Merge pull request #14 from ditatompel/ditatompels/new-articles

Ditatompels/new articles

archetypes/blog.md

@@ -31,5 +31,6 @@ authors:
 Summary.
 
 <!--more-->
+---
 
 Content.

archetypes/docs.md

@@ -35,5 +35,6 @@ authors:
 Summary.
 
 <!--more-->
+---
 
 Content.

archetypes/tutorials.md

@@ -34,5 +34,6 @@ authors:
 Summary.
 
 <!--more-->
+---
 
 Content.

content/tutorials/configure-wireguard-vpn-clients/index.md

@@ -0,0 +1,188 @@
+---
+title: "Configure WireGuard VPN Clients"
+description: "Information about how to import your WireGuard VPN config to your Android, iOS, MacOS, Windows and Linux machine."
+# linkTitle:
+date: 2023-06-06T23:51:13+07:00
+lastmod:
+draft: false
+noindex: false
+# comments: false
+nav_weight: 1000
+# nav_icon:
+#   vendor: bootstrap
+#   name: toggles
+#   color: '#e24d0e'
+series:
+  - WireGuard VPN
+categories:
+  - Privacy
+  - Networking
+tags:
+  - WireGuard
+  - iPhone
+  - Android
+  - Linux
+  - Windows
+  - MacOS
+images:
+# menu:
+#   main:
+#     weight: 100
+#     params:
+#       icon:
+#         vendor: bs
+#         name: book
+#         color: '#e24d0e'
+authors:
+  - ditatompel
+---
+
+This article contains information about how to **import** your **WireGuard VPN** config to your **Android**, **iOS/iPhone**, **MacOS**, **Windows** and **Linux** machine.
+
+<!--more-->
+---
+
+This article is part of [**WireGuard VPN** series](https://insights.ditatompel.com/en/series/wireguard-vpn/). If you haven't read the previous series, you might be interested to [setup your own **WireGuard VPN server** using cheap ~$6 VPS]({{< ref "/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.md" >}}) or [installing **WireGuard-UI** to manage your **WireGuard VPN server**]({{< ref "/tutorials/installing-wireguard-ui-to-manage-your-wireguard-vpn-server/index.md" >}}).
+
+[WireGuard](https://www.wireguard.com/) was initially released for the **Linux kernel**, it is now *cross-platform* (**Windows**, **macOS**, **BSD**, **iOS**, and **Android**). When you buy a **WireGuard VPN** from *VPN providers*, you will usually receive a configuration file (some providers also give you **QR Code** image). This configuration file is all you need.
+
+For Windows, MacOS, Android, and iOS, all you have to do is import the configuration file into the [official WireGuard application](https://www.wireguard.com/install/). For Linux who use `wg-quick` tool even more simpler, you just have to copy the configuration file to the `/etc/wireguard` folder.
+
+Even though the setup method is quite easy, I still want to write the steps on how to install or import the WireGuard configuration file here.
+
+The WireGuard configuration file given by *VPN provider* (or your **SysAdmin**) is just a text file, usually will look like this:
+```plain
+[Interface]
+Address = 10.10.88.5/32
+PrivateKey = gJc2XC/D2op6Y37at6tW1Sjl8gY/O/O4Apw+MDzAZFg=
+DNS = 1.1.1.1
+MTU = 1450
+
+[Peer]
+PublicKey = dW7TUSnRylgpo+rbNr1a55Wmg1lCBgjYnluiJhDuURI=
+PresharedKey = Ps4+a+xQfwKFBx+yWHKF7grUP3rzilOCQDftZ5A3z08=
+AllowedIPs = 0.0.0.0/0
+Endpoint = xx.xx.xx0.246:51822
+PersistentKeepalive = 15
+```
+> _Parts of IP address from `[Peer] Endpoint` above removed for privacy and security reason._
+
+## iPhone / iOS
+Download [official WireGuard client for iOS from App Store](https://apps.apple.com/us/app/wireguard/id1441195209?ls=1), make sure that the app comes from **"[WireGuard Development Team](https://apps.apple.com/us/developer/wireguard-development-team/id1441195208)"**.
+
+You can import configuration file by pressing <kbd>+</kbd> button from the top right of the app.
+
+### Using QR Code
+1. If your VPN provider give you **QR Code** image for your configuration, choose **"Create from QR code"** and scan your WireGuard configuration QR Code.
