How To Build Your Own Wireguard VPN Server in The Cloud
Vložit
- čas přidán 7. 07. 2024
- Forum post with instructions
forums.lawrencesystems.com/t/...
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 5% off your order at
🛒 lawrence.video/techsupplydirect
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect you privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
⏱️ Timestamps ⏱️
0:00 Wireguard Intro
1:24 What is Wireguard
1:42 Wireguard Formal Cryptography Verification
2:08 Known Limitations of The Wireguard VPN
4:09 Tailscale Commercial Wireguard VPN Solution
4:48 Wireguard Deep Packet Inspection and Obfuscation
6:00 Wireguard & Hardware Crypto
6:48 Creating the Digital Ocean Wireguard Droplet
8:30 Preparing the Ubuntu 20.10 Wiregaurd Server
8:54 Enable IP Forwarding
9:48 Installing Wireguard
10:10 Creating the Public & Private Keys
11:12 Creating the Wiregaurd interface wg0 on the Server
14:06 Configure Clients & Peer Settings
16:36 Wireguard full routing VS Split Tunnel settings
17:48 How to Configure Wireguard to start on Bootup
18:50 Persistent Wireguard Keep Alive Settings
20:50 How Wireguard Creates Interfaces
23:00 Testing wireguard and full tunneling
27:00 Configuring Windows Wireguard Clients
32:30 Wireguard Inter client Communication
34:07 My Final Thoughts on Wireguard - Věda a technologie
Forum post with instructions
forums.lawrencesystems.com/t/getting-started-building-your-own-wireguard-vpn-server/7425
⏱ Timestamps ⏱
0:00 Wireguard Intro
1:24 What is Wireguard
1:42 Wireguard Formal Cryptography Verification
2:08 Known Limitations of The Wireguard VPN
4:09 Tailscale Commercial Wireguard VPN Solution
4:48 Wireguard Deep Packet Inspection and Obfuscation
6:00 Wireguard & Hardware Crypto
6:48 Creating the Digital Ocean Wireguard Droplet
8:30 Preparing the Ubuntu 20.10 Wiregaurd Server
8:54 Enable IP Forwarding
9:48 Installing Wireguard
10:10 Creating the Public & Private Keys
11:12 Creating the Wiregaurd interface wg0 on the Server
14:06 Configure Clients & Peer Settings
16:36 Wireguard full routing VS Split Tunnel settings
17:48 How to Configure Wireguard to start on Bootup
18:50 Persistent Wireguard Keep Alive Settings
20:50 How Wireguard Creates Interfaces
23:00 Testing wireguard and full tunneling
27:00 Configuring Windows Wireguard Clients
32:30 Wireguard Inter client Communication
34:07 My Final Thoughts on Wireguard
I learned a lot from this single video. Finally I was able to setup my VPS to connect to my home network behind a 4G router. Thank you so much and keep up the good work!
The best wireguard tutorial I've seen, shows you everything you need to know, really great work
Thank you
Indeed!
Thanks so much for this. I've spent many hours trying to get wireguard working using several different tutorials and never really succeeded because none of the tutorials had a practical and useful example. Now my VPN is up and fully functional doing exactly what I wanted.
Glad it helped!
I have been playing with WireGuard for a while and like it a lot. Setting it up was a bit confusing, and I really wish I found this video first. You did an excellent job laying out how it works. Thank you!
Glad I could help!
Loving the Forums. Thanks for the Guides.
Mikrotik implemented WireGuard in ROS 7.1b2.
Finally I was able to set up a secure VPN at home without faffing with IPsec NAT-T issues or having a dedicated appliance running OVPN server.
old but gold!
first I have "hardened" server, set up ufw, fail2ban, suricata, and much more,
set up some services ane left server alone,
now 2nd day lost because I can not set up WG connection,
only this guide mentioned about need to enable ipv4 forwarding AND ufw.... -,-'
WORKS!!!
thanks man :)
Every time I'm starting to look into a new tech you seems to cover it strait away, I literally installed wireguard the day before that video came (yesterday at the time of writing) up and that's the second time this happens! We are in sync that's awesome haha - keep up the great work :)
This tutorial just saved me lot of time. Thank you so much
Good tutorial! If i could make some wishes i would like a tutorial on how it could be used with docker networking. And also how to build and manage some more complex network structures.
