VPN: Difference between revisions

From 太極
Jump to navigation Jump to search
Line 192: Line 192:
*# In the http://IP:51821 client page, you should see a red dot showing a client is connected and some network activity (up/down).
*# In the http://IP:51821 client page, you should see a red dot showing a client is connected and some network activity (up/down).
* [https://www.reddit.com/r/selfhosted/comments/giood0/comment/fqgdry0 Any benefit to changing default WireGuard port?]
* [https://www.reddit.com/r/selfhosted/comments/giood0/comment/fqgdry0 Any benefit to changing default WireGuard port?]
* How to build your own network storage and remote access server from scratch
** [https://youtu.be/_Nu5Ibv1ZQA?si=Qc9RoFTlhjWn-bWN&t=70 TrueNAS Scale]
** [https://youtu.be/_Nu5Ibv1ZQA?si=2A5xDqiK8MbC6BhX&t=569 wg-easy]
** [https://youtu.be/_Nu5Ibv1ZQA?si=nsCbbTCuVqS8nDbP&t=894 DuckDNS]
** [https://youtu.be/_Nu5Ibv1ZQA?si=KkFN1kygwg--4r6Q&t=924 DDNS Updater was used]


== Netmaker ==
== Netmaker ==

Revision as of 13:44, 2 November 2024

Resource

Blocked, ports

My self hosted VPN does not work in school, what is an alternative? WireGuard defaults to listening on port 51820.

VPN vs Tor

Misunderstanding

10 Common VPN Mistakes People Make

VPN split vs full tunnel

VPN Split vs. Full Tunneling: Which One Should You Use?

How to Check if Your VPN Is Working

How You Can Host Your Own VPN: VPS

VPN Protocols Compared

6 VPN Protocols Compared: Which Is Best?

Diskless VPN

Why You Should Choose a VPN With Diskless Servers

Wireguard

WireGuard is a fairly new VPN protocol which is much more secure and faster than OpenVPN or IPsec.

Android part:

Use in Ubuntu client

  • Note that the operations on the server's side is very similar to the client's side. See the table below for a comparison of the configuration file.
  • Install wireguard
sudo apt update
sudo apt install wireguard
  • Generate Public and Private Keys on the server:
cd /etc/wireguard 
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
This will create two files privatekey (I think this is for server) and publickey (for client/peer?) in the current directory. We need to repeat this step of generating keys on each client you want to connect to the server.
  • Create a configuration file (based on the keys obtained from the server):
    • <server IP> with the IP address of the WireGuard server. ou can find the public IP address of your server by running the command curl ifconfig.me in the terminal of the server.
    • <server port> with the port number of the server. By default, WireGuard uses UDP port 51820 for communication. However, it is possible that the WireGuard server is configured to use a different port.
    • The roles of Interface & Peer are flipped to the client's machine from server's machine
[Interface]
PrivateKey = <private key>
Address = 10.0.0.2/32

[Peer]
PublicKey = <public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server IP>:<server port>
PersistentKeepalive = 21
  • Start the WireGuard interface
sudo wg-quick up /path/to/configuration/file
  • Check the status of the interface:
sudo wg show
  • For a new client, the server side should do
echo "[Peer]" >> /etc/wireguard/wg0.conf
echo "PublicKey = <client_public_key>" >> /etc/wireguard/wg0.conf
echo "AllowedIPs = <client_ip_address>/32" >> /etc/wireguard/wg0.conf
  • About the keys. To generate keys in WireGuard server for a client, you can use the wg genkey command to generate a private key for the client and then use the wg pubkey command to generate a public key from that private key. You can then add the public key to the WireGuard server configuration file on the server side and use the private key on the client side.
(umask 077 && wg genkey > wg-private-client.key)
wg pubkey < wg-private-client.key > wg-public-client.key
  • Do I need to pass the server's public key to clients in wireguard?
    • Yes, you need to exchange public keys between the server and each client for secure communication both ways.
    • Each party needs to have their own private and public keys as each pair only enables one-way messaging.
    • For the use in WireGuard, the server and each client must generate their own key pair and then exchange public keys.
  • What does /24 and /32 mean in ip address?
    • In IP addresses, the number after the slash (/) represents the number of bits used for the network portion of the address.
    • For example, in 10.0.0.1/24, /24 means that 24 bits are used for the network portion of the address and 8 bits are used for the host portion of the address.
    • How can we explain CIDR notation with /24 and /32 to a manager?
  • Here is a summary of the structure of the configuration file
Server side Client side
[Interface]
PrivateKey = <server-privatekey>
Address = 10.0.0.1/24
ListenPort = 51820
...

[Peer]
PublicKey = <client-publickey>
AllowedIPs = 10.0.0.2/32 
[Interface]
Address = 10.0.0.2/32
PrivateKey = <client-privatekey>
DNS = 1.1.1.1

[Peer]
PublicKey = <server-publickey>
Endpoint = <server-public-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0

Usage with commercial VPNs

To use WireGuard with Windscribe VPN, you need to follow these steps:

  • Sign up for Windscribe VPN
  • Enable the WireGuard protocol: Open the Windscribe app and go to the "Preferences" section. Under the "Connection" tab, select "WireGuard" as the protocol.
  • Generate a WireGuard configuration file: Go to the Windscribe website and sign in to your account. Under the "My Account" section, click on "Generate OpenVPN/WireGuard Config". Select "WireGuard" as the protocol and choose the server location you want to connect to. Click on "Generate" to download the configuration file.
  • Install WireGuard on Ubuntu
  • Import the Windscribe configuration file: Move the downloaded Windscribe configuration file to a directory of your choice on your Ubuntu machine. Open the terminal and run the following command to import the configuration file:
sudo wg-quick up /path/to/windscribe-config-file
  • Verify the connection:
sudo wg show

