WireGuard is fairly new but already ready to replace OpenVPN. It provides a secure tunnel from a client to a server, authenticating both ends with public/private key pairs.
In this tutorial I will assume that you already have some basic knowledge of networking and command line.
The other day I was struggling to configure my WireGuard instance to use Pi-Hole while also using the Cloudflare DNS and my company's DNS over an OpenVPN connection to reach the company's servers.
As a result I decided to write my own guide, based on my experience. The little diagram below summarizes what we'll end up with.
Despite what the project's name suggests, Pi-Hole is not reserved for the Raspberry Pi. You can run it on a traditional server too, and that's what we're going to do.
All you need is to run this simple command:
curl -sSL https://install.pi-hole.net | bash
If you need more information for the install, check out this guide.
Once it's installed, head to the Pi-Hole web admin page and go to Settings > DNS.
Here you can select which upstream DNS servers you want to use and set up your own DNS too.
In my case, my company's DNS address is 10.51.1.1, which results in this configuration:
You're done with Pi-Hole for the DNS; you might want to play with it a bit to get ad blocking working correctly.
In our network diagram the OpenVPN connection is only used to talk to my company's network. It's running OpenVPN due to our router running
Setting it up is pretty easy: you just have to get your
apt-get install openvpn
Define your credentials:
# the file is read by OpenVPN via "auth-user-pass /etc/openvpn/credentials" in your .ovpn;
# it holds a clear-text password, so keep it readable by root only
echo "username" >> /etc/openvpn/credentials
echo "password" >> /etc/openvpn/credentials
And start the tunnel:
openvpn --config /path/config.ovpn --daemon
You should see a new tun0 interface when you type:
Let's install and configure our WireGuard instance now!
The install process is just 3 commands long:
apt-get install linux-headers-$(uname --kernel-release)
add-apt-repository ppa:wireguard/wireguard
apt-get update && apt-get install wireguard
Now we can configure Wireguard.
Start by creating the needed folder and the private/public keys of the server:
mkdir -p /etc/wireguard/keys
cd /etc/wireguard/keys
umask 077 # so the key files are created readable by root only
wg genkey | tee privatekey | wg pubkey > publickey
We'll now create /etc/wireguard/wg0.conf, which is our WireGuard config:
[Interface]
PrivateKey = private_key # from the step above
Address = 172.16.0.0/12,fd5b:5840:9e9f:a477::1/64 # you can change it, but THEY MUST STAY PRIVATE IPS
ListenPort = 8999
# ens2 is the server's public interface, tun0 the OpenVPN tunnel, he-ipv6 the IPv6 tunnel: adapt the names to your server
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE; iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o he-ipv6 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens2 -j MASQUERADE; iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o he-ipv6 -j MASQUERADE

[Peer]
PublicKey = public_key_client_one
AllowedIPs = 172.16.66.2/32,fd5b:5840:9e9f:a477::ca:571e/128 # update if you changed the Address above

[Peer]
PublicKey = public_key_client_two
AllowedIPs = 172.16.66.3/32,fd5b:5840:9e9f:a477::746f:786f/128 # update if you changed the Address above
Once it's configured, start it and make it launch at boot (the wg-quick unit is named after the config file, wg0.conf):
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
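Before starting the tunnel it is worth running a few sanity checks on wg0.conf, because the mistakes that bite here are quiet ones: a placeholder left in place of a key, a config file readable by everyone, two peers given the same AllowedIPs (WireGuard routes by AllowedIPs, so the second peer silently takes the prefix), or a PostUp rule with no matching PostDown so every restart leaves an extra firewall rule behind. The script below is an added example, not code from the original post; it assumes the layout used above (one [Interface], one or more [Peer] sections, PostUp/PostDown as ';'-separated iptables commands) and the function names are mine.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a wg-quick config such as /etc/wireguard/wg0.conf.
# Added example, not from the original post. Assumed layout: one [Interface],
# one or more [Peer] sections, PostUp/PostDown as ';'-separated commands.
# Usage: wg_conf_check /etc/wireguard/wg0.conf   (exit status 0 = all checks passed)

_wg_fail() { echo "FAIL: $*" >&2; _wg_errors=$((_wg_errors + 1)); }

# A WireGuard key is 32 bytes, so its base64 form is 43 characters plus one '='.
wg_key_looks_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Values of "Key = value" lines for the given key (comments stripped), one per line.
_wg_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" | sed 's/[[:space:]]*$//'
}

# Split a PostUp/PostDown value into one trimmed command per line.
_wg_cmds() {
    printf '%s\n' "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

wg_conf_check() {
    conf="$1"
    _wg_errors=0
    [ -r "$conf" ] || { _wg_fail "cannot read $conf"; return 1; }

    # 1. The file carries the private key, so it must not be group/world readable.
    perms=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf" 2>/dev/null)
    case "$perms" in
        600|400) ;;
        *) _wg_fail "$conf has mode $perms, expected 600 (use umask 077 before writing it)" ;;
    esac

    # 2. One [Interface] with a real PrivateKey: a leftover placeholder such as 'private_key' fails here.
    n_iface=$(grep -c '^[[:space:]]*\[Interface\]' "$conf" || true)
    [ "$n_iface" -eq 1 ] || _wg_fail "expected one [Interface] section, found $n_iface"
    wg_key_looks_valid "$(_wg_values "$conf" PrivateKey | head -n1)" \
        || _wg_fail "PrivateKey is missing or is not a 44-character base64 key"

    # 3. Every [Peer] needs a valid PublicKey.
    n_peer=$(grep -c '^[[:space:]]*\[Peer\]' "$conf" || true)
    n_pub=0
    for k in $(_wg_values "$conf" PublicKey); do
        n_pub=$((n_pub + 1))
        wg_key_looks_valid "$k" || _wg_fail "peer PublicKey '$k' is not a valid key"
    done
    [ "$n_peer" -eq "$n_pub" ] || _wg_fail "$n_peer [Peer] sections but $n_pub PublicKey lines"

    # 4. AllowedIPs must be unique across peers: WireGuard routes by AllowedIPs, and a
    #    duplicate quietly hands the prefix to whichever peer was loaded last.
    dups=$(_wg_values "$conf" AllowedIPs | tr ',' '\n' | tr -d ' ' | grep -v '^$' | sort | uniq -d)
    [ -z "$dups" ] || _wg_fail "AllowedIPs listed for more than one peer: $(printf '%s' "$dups" | tr '\n' ' ')"

    # 5. Every rule appended (-A) in PostUp needs the matching delete (-D) in PostDown,
    #    otherwise each restart of the tunnel leaves an extra FORWARD/MASQUERADE rule behind.
    up=$(_wg_values "$conf" PostUp)
    down=$(_wg_values "$conf" PostDown)
    missing=$(_wg_cmds "$up" | grep -- ' -A ' | while IFS= read -r rule; do
        want=$(printf '%s' "$rule" | sed 's/ -A / -D /')
        _wg_cmds "$down" | grep -qxF -- "$want" || printf '%s\n' "$rule"
    done)
    [ -z "$missing" ] || _wg_fail "PostUp rules with no matching PostDown delete: $missing"

    [ "$_wg_errors" -eq 0 ]
}

# Number of problems reported by the last wg_conf_check call.
wg_conf_errors() { echo "$_wg_errors"; }
```

Source the file and run `wg_conf_check /etc/wireguard/wg0.conf` before `systemctl start`; the key-format check only says a value is the right shape, it cannot tell you whether it is the key you meant to paste.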
As it's not the main goal of this tutorial and it's not very complicated, I'll just give you an example of a client's config:
[Interface]
PrivateKey = client_private_key
Address = 172.16.66.3/32,fd5b:5840:9e9f:a477::746f:786f/64
DNS = 10.18.1.57 # IMPORTANT (IP OF THE PI-HOLE)

[Peer]
PublicKey = server_public_key
AllowedIPs = 0.0.0.0/0,::/0 # ROUTE ALL TRAFFIC THROUGH THE TUNNEL
Endpoint = 188.8.131.52:8999 # IP OF THE SERVER:PORT
PersistentKeepalive = 15