
Setting up a home VPN server with WireGuard - mikl
https://mikkel.hoegh.org/2019/11/01/home-vpn-server-wireguard
======
jeroenhd
Haven't seen it mentioned here yet, so this might be useful to someone getting
into WireGuard:

[https://github.com/subspacecloud/subspace](https://github.com/subspacecloud/subspace)

This is a tool that helps you generate and manage configurations for
WireGuard, generate qr code for configuring mobile devices and it even
integrates into SAML for authentication.

It's not as fancy as some other VPN management tools but this is an easy way
to get WireGuard set up without too much messing with configs

~~~
johntash
Thanks for linking this, I hadn't heard of subspace before.

Does it handle IP assignment/configuration as well?

~~~
nemosaltat
That’s the real question.

I wrote a little script that creates the configuration files, and shows a QR
code in the terminal to easily add new clients.

The problem I ran into is dynamic IP allocation, without extra logging, or
storing the client config files after they’ve been distributed. If I want to
avoid assigning a used IP, I need to know what I’ve already given out.

I mocked up a few things then decided the perfect was becoming the enemy of
the good. Since I’ll only ever have a few peers, I ultimately just decided to
randomize the 4th octet each time I create a new client config. Obviously,
this opens me up to a potential conflict in the future (prayers to St. YAGNI
for benevolence).

I suppose I could/should be pre-generating all the configs, handing one out at
random, then deleting it.

~~~
judge2020
This script[0] gets that part right by having a `lastip` file containing the
latest assigned IP, so the script counts up for new clients. You can add a
line for qrencode to the end to get the QR[1].

0:
[https://gist.github.com/Belphemur/b014a11f9ae6c20203276f214e...](https://gist.github.com/Belphemur/b014a11f9ae6c20203276f214e9e7d94)

1:
[https://gist.github.com/judge2020/e9631be086ea105005614c70a8...](https://gist.github.com/judge2020/e9631be086ea105005614c70a8999937#file-generate-client-sh-L56)

~~~
nemosaltat
Thank you!! This is very close to what I’m doing.
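
The allocation problem nemosaltat and judge2020 work through above, as an added example (not code from either linked gist or from Høgh's post): keep the assigned addresses in a small state file and hand out the lowest free host, so a removed peer's address is reclaimed and a duplicate can never be issued, which a random fourth octet or a bare `lastip` counter does not guarantee. The tunnel subnet 10.0.0.0/24, the server address 10.0.0.1, the state file name and the placeholder key strings are assumptions.

```python
"""Hand out WireGuard peer addresses from a persistent allocation table.

Added example; not code from the gists linked above. The subnet, the server
address and the placeholder keys are assumptions.
"""
import ipaddress
import json
from pathlib import Path

SUBNET = ipaddress.ip_network("10.0.0.0/24")        # tunnel subnet (assumed)
SERVER_ADDRESS = ipaddress.ip_address("10.0.0.1")   # server's tunnel address (assumed)


def load_state(path: Path) -> dict:
    """Allocation table: peer name -> assigned address. No file means no peers yet."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_state(path: Path, state: dict) -> None:
    path.write_text(json.dumps(state, indent=2, sort_keys=True))


def next_free_address(state: dict, subnet=SUBNET, reserved=(SERVER_ADDRESS,)):
    """Lowest host address that is neither reserved nor already assigned.

    A plain 'last IP' counter only grows; walking the subnet against the
    table also reclaims the addresses of peers that were removed.
    """
    used = {ipaddress.ip_address(a) for a in state.values()} | set(reserved)
    for host in subnet.hosts():
        if host not in used:
            return host
    raise RuntimeError(f"no free addresses left in {subnet}")


def allocate(state: dict, name: str):
    """Assign an address to a new peer and record it; refuse duplicate names."""
    if name in state:
        raise ValueError(f"peer {name!r} already has {state[name]}")
    addr = next_free_address(state)
    state[name] = str(addr)
    return addr


def release(state: dict, name: str):
    """Remove a peer so its address can be reused; returns the freed address or None."""
    return state.pop(name, None)


def client_config(addr, client_private_key, server_public_key, endpoint,
                  dns="1.1.1.1"):
    """wg-quick client config; the key arguments are placeholders, not real keys."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {client_private_key}",
        f"Address = {addr}/32",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
        f"Endpoint = {endpoint}",
        "AllowedIPs = 0.0.0.0/0",
        "PersistentKeepalive = 25",
        "",
    ])


def server_peer_stanza(addr, client_public_key):
    """The matching [Peer] block to append to the server's wg0.conf."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {client_public_key}",
        f"AllowedIPs = {addr}/32",
        "",
    ])


if __name__ == "__main__":
    state_file = Path("wg-allocations.json")   # state file name is assumed
    table = load_state(state_file)
    new_addr = allocate(table, "phone")
    save_state(state_file, table)
    # Real keys come from `wg genkey` / `wg pubkey`; placeholders here.
    print(client_config(new_addr, "<client-private-key>", "<server-public-key>",
                        "vpn.example.org:51820"))
```

The printed config can be piped into `qrencode -t ansiutf8` for the terminal QR code judge2020 mentions; the state file is the only thing that has to survive after the client config has been handed out and deleted.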

------
valkum
Hosting my Wireguard server on a scaleway instance, I encountered a very slow
performance. Some web pages didn't load at all. Server was under no load.
Lowering the MTU on the client and the server from 1500 to 1360 solved the
problem. FYI

~~~
AlexandrB
Sounds like IP fragmentation. This is pretty normal with any VPN or tunnelling
protocol unless the MTU is set correctly.

[1]
[https://en.wikipedia.org/wiki/IP_fragmentation](https://en.wikipedia.org/wiki/IP_fragmentation)

~~~
wahern
It's worse with VPNs like Wireguard because Wireguard only supports tunneling
(e.g. IP in IP), which when you add the authentication header means a minimum
of 3x the overhead of a regular connection, whereas IPSec encapsulation
without tunneling only requires 2x the overhead (just the additional
authentication header). Worse, Wireguard also requires UDP encapsulation (i.e.
IP inside UDP+IP), which means 4x the overhead.

To be fair, IPSec tunneling is quite common (unsure if it's the predominant
mode) because tunneling makes routing easier. And for road warrior setups
where the peer is often behind a NAT gateway, IPSec VPNs will also tend to use
UDP. In such cases there's no advantage to IPSec.
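
The arithmetic behind valkum's MTU fix and the encapsulation overhead wahern describes, as an added example (not from Høgh's post or from anyone in the thread): every inner packet gains the outer IP header, the UDP header, the 16-byte WireGuard data-message header (type, receiver index, counter) and the 16-byte Poly1305 tag, and the plaintext is padded to a multiple of 16 bytes but never beyond the interface MTU. The path MTU values are inputs and the function names are my own.

```python
"""Tunnel MTU and outer packet size for WireGuard encapsulation.

Added example for the MTU discussion above; header sizes follow the
WireGuard data-message layout, the rest is plain arithmetic.
"""
IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
WG_DATA_HEADER = 4 + 4 + 8   # message type, receiver index, nonce counter
POLY1305_TAG = 16            # authentication tag on every encrypted packet
PADDING_MULTIPLE = 16        # plaintext is padded to this before encryption


def wireguard_overhead(outer_ipv6: bool = False) -> int:
    """Bytes added to every inner packet by the outer headers and the AEAD tag."""
    outer_ip = IPV6_HEADER if outer_ipv6 else IPV4_HEADER
    return outer_ip + UDP_HEADER + WG_DATA_HEADER + POLY1305_TAG


def tunnel_mtu(path_mtu: int, outer_ipv6: bool = False) -> int:
    """Largest inner packet whose encapsulation still fits one outer packet."""
    return path_mtu - wireguard_overhead(outer_ipv6)


def padded_length(inner_len: int, mtu: int) -> int:
    """Pad to a multiple of 16, but never past the interface MTU."""
    aligned = -(-inner_len // PADDING_MULTIPLE) * PADDING_MULTIPLE
    return min(mtu, aligned)


def outer_packet_size(inner_len: int, mtu: int, outer_ipv6: bool = False) -> int:
    """Size of the UDP/IP datagram carrying an inner packet of inner_len bytes."""
    return wireguard_overhead(outer_ipv6) + padded_length(inner_len, mtu)


def will_fragment(inner_len: int, mtu: int, path_mtu: int,
                  outer_ipv6: bool = False) -> bool:
    """True if the outer packet exceeds the path MTU and must be fragmented
    (or is dropped when the Don't Fragment bit is set)."""
    return outer_packet_size(inner_len, mtu, outer_ipv6) > path_mtu


if __name__ == "__main__":
    # Interface MTUs from the thread: the 1500 default and valkum's 1360.
    for mtu in (1500, 1440, 1420, 1360):
        print(f"interface MTU {mtu}: a full-size inner packet becomes "
              f"{outer_packet_size(mtu, mtu)} bytes over IPv4, "
              f"{outer_packet_size(mtu, mtu, outer_ipv6=True)} over IPv6")
```

With the interface left at 1500, a full-size inner packet becomes a 1560-byte outer packet and has to fragment on a 1500-byte path, which is the slow-page symptom above; with valkum's 1360 the outer packet is at most 1440 bytes over IPv4, so it also survives a path whose MTU is somewhat below 1500. wg-quick's default of 1420 is the IPv6 worst case, 1500 minus 80.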

~~~
Avamander
IPSec is just usually an abysmal inane thing to set up, with defaults from the
90s and an extra bonus of error messages and documentation that just make you
cuss. I don't recommend IPSec to anyone; whatever it offers, after you spend all
the time making sure your configuration is good, it is really not worth it if you
can do Wireguard or even OpenVPN. Ugh, I'm annoyed just thinking about it
again.

~~~
izacus
The best part is when you find out your phone supports set of parameters A,
your tablet set of parameters B and your MacBook set of parameters C.... and
there's no intersection between sets.

------
whalesalad
Cool to see this done by hand. I’m running IPSec on my Edgerouter but am about
to redo my home network and lab environment and will likely implement
WireGuard.

There’s also a more plug-n-play tool called Algo that is highly spoken of,
which automates a lot of this:
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
TimTheTinker
Algo is pretty cool for setting up an IKEv2 VPN server, but under the hood it
uses StrongSwan, which is far more complicated in a code/engineering sense
than WireGuard.

That being said, I think Algo is often preferable to OpenVPN and IPSec,
especially when supporting macOS/iOS clients.

~~~
smhenderson
I know what you mean when it comes to OpenVPN and macOS. But any insight on
why you'd prefer Algo over OpenVPN? I've been using the latter for years but
would be interested in revisiting that if there are compelling reasons to do
so.

~~~
gesman
I think Algo is just a setup script, not a VPN itself?

------
vsviridov
I use wireguard for personal VPN on multiple servers, and to make things a bit
easier for provisioning I wrote this simple tool:
[https://gitlab.com/vsviridov/wg-provision](https://gitlab.com/vsviridov/wg-provision)

------
Grollicus
I'm running WG for some time and it works really well. Was super easy to set
up - I did it in like 1-2hrs during a hacker conference last year, so even
with blinking led lights all around it was very straightforward.

On the other hand I've yet to achieve sane battery lifetimes on my smartphone
with a VPN active. I suspect it's because the VPN needs to reconnect whenever
one of my messengers checks for new messages, or similar background services.
Anyone have experience how to improve that?

~~~
ignoramous
I think it's the encryption overhead that burns the CPU cycles in turn
affecting battery life. Other than that, it could be a bug (not releasing
wakelocks, or waking up too frequently, or generally doing too many battery
intensive tasks) in the VPN client that drains battery.

I think, on Android at least, IPSec is implemented in kernel space so technically a
VPN based on that should be more efficient. Wireguard is being upstreamed into
Linux, so there's a chance Android picks it up and the efficiency improves.

~~~
wahern
IPSec tends to use AES, which can be 2x to 4x more performant than ChaCha20
thanks to hardware acceleration. And the power savings may be even greater
than the throughput differences.

~~~
microcolonel
Should be added that this is highly dependent on the specific hardware. AES is
cripplingly slow where accelerators are misconfigured or otherwise
unavailable.

If you have a brain larger than your leg, you should consider configuring an
IPSec endpoint to save power on your phone.

------
CubicsRube
Maybe a dumb question, but does anyone set up their VPN server in the cloud?
Could the cheapest droplet on DigitalOcean [0] handle traffic for browsing or
youtube?

[0] [https://www.digitalocean.com/pricing/#standard-compute-trigg...](https://www.digitalocean.com/pricing/#standard-compute-trigger)

~~~
arriu
Tried this, you will encounter a ton of sites that assume you are a bot. You
will find it annoying to browse quite a few sites. Some will outright refuse
to work.

~~~
1996
Get an ASN, get some IP space, and the issue is no longer a problem.

~~~
probst
How does one go about doing that? Getting an ASN I mean?

Edit: did some reading [1]. Clearly it's not easy to get an ASN. Not something
a private person would do.

1: [https://www.apnic.net/get-ip/faqs/asn/](https://www.apnic.net/get-ip/faqs/asn/)

~~~
gsich
It can be done.

------
jedisct1
Unfortunately, Wireguard will not work if you are not on a network where only
TCP ports 80 and 443 are open.

For these, you can try DSVPN, which is even easier than Wireguard to set up:
[https://github.com/jedisct1/dsvpn](https://github.com/jedisct1/dsvpn)

~~~
Youden
Or you can run UDP over TCP with a tool like this one:
[https://github.com/wangyu-/udp2raw-tunnel](https://github.com/wangyu-/udp2raw-tunnel)

~~~
kazen44
udp over tcp seems like a terrible idea in terms of performance.

Heck, running a VPN tunnel over TCP itself is already weird, considering the
protocols inside the tunnel handle dropped packets if they need to.

It would just result in more inefficiency, a smaller mss/mtu and less
throughput.

------
yeswecatan
I've been curious about VPNs for some time but unfortunately am still confused
by the following questions:

- my ISP can still see all of my traffic because my RPi would talk to my
router which has to exit my network at some point, right?

- if I was on the East coast and wanted, say, YoutubeTV to believe I was on
the West coast I would need to have my client (laptop, would be cool if I
could get my Roku or TV to do this) pointed to my RPi on the other coast. Is
that how it works?

~~~
judge2020
1. Yes, other than other things that are self-encrypted eg. HTTPS. You would
need to host the VPN somewhere else (eg. Cloud hosting, but that brings issues
with many sites having blacklisted your IP range) if you still don't trust
your ISP. I imagine this VPN solution is primarily for keeping your home
connection's IP address while on a mobile network, or where you're on public
wifi and really don't trust the network operator.

2. Yes, but be wary about actually doing this; I can't find any cases but
YouTube TV (or the Google session security system itself) might get suspicious
about constantly jumping between the east and west coast.

------
heyoni
Anyone know roughly where to look for in terms of potential bottlenecks? I’m
running my server on an rpi4 and sometimes feel like I’m not getting great
speeds to my home VPN server. I did do my due diligence by wiring it directly
through Ethernet but I suspect my router (google WiFi) may be slowing things
down.

~~~
irq
Does your rpi4 have proper cooling? Unlike all past rpis, the stock cooling on
the rpi4 is easily overwhelmed by even slight load, and it drastically slows
down in that situation.

~~~
heyoni
I put on an aluminum case for passive cooling and now it runs around 48
celsius as opposed to 70+ before. That should be good right?

~~~
irq
Does the case make direct metal to metal contact with all 3 major heat
producing chips on the rpi4? IIRC, the chip related to ethernet gets very,
very hot in use and not all metal rpi4 cases actually make contact with it.

~~~
heyoni
It's this case here I've got: [https://flirc.tv/more/raspberry-pi-4-case](https://flirc.tv/more/raspberry-pi-4-case)

It looks like it does...maybe I should stick my finger in there. I should
probably monitor my CPU history a bit better, I'm just relying on pihole's
panel at the moment.

------
desdiv
I've been using WireGuard for years and it's been great, now I'm looking into
some advanced resilient/redundant setups and was wondering whether it's
possible or not with WireGuard:

1. I have two unreliable ISP links to the internet. Is it possible to have
dual redundancy WireGuard connections to the same server? I.e. each UDP packet
is replicated (with the appropriate headers) and a copy sent over each link.

2. My ISP links have heavy throttling at peak hours with heavy packet losses.
Is it possible to trade bandwidth for reliability and send each UDP packet
twice (with the appropriate headers)? I don't mind halving my maximum
theoretical bandwidth; I'd rather have a 1Mb/s reliable connection than a
10Mb/s unreliable connection.

------
ptsneves
I set up a lightsail instance for 3 dollars with algo. The only configuration
in algo I made was that I disabled peer isolation so I can control my home and
server appliances from anywhere. No problem whatsoever with blocked sites. The
only weird thing is that I get American YouTube which has quite longer ads.
Also it's kind of funny to see ads from the USA. I am an emigrant in Poland
and funnily I sometimes tune the portuguese online radio to hear the
portuguese ads.

~~~
awzeemo
Same! If you're trying to tinker with security stuff Høgh makes a great post,
but for anything else Algo is the way to go.

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

------
xbhdhdhd
I've attempted to set up OpenVPN a few times and ended up giving up. Anyone know
if there has been an effort to help non-networking experts deploy it?

~~~
bananaeater
For use on a VPS with an external IP, I've had success with this
[https://github.com/Nyr/openvpn-install](https://github.com/Nyr/openvpn-install)

For use to connect to home network drives, I've used ZeroTier
[https://www.zerotier.com/](https://www.zerotier.com/). I've never had an
external IP for home internet, so I always ran into headaches trying to do a
home VPN to channel my internet traffic while I'm out and about (and that's
why I use a VPN on a VPS for that).

~~~
SturgeonsLaw
Seconding this recommendation - I've used Nyr's script to deploy OpenVPN a
couple of times and it's worked well.

I can also recommend OpenVPN's virtual appliances:
[https://openvpn.net/virtual-appliances/](https://openvpn.net/virtual-appliances/) They work out-of-the-box and come with a web UI for
configuration, if that's your thing.

That said, I've moved on to Wireguard lately and will be unlikely to use
OpenVPN for personal VPN networks in the future.

------
dmos62
To hijack the thread a bit, what's your favorite way of accessing your home
server that's behind a NAT (and you can't port-forward)?

~~~
krazykringle
Zerotier (mentioned below) is perfect for this!

To expand a little bit: it provides an (almost) zero-configuration way to set
up a private 'layer 2' network that you can connect your home server to, and
any other machines that you want to be able to connect to it or to each other.
It handles NAT traversal completely transparently.

In practice, it means that if I have a (say) NFS server connected to a
Zerotier network I control, I can connect to it transparently from anywhere
from another machine on that network, no matter what NATs / firewalls either
machine is behind, even if they change. Perfect for phones, roving laptops,
etc. I've gone to a model where I do most of my development (over mosh/tmux)
on my home machine, from wherever I happen to be.

No home firewall configuration needed at all.

~~~
finchisko
Maybe because it's not open source, only free for personal use?

~~~
politelemon
According to their pricing page,

> ZeroTier’s software is open source and free to use for most purposes
> including personal use, internal use within a business or academic
> institution, and evaluation for uses that require commercial licensing.

I was able to find this:
[https://github.com/zerotier/ZeroTierOne](https://github.com/zerotier/ZeroTierOne)

~~~
mcfedr
That sentence is a contradiction, it's either open source or requires a
commercial license, cannot be both.

------
tgtweak
Just use softether - free, simple, open source, fast and secure. Best of all
it runs on almost any platform you could want to run it on (both server and
client!)

You can even bounce off or azure to set up the tunnel when your vpn server is
behind a natted firewall. It supports 16-channel connections to max out line
throughput even over very long distances between server and client. It can
support native windows clients, has openvpn shim for legacy clients on that
side. I'm not doing it justice - there's so many features (all gui-
configurable) that are supremely thought out.

Truly one of the best examples of free software I can think of.

Edit:
[https://github.com/SoftEtherVPN/SoftEtherVPN](https://github.com/SoftEtherVPN/SoftEtherVPN)

~~~
mikl
> free, simple, open source, fast and secure

So is Wireguard?

~~~
tgtweak
Not saying wireguard isn't.

I will say I've used softether on 10gbps links and hit 8gbps between two
continents and that was nearly impossible with every other solution 5 years
ago when I first set it up. It's been running flawlessly since then.

~~~
tanderson92
Wireguard didn't exist 5 years ago, so this comparison seems inapt on the
current topic. That is, unless you merely want to promote softether... :-)

------
metalliqaz
I've been using OpenVPN on my home pfSense box, it's working pretty good and
didn't require I install anything except the OpenVPN app on my phone. Not sure
if WireGuard has anything to offer that would motivate a switch.

~~~
philjohn
As others have said ... it's faster HOWEVER I've had some issues when
travelling where OpenVPN wasn't blocked but WireGuard was in some hotels. So I
have both, if I can, I use wireguard, otherwise OpenVPN is slower, but does
the job.

~~~
mikl
You can choose a port number to run Wireguard on that should pass through
all but the craziest firewall. 53 or 443 could work. Or run it on OpenVPN’s port
1194.

Only limitation is that it has to be UDP, Wireguard doesn’t support TCP.

~~~
derpsabert
443 and 1194 only make sense for TCP since there's nothing of note that
commonly runs on those UDP ports.

~~~
mikl
443/UDP is used for HTTP/3 (aka QUIC), and is pretty quickly becoming
ubiquitous – and OpenVPN also supports UDP, so if the port is open for TCP, it
might well also be open for UDP.

------
cmod
FWIW: On a recent trip to China, Wireguard setup on a Digital Ocean VPS was
the only VPN to work consistently and reliably throughout. Express VPN was
recommended as the "best" for China, but I found it rarely worked.

~~~
kirvyteo
Thanks for the tip. I have been sourcing for alternatives to ExpressVPN for
China. Last year was pretty ok but on a recent trip, it had difficulty
connecting 70% of the time and failed in multiple cities inland and on the
coast. Seems like I need to setup my own now.

------
big_chungus
Question: I use wireguard and like it, but have a problem. At work, I can only
get out on ports 80 and 443 TCP. I've tried openvpn, but it's a pain, slow,
etc. Any better options? My dilemma is stuff like sshuttle, dsvpn, etc. all
seems to be linux-only, linux & mac, etc; I need something with windows,
linux, mac, and android.

~~~
rahimnathwani
Assuming it's just port blocking, and you're not behind a proxy or DPI, just
run a shadowsocks server listening on 80 or 443.

There are good, free clients for Windows, Android and Mac. The client for
Android that will handle both connecting to the shadowsocks server and
establishing a local SOCKS proxy, and redirecting regular network requests
over that proxy. I'm not sure if the clients for other platforms do that, or
if they only work with apps that can use a SOCKS proxy.

~~~
big_chungus
This is the answer for which I was looking; thank you for your help!

------
trimtab
I've been using tinc for quite a while. How does it compare to Wireguard?

One Tinc advantage is that it can run on an Openwrt router.

~~~
cartoonworld
What's wrong with wg on openwrt? [https://openwrt.org/docs/guide-user/services/vpn/wireguard/s...](https://openwrt.org/docs/guide-user/services/vpn/wireguard/start)

------
jsmith12673
Just tried going through this tutorial. I can get traffic to forward through
the server just fine, but for some reason, DNS refuses to resolve. I've tried:

- Having no DNS explicitly specified

- Having unbound DNS server run locally

- Using public facing DNS like 1.1.1.1

And none of them seem to make DNS resolve. Anyone else run into this?

~~~
mikl
Question is if you can reach any systems after the server. Have you tried
pinging 8.8.8.8 or some other IP while connected?

~~~
jsmith12673
Indeed. For example, I can ping 8.8.8.8, or I can directly curl an IP for a
webpage. It's just the DNS portion that doesn't get through.

------
yardie
Anyone have recommendations on home routers that can run Wireguard?

~~~
rahimnathwani
ASUS RT-AC86U with Koolshare firmware (derived from Merlin firmware) has
Wireguard binaries, but no GUI configuration for it.

I expect that any Asus router that can run Merlin should allow you to ssh in
to install Wireguard. But you might need to cross-compile it on another
system, and obviously the lower end models might struggle with CPU usage.

~~~
yardie
Does this apply to the RT-68U (which I do have)?

~~~
rahimnathwani
Probably not.

The Koolshare group (whose modified version of Asus Merlin is targeted at
folks in China) have stopped development for the RT-AC68U, and IIRC this was
before they started working on integrating Wireguard into their builds.

It looks like Asuswrt-Merlin uses different kernel versions for different
routers (probably because they use the kernel from Asus' own open source
releases). I'm pretty sure the kernel for the AC68U is too old to support
Wireguard.

This link has more info: [https://github.com/RMerl/asuswrt-merlin.ng/issues/210](https://github.com/RMerl/asuswrt-merlin.ng/issues/210)

------
Osiris
Does anyone know of any inexpensive VPS or cloud instances that provide
support for wireguard?

~~~
balladeer
Check LowEndTalk for cheap VPS. That’s where I head when I need a few to play
with or for things like a seedbox.

~~~
Osiris
Most VPS services I've used don't have the WireGuard kernel module installed
and, of course, you can't install kernel modules in VPSs.

~~~
detaro
You can install kernel modules in most types of VPS. OpenVZ is the only
somewhat common type that doesn't support it.

~~~
Osiris
KVM VPSs are generally significantly more expensive than OpenVZ, so for side
projects where I want a cheap (<$5/mn) plan I've always used the OpenVZ VPSs.

------
the_resistence
I wish I understood the technicalities better. This doesn't work in mainland
China.