Bless you, Tom! Thank you!
speaking of automation. PiVPN is a good solution that allows you to install and manage Wireguard config and users with simplicity. Thanks for the video 🙌
Very helpful and clear. Thanks
Very good video, advanced and precise information
THANK YOU SO MUCH FOR THIS VIDEO!!!
Thank you for this very well explained video.
Amazing...!!! Good.. Saludos desde Perú..!!!
Very good explanation
This is a great video. Thank you!
Second time watching still very cool - love it - Cheers ;O)
Kickass video! Thanks man!
Great video, many thanks - although I was watching it to figure out how to get my existing wireguard setup to work with IPv6 as my ISP has gone to the dreaded carrier grade nat.
First thanks for the good tutorial.
two questions:
- Is there an easy way to exclude individual IPs or IP ranges (e.g. 10.x.x.x/8) in order to have a full tunnel with the possibility of accessing something like a local NAS (in school or at the university), without calculating all the allowed IPs ranges?
-
What is with IPv6 and Wireguard?
Thanks for the review
high quality tutorial, great job!!
Nice as if there was an instruction on how to get to the LAN when I have a VPN wireguard client on the router placed on the VPS server .
Is that a Sangoma S705 on top of the open cabinet behind you?
Your video was so good.But I had found a little problem in the post that was "cd /etc/wiregaurd".The correct is"cd /etc/wireguard"
Thank you!
Very good tutorial. But I have an query,
After following your instructions I was successfully able to deploy the WireGuard VPN server. But I do not want to route all traffic over Wireguard. I just want to create a secure tunnel to connect to my VPS hosted on private subnet with AWS but my internal traffic should still be routed through my internal network.
I tried multiple blogs like adding entry "Table=off" or only allow access using "AllowedIP" but that didn't work. Can you please confirm is that possible with WireGuard or not ?
Thanks much for this in-depth tutorial! For some reason, I keep getting an "Object already exists" error. I found this in the log: 2021-05-22 08:00:41.351: [TUN] [Test] Unable to set interface addresses, routes, dns, and/or interface settings: The object already exists.
Do you have an idea what could be wrong? I triple-checked my addresses. Thanks!!
I have some basic questions as I'm learning. Can I reinstall my VPS with a control panel (lets say Plesk) and then install wireguard and other services like FreePBX on the same server the easy way ?
well done sir
Great video. Super usefull. What needs to be done in the client side so the youtubevpn activate automaticaly on boot?
Wireguard combined with Linux namespaces is just so pleasant to use.
yes it is. :)
@@LAWRENCESYSTEMS Also worth noting Jason (WG creator) wrote a new tun driver called Wintun for windows due to OpenVPNs tun driver being garbage. This benefited openvpn in the end though which is good as they now use WinTun too :)
i got lost at the windows public key... the wg client had a public key at the top but you just ignore it and paste a different public key of the vpn server in the settings below? then what's the public key at the top for? thx
Really great vid, thanks! Would you use UFW on your digital ocean droplet to separate different clients?
Would you use the firewall on a home router to separate the computers and devices connected to the same switch on the same subnet?
@@killer2600 Isn't that exactly how most guest Wi-Fi networks are set up? They're given addresses on the same subnet, but guests can only connect to the WAN, not each other?
It is great video, complete understanding of wireguard, but I have few queries
I wanted to configure Only Allowed IP can go through VPN rest of things like CZcams, Google, Facebook, Should work through my local internet connection
is it possible in this case? I tried but not able to do
can you please help me in that ?
Good teacher
What am I going put to "AllowedIPs" of the "[Peer]" section in the server if client has dynamic IP?
Wow - thanks a lot for this great tutorial. I really enjoy your content. Thanks a lot for sharing
You're very welcome!
Thank You Lawrence Systems for this nice video,,as well as the written form of this videol. Got this setup,pretty easily on a Debian Linux Bullseye, locally to a Debian Linux Bullseye running in Google Compute Engine. Reason for doing this is actually to try and get a new Helium Miner to a public ip address were it is not in relayed mode. Still haven't got that working,,,yet! I am now behind a cgnat setup via a cellular provider,,so this is whole new thing.
