Latest revision as of 09:19, 5 December 2025

Note that the operations on the server's side is very similar to the client's side. See the table below for a comparison of the configuration file.
Install wireguard

sudo apt update
sudo apt install wireguard

Generate Public and Private Keys on the server:

cd /etc/wireguard 
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

This will create two files privatekey (I think this is for server) and publickey (for client/peer?) in the current directory. We need to repeat this step of generating keys on each client you want to connect to the server.

Create a configuration file (based on the keys obtained from the server):
- <server IP> with the IP address of the WireGuard server. ou can find the public IP address of your server by running the command curl ifconfig.me in the terminal of the server.
- <server port> with the port number of the server. By default, WireGuard uses UDP port 51820 for communication. However, it is possible that the WireGuard server is configured to use a different port.
- The roles of Interface & Peer are flipped to the client's machine from server's machine

[Interface]
PrivateKey = <private key>
Address = 10.0.0.2/32

[Peer]
PublicKey = <public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server IP>:<server port>
PersistentKeepalive = 21

Start the WireGuard interface

sudo wg-quick up /path/to/configuration/file

Check the status of the interface:

sudo wg show

For a new client, the server side should do

echo "[Peer]" >> /etc/wireguard/wg0.conf
echo "PublicKey = <client_public_key>" >> /etc/wireguard/wg0.conf
echo "AllowedIPs = <client_ip_address>/32" >> /etc/wireguard/wg0.conf

About the keys. To generate keys in WireGuard server for a client, you can use the wg genkey command to generate a private key for the client and then use the wg pubkey command to generate a public key from that private key. You can then add the public key to the WireGuard server configuration file on the server side and use the private key on the client side.

(umask 077 && wg genkey > wg-private-client.key)
wg pubkey < wg-private-client.key > wg-public-client.key

Do I need to pass the server's public key to clients in wireguard?
- Yes, you need to exchange public keys between the server and each client for secure communication both ways.
- Each party needs to have their own private and public keys as each pair only enables one-way messaging.
- For the use in WireGuard, the server and each client must generate their own key pair and then exchange public keys.
What does /24 and /32 mean in ip address?
- In IP addresses, the number after the slash (/) represents the number of bits used for the network portion of the address.
- For example, in 10.0.0.1/24, /24 means that 24 bits are used for the network portion of the address and 8 bits are used for the host portion of the address.
- How can we explain CIDR notation with /24 and /32 to a manager?
Here is a summary of the structure of the configuration file

Server side

Client side

[Interface]
PrivateKey = <server-privatekey>
Address = 10.0.0.1/24
ListenPort = 51820
...

[Peer]
PublicKey = <client-publickey>
AllowedIPs = 10.0.0.2/32

[Interface]
Address = 10.0.0.2/32
PrivateKey = <client-privatekey>
DNS = 1.1.1.1

[Peer]
PublicKey = <server-publickey>
Endpoint = <server-public-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0

Usage with commercial VPNs

To use WireGuard with Windscribe VPN, you need to follow these steps:

Sign up for Windscribe VPN
Enable the WireGuard protocol: Open the Windscribe app and go to the "Preferences" section. Under the "Connection" tab, select "WireGuard" as the protocol.
Generate a WireGuard configuration file: Go to the Windscribe website and sign in to your account. Under the "My Account" section, click on "Generate OpenVPN/WireGuard Config". Select "WireGuard" as the protocol and choose the server location you want to connect to. Click on "Generate" to download the configuration file.
Install WireGuard on Ubuntu
Import the Windscribe configuration file: Move the downloaded Windscribe configuration file to a directory of your choice on your Ubuntu machine. Open the terminal and run the following command to import the configuration file:

sudo wg-quick up /path/to/windscribe-config-file

Verify the connection:

