Self Hosted WireGuard VPN on OpenBSD

  • Published: 7 Feb 2025
  • Setting up a WireGuard VPN Server on OpenBSD with a Linux client.
    Get yourself a Vultr VPS today
    www.vultr.com/...

Comments • 350

  • @entelin 2 years ago +205

    Two important things that were not mentioned: Wireguard in-kernel support was first available in linux, it was recently merged in upstream openbsd, it's currently experimental on windows. I think there were software implementations on openbsd before the kernel support, so you'll want to ensure you are running a very recent kernel, and whatever you need to do to ensure you're running the kernel module for it to get the advertised performance. This probably isn't terribly relevant on slower internet speeds, but may be on slower vps.
    Secondly, and more importantly, keep in mind that while a vpn may provide a secure connection between two endpoints, if you are concerned about privacy you can go ahead and toss that out of the window once that traffic hits a cloud service provider. Also don't assume your cloud vps is secure from the provider itself. If you are setting it up in this way your firewall rules at home should be such that you are treating the endpoint as a potentially hostile computer, grant no access back to your own services unless you need to. This kind of setup can be useful in certain cases though, to bypass geoip restrictions on videos, for remote work on the vps, etc. However the primary usecase from a security perspective is going to be creating a tunnel between two trusted endpoints, for example, your home and a laptop.

    • @tacitus_ 2 years ago +2

      Good info.

    • @cannaroe1213 2 years ago +1

      I don't know wireguard as well as OpenVPN, but there are ways in OpenVPN to limit which VPN clients can talk to whom, on what ports, blah blah blah, because like you say from an industry point of view the VPN server is what's trusted, and all the personnel connecting in are untrusted because their laptop might have been stolen, hacked, etc. But I imagine all of that could also be done through iptables/ipfw. The thing i think that wasn't mentioned in quite as much detail as i'd like is some background on the differences in the crypto protocols used, although that would be a series in its own right lol. Some of the wireguard crypto i've heard of before, but most not.

    • @entelin 2 years ago

      @cannaroe1213 Generally the way you would do this on wireguard is with firewall rules at both sides. Wireguard provides a secure tunnel, but that's basically it.

    • @blakkheim 2 years ago

      "it was recently merged in upstream openbsd" huh? wireguard has been in the kernel for over two years now

    • @entelin 2 years ago +1

      @blakkheim 2 years falls within my definition of recent personally. Like I said, there was a software implementation before that, so if you have a preexisting system, it's worth making sure you are recent enough to have the kernel module.

  • @chralexNET 2 years ago +62

    Thanks for keeping your titles accurate, I might use them as a starting point at some point, so that makes it easier to find them.

  • @subnumeric 2 years ago +68

    I like this OpenBSD content, please make more! I've wanted to get into BSDs and OpenBSD specifically but found out that it's unfortunately nowhere near as covered as Linux on YouTube. Thanks!

    • @psymantz 2 years ago +1

      The BSDs have a different way of promoting themselves. You can get most of the help through forums or their official mailing lists.

    • @saumitit944 2 years ago

      On a previous video he did mention many OpenBSD channels like
      The OpenBSD guy (also on Odysee)
      Root BSD (also on Odysee)
      Zaney

  • @nandoxus 2 years ago +228

    BSD stands for Based Secure Distribution.

  • @gaminggamingtm 2 years ago +58

    This is Drake in a different, alternate universe.

    • @hamwasntavailable 2 years ago +1

      bruh literally what i thought LOL

    • @Don_XII 2 years ago +6

      Drake wishes to be this BASED.

    • @bubbly6379 10 months ago +1

      Is he still packing in this universe?

    • @SYN990 8 months ago +3

      Take it back

    • @MuhammadSalman7236 2 months ago

      Drake without the corny

  • @trayambakrai 2 years ago +720

    These deepfakes are so realistic. Can we have a tutorial on how to generate them, Luke?

    • @Degenerate76 2 years ago +105

      I think it's a realistic latex jogger skin-suit. They cost $500+.

    • @lanpartylandlord6123 2 years ago +14

      dumbest joke

    • @trayambakrai 2 years ago +71

      @lanpartylandlord6123 Okay and?

    • @lanpartylandlord6123 2 years ago +1

      @trayambakrai dumbest response

    • @newtonbomb 2 years ago +18

      If it's not a deepfake then I swear they have to be roommates or something. I swear I've seen that room in one of Luke's videos before lol

  • @thiagovieira8569 2 years ago +13

    dude that fade is SHARP!

  • @WACdeG 2 years ago +41

    Really liked how you clearly said that the vultr link is an affiliate link.

    • @Azazog 2 years ago +10

      Only YouTuber I religiously follow now, never feel like he's out there to milk his subscribers for all they're worth and that just makes me want to support him more.

  • @adrianfisher3349 2 years ago +55

    I love how OpenBSD has most things that are needed preinstalled as part of the base installation, all of which is audited line by line several times a year.
    It has unbound and nsd for DNS, httpd for web server, a standard dhcpd server, e-mail server code, and more. It doesn't have a database system like mysql or postgresql, etc but that can be added.

    • @Elhamidi0249 2 years ago +3

      Yeah, I like the fact OpenSMTP for emailing is part of the base system as well as a bunch of other userspace programs and their daemon counterparts.

    • @adrianfisher3349 2 years ago +3

      @Elhamidi0249 It makes it easy and convenient to use nothing but a base install for a network device like a firewall or DHCP, and/or DNS server, etc. I like using my t as an ad and/or domain blocker without the need to install something like pi-hole.

    • @Elhamidi0249 2 years ago +3

      @adrianfisher3349 It also makes a good desktop OS thanks to X11 and 3 window managers to choose from coming preinstalled with a default config.

    • @adrianfisher3349 2 years ago

      @Elhamidi0249 I've been using it as my daily driver for years now. It's good for productivity because it doesn't allow me to waste time on Netflix or Prime Video, etc :D I wish it had better support for Latex though.

    • @Elhamidi0249 2 years ago +2

      @adrianfisher3349 I also plan to daily drive it as I am doing this right now mainly to move away from GNU/Linux because even something like GNU/Linux comes with add-on features and apps you really don't want to have on your daily driver. Sure, they make your life easier on your desktop but here's the thing: You don't need them at all, at least 99.9% of the time and if you do then it's the 0.1% of the time you actually need it. But I also want to learn and understand computers and operating systems in general better and that's a thing I personally struggle with GNU/Linux. Sure, GNU/Linux gives you the foundational knowledge of how an OS built off from which components but it feels like a salad bowl of tools smashed together and forcibly mixed into one pot expecting everything works OOTB everything magically being very well integrated. That's also my little nit pick with FreeBSD too but on FreeBSD the devs put actually a good amount of work into the OS to make everything work together and fine-tune the base system components. The only thing is when you install apps from the ports tree they don't integrate very well into your FreeBSD install. Docs aren't so well integrated into the base system as in form of man pages but you got the FreeBSD Handbook which is your Arch Linux Wiki, only just for FreeBSD instead for Arch Linux.
      But nonetheless both operating systems are top-notch, I used to use NomadBSD, a desktop FreeBSD derivative for USB flash drives with a custom Openbox setup and a carefully selected suite of everyday needed desktop applications, before switching over to OpenBSD and they made a really good job bringing FreeBSD to the mobile desktop computing market, everything works OOTB with everything you (don't) need (depends on how you view it), installation was remarkably easy thanks to their custom installer, hell, you could even choose your favorite apps right on while you're installing your system like your favorite graphical file managers, browsers, both command-line and graphical text editors and more. Another cool thing is, since you sacrifice only a USB flash drive you don't touch your hard drives/(NVMe) SSDs installed into your computer. And NomadBSD is free and open source like every BSD out there. Of course I could also install FreeBSD on a flash drive and build my custom desktop from there, which I will definitely do at some point, but NomadBSD is an OOTB solution as I mentioned before and for exploring what FreeBSD could look and feel like it on a daily driven desktop is fantastic. I highly recommend it over other ready-to-go desktop BSD options like GhostBSD, derived from TrueOS and PC-BSD, both of which are defunct FreeBSD forks aiming at desktop users - GhostBSD is the only fork who has survived bringing a pleasant desktop experience thanks to their custom software repos and MATE as the default DE - and MidnightBSD, a fork of FreeBSD v4.4 to bring FreeBSD to the desktop user masses.

  • @greuju 2 years ago +1

    Bro I never knew what you looked like. Kettlebell brother! Turkish get ups are my favorite.

  • @Peter-vj7bs 2 years ago +25

    @Mental Outlaw Great content! I think the community would love if you'd build on this how to add Pi-hole and Unbound on top of this server!
    There are many config mistakes that are easy to make when adding DNS routing from one service to another and especially Pi-hole is cool but can be a bit quirky with the others.
    Anyway, thanks for the work you put in to help people with opsec. If you'd create scripts for the setup it would be quicker to replicate but ofc can be a bit more work.

    • @Peter-vj7bs 2 years ago

      @endofsummer Really? Why is that? Some dependencies missing or some configs that the OS doesn't allow you to touch?

  • @alexlopez5800 2 years ago +19

    If drake had a smart, programming, long lost gym bro brother...

  • @FoxTheSaw 2 years ago +1

    Looking jacked, man! Great vid.

  • @BubbleSki2 2 years ago +1

    hey dude, just want to tell you that i love you and your videos ! keep going

  • @szaszm_ 2 years ago +11

    If you're going to such great lengths for security as using OpenBSD, then maybe you should consider hosting the services on your own hardware and software image. The cloud provider (or whoever hacked them) could have placed backdoors in any software, maybe even in the hardware.

    • @unreleasedjuicewrld9792 2 years ago

      Explain what you mean? I want to make my own VPN , can I spoof location to the North Pole? Can I make the ISP name say anything I want?

    • @szaszm_ 2 years ago +4

      @unreleasedjuicewrld9792 If you only care about spoofing your location, then security probably isn't a great concern, other than preventing your server to become a part of a botnet, or do nasty things. You can use a cloud provider to buy a VPS on the North Pole, and install whatever OS and VPN software you want. The ISP name will be whatever ISP is used for your server though.
      My point is that if you're so security conscious that you choose OpenBSD over say Linux, then you probably have extremely high privacy expectations (e.g. investigative journalism, activism, or criminal activity), and can't afford to trust any cloud provider. In that case you probably also want to fully control both the hardware and the software stack, and not use VPS or OpenBSD images from your cloud provider.

    • @unreleasedjuicewrld9792 2 years ago

      @szaszm_ why do I actually need to buy a VPS at the North Pole? How does it know it’s at the North Pole? Surely it can be spoofed? When I used Tor one time I looked at my IP, and it was in the middle of the ocean and the ISP name was also custom & the IP numbers seemed somewhat customized too.

    • @szaszm_ 2 years ago +3

      @unreleasedjuicewrld9792 Geoip. When using a VPN, you're masking your own IP address by routing your traffic through the VPN. The other endpoint therefore only sees the VPN server connecting to it, not your home IP address. Tor is a different story, there you use the exit node's IP address in a similar way, except there are more hops inside the network, and it's less traceable.

  • @mrfoodarama 2 years ago

    Just finishing up my Peers on my own few WG installs, great timing! Looking great btw, looks like you've really made some impressive gains!

  • @notorious_mig7878 2 years ago

    watched the first 10 seconds on the thumbnail and immediately clicked. +1 for the GOAT

  • @blubaustin1 2 years ago +15

    Love your videos mental outlaw, maybe you could give us some cool pfsense or openwrt videos too! Keep up the good work!

  • @cyphercrypto8922 2 years ago

    I appreciate the good content you produced. Keep up the great work.

  • @nxnu2119 2 years ago +1

    Listen to your gut as far as your title and thumbnail ....I'm watching like and commenting no matter what my bro.

  • @sprite_goblin 2 years ago +2

    Have you considered ever doing a video on pfSense? It's an open source modem OS based on freebsd, you can buy modems with it pre-installed or you can build a cheap PC with a nice NIC card and install it on there. The security features are really extensive, it's a huge upgrade for anyone using standard modems to manage their network.

  • @philipmrch8326 2 years ago +2

    Vultr is also my go-to place for a VPS

  • @brandonbaldwin3095 2 years ago +7

    I can assure that wire guard is one of the best line encryptions available, wireshark can only identify the protocol and no info other than that.

    • @KutAnimus 2 years ago +5

      You're joking, right? Identifying the protocol means that it can be easily blocked by overzealous sysadmins.

    • @cannaroe1213 2 years ago

      @KutAnimus Better to be blocked than cucked

  • @main-browsing5521 2 years ago

    bruh was just searching how to setup a vpn on linode. Thanks man!!!

  • @christopherroberts2986 2 years ago +25

    2:40 Wireguard is a UDP only protocol anyway so blocking that is fairly easy by restricting outbound UDP. DPI firewalls can tell if your UDP 443 traffic is using QUIC or Wireguard and decide if it wants to drop or pass that traffic. If you want to hide the fact that you're using a VPN, use an obfuscation proxy of some sort. I was using a guest network that doesn't allow VPNs for some damn reason. I tried using Wireguard and that failed to connect. I then tried my backup openVPN server on 443 and the handshake completes and the connection established but it immediately disconnects. I've looked into what was going on and I found that they are using a Palo Alto firewall that does a TCP reset attack against my open VPN connection. To get around this I've reconfigured openVPN to sit behind Stunnel proxy to mask the openVPN handshake by wrapping it in a TLS tunnel. Works flawlessly for me.

  • @JoshuaBlais 2 years ago

    Used this to setup an openbsd box, thanks Kenny!

  • @JamesWilson01 2 years ago +3

    An ironclad server by a deepfake gigachad. This is highly impressive stuff! 👊😁

  • @BeansEnjoyer911 2 years ago

    love the retro pc in the background

  • @TadanoHitohito 2 years ago +3

    For those who are concerned about tracking, my major American state university still has not blocked Tailscale or WireGuard VPNs on the student network, so most IT people probably do not know about it.

    • @subnumeric 2 years ago

      This never made any sense to me, why do they do this? Doesn't this impair learning for CS students?

    • @TadanoHitohito 2 years ago +1

      @subnumeric they do not really care. if you get your gear, you are good.

  • @candydopeman3339 2 years ago +1

    This is what I've been thinking of. Very good

  • @markcx5461 2 years ago +1

    Well that's a first for seeing what MentalOutlaw looks like

  • @minineji7050 2 years ago +16

    Damn the deepfake is getting immensely buff 💪💪💪 keep it up

  • @Reth_Hard 2 years ago +8

    Should we expect to see you sponsoring every YouTuber very soon?
    :P

  • @Sunnywastakentoo 2 years ago +7

    Definitely gonna do something like this although I’ve got the musks latest starlink, which has no support for a static IP, so I’ve gotta do some black magic to figure that out.

    • @Shotblur 2 years ago +5

      Dynamic DNS

    • @highvisibilityraincoat 2 years ago +1

      For self hosting services?

    • @entelin 2 years ago +6

      Only the wireguard server requires a static, so in outlaws example, the vps server should be the wireguard server.

  • @xiaowong6651 2 years ago +4

    0:15 indeed our guy

  • @jackdonovan5435 2 years ago +1

    Man's looking jacked

  • @MrCodix 2 years ago +2

    wow you've gained a lot of muscle since i last saw you in one of your videos, maybe you can start doing fitness videos too.

  • @Cheddarswiss21 2 years ago

    thanks for this video, helped guide me along with hardening my box

  • @trollerjakthetrollinggod-e7761 2 years ago +1

    It would be cool to see a tutorial for Bitwarden, NextCloud, and email servers on OpenBSD.

  • @JustSomeAussie1 2 years ago +2

    looking jacked af

  • @MrFujinko 2 years ago

    watch out for that bicycle on the window, thing looks spooky af

  • @godnyx117 2 years ago +1

    ChadBSD content! Good job brother!

  • @richiekho8938 2 years ago +1

    never know he is a giga chad all along

  • @Elhamidi0249 2 years ago

    Finally, more OpenBaSeD content on this channel.
    @MentalOutlaw Great work!

  • @brennanlaurent4748 2 years ago +3

    He looks different from what I imagined

  • @remke5137 2 years ago

    Honestly idk where the deep fake meme came from, but it's still a classic. Honestly your channel is pretty different than Luke's

    • @tylerdean980 2 years ago +1

      In 10 years maybe we'll see black luke walking in the woods ranting about God and linux, I can only hope.

  • @ARV1999 2 years ago +1

    love the hair. very clean cut.

  • @toxicwxste 2 years ago +3

    Please make a video about Element and the Matrix protocol, and hosting a home-server with Synapse and Coturn. You have to use SSL for TLS connections and it's overall a really solid messaging platform. Check it out!

  • @vicaf1617 2 years ago +4

    Will definitely do this once I have time. I have a spare raspberry pi lying around I think its gonna be perfect for this.

    • @tanmaypanadi1414 2 years ago +1

      that spare raspberry Pi is worth gold right now.

    • @vicaf1617 2 years ago

      @tanmaypanadi1414 bro wtf just checked their price. Didn't know they got this expensive. Might have to go for those chinese alternatives if I ever need one.

  • @Karlsefni-e1s 2 years ago +1

    Fr thought this was Jayson Tatum for a sec

  • @Catge 2 years ago

    Excellent tutorial Luke 👌

  • @DesignWithTommy 2 years ago

    YouTube didn't recommend this to me. had to find it in your recent uploads.

  • @ArismaShorts 2 years ago +1

    Bros looking like a giga Chad meme person

  • @zanyaboutit 1 year ago +1

    Unimportant question out of curiosity: Why it shows Belgium when you borrowed New Jersey server? Just an incorrect info from the ip check site?

  • @lazerusmfh 2 years ago +3

    I was hoping to get a wireguard video based on open bdsm but this will have to do

  • @-someone-. 2 years ago

    The source code of your diet... that’s the key to success & an impenetrable mind
    👊💪

  • @user-df1gs1kf8w 2 years ago +3

    Happy Canada day guys!

  • @thomasslone1964 1 year ago

    I wanted to do an fpga device that sits between your modem and isp that silently analyzes your traffic and connects to your pc with an expansion slot to verify traffic but I'm really not a hardware guy

  • @ghans2305 2 years ago

    I should try this, I've been using wireguard for years but I use a CentOS vps to host my vpn

  • @ungingerzzz 2 years ago +1

    Jason Tatum got into IT

  • @GrandePirataCibernetico 5 months ago

    90% of comments about Mental Outlaw surprising appearance
    10% about self-hosting a VPN

  • @RealMattCook 2 years ago +1

    Thanks for your wonderful videos. The Vultr AUP is very poor and says you can’t post anything that is “Offensive Content. Content that is harmful to minors in any way, defamatory, libelous, obscene, abusive, threatening, discriminatory, harassing, invasive of privacy, false, intentionally misleading, patently offensive, or otherwise objectionable” Which I think is bogus. I like to work with hosting companies who just say you can’t do anything illegal or that tries to bypass their policies. The “offensive” thing opens you up to having them shut you down for any reason.

  • @echoptic775 2 years ago +1

    U mention that u think its a good protocol. Just curious do u have any security background, not asking to be rude or anything, just realized i dont know were you doing before youtube?

    • @MentalOutlaw 2 years ago +1

      Network engineering, so yeah I have some security background but not as much as penetration testers (although one of my good friends is a pen tester)

    • @echoptic775 2 years ago

      @MentalOutlaw oh cool i didnt know that

  • @josesosa1017 3 months ago

    Thank you brudda!

  • @fewstr 2 years ago

    quality content but please fix your microphone. good video might do this some day :)

  • @richardfreeman724 2 years ago +2

    These deepfakes are getting really good. Good job M8!!!

  • @tylerdean980 2 years ago +1

    Would something like this be sufficient coverage for torrenting if self hosted, or would it be better to use something in a different country?

  • @MrRetinas 2 years ago

    What I want to know is are the rooms of every American always painted light grey with white woodwork?

  • @anesbelarbi6900 2 years ago

    Oh Jason Tatum got a beard now damn

  • @Mateus01234 2 years ago +2

    Thanks for the tips!

    • @goodcitizen4587 2 years ago +1

      LOL @ the Stand w Ukr/Biden flag. Are you also tipple boosted?

    • @Mateus01234 2 years ago

      @goodcitizen4587 Yes.

  • @NotoriousArnav 2 years ago

    Didn't understand a thing, might need to rewatch, but great job

  • @midimusicforever 2 years ago +2

    BSD mania!

  • @xaltotunacheron7544 2 years ago

    Very similar of what i use, good stuff

  • @scoringdigitsson.5194 2 years ago

    We need a video on the recent kungfu panda bear and winnie the pooh scandal!

  • @TheHrabik 2 years ago

    thanks for the video! any plans making one on split tunneling with regards to self hosted wireguard VPN?

  • @johnyferreira8733 1 year ago

    I self host WireGuard using docker. It’s easy, simple and secure.

  • @wchorski 2 years ago

    if i host Wireguard on my home network, I wouldn't be gaining any privacy from my ISP?

  • @mossie125 10 months ago

    I see that OpenBSD is not available on AWS Lightsail. FreeBSD is available, would that be fine to use?

  • @jungermeister4940 2 years ago

    What do you think about Waterfox it's really important 'cause I uninstalled firefox but now I am not sure whether it was a good decision or not

  • @guacfiend 2 years ago

    most goated channel

  • @vincentadams3807 2 years ago

    I dont have a public interface like the one shown at 14:30 , I am using a self hosted system for the VPN. can anyone help? Should I just put the network interface I am using to connect to the internet?

  • @c.j.hatton 2 years ago +3

    6:57 it says you have an intel cpu, but you selected an amd cpu

    • @lilcheaty 2 years ago +3

      amd64 stands for the x86 or x64 architecture itself, it doesn't mean that its running something made for amd

  • @vulkunvision 2 years ago +1

    Im not gonna lie, we look extremely similar

  • @RealMattCook 2 years ago

    Linode’s AUP is much better. “Abuse. The Services may only be used for lawful purposes. You shall not use any Service to engage in, foster, or promote illegal, abusive, fraudulent, or irresponsible behavior, including without limitation:
    Creation or distribution of unsolicited bulk email and mailing lists;
    Creation of an account after being previously terminated by Linode without our prior written permission;
    Disruption or interference of any data system or network, computer or communications system, software application, or network or computing device;
    Monitoring data or traffic on any network or system without the express authorization of the owner of the system or network etc.”

  • @chrishears 2 years ago

    I'm trying to get WireGuard operational on my Pi. Would this set up work similarly with PiVPN?

  • @robobrain10000 2 years ago

    I didn't watch the video past the 2 minute mark. How useful is this for say downloading from the high seas?

  • @xtremecoding4005 6 months ago

    Didn't he deploy an AMD box? Why neofetch says Intel?

  • @ohgodmanyo4662 2 years ago +5

    Guacamole moment

  • @orlovskyconsulting 2 years ago

    Hey @Mental Outlaw can you do some price services overview.

  • @HyuLilium 2 years ago

    Disadvantage over OpenVPN is for some LAN games which require Layer 2 connection, which Wireguard cannot do.

  • @julienfrench2963 2 years ago

    Why don't you use docker? One command and you start a docker container with your vpn server, if for example someone find remote code execution or something like this in wireguard, he can only access to wireguard container, no more ;)

    • @blakkheim 2 years ago +1

      docker is explicitly not meant to be any form of secure containment. their developers will tell you this.

    • @jayp9158 2 years ago +1

      1. Docker is not supported on OpenBSD
      2. The VPS is used exclusively for Wireguard, so you don't need an extra isolation layer

  • @breezyx976 2 years ago

    Could you just run a router in an amazon web thing, and thus be secure so long as they don't specifically notice you're doing that?

  • @Deniil2000 2 years ago

    I wonder, is it possible to develop a protocol that would work below TCP/IP or UDP and would encrypt port numbers, so that local and remote port numbers are only known to sender and receiver, but not to devices in the middle

    • @tgr5588 2 years ago

      Should be doable. I think you can even stop sending port numbers all together if both server and clients do one specific thing. Even if you need some sort of port numbers, you can encode/encrypt port numbers however you want. Port numbers are just a hint for the kernel to push the packet to a correct socket opened by a correct process. If clients and server know what they are doing then conventional port numbers are not needed.
      For example you can write your server and client programs so that they read ALL network packets and find packets sent to them by reading something else than the port number in the packet

  • @hgbugalou 2 years ago

    I really need to switch my VPN to wireguard from openVPN. I am using pfsense though and the last time I checked netgate had a shit implementation. I need to roll to opensense, but that means taking down my 3 sites and that would be a PITA to swap, but I still need to. First world problems.

  • @JoeMama-ii1hg 2 years ago +1

    damn u got some waves today

  • @ligmaballs674 2 years ago

    The like and comment to hack the algorithm is very important

  • @alywa6099 2 years ago

    for future videos, can you make a video about v2ray or xray? it's an interesting topic because chinese mainland people are using that protocol to bypass GFW.

  • @marcello4258 1 year ago

    Isn’t wireguard in the base install now? Man wg(4)

  • @flaviosnow8808 2 years ago

    Are you doing packages on the background?

  • @nvme1n1 2 years ago

    Just out of curiosity:
    What advantages does a setup like Wireguard VPN into ssh for server access have over regular cert based ssh authentication? Is this just to add one extra layer of authentication, in case the cert gets compromised somehow?

    • @MentalOutlaw 2 years ago +6

      Yes it's an extra security layer. You configure your web servers to only allow SSH connections from the VPN. So in order for someone to connect they need your ssh keys and VPN access
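
An added example, not from the video or from any commenter: one way to express "only allow SSH connections from the VPN" in OpenBSD's pf.conf, with the permissive rule shown commented out beside the restricted one. It assumes the host is itself a WireGuard peer; the interface name `wg0`, the tunnel subnet `10.0.0.0/24` and UDP port `51820` are assumed values.

```conf
# /etc/pf.conf fragment (added example; wg0, 10.0.0.0/24 and 51820 are assumed values)
wg_if   = "wg0"           # assumed WireGuard interface
wg_net  = "10.0.0.0/24"   # assumed tunnel subnet
wg_port = "51820"         # assumed WireGuard listen port

set skip on lo
block return              # default deny, inbound and outbound
pass out                  # traffic originated by this host (stateful by default)

# The tunnel endpoint is the only service exposed to the internet.
pass in on egress proto udp from any to (egress) port $wg_port

# Weak: SSH reachable from anywhere, protected by the SSH key alone.
# pass in on egress proto tcp from any to (egress) port ssh

# Restricted: SSH only from tunnel peers and only on the tunnel interface,
# so a client needs both a valid WireGuard key and a valid SSH key.
pass in on $wg_if proto tcp from $wg_net to ($wg_if) port ssh
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it, and keep a console session open until SSH over the tunnel is confirmed to work.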