Self Hosted WireGuard VPN on OpenBSD
HTML-код
- Опубликовано: 30 июн 2022
- Setting up a WireGuard VPN Server on OpenBSD with a Linux client.
Get yourself a Vultr VPS today
www.vultr.com/?ref=8791233
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF
Dash
Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz
Zcash
t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr
Chainlink
0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14
Bitcoin Cash
qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp
Etherum Classic
0xeA641e59913960f578ad39A6B4d02051A5556BfC
USD Coin
0x0B045f743A693b225630862a3464B52fefE79FdB
Subscribe to my RUclips channel goo.gl/9U10Wz
and be sure to click that notification bell so you know when new videos are released. 
Наука
![Skilla Baby - Misfits (Feat. Polo G) [Official Video]](http://i.ytimg.com/vi/IjsylSnNMyw/mqdefault.jpg)
Two important things that were not mentioned: Wireguard in-kernel support was first available in linux, it was recently merged in upstream openbsd, it's currently experimental on windows. I think there were software implementations on openbsd before the kernel support, so you'll want to ensure you are running a very recent kernel, and whatever you need to do to ensure you're running the kernel module for it to get the advertised performance. This probably isn't terribly relevant on slower internet speeds, but may be on slower vps.
Secondly, and more importantly, keep in mind that while a vpn may provide a secure connection between two endpoints, if you are concerned about privacy you can go ahead and toss that out of the window once that traffic hits a cloud service provider. Also don't assume your cloud vps is secure from the provider itself. If you are setting it up in this way your firewall rules at home should be such that you are treating the endpoint as a potentially hostile computer, grant no access back to your own services unless you need to. This kind of setup can be useful in certain cases though, to bypass geoip restrictions on videos, for remote work on the vps, etc. However the primary usecase from a security perspective is going to be creating a tunnel between two trusted endpoints, for example, your home and a laptop.
Good info.
I don't know wireguard as well as OpenVPN, but there are ways in OpenVPN to limit which VPN clients can talk to whom, on what ports, blah blah blah, because like you say from a industry point of view the VPN server is what's trusted, and all the personel connecting in are untrusted because their laptop might have been stolen, hacked, etc. But I imagine all of that could also be done through iptables/ipfw. The thing i think that wasn't mentioned in quite as much detail as i'd like is some background on the differences in the crypto protocols used, although that would be a series in its own right lol. Some of the wireguard crypto i've heard of before, but most not.
@@cannaroe1213 Generally the way you would do this on wireguard is with firewall rules at both sides. Wireguard provides a secure tunnel, but that's basically it.
"it was recently merged in upstream openbsd" huh? wireguard has been in the kernel for over two years now
@@blakkheim 2 years falls within my definition of recent personally. Like I said, there was a software implementation before that, so if you have a preexisting system, it's worth making sure you are recent enough to have the kernel module.
BSD stands for Based Secure Distribution.
I wouldn't call it based, it's a cuck license.
It should be openSSD
*BASED*
Based.
*B* a *S* e *D*
These deepfakes are so realistic. Can we have a tutorial on how to generate them, Luke?
I think it's a realistic latex jogger skin-suit. They cost $500+.
dumbest joke
@@lanpartylandlord6123 Okay and?
@@trayambakrai dumbest response
If it's not a deepfake then I swear they have to be roommates or something. I swear I've seen that room in one of Luke's videos before lol
This is Drake in a different, alternate universe.
bruh literally what i thought LOL
Drake wishes to be this BASED.
Is he still packing in this universe?
Take it back
Thanks for keeping your titles accurate, I might use them as a starting point at some point, so that makes it easier to find them.
I like this OpenBSD content, please make more! I've wanted to get into BSDs and OpenBSD specifically but found out that it's unfortunately nowhere near as covered as Linux on RUclips. Thanks!
The BSD's have a different way of promoting themselves. You can get most of the help through forums or their official mailing lists..
On a previous video he did mention many OpenBSD channels like
The OpenBSD guy (also on Odysee)
Root BSD (also on Odysee)
Zaney
If drake had a smart, programming, long lost gym bro brother...
dude that fade is SHARP!