sudo wg show

PiVPN

PiVPN + Pi-hole

Installing Pi-hole with PiVPN. It is now possible to connect, from an OpenVPN client, to a computer or a phone, to benefit from the filtering of Pi-hole.
Build your OWN VPN! Here's how (and why you NEED to).
- Choose whether clients use a static IP or DNS name to connect to VPN server
- PiVPN offers to set up automated updates on your computer.
- Running Ansible security playbook to secure servers. Ansible 101 - Episode 9 - First 5 min server security with Ansible.
- Router needs to forward the port 51820 with the protocol UDP.
- Use pivpn add to generate a configuration file - naming the client by some rules. Copy the configuration file to your client or use pivpn -qr to generate a QR code from a configuration file in a list on screen.
- If you are stuck in CG-NAT , you can't run PiVPN.

wg-easy

wg-easy. Running WireGuard with Docker Compose.
How to Set Up WireGuard VPN Server with Docker
WG Easy - open source, self hosted Wireguard server setup tool with a simple, intuitive web UI! (YT)
Self Hosted EASY Wireguard Server

sudo ufw allow 51820/udp

Steps
1. Add wg.taichimd.us to cloudflare.
2. Update ddclient.conf (recall I use my domain name instead of IP in the WG_HOST)
3. Open 51820/UDP port on router
4. sudo ufw allow 51820/udp; docker-compose up -d
5. Go to http://IP:51821 and type in the password defined in docker-compose.yml & add a new client. I use my android device to name the new client.
6. scan QR code on Android wireguard app. Give a name for the new tunnel.
7. Disable wifi and connect http://neverssl.com to test the connection
Extra steps:
1. In cloudflare, disable DNS Proxy
2. Include WG_ALLOWED_IPS=0.0.0.0/0 (not sure if this is necessary)
3. sudo rm wg0.* (for some reason, the conf file was not changed after I modify docker-compose.yml file)
4. docker-compose up -d
5. Re-log in and re-create a new client tunnel, etc.
6. In the http://IP:51821 client page, you should see a red dot showing a client is connected and some network activity (up/down).
Any benefit to changing default WireGuard port?
How to build your own network storage and remote access server from scratch

Netmaker

https://github.com/gravitl/netmaker

Tailscale

https://tailscale.com/ Zero config VPN.
- How Tailscale works
- How-to Guides
- Step 1: Download curl -fsSL https://tailscale.com/install.sh | sh
- Quickly switch between Tailscale accounts
https://hub.docker.com/r/tailscale/tailscale
How to Set Up Remote Access to Your Local Network Using Tailscale VPN

Step 2: Tailscale in LXC containers. Running tailscale inside of a proxmox container. Tip: change the LXC ID 102 below.

echo 'lxc.cgroup.devices.allow: c 10:200 rwm' >> /etc/pve/lxc/102.conf
echo 'lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file' >> /etc/pve/lxc/102.conf

Manual install. How to install Tailscale on LibreELEC for kodi?

cd ~/Downloads/tailscale_1.50.1_arm64
sudo ./tailscaled --state=tailscaled.state  > /dev/null 2>&1  &
sudo ./tailscale up  # cp & open browser, the authentication was kept after reboot
./tailscale status
# ssh to the other machines using ip4 from tailscale

