Ditch NordVPN: WireGuard with an Ubuntu VPS and Windows client

What is WireGuard?

Simply put, WireGuard is a modern protocol for establishing a secure tunnel between two points. For a long time now, OpenVPN has been the defacto standard protocol to use in implementing a VPN tunnel, however; in 2015 when the WireGuard white paper was published, a new kid joined the block.

WireGuard ensures secure transportation of data using some tricks out of the book of asymmetric key cryptography. Using the terms “Client” and “Server” when referring to WireGuard is a slight inaccuracy. A more accurate term for referring to both is “Peer”. Consider two peers we’ll call Alice and Bob:

Alice and Bob both generate their own private keys using an algorithm like ED25519
Alice and Bob both generate thier own public keys based on the value of their private key
Alice shares their public key with Bob and Bob shares their public key with Alice
Alice uses Bob’s public key to encrypt data outbound to Bob, and Bob does the same for Alice

Remember, the public keys were created as a function of the private key. This means that no matter who intercepts the data in transit, it will be useless to them because they do not possess the private key required to unencrypt the message.

Acquiring a VPS

A VPS or Virtual Private Server, is a virtual machine that runs along others with its own evironment. To it, its as if it has its own hardware entirely to itself, unshared. These can be extremely cheap to rent and for this use case, you can get one for as low as 15 USD per annum. I recommend LowEndTalk for cheap VPS instances. Whenever and however you choose a VPS provider, you’ll want to choose Ubuntu 22.04 as your operating system. This is not neccessary, but will make following along to this tutorial free from hiccups. If you plan on using IPv6, make sure that is supported as well.

Setup SSH

You should receive an email with the login credentials and IP address of your newly created VPS instance. Time to get our hands dirty with the terminal. On your Windows client machine, i.e., your desktop, press keys WIN + X to open the power user menu. Release the keys and press A to open an elevated Windows PowerShell instance. To initiate an SSH connection to the VPS, you’re gonna need to cast this spell:

ssh username@your-vps-ip-address

Replace username with the actual username provided by your VPS host (this is usually ‘root’), and your_vps_ip with the IP address you received in the email. After the command executes, you’ll be prompted to enter the password that also came in the email. Type it in and press enter (note: you won’t see any characters as you type, but it’s taking your input). If everything goes according to plan, your command prompt should change to something like root@<ipaddress> $. If so, you are now connected and inside the shell of your VPS server however far away that may be, and you’re ready to move on.

Create a New User with Sudo Privileges (optional)

It is always highly advised to remove the ability to SSH into your VPS as root after first login. This is because there are constantly, at any given moment, bots that are attempting to brute force the password for the root user. You’re still logged in as root right? Cool. Let’s create a new user. We’ll call this user ‘neo’ because the matrix slaps:

let square: int -> int = fun x -> x * x

let s

adduser neo
# You'll be prompted to set and confirm a new password for neo.
# fill out any additional info or just hit ENTER to skip.

# grant neo the power of sudo by adding the user account to the 
# sudo group  which allows running commands with the privileges 
# of another user, by default the superuser:
usermod -aG sudo neo

Setting Up Public Key Authentication (optional)

Next, you’re going to set up a more secure way than basic password authentication, and that is going to be public key authentication. This involves generating a pair of cryptographic keys on your local machine and then putting the public key on the server.

To generate keys, open another powershell tab and run this command to generate a key pair using the ED25519 algorithm:

ssh-keygen -t ed25519 -C neo@your_vps_ipaddress

After running the command, ssh-keygen will ask where to save the new key. By default, it suggests saving the key pair in the ~/.ssh/ directory with the filename id_ed25519 for the private key and id_ed25519.pub for the public key. Press Enter to accept the default or specify a different path if you prefer.

After that, you’ll be prompted to create a passphrase to secure the key further. This is optional but advised if anybody else has access to your PC. After completing that, the keypair will be generated and available in the path specified previously. To make it visible to the ssh-agent service, run this knick knack

ssh-add path/to/your/private/key # if you kept the default, its ~/.ssh/id_ed25519

Assuming you now have a keypair generated, you’ll copy your public key to neo’s home directory on the server. You can do this easily with:

ssh-copy-id neo@your_vps_ip
# Enter neo's password when prompted, and your public key will be added to the 
# ~/.ssh/authorized_keys file on your VPS, allowing you to log in as neo without a password.

Now that neo can log in securely with a public key, it’s time to tell root to take a back seat. This is gonna require using a terminal based text editor. I’ll use vim, if you don’t know how to use vim though, use nano. To edit the SSH daemon configuration:

sudo vim /etc/ssh/sshd_config
#Find the line that says '#PermitRootLogin yes' and uncomment it

# /etc/ssh/sshd_config
PermitRootLogin no
# If there's no such line, add it to the file.

# While you're here, ensure that public key authentication is enabled (it should be by default)
# by verifying this line is uncommented and set to yes:
PubkeyAuthentication yes

For these changes to take effect, you’ll need to restart the SSH service. On Ubuntu, that’s as easy as:

sudo systemctl restart sshd

Before you log out from root, test the new setup in a new terminal window or tab. Try logging in as neo:

bash Copy code ssh neo@your_vps_ip If you set up everything correctly, you should be logged in without being asked for neo’s password, thanks to the magic of public key authentication.

ssh-copy-id neo@your_vps_ip
Enter neo's password when prompted, and your public key will be added to the ~/.ssh/authorized_keys file on your VPS, allowing you to log in as neo without a password.

## Installing WireGuard on the VPS
Now that you're in the belly of your VPS, it's time to install WireGuard. If you wisely chose Ubuntu 22.04, you can use the following commands to update your package manager's repository listing and
ensure your operating system is fully up to date and install WireGuard.

```bash
sudo apt-get update
sudo apt-get upgrade
sudo apt install wireguard -y
# This installs WireGuard and all the necessary components on your server.