Your Virtual Private Network isn’t there to watch geo-blocked content.
Once VPNs were used to connect networks, like remote offices of a company.
Today they protect your information and privacy.
This is why your VPN isn’t an optional tool anymore.
It’s your shield against unwanted attention and passive monitoring.
Without a VPN your ISP can see a lot:
- your browsing habits
- your downloads
- the protocols you use
They don’t see your data. They see patterns. They draw the map.
With a consumer VPN you shift your trust to your VPN provider.
If you host your own VPN service – you put your trust in yourself and your hosting provider.
Guard Your Wires
WireGuard is a modern VPN protocol.
It’s simple, fast and secure and it’s part of the Linux kernel.
A smaller codebase means easier audits.
Server Installation and Configuration
Install the wireguard package with your package manager:
sudo apt install wireguard
Generate the server keys:
wg genkey > server_private.key
wg pubkey < server_private.key > server_public.key
sudo mv *.key /etc/wireguard/
Protect the keys with hardened permissions:
sudo chmod 400 /etc/wireguard/{server_private.key,server_public.key}
sudo chown root:root /etc/wireguard/{server_private.key,server_public.key}
In the following examples:
- Replace the IP addresses and subnets with your own.
- Replace the interface (enp1s0) with your LAN interface.
Enable IP forwarding:
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/wireguard.conf
sudo sysctl --system
In /etc/ufw/sysctl.conf set:
net.ipv4.ip_forward=1
In /etc/ufw/before.rules, before the *filter line, add:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.20.20.0/24 -o enp1s0 -j MASQUERADE
COMMIT
Allow routing and the WireGuard port in UFW:
sudo ufw route allow in on wg0 out on enp1s0
sudo ufw allow 51820/udp
Reload the UFW configuration:
sudo ufw disable
sudo ufw enable
WireGuard server configuration.
Minimal server configuration in /etc/wireguard/wg0.conf:
# Server configuration
[Interface]
PrivateKey = <server_private_key>
Address = 10.20.20.1/24
ListenPort = 51820
SaveConfig = false

# Client's config
[Peer]
PublicKey = e2V40zdPiX43lqOamcoEI8J10uKaXWBeKwf+spWDWgc=
AllowedIPs = 10.20.20.2/32
Harden the file permissions:
sudo chmod 600 /etc/wireguard/wg0.conf
Start and enable the service:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
Verify the service:
sudo systemctl status wg-quick@wg0.service
Client Installation and Configuration
Install the wireguard package on the client machine as well.
Generate the key pair as you did on the server.
Don’t forget to harden the key files’ permissions.
Install the resolvconf package (optional on some systems):
sudo apt install resolvconf
WireGuard client configuration.
Minimal client config in /etc/wireguard/wg-ds.conf:
# Client's configuration
[Interface]
PrivateKey = <client_private_key>
Address = 10.20.20.2/32
SaveConfig = true

# Server's configuration
[Peer]
PublicKey = tInj/aAAZIkv8RWzAyXq5ngbO9OUPz+Fkbog7LkgQzQ=
Endpoint = <server_ip>:51820
AllowedIPs = 10.20.20.0/24, 192.168.100.0/24
PersistentKeepalive = 25
PersistentKeepalive is crucial for peers behind NAT: the periodic packet keeps the NAT mapping open.
Don’t forget the hardening:
sudo chmod 600 /etc/wireguard/wg-ds.conf
Bring up the connection:
sudo wg-quick up wg-ds
Verify it:
sudo wg show
Bring down the connection when you no longer need it:
sudo wg-quick down wg-ds
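Before trusting either config file, it pays to check it mechanically. The script below is an added example, not part of the original post and not a WireGuard tool: a small parser for the wg-quick config format shown above, with checks for the mistakes that undermine the setup (a config readable by other users, two server peers claiming overlapping AllowedIPs, a client peer without Endpoint or PersistentKeepalive, and a client whose AllowedIPs do not include 0.0.0.0/0, meaning only the 10.20.20.0/24 and 192.168.100.0/24 networks travel through the tunnel while ordinary Internet traffic leaves the client untouched). The embedded sample configs are the page's own, with placeholder private keys; the function names and the finding texts are the example's own.

```python
"""Hypothetical checker for wg-quick configuration files (added example).
Uses only the standard library, so it runs anywhere."""
import ipaddress
import os
import stat

# Constructed samples: the server and client configs from the post.
SERVER_CONF = """# Server configuration
[Interface]
PrivateKey = <server_private_key>
Address = 10.20.20.1/24
ListenPort = 51820
SaveConfig = false

# Client's config
[Peer]
PublicKey = e2V40zdPiX43lqOamcoEI8J10uKaXWBeKwf+spWDWgc=
AllowedIPs = 10.20.20.2/32
"""

CLIENT_CONF = """# Client's configuration
[Interface]
PrivateKey = <client_private_key>
Address = 10.20.20.2/32
SaveConfig = true

# Server's configuration
[Peer]
PublicKey = tInj/aAAZIkv8RWzAyXq5ngbO9OUPz+Fkbog7LkgQzQ=
Endpoint = <server_ip>:51820
AllowedIPs = 10.20.20.0/24, 192.168.100.0/24
PersistentKeepalive = 25
"""


def parse_wg_config(text):
    """Return (interface_dict, [peer_dict, ...]). Comments and blank lines
    are dropped; a value is everything after the first '=' so base64
    padding in keys survives."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def allowed_ips(peer):
    """AllowedIPs of one peer as ip_network objects (comma separated)."""
    field = peer.get("AllowedIPs", "")
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in field.split(",") if p.strip()]


def check_config(text, role, mode=None):
    """Return a list of findings. role is 'server' or 'client'; mode is the
    file's st_mode, or None to skip the permission check."""
    findings = []
    interface, peers = parse_wg_config(text)
    if "PrivateKey" not in interface:
        findings.append("Interface: PrivateKey missing")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is readable by group/others; use chmod 600")
    for i, peer in enumerate(peers):
        if "PublicKey" not in peer:
            findings.append(f"Peer {i}: PublicKey missing")
        if not allowed_ips(peer):
            findings.append(f"Peer {i}: AllowedIPs missing, no traffic is accepted")
    if role == "server":
        if "ListenPort" not in interface:
            findings.append("Interface: ListenPort missing on server")
        # Cryptokey routing: a source address may belong to exactly one peer.
        for i in range(len(peers)):
            for j in range(i + 1, len(peers)):
                for a in allowed_ips(peers[i]):
                    for b in allowed_ips(peers[j]):
                        if a.overlaps(b):
                            findings.append(
                                f"Peer {i} and Peer {j}: AllowedIPs overlap ({a} / {b})")
    if role == "client":
        for i, peer in enumerate(peers):
            if "Endpoint" not in peer:
                findings.append(f"Peer {i}: Endpoint missing on client")
            nets = allowed_ips(peer)
            if not any(n.prefixlen == 0 for n in nets):
                findings.append(f"Peer {i}: split tunnel ({', '.join(map(str, nets))}); "
                                "Internet traffic leaves the client outside the VPN")
            if "PersistentKeepalive" not in peer:
                findings.append(f"Peer {i}: no PersistentKeepalive; may stall behind NAT")
    return findings


def check_file(path, role):
    """Run check_config on a file on disk, including its permission bits."""
    with open(path) as fh:
        return check_config(fh.read(), role, os.stat(path).st_mode)


if __name__ == "__main__":
    for name, text, role in (("wg0.conf", SERVER_CONF, "server"),
                             ("wg-ds.conf", CLIENT_CONF, "client")):
        print(name, check_config(text, role) or ["ok"])
```

Run it against the real files with check_file("/etc/wireguard/wg0.conf", "server") as root. On the page's configs the server passes cleanly and the client gets exactly one finding, the split-tunnel note; replacing the client's AllowedIPs with 0.0.0.0/0, ::/0 clears it, which is what you want if the server is meant to carry your browsing.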
Final Thoughts
This configuration protects your browsing only between the client and the server.
What leaves the server is visible to third parties.
The trace leads back to the server – then to you.
Your VPN is not anonymity.
It’s your elevated privacy.