Just finishing up my Peers on my own few WG installs, great timing! Looking great btw, looks like you've really made some impressive gains!
Really liked how you clearly said that the link vultr link is an affiliate link.
Only RUclipsr I religiously follow now, never feel like he's out there to milk his subscribers for all they're worth and that just makes me want to support him more.
Looking jacked, man! Great vid.
I appreciate the good content you produced. Keep up the great work.
hey dude, just want to tell you that i love you and your videos ! keep going
I love how OpenBSD has most things that are needed preinstalled as part of the base installation, all of which is audited line by line several times a year.
It has unbound and nsd for DNS, httpd for web server, a standard dhcpd server, e-mail server code, and more. It doesn't have a database system like mysql or postgresql, etc but that can be added.
Yeah, I like the fact OpenSMTP for emailing is part of the base system as well as a bunch of other userspace programs and their daemon counterparts.
@@Elhamidi0249 It makes it easy and convenient to use nothing but a base install for a network device like a firewall or DHCP, and/or DNS server, etc. I like using my t as an ad and/or domain blocker without the need to install something like pi-hole.
@@adrianfisher3349 It also makes a good desktop OS thanks to X11 and 3 window managers to choose from coming preinstalled with a default config.
@@Elhamidi0249 I've been using it as my daily driver for years now. It's good for productivity because it doesn't allow me to waste time on Netflix or Prime Video, etc :D I wish it had better support for Latex though.
@@adrianfisher3349 I also plan to daily drive it as I am doing this right now mainly to move away from GNU/Linux because even something like GNU/Linux comes with add-on features and apps you really don't want to have on your daily driver. Sure, they make your life easier on your desktop but here's the thing: You don't need them at all, at least 99.9% of the time and if you do then it's the 0.1% of the time you actually need it. But I also want to learn and understand computers and operating systems in general better and that's a thing I personally struggle with GNU/Linux. Sure, GNU/Linux gives you the foundational knowledge of how an OS built off from which components but it feels like a salad bowl of tools smashed together and forceably mixed into one pot expecting everything works OOTB everything magically being very well integrated. That's also my little nit pick with FreeBSD too but on FreeBSD the devs put actually a good amount of work into the OS to make everything work together and fine-tune the base system components. The only thing is when you install apps from the ports tree they don't integrate very well into your FreeBSD install. Docs aren't so well integrated into the base system as in form of man pages but you got the FreeBSD Handbook which is your Arch Linux Wiki, only just for FreeBSD instead for Arch Linux.
But nonetheless both operating systems are top-notch, I used to use NomadBSD, a desktop FreeBSD derivative for USB flash drives with a custom Openbox setup and a carefully selected suite of everyday needed desktop applications, before switching over to OpenBSD and they made a really good job bringing FreeBSD to the mobile desktop computing market, everything works OOTB with everything you (don't) need (depends on how you view it), installation was remarkably easy thanks to their custom installer, hell, you could even choose you favorite apps right on while you installing your system like your favorite graphical file managers, browsers, both command-line and graphical text editors and more. Another cool thing is, since you sacrifice only a USB flash drive you don't touch your hard drives/(NVMe) SSDs installed into your computer. And NomadBSD is free and open source like every BSD out there. Of course I could also install FreeBSD on a flash drive and build my custom desktop from there, which I will definitely do at some point, but NomadBSD is an OOTB solution as I mentioned before and for exploring what FreeBSD could look and feel like it on a daily driven desktop is fantastic. I highly recommend it over other ready-to-go desktop BSD options like GhostBSD, derived from TrueOS and PC-BSD, both of which are defunct FreeBSD forks aiming at desktop users - GhostBSD is the only fork who has survived bringing a pleasant desktop experience thanks to their custom software repos and MATE as the default DE - and MidnightBSD, a fork of FreeBSD v4.4 to bring FreeBSD to the desktop user masses.
Bro I never new what you looked like. Kettlebell brother! Turkish get ups are my favorite.