Step 3: Exit node (route all traffic).
- Think of an exit node as a kind of gateway in the Tailscale network. Normally, when you use Tailscale, it’s like having a private network where only your devices can talk to each other. But what if you want to use this private network to access the internet?
- That’s where an exit node comes in. You can choose one device in your Tailscale network and set it up as an exit node. This device will act like a door from your private network to the public internet.
- So, if you’re in a coffee shop and you don’t trust the Wi-Fi, you can use Tailscale and your exit node to safely browse the internet. All your internet traffic will go through your private network and out through the exit node, just like going through a secure door.
- On Linux, see https://headscale.net/exit-node/
```
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

sudo tailscale set --advertise-exit-node
```
- On Android client, click 3 dots on top-right corner. In the list of Use exit node... (cf: "Run exit node"), choose the one you like to use. Now Android client will the 'exit node' to route all traffic. Use ipchicken to test.
- The exit node is still different wireguard where we can use any local IPs to access home machines.
Step 4: Subnet routers and traffic relay nodes
- Subnet Routers | Tailscale Explained (video)
- It is useful if you want to connect to devices you can’t install Tailscale on; e.g. MotioneyeOS on RPi.
- If you want to grant your remote users access to your whole office network or want to connect two networks, you can configure subnet routing.
- There is no need to run tailscale down before running tailscale up again with new flags like "--advertise-routes=192.168.1.0/24 --advertise-exit-node". The tailscale up command is designed to be idempotent: you can rerun it with new flags at any time to update your Tailscale configuration.
- After we run "sudo tailscale up --advertise-routes=192.168.1.0/24 --advertise-exit-node", we may receive the following message: Some peers are advertising routes but --accept-routes is false. We still need to go to the admin page https://login.tailscale.com/admin/machines to approve Edit route settings to finalize the Subnet routes & Exit node options.
- "tailscale up ..." statement will automatically start when the machine reboot.
- To reach devices on local network, you must enable the "Allow LAN access" option when selecting the exit node on your phone.
```
# Connect to Tailscale as a subnet router
sudo tailscale up --advertise-exit-node --advertise-routes=192.168.1.0/24 

# Enable subnet routes from the admin console (web)
# Click "..." -> Edit route setting. Check the subset routes '192.168.1.0/24'.
# Also check the 'Exit node' -> "Use as exit node" option.

# On the client machine (eg Android), click "Use exit node..." and select
#   the machine serving as an exit node.
```
Free plan. 3 users in a single Tailscale network. A tailnet can only have users in the same domain. To have multiple users in a tailnet, you need to have a custom domain that is not shared with other unaffiliated users, unlike Gmail (which has the @gmail.com domain that is used by unaffiliated users).
Headscale - Open Source, Self Hosted Wireguard Control Server for your Tailscale Network!
Contain your excitement: A deep dive into using Tailscale with Docker
Enabling HTTPS - How-to Guide.
How to Make Netflix Think You’re Watching From Home
Turn an Old Android Phone into a File Vault Using Tailscale

tailscale up --ssh

Example

sudo tailscale up --ssh=true  # enable ssh
sudo tailscale up --ssh=false # disable ssh
tailscale ssh username@host # no need to enter password/key

FAQs

Some peers are advertising routes but --accept-routes is false
- I got this message when I ran sudo tailscale up --reset --advertise-routes=192.168.1.0/24
- It tells you “Other devices in your tailnet are advertising subnet routes, but this node isn’t currently configured to accept them.”
- It’s not an error, just a warning. Your advertised route (192.168.1.0/24) is still being offered to the network — but your device itself won’t use other devices’ advertised routes unless you tell it to.
- If we run "sudo tailscale up --advertise-routes=192.168.1.0/24 --accept-routes=true", it means I’m also willing to use routes that other subnet routers advertise. If both devices have a local network using the same subnet (192.168.1.0/24), then enabling --accept-routes will cause a conflict, because Tailscale would try to add a route for 192.168.1.0/24 that already exists locally.
Some peers are advertising routes but --accept-routes is false
- Suppose I have installed tailscale on computers O and N and also a mobile device A.
- I have installed MotionEye on a computer in the same network as the device O. Device O ran sudo tailscale up --reset --advertise-routes=192.168.1.0/24
- I can access MotionEye on the mobile device A.
- I got this above strange message when I run sudo tailscale down && sudo tailscale up on device N.
- To fix the problem, I need to run sudo tailscale up --accept-routes on device N. Now I can access MotionEye located in the same network as the device O.

