VPN

WireGuard – OpenVPN

Introduction

I greatly enjoy reading project blogs on Medium, finding a lot of inspiration there. However, it’s blocked in some countries. To address this, I decided to set up my own VPN server using OpenVPN and WireGuard, both of which are free, open-source VPN solutions. I chose to run the VPN server on an AWS EC2 instance located in Singapore, which is close to my country.

OpenVPN

Step 1: Installing OpenVPN Access Server

Started by updating package lists and installing required packages on the AWS EC2 instance:

apt update && apt -y install ca-certificates wget net-tools gnupg

Downloaded the OpenVPN Access Server repository signing key:

wget https://as-repository.openvpn.net/as-repo-public.asc -qO /etc/apt/trusted.gpg.d/as-repository.asc

Added the OpenVPN Access Server repository to package sources:

echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/as-repository.asc] http://as-repository.openvpn.net/as/debian focal main" > /etc/apt/sources.list.d/openvpn-as-repo.list

Updated package lists again and installed OpenVPN Access Server:

apt update && apt -y install openvpn-as

Step 2: Accessing OpenVPN Server Information

After the installation was completed, the OpenVPN Access Server started running on the EC2 instance. I received the following server information:

Access Server 2.12.0 has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log

Access Server Web UIs are available here:
Admin UI: https://ec2-public-ip:943/admin
Client UI: https://ec2-public-ip:943/

To login please use the "openvpn" account with the password "iDk0RlmTvB2m".
(Note: The password can be changed on the Admin UI)

Step 3: Configuring Security Group

To ensure proper communication with the OpenVPN server, I opened ports 943 (OpenVPN default port), 443, and 80 in the EC2 instance’s security group. Additionally, I exposed the VPN server using the EC2’s public IP.

Step 4: Configuring OpenVPN Access Server

Logged in to the OpenVPN Access Server’s Admin UI using the “openvpn” account and the provided password.

Changed the Hostname or IP Address to the EC2’s public IP in the Configuration > Network Settings.

Step 5: Creating a User

In the Admin UI, I created a new user with the following credentials:

Username: username 
Password: supersafe

Step 6: Accessing the VPN

After creating the new user, I accessed the OpenVPN server’s Client UI using the EC2’s public IP: https://ec2-public-ip:943/.

Step 7: Downloading the User Profile

In the Client UI, I downloaded the user profile with the .ovpn extension.

Step 8: Connecting to the VPN on Ubuntu

On my local Ubuntu machine, I navigated to the folder where the user profile was downloaded and connected to the VPN using the following command:

sudo openvpn --config profile.ovpn

Finally, I successfully documented the process of setting up and configuring a VPN server using OpenVPN Access Server on an AWS EC2 instance in Singapore.

WireGuard

Step 1: Installing WireGuard and Generating a Key Pair

I started by updating the package lists and installing WireGuard:

sudo apt update
sudo apt install wireguard

Next, I created a private key for WireGuard and ensured that only the root user could access it:

wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key

To create the corresponding public key derived from the private key, I used the following command:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Step 2: Choosing an IPv4 Address

For my WireGuard server, I needed a range of private IPv4 addresses for clients and the tunnel interface. I selected the reserved IP block 10.8.0.0/24 for this tutorial. This range allows up to 255 peer connections.

The server’s private tunnel IPv4 address was set to 10.8.0.1/24, but any address in the range from 10.8.0.1 to 10.8.0.255 could be used.

Step 3: Creating a WireGuard Server Configuration

I proceeded to create the WireGuard server configuration file using the command:

sudo nano /etc/wireguard/wg0.conf

In the configuration file, I added the following information, replacing placeholders with actual data:

[Interface]
PrivateKey = {{WireGuard_Server}}
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true

Step 4: Adjusting the WireGuard Server’s Network Configuration

I wanted to route peer internet traffic through the WireGuard server, so I configured IP forwarding:

sudo nano /etc/sysctl.conf

I added the following line for IPv4 at the bottom of the file:

net.ipv4.ip_forward=1

To apply these changes, I loaded the new values:

sudo sysctl -p

Step 5: Configuring the WireGuard Server’s Firewall

To allow WireGuard VPN traffic through the server’s firewall, I enabled masquerading by editing the WireGuard server’s configuration:

sudo nano /etc/wireguard/wg0.conf

At the bottom of the file, after the SaveConfig = true line, I added the following lines:

PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

I also opened the necessary ports:

sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
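
An audit of the configuration built in Steps 3 to 5, as an added example that is not code from the original post. `audit_wg_conf` is a hypothetical helper, and the sample file and the `ens5` interface name are constructed. It flags a config readable by group or other, a PostUp rule with no matching teardown, and a MASQUERADE rule that names a different interface than the default route.

```shell
# Added example (not from the original post): audit a wg-quick config.
# audit_wg_conf is a hypothetical helper; it prints one finding per line.
audit_wg_conf() {
    conf=$1
    # Egress interface: second argument, else the default-route device.
    egress=${2:-$(ip route show default 2>/dev/null | awk '{print $5; exit}')}

    # 1. The file holds PrivateKey: group/other must have no access at all.
    perms=$(ls -ld "$conf" | cut -c5-10)
    [ "$perms" = "------" ] || echo "PERMS: group/other bits '$perms' on $conf"

    # 2. Each PostUp rule needs its mirror in PreDown/PostDown, otherwise
    #    every restart leaves one more NAT or forward rule behind.
    downs=$(sed -n -e 's/^ *PreDown *= *//p' -e 's/^ *PostDown *= *//p' "$conf")
    sed -n 's/^ *PostUp *= *//p' "$conf" | while IFS= read -r up; do
        want=$(printf '%s\n' "$up" | sed -e 's/ -[IA] / -D /' \
            -e 's/^ufw route allow/ufw route delete allow/')
        printf '%s\n' "$downs" | grep -Fxq -- "$want" ||
            echo "UNPAIRED: no teardown for: $up"
    done

    # 3. MASQUERADE must name the real egress interface; with a wrong name
    #    the tunnel comes up but peers get no internet access.
    sed -n 's/^ *PostUp *=.* -o \([^ ]*\) -j MASQUERADE.*/\1/p' "$conf" |
        sort -u | while IFS= read -r ifc; do
            [ "$ifc" = "$egress" ] ||
                echo "EGRESS: rule uses $ifc, default route uses $egress"
        done
}

# Constructed sample: the Step 5 rules with one PreDown line left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER
Address = 10.8.0.1/24
ListenPort = 51820
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
EOF
chmod 644 "$sample"
audit_wg_conf "$sample" ens5
```

On the server, run it as `sudo` against `/etc/wireguard/wg0.conf` with no second argument so the default-route interface is detected.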

Step 6: Starting the WireGuard Server

I configured WireGuard to run as a systemd service using the wg-quick script, ensuring it started at boot:

sudo systemctl enable wg-quick@wg0.service

Step 7: Configuring a WireGuard Peer

On the WireGuard peer, I installed WireGuard using the following commands:

sudo apt update
sudo apt install wireguard

Step 8: Adding the Peer’s Public Key to the WireGuard Server

Before connecting the peer to the server, I added the peer’s public key to the WireGuard Server. This step was crucial for routing traffic over the VPN:

sudo wg set wg0 peer {{WireGuardPeerPublickey}} allowed-ips 10.8.0.2

Step 9: Connecting the WireGuard Peer to the Tunnel

Before starting the tunnel, I installed the resolvconf utility on the WireGuard peer:

sudo apt install resolvconf

To start the tunnel, I ran the following command on the WireGuard Peer:

sudo wg-quick up wg0

This concludes the setup of WireGuard on my Ubuntu 20.04 instance in the Singapore region.

Finally, I did a DNS leak test to see if I connected to the VPN servers correctly.

Comparison

In this comparison, I won’t dive into the details of the security aspects or how both VPNs work. My primary goal for using the VPN is to access the internet seamlessly whenever I return to my home country. Additionally, my knowledge right now is just at a configuration level.

Performance: I conducted internet speed tests using both WireGuard and OpenVPN, as well as without a VPN. In the results, I observed that WireGuard is faster than OpenVPN.

Flexibility: OpenVPN offers remote access and site-to-site VPN capabilities. I used the site-to-site community server, which is free but has a limitation of only allowing two clients on the server. In contrast, with WireGuard, I successfully configured it for five devices, and it operated without any issues. However, I have yet to determine the maximum number of clients that can be accommodated on a single WireGuard server.

Conclusion

Thank you so much. If you find something that is not right or unclear, I’m open to feedback, so feel free to contact me via my email or LinkedIn.

Additional Resources

How To Set Up WireGuard on Ubuntu 20.04 – DigitalOcean

Access Server Quick Start Guide – OpenVPN