+2. When promoted to enter **name of the scanned tunnel** ([*example image*](wg-ios1.png)), fill with anything you can easily remember. *Avoid using character other than `-` and `[a-z]`*. Your new VPN connection profile will added to your WireGuard app.
+
+### Using import file or archive
+1. To import configuration from `.conf` file, you need to download the configuration file to your device. 
+2. After configuration file is downloaded to your device, choose **"Create from file or archive"** and pick file of your WireGuard configuration file.
+_Remember to avoid using character other than `-` and `[a-z]` for the interface **"name"**_.
+
+After your configuration was imported, simply tap **"Active" toggle button** of your desired VPN profile to **on** to connect [[*example image of connected WireGuard VPN in iOS app*](wg-ios2.png)].
+
+## Android
+Download [official WireGuard client for Android from Play Store](https://play.google.com/store/apps/details?id=com.wireguard.android), make sure that the app comes from **"[WireGuard Development Team](https://play.google.com/store/apps/developer?id=WireGuard+Development+Team)"**.
+
+You can import configuration file by pressing <kbd>+</kbd> button from the bottom right of the app.
+
+### Using QR Code
+1. If your *VPN provider* give you **QR Code** image for your configuration, choose **"Scan from QR code"** and scan your WireGuard configuration QR Code.
+2. When promoted to enter **Tunnel Name** ([*example image*](wg-android1.png)), fill with anything you can easily remember. _Avoid using character other than `-` and `[a-z]`_. Your new VPN connection profile will added to your WireGuard app.
+
+### Using import file or archive
+1. To import configuration from `.conf` file, you need to download the configuration file to your device. 
+2. After configuration file is downloaded to your device, choose **"Import from file or archive"** and pick file of your WireGuard configuration file.
+_Remember to avoid using character other than `-` and `[a-z]` for the interface **"name"**_.
+
+After your configuration was imported, simply tap **"Active" toggle button** of your desired VPN profile to **on** to connect [[*example image of connected WireGuard VPN in Android app*](wg-android2.png)].
+
+## Windows and MacOS
+I'll put Windows and MacOS in the same section because importing WireGuard config on those OS is pretty simillar. After [official WireGuard application](https://www.wireguard.com/install/) for your OS is installed:
+
+1. Click "**Add Tunnel**" button (or it's dropdown icon) and "**Import tunnel(s) from file...**", then pick file of your WireGuard configuration file.
+2. After connected to your VPN profile, try to check your IP address. Your VPN server should appear as your public IP, not your ISP IP address.
+![WireGuard VPN connected on Windows](wg-windows-connected.png#center)
+
+## Linux
+For Linux users, you need to install `wireguard` *package* to your system. Find how to install wireguard package from [official WireGuard](https://www.wireguard.com/install/) site or your *distribution* documentation page.
+
+### Using wg-quick
+The easiest and simplest way to use WireGuard is using `wg-quick` tool that comes from `wireguard` *package*. Put your WireGuard configuration file from your VPN provider to `/etc/wireguard` and start WireGuard connection with:
+
+```shell
+sudo systemctl start wg-quick@<interface-name>.service.
+```
+Replace `<interface-name>` above with filename (without the `.conf` extension) of WireGuard config given by your VPN provider.
+
+For example, If you rename the `wg0.conf` to `wg-do1.conf` in your `/etc/wireguard` directory, you can connect to that VPN network using `sudo systemctl start wg-quick@wg-do1.service`.
