Wireguard VPN
This was my manual setup for Wireguard before wg-easy existed.
IPv6
I used my OVH VPS to run the VPN. I did run into a problem where I couldn't redirect IPv6 traffic through my server. It turned out that OVH hadn't set up IPv6 by default.
For Ubuntu 18.04, netplan was used by default, so I needed to modify /etc/netplan/50-cloud-init.yaml.
network:
    version: 2
    ethernets:
        ens3:
            dhcp4: true
            match:
                macaddress: {{ server_mac }}
            set-name: ens3
            addresses:
                - {{ server_ipv6 }}/64
            gateway6: {{ server_gateway }}
Install
The package isn't in the Ubuntu repo, so I need to add its PPA.
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard
Allow forwarding traffic
In /etc/sysctl.conf, uncomment net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1. Then run sudo sysctl -p.
Open port in firewall
# a random closed port
sudo ufw allow 12345
Generate Keys
Create the private key and public key files, readable only by root:
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
Server config
#/etc/wireguard/wg0.conf
[Interface]
# ip used to identify between different peers
Address = 192.168.2.1/32, fd86:ea04:1115::1/128
# iptable config to redirect all traffic
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -$
# delete iptable config when wireguard stops
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING$
# port wireguard running on
ListenPort = 12345
PrivateKey = <server privatekey>
SaveConfig = true
Client config
Install WireGuard and generate keys following exactly the same steps as on the server. Below is my WireGuard config on the client:
#/etc/wireguard/wg0-client.conf
[Interface]
Address = 192.168.2.2/32, fd86:ea04:1115::2/128
PrivateKey = <client privatekey>
[Peer]
PublicKey = <server publickey>
# route all IPv4 and IPv6 traffic through the tunnel
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server ip>:12345
PersistentKeepalive = 25
Now, append to the server's /etc/wireguard/wg0.conf:
[Peer]
PublicKey = <client publickey>
AllowedIPs = 192.168.2.2/32, fd86:ea04:1115::2/128
Start VPN
# server
sudo wg-quick up wg0
# client
sudo wg-quick up wg0-client
# show handshake
sudo wg
To auto start WireGuard on boot, run systemctl enable wg-quick@wg0 on the server.
Phone config
qrencode -t ansiutf8 < wg0-client.conf
creates a QR code to import the config into the WireGuard mobile app.
I also installed the VPN Hotspot app to share the VPN with other devices.
Testing
I tested the connection with https://test-ipv6.com; everything worked fine with the laptop client. But on the phone, my real IPv6 address showed up on the website. At the moment, I'm unsure how to fix it.
Since I used my phone for tethering, I blocked IPv6 on the laptop, and no website would be able to tell my real IP.
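The setup steps above (generate keys, write the server and client configs, append the client [Peer] stanza, enable forwarding) and the IPv6 test in this last section, as an added shell example that is not the author's own script. It packages the page's recipe as functions and adds two checks a practitioner would run before testing for leaks: that every AllowedIPs line in the client config covers ::/0 (wg-quick only routes the prefixes listed there, so a client with 0.0.0.0/0 alone keeps using its native IPv6 route), and that both forwarding sysctls on the server read 1. The tunnel addresses and port 12345 are the page's; the placeholder keys, the 203.0.113.10 endpoint and the offline sysctl tree used for testing are constructed. The truncated iptables PostUp/PostDown lines are not reproduced.

```shell
#!/bin/sh
# Added example, not the author's own script: the page's key, config and peer
# steps as shell functions, plus two checks that the setup is complete on the
# config and kernel side. The tunnel addresses and port 12345 come from the
# page; the PLACEHOLDER keys and the example endpoint below are constructed.

# "Generate Keys" step: write privatekey/publickey into directory $1 with
# umask 077 so only root can read them. Needs the wg tool on the host.
gen_keypair() {
    ( umask 077 && cd "$1" && wg genkey | tee privatekey | wg pubkey > publickey )
}

# Server [Interface] section. $1 = server private key, $2 = listen port.
# The iptables PostUp/PostDown lines are truncated on the page, so they are
# left out here; keep the page's own lines when writing the real wg0.conf.
server_conf() {
    printf '[Interface]\n'
    printf 'Address = 192.168.2.1/32, fd86:ea04:1115::1/128\n'
    printf 'ListenPort = %s\n' "$2"
    printf 'PrivateKey = %s\n' "$1"
    printf 'SaveConfig = true\n'
}

# Client wg0-client.conf. $1 = client private key, $2 = server public key,
# $3 = server endpoint address, $4 = server port. AllowedIPs covers both
# address families so all client traffic goes through the tunnel.
client_conf() {
    printf '[Interface]\n'
    printf 'Address = 192.168.2.2/32, fd86:ea04:1115::2/128\n'
    printf 'PrivateKey = %s\n\n' "$1"
    printf '[Peer]\n'
    printf 'PublicKey = %s\n' "$2"
    printf 'AllowedIPs = 0.0.0.0/0, ::/0\n'
    printf 'Endpoint = %s:%s\n' "$3" "$4"
    printf 'PersistentKeepalive = 25\n'
}

# [Peer] stanza appended to the server's wg0.conf for one client.
# $1 = client public key. AllowedIPs here is only the client's own tunnel
# address: the server accepts packets from this key for that address only.
server_peer_stanza() {
    printf '\n[Peer]\n'
    printf 'PublicKey = %s\n' "$1"
    printf 'AllowedIPs = 192.168.2.2/32, fd86:ea04:1115::2/128\n'
}

# Config-side check for the IPv6 test: a client only sends IPv6 into the
# tunnel when AllowedIPs covers ::/0. Reads a config on stdin and returns 0
# when every AllowedIPs line contains ::/0 (a client with 0.0.0.0/0 alone
# keeps using its native IPv6 route).
client_routes_all_ipv6() {
    awk -F'=' '
        /^[ \t]*AllowedIPs[ \t]*=/ {
            n++
            if ($2 ~ /(^|[ ,])::\/0([ ,]|$)/) ok++
        }
        END { if (n > 0 && ok == n) exit 0; exit 1 }'
}

# Kernel-side check for the "Allow forwarding traffic" step: both sysctls
# must read 1 or the server will not relay peer traffic. $1 = path prefix,
# default /proc/sys; pass a copied directory tree to test it offline.
forwarding_enabled() {
    p="${1:-/proc/sys}"
    [ "$(cat "$p/net/ipv4/ip_forward" 2>/dev/null)" = 1 ] &&
    [ "$(cat "$p/net/ipv6/conf/all/forwarding" 2>/dev/null)" = 1 ]
}

# Demonstration with constructed placeholder keys and endpoint (not real values).
SERVER_PRIV='SERVER_PRIVATE_KEY_PLACEHOLDER'
SERVER_PUB='SERVER_PUBLIC_KEY_PLACEHOLDER'
CLIENT_PRIV='CLIENT_PRIVATE_KEY_PLACEHOLDER'
CLIENT_PUB='CLIENT_PUBLIC_KEY_PLACEHOLDER'
echo '# /etc/wireguard/wg0.conf (server)'
server_conf "$SERVER_PRIV" 12345
server_peer_stanza "$CLIENT_PUB"
echo
echo '# /etc/wireguard/wg0-client.conf (client)'
client_conf "$CLIENT_PRIV" "$SERVER_PUB" 203.0.113.10 12345
```

One caveat worth knowing when appending the [Peer] stanza by hand: with SaveConfig = true, wg-quick rewrites wg0.conf from the interface's runtime state when the interface goes down, so edits made to the file while wg0 is up are lost at the next wg-quick down; either bring the interface down first, or add the peer live with wg set and let SaveConfig persist it.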