The good use cases for “privacy” focused VPN services are vanishing. Improved encryption and protocols prevent many of the ways a casual attacker can spy on you with wifi. On top of that, many such providers have been caught selling user data to third parties and turning over information to authorities under subpoena, making them possibly worse than any attacker you’re sharing the hotel wifi with.
Running your own cloud VPN is easy and affordable. Once you know how to set it up, you can run it on most hosting providers anywhere in the world, or set it up at home so that you can virtually hop on your home network while you’re out and about. Actually installing Wireguard is the main part that’s different between operating systems.
OpenBSD Server
It's probably no surprise that I run Wireguard on my OpenBSD Servers. OpenBSD has had full kernel support for Wireguard for years, so it's just a matter of installing the userland tools, and setting up the interface.
doas pkg_add wireguard-tools
/etc/hostname.wg0:
inet 10.0.0.1 255.255.255.0 NONE
up
!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
Amazon Linux
Amazon Linux is just one easy example I found of a Red Hat-based system. These steps should work similarly on others like Rocky or Alma.
sudo wget -O /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
sudo yum upgrade
sudo yum clean all
sudo yum install wireguard-tools wireguard-dkms iptables-services
Debian Linux
Debian is the base of many other distributions like Ubuntu and RaspiOS, so it made sense to cover it too; these instructions will likely work on those derivatives as well.
sudo apt update
sudo apt install wireguard
Generating Public and Private Keys
Most of the travel routers I've seen don't have a way to generate Wireguard keys on the device if you're manually configuring it, so generate them on your VPN server and import them. We're changing the umask here to ensure the key files are not group or world readable. We're going to be editing files as root, so just use sudo -i (Linux) or doas -s (OpenBSD).
sudo -i
umask 077
Create the client keys:
wg genkey | tee client-private.key | wg pubkey > client-public.key
And then server keys:
cd /etc/wireguard
wg genkey | tee private.key | wg pubkey > public.key
Figure out your main network interface:
ip a
In Amazon AWS EC2, the interface was enX0 but it may very well be eth0 or something ridiculous like enp37s8lmaowtf depending on your configuration. You'll need this interface name for your iptables rules.
Using this example skeleton configuration file as a template, paste it into /etc/wireguard/wg0.conf and edit the interface name and fill in the appropriate public and private keys. You can pick any port number you wish. There is no standardized port for Wireguard.
/etc/wireguard/wg0.conf
[Interface]
PrivateKey = [the contents of /etc/wireguard/private.key]
ListenPort = 57609
Address = 10.0.0.1/24
PostUp = iptables -t nat -I POSTROUTING -o [main interface name, e.g. enX0] -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o [main interface name, e.g. enX0] -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o [main interface name, e.g. enX0] -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o [main interface name, e.g. enX0] -j MASQUERADE
[Peer]
PublicKey = [the contents of client-public.key]
AllowedIPs = 10.0.0.2/32
Final Setup and starting the server
OpenBSD
For OpenBSD, you won't need the Address line or the iptables PostUp/PreDown lines in wg0.conf above. You'll need to tell PF to NAT traffic for wg0, though. Again, you'll need the primary interface name, which you can find with ifconfig. Place the following lines into /etc/pf.conf AFTER the "pass" rules and before the block rules at the end of the file, then reload pf.
pass in on wg0
# the UDP port here must match ListenPort in /etc/wireguard/wg0.conf
pass in inet proto udp from any to any port 57609
pass out on egress inet from (wg0:network) nat-to ([main interface name]:0)
doas pfctl -f /etc/pf.conf
Enable IP Forwarding by adding these lines to /etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
To start Wireguard, run the following commands, or reboot:
doas sysctl net.inet.ip.forwarding=1
doas sysctl net.inet6.ip6.forwarding=1
doas sh /etc/netstart wg0
Linux
For Amazon Linux or Debian the steps are similar. Add these lines to /etc/sysctl.conf:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Reload sysctl:
sudo sysctl -p
Enable and start the Wireguard service with systemctl:
sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
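Before running netstart or systemctl, it is worth checking the files built above. The following POSIX sh script is an added example, not part of the original post: it verifies that wg0.conf is not group or world readable (the point of the umask 077 step), that both keys have the 44-character shape wg genkey produces, that ListenPort is sane, and, for OpenBSD, that the pf rule passes the same UDP port wg listens on. It assumes the [Interface]/[Peer] layout shown above; the config paths are passed as arguments.

```shell
#!/bin/sh
# Added pre-flight checks (not from the original post) for the wg0.conf and
# pf.conf built above. Assumes the [Interface]/[Peer] layout shown in the
# post; file paths are passed as arguments so nothing here touches /etc.

# A WireGuard key is 32 bytes of base64: 44 characters ending in one '='.
# The 43rd character carries two padding bits, so it comes from a fixed set.
is_wg_key() {  # is_wg_key KEY
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print the first "KEY = value" from an INI-style WireGuard config.
conf_get() {  # conf_get KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# The config holds the server's private key; the umask 077 step above exists
# so that group and others cannot read it. Fail if either read bit is set.
is_private() {  # is_private FILE
    [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

# Check one server config. Prints each problem; returns non-zero if any.
check_wg_conf() {  # check_wg_conf FILE
    f=$1; rc=0
    is_private "$f" || { echo "$f is group/world readable"; rc=1; }
    is_wg_key "$(conf_get PrivateKey "$f")" || { echo "bad PrivateKey"; rc=1; }
    is_wg_key "$(conf_get PublicKey "$f")" || { echo "bad peer PublicKey"; rc=1; }
    port=$(conf_get ListenPort "$f")
    case $port in
        ''|*[!0-9]*) echo "ListenPort missing or not numeric"; rc=1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
               { echo "ListenPort $port out of range"; rc=1; } ;;
    esac
    return $rc
}

# On OpenBSD the pf rule must pass the same UDP port wg listens on; a
# mismatch leaves the tunnel unreachable with no error on either side.
check_pf_port() {  # check_pf_port WG_CONF PF_CONF
    want=$(conf_get ListenPort "$1")
    grep -Eq "proto udp .*port[[:space:]]+$want([[:space:]]|$)" "$2" ||
        { echo "$2 does not pass udp port ${want:-?}"; return 1; }
}

# Usage: sh wgcheck.sh /etc/wireguard/wg0.conf [/etc/pf.conf]
if [ "$#" -ge 1 ]; then
    check_wg_conf "$1" && { [ -z "$2" ] || check_pf_port "$1" "$2"; } && echo OK
fi
```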
Travel Router Configuration
I've been using GL.iNet routers with Wireguard for about 3 years. The example screenshots are from my GL-SFT1200 "Opal" travel router. Manually configure the Wireguard client and set these values:
Interface
IP Address: 10.0.0.2 (or your "peer" address from the Wireguard server config)
Private key: Contents of client-private.key file we generated earlier
Peer
Public Key: Contents of /etc/wireguard/public.key from the wireguard server
Endpoint host: IP address and port of your wireguard server (e.g. 3.45.67.89:57609)
Allowed IPs: 0.0.0.0/0 (i.e. route traffic for all IP addresses through the Wireguard server)
Once you have configured the Wireguard client, you can connect to the VPN. Browse to an IP address checking site like whatismyip.com to verify you're coming from the VPN server's IP address.
Many travel routers have a mode switch on the side that allows you to easily change how the router works. I set up my Opal router so that the mode switch enables or disables Wireguard on the fly so I have more flexibility without worrying about having to log into the admin control panel and change settings.