+
+Try to check your WireGuard connection by check your public IP from your browser or terminal using `curl ifconfig.me`. If your IP address is not changed, your first command to troubleshot is `sudo wg show` or `sudo systemctl status wg-quick@wg-do1.service`. 
+
+> _**Note 1**: By default `wg-quick` uses `resolvconf` to register new **DNS** entries. This will cause issues with network managers and DHCP clients that do not use `resolvconf`, as they will overwrite `/etc/resolv.conf` thus removing the DNS servers added by `wg-quick`._   
+> _The solution is to use networking software that supports `resolvconf`._
+
+> _**Note 2**: Users of `systemd-resolved` should make sure that `systemd-resolvconf` is installed._
+
+### Using NetworkManager
+**NetworkManager** on *bleeding-edge* *distros* such as **Arch Linux** has native support for setting up WireGuard interface.
+
+#### Using NetworkManager TUI & GUI
+![NetworkManager tui](wg-nmtui.png#center)
+
+You can easily configure WireGuard connection and *peers* using **NetworkManager TUI** or **GUI**. In this example, I'll use **NetworkManager GUI**.
+1. Open your **NetworkManager** GUI, click <kbd>+</kbd> to add new connection.
+2. Choose "**Import a saved VPN configuration**" and pick file of your WireGuard configuration file.
+3. Then, you can change "**Connection name**" and "**Interface name**" to anything you can easily remember. But, **avoid using character other than** `-` and `[a-z]` for "**Interface name**". It won't work if you use special character like *spaces*.
+
+![NetworkManager gui](wg-nmgui.png#center)
+
+#### Using nmcli
+`nmcli` can import a `wg-quick` configuration file. For example, to import WireGuard configuration from `/etc/wireguard/t420.conf`:
+```shell
+nmcli connection import type wireguard file /etc/wireguard/t420.conf
+```
+Even though `nmcli` can create a WireGuard connection profile, but it does not support configuring peers.
+The following examples configure WireGuard via the keyfile format `.nmconnection` files under `/etc/NetworkManager/system-connections/` for multiple peers and specific routes:
+```plain
+[connection]
+id=WG-<redacted>
+uuid=<redacted-uuid-string>
+type=wireguard
+autoconnect=false
+interface-name=wg-<redacted>
+timestamp=1684607233
+
+[wireguard]
+private-key=<redacted_base64_encoded_private_key>
+
+[wireguard-peer.<redacted_base64_encoded_public_key>]
+endpoint=<redacted_ip_address>:<redacted_port>
+persistent-keepalive=15
+allowed-ips=0.0.0.0/0;
+
+[wireguard-peer.<redacted_base64_encoded_public_key>]
+endpoint=<redacted_ip_address>:<redacted_port>
+persistent-keepalive=15
+allowed-ips=<redacted_specific_ip_network_routes_separated_by_semicolon>
+
+[ipv4]
+address1=10.10.88.2/24
+dns=192.168.1.105;192.168.1.252;
+method=manual
+
+[ipv6]
+addr-gen-mode=stable-privacy
+method=ignore
+```
+![nmcli wireguard connection example](wg-nmcli.png#center)
+
+## Notes
+- You can't connect to the same VPN server from 2 or more different devices with same key. **You every devices MUST have it's own unique key**.
+- For some operating system such as Windows, if you can't import your WireGuard configuration file from your WireGuard app, make sure that your WireGuard configuration file is ended with `.conf`.
+
+### Additional Notes
+- If you interested to [setup your own **WireGuard VPN server** using cheap ~$6 VPS]({{< ref "/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.md" >}}),but have some technical difficulties; I can help you to set that up for small amount of **IDR** (_I accept **Monero XMR** for **credits** if you don't have Indonesia Rupiah_).
+- To find out how to contact me, please visit [https://www.ditatompel.com/pages/contact](https://www.ditatompel.com/pages/contact).