@Mental Outlaw Great content! I think the community would love if you'd build on this how to add Pi-hole and Unbound on top of this server!
There are many config mistakes that are easy to make when adding DNS routing from one service to another and especially Pi-hole is cool but can be a bit quirky with the others.
Anyway, thanks for the work you put in to help people with opsec. If you'd create scripts for the setup it would be quicker to replicate but ofc can be a bit more work.
@endofsummer Really? Why is that? Some dependencies missing or some configs that the OS doesn't allow you to touch?
2:40 Wireguard is a UDP only protocol anyway so blocking that is fairly easy by resticting outbound UDP. DPI firewalls can tell if your UDP 443 traffic is using QUIC or Wireguard and decide if it wants to drop or pass that traffic. If you want to hide the fact that your using a VPN is an obfuscation proxy of some sort. I was using a guest network that doesnt allow VPNs for some damn reason. I tried using Wireguard and that failed to connect. I then tried my backup openVPN server on 443 and the handshake completes and the connection established but it immediately disconnects. Ive looked into what was going on and I found that they are using a PaltoAlto firewall does a TCP reset attack against my open VPN connection. To get around this I've reconfigured openVPN to sit behind Stunnel proxy to mask the openVPN handshake by wrapping it in an TLS tunnel. Works flawlessly for me.
Used this to setup an openbsd box, thanks Kenny!
bruh was just searching how to setup a vpn on linode. Thanks man!!!
Love your videos mental outlaw, maybe you could give us some cool pfsense or openwrt videos too! Keep up the good work!
This's what I've been thinking of. Verry good
Excellent tutorial Luke 👌
We need a video on DDOS PROTECTION!
on God
EZ...
Just block port 69 and port 420
And don't forget to press ALT-F4 when you are done!
@@Reth_Hard Funny
its amazing to me that people are willing to commit a felony just to inconvenience someone. what a world we live in today.
@@kulled I've killed for less.
love the retro pc in the background
love the hair. very clean cut.
watched the first 10 seconds on the thumbnail and immediately clicked. +1 for the GOAT
ChadBSD content! Good job brother!
thanks for this video, helped guide me along with hardening my box
Vultr is also my go-to place for a VPS
Listen to your gut as far as your title and thumbnail ....I'm watching like and commenting no matter what my bro.
thanks for the video! any plans making one on split tunneling with regards to self hosted wireguard VPN?
Damn the deepfake is getting immensely buff 💪💪💪 keep it up
Have you considered ever doing a video on pfSense? It's an open source modem OS based on freebsd, you can buy modems with it pre-installed or you can build a cheap PC with a nice NIC card and install it on there. The security features are really extensive, it's a huge upgrade for anyone using standard modems to manage their network.
Would something like this be sufficient coverage for torrenting if self hosted, or would it be better to use something in a different country?
Thanks for the Video!
Unimportant question out of curiosity: Why it shows Belgium when you borrowed New Jersey server? Just an incorrect info from the ip check site?
watch out for that bicycle on the window, thing looks spooky af
An ironclad server by a deepfake gigachad. This is highly impressive stuff! 👊😁
If you're going to such great lengths for security as using OpenBSD, then maybe you should consider hosting the services on your own hardware and software image. The cloud provider (or whoever hacked them) could have placed backdoors in any software, maybe even in the hardware.
Explain what you mean? I want to make my own VPN , can I spoof location to the North Pole? Can I make the ISP name say anything I want?
@@unreleasedjuicewrld9792 If you only care about spoofing your location, then security probably isn't a great concern, other than preventing your server to become a part of a botnet, or do nasty things. You can use a cloud provider to buy a VPS on the North Pole, and install whatever OS and VPN software you want. The ISP name will be whatever ISP is used for your server though.
My point is that if you're so security conscious that you choose OpenBSD over say Linux, then you probably have extremely high privacy expectations (e.g. investigative journalism, activism, or criminal activity), and can't afford to trust any cloud provider. In that case you probably also want to fully control both the hardware and the software stack, and not use VPS or OpenBSD images from your cloud provider.
