VPN
Virtual Private Network. A virtual network laid over a physical one: packets of the virtual network are wrapped in an encrypted and authenticated tunnel and carried across the physical network (e.g. the internet).
Use cases:
- Change the public IP address that remote hosts see
- Bypass government/ISP restrictions
- Prevent the ISP from seeing DNS queries and traffic metadata (the VPN provider sees them instead)
- Connect securely from an insecure network (e.g. public Wi-Fi)
- Access internal infrastructure from a public network (the original purpose of VPN)
A VPN server is a host that terminates the tunnel and forwards the traffic of the other hosts onward (e.g. to the internet), usually with NAT. From the client's point of view it is basically a proxy server reached over an encrypted, authenticated transport.
Cons of using VPN services:
- https://gist.github.com/joepie91/5a9909939e6ce7d09e29
- https://overengineer.dev/blog/2019/04/08/very-precarious-narrative.html
Protocols
- IPsec (usually with IKEv2 for key exchange)
- OpenVPN
- WireGuard
Comparison: https://www.ivpn.net/pptp-vs-ipsec-ikev2-vs-openvpn-vs-wireguard
WireGuard
A modern, performance-focused VPN protocol that uses UDP. Each peer is identified by a static Curve25519 public key; a 1-RTT Noise handshake derives fresh session keys and the transport uses ChaCha20-Poly1305.
✏️ Note
The protocol only covers the handshake and the transport. Key generation, distribution and revocation are out of scope: keys are generated locally (wg genkey | tee private | wg pubkey), public keys are copied between peers by hand or by some tooling of your own, and a peer is revoked by removing its [Peer] section.
Setup
Guides:
- https://github.com/pirate/wireguard-docs
- https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6
- https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11
- https://medium.com/tangram-visions/what-they-dont-tell-you-about-setting-up-a-wireguard-vpn-46f7bd168478
💡 Hint
The wg and wg-quick man pages are also worth reading.
Config
Default location: /etc/wireguard/wg0.conf
A host is reached internally via its Address (its IP inside the tunnel, the virtual network) and externally via its Endpoint (the peer's public IP:port on the physical network). A peer without an Endpoint (typical for roaming clients) is learned from the source of its first authenticated packet and updated on every later one.
The AllowedIPs parameter of a [Peer] does two things (cryptokey routing): outgoing packets to those destinations are sent to that peer, and incoming packets from that peer are accepted only if their source address is in the list.
Use 0.0.0.0/0 (and ::/0 for IPv6) on the client to tunnel all traffic; on the server list only each client's tunnel address (e.g. 10.8.0.2/32).
The wg-quick tool changes the system DNS servers to those in the DNS= line on up (via resolvconf) and resets them on down; plain wg does not touch DNS at all.
The possibility of DNS leaks depends on how the VPN is configured:
- All traffic is tunneled: DNS requests are also tunneled, whichever resolver is used.
- Some traffic is tunneled: DNS requests leak if the resolver is outside AllowedIPs, in particular when no DNS= is set and the default resolver (usually provided by the ISP) stays in use.
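Worked example for the config and DNS-leak notes above: three constructed wg-quick client configs (full tunnel, split tunnel without DNS=, IPv4-only tunnel) and a small checker that parses the config, works out what AllowedIPs tunnels and applies the leak rules above. This is an added example, not code from these notes, the WireGuard project or the linked guides; the keys, addresses, the host name vpn.example.net and the function names are placeholders and assumptions. It needs only the Python standard library.

```python
# Static check of a wg-quick config: which destinations are tunneled and whether
# DNS can leak. Added example for these notes, not code from the WireGuard project;
# the three configs are constructed samples and their keys are placeholders.
import ipaddress

# Full tunnel: everything goes to the peer, resolver is the server's tunnel address.
FULL_TUNNEL = """\
[Interface]
Address = 10.8.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
DNS = 10.8.0.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

# Split tunnel: only office prefixes are routed and no DNS line is given.
SPLIT_TUNNEL = """\
[Interface]
Address = 10.8.0.3/24
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.8.0.0/24, 192.168.100.0/24
"""

# IPv4-only full tunnel written as two /1 halves; IPv6 is left untouched.
V4_ONLY_TUNNEL = """\
[Interface]
Address = 10.8.0.4/24
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
"""


def parse_wg_config(text):
    """Parse wg-quick's INI-like syntax into {"interface": {...}, "peers": [...]}.
    Keys are lowercased and every value is a list: AllowedIPs and DNS may be
    comma-separated and may also be repeated on several lines."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (p.strip() for p in line.split("=", 1))
        current.setdefault(key.lower(), []).extend(
            v.strip() for v in value.split(",") if v.strip())
    return {"interface": interface, "peers": peers}


def tunneled_networks(cfg):
    """Union of every peer's AllowedIPs: the destinations routed into the tunnel."""
    return [ipaddress.ip_network(cidr, strict=False)
            for peer in cfg["peers"] for cidr in peer.get("allowedips", [])]


def covers_all(nets, version):
    """True if the prefixes of one IP version cover that whole address space.
    collapse_addresses merges adjacent prefixes, so 0.0.0.0/1 + 128.0.0.0/1
    counts as a full tunnel just like 0.0.0.0/0."""
    same = [n for n in nets if n.version == version]
    whole = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    return bool(same) and list(ipaddress.collapse_addresses(same)) == [whole]


def leak_findings(cfg):
    """Leak findings as strings; an empty list means nothing is expected to leak."""
    nets = tunneled_networks(cfg)
    v4_full, v6_full = covers_all(nets, 4), covers_all(nets, 6)
    resolvers = []
    for entry in cfg["interface"].get("dns", []):
        try:
            resolvers.append(ipaddress.ip_address(entry))
        except ValueError:
            pass  # DNS= may also carry search domains, which are not resolvers
    findings = []
    if not resolvers and not (v4_full and v6_full):
        findings.append("no DNS= and the tunnel is not full: the default (ISP) resolver is used outside the tunnel")
    for r in resolvers:
        if not any(r in n for n in nets):
            findings.append(f"resolver {r} is outside AllowedIPs: queries to it bypass the tunnel")
    if v4_full and not v6_full:
        findings.append("IPv6 is not tunneled: IPv6 traffic, including any IPv6 resolver, bypasses the tunnel")
    return findings
```

Call leak_findings(parse_wg_config(text)) on your own /etc/wireguard/wg0.conf. The third sample shows a caveat the list above does not spell out: 0.0.0.0/0 (or the two /1 halves) only captures IPv4, so on a dual-stack client IPv6 traffic and any IPv6 resolver go around the tunnel unless ::/0 is tunneled too or IPv6 is disabled on the client.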
💡 Hint
Use https://browserleaks.com and https://www.dnsleaktest.com to detect leaks.