content/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.md

@@ -0,0 +1,329 @@
+---
+title: "How to Setup Your Own WireGuard VPN Server"
+description: "How to manually setup your own WireGuard VPN server using ~$6 VPS"
+# linkTitle:
+date: 2023-06-05T19:04:57+07:00
+lastmod:
+draft: false
+noindex: false
+# comments: false
+nav_weight: 1000
+# nav_icon:
+#   vendor: bootstrap
+#   name: toggles
+#   color: '#e24d0e'
+series:
+  - WireGuard VPN
+categories:
+  - Privacy
+  - SysAdmin
+  - Networking
+  - Self-Hosted
+tags:
+  - VPN
+  - WireGuard
+images:
+# menu:
+#   main:
+#     weight: 100
+#     params:
+#       icon:
+#         vendor: bs
+#         name: book
+#         color: '#e24d0e'
+authors:
+  - ditatompel
+---
+
+This article will guide you to setting up your own **WireGuard VPN** server using **Ubuntu 22.04** server on a **cheap ~$6 VPS** and use it as your internet gateway.
+
+<!--more-->
+---
+
+After [series of my IPsec VPN article](https://insights.ditatompel.com/en/series/ipsec-vpn/). Today, I want to share how to set up [**WireGuard VPN**](https://www.wireguard.com/) server. Because **WireGuard** use **UDP** instead of **TCP**, it's *extremely fast* compared to [L2TP/xAuth]({{< ref "/tutorials/ipsec-l2tp-xauth-ikev2-vpn-server-auto-setup/index.md" >}}) and [IKEv2 VPN]({{< ref "/tutorials/set-up-ikev2-vpn-server-and-clients/index.md" >}}) (my previous **IPsec VPN** articles).
+
+## Prerequisites
+- A **VPS** with Public IP address.
+- Comfortable with Linux *command-line*.
+- Basic knowledge of _**IPv4** subnetting_ (_to be honest, I'm not familiar with IPv6 subnetting, so this article is for **IPv4** only_).
+
+It doesn't matter which *cloud provider* you choose. in this article, I will use [**DigitalOcean**](https://m.do.co/c/42d4ba96cc94) (*refferal link*) **Droplet** for my **WireGuard VPN server** (You can get your **free $200** in credit over 60 days by registering using my *refferal code*).
+
+> _**NOTE**: You should know that **cloud providers usually charge extra amount of `$` for every GB of overuse bandwidth**. So, know your needs and your limits!_
+
+> _VPS server I use for this article will be destroyed when this article is published._
+
+## Deploying your new VPS (DigitalOcean Droplet, optional)
+> _If you already have your own VPS running, you can skip this step and go to next step: "[Setup your WireGuard Server](#setup-your-wireguard-server)"._
+
+1. Go to your project and **Create new Droplet**.
+2. Choose **droplet region closest to you** to avoid any potential network latency. In this example, I'll choose **Frankfurt** datacenter.
+3. Choose your **Droplet OS**, for this article, I'll use **Ubuntu** `22.04 LTS`.
+4. Choose your **Droplet size**. I'll start with basic, **1 CPU** with **1GB of RAM** and **1TB network transfer** ($6/month).   
+Adapt the VPS size to fit with your need to avoid extra charge of overuse bandwidth (1TB monthly transfer is enough for me).
+![DigitalOcean VPS size](do1.png#center)
+5. Set up your prefered *authentication method*, I **prefer using SSH public and private key** rather than *password auth*.
+6. Set any other options as *default*. _I'm sure you **don't need backup and managed database options** for this setup_.
+
+> _**WireGuard** did **NOT need high disk I/O, so NVMe disk is NOT necessary**._
+
+## Setup your WireGuard Server
+> _**IMPORTANT NOTE**: Since I'm not familiar with **IPv6** subnetting, I'll only use use IPv4._
+
+Once your VPS ready and running, it's recommended to update your OS first using `apt update && apt upgrade` command and `reboot` your VPS.
+
+> _If you want to manage **WireGuard** peers (client) on a single server easily, you might be interested to read "[Installing WireGuard-UI to Manage Your WireGuard VPN Server]({{< ref "/tutorials/installing-wireguard-ui-to-manage-your-wireguard-vpn-server/index.md" >}})"._
+
+### Install WireGuard
