script.
Generate Configuration for laptop or PC
The first thing we need to do is generate keys for the device. In your server terminal, run the following:
Now add your client to the VPN server's config.
The next step is to create the configuration file for your client. The following bash script creates the config file for your client and saves it to wg/clients.
One important thing to note in the client configurations above is the Address field. For the first client it is 10.200.200.2/32, for the second 10.200.200.4/32. Don't forget to change the last octet of the IP address for each client, otherwise you will be scratching your head over why the server is not sending data to the client and vice versa.
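An added example, not one of the article's scripts: helpers that read the peers already attached to the server config, report any address assigned twice, pick the next unused 10.200.200.x/32, and print a matching client config. The function names and the config layout (one AllowedIPs line per peer, full-tunnel AllowedIPs = 0.0.0.0/0 on the client) are assumptions.

```sh
# Added example (not the article's script); function names are assumptions.
# Peer addresses are read from the AllowedIPs lines of the server's wg0.conf.

# Print every peer address in file $1, one per line, without the /32 suffix.
used_addrs() {
  sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" |
    tr ',' '\n' | sed 's/[[:space:]]//g; s|/32$||; /^$/d'
}

# Print addresses assigned to more than one peer (no output means no clash).
dup_addrs() {
  used_addrs "$1" | sort | uniq -d
}

# Print the lowest unused host address in 10.200.200.2-254 as a /32.
next_free_addr() (
  i=2
  while [ "$i" -le 254 ]; do
    if ! used_addrs "$1" | grep -qx "10\.200\.200\.$i"; then
      echo "10.200.200.$i/32"
      exit 0
    fi
    i=$((i + 1))
  done
  echo "no free address left in 10.200.200.0/24" >&2
  exit 1
)

# Print a client config that sends all IPv4 traffic through the tunnel.
# $1 client private key, $2 client address, $3 server public key,
# $4 server public IP (from step 1). Port 51820 is the one opened in step 1.
client_conf() {
  cat <<EOF
[Interface]
PrivateKey = $1
Address = $2

[Peer]
PublicKey = $3
Endpoint = $4:51820
AllowedIPs = 0.0.0.0/0
EOF
}
```

Running `dup_addrs /etc/wireguard/wg0.conf` before restarting the interface catches the copy-and-paste case where two peers end up with the same address.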
Up to this point everything, including keys, configurations and QR images, is sitting on your VPN server. Now it is time to download them to the client devices.
3) WireGuard Client Setup
Let's start by configuring an iPhone to connect to the VPN server. Open a new SSH terminal on your laptop/PC (not the server) and download the image generated earlier to your local machine.
Setup iPhone to use VPN Server
Download the WireGuard app from the App Store. Open the iphone8.png you just downloaded and scan the QR code.
When you enable the VPN tunnel inside the WireGuard app, you should see something like the following by tapping on settings. If you tap on view log, you should see the communication with your VPN server. The top of the phone screen should show a small VPN sign.
You can check your location using mylocation.org; it should be the location of your VPN server. Open other apps such as YouTube to see if your internet is still working.
Connect your laptop to VPN Server
In this section we are going to configure a Linux desktop machine. This example shows an Ubuntu/Debian-based configuration, but it is applicable to any Linux distro. Open a bash terminal on your laptop/PC (not the server). Download the configuration file generated above to '/etc/wireguard/wg0-client.conf' on your laptop/PC.
Install WireGuard on the client machine using the following script.
Spin up the VPN network interface.
You need to manually spin up the VPN client interface every time you reboot your machine. That is not difficult, but to avoid the headache you can enable it automatically on reboot with the following command.
Now the network traffic from your local machine is going through the VPN tunnel of your own VPN server. A quick way to check is the following command.
You can check your location using mylocation.org; it should be the location of your VPN server. Voilà! We have configured a VPN server with an iPhone and a laptop connected.
WireGuard is an extremely fast VPN protocol and by far the most popular one. The reason it is so popular is that it is blazing fast, secure and simple. Unlike OpenVPN and IPsec, WireGuard does one thing and does it with absolute perfection. Setting up a VPN server was never this easy with earlier VPN technologies, especially when configuring your own home server or Raspberry Pi.
Although this article uses an Ubuntu VM in the cloud to demonstrate a WireGuard VPN, these steps are applicable to any device capable of running a Linux operating system.
If you have come this far, I hope you enjoyed the reading. Please give feedback and share if you like the article. Cheers!