Self-Hosted VPN With Wireguard + Linode!

  • Added 25. 08. 2020
  • www.newegg.com/Product/ComboD...
    www.newegg.com/Motherboard-Co...
    www.linode.com/level1techs
    forum.level1techs.com/t/self-...
    Intro and Outro Music By: Kevin MacLeod (incompetech.com)
    Licensed under Creative Commons: By Attribution 3.0 License
    creativecommons.org/licenses/b...
  • Science and technology

Comments • 163

  • @Becoming-Human 3 years ago +114

    Please consider creating a "Self-Hosted DNS Server with (insert your recommended DNS server here) + Linode" video. We really need both this VPN video and a DNS video. Bonus points if you think there is value in DNS-SEC integration, or its secure alternatives. DOUBLE bonus points if both the VPN and DNS server can work in a Linux distribution or *BSD OS with a small enough memory footprint to work within Linode's smallest $5 VM pricing tier. TRIPLE bonus points if you can integrate DNS / host level ad-blocking. Thank you! (And realize that if you do this, you will be a lower case "g" god among us mere mortals.)

    • @xnoreq 3 years ago +6

      Setting up unbound takes less time than watching a video. DNSSEC is 1-2 extra lines in unbound config. Everything else is typically using forwarding dns servers, so even if you encrypt your DNS queries to Google DNS, Cloudflare DNS or any other of those providers, those providers will still log and use your requests.
      I would not do host level ad-blocking, as it's too inflexible and blocking ads while browsing is better done in the browser that can do cosmetic filters.

    • @brianmccullough4578 3 years ago

      Upper case GOD is more like it

    • @pocketsand1775 1 year ago

      piHole

  • @md.imamulislam7 3 years ago +19

    This isn't complete without Wendell sitting beside him, and muttering "Oh, no" and then whimper-chuckling, after Ryan said everyone is tracking you.

  • @qzbnyv 3 years ago +37

    RIP the poor Linode user that everyone attacked just in case it really was still Ryan.

  • @NaumRusomarov 3 years ago +21

    I’ve done this before with wireguard and a rpi4. As long as you keep the configuration simple it’s a superb solution.

  • @aaronb4957 3 years ago +2

    Thanks again guys for the patient and thorough walkthroughs!

  • @bradleystannard3492 3 years ago +15

    You just need to remember that using a VPN just moved your trust from ISP to the VPS’ provider’s ISP. It won’t make you anonymous as it can still be traced back to your node’s IP.

    • @djvincon 3 years ago +5

      Correct but this would be great to tunnel out of untrusted networks

    • @kinder418 3 years ago +2

      hell money has serial numbers on it, they can tell where ur getting money out of a bank and spending it too when they count it at the bank --- all this vpn non-sense is just a marketing gimmick i think, unless u use a self-hosted vpn on a locked down server, and that's only to obfuscate ur home-network. plausible deniability i guess

    • @canelbuino7087 3 years ago

      Or watching Netflix movies blocked by the current country you live in :)

    • @canelbuino7087 3 years ago

      What Bradley is trying to say is that if you are watching a tut on YT on setting up a VPN so you can hack... then there is a 99.99% chance you will get busted.

  • @jacobpfeifer6198 3 years ago +10

    I actually did this recently. Really enjoying wireguard because I can get pretty close to my full gigabit speeds over it instead of like 200mb/s with openvpn.

  • @mukit2339 3 years ago +32

    Engagement challenge:
    Here is a comment.

    • @ardas77 3 years ago

      I challenge your challenge SIR OR MADAM!

    • @MikaelKKarlsson 3 years ago

      *insert grunting reply here*

  • @maciej-36 3 years ago +9

    Just because you don't keep your own logs doesn't mean that Linode doesn't keep theirs. IP addresses that you get from them point directly to you and you don't have any option of deniability. Moreover, Linode is not so great an option for EU citizens due to the EU-US Privacy Shield invalidation.

  • @jackgibbons6013 3 years ago +2

    Your haircut looks great. First video I’ve watched in a while

  • @RamonInNZ 3 years ago +1

    First video like this I have watched - what is the app Ryan is using for SSH access to the Linode server?

  • @SlyEcho 3 years ago +1

    I switched to ZeroTier because setting up individual peers was getting to be a nightmare. But my use case was more to connect to my different machines from anywhere on the internet, rather than privacy (although it should also be possible to tunnel all traffic).

  • @T19R0N 3 years ago +20

    👏 LEVEL 👏 ONE 👏 LINUX 👏

  • @juliankandlhofer7553 3 years ago +2

    great video! can you make a video about securing the ssh connection to the box?
    I fear that many people who want to run this don't know how to change ports, set up ssh keys, etc. and will have their vpn box added to a botnet in no time.

  • @NetNeelsie 3 years ago

    Ryan, don't worry about it. Ubunthu as in pronounced in RSA (at least in the north of Pretoria) is U-boon-too.

  • @Maxjoker98 3 years ago

    You don't need to reboot for the sysctl.conf thing: "echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward". You should also enable/configure unattended (security) upgrades.

  • @JaimeGarcia-jz8tc 11 months ago

    Just finished every video in backlog now I’m ready.

  • @TheMongolPrime 3 years ago +8

    I'd love to see a WG on PFSense with all traffic routed video! Please please please!

  • @LampJustin 3 years ago +1

    Can you also do a video on connecting via the NetworkManager GUI?

  • @Jango1989 3 years ago +5

    Great tutorial! Thanks very much!
    Protip: If you have meticulously followed this guide and still have issues connecting to the internet, then try re-running the:
    wg set wg0 peer ... allowed-ips x.x.x.x
    command again.
    I spent far too long trying to figure this one out. I'm not a wireguard expert but I think it fucked me when I rebooted the server. Protip 2: as others have pointed out, sysctl -p negates the need for a server reboot.
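
Added example, not part of the comment above or of the video: `wg set` changes only the running interface, so a peer added that way is gone after a reboot unless it is also written to the config file, and forwarding enabled only through /proc is lost the same way. The script below checks both; the file names, the placeholder keys and `runtime_peers.txt` (standing in for the output of `wg show wg0 peers`) are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: will this WireGuard server's peers and IP forwarding survive
# a reboot? All keys and files below are constructed sample data.

PEER_A='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='   # constructed placeholder key
PEER_B='BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB='   # constructed placeholder key

# Print the PublicKey of every [Peer] section in a wg-quick style config file.
config_peers() {
    section=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # ignore spacing around '='
        case "$line" in
            \[*\]) section=$line ;;
            PublicKey=*)
                if [ "$section" = "[Peer]" ]; then
                    printf '%s\n' "${line#PublicKey=}"
                fi ;;
        esac
    done < "$1"
    return 0
}

# Print peers that exist at runtime ($2: one public key per line) but have
# no [Peer] entry in the config file ($1). These vanish on the next reboot.
unsaved_peers() {
    saved=$(config_peers "$1")
    while IFS= read -r key || [ -n "$key" ]; do
        [ -z "$key" ] && continue
        if ! printf '%s\n' "$saved" | grep -qxF -- "$key"; then
            printf '%s\n' "$key"
        fi
    done < "$2"
    return 0
}

# Succeed if the first non-blank, non-comment line of the config is [Interface].
starts_with_interface() {
    first=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | head -n 1 | tr -d ' \t\r')
    [ "$first" = "[Interface]" ]
}

# Succeed if an uncommented net.ipv4.ip_forward=1 line is in the sysctl file.
forwarding_persisted() {
    tr -d ' \t' < "$1" | grep -qx 'net\.ipv4\.ip_forward=1'
}

# Run all checks; print one WARN line per finding, or OK when there are none.
audit_wg() {
    conf=$1; runtime=$2; sysctl_file=$3; findings=0
    if ! starts_with_interface "$conf"; then
        echo "WARN: $conf does not start with an [Interface] section"
        findings=$((findings + 1))
    fi
    for key in $(unsaved_peers "$conf" "$runtime"); do
        echo "WARN: peer $key exists only at runtime; add a [Peer] block or run wg-quick save"
        findings=$((findings + 1))
    done
    if ! forwarding_persisted "$sysctl_file"; then
        echo "WARN: net.ipv4.ip_forward=1 is not set in $sysctl_file"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then echo "OK: configuration is persistent"; fi
    return 0
}

# Write constructed sample files into directory $1: a config with one saved
# peer, a runtime list with two peers, and a sysctl.conf with forwarding
# still commented out.
make_sample() {
    cat > "$1/wg0.conf" <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = CONSTRUCTED-PLACEHOLDER

[Peer]
PublicKey = $PEER_A
AllowedIPs = 10.0.0.2/32
EOF
    printf '%s\n%s\n' "$PEER_A" "$PEER_B" > "$1/runtime_peers.txt"
    printf '%s\n' '# Uncomment the next line to enable packet forwarding for IPv4' \
        '#net.ipv4.ip_forward=1' > "$1/sysctl.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_wg "$demo/wg0.conf" "$demo/runtime_peers.txt" "$demo/sysctl.conf"
rm -rf "$demo"
```

On a real server the inputs would be `/etc/wireguard/wg0.conf`, the output of `wg show wg0 peers` saved to a file, and `/etc/sysctl.conf`.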

  • @minedustry 3 years ago +2

    I don't even have anything to hide from anyone! But I pause before I do a Google search and ask myself do I really want to see advertisements about this search for the next two weeks.

  • @stranger7968 3 years ago +3

    You can also restrict all of the traffic to your client PC except for the IP address of the Linode (on your local router), so no traffic escapes bypassing the VPN (things like the Windows kernel).
    iptables -I FORWARD 1 -m mac --mac-source 00:xx:xx:xx:xx:xx -d 123.123.123.123 -j ACCEPT
    iptables -I FORWARD 2 -m mac --mac-source 00:xx:xx:xx:xx:xx -j DROP
    This is what I used to have on my router. 123.123.123.123 is your VPN IP and 00:xx:xx:xx:x is the MAC address of your VPN client machine.

  • @andrewward4419 3 years ago +1

    Nice work!... Now a Q (or two?) Can I set up WG and Linode such that my EdgeRouter4 (which supports WG internally now) is connected to Linode... AND THEN use my laptop to connect to that connection point (@ Linode) such that I can be connected into my router (a VPN there, BTW)? The context here is that MY ISP BLOCKS ALL INBOUND TRAFFIC to my router. So, if I establish a connection from my laptop on-the-road to some external point (i.e. Linode) and then connect there, I can get into my home network. And the second question is: if I leave my EdgeRouter running with WG connected to Linode, if there is no traffic (other than whatever connection-keep-alives are needed), are there [significant?] USAGE CHARGES other than the monthly?

  • @jeff1982 3 years ago +2

    Had to do following to get wireguard installed: (1) apt-add-repository universe (2) apt-get update (3) apt-get install wireguard

  • @miketills4524 3 years ago +1

    Nice tutorial. Pritunl with wireguard makes life easier as well. Wireguard flies compared to OpenVPN.

  • @lightninguru26 3 years ago

    Need more vids from this channel 🤠

  • @MrBiky 3 years ago +1

    I've been running wireguard for the last 3 weeks on some raspberry pis and my PCs, but Ubuntu is making me pull my hair off and I don't want Manjaro or anything Arch based on the Pi 4s, because I won't update them frequently (probably once a month or so), so I don't want my systems to come crashing down when I don't have physical access to them (wireguard went down on one of them when I was adding keys remotely, and now I need to go restore it). I can barely wait for a Void image for the Pi 4, because I'm too dumb and lazy to install it any other way.
    Edit: wireguard itself is great though. Easier to maintain and faster than openvpn.

  • @izzy288 3 years ago +1

    First thing to do is sudo apt update && sudo apt upgrade. Also do it after adding a repo.

  • @Hadw1n 3 years ago

    I will try this during the weekend :D

  • @louis.davies 3 years ago +4

    Is there a specific reason for doing direct over using a self-hosted solution like Algo?

  • @matthiashavrez 3 years ago +1

    I also think like John Kaye and also add my share of engagement goodness.

  • @wildmanjeff42 1 year ago

    awesome video !

  • @Bunjamin27 3 years ago +9

    Still lobbying for tipsy Ryan doing Level099 where he explains things to us stupids :)

  • @Jarvald 3 years ago

    WeVPN has built in wireguard as an option, can be paid with crypto, has no logging and is very affordable. I switched to them after PIA sale and am very satisfied.

  • @hexearth8258 3 years ago +1

    The kill-switch is nice to block other programs because Windows itself will not respect that, it will still communicate outside of the VPN, just be aware of that.

  • @IngwiePhoenix 3 years ago +4

    I want to create a literal virtual network consisting of several linux, macOS and Windows boxes that are all in different locations. For now, it's fine if they use their existing connection but I would love to be able to use services like the iPhone's Remote app to listen to iTunes content on my old Mac Mini server or even have NGINX rev-proxy to a website it is hosting. There are a couple of ideas I have but so far, no idea how to make them happen. Can I use Wireguard for this scenario? Thanks!

    • @LampJustin 3 years ago +1

      Yes you can! I kind of do the same. I have 4 different VLANs: one is my DMZ with all my servers, Kube cluster, VMs, the other one is filled with my devices, another one is full of untrusted devices (IoT, Sonos, Solar and Chromecasts) and the last one is my VPN network. I'm running an opnsense (fork of pfSense) with WireGuard and a BIND9 DNS server that does all the DNS trickery to link my domain to a local IP, which makes me able to access my TVHeadend and other things I don't want to publish to the web. It also has the added bonus of really fast uploads to my Nextcloud as it's routing with WiFi speed. It's pretty awesome. :) I could therefore also just start my TV from afar and scare my neighbors away with some heavy metal :O.
      The thing about Chromecasts, DLNA and other Casting-tech is that they use broadcasts to communicate their IP and stuff and the problem with that is that broadcasts don't traverse subnets. So I have to "copy"/relay that traffic to the required subnets. It works pretty well but not over a VPN I believe.

    • @djvincon 3 years ago

      Take a look at zero tier for that!

  • @GobblesPlays 3 years ago

    wonderful video

  • @quells2 3 years ago +2

    I expected this to be a video on Algo ( github.com/trailofbits/algo ) since they just merged support for Linode. That's another option if anyone wants an automated process for setting up WireGuard on a VPS.

  • @fr1tz165 3 years ago +3

    Wasn't aware pia was bought out, YIKES. I may be trying this out then

    • @hammerheadcorvette4 3 years ago

      They still hold the same policy... Actively ask to be audited as well. I'm sticking with them since I've been on it for over 5 years, and was offered a 3yr deal last year.

    • @MGSBESTProductions 3 years ago

      Windscribe is the only VPN provider I trust at this point. Yegor Sak owns it and they're super transparent unlike the big VPN providers.

    • @Jarvald 3 years ago

      WeVPN is just as cheap, has better speeds and has built in wireguard as an option.

  • @MestreDentistaGUC 3 years ago

    I've been using Pritunl. It's pretty easy and straightforward to set up other family (since I've appointed "the computer guy"). Do you see any advantages of using wireguard over openvpn? Thanks, Ryan 😊

    • @jacobpfeifer6198 3 years ago +1

      For me it's because wireguard has much better performance. I get close to my gigabit connection speeds over wireguard vs about 200 mb/s with openvpn

    • @MestreDentistaGUC 3 years ago +1

      @jacobpfeifer6198 I'm in Soviet Ohio where we're under the tyranny of Spectrum, lol. However, I just saw that Pritunl now supports wireguard soooo I'm gonna give it a try. Any boost in performance I can squeeze out, I'm up for it. Thanks 👍

    • @xnoreq 3 years ago

      With OpenVPN you need to tweak the config (such as picking the right MTU) to get best performance. With Wireguard it pretty much works out of the box and still has better performance.
      Now if you got a 100Mbps connection then it doesn't matter. If you got a Gigabit connection then it certainly will.

  • @smokingone 1 year ago

    Tried this with like 4 different distros on linode; most don't even have a repository for it, and with the ones that do it never worked even after following all the steps. It connects but the server won't send anything back to the client.

  • @grmasdfII 3 years ago +1

    Ryan #1 Tenshi Muyo fan confirmed

  • @africantwin173 3 years ago +1

    Stupid question: under allowed IP addresses, enter a subnet IP. How do I know what my subnet IP is?

  • @chickenonaraft508 3 years ago +2

    Every single time

  • @MGSBESTProductions 3 years ago

    I love Linode and Digital Ocean.

  • @blazetechstuff 3 years ago +3

    engagement challenge, embarrassing things you do on the internet with your new wireguard vpn

  • @samuelschwager 3 years ago

    I'm imagining a solution where you'd use a chain of vpn proxies where each hop is to a different cloud provider. Something like AWS 1 => Azure 1 => GCP 1 => AWS 2 => Azure 2 => GCP 2 => Target. You could automate that with Pulumi/Ansible and tear it down when you're not using it. Keeping the cost down. Or just use TOR I guess ;)

    • @DanielDiaz-by7fc 3 years ago +1

      Speed becomes an issue though and all of the services you mentioned still KYC / AML the payment so it is probably straightforward to trace it back to the original source, you. Like if you’re protecting against a state actor, it won’t matter if you chain 5 VPS together or 1 since they can all be subpoenaed.
      With TOR this becomes a tricky problem because so many exit nodes seem to be ran by bad actors since no one wants to run an exit node and potentially get their doors kicked down from someone watching CP through your IP
      This is a very tricky problem to solve and I don’t think anyone has a good handle on it yet

    • @BandanazX 3 years ago

      Do you want your traffic tracked?
      Because that's how you get your traffic tracked.

    • @samuelschwager 3 years ago

      @BandanazX It's nice to get some attention, isn't it? ;)

  • @bassam.2023 3 years ago +1

    I highly recommend not torrenting if you decide to go with linode as your private VPN. Trust me on that.

  • @Vitih704 3 years ago +2

    Is an unlimited traffic hosting provider necessary?

  • @Karthig1987 3 years ago

    Cool Stuff

  • @Bewefau 3 months ago

    If you made your own server, how can you get an external IP address for it?

  • @VelcorHF 3 years ago

    “Because the first time didn’t record” oh god lol.

  • @Mutation666 3 years ago +1

    Does this really solve anything? It's still a 1to1 thing, just would protect from ISP snooping.

    • @Mutation666 3 years ago +1

      Guess mobile access into home network / public WiFi, but you probably don't use that if you're rolling your own VPN.

  • @Treviath 3 years ago +1

    Why would you use /24 and not /32 for the interface?

    • @BandanazX 3 years ago

      I'm old fashioned, and use /30 for point to point links

  • @plapbandit 3 years ago +6

    Imagine being sad enough to try and attack temporary details in a tutorial video lmao, surely these people are merely urban legends? Like the chupacabra, or the ankle slasher? Made up to scare misbehaving sysadmins, right? _RIGHT?_

    • @theeiszeitmann928 3 years ago +2

      wait what the el chupacabra is not real?

    • @elcap1515 3 years ago

      People are unnecessarily nasty sometimes

  • @zenmaster24 3 years ago

    what happens when your client ip changes? do you have to tell the wireguard server about the new external ip your client has?

    • @minedustry 3 years ago

      Yes or have a website do it for you. Mine doesn't really change that often.

  • @lifebarier 3 years ago +1

    Now do this for openVPN... Because all other tutorials I try I fail.

    • @pieterrossouw8596 3 years ago

      PiVPN works pretty well. Doesn't just run on Raspberry Pi's.

    • @lifebarier 3 years ago

      @pieterrossouw8596 I know about that one, but I am not going to trust such a complex setup script. And reviewing it is out of my league since I don't understand openvpn well enough.

  • @aurorapaisley7453 1 year ago +2

    Hello! Apparently it is working for me. I can ssh from both peers (using that virtual ip) but my client has no internet- which is a Ubuntu server- can't update nor ping. What do I do?

  • @twire 3 years ago +2

    At least get hosting from somewhere that is not under US laws. That's such a basic information security mistake.

  • @LunaRayToo 3 years ago

    I have used OpenVPN to do this before, is Wireguard better? If so, how?

    • @BandanazX 3 years ago +1

      @Francesco La Camera It may or may not be faster than OpenVPN. Wireguard uses ChaCha20, which needs AVX-512 to be done natively in hardware. Most mobile devices (and AMD CPUs) don't support AVX-512.
      web.archive.org/web/20200817140502/blog.ipfire.org/post/why-not-wireguard

  • @shawnwilkersonPhD 3 years ago +1

    Why use Google's DNS instead of OpenDNS or Cloudflare?

    • @charlese2833 3 years ago

      Good point! But: Run an encrypted dns resolver + cache on your instance along with the VPN! ONLY way to know you have no logs of your DNS, and no 3rd party can poison your DNS cache when you run it yourself

  • @henrybarr7683 3 years ago

    "Just go to *etcetera* slash wireguard"
    (Distant reeing)

    • @MisterTommyD 3 years ago +1

      Huh? How do you say it lol. I've never heard any other way of pronouncing it

  • @OtnerNaut 2 years ago

    5:35
    Haha, I don't think I'll be using Linode.

  • @chocolatebrisket3772 3 years ago

    ENGAGEMENT

  • @b2bb 3 years ago

    Engagement challenge: _comments 'n stuf_

  • @adamvanburen 3 years ago +1

    I don't know much about VPN, but I do know that one+ face hair is distracting 0.0

  • @linuxdragon57 3 years ago +1

    Using chrome/chromium on Windows 10 while creating a privacy focused video... ?
    Edit: Lol... I am also using google chrome right now, but this is not my personal computer.

  • @mithubopensourcelab482 3 years ago +3

    Excellent tutorial, but there are some mistakes. 1. You need not have to open ssh. As you can also connect to Lish using a web browser. This is far more secured one. 2. You need not have to reboot your Linux instance so often. Example, when you edit sysctl.cfg file just a command "sysctl -p" [ without inverted comma] the job is done. 3. If you have your own domain, consider adding A record pointing out to your Linode giving something like myvpn.yourhost.com instead of ip. With Let's encrypt, things can be made more secured.

  • @ukaszzywczyk3855 3 years ago +1

    Ubuntu PPas better than Debian Backports? ROTFL!

  • @mikesunny1291 4 months ago

    15:37

  • @Whatness 3 years ago

    Jesus Christ... shame on you if you missed putting [Interface] at the top of the config file like I did. Holy shit.

  • @ronaldflou9636 3 years ago

    Not everyone needs a gaming motherboard. Some people do a lot more than play games.

  • @Stephen-wh7vl 3 years ago

    Will this be blocked by HBO/Netflix etc.?

    • @RichardGarrison 3 years ago +1

      Any streaming service with live sports like ESPN will block your ability to use a VPN. CBS All Access will not work properly. Hulu with live tv will not work. Philo tv works with vpns. I've also been able to use HBO and Netflix.
      One word of warning - if you've shopped online using a vpn there is a very good chance your credit card company will block the transaction and then the fraud department will contact you. It happened to me several times before I realized my vpn was causing the issue. So much for privacy. I don't really care that much if people find out what snacks I purchase from Amazon, but the advertising I get from various shady companies based on my purchase history is creepy.

    • @cosmicrider5898 3 years ago +2

      @RichardGarrison you should get a new bank

    • @RichardGarrison 3 years ago +2

      @cosmicrider5898 I tested shopping with Bank of America, Capital One, Citibank and my credit union. All of them flagged at least some purchases when using a vpn.

    • @jb34304 3 years ago +2

      @RichardGarrison Hehe, joke's on you. Credit card companies are the ones collecting that information and selling it.
      Why else would they offer "free fraud protection" on debit cards they make zero interest on?

    • @RichardGarrison 3 years ago +1

      @jb34304 All major banks offer opt-out sharing options to ensure your contact information is kept private. Equifax, Transunion, and Experian (credit bureaus) sell your information, but they aren't banks. You can also write to each of them and tell them to stop selling your information to other companies.
      The free fraud protection is offered because banks are the ones that are liable when fraudulent purchases are made, not the consumer (that fraud protection is required by law in the USA). Debit cards don't charge interest, that's only applicable to credit cards. All credit cards and debit cards charge a flat per transaction fee + a percentage of each sale. Consumers don't usually pay these transaction fees - the retailer pays them. This is how banks that offer zero % interest can still make money.

  • @aziz9488 3 years ago +1

    just use algo bro

  • @tenminutetokyo2643 3 years ago

    DOOD!

  • @TheEviling 3 years ago +1

    Not quite simple enough to be a normy solution, but good for the rest of us :)

  • @JustMe-ty9tx 3 years ago +1

    Sux...not a how to.

  • @vatterger 3 years ago +3

    This is basically useless for most things, your VPN's IP is static and your VPN host will rat you out in the blink of an eye. No other users means that none of the fuzzing benefits of having multiple users on one IP can be used. This will only be useful if you want an encrypted tunnel to a different region, for example if you're a journalist who wants to safely extract data through a government controlled network to a safe country.

    • @badpants 3 years ago

      I agree 100%. There are VPN services out there that don't spy on you and offer their services at a much more reasonable rate than this solution. Even in the case of a journalist as you stated, this is useless. We've seen the big boys like Apple and Google do whatever a country like China demands. Don't expect your VPN host to protect your identity or location in this case.

    • @Nikki-os2df 3 years ago

      @badpants What are the VPN services that are not spying on us for a reasonable price?

    • @badpants 3 years ago

      @Nikki-os2df ExpressVPN $6.67/month for 15 months is one of the more expensive, but still less than the $10.00/month for this server, and I didn't hear what BW limits were for this??? NordVPN is good as well. Yes, they were hacked, but no complaints from users about being spied on by the service. Plus these services offer anonymity, something you don't get with this scheme. Besides, you have no guarantee that your VPN host isn't monitoring everything you're doing on that server, including capturing any and all of that decrypted traffic that comes out the other end.

    • @Nikki-os2df 3 years ago

      @badpants I know all of these services and as far as I know they all keep logs of the users.

    • @badpants 3 years ago

      @Nikki-os2df Says a guy on the internet. If you have facts, please post them. While almost every service logs some type of data on users, most of the VPN providers are very specific about not maintaining any logs that include the user IP addresses and connection times. That is the biggest concern. That is also the biggest con of setting up your own VPN as shown in this video. As I said, if you have solid evidence proving that ExpressVPN or others are lying about their logging to their customers, I'm sure I'm not the only one who'd be interested in seeing such actual evidence.

  • @mmlvx 3 years ago +1

    Linode + Wireguard + TOR
    Any reason it would not work?

    • @xnoreq 3 years ago +1

      No, since Wireguard works on the network layer and TOR on the application layer (it just uses some TCP ports to exchange encrypted data, it doesn't care about the underlying network).

    • @mmlvx 3 years ago

      @xnoreq - Thanks, I see. Maybe. I was thinking of having the TOR browser installed on your Linode instance, which you connect to via Wireguard.

    • @xnoreq 3 years ago +1

      @mmlvx Tor browser on your VM would mean that you have to install a desktop environment and you would have to use remote desktop or VNC. This would be slow and require a lot of resources on your VM for no good reason.
      Just run Tor browser locally. Don't even need a VPN for that, as the whole point of Tor is to anonymize your IP.
      (So it doesn't matter if it is your home IP or your server IP you connect from.)

    • @mmlvx 3 years ago

      @xnoreq - I see. Thanks.
      It almost sounds like it's better to use Linode + Wireguard for your banking (so your bank can recognize your IP address), and use TOR for, say, reading Snowden's book (or whatever it is that you don't want everyone to know about).

    • @xnoreq 3 years ago +1

      @mmlvx Well, VPN was not made, intended or designed for your privacy or anonymity.
      VPN simply connects networks, such as your home LAN with your workplace's as if it was one big network, tunneling and encrypting your traffic transparently so others can't read what is sent between those networks.
      Some VPN providers claim "anonymity", but this is only valid for your IP (which is hidden behind the VPN server's IP to the rest of the Internet and a good provider will not keep records of your IP and when you connected to their servers).
      But even with the best "anonymous" VPN service you could simply be traced e.g. through browser fingerprinting.
      That's why there's Tor and the Tor browser.
      Even then, certain circumstances might reveal your identity. There was a student that sent a bomb threat from the university network using Tor... the admins saw that the threat was coming from a Tor exit node, and in their university network logs they only found one connection to another Tor node at the time...

  • @jeff1982 3 years ago

    Video quality is pretty bad, can't read his screen. Looking elsewhere ...

  • @ivailogeimara 3 years ago +1

    I have a big problem with the whole concept of self hosted VPNs / Search services (like Searx). The whole concept of VPNs as I understand it is that you connect to a website through another IP (the IP of the VPN). The website sees the VPN's IP and not yours. That's fine does it matter if you're the only one using that VPN. They might not get your location. Who cares. For me the power of VPN is that you connect through an IP that is used by 1000s of other people and basically the info the websites collect for this IP is useless. The same with search engines like Searx. If I'm the only one using the Searx instance it's basically the same as using Google directly. The only way self hosted VPN or search engine being useful is if you share that instance with rest of the world so other people start using it along with you.
    This ignores that most websites don't even rely anymore on IP for tracking and use browser fingerprinting instead.
    The only use I see for a VPN is location spoofing for websites like Netflix that have location locked content. And for preventing ISP tracking to some degree.

    • @BandanazX 3 years ago

      Your point is valid. Hopefully people here will understand what this technology can and cannot do.

  • @luigitech3169 3 years ago +2

    Wireguard works great, but openvpn is better integrated with networkmanager

    • @randykitchleburger2780 3 years ago

      OpenVPN is just too slow to set up to me now, but it's probably best for maximum security

    • @luigitech3169 3 years ago +1

      @randykitchleburger2780 there are scripts and docker containers that simplify that

    • @juliankandlhofer7553 3 years ago +2

      @randykitchleburger2780 isn't security the whole point of wireguard? Since ovpn is such a big and complex codebase, it's much more likely that there's an unknown, unpatched vulnerability hiding inside.

  • @Kurukx 3 years ago

    I triggered Ryan :) lolz

  • @horatiumarasescu6187 3 years ago +3

    Welcomed content. Tried this and worked.
    Ryan, not to piggyback your content or information, but using this script is much faster, easier and simpler.
    github.com/angristan/wireguard-install
    Sign in to your favourite cloud provider (Linode, Vultr, Digital Ocean), enable a VPS with Ubuntu 20.04 LTS, SSH into it, run the script and Bob is your uncle.
    Managed to get Wireguard VPN working on both phone and laptop in 10 minutes tops.

  • @Fahdalrabeayah 3 years ago

    hhhhhhhhhhhhh
    great picture

    • @BandanazX 3 years ago

      I expected better as well.

  • @Jordan-hz1wr 3 years ago +1

    You can't trust anyone!
    *Proceeds to trust Wireguard and Linode*

  • @addisonmartin730 3 years ago +2

    ProtonVPN is great

  • @ccarniver 3 years ago

    F linode for SJ

  • @garyslatter9854 3 years ago

    Not #AMD