+Install WireGuard using `sudo apt install wireguard` command. Once WireGuard is installed, we need to generate private and public key pairs for our WireGuard server.
+
+> _Tips: You can create **vanity** public key address for **WireGuard** using tool like [warner/wireguard-vanity-address](https://github.com/warner/wireguard-vanity-address)._
+
+#### Generate Private Key
+You can use `wg genkey` command to generate your private key. Place your private key to somewhere save, for example: `/etc/wireguard/do_private.key`.
+```shell
+wg genkey | sudo tee /etc/wireguard/do_private.key
+```
+Write down the output, we'll need that later to generate our WireGuard Server public key. Example of my WireGuard server private key:
+```
+uO0GDXBc+ZH5QsLmf+qRyCtFmUV1coadJvQp8iM0mEg=
+```
+Change `/etc/wireguard/do_private.key` file permission with `sudo chmod 600 /etc/wireguard/do_private.key`.
+
+#### Generate Public Key
+Now, generate server public key from previously generated private key:
+
+```shell
+sudo cat /etc/wireguard/do_private.key | wg pubkey | sudo tee /etc/wireguard/do_public.key
+```
+Write down the output, we'll need that later to configure WireGuard connection for *peers* (clients). Example of my WireGuard server public key:
+```
+7c023YtKepRPNNKfGsP5f2H2VtfPvVptn8Hn6jjmaz8=
+```
+
+### Configuring WireGuard Server
+Before configuring your **WireGuard** server, you need to **decide your private network address range for your WireGuard** connection (*tunnel* interface). You should choose valid [private network IP ranges](https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses). For example:
+- Between `10.0.0.0` - `10.255.255.255` (`10.0.0.0/8`)
+- Between `172.16.0.0` - `172.31.255.255` (`172.16.0.0/12`)
+- Between `192.168.0.0` - `192.168.255.255` (`192.168.0.0/16`)
+
+> _Tips: Avoid using your current used private IP ranges and commonly used private IP range. For example: Docker uses `172.17.0.0/16` ip range by default. If you use Docker, you must use another IP range for your WireGuard IP range to avoid conflict._
+
+In this article, I only use **IPv4** and use `10.10.88.0/24` for my WireGuard network.
+
+You'll also need to decide which **UDP** port WireGuard should listen to. Many *network appliance* out there (such as **Netgate**, **QNAP**, etc) set **UDP** port **51280** as their default WireGuard listen port. But, in this article, I'll use `UDP` port `51822`.
+
+Now, we have all (basic) required information for WireGuard server to run:
+- Server Public IP: `xxx.xx.xx0.246`
+- Server Private key: `uO0GDXBc+ZH5QsLmf+qRyCtFmUV1coadJvQp8iM0mEg=`
+- Server Public Key: `7c023YtKepRPNNKfGsP5f2H2VtfPvVptn8Hn6jjmaz8=`
+- Server Listen Port: `UDP` port `51822`
+- WireGuard Network: `10.10.88.0/24`
+
+Create file named `wg0.conf` for your WireGuard configuration under `/etc/wireguard` directory and fill with this example configuration:
+```plain
+# /etc/wireguard/wg0.conf
+
+[Interface]
+PrivateKey = <YOUR_SERVER_PRIVATE_KEY> # This example: uO0GDXBc+ZH5QsLmf+qRyCtFmUV1coadJvQp8iM0mEg=
+Address = <YOUR_SERVER_WG_IP_ADDRESS>  # This example: 10.10.88.1/24
+ListenPort = <SERVER_UDP_LISTEN_PORT>  # This example: 51822
+SaveConfig = true
+```
+> _**Note**: From the configuration above, notice that I pick `10.10.88.1` as my server IP address for WireGuard network._
+
+Replace `<YOUR_SERVER_PRIVATE_KEY>`, `<YOUR_SERVER_IP_ADDRESS>`, `<SERVER_UDP_LISTEN_PORT>` with your prefered configuration.
+
+#### Allowing IP forward
+In this article, we'll allow this WireGuard server as our default *gateway* for *peers* (clients), so any outgoing network traffic (except to your **LAN/WLAN** network) can go trough this WireGuard server. If you use WireGuard as *peer-to-peer* connection, yo don't need to do this.
+
+Edit `/etc/sysctl.conf` and add `net.ipv4.ip_forward=1` to the end of the file, then run `sudo sysctl -p` to load the new `/etc/sysctl.conf` values.
+```shell
+sudo sysctl -p
+```
+
