Currently setting up my own VPN using Wireguard out of interest and because I want to access my devices from anywhere in the world - how a VPN was meant to be used.
Thought I'd share this since I feel like there are many misconceptions about VPN and public Wi-Fi.
reply
please keep us apprised of your progress! by Us I mostly mean me
reply
To be honest, I got this idea of running my own VPN because of my dynamic IP issues with my public node: #106641.
I then also created a post on bitcointalk.org where people made me aware of using a VPN with port forwarding to have a static IP: https://bitcointalk.org/index.php?topic=5428788
Then I realized I have been using some weird workarounds using SSH tunnels to access my devices when I am not at home which would be obsolete with a proper VPN setup; the original use case of a VPN.
I am already using Mullvad VPN but as far as I am aware that only hides my IP from my ISP (edit: that was wrong, hides my IP from websites I visit) but does not solve this original use case. Maybe it can, but I wanted to know how this VPN stuff works anyway.
So off I went with Wireguard.
I had to change my VPS because Wireguard seems to only be available since Linux kernel v5.6 and my VPS provider was still using 4.15. Also, no option to upgrade the kernel because of their virtualization method (OS-level virtualization using openvz where kernel is shared). So I created another VPS at linode with full virtualization using kvm. Could even pick Arch Linux as my image :) So even learnt something about virtualization along the way, haha
This home access VPN is already set up. Wasn't that hard. The only part I was struggling with was understanding iptables and making the linode VPS act as a VPN "server" which forwards packets between devices (since it's the only one accessible from the internet). (Server in quotation marks because the Wireguard protocol does not distinguish between clients and servers. Everyone is just a peer but can have different configs.)
Essentially, I have these configs:
"server":
[Interface]
ListenPort = 51871
PrivateKey = ***
Address = 10.0.0.1/32
PostUp = /etc/wireguard/helper/add-nat-routing.sh
PostDown = /etc/wireguard/helper/remove-nat-routing.sh

[Peer]
PublicKey = ***
AllowedIPs = 10.0.0.2/32, fdc9:281f:4d7:9ee9::2/128

[Peer]
PublicKey = ***
AllowedIPs = 10.0.0.3/32, fdc9:281f:4d7:9ee9::3/128

[Peer]
PublicKey = ***
AllowedIPs = 10.0.0.25/32, fdc9:281:4d7:9ee9::25/128
The server knows how to route to individual devices in the VPN.
"client":
[Interface]
ListenPort = 51902
PrivateKey = ***
Address = 10.0.0.x/32

[Peer]
PublicKey = ***
AllowedIPs = 10.0.0.0/24, fdc9:281f:4d7:9ee9::1/128
Endpoint = ***:51871
PersistentKeepalive = 30
Clients know only how to reach the server using the static IP as endpoint. So they send all packets meant for any device in the VPN (10.0.0.0/24) to the server which then forwards the packets to the corresponding peer.
The part about iptables such that the server can forward IP packets is done in the PostUp script:
#!/bin/bash
# /etc/wireguard/helper/add-nat-routing.sh
# (the shebang has to be the very first line, otherwise the kernel does not run the script with bash)
# Setup IP forwarding rules such that clients can connect to each other.
# Following kernel parameters must be enabled:
# - net.ipv4.ip_forward = 1
# - net.ipv6.conf.all.forwarding = 1
# See https://wiki.archlinux.org/title/WireGuard#Server_configuration
# and https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/

# 1. Setup NAT firewall rules
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o wg0 -j MASQUERADE

# 2. Accept all traffic created by wg0 interface
iptables -A INPUT -i wg0 -j ACCEPT

# 3. Forward packets from wg0 to wg0
iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
Currently trying to figure out how to route all internet traffic of my mobile first to a device at home. Could only get this to work by routing all internet traffic to the VPS. But I don't want to use the connection of my VPS for my mobile usage since it's metered. Want to use my unlimited home internet connection.
Not sure if you wanted it this detailed but that's my progress so far haha
reply
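The forwarding in the hub-and-spoke setup above relies on WireGuard's cryptokey routing: each peer's AllowedIPs decides both where an outgoing packet goes (longest prefix wins) and which source addresses are accepted from that peer. This added example (not code from the thread) parses a wg-quick config like the "server" one, resolves which peer a destination would be sent to, and reports AllowedIPs that two peers claim, which wg(8) silently reassigns; the sample config is constructed and its keys are placeholders.

```python
import ipaddress

# Constructed sample modelled on the "server" config above; keys are placeholders.
SERVER_CONF = """
[Interface]
ListenPort = 51871
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.0.1/32
[Peer]
PublicKey = PEER_A
AllowedIPs = 10.0.0.2/32, fdc9:281f:4d7:9ee9::2/128
[Peer]
PublicKey = PEER_B
AllowedIPs = 10.0.0.3/32, fdc9:281f:4d7:9ee9::3/128
"""
def parse_wg(text):
    """Parse a wg-quick config: one [Interface] dict plus a list of [Peer] dicts."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers
def allowed_networks(peer):
    return [ipaddress.ip_network(p.strip(), strict=False) for p in peer["AllowedIPs"].split(",")]
def route_to(peers, address):
    """Cryptokey routing: longest AllowedIPs prefix wins; None means the packet is dropped."""
    addr, best, best_len = ipaddress.ip_address(address), None, -1
    for peer in peers:
        for net in allowed_networks(peer):
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer["PublicKey"], net.prefixlen
    return best

def duplicate_allowed_ips(peers):
    """wg(8) moves an AllowedIP already owned by another peer to the newer one, so the older peer silently loses that route."""
    owner, dupes = {}, []
    for peer in peers:
        for net in allowed_networks(peer):
            if net in owner and owner[net] != peer["PublicKey"]:
                dupes.append(str(net))
            owner[net] = peer["PublicKey"]
    return dupes
```

Run it against a client config (AllowedIPs = 10.0.0.0/24 for the single server peer) and every VPN address resolves to the hub, while an internet address resolves to nothing, which is exactly why the mobile's internet traffic only moves once 0.0.0.0/0 is added somewhere.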
I cannot comprehend most of that, but I appreciate the level of detail.
reply
haha, I appreciate you appreciating it
If you have any questions, let me know!
reply
the general question of how to set up my own VPN thingy like you so that I can also access my devices when away ^_^
reply
Ah haha, I see
First, you'll need a public IP as a "VPN entrypoint" and some basic Linux knowledge since I only know how to do it using the terminal. I used a VPS for this entrypoint but I think if you can forward a port in your home router you can use a device at home, too.
But I can guide you through it if you want. You can write me on Discord.
reply
I won't be able to set anything like that up soon, but when I can I will keep you in mind.
I'm surprised the EFF didn't mention privacy: public wifi without a login is good for everyone because it makes it harder to trace back web traffic to the individual user initiating it. Normalizing it also makes it easy for people who really need to do something anonymous to actually find an anonymous internet connection.
Similarly, this is why I leave my wifi at home open, without a password. It's also just being a good neighbor: why wouldn't you share your internet in case your neighbor needs it?
reply
Similarly, this is why I leave my wifi at home open, without a password. It's also just being a good neighbor: why wouldn't you share your internet in case your neighbor needs it?
Not sure how the laws in your country are, but here in Germany the owner of the internet connection is responsible for all traffic going through it.
If my neighbor needs it, I'll give him the password or guest access where I can change the password after some time.
reply
Well, Germany hasn't entirely rid itself of fascism...
Dunno what the laws actually are in Canada. But I've been doing this for ~15 years without any issues.
reply
Sounds fine if you know your neighbors, maybe in a suburb where your wifi only reaches the houses next to you. In many places though people don't really know who they are living next to. In a large apartment complex you could have 100s of people within reach of your wifi and have no idea what they might get up to if they have steady access to someone else's connection.
reply
The FUD against using public Wi-Fi is nothing more than counterintel. If you are being careful with your cookies and being careful to only use websites in an anonymous way and make sure your Wi-Fi MAC is randomized each time it connects (some adapters and OSs offer this option), using a public Wi-Fi is much more private than using your home connection with a paid VPN. Excepting zero-day exploits of course, staying on the move with your secured laptop makes it much harder to create a profile of your activity than simply watching your home connection or using entropy correlation on your connection to a paid VPN. As long as you don't accept invalid certificates when connecting to your favorite password, email and storage provider, and you use onion sites for anything that could tie you to your true identity, there's little reason to be concerned about using a public Wi-Fi connection.
reply
There are more attack vectors on public networks than merely HTTP packet sniffing. I think this article is misleading.
Using public networks is risky, and if you don't know what you're doing you can be attacked easily. Using a VPN helps a ton.
reply
if you don't know what you're doing you can be attacked easily
That's the point of the article: With widespread HTTPS adoption, it cannot be done easily.
Please help me to understand why you think so:
What are these easy attack vectors where a VPN helps and which are explicitly about public Wi-Fi usage?
reply
Example: Evil-twin attack launched on an unsuspecting victim on a public network:
  1. Attacker sets up a network with the same SSID as the one you want to connect to.
  2. You are now connected to the bad actor, and he is routing your traffic. He can spoof your DNS, unless you have taken precautions.
  3. You look up 'facebook.com'; he reroutes you to 'faƧebook.com'. He also got his TLS certificate for his domain to look legit.
  4. He serves you a login screen that looks just like the original one. You type in your credentials.
  5. He redirects your request to Facebook, logs you in, and steals your PW in the process.
  6. You never know what hit you.
There are more attacks, man-in-the-middle, DNS spoofing etc.
By using a VPN, the encrypted connection is made from your device to a secure network, and the requests are made from there and sent back to you through a secure channel.
HTTPS might encrypt the content, but it won't save you from spoofed DNS and the like.
it cannot be done easily
It is definitely harder due to HTTPS, but I'd say it is still pretty easy.
I'm hating on the article a little bit, because people are already lazy about security, and things like this give an even more false sense of safety. It's still good that https is used as much as it is now, but it's not a silver bullet.
Also: see the link @cryprocoin posted
reply
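Step 3 of the evil-twin scenario above only works if the victim accepts a lookalike hostname as the real one. The check below is an added illustration (not from the thread) of the defensive side: what the browser and certificate actually see is the IDNA wire name (`xn--...`), and a password manager keyed on the exact origin refuses to fill credentials on anything else. The confusables table is a tiny constructed subset, and the Cyrillic-'с' sample hostname is constructed for the test; real tooling uses the full Unicode confusables table.

```python
import unicodedata

# Constructed, tiny confusables subset for illustration only; real tooling uses the
# much larger Unicode confusables.txt table. Values are Cyrillic letters that look Latin.
CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p"}

def wire_name(hostname):
    """The name that is actually resolved and that the TLS certificate names:
    non-ASCII labels are encoded as punycode ("xn--...")."""
    return hostname.encode("idna").decode("ascii")

def skeleton(hostname):
    """Collapse case, compatibility forms and known homoglyphs so that visually
    similar names map to the same string."""
    folded = unicodedata.normalize("NFKC", hostname).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def check_origin(shown, expected):
    """Mimic a password manager keyed on the exact origin: only the exact ASCII
    wire name matches; otherwise classify why the site is not the expected one."""
    wire = wire_name(shown)
    if wire == expected:
        return {"match": True, "wire": wire, "reason": "exact origin"}
    if skeleton(shown) == skeleton(expected):
        reason = "homoglyph lookalike of " + expected
    elif wire.startswith(expected + "."):
        reason = "subdomain-style lookalike of " + expected
    else:
        reason = "different site"
    return {"match": False, "wire": wire, "reason": reason}
```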