@@szaszm_ why do I actually need to buy a VPS at the North Pole? How does it know it’s at the North Pole? Surly it can be spoofed? When I used Tor one time I looked at my IP, and it was in the middle of the ocean and the ISP name was also custom & the IP numbers seemed somewhat customized too.
@@unreleasedjuicewrld9792 Geoip. When using a VPN, you're masking your own IP address by routing your traffic through the VPN. The other endpoint therefore only sees the VPN server connecting to it, not your home IP address. Tor is a different story, there you use the exit node's IP address in a similar way, except there are more hops inside the network, and it's less traceable.
Could you just run a router in an amazon web thing, and thus be secure so long as they don't specifically notice you're doing that?
What do you think about Waterfox it's really important 'cause I uninstalled firefox but now I am not sure whether it was a good decision or not
I didn't watch the video past the 2 minute mark. How useful is this for say downloading from the high seas?
Just out of curiosity:
What advantages does a setup like Wireguard VPN into ssh for server access have over regular cert based ssh authentication? Is this just to add one extra layer of authentication, in case the cert gets compromised somehow?
Yes it's an extra security layer. You configure your web servers to only allow SSH connections from the VPN. So in order for someone to connect they need your ssh keys and VPN access
Should we expect to see you sponsoring every RUclipsrs very soon?
:P
It would be cool to see a tutorial for Bitwarden, NextCloud, and email servers on OpenBSD.
Very similar of what i use, good stuff
Finally, more OpenBaSeD content on this channel.
@MentalOutlaw Great work!
wow you've gained a lot of muscle since i last saw you in one of your videos, maybe you can start doing fitness videos too.
Please make a video about Element and the Matrix protocol, and hosting a home-server with Synapse and Coturn. You have to use SSL for TLS connections and it's overall a really solid messaging platform. Check it out!
looking jacked af
I wanted to do an fpga device that sits between your modem and isp that silently analyzes your traffic and connects to your pc with an expansion slot to verify traffic but I'm really not a hardware guy
The source code of your diet... that’s the key to success & an impenetrable mind
👊💪
I admit that I don't really understand this topic too well yet.
is it possible to use WIREGUARD and layer another VPN on top of it that can obfuscate the use of a VPN?
or are there better solutions if I want to obfuscate the usage of a VPN like just using the openvpn protocol.
Also, how does the "current charges" part of of vultr here work?
OpenVPN's obfuscation methods are, if i'm not mistaken, mainly about using SSL/TLS over port 443 to make it look like HTTPS requests/responses. While this will deter 99% of network admin "dashboard wizards", the traffic signiture of an OpenVPN SSL connection isn't like normal webtraffic and can be detected. VPNs aren't really about hiding the fact that you're talking, only what you say. For the former, something like Tor or whatever the CIA are pushing these days is what you need.
I see that OpenBSD is not available on AWS Lightsail. FreeBSD is available, whould that be fine to use?
Happy Canada day guys!
most goated channel
Are you doing packages on the background?
I'm trying to get WireGuard operational on my Pi. Would this set up work similarly with PiVPN?
I wonder, is it possible to develop a protocol that would work below TCP/IP or UDP and would encrypt port numbers, so that local and remote port numbers are only known to sender and reciever, but not to devices in the middle
Should be doable. I think you can even stop sending port numbers all together if both server and clients do one specific thing. Even if you need some sort of port numbers, you can encode/encrypt port numbers however you want. Port numbers are just a hint for the kernel to push the packet to a correct socket opened by a correct process. If clients and server know what they are doing then conventional port numbers are not needed.
For example you can write your server and client programs so that they read ALL network packets and find packets sent to them by reading something else than the port number in the packet
I dont have a public interface like the one shown at 14:30 , I am using a self hosted system for the VPN. can anyone help? Should I just put the network interface I am using to connect to the internet?
I was hoping to get a wireguard video based on open bdsm but this will have to do
RUclips didn't recommend this to me. had to find it in your recent uploads.