+After that, you need to add firewall rules to allow peers (clients) to connect to server and routed properly.
+
+#### Setting up Firewall
+By default, Ubuntu system use comes with **UFW** to manage system firewall. You need to **add WireGuard listen port to firewall allow list**.
+```shell
+sudo ufw allow OpenSSH
+sudo ufw allow proto udp to any port 51822
+```
+> _Note that I also add **OpenSSH** to allow list to avoid losing connection to SSH if you didn't configure / activate it before._
+
+Replace `51822` to your configured **WireGuard listen port**.
+
+Enable / restart your `ufw` service using:
+```shell
+ufw enable # to enable firewall, or
+ufw reload # to reload firewall
+```
+
+Next, you need to know which network interface used by your server as its *default route*. You can use `ip route list default` to see that. Example output of my `ip route list default` command:
+
+```plain
+default via 164.90.160.1 dev eth0 proto static
+```
+Write down the word after `dev` output, that's your default network interface. We will need that infromation later. In this example, my default network interface is `eth0`. 
+
+Now add this following configuration to your `/etc/wireguard/wg0.conf` under `[Interface]` section:
+```plain
+PostUp = ufw route allow in on wg0 out on eth0
+PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+PreDown = ufw route delete allow in on wg0 out on eth0
+PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+```
+
+Replace `eth0` from above configuration with your server default network interface.
+
+Your `/etc/wireguard/wg0.conf` shoud look like this:
+```plain
+# /etc/wireguard/wg0.conf
+
+[Interface]
+PrivateKey = <YOUR_SERVER_PRIVATE_KEY> # This example: uO0GDXBc+ZH5QsLmf+qRyCtFmUV1coadJvQp8iM0mEg=
+Address = <YOUR_SERVER_WG_IP_ADDRESS>  # This example: 10.10.88.1/24
+ListenPort = <SERVER_UDP_LISTEN_PORT>  # This example: 51822
+SaveConfig = true
+
+PostUp = ufw route allow in on wg0 out on eth0
+PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+PreDown = ufw route delete allow in on wg0 out on eth0
+PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+```
+
+Now our WireGuard server is ready. Try to start your WireGuard server using `systemd`:
+```shell
+sudo systemctl start wg-quick@wg0.service
+```
+
+Note that `wg0` above is taken from your configuration file under `/etc/wireguard` directory (but without `.conf` file extension). If your configuration file is named `internal.conf`, you can start that configuration using `systemctl start wg-quick@internal.service`.
+
+Check that your WireGuard server is running using `systemctl status wg-quick@wg0.service` command:
+
+```plain
+● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
+     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
+     Active: active (exited) since Mon 2023-06-05 14:52:31 UTC; 2h 2min ago
+       Docs: man:wg-quick(8)
+             man:wg(8)
+             https://www.wireguard.com/
+             https://www.wireguard.com/quickstart/
+             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
+             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
+    Process: 714 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
+   Main PID: 714 (code=exited, status=0/SUCCESS)
+        CPU: 131ms
+
+Jun 05 14:52:30 fra1-do1 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
+Jun 05 14:52:30 fra1-do1 wg-quick[714]: [#] ip link add wg0 type wireguard
+Jun 05 14:52:30 fra1-do1 wg-quick[714]: [#] wg setconf wg0 /dev/fd/63
+Jun 05 14:52:30 fra1-do1 wg-quick[714]: [#] ip -4 address add 10.10.88.1/24 dev wg0
+Jun 05 14:52:30 fra1-do1 wg-quick[714]: [#] ip link set mtu 1420 up dev wg0
+Jun 05 14:52:31 fra1-do1 wg-quick[714]: [#] ufw route allow in on wg0 out on eth0
+Jun 05 14:52:31 fra1-do1 wg-quick[790]: Skipping adding existing rule
+Jun 05 14:52:31 fra1-do1 wg-quick[790]: Skipping adding existing rule (v6)