Question, I am experiencing seems very much latency, about 145 ms just from the client machine to the Google Cloud VM Debian instance. Is this to be expected. Am still actually getting very good download/upload speed same as before,,just very delayed,,,much like dns is not setting up correctly. Thanks again
Hi Lawrence, can you please make a tutorial of Wireguard VPN server in the cloud (VPS) and Pfsense firewall server connecting to it as a client and at the same time Wireguard sharing internet to PfSense firewall.
I hope you can entertain this request.
Is this cheaper than something like pia or express VPN for accessing regional content if I pause the droplet when I am knot using it>
Digitalocean's droplets are still billed even when stopped. This is because the system resources are still reserved for you. If you want to not be billed when the vpn is not in use, you need to destroy the droplet entirely. You can keep a snapshot, but the IP address will change once you make a new one. It would be a bit of an involved process to keep doing that.
If you choose to pay upfront for years for PIA you'd come out cheaper, but if you want to pay per month, Digitalocean is cheaper. Another thing is the bandwidth limit digitalocean puts on you. The droplet he chose only has 1TB of outbound traffic per month (that's from the droplet to the internet) with 0.01 dollars per extra GB. This is fine for surfing, but don't download on this. If you want unlimited bandwidth, don't go with Digitalocean, but other VPS providers. Personally I use Scaleway dedibox and they're great!
Shouldn't you also enable some sort of firewall on the system? Since the machine is multihomed (public IP and wireguard) and you enable ip forwarding, I can now use your public interface to route traffic to that wireguard network if you don't filter it, or am I missing something?
I forgot to cover that in the video, but it is in the write up forums.lawrencesystems.com/t/getting-started-building-your-own-wireguard-vpn-server/7425
It’s amazing how CZcamsrs can take a 3 minute process of creating a Wireguard tunnel and turn it into a year-long video 😂
It's a special talent ;)
Id watch it even if it was an hour long and from lawrence systems lol
@@IntoTheNothing1 likewise 😂
Just stumbled across this video. Is there a way to instead of using a wireguard client, make pfSense the client instead? I have installed wireguard inside of pfSense, but now I am kind of stuck.
Hi man, did the same as you did, but my windows 10 seems to connect to the server. But have no internet. Please HELP
Is it possible to do Port Forwarding in WireGuard Server?
We need an updated video!
Why?
@@LAWRENCESYSTEMS I followed the video exactly and I didn't get an internet connection with the VPN on.
The video is accurate , not sure what step you missed
Hi, really great video. I have a question: Once I've set up wireguard how do I ensure that incoming traffic is only one way? Meaning when a network accesses my vpn they are not able to see or access another connected network. Is it one way by default or do I need to enforce this with some iptable command?
By default it behave as a NAT and does not allow traffic back.
@@LAWRENCESYSTEMS awesome, thanks!
Nice tutorial, I do have some questions, I want to achieve a tunneling for a game server, the game server is on my home connection and I want to buy a VPS with a public IP which I want to use so people can connect to it without knowing my home IP. I'm gonna connect the server running the gameserver with the VPS through wireguard, then on the server I'm gonna use DNAT to "redirect" the packets to my home connection (through the wireguard interface). However, for the game server to be able to respond to those packets or to send other packets to the gameclients, I think I'll also have to modify the SNAT, however that would hide the player's IP address from the gameserver which I don't want. If I do a full tunnel from the home connection through wireguard, and only do DNAT on the VPS, would that work?
Keep it simple - Just run the game server in the VPS.
@@psycl0ptic the VPS is not powerful enough. I can get a VPS for less than 5 EUR a month. The game server I run is very cpu intensive and single-threaded, most VPS on the market has oversold vCPUs, I need a dedicated core. A vps with a dedicated core sells for over 30-40$/month. Why not use my home server if I already have one and instead of paying 30$ more per month, pay just 5$? I'd rather not keep it simple if it means I have to spend 5-6 times more to keep it simple.
@@vicentiubucingeni sounds hard core: www.delimiter.com/dedicated-core-vps/
@@psycl0ptic Thanks for the link, but unfortunately they do not have any datacenter in my country, which I would need to make sure everyone here has a good ping (
Did you find a working solution???
what's the main website of your form website?
I'm able to connect to my Wireguard VPN, however, I'm not able to load hostnames (websites), but I can access my local devices via an IP address. Any idea what the issue is? TIA
Nice explanations as always... Dumb question how do you know 192.168.69.0 is the default route when looking at the routing table 25:07 ?