CLI

7 Essential Tailscale CLI Commands Every Admin Should Know

Reset

When I enabled "--accept-routes" option on one machine, that machine could not be accessed by other machines in the home network (ping, ssh, jellyfin, etc). If you had --accept-routes enabled, and another device on your Tailscale network was advertising your home subnet (e.g., 192.168.1.0/24), your Debian machine started trying to send "replies" to your local computer all the way through the internet (via Tailscale) instead of just across the room. The connection breaks because the path is confused (Asymmetric Routing).
```
sudo tailscale up --reset
```
If you do not want an exit node, but need to reset and only specify the necessary flags for subnet routing, you can do:
```
sudo tailscale up --reset
sudo tailscale up --advertise-routes=192.168.1.0/24
```

Advertise routes vs Use exit node

Tailscale: Advertise Routes vs Use Exit Node
Feature	Command / Option	What it Does	Typical Use
Advertise Routes (server)	--advertise-routes=192.168.1.0/24	Shares your LAN subnet so other Tailscale devices can reach local devices through this node.	Access devices on your remote LAN (printers, NAS, PCs) securely from anywhere.
Accept routes (client)	--accept-routes	Tells the node: “Yes, I want to use the advertised LAN routes.”	A client wants to gain access to internal networks exposed by other Tailscale nodes.
Use Exit Node (server)	--advertise-exit-node, then "Use exit node" (on client)	Sends all internet traffic from the client device through this Tailscale node, similar to a VPN.	Securely browse the internet via the Tailscale node, bypass geo-blocks, or use home IP for internet traffic.

GNOME icon

Tailscale QS. Works on my Genome 43 (version 18 of Tailscale QS).

SMB

Use tailscale IP.

Option A — Use Nautilus (GNOME Files). In the GNOME file manager, enter an address like "smb://100.101.102.103/ShareName". Replace ShareName with the actual SMB share name you created on TrueNAS. Enter your TrueNAS username and password when prompted. Nautilus will now mount the share, just like a local SMB device.

Option B — Mount manually using cifs-utils (CLI)

sudo apt update
sudo apt install cifs-utils

sudo mkdir -p /mnt/truenas

sudo mount -t cifs //100.101.102.103/ShareName /mnt/truenas \
  -o username=truenas_user,password=truenas_pass,vers=3.0

Optional: add it to /etc/fstab for persistent mounts:

//100.101.102.103/ShareName /mnt/truenas cifs username=truenas_user,password=truenas_pass,vers=3.0 0 0

Use an exit node on clients

Exit node is a device on your tailnet that agrees to forward all of my internet traffic for me.
Normally, Tailscale only handles tailnet traffice: device-to-device connections inside your private mesh network
With an exit node, you can also send regular internet traffic (web browsing, software updates, etc.) through one of your Tailscale devices.
Exit node is different from Subnet router
- Subnet router - exposes only the needed LANs inside Tailscale (cleaner, safer, less bandwidth overhead).
- Exit node - tunnels all your internet traffic through that node, which also happens to let you reach Device A's LAN if Device A has not installed Tailscale but it can be accessed by the exit node.

tailscale status # see which exit nodes are available

sudo tailscale up --exit-node=XXX.XXX.XXX.XXX

sudo tailscale up --exit-node=    # stop using an exit node

Zerotier

https://www.zerotier.com/
The biggest plus for ZT is its multi-network ability, for example home and school network.

Proton

Proton VPN Now Supports WireGuard on Linux

OpenVPN

https://hub.docker.com/r/kylemanna/openvpn/ OpenVPN server in a Docker container complete with an EasyRSA PKI CA
- Set Up a VPN Server With Docker In 5 Minutes
Tutorial from nordvpn (free 3-day trial)
How To Set Up an OpenVPN Server on Ubuntu 20.04
Configure Ubuntu Pi-hole for Cloudflare DNS over HTTPS Ubuntu 18.04 LTS.
How to Build An OpenVPN Access Point by Hak5 in Youtube.
Secure you server administration with multiplatform VPN connection by howtoforge.
Ubuntu 18.04 Set up OpenVPN server in 5 minutes
Set up OpenVPN server on Ubuntu 18.04
Basic Ubuntu 22.04 OpenVPN Client/Server connection setup, Ubuntu 22.04 LTS Set Up OpenVPN Server In 5 Minutes

