Self-Hosted VPN With Wireguard + Linode!

Reddit Comments

Finally! I thought they were never gonna make this after all those promises in the news program.

👍 3 · u/mjarkk · Aug 26 2020

Just wanted to say I'm really glad they put up an easy to follow guide on installing a VPN. While I don't necessarily use it for privacy directly, although I do use Pi-hole and cloudflared DoH, it's mainly a way for me to be connected to my home network at all times with my phone, allowing Pi-hole on cellular.

👍 1 · u/VisionsOfTheMind · Aug 31 2020

Captions
This video is brought to you by the ASRock Steel Legend Z490. If you've settled on Z490, you want the 10600K and on up, the fastest gaming processor you can get right now. You know this motherboard would be a good fit for that. We got Dr. MOS VRM; it's going to support the six core or even the 10 core, the 10850K or the 10900K. The 10850K, I think, is the best deal if you want 10 cores, or the 10600K if you just want the raw fastest gaming performance in the ASRock Z490 Steel Legend motherboard. Good news: there's a special at Newegg right now. ASRock and Newegg have teamed up; you can get a discount on your motherboard. Be sure to click the link in the description and check out the awesome combo that's being offered by ASRock and Newegg for this particular motherboard. We've got Nahimic audio, we've got an x16 reinforced PCIe expansion slot, we've got another x16 physical expansion slot. This is a great motherboard to pair with something like the i5-10600K for an affordable, because this is a sub-200 Z490 motherboard, gaming build that is the fastest gaming build that you can build right now. Thanks, ASRock. [Music]

Hey gang, we're here to talk about VPNs. Now, if you're questioning "do I need a VPN?", have you ever seen another video on this channel? If not, please pause this video and go and watch every video in the backlog and then come back here, and if you don't have a sense of existential dread or that someone is actively watching you right now, watch them again until you do, because that is the case. You're being spied upon every day by your government and evil corporations and who knows who else. You do need a VPN. The question, the only question, then becomes: who do I use as a VPN?

Now, in the past we've had some really good recommendations about that kind of thing. Unfortunately, VPNs lately have been, uh, following some negative trends. So you've got the really bad things like, uh, Onavo, the Facebook VPN. Now of course you know better than to use that, but some people don't. The Facebook VPN, yeah, it
would hide your identity from some external websites that you visited, but Facebook would then harvest everything, so that's not good. But what about, uh, no-logging VPNs, right? VPNs like Private Internet Access in the past have had these no-logging policies, and they've had court cases, and it's like, yeah, they've proven in court they don't keep logs, that's really great, right? But then you find out that somebody bought Private Internet Access, and are they still doing that? Can we be sure? So you have these acquisitions, and the VPNs that get acquired are often the most popular ones, the ones that people really trust. They throw money at them, they buy them, and then can we trust them after that? That's the problem. So we are left with... oh, and we have to mention the no-log VPNs in China. Turned out they had a bunch of logs, and they had a data breach; actually, they didn't put a password on one of their databases.

So who can you trust? The answer is nobody. You can trust no one in this world except for yourself. Not always yourself, but mostly yourself, and if not yourself, then who? So what we're going to talk about today is your own VPN: cloud hosting and WireGuard to establish your very own VPN that you control. You can turn off the logs, you can do whatever you want. Now, we're going to use Linode, because we love Linode, and we're going to use WireGuard. There are some other options. WireGuard is one of the more basic ones, and it's kind of in their mission statement that they're not trying to do a lot with it. What they want to do is they want to give you an encrypted UDP tunnel between you and your cloud hosting to create a VPN that you control, and that's what we're gonna do.

Now, it's important to know what a VPN will do and what a VPN won't do in terms of protecting you. Now, Linode, if they get a warrant brought to them, they have to give up your information. So yeah, if you're gonna try to do illegal things through your own VPN, don't think that that's gonna work. A subpoena, a warrant, they're gonna be able to
attach your IP, your billing details, to that external IP. So get that out of your mind if you want to do illegal stuff. This is more to protect you from data collection and, you know, things spying on you outside of the legal system. The other thing you have to keep in mind is you can poison this well very easily. If you log into a banking website or Gmail or something like, or Facebook, through your VPN, guess what: your new IP address is going to be propagated among your advertising profile. They will immediately know who you are after that. So you have to be careful to keep your safe browsing and your reckless browsing on different identities. So just keep that in mind. This is not a silver bullet, but it is an effective bullet. It's got some armor piercing, it's got some frangibility, but won't kill a werewolf.

The first thing we're going to do is set up our host. To do this we're going to use Linode. You don't have to use Linode; any sort of cloud hosting will work for this. You can even do this on your own server if you have an external IP address for it. Um, I am going to use Ubuntu for this. Ubuntu, not sure exactly how you pronounce it. Uh, I will warn you, uh, so when I was experimenting with this on my local network just to get it working, I used Debian, and with that version of Debian WireGuard was backported. The install process was much more unpleasant. I did get it working, so you could use any distro for this that you want, but if you have the option, uh, maybe stay away from Debian.

So I'm kind of going to go cheap on this. This is not something that is going to be doing anything other than running WireGuard. It should not be taxed by what we're doing here, so I'm going to go for the two gigabyte plan, and, uh, yeah, I'll just keep that normal. I'm not going to, uh, leave this up. So in this tutorial I will be showing you my private keys, I'll be showing you some IP addresses. Don't assume that those are still there. Don't try to attack them, please,
because I'm going to tear this down as soon as this is done. All right, and then we'll just click... If you're following along with Linode, which we recommend, we love Linode, just set all this up, you know, choose your own region. And if you wanted to use SSH keys... obviously I'm not, this is not a long-term thing, I'm not going to bother with that, but this would be a more secure way of accessing your VPN. And then we will create, and there it is, ready to go. Again, I'm gonna show you this IP address. Normally you wouldn't want people to know this under any circumstance, but, uh, gonna tear this down as soon as I'm done, so please don't try to attack random other Linode users trying to get to my VPN.

Once our Linode instance is up and running, and you will get an output that will let you know that it's booting, and so when everything is done, it's ready to go, then you want to head on over to, uh, SSH. I want to connect to your box. Now, the defaults: uh, the username will be root, because that's the only account that exists right now, and the password will be the password that you set during the creation process. And here we are, we're logged in. Get some information about your system there, and, uh, we're ready to go.

So step one, we want to go ahead and install WireGuard. To install WireGuard, the first thing we're going to do is add the repository for it. Now, your distribution might already have this, but it doesn't hurt to run this command again. This will just ensure that we have the package manager information with which to install WireGuard. You press enter, tell it that it's okay, it's gonna download some stuff, and then once that is complete we have to install WireGuard. Of course, if you're using a different distribution you might have a different package manager command, but it will always be called wireguard. We do want to continue. It's going to take a whopping 344 kilobytes of disk space. We can afford that. And there we go. So we should be able to go to etc
wireguard. Again, if you are not a root user you will not have permission to this; use the sudo command. And here we are. It's empty, but that's expected. So we now have an installation of WireGuard set up.

Our next step will be to generate some keys, encryption keys for our WireGuard setup. We can create our keys with a single command. I'm going to put them here in the WireGuard directory. Now, it doesn't really matter where you put your keys. You can put your keys directly in your configuration file, or you can reference a file to use your keys in the configuration; it's probably a little bit more secure. I'm just going to put them directly in the configuration file here, so I just need to see their contents. I'm going to put them in the WireGuard folder. Again, you don't have to do that, but you do have to make sure that you have permission to write wherever you run this command. This will pipe the commands together to create both keys at the same time. You could do them individually as well if you want. And once we run that, we now have two key files, and the contents of those will be our public and private keys. Now, I'm gonna show you my private key in this video, but keep in mind you never wanna do that in the real world. And again, I won't be using this installation, because once I show you my private key it's no good. I'm going to tear it down as soon as this video is done.

There's more than one way to set up WireGuard, and if you go to the WireGuard official site you'll actually see a command-by-command way of doing this that is very inefficient. That's not how we will be doing it. We're going to use a configuration file, and the configuration file with the wg-quick command will give us the ability to just put all of the commands that we want to set up our interface in a file and call it to do them all at once, rather than typing them in individually. We will talk about that file and we'll go through it line by line to sort of show you what's going on, but before we
do that, there's two things that we need to know. We need to know the name of our network interface and our external IP address. Again, I'm going to show you the external IP address. Normally you don't want people to know this, just because, you know, the world is a terrible place and people will do horrible things if they can try to connect to you. Again, I will say I'm going to pull this down. I know I'm saying it a lot, but please don't attack this IP address; it will no longer be me once you see this video.

So `ip a` will give us that information. This is going to pull up all of the network interfaces on this machine. There's only the one we need to worry about, so the name of that is eth0. That's pretty standard, but don't count on yours being this; double check and make sure. So you need to record this value, and then this will be our IP address. I'm just going to do IPv4 in this video, but you can see the IPv6 is down here if you want to go that route. So now we know this is our external IP address and our network name. So now that we have those values, record those values somewhere, and we will start working on the configuration file.

So now we are going to set up our WireGuard configuration file, our server configuration. I've already done this, but we'll step through it line by line. You can call this whatever you want, but wg0 is the, uh, the standard, and then the .conf. Uh, you can run as many of these as you want as well. You might want more than one WireGuard set up here, so, you know, you could do wg1, wg2, call it whatever you want, but the file name needs to match the name of the WireGuard interface that you eventually create. And in this case, because we're going to use the quick command, whatever we feed the quick command, it will look for that file. So we'll use wg0, the default.

Now, the first line of this file is Interface in brackets. That just tells it that this is the server interface, because later on we'll add some peer configurations. And this Address line is very
important. This is the address that you want the WireGuard instance to run on. Now, notice this is an internal network address. You want to use something from the internal network range, because this is not a real address; this is something we're creating for this WireGuard instance to live on. This is what you will access it with once you, uh, set up your tunnel. Let's go with good old 69. This is IPv4; you can also use IPv6 here if you want. I'm just going to go with four.

SaveConfig = true: what this does is, if we modify the WireGuard configuration of wg0 via the command line, then it will automatically update this file to reflect that, as long as we have SaveConfig in here. So that makes it more convenient. If you, uh, let's say you add a peer via the command line, then it'll go ahead and add the peer in this configuration file, which is convenient.

And here's the meat of this: the PostUp and PostDown commands. What's gonna happen here when we use the quick setup is, once it establishes wg0, it is going to run the PostUp commands, and then when wg0 is destroyed, it's going to run the PostDown commands. So we have iptables commands in here, and so basically what we're doing, we're adding a command here for incoming traffic to be accepted, and then we're adding this routing command for eth0. Now, this is what you would replace with the name of your network interface when you ran `ip a`. If yours was something different, just make sure you remember to swap this out or it will never work. And then finally we're going to add outgoing as well. So the first line is incoming, the last line is outgoing, and then in the middle here we have which network interface to use for the forwards. If you are going to use this as a VPN, it's critical that you run this outgoing line here. If you just want to, for example, create a tunnel that you're going to SSH into to use this machine, then you don't necessarily need the outgoing line, but since we're doing a VPN we want all the other traffic
coming back to be able to get through and come back to us, like our web traffic for example. And then PostDown is just the polar opposite of that. So again we have incoming and outgoing, and we have the route to the interface, but in this case we are -D, we are destroying those. So when WireGuard comes down, we don't want our iptables to be open anymore, so we tear that down every time that, uh, WireGuard comes down with the quick down command.

The port is whatever you want it to be. This is the standard one for WireGuard, but your client needs to know what port to connect to, and we need to know what to open up on the firewall, so we'll go with the standard. And then the private key that we just generated. Again, you could reference the file here if you want, if you want to be a little bit more secure. I'm just going to copy-paste this in, and once again, don't ever show this to anybody. So once we have this file created, we can go ahead and start up our wg0.

One quick thing we're going to do to increase the security of this is to set up the Uncomplicated Firewall. Now, we're using the iptables for our, uh, configuration file, but this... now, if you're going to use this system for other things, there's going to be more steps to this; you might need more ports. Because this is purely just for a VPN, we want to go ahead and allow 22, because that's our SSH connection. If we don't have this on a remote host, we're in trouble. And, uh, we're also going to add the WireGuard port. Now, this is the port that you defined in the configuration file. If you defined something else, then you have to swap this port number out. And we're going to allow UDP over that, because WireGuard is just encrypted UDP traffic. And once we have those two rules in, we can go ahead and enable the Uncomplicated Firewall, which will just give us a little bit more security on this machine. And because we still have the ability to communicate with the server, we can be confident that those worked and we are allowing traffic
over 22. That's the critical one. If you missed that one, you're gonna have to pull down your VM and start again.

Now that we have the firewall set up, we have the moment of truth: we can actually start WireGuard. Now, WireGuard has this great command, wg-quick, and what this is going to do is give us the ability to pull up and tear down WireGuard based on that configuration file. So I'm going to say wg-quick up, and then you have to point it to the proper instance of WireGuard. We'll just give it wg0, and it will look for wg0.conf in the WireGuard folder. If you called your configuration file something else, you would replace that here. And there we go. So these are the individual commands that it's running. You could do these individually as well. Again, if you go to the WireGuard install tutorial on their site, they'll give you these individually if you want to understand them more. But basically we're creating a WireGuard-type interface at wg0, and we're, uh, setting up the configuration. There's the IP address, the local IP address that we established that this is going to run on. Again, this is one that we just made up that we want to choose for this, so it needs to be not being used on your network. And, uh, there's our iptables, so the commands that we gave it. We didn't get any errors, so we can assume that this is running, and, uh, there's actually a way to see that, which is wg show. So there's our interface, public key, and the port that we're listening on. So this is the information that your client will need, aside from the IP address, to connect to WireGuard.

And speaking of the client: the server is working correctly, now we need to set up our client. Now, we will have to add the client as a trusted peer later, but we need to know some information about the client before we do that. I'm actually going to switch over to Windows to set up the client. We're going to do the client under Windows. Uh, setting up a client in Linux is very much the same process. You don't have
to do some of the other stuff, like the iptables stuff, but you will just set up a configuration file and, uh, run it the same as you did this. So we'll switch to Windows and look at it from that perspective. We still will use the same configuration file and stuff like that; you just have to use an app that you get from WireGuard in order to set all that up.

To get our Windows installer, we'll just head over to wireguard.com/install, and you can see that it has clients for a variety of operating systems. You can run this on your phone if you want. We're going to go with Windows, so we will just download this Windows 64 version and get that installed. In WireGuard, you want to create a new tunnel with the, uh, Add Tunnel control down here. It's a little bit annoying because, uh, OBS doesn't capture the pop-ups very well in window mode. So you want to add a new tunnel, uh, don't import from file, but add a blank tunnel. And I'm just going to show you this one that's already been set up, because it didn't record the first time. So name it whatever you want, and, uh, I'm gonna call mine Linode, because, you know, we love Linode and we're gonna give them maximum value. They didn't pay us for this, but they have advertised with us in the past.

The public key is gonna be generated for you, as will the private key, so you will only get these two lines once you start. Now, the address we're going to put in here is going to be a local, from the local address pool, just an unused IP. I used 69 for my server, so I'm going to use 96 for my client. And again, this is IPv4; if you want, you can do IPv6 as well as IPv4 here, just comma-separate your, uh, your addresses in here. And then you want to set a DNS server. Now, I know what you're thinking. You're thinking, "oh wait, this is a video that's about privacy and you're going to use that DNS?" Yeah, yeah, it's easy to remember. Don't use Google if you value your privacy.

And then you want to put in a Peer section, and the Peer section is going to be the public key. Now, this public key, you know,
it's, uh, not this public key. This is from your server. So when you generated the keys for your server, go back to there, look at your public key file; that's the value that you want to put here.

When it comes to allowed IP addresses, uh, all the zeros: when you set it up for all the zeros, you're saying move all the traffic across this. If you don't have that, you'll notice that your little option down here will go away. When you have this valid value in here, you get the kill switch. Now, what this is going to do is... so, WireGuard could fail in a variety of ways. Let's say that, you know, Linode gets hit by a comet, the data warehouse, and your WireGuard goes away. What could happen is that you could be doing something that you want to be private, and suddenly Linode goes away and you lose that connection. So now you're just, you know, you're going along and you're looking at stuff on the internet, and you're using your real IP address all of a sudden. To prevent that from happening, make this check box, and this is a kill switch. So if the WireGuard goes away, everything goes away. You lose your internet connection, and you know to do something about it or curb your behavior until it can be rectified.

And finally the endpoint value. This is the public IP address of our server, so the VM that you just created, this is its public IP address, and this is the port that you set up in your configuration on the server. This is the standard port that you want to use if you're just using the standard WireGuard stuff. So right now, when we use this computer, our external IP address is whatever we're getting, uh, you know, from the router, but once we set this up, our external IP address will be through WireGuard from that VPN, and this is what we will look like to the internet.

Once you have this set up, you can, uh, save it, but you cannot connect to it yet. You will come out and you will get this screen, this Activate. So you see, you can have multiple, uh,
interfaces set up here, but you cannot yet activate, because right now our server doesn't know anything about this peer. So we have to give the server the information about this peer, most importantly the keys, so that the encryption can be done.

With our Windows client configured, we need to go back to the server, and, uh, WireGuard needs to be running. So if you have taken it down since, you want to set up your client, be sure to bring WireGuard back up with wg-quick, and once it's running you can use wg show to show you the status of it. I'm not gonna do that because it'll expose my IP address, but once you are sure that it's running with wg show, then you can set up here. So here we see wg set wg0. Remember that if you used a different WireGuard interface name, substitute that. And then peer. Now, this is the public key of my Windows WireGuard, my client. It'll be the same if you used a Linux client. So we can take a look at that here. You see, there's the public key that matches the value that we're putting in here. And then we're going to set allowed-ips, and this is going to be the IP address that we created in the local subnet for our WireGuard client. And once again we'll take a look here, you can see there. You don't need the slash 24, you just need the raw IP address here. And run that, and when you run that it will generate a configuration file automatically, because we have the auto config, when this connection takes place. And the Windows client will actually randomize its port, and it will update automatically.

Now, because we're using this as a VPN, we want everything to come through this tunnel. As we have it right now, you could connect with your client and you could SSH in to... so you could use the IP address that you set for your server, in this case 69, and you could go to that, which will be a local address on your client computer, and you will actually go through the tunnel and get to the Linode server. So you will have, you know, that tunnel to the Linode
server. We want all of our traffic to go through this, and one thing that could just drive you out of your mind if you follow some of the tutorials is that IPv4 and IPv6 forwarding is very often disabled by default. So we need to go to /etc/sysctl.conf and we need to look for this line, net.ipv4.ip_forward=1. If you're using IPv6, this one will also need to be uncommented. You need to uncomment those and you need to reboot. Very important, because otherwise you will have no idea why your internet is failing, and it would simply be because there's no forwarding going on here.

Another thing to look out for is, you know, when you spool up one of these VPN or VMs, it's probably a good idea to just go ahead and apt upgrade and apt update everything, just to make sure that, you know, everything's good to go before you get started, because I've also experienced some weirdness. And then you want to reboot the machine after that as well. So I would do that: set everything up, set those forwards, and then reboot everything before the final step of connecting with the client.

Now, with all of that done, our server freshly rebooted, we head back to our client and we just need to click that Activate button. You will get a notification in the bottom right from Windows saying WireGuard has been activated. You'll see some activity start down here at the bottom in the transfer section, and if we head over to a web browser, we can head to a site that's going to show us our external IP address. And there we are: our Linode IP address from our Windows client. Atlanta, United States; that's what we chose when we set up our Linode server for where physically our server was located. Do a DNS leak test, and they're all coming from Atlanta, all coming from Google, so we're all good. We now have all of our traffic going through our VPN on Linode.

Because the VPN server is not something we want to have to log into ever again, other than to do updates, we probably want this to start when the system starts, so if there's any
unexpected reboot or something like that, WireGuard is just automatically going to start. So systemctl enable, and then we pass the field wg-quick@wg0. Again, replace wg0 with your interface name if you chose something else when you created your WireGuard config. And we will create that; next time the system reboots, WireGuard will come up at the same time as the system boots.

Now, we only did a single client here, and I only did a Windows client. Of course, the Linux client setup is pretty much the same way; you just create your configuration file. Uh, now you might be thinking, "hey, I watch the Level1Techs channel, I'm not a normie, I've got like six computers in my house, am I gonna have to set this up on all of them?" Well, if you're an advanced power user, you can set this up at the router level and you can put your whole network on it, or you can have different virtual networks so that you can have, you know, some devices on the WireGuard and some off of it and stuff like that. And we are actually probably going to have some more content related to that kind of stuff in the future. But the good news is your WireGuard server doesn't have to be changed. The WireGuard server you set up from this video can be used again when you get to the, uh, the whole network router setup.

So there it is. It's pretty basic to set up. You should keep it updated, like all things. You should keep your cloud VM updated, so, you know, you do have to interact with it from time to time. But for the most part, just remember to keep the good traffic on the VPN and keep the dangerous traffic... or maybe vice versa, but just make sure that you don't, uh, out your VPN with your real identity, and it will serve you well. You can do things that might be a little embarrassing. Uh, we've all got things we do on the internet that we don't want other people to know about, right? Now, there's nothing wrong with that. So just use a VPN, and do it yourself.
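
The captions describe the server and client configuration files line by line but do not reproduce them. The pair below is an added sketch of what such files look like, not the presenter's actual files. Assumptions: the 10.0.0.0/24 tunnel prefix (the video only gives the last octets, 69 and 96), every `<...>` placeholder, and port 51820, which is WireGuard's conventional port; `eth0` is the interface name shown in the video.

```ini
# ===== Server: /etc/wireguard/wg0.conf =====
# Contains the private key: keep it owned by root with mode 600
# (wg-quick warns when the file is world accessible).
[Interface]
# Tunnel-internal address of the server. The 10.0.0.0/24 prefix is an
# assumption; use any private range not already in use on your networks.
Address = 10.0.0.69/24
# Persist runtime changes (peers added with `wg set`) back into this file
# when the interface goes down. Side effect: the file is rewritten, so
# comments and hand edits made while wg0 is up are lost.
SaveConfig = true
# %i expands to the interface name (wg0). Replace eth0 with the WAN
# interface reported by `ip a`. Order as in the video: accept incoming
# tunnel traffic, NAT out of the WAN interface, accept outgoing.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
# Exact mirror of PostUp with -D, so no forwarding or NAT rule stays
# behind once the tunnel is torn down.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT
# Must match the UDP port opened in ufw and the client's Endpoint port.
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

# Written by SaveConfig after `wg set wg0 peer <CLIENT_PUBLIC_KEY> allowed-ips 10.0.0.96`.
# A single address (/32) means the server accepts tunnel packets from this
# key only when they are sourced from that one tunnel IP.
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.96/32

# The server also needs net.ipv4.ip_forward=1 uncommented in
# /etc/sysctl.conf, otherwise the NAT rule above never sees client traffic.

# ===== Client: tunnel definition (Windows app or Linux wg0.conf) =====
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.96/24
# Resolver used while the tunnel is up; queries leave via the VPN.
DNS = <RESOLVER_IP>

[Peer]
# Public key of the SERVER, not of this client.
PublicKey = <SERVER_PUBLIC_KEY>
# 0.0.0.0/0 routes all IPv4 traffic through the tunnel; per the video, this
# value is what makes the kill-switch option appear in the Windows client.
AllowedIPs = 0.0.0.0/0
Endpoint = <SERVER_PUBLIC_IP>:51820
```

With only an IPv4 `AllowedIPs` entry, IPv6 traffic on a dual-stack client is not routed through the tunnel unless the kill switch blocks it or `::/0` and an IPv6 tunnel address are added on both sides.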
Info
Channel: Level1Linux
Views: 34,240
Keywords: technology, science, design, ux, computers, linux, software, programming, level1, l1, level one, l1Linux, Level1Linux
Id: yDgpBC7c1uY
Length: 32min 8sec (1928 seconds)
Published: Wed Aug 26 2020