Because It was defined in the Wireguard server config.
@Lawrence Systems What ssh client is that you're using in your demos?
github.com/lawrencesystems/dotfiles
@@LAWRENCESYSTEMS Thank you!
Can you setup a wireguard server on a cloud, and set a single peer on pfsense to route everything down stream of the router over wireguard?
Yes
Thanks Tom, a very informative video. can you make a small video for IOS CONFIGURATION setup please. I held at the point where you configure iOS application in Xcode. I have already add teamID of developer account as well as NetworkExtension also but not configure successfully. please help me .
I don't use IOS
@@LAWRENCESYSTEMS :(
Thank you for your video :) I tried with Debian buster but failed in Google cloud :( I am going to try with Ubuntu, and if that doesn't work, I will try with another VM service
Any luck?
@@jacobmiller38 yes. It worked with the latest Debian in digital ocean. Google cloud has that NAT-as-default feature that made everything difficult
How would you pass netflix through it?
Trying to run keepalived over Wireguard interface and failing miserably. Has anyone tried this? If you're successful please share your experience.
i try wireguard but, is not working well, the issue is that i can ping devices on my network but i can't access it, i have a trueNAS chared folder and i can ping it but i can't access it, even the network sectionisn't working, it's like that the pc don't recognise the wireguard network adptor, how do i fix this?
if i i leave my house and, i don't have constant keep alive can i still conect
By way of me learning something new everyday, at 22:30, wouldn't that create an IP address conflict?
Yes and it would not work.
Could you check out and review Tailscale? It’s basically ZeroTier but is much more user friendly, more configurable and also uses WireGuard!
I know you say you get lots of requests to test and review something but since it’s a combination of ZeroTier and WireGuard I thought you might even like to try it for yourself
It's a paid commercial product that I am sure works fine. I don't see any reason for you not to use it but I don't really have an interest in reviewing it. They have a marketing team that keeps it popular.
why do the MTU's keep getting smaller as you add interfaces? is it just auto shrinking the MUT as more are added?
Wireguard has a smaller MTU
@@LAWRENCESYSTEMS yes, I expect it would be, but what is not clear, does it get smaller with each new interface added? Note @ 22:25: "tom" has a MTU of 1420, then "youtubevpn" is added with an MTU of 1340... So if you add a third interface, does it drop the MTU on that client session/interface by 80 to 1260, and on a 4th to 1180; and on a 5th to 1100, etc...
@@psycl0ptic You want the MTU to be as big as possible but not exceeding the the smallest MTU of your Client/Server
For example, my home internet connection has an MTU of 1500 and my 4G mobile has an MTU of 1480. Now I could have an MTU as big as I want (Over 9000 if I wanted) but this would hurt performance and also going the other way would also hurt performance. Wireguards MTU of 1420 is below the lowest MTU device I have (1480) but not so slow to cause performance issues.
MTU is for the server config, not a per client config
@@Ziogref re-watch the video - each new connection to the server shows a lower MTU - which is again why I asked the connection. Usually you set/see a static MTU for a connection type. But if you watch as he adds additional client, the 2nd one gets a 1320 MTU (using the same config) while the first is 1420 MTU: seen here - TomVPN at 1420 MTU and youtubeVPN at 1320 MTU: czcams.com/video/7yC-gJtl9mQ/video.html
@@Ziogref It's probably per interface in this case, with each new peer ("client") getting it's own interface. But does it drop the MTU per interface by 80 each time a new interface is added?
Would like to hear your opinion on OpenConnect VPN server.
Never used it nor do I have a compelling reason to.
@@LAWRENCESYSTEMS The compelling reason I see is the ability to use Cisco AnyConnect clients on Mobile. You essentially get a high validated and tested client and a free server.
Very interesting, how does wireguard work with freepbx ? Like will it be easy to setup wireguard on freepbx server (using cent os) and enable clients connect to it ?
I never tested, but should work
@@LAWRENCESYSTEMS Ive tested it and WireGuard doesnt install easilyq on FreePBX due to Python dependencies so you need to run 2 droplet 1 for freepbx and another for a WireGuard concentrator and install static routes to let them back chatter over a digital ocean VPC
@@LAWRENCESYSTEMS I'm facing problems installing wireguard in FreePBX Centos, can you please try it and make a tutorial post on it if possible ? would be much appreciated.