PiVPN

PiVPN + Pi-hole

wg-easy

sudo ufw allow 51820/udp
  • Steps
    1. Add wg.taichimd.us to cloudflare.
    2. Update ddclient.conf (recall I use my domain name instead of IP in the WG_HOST)
    3. Open 51820/UDP port on router
    4. sudo ufw allow 51820/udp; docker-compose up -d
    5. Go to http://IP:51821 and type in the password defined in docker-compose.yml & add a new client. I use my android device to name the new client.
    6. scan QR code on Android wireguard app. Give a name for the new tunnel.
    7. Disable wifi and connect http://neverssl.com to test the connection
  • Extra steps:
    1. In cloudflare, disable DNS Proxy
    2. Include WG_ALLOWED_IPS=0.0.0.0/0 (not sure if this is necessary)
    3. sudo rm wg0.* (for some reason, the conf file was not changed after I modify docker-compose.yml file)
    4. docker-compose up -d
    5. Re-log in and re-create a new client tunnel, etc.
    6. In the http://IP:51821 client page, you should see a red dot showing a client is connected and some network activity (up/down).
  • Any benefit to changing default WireGuard port?
  • How to build your own network storage and remote access server from scratch

Netmaker

https://github.com/gravitl/netmaker

Tailscale

  • https://tailscale.com/ Zero config VPN.
  • https://hub.docker.com/r/tailscale/tailscale
  • How to Set Up Remote Access to Your Local Network Using Tailscale VPN
  • Tailscale in LXC containers. Running tailscale inside of a proxmox container. Tip: change the LXC ID 102 below.
    root@proxmox:~# echo 'lxc.cgroup.devices.allow: c 10:200 rwm' >> /etc/pve/lxc/102.conf
    root@proxmox:~# echo 'lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file' >> /etc/pve/lxc/102.conf
    root@proxmox:~# reboot
    root@proxmox:~# tailscale up
    
    $ tailscale status
    
  • Manual install. How to install Tailscale on LibreELEC for kodi?
    cd ~/Downloads/tailscale_1.50.1_arm64
    sudo ./tailscaled --state=tailscaled.state  > /dev/null 2>&1  &
    sudo ./tailscale up  # cp & open browser, the authentication was kept after reboot
    ./tailscale status
    # ssh to the other machines using ip4 from tailscale
  • Key Expiry
  • Exit node.
    • Think of an exit node as a kind of gateway in the Tailscale network. Normally, when you use Tailscale, it’s like having a private network where only your devices can talk to each other. But what if you want to use this private network to access the internet?
    • That’s where an exit node comes in. You can choose one device in your Tailscale network and set it up as an exit node. This device will act like a door from your private network to the public internet.
    • So, if you’re in a coffee shop and you don’t trust the Wi-Fi, you can use Tailscale and your exit node to safely browse the internet. All your internet traffic will go through your private network and out through the exit node, just like going through a secure door.
    • On Linux, see https://headscale.net/exit-node/
    echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
    echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
    sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
    
    sudo tailscale up --advertise-exit-node
    
    • On Android client, click 3 dots on top-right corner. In the list of Use exit node... (cf: "Run exit node"), choose the one you like to use. Now Android client will the 'exit node' to route all traffic. Use ipchicken to test.
    • The exit node is still different wireguard where we can use any local IPs to access home machines.
  • Subnet routers and traffic relay nodes
    • It is useful if you want to connect to devices you can’t install Tailscale on.
    • If you want to grant your remote users access to your whole office network or want to connect two networks, you can configure subnet routing.
    • "tailscale up ..." statement will automatically start when the machine reboot.
    # Connect to Tailscale as a subnet router
    sudo tailscale up --advertise-routes=192.168.1.0/24 --advertise-exit-node
    
    # Enable subnet routes from the admin console (web)
    # Click "..." -> Edit route setting. Check the subset routes '192.168.1.0/24'.
    # Also check the 'Exit node' -> "Use as exit node" option.
    
    # On the client machine (eg Android), click "Use exit node..." and select
    #   the machine serving as an exit node.
  • Free plan. 3 users in a single Tailscale network. A tailnet can only have users in the same domain. To have multiple users in a tailnet, you need to have a custom domain that is not shared with other unaffiliated users, unlike Gmail (which has the @gmail.com domain that is used by unaffiliated users).
  • Headscale - Open Source, Self Hosted Wireguard Control Server for your Tailscale Network!
  • Contain your excitement: A deep dive into using Tailscale with Docker
  • Enabling HTTPS - How-to Guide.
  • How to Make Netflix Think You’re Watching From Home
  • Turn an Old Android Phone into a File Vault Using Tailscale

Zerotier

Proton

Proton VPN Now Supports WireGuard on Linux

OpenVPN

Proton

Fedora

How to Setup OpenVPN on Fedora 24+

List of free and fast VPNs

Browser extensions

Windscribe

ProtonVPN

  • Proton VPN's Free Tier Is the Best You'll Find. There are two big limitations though. The free account is limited to one device (although you can create another account to use with another device to get around that). And second, the free tier lets you connect to only three regions. In the U.S., it randomly connects you to a different state; in Europe, you connect to the Netherlands, and in Asia, you’re connecting to servers in Japan.
  • To use the Proton VPN browser extension, you must have a paid Proton VPN plan. Introducing the Proton VPN browser extension.

PrivadoVPN

10GB per month.

Torrent

How to Set Up a VPN on Your Router

https://www.makeuseof.com/tag/setup-vpn-router/

dVPN

How Does a Decentralized VPN (dVPN) Work?