WireGuard VPN

I travel somewhat frequently for work and end up using untrusted WiFi as a result. Being privacy conscious, and the primary IT helpdesk for my family, means that I want/need secure access to my resources. The homelab is super useful for demonstrating functionality and concepts, so I find that I use it fairly often when doing presentations. All of this is leading up to a theoretically simple solution: a VPN.

For years I used OpenVPN, which is generally considered a very good solution for most situations, even being used by some enterprises. However, over time I found the performance to be lackluster at best and the amount of time to establish connections was irritating.

A few months ago I had some spare time while on a work trip, so I made the switch to WireGuard. Yes, there’s lots of paranoia about it being validated, etc., etc. but it’s good enough for me. The switch has been surprisingly easy, even allowing me to use my Pi-Hole VM as both the DNS/DHCP and VPN host while providing excellent performance with fewer resources. There are countless helper scripts and other self-hosted GUIs for WireGuard, but honestly with only a few clients I haven’t found the need to use one…adding a client takes about 60 seconds manually.

The install process I used is straightforward and I, more or less, followed this guide.

  1. Install and server config

    Follow standard install instructions for CentOS and the “Server” and “Server Firewall” sections of the guide linked above.

    My instance is using the 10.8.0.0/24 subnet for clients and has port 33333 forwarded to it.

  2. Client config

    With the info we have (client private key, server public key), create the client config file:

    Two important bits:

    I’m pointing DNS to the server’s WireGuard interface here because it’s also my Pi-Hole server. If you do this, make sure that Pi-Hole is configured to listen on all interfaces (on the Settings -> DNS tab). If you don’t want this config, then set the DNS server to whatever is appropriate for you, e.g. 1.1.1.1.

    For the AllowedIPs, I am redirecting all IPv4 and IPv6 traffic across the tunnel. Even if you aren’t using IPv6, not including it here can lead to that client traffic leaking across the public network, so if that’s a concern be sure to include it here.

  3. Server config

    We need to add the client to the server’s config. To do this, we need the client’s public key from the previous step. Append the following to the server’s config file.

    Restart the WireGuard service after updating the server config: systemctl restart wg-quick@wg0.service

If you’re using a laptop or other “full” client, simply copy/paste the config from the server, then connect it and validate the connection using the wg command on the server. Using a phone it’s more difficult to copy/paste, so I use a QR code:

Simply scan the QR image from the WireGuard app on your phone when creating a new profile.
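The post's own config files did not survive extraction, so the following is an added example, not the author's files: a small POSIX shell script that builds the client config from step 2, the [Peer] block appended to the server config in step 3, and a pre-append check that the chosen tunnel address is not already assigned to another peer. It uses the post's values (10.8.0.0/24 client subnet, port 33333, DNS pointed at the server's tunnel address for Pi-Hole); the keys, the endpoint hostname, the client address 10.8.0.2 and the wg0.conf path are constructed placeholders, and the qrencode command for phones is an assumption about tooling, since the post does not name the QR generator it uses.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a WireGuard client
# config plus the matching server [Peer] block. Keys below are placeholders;
# real ones come from:  umask 077; wg genkey | tee client.key | wg pubkey > client.pub
set -eu

SERVER_ENDPOINT="vpn.example.com:33333"   # assumption: your public name/IP + forwarded port
SERVER_WG_ADDR="10.8.0.1"                 # server's address inside the 10.8.0.0/24 tunnel

CLIENT_PRIV="CLIENT_PRIVATE_KEY_PLACEHOLDER="   # constructed placeholder
CLIENT_PUB="CLIENT_PUBLIC_KEY_PLACEHOLDER="     # constructed placeholder
SERVER_PUB="SERVER_PUBLIC_KEY_PLACEHOLDER="     # constructed placeholder

# Step 2: client config. DNS is the server's tunnel address (the Pi-Hole setup
# from the post); use 1.1.1.1 or similar if you don't want that. AllowedIPs
# lists both 0.0.0.0/0 and ::/0 so IPv6 traffic cannot bypass the tunnel.
client_conf() {
  addr="$1"; priv="$2"; srv_pub="$3"; dns="$4"
  cat <<EOF
[Interface]
PrivateKey = $priv
Address = $addr/32
DNS = $dns

[Peer]
PublicKey = $srv_pub
Endpoint = $SERVER_ENDPOINT
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Step 3: [Peer] block for the server's wg0.conf. On the server side,
# AllowedIPs is the single /32 this client is permitted to use as its
# source address inside the tunnel, not a routing-all rule.
server_peer() {
  name="$1"; pub="$2"; addr="$3"
  cat <<EOF

# $name
[Peer]
PublicKey = $pub
AllowedIPs = $addr/32
EOF
}

# Returns success if some existing [Peer] already owns this tunnel address.
# Two peers sharing an AllowedIPs entry means the later one silently wins,
# so check before appending.
addr_in_use() {
  conf="$1"; addr="$2"
  grep -qxF "AllowedIPs = $addr/32" "$conf"
}

# Ties the pieces together; not run automatically so the script is safe to
# source. Usage: add_client phone 10.8.0.2 [/path/to/wg0.conf]
add_client() {
  client="$1"; client_addr="$2"
  conf="${3:-/etc/wireguard/wg0.conf}"   # assumption: default wg-quick path
  if addr_in_use "$conf" "$client_addr"; then
    echo "$client_addr is already assigned in $conf" >&2
    return 1
  fi
  client_conf "$client_addr" "$CLIENT_PRIV" "$SERVER_PUB" "$SERVER_WG_ADDR" > "$client.conf"
  server_peer "$client" "$CLIENT_PUB" "$client_addr" >> "$conf"
  # Then, as in the post:  systemctl restart wg-quick@wg0.service
  # Verify the handshake after the client connects:  wg show wg0
  # Phone clients (assumption: qrencode installed):  qrencode -t ansiutf8 < "$client.conf"
}
```

The client file contains the client's private key, so write it with a restrictive umask and delete it once it has been imported on the phone; the QR image is just that same file rendered, so treat any screenshot of it the same way.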
