Wireguard(-go) on LES NAT Virtuozzo VPS

edited November 2019 in Help

Thought I'd post this as its own topic in case it's useful (mods, feel free to delete/move if it's inappropriate)

It's actually reasonably simple to setup the userspace wireguard-go binary yourself with this guide (full Wireguard requires a host node kernel module to be active on OpenVZ/Virtuozzo, and it's not on any LES providers that I know of because it's a pain (https://wiki.openvz.org/VPN_using_Wireguard) - if there are any be known :-)):

Guide

https://d.sb/2019/07/wireguard-on-openvz-lxc

Notes from me:

  • Pinning the unstable Debian repo to get the wireguard-tools package in a 128MB LES NAT VPS gave me "failed to fork" errors with apt commands. Switching to Anthony's new slimline Ubuntu 18.04 template meant I could use the Wireguard PPA instead, which doesn't use as much resources. Pinning the unstable repo might work fine on the new 256MB plans though...
  • Compiling the wireguard-go binary is much better done on a local machine with more resources than a LES box (be sure to make the necessary adjustments detailed to keep RAM usage low!) Once it spits out the binary, push it onto your LES box with SCP/SFTP etc., copy it to /usr/local/bin and make it executable

I've got this setup working nicely on one of Ant's UK 128MB NAT VPSes, and even though Wireguard is the userspace go implementation, speeds have been better than OpenVPN for me. Of course, OpenVPN is older and much more thoroughly historically audited compared to Wireguard (but that's a digression for someone else to take up).

NB - Credit for the linked guide goes to Daniel15 of course.

Comments

  • sonicsonic OG
    edited November 2019

    This is also what I'm looking for.
    I'm running wireguard + pihole on small VPS (128 MB RAM) with dedicated IPv4 quite stable. Hope to see how it goes on NAT vps.

    Shared: Smallweb| VPS: Wishosting, NexusBytes, FlowVPS, VirMach, InceptionHosting, Linode
    Gapps legacy 100/200 users cheap 4 sale. PM

  • If you compile wireguard-go, I'd recommend also compiling wireguard-tools. I've compiled both on Debian 11, and they work just fine on Debian 9 VPS.

    Linked guide will show you how to setup basic VPN, but you won't be able to access outside internet. If you intend to use VPN as a proxy to outside internet, you also need to setup iptables NAT on the server and DNS on the client. Here is a good guide for configuration: https://angristan.xyz/how-to-setup-vpn-server-wireguard-nat-ipv6/

    With these guides, I was able to setup VPN in 10 minutes. OpenVPN took 3 hours! On my VPS, wireguard-go (no optimizations applied) without clients uses 512 KB RAM. With one client (YouTube videos, speedtest) it uses 1.5-3 MB.

    Installation on the client side or KVM VPS, of course, is simply "apt-get install wireguard".

    Thanked by greensysadmin
  • edited November 2019

    @intelpentium said:

    Linked guide will show you how to setup basic VPN, but you won't be able to access outside internet. If you intend to use VPN as a proxy to outside internet, you also need to setup iptables NAT on the server and DNS on the client. Here is a good guide for configuration: https://angristan.xyz/how-to-setup-vpn-server-wireguard-nat-ipv6/

    Oh no, you've invoked an unpopular figure here... I'll leave it at that. I prefer this guide for actual Wireguard config:

    https://www.stavros.io/posts/how-to-configure-wireguard/

  • greensysadmin said: I prefer this guide for actual Wireguard config:

    You also need DNS for a "proxy" VPN. It's very important, but not obvious at first.

    If you don't put DNS settings into your client configuration, wireguard will use your ISP DNS server. Websites can see it and use this information to identify you.

  • edited November 2019

    @intelpentium said:

    greensysadmin said: I prefer this guide for actual Wireguard config:

    You also need DNS for a "proxy" VPN. It's very important, but not obvious at first.

    If you don't put DNS settings into your client configuration, wireguard will use your ISP DNS server. Websites can see it and use this information to identify you.

    Doesn't work by default on Ubuntu 18.04:

    https://github.com/StreisandEffect/streisand/issues/1434

    You can either install openresolv, symlink resolvectl to resolvconf or copy Mullvad's handy trick:

    https://mullvad.net/en/help/wireguard-and-mullvad-vpn/

    Basically, add:

    PostUp = systemd-resolve -i %i --set-dns=X.X.X.X --set-domain=~.

    to your config, replacing X.X.X.X with your desired DNS, or a list by repeating --set-dns=X.X.X.X for each DNS server.

  • greensysadmin said: openresolv

    I like openresolv solution. It's 100 KB package and then client config is simply:
    [Interface]
    DNS = 192.168.0.2,192.168.0.3

  • I often install Pihole together with Wireguard and set DNS to 10.0.0.1 (pihole IP).

    Shared: Smallweb| VPS: Wishosting, NexusBytes, FlowVPS, VirMach, InceptionHosting, Linode
    Gapps legacy 100/200 users cheap 4 sale. PM

  • Would it possible to trigger CPU abuse warning if I tried to compile it locally?

  • mikhomikho Hosting ProviderOG

    @abnoeh said:
    Would it possible to trigger CPU abuse warning if I tried to compile it locally?

    Depending on how long time needed for the compilaton, it could trigger the CPU limit.

    Get 4 or more NAT servers (mix/match between packages) and get 45% recurring discount. https://clients.mrvm.net

Sign In or Register to comment.