Install Wireguard

sudo apt update
sudo apt install wireguard

Now that you have WireGuard installed, the next step is to generate a private and public keypair for the server.

Use the following umask command to ensure new directories and files (in your current terminal session only) get created with limited read and write permissions:

umask 077

Now you can proceed and create the private key for WireGuard using the following command:

wg genkey | sudo tee /etc/wireguard/private.key

The next step is to create the corresponding public key, which is derived from the private key. Use the following command to create the public key file:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

When you run the command you will again receive a single line of base64 enpred output, which is the public key for your WireGuard Server. Copy it somewhere for reference, since you will need to distribute the public key to any peer that connects to the server.

Choosing an IPv4 Range

You can choose any range of IP addresses from the following reserved blocks of addresses:

10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)

For the purposes of this tutorial we’ll use 10.8.0.0/24 as a block of IP addresses from the first range of reserved IPs.

Creating a WireGuard Server Configuration

Once you have the required private key and IP address(es), create a new configuration file using nano or your preferred editor by running the following command:

sudo nano /etc/wireguard/wg0.conf

Add the following lines to the file, substituting your private key in place of the highlighted base64_enpred_private_key_goes_here value, and the IP address(es) on the Address line. You can also change the ListenPort line if you would like WireGuard to be available on a different port:

nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = base64_enpred_private_key_goes_here
Address = 10.8.0.1/24, fd0d:86fa:c3bc::1/64
ListenPort = 51820
SaveConfig = true

Starting the WireGuard Server

sudo systemctl enable wg-quick@wg0.service

Now start the service:

sudo systemctl start wg-quick@wg0.service

Double check that the WireGuard service is active with the following command. You should see active (running) in the output:

sudo systemctl status wg-quick@wg0.service

Configuring a WireGuard Peer

You can add as many peers as you like to your VPN by generating a key pair and configuration using the following steps. If you add multiple peers to the VPN be sure to keep track of their private IP addresses to prevent collisions.

To configure the WireGuard Peer, ensure that you have the WireGuard package installed using the following apt commands. On the WireGuard peer run:

sudo apt update
sudo apt install wireguard

Creating the WireGuard Peer’s Key Pair

umask 077

create the private key for the peer using the following command:

wg genkey | sudo tee /etc/wireguard/private.key

Next use the following command to create the public key file:

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Copy it somewhere for reference, since you will need to distribute the public key to the WireGuard Server in order to establish an encrypted connection.

Creating the WireGuard Peer’s Configuration File

sudo nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = base64_enpred_peer_private_key_goes_here
Address = 10.8.0.2/24
[Peer]
PublicKey = The base64 enpred public key from the WireGuard Server.
AllowedIPs = 10.8.0.0/24
Endpoint = 159.65.164.142:51820

Adding the Peer’s Public Key to the WireGuard Server

Ensure that you have a copy of the base64 enpred public key for the WireGuard Peer by running:

sudo cat /etc/wireguard/public.key
7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI=

Now log into the WireGuard server, and run the following command:

sudo wg set wg0 peer 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI= allowed-ips 10.8.0.2

If you would like to update the allowed-ips for an existing peer, you can run the same command again, but change the IP addresses. Multiple IP addresses are supported. For example, to change the WireGuard Peer that you just added to add an IP like 10.8.0.100 to the existing 10.8.0.2, you would run the following:

sudo wg set wg0 peer 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI= allowed-ips 10.8.0.2,10.8.0.100

Once you have run the command to add the peer, check the status of the tunnel on the server using the wg command:

sudo wg
interface: wg0
public key: 2KOvl8HbUz1rxTJ/l46o/Yz4G34Q6rfFsmvOROu9HAY=
private key: (hidden)
listening port: 51820

peer: 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI=
endpoint: 70.112.179.47:49999
allowed ips: 10.8.0.2/32
latest handshake: 10 minutes, 58 seconds ago
transfer: 20.80 KiB received, 25.17 KiB sent

Connecting the WireGuard Peer to the Tunnel

To start the tunnel, run the following on the WireGuard Peer:

sudo wg-quick up wg0

You will receive output like the following:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0

You can check the status of the tunnel on the peer using the wg command:

sudo wg

You can also check the status on the server again, and you will receive similar output.