+Jun 05 14:52:31 fra1-do1 wg-quick[714]: [#] iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+Jun 05 14:52:31 fra1-do1 systemd[1]: Finished WireGuard via wg-quick(8) for wg0.
+```
+
+![WireGuard systemd](wireguard-systemd.png#center)
+
+To automatically start WireGuard service when the system start, you can execute `sudo systemctl enable wg-quick@wg0.service` command.
+
+## Setup WireGuard Peer (*client*)
+In this section, I'll use Linux machine to connect to our configured WireGuard server using `systemd` service. For other method such as connecting using **NetworkManager** GUI, Different OS and mobile devices, I'll add that later to another article.
+
+Configuring WireGuard peer (client) in Linux using `systemd` is almost the same as setting up WireGuard server. The different is you didn't need to configure firewall and IP forward for peers. All you need to do is install WireGuard, create private and public key, configure DNS server you want to use, add start the service.
+
+### Generating Private and Public Key Pairs (Client Side)
+If you already have your own WireGuard key pairs, you can use that keys, skip this step and go to the next step: "[Configuring WireGuard Peer (client)](#configuring-wireguard-peer-client)".
+
+> _Tips: You can create **vanity** public key address for **WireGuard** using tool like [warner/wireguard-vanity-address](https://github.com/warner/wireguard-vanity-address)._
+
+#### Generate Peer Private key
+You can use `wg genkey` command to generate your private key. Place your private key to somewhere save, for example: `/etc/wireguard/do_private.key`.
+```shell
+wg genkey | sudo tee /etc/wireguard/do_private.key
+```
+Write down the output, we'll need that later to generate WireGuard peer public Key. Example of my WireGuard peer public key:
+```
+WApLrVqFvXMbvsn+62DxfQCY8rsFqmHCEFAabAeA5WY=
+```
+Change `/etc/wireguard/do_private.key` file permission with `sudo chmod 600 /etc/wireguard/do_private.key`.
+
+#### Generate Peer Public Key
+Generate peer public key from previously generated peer private key:
+
+```shell
+sudo cat /etc/wireguard/do_private.key | wg pubkey | sudo tee /etc/wireguard/do_public.key
+```
+Write down the output, we'll need that public key later to be added to our WireGuard server. Example of my WireGuard peer public key:
+```
+6gnV+QU7jG7BzwWrBbqiYpKQDGePYQunebkmvmFrxSk=
+```
+
+### Configuring WireGuard Peer (client)
+Before configuring your **WireGuard** peer (client), you need to **decide your WireGuard private IP address for your peer** connection (*tunnel* interface). You should use unused IP address for peer(s) from your WireGuard network IP range. In this article, `10.10.88.1/24` already used by my WireGuard server, so I can't use that IP for peer(s). I'll use `10.10.88.2/24` (or `10.10.88.2/32`) instead.
+
+Now, we have all (basic) required information for WireGuard peer (client) to run:
+- Server Public IP: `xxx.xx.xx0.246`
+- Server Public Key: `7c023YtKepRPNNKfGsP5f2H2VtfPvVptn8Hn6jjmaz8=`
+- Server Listen Port: `UDP` port `51822`
+- WireGuard Network: `10.10.88.0/24`
+- Client IP address: `10.10.88.2/24`
+
+Create file named `wg-do1.conf` for your WireGuard configuration under `/etc/wireguard` directory and fill with this configuration example:
+```plain
+# /etc/wireguard/wg-do1.conf
+
+[Interface]
+PrivateKey = <YOUR_PEER_PRIVATE_KEY> # This example: WApLrVqFvXMbvsn+62DxfQCY8rsFqmHCEFAabAeA5WY=
+Address = <YOUR_PEER_IP_ADDRESS>     # This example: 10.10.88.2/24
+DNS = 1.1.1.1 8.8.8.8                # You can use any public / your own DNS resolver if you want
+
+[Peer]
+PublicKey = <YOUR_SERVER_PUBLIC_KEY> # This example: 7c023YtKepRPNNKfGsP5f2H2VtfPvVptn8Hn6jjmaz8=
+AllowedIPs = 0.0.0.0/0               # Route all external traffic to here
+Endpoint = <YOUR_SERVER_PUBLIC_IP_ADDRESS>:<SERVER_UDP_LISTEN_PORT> # This example: xxx.xx.xx0.246:51822
+PersistentKeepalive = 15
+```
+
+Replace `<YOUR_PEER_PRIVATE_KEY>`, `<YOUR_PEER_IP_ADDRESS>`, `<YOUR_SERVER_PUBLIC_KEY>`, `<YOUR_SERVER_PUBLIC_IP_ADDRESS>`, and `<SERVER_UDP_LISTEN_PORT>` with yours.
