VPN on phone

whys

I have always wanted to set up my own VPN for privacy reasons. It’s a long overdue personal project.

Staying in a hotel, their wifi is way too slow, so I have been relying on my phone tether for internet access. Interestingly, the phone hotspot blocked connections to Steam, so I couldn’t update some of my games. Hence, a VPN seems like a good choice.

wireguard

I came across wireguard while researching OpenVPN. It’s an up-and-coming VPN which is advertised as faster and simpler than OpenVPN. I’m feeling adventurous so sure, why not.

how

server

I utilise my ovh vps to run the VPN. I did run into a problem where I couldn’t redirect IPv6 traffic through my server. It turned out that ovh hadn’t set up IPv6 by default. At least their guide is easy and I got IPv6 working in no time.

install wireguard

The package isn’t in the Ubuntu repo, so I need to add its ppa.

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard

allow forwarding traffic

In /etc/sysctl.conf, uncomment net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1. Then run the command sudo sysctl -p.

open port

# any unused port; WireGuard only speaks UDP, so open just that
sudo ufw allow 12345/udp

generate keys

Create a private key and its matching public key as two files readable only by root:

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

config

#/etc/wireguard/wg0.conf
[Interface]
# tunnel addresses of this interface; each peer gets its own
Address = 192.168.2.1/32, fd86:ea04:1115::1/128
# forward traffic arriving on wg0 and NAT it out of the server's uplink.
# <wan interface> is a placeholder for the server's public interface (e.g. eth0).
# The peers use ULA IPv6 addresses (fd86::/16), so IPv6 needs the same rules via ip6tables.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <wan interface> -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o <wan interface> -j MASQUERADE
# remove the same rules when wireguard stops
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <wan interface> -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o <wan interface> -j MASQUERADE
# port wireguard listens on (the one opened in ufw above)
ListenPort = 12345
PrivateKey = <server privatekey>
# writes the running config back to this file on `wg-quick down`,
# so edit the file only while wg0 is down (or add peers live with `wg set`)
SaveConfig = true

client

Install wireguard and generate keys following the same steps as on the server. Below is my client config:

#/etc/wireguard/wg0-client.conf
[Interface]
Address = 192.168.2.2/32, fd86:ea04:1115::2/128
PrivateKey = <client privatekey>

[Peer]
PublicKey = <server publickey>
# route all IPv4 and IPv6 traffic through the tunnel (full tunnel)
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server ip>:12345
PersistentKeepalive = 25

Now, append the client as a peer to the server’s /etc/wireguard/wg0.conf:

[Peer]
PublicKey = <client publickey>
AllowedIPs = 192.168.2.2/32, fd86:ea04:1115::2/128
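Pairing the two files by hand is easy to get wrong (the client’s Address must sit inside the server’s AllowedIPs for that peer, and a full tunnel needs a default route for every address family the client uses). This is an added checker of my own, not code from the post or from WireGuard; the sample configs mirror the ones above with placeholder keys and a documentation IP as the endpoint.

```python
import ipaddress

def parse_wg(text):
    # wg-quick configs may repeat [Peer], so keep a list of (name, dict), not a dict.
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif line:  # base64 keys end in '=', so split on the first '=' only
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def nets(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]

def check_pair(server_conf, client_conf):
    """Return the problems found; an empty list means the two configs agree."""
    srv, cli = parse_wg(server_conf), parse_wg(client_conf)
    cli_iface = next(d for n, d in cli if n == "Interface")
    cli_peer = next(d for n, d in cli if n == "Peer")
    server_allowed = [n for name, d in srv if name == "Peer" for n in nets(d["AllowedIPs"])]
    cli_allowed = nets(cli_peer["AllowedIPs"])
    problems = []
    for addr in nets(cli_iface["Address"]):
        # The server only routes to this client through a [Peer] whose AllowedIPs cover it.
        if not any(addr.subnet_of(n) for n in server_allowed if n.version == addr.version):
            problems.append(f"server has no [Peer] AllowedIPs covering {addr}")
        # Full tunnel needs a default route per address family, else that family bypasses the VPN.
        if not any(n.prefixlen == 0 and n.version == addr.version for n in cli_allowed):
            problems.append(f"client has no IPv{addr.version} default route in AllowedIPs")
    return problems

# Constructed samples mirroring the post; keys are placeholders, not real WireGuard keys.
SERVER = """[Interface]
Address = 192.168.2.1/32, fd86:ea04:1115::1/128
ListenPort = 12345
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.2.2/32, fd86:ea04:1115::2/128
"""
CLIENT = """[Interface]
Address = 192.168.2.2/32, fd86:ea04:1115::2/128
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:12345
"""
CLIENT_V4_ONLY = CLIENT.replace("0.0.0.0/0, ::/0", "0.0.0.0/0")  # IPv6 would bypass the tunnel
```

`check_pair(SERVER, CLIENT)` returns an empty list, while `check_pair(SERVER, CLIENT_V4_ONLY)` reports the missing IPv6 default route.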

run

# server
sudo wg-quick up wg0
# client
sudo wg-quick up wg0-client

If everything is working fine, sudo wg will show a recent handshake for the peer.

To auto start wireguard on boot, run sudo systemctl enable wg-quick@wg0 on the server.

phone

qrencode -t ansiutf8 < wg0-client.conf renders the config as a QR code in the terminal, which the phone app can scan to import it. The QR code contains the client private key, so treat it like the key file itself. I also installed an app to share the VPN with other devices.

testing

I tested the connection with https://test-ipv6.com/; everything works fine with the laptop client. But on the phone, my real IPv6 address showed up on the website. At the moment, I’m unsure how to fix it.

Since I use my phone for tethering, I could block IPv6 on the laptop and no website would be able to tell my real IP. So leaking IPv6 is not really a major concern for now.