Proton

https://protonvpn.com/support/linux-vpn-setup/, ProtonVPN now offers the most advanced free Linux VPN app. To set up the connection, we need to log into our account and get the username/password.
The free account from ProtonVPN does not allow to use torrent.
Using ProtonVPN on Ubuntu 18.04

Fedora

How to Setup OpenVPN on Fedora 24+

List of free and fast VPNs

7 Best VPN Services For 2019
The 7 Best VPNs for Linux Oct 2018
5 Great Free VPN Services Compared: Which Is Fastest?
How to Choose the Best (and Fastest) Alternative DNS Server
Windscribe, mentioned by Sick of NBC's vapid Olympics coverage? Use a VPN and you can watch the BBC's coverage instead
Can I Watch Hulu Outside the US? The Best VPNs for Streaming Hulu. Free: Hide.me, Windscribe.
The 7 Best Free VPNs for Your Chromebook 2021
What Is the Best Free VPN for Your PC? 2022.
- Windscribe VPN (allow torrenting but with 2G/per month cap)
- ProtonVPN
- Betternet VPN
- ZenMate
The Best Free VPNs of 2023, The best free VPN of 2023
- Proton
- PrivadoVPN Free
- Windscribe Free
- Atlas VPN Free
- Hide.me Free VPN
- Hotspot Shield Basic VPN
- TunnelBear Free
Urban VPN 免費 VPN 服務提供 80+ 國家節點，支援各種平台無流量限制
What Is the Best Free VPN for Your iPhone and iPad?
022年最佳免费VPN推荐！安全加密，速度快，秒开4K、8K！
Everything You Need to Know About the Encryption on Zoog's Free VPN
4 VPNs That Don't Require You to Sign Up or Register
The best free VPNs: 5 no-cost top picks 2025

Browser extensions

ProtonVPN (Chrome, Edge, Firefox)
Astar VPN
ZenMate
VeePN
Free vpn. Include China ip.

Windscribe

It can be integrated into a browser (Chrome, Firefox, MS Edge, Opera). How To Windscribe: Beginner's Edition. Getting Started with Windscribe on Firefox.
5 Free Privacy Tools You Can Use on Any Device. Windscribe has 10GB/month for free

ProtonVPN

Proton VPN's Free Tier Is the Best You'll Find. There are two big limitations though. The free account is limited to one device (although you can create another account to use with another device to get around that). And second, the free tier lets you connect to only three regions. In the U.S., it randomly connects you to a different state; in Europe, you connect to the Netherlands, and in Asia, you’re connecting to servers in Japan.
To use the Proton VPN browser extension, you must have a paid Proton VPN plan. Introducing the Proton VPN browser extension.

PrivadoVPN

10GB per month.

Torrent

How to Set Up a VPN on Your Router

https://www.makeuseof.com/tag/setup-vpn-router/

dVPN

How Does a Decentralized VPN (dVPN) Work?

Latest revision as of 09:19, 5 December 2025

Resource

Blocked, ports

VPN vs Tor

Misunderstanding

Internet speed

VPN split vs full tunnel

How to Check if Your VPN Is Working

DNS setting

How You Can Host Your Own VPN: VPS

VPN Protocols Compared

Diskless VPN

Zero trust network access

Wireguard

Use in Ubuntu client

Usage with commercial VPNs

PiVPN

wg-easy

Netmaker

Tailscale

FAQs

CLI

Reset

Advertise routes vs Use exit node

GNOME icon

SMB

Rustdesk

Chromebooks

Key Expiry

Tailscale status page

Use an exit node on clients

Zerotier

Proton

OpenVPN

Proton

Fedora

List of free and fast VPNs

Browser extensions

Windscribe

ProtonVPN

PrivadoVPN

Torrent

How to Set Up a VPN on Your Router

dVPN