In this episode we will set up our own VPN service. I live in Germany but I rented a server in the USA, installed VPN software on it and can connect to it with a Windows, Mac or Linux client, or I can quickly scan a QR code to connect with my iPhone. In one of the next episodes we will run a browser on a remote machine to get from this…. to this…. How do we do this? Stay tuned, watch this episode and make sure you subscribe to my channel and tick the notification box so you don't miss out on new episodes ;-)

(Intro)

My family was urging me to have Netflix. I did some research and found out that their offering in Germany is much smaller than in the US. In Canada, pricing was much lower due to the conversion rate and on top of this you get the French versions in Canada – we are a bilingual German-French family and the kids liked to watch the original English versions. So I thought – hey, why not just subscribe to Netflix in Canada? You may already have guessed what happened – apparently I was not the first person on earth to have had that idea. Netflix just kept redirecting me to the German page. If only I had thought of using a VPN at that time. I could have changed my geolocation just by connecting to a Canadian VPN and hence Netflix would have thought that I shop from Canada. Of course in hindsight, thinking it over, I would have had to give a wrong address, which probably would not have been OK. Furthermore, I found the various VPN services that you can buy on the internet to be a bit on the pricey side – they all had free 30-day trials or so of course, but then they quickly went up to 7 or 12 dollars per month. And I have heard that the VPN services are often blocked from streaming services.

Anyhow, these days I thought, hey, why not run my very own VPN service? All I need is a cheap virtual server or vserver or VPS – the terminology varies between the providers – and a VPN software running on it. So I searched the internet and I found that there are quite cheap offerings these days. For a VPN server we do not really need a powerful machine. One CPU, 512 megabytes of RAM and 5 to 10 gigabytes of disk are plenty.

The one I found here (IONOS) has a couple of interesting attributes – I need to specify at this point that I am neither affiliated with them in any way nor do they pay me in any way – so my dear friends from IONOS, I am doing free publicity for you here. You might consider adding me to your Christmas card list. Guys, again, you may freely choose any provider. There are just a couple of things that made this offering attractive for me: First, they are using KVM as virtualization technology. That means I can have a KVM web console if ever I locked myself out, and – most importantly for me – I could run Docker on it. Second, they are German and I can book the offering from Germany without having to spoof an identity or anything dodgy like that. So I expect this whole thing to run reliably and smoothly like a German diesel engine :-) Third, as far as I can tell, there are no hidden setup costs such as activation etc. if I engage for 12 months. At 1 Euro per month this is a manageable risk. Even if I barked up the wrong tree here it would not throw me into poverty. Fourth, I can upload my own images (even though not for free) and can select from a variety of preconfigured Linuxes. We will use Ubuntu 18 for this exercise.

On the downside, they do not seem to have more recent images such as Ubuntu 20, which would come in handy for our VPN installation as WireGuard can be more easily installed on the newer Ubuntu versions. With version 18 we will have to add the installation sources from WireGuard. Alternatively we could just upgrade Ubuntu once we have access to the server. It also seems that once you have selected a distribution then you cannot easily switch to another one, like CentOS. You need to make your choice and stick to it. Another not so good experience with them was the time they needed to send me the login details. It took them roughly 3 days. But I can't compare to others here. Another limitation is that I will have to pay for extras such as backup. But I am not planning to store any data on this machine and the setup can be done again very easily at any time. And I fully understand that I do probably not get the first class all-inclusive exec club for a dollar.

Generally speaking, there are some selection criteria which you might consider before choosing a provider. The virtualization technology is most certainly an important factor, especially if you want to run Docker. Look at the pricing – is it a flat fixed price or is it time- or load-based charges. Volume or bandwidth limitations would be a downer as well. But enough talking, let's get this thing
installed.

Like always I have prepared a couple of things for you which you may download from my GitHub repository. The link is, like always, in the description of this video. There is an installation script called wireguard.sh that does all the necessary things for you in order to install WireGuard on the virtual server. A second script called addpeer.sh can be used to add an additional client or peer, such as a laptop running Windows or an iPhone. I have designed the scripts in a way that you can either transfer them over to the server as a file and call them from the command line or – alternatively – you can copy and paste the content directly into the terminal window.

I could connect to the server using the KVM web console, but I personally find working with it a bit awkward; I prefer using secure shell, ssh. If you are a Windows user, you may use a software called PuTTY to do this. Let me quickly download this from the web and install it. In order to transfer the files to the server I use WinSCP. Alternatively, you could use FileZilla – for example if you are on a Mac. Same procedure, searching for it on the web quickly and installing it. I have already put the parameters for my server into WinSCP and can now connect to it with one click. I also have the scripts available here, so all I need to do is drag and drop them over to my server. That's all. The files are now on the server in the USA. I just need to go to the properties of the scripts and check the "Executable" flag so that I can run them on the Linux server.

Next, I connect to the server using PuTTY. Under Windows 10, there is now built-in ssh functionality, so you could just run ssh from the command line as well. I have put the scripts directly in the home directory of the root user, so I can execute them from here. First the installation script. It takes roughly 30 seconds to run. The script will install all necessary software packages, it will set up the interface and the necessary firewall rules for me.

Now that the WireGuard software is installed, I want to add a client to it. From the WireGuard web site I can download the software for Windows. Installing it is pretty straightforward. The client for the iPhone can be found in the App Store. Now let me log into my server with PuTTY and run the addpeer script which will add a new peer and show the configuration data. You might need to tweak the font and window size settings for PuTTY a little bit so that the QR code shows up correctly. I have noticed that it works best with 120 columns, 40 rows and with the Consolas 16 point font even an old man wearing glasses like myself can read everything. Here we go, I launch the script, now I can copy and paste the generated config data into my Windows client. I just create a new empty config and overwrite it with the data that I have copied from the installation script. Now I can connect to the VPN by clicking on the "Activate" button and it does not even take a second to connect.

Let me check my IP address to see where my server is located. It looks like I am in the US and more precisely in Kansas – that's probably where one of their data centers is located. Cool. Let me check Amazon and see if Amazon gives me prices in dollars or euros. Quickly searching for a product, let's say a Wemos D1. All prices in dollars. We are in the US. Beautiful. One last test. What if I wanted to sign in to Netflix? Just give it any mailinator address – all I want to see is if it gives me dollar or euro prices or tells me to go away. All plans in dollars. Good.

Now let's set this up for the iPhone. Clicking on the plus sign in the WireGuard app lets me set up a new tunnel either from scratch or, much fancier, from a QR code. That is actually a very nice way to transfer data from a terminal window to an iPhone. Scanning the code creates a new tunnel. Let's call it USA. Quickly connecting to it and doing the same check – open Amazon and see if prices are in dollars. Yep, all good – everything works as expected.

Guys, before we have a closer look at the scripts and what they do in detail I have a call to action for you. Rather than me just guessing what you might be interested in it would be so much easier if you just told me. So I have two questions – you didn't think you get this for free, did you? Just kidding. Please let me know in the comments of this video if you are using a VPN or not or if you are planning to do so. Furthermore I would love to understand what your main concern is why you would consider using a VPN. Do you need to connect to your home or work environment or is it safety and security or privacy for browsing? In other words, which problem are you trying to solve? Please do write me in the comments. Alternatively you find me on Facebook, Twitter or Reddit. My username is always onemarcfifty. So I'm not really trying to hide here ;-) I
do take and answer questions as well :-) Thanks a lot guys.

The installation script needs to be run as root. The first thing it does is delete any WireGuard configuration that might reside on the machine. Second, it installs the necessary repositories and software packages for WireGuard. During the development of this script I have tried out a couple of things – I have not removed them from the script but rather commented them out because I thought it might help understand the script better.

Next, it generates a keypair and stores the private and public key in the two files which you can see here. The umask 077 sets the file permissions so that the file can only be accessed by root. You should always set the tightest possible access rights on key files in general so that nobody else can access them.

Next we need to enable forwarding, that means we need to tell Linux that it should act as a router. This is done by setting the ip_forward parameter to 1 using sysctl. The script is made for IPv4, that means if you only get an IPv6 address from your provider you would need to adapt this here. I have arbitrarily chosen a private class C address for the WireGuard interface. You may change this to any private address if you wanted to. Next we configure the wg0 link – that is just another randomly chosen interface name for the WireGuard network interface. Feel free to set this to something else if you want. The port we are listening on is set to 51820, again you might change this to something else if you want. In any case, you need to open that port on the firewall of the virtual server. Depending on your provider this may be done in different ways. But anyhow you need to open that port so that WireGuard can answer on it. The wg showconf command shows the configuration.

Up to this point the configuration would not be persistent, that is it would be lost after a reboot. This is probably not what we want. We want the VPN to be available immediately after reboot. So I am writing the config data into the file wg0.conf. I also need to store the IP address of the interface here explicitly as showconf does not print it out. Might be worth improving this, dear WireGuard team, if you are watching. Specifying the SaveConfig parameter makes sure that peers which I create are automatically stored in the config file.

At this point I needed to do a couple of twists in order to find out the name of the public interface, that is the network card of my vserver which is connected to the internet. I need this because I need to add some firewall rules to the config files. For the moment, the Linux server acts as a router. It would hence route me over to the internet. But it would not yet hide my IP address, or rather mask it. It would just route my own private address out to the internet. But a private address cannot be routed publicly. So I need NAT or masquerading. This is done with iptables by adding a MASQUERADE target to the POSTROUTING chain of the nat table.

Nearly finished: we have the config, we have masquerading, we have it stored in persistent files. All we need to make sure is that it comes up automatically after a reboot. For this, we can use systemd. We just enable the wg-quick command with the parameter wg0 as a systemd unit and this way Linux will automatically launch the config after each boot. Perfect, so much for the server installation script.
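The server-side steps just described, as an added example script that is not the wireguard.sh from the video's repository: the 10.8.0.0/24 subnet, the function names and holding the iptables rule in PostUp/PostDown lines of wg0.conf are my assumptions. The config rendering and interface detection are plain text functions, so they can be checked without root; only the install step touches the system.

```shell
#!/bin/sh
# Added example, not the wireguard.sh from the video's repository. It builds the
# persistent wg0.conf the transcript describes; interface name, port and the
# MASQUERADE rule follow the video, the 10.8.0.0/24 subnet is assumed.
set -eu

WG_IF="wg0"
WG_PORT="51820"         # must also be opened on the provider's firewall
WG_ADDR="10.8.0.1/24"   # assumed private address for the server end of the tunnel

# Find the interface carrying the default route (the "public interface" the NAT rule
# refers to). Takes the text of `ip route show default` so it can be checked offline.
detect_public_if() {
    printf '%s\n' "$1" | awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Render wg0.conf. Address is written explicitly because `wg showconf` does not
# print it, SaveConfig keeps peers added with `wg set` across down/up, and the
# PostUp/PostDown lines add and remove the masquerading rule with the interface.
render_server_conf() {
    # $1: server private key, $2: public interface name
    cat <<EOF
[Interface]
Address = ${WG_ADDR}
ListenPort = ${WG_PORT}
PrivateKey = $1
SaveConfig = true
PostUp = iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o $2 -j MASQUERADE
EOF
}

# Root-only part: keys, forwarding, config file, systemd unit.
install_server() {
    umask 077                                   # key and config files readable by root only
    mkdir -p /etc/wireguard
    cd /etc/wireguard
    wg genkey | tee privatekey | wg pubkey > publickey
    sysctl -w net.ipv4.ip_forward=1             # act as a router now ...
    echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-wireguard.conf   # ... and after reboot
    pub_if=$(detect_public_if "$(ip route show default)")
    render_server_conf "$(cat privatekey)" "$pub_if" > "${WG_IF}.conf"
    systemctl enable --now "wg-quick@${WG_IF}"  # bring wg0 up now and on every boot
}

# Only touch the system when explicitly asked: `sh wireguard-example.sh install`
if [ "${1:-}" = "install" ]; then
    install_server
fi
```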
Now let's look at the addpeer script. I designed it so that it can take two parameters – the first one is a client name, that is actually not really used anywhere for the time being, and the second parameter is the IP address that the client should get. Choose a different IP address for each client you want to connect. I default to the .2 address if you don't specify it. For the new peer we need to generate a keypair very much like for the server itself. I am reading out the public key and the public IP address of the server. If you wanted to connect to the server over a dynamic DNS address you would need to adapt this later in your client. Next I just write the whole config into the newpeer.conf file and tell WireGuard that it has a new peer using the wg set command. I have noticed that the config file does not update immediately but that the interface needs to be taken down and up again in order to have the config written into the wg0.conf file. Last but not least I clean out the variables so that they are not stored on the machine and print out the config file as a QR code using qrencode and below as a text file. Perfect.

Guys, this concludes today's episode. Thank you very much for watching. In one of the next episodes we will use this
virtual server to launch a browser remotely, that means we will surf the internet with a browser that is not running on our local PC but rather in the cloud. The goal is to increase privacy for browsing and also security in the sense that we generate some airspace between the browser and our client. Also, there are still a couple of settings that we need to change on this server, such as changing username and password authentication with ssh to public and private key. I am sure this is going to be quite interesting, to say the least, so please make sure that you subscribe because otherwise you will miss that episode. No pressure. Thanks for watching, stay safe, stay healthy. Bye for now.
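The addpeer script described earlier (default .2 address, new keypair, server public key and address, wg set, down and up so SaveConfig writes the peer, QR code plus text), as an added example appended here. It is not the addpeer.sh from the video's repository: the 10.8.0.0/24 subnet is assumed, the client name is used for the output file instead of newpeer.conf, and the address check and the server-address lookup are my additions.

```shell
#!/bin/sh
# Added example, not the addpeer.sh from the video's repository. It follows the
# steps described in the transcript for adding a peer; the 10.8.0.0/24 subnet is assumed.
set -eu
WG_IF="wg0"; WG_PORT="51820"; VPN_NET="10.8.0"   # assumed VPN subnet; the server holds .1

# Client address: .2 unless given; refuse the server's own address and anything
# outside the VPN subnet so the new peer cannot collide with wg0.
peer_address() {
    addr="${1:-${VPN_NET}.2}"
    case "$addr" in
        "${VPN_NET}.1") echo "$addr is the server address" >&2; return 1 ;;
        "${VPN_NET}".*) printf '%s\n' "$addr" ;;
        *) echo "$addr is not in ${VPN_NET}.0/24" >&2; return 1 ;;
    esac
}

# "src" address from `ip route get 1.1.1.1`: the public IP on a VPS whose address
# sits directly on the NIC. Behind NAT or with dynamic DNS, edit Endpoint by hand.
server_address() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i+1); exit } }'
}

# Client config; AllowedIPs = 0.0.0.0/0 sends all IPv4 traffic through the tunnel.
render_peer_conf() {  # $1 client private key, $2 client address, $3 server pubkey, $4 server address
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/32

[Peer]
PublicKey = $3
AllowedIPs = 0.0.0.0/0
Endpoint = $4:${WG_PORT}
EOF
}

add_peer() {  # $1 client name, $2 optional VPN address
    umask 077
    addr=$(peer_address "${2:-}")
    priv=$(wg genkey); pub=$(printf '%s' "$priv" | wg pubkey)
    wg set "$WG_IF" peer "$pub" allowed-ips "${addr}/32"
    wg-quick down "$WG_IF"; wg-quick up "$WG_IF"   # SaveConfig writes the peer to wg0.conf on down
    render_peer_conf "$priv" "$addr" "$(wg show "$WG_IF" public-key)" \
        "$(server_address "$(ip route get 1.1.1.1)")" > "${1}.conf"
    qrencode -t ansiutf8 < "${1}.conf"; cat "${1}.conf"   # QR code for the phone, text for the PC
    unset priv pub                                        # do not leave the client key in the shell
}

# Only touch the system when explicitly asked: `sh addpeer-example.sh addpeer laptop 10.8.0.3`
if [ "${1:-}" = "addpeer" ]; then shift; add_peer "$@"; fi
```

Run it as root on the server; without the leading addpeer word nothing is changed, which is what lets the address check and config rendering be tried out offline.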