reply on: Why Public Wi-Fi is a Lot Safer Than You Think \ stacker news ~bitcoin

496 sats \ 5 replies \ @ek OP 22 Dec 2022 \ parent \ on: Why Public Wi-Fi is a Lot Safer Than You Think bitcoin

To be honest, I got this idea of running my own VPN because of my dynamic IP issues with my public node: #106641.

I then also created a post on bitcointalk.org where people made me aware of using a VPN with port forwarding to have a static IP: https://bitcointalk.org/index.php?topic=5428788

Then I realized I have been using some weird workarounds using SSH tunnels to access my devices when I am not at home which would be obsolete with a proper VPN setup; the original use case of a VPN.

I am already using Mullvad VPN but as far as I am aware that only hides my IP ~~from my ISP~~ (edit: that was wrong, hides my IP from websites I visit) but does not solve this original use case. Maybe it can, but I wanted to know how this VPN stuff works anyway.

So off I went with Wireguard.

I had to change my VPS because Wireguard seems to only be available since Linux kernel v5.6 and my VPS provider was still using 4.15. Also, no option to upgrade the kernel because of their virtualization method (OS-level virtualization using openvz where kernel is shared). So I created another VPS at linode with full virtualization using kvm. Could even pick Arch Linux as my image :) So even learnt something about virtualization along the way, haha

This home access VPN is already setup. Wasn't that hard. The only part I was struggling with was understanding iptables and making the linode VPS act as a VPN "server" which forwards packets between devices (since it's the only one accessible from the internet). (Server in quotation marks because the Wireguard protocol does not distinguish between client and servers. Everyone is just a peer but can have different configs.)

Essentially, I have these configs:

"server":

[Interface]
ListenPort = 51871
PrivateKey = ***
Address = 10.0.0.1/32
PostUp = /etc/wireguard/helper/add-nat-routing.sh
PostDown = /etc/wireguard/helper/remove-nat-routing.sh

[Peer]
PublicKey = ***
AllowedIPs = 10.0.0.2/32, fdc9:281f:4d7:9ee9::2/128

[Peer]
PublicKey = ***
AllowedIPs = 10.0.0.3/32, fdc9:281f:4d7:9ee9::3/128

[Peer]
PublicKey = ***
AllowedIPs = 10.0.0.25/32, fdc9:281:4d7:9ee9::25/128

The server knows how to route to individual devices in the VPN.

"client":

[Interface]
ListenPort = 51902
PrivateKey = ***
Address = 10.0.0.x/32

[Peer]
PublicKey = ***
AllowedIPs = 10.0.0.0/24, fdc9:281f:4d7:9ee9::1/128
Endpoint = ***:51871
PersistentKeepalive = 30

Clients know only how to reach the server using the static IP as endpoint. So they sent all packets meant for any device in the VPN (10.0.0.0/24) to the server which then forwards the packets to the corresponding peer.

The part about iptables such that the server can forward IP packets is done in the PostUp script:

# /etc/wireguard/helper/add-nat-routing.sh
#!/bin/bash
# Setup IP forwarding rules such that clients can connect to each other.
# Following kernel parameters must be enabled:
# - net.ipv4.ip_forward = 1
# - net.ipv6.conf.all.forwarding=1
# See https://wiki.archlinux.org/title/WireGuard#Server_configuration
# and https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/

# 1. Setup NAT firewall rules
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o wg0 -j MASQUERADE

# 2. Accept all traffic created by wg0 interface
iptables -A INPUT -i wg0 -j ACCEPT

# 3. Forward packets from wg0 to wg0
iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT

Currently trying to figure out how to route all internet traffic of my mobile first to a device at home. Could only get this to work by routing all internet traffic to the VPS. But I don't want to use the connection of my VPS for my mobile usage since it's metered. Want to use my unlimited home internet connection.

Not sure if you wanted it this detailed but that's my progress so far haha

51 sats \ 4 replies \ @premitive1 22 Dec 2022

I cannot comprehend most of that, but I appreciate the level of detail.

0 sats \ 3 replies \ @ek OP 22 Dec 2022

haha, I appreciate you appreciating it

If you have any questions, let me know!

12 sats \ 2 replies \ @premitive1 22 Dec 2022

the general question of how to set up my own VPN thingy like you so that I can also access my devices when away ^_^

91 sats \ 1 reply \ @ek OP 22 Dec 2022

Ah haha, I see

First, you'll need a public IP as a "VPN entrypoint" and some basic linux knowledge since I only know how to do it using the terminal. I used a VPS for this entrypoint but I think if you can forward a port in your home router you can use a device at home, too.

But I can guide you through it if you want. You can write me on Discord.

24 sats \ 0 replies \ @premitive1 22 Dec 2022

I won't be able to set anything like that up soon, but when I can I will keep you in mind.