VPN: Difference between revisions

From 太極
* [https://www.howtogeek.com/842407/vpns-vs.-tor-which-should-you-use/ VPNs vs. Tor: Which Should You Use?]
* [https://www.howtogeek.com/844415/when-you-should-use-tor-instead-of-a-vpn/ Here’s When You Should Use Tor Instead of a VPN]
== Misunderstanding ==
[https://www.howtogeek.com/894286/10-common-vpn-mistakes-people-make/ 10 Common VPN Mistakes People Make]
== VPN split vs full tunnel ==
[https://www.makeuseof.com/vpn-split-vs-full-tunneling/ VPN Split vs. Full Tunneling: Which One Should You Use?]
== How to Check if Your VPN Is Working ==
[https://www.makeuseof.com/how-to-check-if-your-vpn-is-working/ How to Check if Your VPN Is Working]


= How You Can Host Your Own VPN: VPS =
* [https://www.makeuseof.com/create-use-your-own-cloud-based-vpn-server/ How to Create and Use Your Own Cloud-Based VPN Server]
* [https://www.laobuluo.com/4610.html RackNerd multi-datacenter US VPS speed and performance review]
= VPN Protocols Compared =
* [https://youtu.be/NFRUN5FwhY0 Setup Wireguard VPN for Mobile Clients] (video)
* [https://youtu.be/myn6yE1wgK4 Setting Up WireGuard Client On Android] (video)
== Use in Ubuntu client ==
* Note that the operations on the server's side are very similar to those on the client's side. See the table below for a comparison of the two configuration files.
* Install wireguard
:<syntaxhighlight lang='bash'>
sudo apt update
sudo apt install wireguard
</syntaxhighlight>
* Generate Public and Private Keys '''on the server''':
:<syntaxhighlight lang='bash'>
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
</syntaxhighlight>
:This will create two files, privatekey (I think this is for server) and publickey (for client/peer?), in the current directory. '''We need to repeat this step of generating keys on each client you want to connect to the server.'''
* Create a '''configuration file''' (based on the keys obtained from the server):
** <server IP> is the IP address of the WireGuard server. You can find the public IP address of your server by running the command '''curl ifconfig.me''' in the terminal of the server.
** <server port> with the port number of the server. By default, WireGuard uses UDP port 51820 for communication. However, it is possible that the WireGuard server is configured to use a different port.
** The roles of [Interface] and [Peer] are swapped between the client's and the server's configuration: each machine's own private key goes under [Interface], the other machine's public key under [Peer].
::<syntaxhighlight lang='ini'>
[Interface]
PrivateKey = <private key>
Address = 10.0.0.2/32
[Peer]
PublicKey = <public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server IP>:<server port>
PersistentKeepalive = 21
</syntaxhighlight>
* Start the WireGuard interface
:<syntaxhighlight lang='bash'>
sudo wg-quick up /path/to/configuration/file
</syntaxhighlight>
* Check the status of the interface:
:<syntaxhighlight lang='bash'>
sudo wg show
</syntaxhighlight>
* For a new client, the server side should do
:<syntaxhighlight lang='bash'>
echo "[Peer]" >> /etc/wireguard/wg0.conf
echo "PublicKey = <client_public_key>" >> /etc/wireguard/wg0.conf
echo "AllowedIPs = <client_ip_address>/32" >> /etc/wireguard/wg0.conf
</syntaxhighlight>
* About the '''keys'''. To generate keys in WireGuard server for a client, you can use the wg genkey command to generate a private key for the client and then use the wg pubkey command to generate a public key from that private key. You can then add the public key to the WireGuard server configuration file on the server side and use the private key on the client side.
:<syntaxhighlight lang='bash'>
(umask 077 && wg genkey > wg-private-client.key)
wg pubkey < wg-private-client.key > wg-public-client.key
</syntaxhighlight>
* Do I need to pass the server's public '''key''' to clients in wireguard?
** Yes, '''you need to exchange public keys between the server and each client for secure communication both ways'''.
** '''Each party needs to have their own private and public keys''' as each pair only enables one-way messaging.
** For the use in WireGuard, the server and each client must generate their own key pair and then exchange public keys.
* What does /24 and /32 mean in ip address?
** In IP addresses, the number after the slash (/) represents the number of bits used for the network portion of the address.
** For example, in 10.0.0.1/24, /24 means that 24 bits are used for the network portion of the address and 8 bits are used for the host portion of the address.
** [https://serverfault.com/a/1028530 How can we explain '''CIDR''' notation with /24 and /32 to a manager?]
* Here is a summary of the structure of the configuration file
:{| class="wikitable"
|-
! Server side
! Client side
|-
| <pre>[Interface]
PrivateKey = <server-privatekey>
Address = 10.0.0.1/24
ListenPort = 51820
...
[Peer]
PublicKey = <client-publickey>
AllowedIPs = 10.0.0.2/32
</pre>
| <pre>[Interface]
Address = 10.0.0.2/32
PrivateKey = <client-privatekey>
DNS = 1.1.1.1
[Peer]
PublicKey = <server-publickey>
Endpoint = <server-public-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0</pre>
|}
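The key-generation, configuration-file and CIDR notes above, pulled together into one script as an added example (this is not code from the wiki page or from the WireGuard project). The key strings and the endpoint 203.0.113.1:51820 in the usage comments are constructed placeholders; `gen_keypair` only runs where the `wg` tool is installed. The `is_single_host_cidr` check on the server side is the security point: on the server, AllowedIPs is WireGuard's cryptokey-routing allow-list, so a /32 pins a client to one tunnel address, whereas a /24 would let it send packets as any host in that subnet.

```sh
#!/bin/sh
# Added example, not from the wiki page or the WireGuard project: build and
# sanity-check the client config and the server [Peer] stanza shown in the
# table above. All key values used here are constructed placeholders.

# A WireGuard key is 32 bytes; base64 of 32 bytes is exactly 44 chars ending in '='.
wg_key_looks_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Number of addresses in an IPv4 prefix: /24 -> 256, /32 -> 1 (the /24 vs /32 question above).
cidr_addresses() {
    echo $(( 1 << (32 - $1) ))
}

# True only for a single-host entry (a.b.c.d/32). On the server, AllowedIPs is
# the cryptokey-routing allow-list: a /32 pins the client to one tunnel address,
# whereas a /24 would let it send packets as any host in that subnet.
is_single_host_cidr() {
    case "$1" in
        *.*.*.*/32) return 0 ;;
        *) return 1 ;;
    esac
}

# Client-side configuration (right-hand column of the table).
#   $1 client private key, $2 client tunnel address, $3 server public key, $4 server endpoint
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = 1.1.1.1\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\n' "$3" "$4"
    printf 'AllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 21\n'
}

# [Peer] stanza to append to the server's wg0.conf (left-hand column of the table).
#   $1 client public key, $2 client tunnel address as a /32
render_server_peer() {
    wg_key_looks_valid "$1" || { echo "refusing: malformed public key" >&2; return 1; }
    is_single_host_cidr "$2" || { echo "refusing: AllowedIPs for a client must be a /32" >&2; return 1; }
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
}

# Generate a key pair into directory $1 with 0600 permissions; needs the wg tool installed.
gen_keypair() {
    command -v wg >/dev/null 2>&1 || { echo "wg is not installed" >&2; return 1; }
    ( umask 077 && wg genkey > "$1/privatekey" && wg pubkey < "$1/privatekey" > "$1/publickey" )
}

# Usage on a client, after gen_keypair ./keys and receiving the server's public key
# (SERVER_PUB and the endpoint below are placeholders):
#   render_client_conf "$(cat keys/privatekey)" 10.0.0.2/32 "$SERVER_PUB" 203.0.113.1:51820 > wg0.conf
#   render_server_peer "$(cat keys/publickey)" 10.0.0.2/32   # append this to the server's wg0.conf
```

The rendered files follow the table exactly; the only additions are the two refusals in `render_server_peer`, which stop a malformed key or a too-wide AllowedIPs entry from reaching the server configuration.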
== Usage with commercial VPNs ==
To use WireGuard with Windscribe VPN, you need to follow these steps:
* Sign up for Windscribe VPN
* Enable the WireGuard protocol: Open the Windscribe app and go to the "Preferences" section. Under the "Connection" tab, select "WireGuard" as the protocol.
* Generate a WireGuard configuration file: Go to the Windscribe website and sign in to your account. Under the "My Account" section, click on "Generate OpenVPN/WireGuard Config". Select "WireGuard" as the protocol and choose the server '''location''' you want to connect to. Click on "Generate" to download the '''configuration file'''.
* Install WireGuard on Ubuntu
* Import the Windscribe configuration file: Move the downloaded Windscribe configuration file to a directory of your choice on your Ubuntu machine. Open the terminal and run the following command to import the configuration file:
:<syntaxhighlight lang='bash'>
sudo wg-quick up /path/to/windscribe-config-file
</syntaxhighlight>
* Verify the connection:
:<syntaxhighlight lang='bash'>
sudo wg show
</syntaxhighlight>


== PiVPN ==
* https://pivpn.io/,  
** https://docs.pivpn.io/
** [https://linuxiac.com/pivpn-releases-final-version-and-announces-project-shutdown/ PiVPN Releases Final Version and Announces Project Shutdown] 2024/4/8
* [https://www.makeuseof.com/wireguard-raspberry-pi/ Build Your Own VPN With Raspberry Pi and WireGuard]
* Videos
** [https://youtu.be/WA7QTM9hovQ OpenVPN Server raspberry pi /w PiVPN]  
** [https://youtu.be/5NJ6V8i1Xd8?t=184 Build your OWN VPN! Here's how (and why you NEED to)]
* [https://linustechtips.com/topic/1095878-the-beginners-guide-to-pivpn/ The Beginner's Guide to PiVPN]
* [https://blog.eldernode.com/install-pivpn-on-ubuntu/ How To Install PiVPN On Ubuntu 20.04 LTS]
'''PiVPN + Pi-hole'''
* [https://sylvaindurand.org/installing-pi-hole-with-pivpn/ Installing Pi-hole with PiVPN]. It is now possible to connect, from an OpenVPN client, to a computer or a phone, to benefit from the filtering of Pi-hole.
* [https://youtu.be/5NJ6V8i1Xd8?t=254 Build your OWN VPN! Here's how (and why you NEED to)].
** Choose whether clients use a [https://youtu.be/5NJ6V8i1Xd8?t=291 static IP or DNS name] to connect to VPN server
** PiVPN offers to set up automated updates on your computer.
** [https://youtu.be/5NJ6V8i1Xd8?t=367 Running Ansible security playbook] to secure servers. [https://www.youtube.com/watch?v=gV_16dU7XjM Ansible 101 - Episode 9 - First 5 min server security with Ansible].
** Router needs to [https://youtu.be/5NJ6V8i1Xd8?t=329 forward the port 51820 with the protocol UDP].
** Use '''pivpn add''' to [https://youtu.be/5NJ6V8i1Xd8?t=410 generate a configuration file] - naming the client by some rules. Copy the configuration file to your client or use '''pivpn -qr''' to generate a QR code from a configuration file in a list on screen.
** If you are stuck behind [https://youtu.be/5NJ6V8i1Xd8?t=667 CG-NAT], you can't run PiVPN.


== wg-easy ==
* [https://hub.docker.com/r/weejewel/wg-easy wg-easy]
* [https://www.youtube.com/watch?v=BRLB4wRL4cM WG Easy - open source, self hosted Wireguard server setup tool with a simple, intuitive web UI!]
* [https://youtu.be/hCb-gntWt00?t=418 Self Hosted EASY Wireguard Server]
:<syntaxhighlight lang='bash'>
sudo ufw allow 51820/udp
</syntaxhighlight>
* Steps
*# Add wg.taichimd.us to cloudflare.
*# Update ddclient.conf (recall I use my domain name instead of IP in the '''WG_HOST''')
*# Open 51820/UDP port on router
*# sudo ufw allow 51820/udp; docker-compose up -d
*# Go to http://IP:51821 & add a new client
*# Scan the QR code in the Android WireGuard app
*# Disable wifi and connect to http://neverssl.com to test the connection
* Extra steps:
*# In cloudflare, disable DNS Proxy
*# Include WG_ALLOWED_IPS=0.0.0.0/0 (not sure if this is necessary)
*# sudo rm wg0.* (for some reason, the conf file was not changed after I modified the docker-compose.yml file)
*# docker-compose up -d
*# Re-log in and re-create a new client tunnel, etc.
*# In the http://IP:51821 client page, you should see a red dot showing a client is connected and some network activity (up/down).
* [https://www.reddit.com/r/selfhosted/comments/giood0/comment/fqgdry0 Any benefit to changing default WireGuard port?]
== Netmaker ==
https://github.com/gravitl/netmaker
== Tailscale ==
<ul>
<li>https://tailscale.com/ Zero config VPN.
* [https://tailscale.com/blog/how-tailscale-works/ How Tailscale works]
* [https://tailscale.com/kb/guides/ How-to Guides]
* [https://tailscale.com/download/ Download]
* [https://tailscale.com/blog/fast-user-switching/ Quickly switch between Tailscale accounts]
<li>https://hub.docker.com/r/tailscale/tailscale
<li>[https://www.howtogeek.com/how-to-remote-access-your-network-using-tailscale-vpn/ How to Set Up Remote Access to Your Local Network Using Tailscale VPN]
<li>[https://tailscale.com/kb/1130/lxc-unprivileged/ Tailscale in LXC containers]. [https://dustri.org/b/running-tailscale-inside-of-a-proxmox-container.html Running tailscale inside of a proxmox container]. Tip: change the LXC ID 102 below.
{{Pre}}
root@proxmox:~# echo 'lxc.cgroup.devices.allow: c 10:200 rwm' >> /etc/pve/lxc/102.conf
root@proxmox:~# echo 'lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file' >> /etc/pve/lxc/102.conf
root@proxmox:~# reboot
root@proxmox:~# tailscale up
</pre>
<li>[https://tailscale.com/download/linux/static Manual install]. [https://www.reddit.com/r/Tailscale/comments/rcfpu1/how_to_install_tailscale_on_libreelec_for_kodi/ How to install Tailscale on LibreELEC for kodi?]
<syntaxhighlight lang='sh'>
cd ~/Downloads/tailscale_1.50.1_arm64
sudo ./tailscaled --state=tailscaled.state  > /dev/null 2>&1  &
sudo ./tailscale up  # cp & open browser, the authentication was kept after reboot
./tailscale status
# ssh to the other machines using ip4 from tailscale
</syntaxhighlight>
<li>[https://tailscale.com/kb/1028/key-expiry/ Key Expiry]
<li>[https://tailscale.com/kb/1103/exit-nodes/ Exit node].
* Think of an exit node as a kind of gateway in the Tailscale network. Normally, when you use Tailscale, it’s like having a private network where only your devices can talk to each other. But what if you want to use this private network to access the internet?
* That’s where an exit node comes in. You can choose one device in your Tailscale network and set it up as an exit node. This device will act like a door from your private network to the public internet.
* So, if you’re in a coffee shop and you don’t trust the Wi-Fi, you can use Tailscale and your exit node to safely browse the internet. All your internet traffic will go through your private network and out through the exit node, just like going through a secure door.
* On Linux, see https://headscale.net/exit-node/
<pre>
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
sudo tailscale up --advertise-exit-node
</pre>
* On the Android client, tap the three dots in the top-right corner. In the '''Use exit node...''' list (cf. "Run exit node"), choose the node you want to use. The Android client will now route all traffic through that exit node. Use ipchicken to test.
* The exit node is still different from WireGuard, where we can use any local IPs to access home machines.
<li>[https://tailscale.com/kb/1019/subnets?tab=linux#enable-ip-forwarding Subnet routers and traffic relay nodes]
* It is useful if you want to connect to devices you can’t install Tailscale on.
* If you want to grant your remote users access to your whole office network or want to connect two networks, you can configure subnet routing.
* '''The "tailscale up ..." command will automatically start when the machine reboots.'''
<syntaxhighlight lang='sh'>
# Connect to Tailscale as a subnet router
sudo tailscale up --advertise-routes=192.168.1.0/24 --advertise-exit-node
# Enable subnet routes from the admin console (web)
# Click "..." -> Edit route setting. Check the subnet routes '192.168.1.0/24'.
# Also check the 'Exit node' -> "Use as exit node" option.
# On the client machine (eg Android), click "Use exit node..." and select
#  the machine serving as an exit node.
</syntaxhighlight>
<li>[https://tailscale.com/kb/1154/free-plans-discounts/ Free plan].  3 users in a single Tailscale network. A tailnet can only have users in the same domain. To have multiple users in a tailnet, you need to have a custom domain that is not shared with other unaffiliated users, unlike Gmail (which has the @gmail.com domain that is used by unaffiliated users).
<li>[https://youtu.be/OKwrfmMoAk0?si=Eog6nS5Z15VoeOtu Headscale - Open Source, Self Hosted Wireguard Control Server for your Tailscale Network!]
<li>[https://tailscale.com/blog/docker-tailscale-guide Contain your excitement: A deep dive into using Tailscale with Docker]
<li>[https://tailscale.com/kb/1153/enabling-https/ Enabling HTTPS] - How-to Guide.
<li>[https://www.howtogeek.com/how-to-make-netflix-think-youre-watching-from-home/ How to Make Netflix Think You’re Watching From Home]
</ul>
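The exit-node and subnet-router items above both begin by enabling IP forwarding with `tee -a`, which appends another copy of the line every time it is run. The following pre-flight script is an added example (not from the wiki page or from Tailscale): it adds each sysctl key only when it is missing, checks the live kernel flag before anything is advertised, and assembles the `tailscale up` flags used above. `SYSCTL_FILE` and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the wiki page or Tailscale: idempotent pre-flight
# for a Linux exit node / subnet router.

SYSCTL_FILE=${SYSCTL_FILE:-/etc/sysctl.d/99-tailscale.conf}

# Append "key = value" to a sysctl drop-in only if that key is not already set there,
# so re-running the setup does not pile up duplicate lines.
ensure_sysctl_line() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')      # make the dots literal for grep -E
    if grep -Eq "^[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        return 0                                      # already present; leave the file alone
    fi
    printf '%s = %s\n' "$key" "$value" >> "$file"
}

# Read a /proc/sys style flag file and report whether forwarding is on.
forwarding_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Build the tailscale up command line for the roles requested.
#   $1: comma-separated routes to advertise (empty for none); $2: "yes" to advertise an exit node
build_tailscale_up() {
    cmd="tailscale up"
    [ -n "$1" ] && cmd="$cmd --advertise-routes=$1"
    [ "$2" = "yes" ] && cmd="$cmd --advertise-exit-node"
    printf '%s\n' "$cmd"
}

# Apply the sysctl settings, confirm the kernel picked them up, then print the
# command to run. Needs root for sysctl -p.
preflight() {
    ensure_sysctl_line "$SYSCTL_FILE" net.ipv4.ip_forward 1
    ensure_sysctl_line "$SYSCTL_FILE" net.ipv6.conf.all.forwarding 1
    sysctl -p "$SYSCTL_FILE" >/dev/null
    forwarding_enabled /proc/sys/net/ipv4/ip_forward || { echo "IPv4 forwarding is still off" >&2; return 1; }
    forwarding_enabled /proc/sys/net/ipv6/conf/all/forwarding || { echo "IPv6 forwarding is still off" >&2; return 1; }
    build_tailscale_up "$1" "$2"
}

# Usage on the node that will act as subnet router and exit node:
#   sudo sh -c '. ./preflight.sh && preflight 192.168.1.0/24 yes'
# prints: tailscale up --advertise-routes=192.168.1.0/24 --advertise-exit-node
```

After the printed command has been run, the routes and the exit node still have to be approved in the admin console, as the subnet-router item above describes.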
== Zerotier ==
* https://www.zerotier.com/
* The biggest plus for ZT is its multi-network ability, for example home and school network.


= OpenVPN =
* [https://www.webservertalk.com/setup-openvpn-ubuntu-18-04/ Set up OpenVPN server on Ubuntu 18.04]
* [https://linuxconfig.org/basic-ubuntu-22-04-openvpn-client-server-connection-setup Basic Ubuntu 22.04 OpenVPN Client/Server connection setup], [https://www.cyberciti.biz/faq/ubuntu-22-04-lts-set-up-openvpn-server-in-5-minutes/ Ubuntu 22.04 LTS Set Up OpenVPN Server In 5 Minutes]
== Proton ==
* https://protonvpn.com/support/linux-vpn-setup/, [https://protonvpn.com/blog/protonvpn-linux-app/ ProtonVPN now offers the most advanced free Linux VPN app]. To set up the connection, we need to log into our account and get the username/password.
* The free account from ProtonVPN does not allow torrenting.
* [http://www.ubuntubuzz.com/2018/07/using-protonvpn-on-ubuntu.html Using ProtonVPN on Ubuntu 18.04]
== Fedora ==
[https://hide.me/en/vpnsetup/fedora/openvpn/ How to Setup OpenVPN on Fedora 24+]


= List of free and fast VPNs =
** Betternet VPN
** ZenMate
* [https://www.howtogeek.com/875072/best-free-vpns/ The Best Free VPNs of 2023], [https://www.techradar.com/vpn/best-free-vpn The best free VPN of 2023]
** Proton
** PrivadoVPN Free
** Windscribe Free
** Atlas VPN Free
** Hide.me Free VPN
** Hotspot Shield Basic VPN
** TunnelBear Free
* [https://free.com.tw/urban-vpn/ Urban VPN: a free VPN service with nodes in 80+ countries, clients for every platform and no traffic limit]
* [https://www.makeuseof.com/best-free-vpn-iphone-ipad/ What Is the Best Free VPN for Your iPhone and iPad?]
* [https://youtu.be/V1v8AO8bNME Best free VPN picks for 022! Secure encryption, fast, 4K and 8K open instantly!]
* [https://www.makeuseof.com/encryption-zoogs-free-vpn/ Everything You Need to Know About the Encryption on Zoog's Free VPN]


== Windscribe ==
* It can be integrated into a browser (Chrome, Firefox, MS Edge, Opera). [https://blog.windscribe.com/how-to-windscribe/ How To Windscribe: Beginner's Edition]. [https://windscribe.com/knowledge-base/articles/getting-started-with-windscribe-on-firefox Getting Started with Windscribe on Firefox].
* [https://www.makeuseof.com/free-privacy-tools/ 5 Free Privacy Tools You Can Use on Any Device]. Windscribe has 10GB/month for free
 
== ProtonVPN ==
* [https://lifehacker.com/tech/review-of-proton-vpn-free-tier Proton VPN's Free Tier Is the Best You'll Find]. There are two big limitations though. The free account is limited to one device (although you can create another account to use with another device to get around that). And second, the free tier lets you connect to only three regions. In the U.S., it randomly connects you to a different state; in Europe, you connect to the Netherlands, and in Asia, you’re connecting to servers in Japan.
* To use the Proton VPN browser extension, you must have a paid Proton VPN plan. [https://protonvpn.com/blog/browser-extension/ Introducing the Proton VPN browser extension].
 
== PrivadoVPN ==
10GB per month.


== Torrent ==
* [https://www.vpnmentor.com/blog/5-best-free-vpns-torrents/ 5 Best Free VPNs for Torrenting and P2P — Updated in 2022],  
* [https://www.vpnranks.com/free-vpn/torrent/ The Best Free VPN for Torrenting (April 2022 Updated)]
* [https://www.technadu.com/best-torrent-sites-for-ebooks/288048/ 9 Best eBook Torrent Sites in 2023]


Latest revision as of 16:57, 8 April 2024

= Resource =
== Blocked, ports ==
My self hosted VPN does not work in school, what is an alternative? WireGuard defaults to listening on port 51820.
== VPN vs Tor ==

= VPN Protocols Compared =
* 6 VPN Protocols Compared: Which Is Best?
== Diskless VPN ==
* Why You Should Choose a VPN With Diskless Servers
= Wireguard =
WireGuard is a fairly new VPN protocol which is much more secure and faster than OpenVPN or IPsec.

Android part:


= How to Set Up a VPN on Your Router =
* https://www.makeuseof.com/tag/setup-vpn-router/

= dVPN =
* How Does a Decentralized VPN (dVPN) Work?