I have set up a very basic VPN while traveling to prevent tracking and annoying ads on unsecured public WiFi networks. It all runs on a tiny t2.nano costing less than $5/month.

The box

All this runs on a single t2.nano AWS instance in the nearest region, running Ubuntu 19.04.

Pi-hole (DNS + AdBlocker)

A simple, trusty old curl-to-bash 🙇‍♂️

curl -sSL https://install.pi-hole.net | bash

WireGuard

Setting this up is quite easy after you get the hang of the key generation commands.

add-apt-repository ppa:wireguard/wireguard
apt-get update
apt-get install wireguard

cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey

I then muck around inside vim to create /etc/wireguard/wg0.conf, which contains something like:

[Interface]
Address = 192.168.13.1/24
# change me: paste the contents of /etc/wireguard/privatekey
PrivateKey = aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1vYXZNdFVXREJUTQ==
ListenPort = 51820
PostUp = sysctl net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -o ens5 -j MASQUERADE; /usr/local/bin/pihole restartdns
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -s 192.168.13.0/24 -o ens5 -j MASQUERADE

[Peer]
# the client's public key (generated on the client with wg genkey | wg pubkey)
PublicKey = aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1vYXZNdFVXREJUTQ==
AllowedIPs = 192.168.13.2/32
...
etc etc

The PostUp/PostDown commands ensure traffic is forwarded out of the machine's IP address. You might need to replace ens5 with your default route's interface (check with `ip route show default`). Pi-hole is restarted to make sure it's listening on the wg0 interface, so clients can use it as the DNS server.
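As an added example (not from the original post), a small Python linter for a server config in the shape of the one above: it parses wg0.conf, checks that every iptables rule PostUp adds is also deleted by PostDown, and checks that each peer's AllowedIPs is a single /32 inside the tunnel subnet. The embedded config and its key values are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in the shape of the post's /etc/wireguard/wg0.conf; keys are placeholders.
WG0 = """\
[Interface]
Address = 192.168.13.1/24
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820
PostUp = sysctl net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -o ens5 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 192.168.13.0/24 -o ens5 -j MASQUERADE

[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.13.2/32
"""

RULE = r"iptables (.*?)-%s (.+?)(?:;|$)"  # -> (table prefix such as '-t nat ', rule after -A/-D)


def parse(text):
    """Split an INI-style wg config into (interface dict, list of peer dicts)."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in wg configs
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers


def lint(text):
    """Return a list of problems to fix before running `wg-quick up wg0`."""
    iface, peers = parse(text)
    subnet = ipaddress.ip_interface(iface["Address"]).network
    problems = []
    # Each rule PostUp adds (-A) should be deleted by PostDown (-D), or it outlives the tunnel.
    removed = re.findall(RULE % "D", iface.get("PostDown", ""))
    for prefix, body in re.findall(RULE % "A", iface.get("PostUp", "")):
        if (prefix, body) not in removed:
            problems.append(f"PostDown should also run: iptables {prefix}-D {body}")
    # Server-side AllowedIPs is cryptokey routing: a peer given more than its /32 gets that whole range.
    for peer in peers:
        net = ipaddress.ip_network(peer.get("AllowedIPs", "0.0.0.0/0"), strict=False)
        if net.prefixlen != 32 or not subnet.supernet_of(net):
            problems.append(f"peer {peer.get('PublicKey')}: AllowedIPs {net} is not one host in {subnet}")
    return problems
```

Run `lint(WG0)` on the sample and it reports the FORWARD rule that PostDown never removes; add `iptables -D FORWARD -i %i -j ACCEPT` to PostDown and the list comes back empty.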

Sample client config file

[Interface]
PrivateKey = aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1vYXZNdFVXREJUTQ==
Address = 192.168.13.2/32
DNS = 192.168.13.1

[Peer]
# the server
PublicKey = aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1vYXZNdFVXREJUTQ==
AllowedIPs = 0.0.0.0/0
# the server's public IP and the UDP port wg listens on
Endpoint = 17.178.96.1:51820
PersistentKeepalive = 25

Done.