Verify that your peer is using the VPN by using the ip route command.

ip route get 10.8.0.1
10.8.0.1 via 167.99.48.1 dev eth0 src 167.99.62.37 uid 0
cache

If your peer has a browser installed, you can also visit ipleak.net and ipv6-test.com to confirm that your peer is routing its traffic over the VPN.

Once you are ready to disconnect from the VPN on the peer, use the wg-quick command:

sudo wg-quick down wg0

Re:
https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
https://www.wireguard.com/install/
https://linuxize.com/post/how-to-set-up-wireguard-vpn-on-debian-10/

Need to setup a VPN? Here’s how to download and install OpenVPN.

SERVER SETUP

Download the installer from https://openvpn.net/index.php/download/community-downloads.html and run it on the server computer.

Open the installer file and start the installation.

 

  1. Remember to adjust the Windows firewall (open the 1194 UDP port).
  2. Assign a static IP to the new created TAP interface (like 10.8.0.1).
  3. Install OpenVPN on each client. (This step can be skipped for now and done at any convenient time)
  4. Choose All check boxes for the install

Certificates and Keys

Preparatory Steps

Navigate to the C:\Program Files\OpenVPN\easy-rsa folder in the command prompt:

Press Windows Key + R
Type “cmd.exe” and press Enter.
cmd.exe

Right click to run as administrator
Navigate to the correct folder:

cd "C:\Program Files\OpenVPN\easy-rsa"
<a href="https://www.geekdecoder.com/wp-content/uploads/2014/08/cmdcall.jpg"><img class="alignnone size-large wp-image-5187" src="https://www.geekdecoder.com/wp-content/uploads/2014/08/cmdcall-1024x593.jpg" alt="" width="648" height="375" /></a>

Initialize the OpenVPN configuration:

init-config
<a href="https://www.geekdecoder.com/wp-content/uploads/2014/08/init.jpg"><img class="alignnone size-full wp-image-5188" src="https://www.geekdecoder.com/wp-content/uploads/2014/08/init.jpg" alt="" width="597" height="133" /></a>

NOTE: Only run init-config once, during installation.
Open the vars.bat file in a text editor:

notepad vars.bat

Edit the following lines in vars.bat, replacing “US”, “CA,” etc. with your company’s information:

set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=OpenVPN
set KEY_EMAIL=mail@host.domain

Save the file and exit notepad.
Run the following commands:

vars

clean-all

Building Certificates and Keys

The certificate authority (CA) certificate and key:

build-ca

When prompted, enter your country, etc. These will have default values, which appear in brackets. For your “Common Name,” a good choice is to pick a name to identify your company’s Certificate Authority. For example, “OpenVPN-CA”:

Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [mail@host.domain]:

* This builds the ca key in C:\Program Files\OpenVPN\easy-rsa\keys

The server certificate and key:

build-key-server server

When prompted, enter the “Common Name” as “server”
When prompted to sign the certificate, enter “y”
When prompted to commit, enter “y”

Client certificates and keys:

For each client, choose a name to identify that computer, such as “mike-laptop” in this example.

build-key mike-laptop

When prompted, enter the “Common Name” as the name you have chosen (e.g. “mike-laptop”)
Repeat this step for each client computer that will connect to the VPN.
Generate Diffie Hellman parameters (This is necessary to set up the encryption)

build-dh

Set up the ta.key file.
In command prompt as administrator, go to cd “C:\Program Files\OpenVPN\bin”

# openvpn --genkey --secret ta.key

copy the file to the C:\Program Files\OpenVPN\config directory and to your config directory on your local machine.

Configuration Files

Find the sample configuration files:
Start Menu > All Programs > OpenVPN > OpenVPN Sample Configuration Files

Server Config File

go to C:\Program Files\OpenVPN\sample-config

Open server.ovpn

Find the following lines:

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

Edit them as follows:

ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"

Find the following line for the Diffie hellman parameters:

dh

And edit as follows:

"C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"

Save the file as C:\Program Files\OpenVPN\easy-rsa\server.ovpn

Set up the ta.key file.

In the server configuration, add:
Set the ta.key path to C:\Program Files\OpenVPN\config\ta.key

tls-auth “C:\\Program Files\\OpenVPN\\config\\ta.key” ta.key 0

Client Installation

Download the installer to the client Windows 10 Machine and run the intsaller. Leave the defaults selected.

Client Config Files

This is similar to the server configuration.

