pull down to refresh

To be honest, I got this idea of running my own VPN because of my dynamic IP issues with my public node: #106641.
I then also created a post on bitcointalk.org where people made me aware of using a VPN with port forwarding to have a static IP: https://bitcointalk.org/index.php?topic=5428788
Then I realized I have been using some weird workarounds using SSH tunnels to access my devices when I am not at home which would be obsolete with a proper VPN setup; the original use case of a VPN.
I am already using Mullvad VPN but as far as I am aware that only hides my IP from my ISP (edit: that was wrong, hides my IP from websites I visit) but does not solve this original use case. Maybe it can, but I wanted to know how this VPN stuff works anyway.
So off I went with Wireguard.
I had to change my VPS because Wireguard seems to only be available since Linux kernel v5.6 and my VPS provider was still using 4.15. Also, no option to upgrade the kernel because of their virtualization method (OS-level virtualization using openvz where kernel is shared). So I created another VPS at linode with full virtualization using kvm. Could even pick Arch Linux as my image :) So even learnt something about virtualization along the way, haha
This home access VPN is already setup. Wasn't that hard. The only part I was struggling with was understanding iptables and making the linode VPS act as a VPN "server" which forwards packets between devices (since it's the only one accessible from the internet). (Server in quotation marks because the Wireguard protocol does not distinguish between client and servers. Everyone is just a peer but can have different configs.)
Essentially, I have these configs:
"server":
[Interface] ListenPort = 51871 PrivateKey = *** Address = 10.0.0.1/32 PostUp = /etc/wireguard/helper/add-nat-routing.sh PostDown = /etc/wireguard/helper/remove-nat-routing.sh [Peer] PublicKey = *** AllowedIPs = 10.0.0.2/32, fdc9:281f:4d7:9ee9::2/128 [Peer] PublicKey = *** AllowedIPs = 10.0.0.3/32, fdc9:281f:4d7:9ee9::3/128 [Peer] PublicKey = *** AllowedIPs = 10.0.0.25/32, fdc9:281:4d7:9ee9::25/128
The server knows how to route to individual devices in the VPN.
"client":
[Interface] ListenPort = 51902 PrivateKey = *** Address = 10.0.0.x/32 [Peer] PublicKey = *** AllowedIPs = 10.0.0.0/24, fdc9:281f:4d7:9ee9::1/128 Endpoint = ***:51871 PersistentKeepalive = 30
Clients know only how to reach the server using the static IP as endpoint. So they sent all packets meant for any device in the VPN (10.0.0.0/24) to the server which then forwards the packets to the corresponding peer.
The part about iptables such that the server can forward IP packets is done in the PostUp script:
# /etc/wireguard/helper/add-nat-routing.sh #!/bin/bash # Setup IP forwarding rules such that clients can connect to each other. # Following kernel parameters must be enabled: # - net.ipv4.ip_forward = 1 # - net.ipv6.conf.all.forwarding=1 # See https://wiki.archlinux.org/title/WireGuard#Server_configuration # and https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/ # 1. Setup NAT firewall rules iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o wg0 -j MASQUERADE # 2. Accept all traffic created by wg0 interface iptables -A INPUT -i wg0 -j ACCEPT # 3. Forward packets from wg0 to wg0 iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
Currently trying to figure out how to route all internet traffic of my mobile first to a device at home. Could only get this to work by routing all internet traffic to the VPS. But I don't want to use the connection of my VPS for my mobile usage since it's metered. Want to use my unlimited home internet connection.
Not sure if you wanted it this detailed but that's my progress so far haha
I cannot comprehend most of that, but I appreciate the level of detail.
reply
haha, I appreciate you appreciating it
If you have any questions, let me know!
reply
the general question of how to set up my own VPN thingy like you so that I can also access my devices when away ^_^
reply
Ah haha, I see
First, you'll need a public IP as a "VPN entrypoint" and some basic linux knowledge since I only know how to do it using the terminal. I used a VPS for this entrypoint but I think if you can forward a port in your home router you can use a device at home, too.
But I can guide you through it if you want. You can write me on Discord.
reply
I won't be able to set anything like that up soon, but when I can I will keep you in mind.
reply