Bobcares

All about Digitalocean Wireguard

by | Jun 3, 2022

WireGuard is a lightweight VPN protocol and implementation that supports IPv4 and IPv6. This post walks through running a WireGuard server and client on DigitalOcean Droplets.

As part of our Digitalocean managed service, Bobcares responds to all inquiries, big or small.

Let’s look into the Digitalocean platform to learn more about wireguard.

DigitalOcean WireGuard

WireGuard is a VPN implementation that was merged into the Linux kernel in version 5.6 (released in 2020). It is faster and simpler to configure than older options such as IPsec and OpenVPN. A VPN lets us treat an untrusted network as if it were a private one: a laptop or smartphone on hotel or coffee-shop WiFi can tunnel its traffic through the VPN server instead of exposing it to the local network.

Peers establish an encrypted tunnel using public and private keys: each peer has its own key pair, and the public keys are exchanged out of band and placed in the other side's configuration. Each version of the WireGuard protocol uses one fixed set of cryptographic primitives (currently Curve25519, ChaCha20-Poly1305, BLAKE2s, SipHash24 and HKDF) and performs no cipher negotiation, which keeps the implementation small and leaves nothing for a client to downgrade. Other VPN software negotiates instead: OpenVPN authenticates peers and sets up its tunnel with Transport Layer Security (TLS) and certificates, and IPsec uses IKE. TLS supports hundreds of cipher suites and algorithms across its versions, which gives flexibility in supporting different clients, but it also makes configuring a TLS-based VPN more time consuming, complex and error prone.

Install the WireGuard server.

  1. Firstly, install the wireguard package:

    sudo apt update

    sudo apt install wireguard

  2. After that, switch to the root user.

    sudo -s

  3. Make sure that only the root user can read any files created after this point (the private key in particular).

    umask 077

  4. Then, in /etc/wireguard, generate keys.

    cd /etc/wireguard

    wg genkey | tee privatekey | wg pubkey > publickey

  5. Now we have a private key, which must never leave the server, and a public key, which is handed to every VPN client that will connect to this server.
  6. Then, create a configuration file at /etc/wireguard/wg0.conf.
  7. wg-quick takes the interface name from the configuration file name, so wg-quick up wg0 reads /etc/wireguard/wg0.conf and creates an interface called wg0.
  8. Then print out the private key with cat /etc/wireguard/privatekey and add the following to the configuration file:
    # /etc/wireguard/wg0.conf on the server
    [Interface]
    Address = 10.0.0.1/24
    ListenPort = 51820
    # Use your own private key, from /etc/wireguard/privatekey
    # (a real key is 44 characters of base64; the value below is only a placeholder)
    PrivateKey = <server-private-key>
  9. Finally, we can start the VPN

    wg-quick up wg0 : create and configure the wg0 interface

    wg : To see the interface’s WireGuard-specific details

  10. If you want the VPN to start automatically when the server boots, enable the systemd unit. If ufw or a DigitalOcean Cloud Firewall is in front of the Droplet, also allow inbound UDP on port 51820, or clients will never complete a handshake.

    systemctl enable wg-quick@wg0

Set up WireGuard client

  1. Firstly, install WireGuard

    sudo apt update

    sudo apt install wireguard

  2. After that, switch to the root user.

    sudo -s

  3. Make sure that only the root user can read any files created after this point.

    umask 077

  4. Then, in /etc/wireguard, generate keys.

    cd /etc/wireguard

    wg genkey | tee privatekey | wg pubkey > publickey

  5. Then, create a configuration file with the following content at /etc/wireguard/wg0.conf:
    # /etc/wireguard/wg0.conf on the client
    [Interface]
    # The address your computer will use on the VPN
    Address = 10.0.0.8/32
    
    # Load your privatekey from file
    PostUp = wg set %i private-key /etc/wireguard/privatekey
    # Also ping the vpn server to ensure the tunnel is initialized
    PostUp = ping -c1 10.0.0.1
    
    [Peer]
    # VPN server's WireGuard public key (USE YOURS, from /etc/wireguard/publickey on the server)
    PublicKey = <server-public-key>
    
    # Public IP address of your VPN server (USE YOURS!)
    # Use the floating IP address if you created one for your VPN server
    Endpoint = 123.123.123.123:51820
    
    # 10.0.0.0/24 is the VPN subnet
    AllowedIPs = 10.0.0.0/24
    
    # To also accept and send traffic to a VPC subnet at 10.110.0.0/20
    # (the server must then have IP forwarding enabled and a route or NAT
    # for that subnet; a Droplet does not forward packets by default)
    # AllowedIPs = 10.0.0.0/24,10.110.0.0/20
    
    # To accept traffic from and send traffic to any IP address through the VPN
    # (same forwarding/NAT requirement on the server; this becomes the client's default route)
    # AllowedIPs = 0.0.0.0/0
    
    # To keep a connection open from the server to this client
    # (Use if you're behind a NAT, e.g. on a home network, and
    # want peers to be able to connect to you.)
    # PersistentKeepalive = 25
    

  6. The VPN server must be configured to allow connections from the client before the VPN can be started on the client. Reopen /etc/wireguard/wg0.conf on the VPN server and make the following changes:
    # /etc/wireguard/wg0.conf on the server
    [Interface]
    Address = 10.0.0.1/24
    ListenPort = 51820
    # Use your own private key, from /etc/wireguard/privatekey
    PrivateKey = <server-private-key>
    
    [Peer]
    # VPN client's public key (from /etc/wireguard/publickey on the client; it is
    # a different key from the server's)
    PublicKey = <client-public-key>
    # VPN client's IP address in the VPN
    AllowedIPs = 10.0.0.8/32
    

    The [Peer] section identifies the client by its public key and, through AllowedIPs, tells the server that packets arriving under that key are only accepted if they come from 10.0.0.8, and that packets destined for 10.0.0.8 are sent to that client. WireGuard calls this cryptokey routing; keeping the client's entry at /32 means a compromised client key cannot be used to spoof other VPN addresses.

  7. Then, on the server, restart the WireGuard interface to apply the changes.

    wg-quick down wg0 && wg-quick up wg0

  8. Alternatively, if active VPN sessions must not be disrupted or dropped, reload only the configuration (peers, keys, AllowedIPs) into the running interface:

    wg syncconf wg0 <(wg-quick strip wg0)

  9. Finally, start the VPN on the client and confirm that the handshake completed (wg should show a "latest handshake" time for the server peer once the PostUp ping has gone through).

    wg-quick up wg0

    wg
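The server and client steps above are easy to get wrong by hand: a pasted key that is not real base64 is silently wrong until wg rejects it, and the server-side AllowedIPs must be the client's single /32 address, not the whole subnet. The following bash script is an added example, not code from the original post or from the WireGuard project: it checks that a key has the shape wg expects (32 bytes, base64-encoded to exactly 44 characters) and renders the server [Peer] block and the client wg0.conf for one client. It assumes a coreutils-style base64 that accepts -d, and the demo keys and the 203.0.113.10 endpoint are constructed placeholders, not values from the post.

```shell
#!/usr/bin/env bash
# Added example: validate WireGuard key material and render the per-client
# config blocks offline (no wg binary needed). Assumes coreutils base64 -d.
set -eu

# A WireGuard key is 32 raw bytes, base64-encoded into exactly 44 characters.
# Strings containing characters such as '^', '#' or '@' are not keys and wg
# will refuse them; fail fast instead of writing them into wg0.conf.
wg_key_valid() {
  local key="$1"
  [ "${#key}" -eq 44 ] || return 1
  case "$key" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
  local n
  n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c) || return 1
  [ "$((n))" -eq 32 ]
}

# [Peer] block the *server* needs for one client. AllowedIPs is the client's
# single VPN address: packets under this key are accepted only from that
# source, and only that destination is routed to the client (cryptokey routing).
render_server_peer() {
  local client_pub="$1" client_vpn_ip="$2"
  wg_key_valid "$client_pub" || { echo "invalid client public key" >&2; return 1; }
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$client_pub" "$client_vpn_ip"
}

# Full client wg0.conf. The private key is loaded from a root-only file in
# PostUp rather than pasted into the config, as in the post. A keepalive of 0
# omits PersistentKeepalive; 25 is the usual value behind NAT.
render_client_conf() {
  local server_pub="$1" endpoint="$2" client_vpn_ip="$3" allowed="$4" keepalive="${5:-0}"
  wg_key_valid "$server_pub" || { echo "invalid server public key" >&2; return 1; }
  printf '[Interface]\nAddress = %s/32\n' "$client_vpn_ip"
  printf 'PostUp = wg set %%i private-key /etc/wireguard/privatekey\n\n'
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\n' \
    "$server_pub" "$endpoint" "$allowed"
  if [ "$keepalive" -gt 0 ]; then
    printf 'PersistentKeepalive = %s\n' "$keepalive"
  fi
}

# Constructed demo keys: 32 ASCII bytes base64-encoded so they have the right
# shape. Real keys come from `wg genkey` and `wg pubkey` on each machine.
DEMO_SERVER_PUB=$(printf '%s' 'server-public-key-demo-012345678' | base64)
DEMO_CLIENT_PUB=$(printf '%s' 'client-public-key-demo-012345678' | base64)

# Usage (endpoint 203.0.113.10 is a documentation address, not a real server):
render_server_peer "$DEMO_CLIENT_PUB" 10.0.0.8
echo
render_client_conf "$DEMO_SERVER_PUB" 203.0.113.10:51820 10.0.0.8 10.0.0.0/24 25
```

In practice you would feed render_server_peer the contents of the client's /etc/wireguard/publickey and append its output to the server's wg0.conf, then run wg syncconf wg0 <(wg-quick strip wg0) so existing peers stay connected; the key check is what catches a copy-paste error before it reaches the running interface.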

Using a Chromebook to Connect

It’s preferable to use the official Android WireGuard app when connecting to a WireGuard VPN from a Chromebook. Because crouton uses a chroot, my attempts to run WireGuard under it failed, and I was stuck with the Chromebook’s old Linux kernel (4.19) and unable to add kernel modules or network interfaces from within crouton. Similarly, crostini does not support updating or using custom kernel modules, but it does offer a convenient way to SSH into VPN-accessible servers while the Android WireGuard app is running.

Using other devices to connect

If we want to connect to a VPN from a device whose kernel does not ship the WireGuard module, we can install wireguard-go, a userspace implementation of WireGuard (it still needs enough privilege to create a TUN interface). For devices we do not control at all, such as smart TVs or IoT sensors, look into setting up WireGuard on the router (e.g. the OpenWRT instructions) so that all of those devices' outbound traffic is routed through the VPN.


Conclusion

To sum up, our Support team has shown how to set up a WireGuard server and client on DigitalOcean Droplets.