Open client.ovpn ON THE SERVER MACHINE located at C:\Program Files\OpenVPN\sample-config
Find the following lines:

ca ca.crt
cert client.crt
key client.key

Edit them as follows:

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\mike-laptop.crt"
key "C:\\Program Files\\OpenVPN\\config\\mike-laptop.key"

Notice that the name of the client certificate and key files depends upon the Common Name of each client.
You can also include the ca, cert and key content in the client file. You have to copy the file content inside the tag .

Edit the following line, replacing “my-server-1” with your server’s public Internet IP Address or Domain Name. If you need help, see Static Internet IP below.

remote my-server-1 1194

Save the file as C:\Program Files\OpenVPN\easy-rsa\mike-laptop.ovpn (in this example. Each client will need a different, but similar, config file depending upon that client’s Common Name.)
Copying the Server and Client Files to Their Appropriate Directories
Copy these files from C:\Program Files\OpenVPN\easy-rsa\keys to C:\Program Files\OpenVPN\config\ on the server:

ca.crt
dh1024.pem
server.crt
server.key

Copy this file from C:\Program Files\OpenVPN\easy-rsa\ to C:\Program Files\OpenVPN\config\ on the server:
server.ovpn

Copy these files from C:\Program Files\OpenVPN\easy-rsa\keys on the server to C:\Program Files\OpenVPN\config\ on each client (mike-laptop, in this example):

ca.crt
mike-laptop.crt
mike-laptop.key

Copy these files from C:\Program Files\OpenVPN\easy-rsa\ on the server to C:\Program Files\OpenVPN\config\ on each client (mike-laptop, in this example):

mike-laptop.ovpn

Copy this file from C:\Program Files\OpenVPN\config\ on the server to C:\Program Files\OpenVPN\config\ on each client (mike-laptop, in this example):

ta.key

Also, instead of setting up the paths in the files, you can add them directly like follows. 

&lt;ca&gt;&lt;/ca&gt;
&lt;cert&gt;&lt;/cert&gt;
&lt;key&gt;&lt;/key&gt;

Starting OpenVPN

On both client and server, run OpenVPN from:
Start Menu -> All Programs -> OpenVPN -> OpenVPN GUI
Double click the icon which shows up in the system tray to initiate the connection. The resulting dialog should close upon a successful start.

Running OpenVPN as a Service

OpenVPN to be run from a non-administrator account.
OpenVPN to be started automatically on system startup. This is often preferred on the server machine, as well as any machines which will be constantly connected to the server.
Run the Windows Service administrative tool:
Press Windows Key + R
Type “services.msc” and press Enter.
services.msc
Find the OpenVPN service, and set its Startup Type to “automatic.”
Optionally, start the service now.

Further Considerations / Troubleshooting

Firewall Configuration
If you have connection problems, make sure to set a rule on your server’s firewall allowing incoming traffic on UDP port 1194.

Port Forwarding
If your server is behind a firewall/router, you will need to forward the port chosen for OpenVPN (in this example UDP 1194) to the server. Consult your router’s documentation for details on this.

To set up port forwarding, you will likely need to set up the server with a static local IP address instead of the default dynamic (changing) IP. Make sure to choose a static IP address that is not in the range your router might assign as a dynamic IP, but is within the router’s subnet (usually 192.168.0.xxx , 10.0.0.xxx , or similar).

Security Tips

Transmit all needed files to the client computers using a secure means such as a USB drive (email is not always a secure means).
Choose a port other than UDP 1194, and replace the port number wherever this guide mentions UDP port 1194.

IP or DNS leak

OpenVPN Internet Proxy Windows

This has all internet traffic route to the server IP so your IP is not disclosed.

Generate a TA key and place it in the same folder as the other certificates/keys:

cd C:\Program Files\OpenVPN\bin
openvpn --genkey --secret ta.key

Copy the key to the C:\Program Files\OpenVPN\config directory
Append the following lines to your server.ovpn profile:

# Route all traffic through VPN
push "redirect-gateway def1"
# Push Google DNS to prevent leak
push "dhcp-option DNS 8.8.8.8"
tls-auth ta.key 0 # This file is secret

Set the serer.ovpn file to use the following network as the network sharing below will use this network for the adaptor.