Definitely gonna do something like this although I’ve got the musks latest starlink, which has no support for a static IP, so I’ve gotta do some black magic to figure that out.
Dynamic DNS
For self hosting services?
Only the wireguard server requires a static, so in outlaws example, the vps server should be the wireguard server.
Man's looking jacked
I really need to switch my VPN to wireguard from openVPN. I am using pfsense though and the last time I checked netgate had a shit implementation. I need to role to opensense, but that means taking down my 3 sites and that would be a PITA to swap, but I still need to. First world problems.
I can assure that wire guard is one the best line encryptions available, wireshark can only identify the protocol and no info other than that.
You're joking, right? Identifying the protocol means that it can be easily blocked by overzealous sysadmins.
@@KutAnimus Better to be blocked than cucked
For those who are concerned about tracking, my major American state university still has not blocked Tailscale or WireGuard VPNs on the student network, so most IT people probably do not know about it.
This never made any sense to me, why do they do this? Doesn't this impair learning for CS students?
@@subnumeric they do not really care. if you get your gear, you are good.
if i host Wireguard on my home network, I wouldn't be gaining any privacy from my ISP?
Guacamole moment
Will definitely do this once I have time. I have a spare raspberry pi lying around I think its gonna be perfect for this.
that spare raspberry Pi is worth gold right now.
@@tanmaypanadi1414 bro wtf just checked their price. Didn't know they got this expensive. Might have to go for those chinese alternatives if I ever need one.
Good stuff
I should try this, I've been using wireguard for years but I use a CentOS vps to host my vpn
Thanks for the tips!
LOL @ the Stand w Ukr/Biden flag. Are you also tipple boosted?
@@goodcitizen4587 Yes.
0:15 indeed our guy
quality content but please fix your microphone. good video might do this some day :)
Hey @Mental Outlaw can you do some price services overview.
THANK YOU
ayo my man got a fresh cut
BSD mania!
He looks different from what I imagined
@@cool-soap I thought he was a anime girl
for future videos, can you make a video about v2ray or xray? it's an interesting topic because chinese mainland people are using that protocol to bypass GFW.
Didnt understood a thing, might need to rewatch, but great job
Well thats a first for seeing what MentalOutlaw looks like
Isn’t wireguard in the base install now? Man wg(4)
damn u got some waves today
his head movements and body language in general is very AI-like ngl, gpt4?
Oh Jason Tatum got a beard now damn
What I want to know is are the rooms of every American always painted light grey with white woodwork?
Disadvantage over OpenVPN is for some LAN games which require Layer 2 connection, which Wireguard cannot do.
Honestly idk where the deep fake meme came from, but it's still a classic. Honestly your channel is pretty different than Luke's
In 10 years maybe we'll see black luke walking in the woods ranting about God and linux, I can only hope.
Fr thought this was Jayson Tatum for a sec
Nice Fade
Nice!
We need a video on the recent kungfu panda bear and winnie the pooh scandal!
If ur using a vpn, could u bypass the isp block for port forwarding? My isp disabled all port forwarding
yeh setup port forwarding on the vpn server
U mention that u think its a good protocol. Just curious do u have any security background, not asking to be rude or anything, just realized i dont know were you doing before youtube?
Network engineering, so yeah I have some security background but not as much as penetration testers (although one of my good friends is a pen tester)
@@MentalOutlaw oh cool i didnt know that
What about Fedora server? That's also "secure by default" as far as I understand
it's still linux so definitely not
VPS is only as secure as the host you use.
Probably not nearly as private as a dedicated server
I haven't been able to use openvpn without dns leaks except when using kde's network manager and specifying dns servers, and then the connection might drop and leak shit anyway :/
The trick is to make the openvpn server as the default network gateway and disallow all outgoing unless through the gateway. I mean yes that's a huge pain in the ass, but the TLDR is that if you *could* subvert your own vpn, so could a hacker, so you have to make it impossible for yourself not to go through the vpn to access the internet.
openvpn with static key mode easly gets through dpi firewalls