I have setup a very basic VPN setup while traveling to prevent tracking & annoying ads on unsecured public WiFi networks. It all runs on a tiny t2.nano costing less than $5/month.
All this runs on a single
t2.nano AWS instance running in the nearest region running Ubuntu 19.04.
Pi-hole (DNS + AdBlocker)
A simply trusty old cURL to bash 🙇♂️
curl -sSL https://install.pi-hole.net | bash
Setting this up is quite easy after you get the hang of the key generation commands.
add-apt-repository ppa:wireguard/wireguard apt-get update apt-get install wireguard cd /etc/wireguard wg genkey | tee privatekey | wg pubkey > publickey
I then muck around inside vim to create
/etc/wireguard/wg0.conf which contains something like:
Note check what your outgoing interface is. It's probably not
ens5 like mine depending on your distro.
[Interface] Address = 192.168.13.1 PrivateKey = [aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1vYXZNdFVXREJUTQ==] change me ListenPort = 51820 PostUp = sysctl net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -o ens5 -j MASQUERADE; /usr/local/bin/pihole restartdns PostDown = iptables -t nat -D POSTROUTING -s 192.168.13.0/24 -o ens5 -j MASQUERADE [Peer] PublicKey = [aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1vYXZNdFVXREJUTQ==] change me AllowedIPs = 192.168.13.2/32 ... etc etc
The post-up/stop commands ensure traffic is forwarded out of the machine's IP address. You might need to replace
ens5 to your default route's interface. Pihole is restarted to make sure it's listening on the wg0 interface for clients to use it as the DNS server.
Sample client config file
[Interface] PrivateKey = aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1vYXZNdFVXREJUTQ== Address = 192.168.13.2/32 DNS = 192.168.13.1 [Peer] # the server PublicKey = aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1vYXZNdFVXREJUTQ== change me AllowedIPs = 0.0.0.0/0 # The server IP/udp port wg listens on Endpoint = 22.214.171.124:51820 PersistentKeepalive = 25
systemctl enable [email protected] systemctl start [email protected] systemctl status [email protected] [email protected] - WireGuard via wg-quick(8) for wg0 Loaded: loaded (/lib/systemd/system/[email protected]; enabled; vendor preset: enabled) Active: active (exited) since Fri 2019-10-18 14:00:55 UTC; 21s ago Docs: man:wg-quick(8) man:wg(8) https://www.wireguard.com/ https://www.wireguard.com/quickstart/ https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8 https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8 Process: 18126 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS) Main PID: 18126 (code=exited, status=0/SUCCESS) Oct 18 14:00:55 ip-172-31-5-144 systemd: Starting WireGuard via wg-quick(8) for wg0... Oct 18 14:00:55 ip-172-31-5-144 wg-quick: [#] ip link add wg0 type wireguard Oct 18 14:00:55 ip-172-31-5-144 wg-quick: [#] wg setconf wg0 /dev/fd/63 Oct 18 14:00:55 ip-172-31-5-144 wg-quick: [#] ip -4 address add 192.168.13.1 dev wg0 Oct 18 14:00:55 ip-172-31-5-144 wg-quick: [#] ip link set mtu 8921 up dev wg0 Oct 18 14:00:55 ip-172-31-5-144 wg-quick: [#] ip -4 route add 192.168.13.2/32 dev wg0 Oct 18 14:00:55 ip-172-31-5-144 wg-quick: [#] sysctl net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -o ens5 -j MASQUERADE; /usr/local/bin/pihole restartdns Oct 18 14:00:55 ip-172-31-5-144 wg-quick: net.ipv4.ip_forward = 1 Oct 18 14:00:55 ip-172-31-5-144 systemd: Started WireGuard via wg-quick(8) for wg0.
Everything should be running now but Pihole needs a change to allow it to listen for DNS requests on the
wg0 interface. I don't know how to do this automatically yet.
First we must set a password for pihole:
pihole -a -p
- Connect to the VPN
- visit http://192.168.13.1/admin/settings.php?tab=dns over the VPN
- change Interface Listening Behaviour to : Listen on all interfaces, permit all origins
- restart pihole
- Note Make sure not to allow public traffic on port 53 to prevent open dns resolver abuse. AWS security groups solve this for me.