# server 192.168.137.0 255.255.255.0

Append the following lines to your client.ovpn profile:

# Block DNS leak
block-outside-dns
tls-auth ta.key 1 # This file is secret

Service tweaks on the Windows server
Open the Services window
Find Routing and Remote Access and set it to: Startup type – Automatic
Start the service
Adapter tweaks
Open the network adapters window
Right-click your internet adapter (e.g. Ethernet) and then: Properties -> Sharing -> Allow other network users to connect through this computer’s Internet connection
(if applicable) From the drop-down list select your OpenVPN TAP adapter (e.g. Ethernet?)
Note: Only one adapter can be shared at a time, so if you don’t see the Sharing tab, make sure no other adapter is being shared.

Registry tweaks

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

Optional: Configure a static route (if behind router)
You have to route all packets sent to the client’s virtual IP back to the VPN server.

Example using Cisco router:

10.8.0.0 – virtual network subnet
255.255.255.0 – virtual network subnet mask
192.168.1.175 – VPN server internal IP (in the subnet of the router)

Hardening iformation; https://community.openvpn.net/openvpn/wiki/Hardening

Setting up new user certificates

Navigate to the C:\Program Files\OpenVPN\easy-rsa\ folder in the command prompt. NOTE: Make sure that the ca.crt and ca.key are located in the C:\Program Files\OpenVPN\easy-rsa\keys directory!

Press Windows Key + R
Type “cmd.exe” and press Enter.
cmd.exe

Right click to run as administrator
Navigate to the correct folder:

cd "C:\Program Files\OpenVPN\easy-rsa\keys"

Run the following:

vars

For each client, choose a name to identify that computer, such as “newuser-openvpn” in this example.

build-key newuser-openvpn

Open the C:\Program Files\OpenVPN\sample-config directory. Copy the client.ovpn to the name for the new user, ie, newuser-openvpn.ovpn.

Copy these files from C:\Program Files\OpenVPN\easy-rsa\keys and C:\Program Files\OpenVPN\easy-rsa\sample-config on the server to C:\Program Files\OpenVPN\config\ on each client (newuser-openvpn.ovpn, in this example):

ta.key
ca.crt
newuser-openvpn.ovpn.crt
newuser-openvpn.ovpn.key
newuser-openvpn.ovpn.ovpn

Copy to the C:\Program Files\OpenVPN\config on the new user computer.

 

Other resources: https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide

To get started, search for and install network-manager-vpnc package from Ubuntu Software Center. Or, do a:

sudo apt-get install network-manager-vpnc

Once installed, you can follow below steps to setup Cisco VPN for Ubuntu:

1.) Move your cursor to right-top corner system tray area, click on Network Manager icon and choose VPN Connections -> Configure VPN

2.) In next window, click on Add button to add a new connection and then choose Cisco Compatible VPN (vpnc) from the drop-down menu.

3.) Click on Create and you’re able to type in your Cisco VPN details in next window. After all, check off “Use this connection only for resources on its network” otherwise your traffic significantly slowed down

Have a PCF File?


cd /etc/vpnc
mv default.conf default.conf.bk

Now convert the pcf file:


pcf2vpnc namofpcffile.pcf default.conf

Then to run it, you simply do


sudo vpnc /path/to/new.conf

Install eplel repo


# rpm -ivh http://mirror.vcu.edu/pub/gnu+linux/epel/6/i386/epel-release-6-8.noarch.rpm


# yum -y install vpnc
# chmod 700 /etc/vpnc/vpnc-script
# cp /etc/vpnc/default.conf /etc/vpnc/default.conf.orig

Save your .pnc file from Networking to /etc/vpnc/ folder

Install the VPN .pnc file as a default.conf file

Get the pcf to vpnc configuration file converter


# wget http://svn.unix-ag.uni-kl.de/vpnc/trunk/pcf2vpnc

Make it executable


# chmod +x pcf2vpnc

Move it to a place in our path


# mv pcf2vpnc /usr/local/bin/


# cd /etc
# pcf2vpnc /path/username.pcf default.conf
# chown root:root default.conf
# chmod 600 default.conf

Edit the config file to either use your username and password, or to manually enter


# nano default.conf
# Uncomment for auto login
# Xauth username myusername
# Xauth password userpass
# Uncomment for manual login
Xauth interactive

Backup resolv.conf

As a final configuration step, it is a good idea to make a backup of your resolv.conf file. The vpnc program will replace the resolv.conf upon connection and will restore it when you disconnect.

Connect and Disconnect

You must be logged in as Root for this to work

# vpnc
# vpnc-disconnect