@@rhc287 yes, I tried and having the same problems.
I stopped right after reading the known limitation! No passwords! No obfuscation! How can they call it a VPN!
one question: when i initialize wg0 (server) and youtube(client), for example. wg0 command line freezes, what can i do?
Are you using the wg-quick up wg0 command? That command will just bring up your wg0 interface on the server. It shouldnt freeze the command line.
What shell are you using, please?
zsh + oh-my-zsh
@@neowong2015 Thank you :)
I don't get it, do you need 2 vps, or can you use one interface and the other windows
The server is in Digital Ocean on a public IP, the end point can be Windows, Linux, or really any device running Wireguard.
in the server when adding peer, how do I get public key for windows
@@LAWRENCESYSTEMS Also thanks for reply
Can you add captions?
CZcams should do this automatically
Tom, I love you man, but... WTF does Obstication mean? I've heard of obfuscation ... I feel stupid.
when i install wirequard on all country worked but in turkmenistan not, and i need it in turkmenistan, how can i fix this problem ?
I don't understand what you are asking.
i just locked myself out of my own vm by ufw enabling lol
anyways is there anyway around cgnat for this method, cant ping 69.1, feel like its a portforwarding issue. win10 and oracle free cloud vm btw
edit: running ubuntu
Is it possible to set up a Wireguard server in windows, or must it be some sort of *nix?
Yes www.wireguard.com/install/
@@LAWRENCESYSTEMS
Thanks for replying... Do you think it would be possible to create a Wireguard link over TOR (given the issues with UDP) ?
@@lobotomizedamericans ¯\_(ツ)_/¯Never tried
server wireguard error mes: client_loop: send disconnect: Connection reset by peer
How about pritunl or mistborn wireguard?
dunno ¯\_(ツ)_/¯ I have not tried them.
@@LAWRENCESYSTEMS i like their approach to webgui vpn server tho
Thanks, very simple how-to video, very nice :)
1. Can you add a remote client without downing the wire guard interface ?
2. Can you add a client using a /32 subnet ip? eg: @11:41 & @14:31
- on server [Peer] # test debian client | AllowedIPs=192.168.69.2/32
- on client [Interface] Address=192.168.69.2/32
3. On the client side, using "AllowedIPs", do you have to put the wire guard ip, if just allowing your local network only? eg:
- on client [Peer] # ubuntu D.O.S | AllowedIPs=192.168.69.2/32, 10.10.1.1/24, 192.168.0.1/24
0. The AllowedIPs= is for network the clients wants to connect to? or connecting from ???????
Has WIreGuard been security vetted yet?
The protocol and cryptography has, but the real question will be how will vendors integrate it?
where are the whitepages pls
www.wireguard.com/
obfuscation, not obsucation
¯\_(ツ)_/¯ words are hard.
the reality is. i smell something fishy about WG, to good to be true, and free,
i always wonder, who gives up time into working and makeing perfect software for free? not only wg.
many ng firewalls come with open ports for secure tunels, and there are alot of tunnels used everyday in all os's that we have no idea about.
some of are publicaly known, like wg, vpn, ipsec, bla bla bla,
i mean you can create an ICMP tunnel and bypass any firewall, or dns tunnel,
using open source software means nothing, who knows to audit it, also knows the business behind it, and proffit.
ummm...
Lol no.. if it was closed source then i would probably agree with you. But its not
@@IntoTheNothing1 i know.. is short code and not big deal to audit. but still to good to be true.
Who made such a mess of IT.
You talk to server (and Linux) "initiated" persons... and not to the common (Windows) user, even advanced like me meaning... your pedagogy is very bad ! And you talk too fast on top of that so... quite user unfriendly tuto : (
Hi ,
please correct the line "Go to to the Wireguard config cd /etc/wiregaurd " # cd /etc/wireguard
Fixed in the write up
ob-fuh-SKAY-shun. Say it with me. ;) great video - helped answer tons of questions I have
words are hard and thanks
There is a typo @ your forums.lawrencesystem getting-started-building-your-own-wireguard-vpn-server/7425 at WG client section : cd /etc/wiregaurd it . Nicely explainned and consised
also at Run wg-quick up youtubevpn In my opinion should be a space so command : Run wg-quick up youtubevpn . For copy and paste people like me is important 😅
how to get public key for the Peer?