+
+Note:
+- `AllowedIPs` = `0.0.0.0/0` means all traffic will go trough that peer (in this case, our WireGuard server).   
+You can specify / selective routing specific IP to specific peer (if you connected to multiple peers / servers).   
+For example, if you only want to route traffic to IP 1.0.0.1 and 8.8.4.4 using specific peer and use your current internet connection as default route, you can remove `0.0.0.0/0` and add `1.0.0.1/32,8.8.4.4/32` (separated by comma) to `AllowedIPs` value.
+- `PersistentKeepalive` = `15` : How many seconds for peer send *ping* to the server regularly, so the server can reach the peer sitting behind **NAT**/firewall.
+- `DNS` You can also specify DNS servers you want to use in your `DNS` configuration value.
+
+Now, our peer (client) configuration is complete. you can try to connect your device to your WireGuard server using `systemd` service.
+
+```shell
+sudo systemctl start wg-quick@wg-do1.service
+```
+> _**Note 1**: `wg-do1` above is taken from your configuration file under `/etc/wireguard` directory (but without `.conf` file extension). If your configuration file is named `vpn-wireguard.conf`, you can start that configuration using `systemctl start wg-quick@vpn-wireguard.service`._
+
+> _**Note 2**: By default `wg-quick` uses `resolvconf` to register new DNS entries. This will cause issues with network managers and DHCP clients that do not use `resolvconf`, as they will overwrite `/etc/resolv.conf` thus removing the DNS servers added by `wg-quick`._   
+> _The solution is to use networking software that supports `resolvconf`._
+
+> _**Note 3**: Users of `systemd-resolved` should make sure that `systemd-resolvconf` is installed._
+
+To verify your configurations is properly configured, try to check your public IP from your browser or terminal using `sudo wg show` or `curl ifconfig.me`.
+
+![wg show](wg-show.png#center)
+
+![What is my IP](wg-vpn-do-ip.png#center)
+
+## Conclusion
+WireGuard is my favorite VPN protocol. It's fast and less resource usage compared with other VPN protocols. It's highly configurable and works with multiple environments. It can be used for *peer-to-peer* connection, *client-server* connection, or creating secure *mesh network*.
+
+When combined with **Nginx** as *reverse proxy*, you can even exposing your local HTTP server (and mostly any services) sitting behind **NAT**/firewall to the internet.
+
+Anyway, managing large scale of WireGuard network can be very dificult. But, there are a tool to help you managing large scale WireGuard networks, such as [Netmaker](https://www.netmaker.io/).
+
+### Additional Notes
+- If you have some technical difficulties setting up your own WireGuard server, I can help you to set that up for small amount of **IDR** (_I accept **Monero XMR** for **credits** if you don't have Indonesia Rupiah_).
+- To find out how to contact me, please visit [https://www.ditatompel.com/pages/contact](https://www.ditatompel.com/pages/contact).

content/tutorials/installing-wireguard-ui-to-manage-your-wireguard-vpn-server/index.md

@@ -0,0 +1,311 @@
+---
+title: "Installing WireGuard-UI to Manage Your WireGuard VPN Server"
+description: 
+# linkTitle:
+date: 2023-06-06T04:20:43+07:00
+lastmod:
+draft: false
+noindex: false
+# comments: false
+nav_weight: 1000
+# nav_icon:
+#   vendor: bootstrap
+#   name: toggles
+#   color: '#e24d0e'
+series:
+  - WireGuard VPN
+categories:
+  - Privacy
+  - SysAdmin
+  - Networking
+  - Self-Hosted
+tags:
+  - WireGuard
+  - WireGuard UI
+  - Nginx
+images:
+# menu:
+#   main:
+#     weight: 100
+#     params:
+#       icon:
+#         vendor: bs
+#         name: book
+#         color: '#e24d0e'
+authors:
+  - ditatompel
+---
+
+To manage **WireGuard** *peers* (client) on a single server easily, you can use **WireGuard-UI**, a web-based user interface to manage your WireGuard setup written in Go.
+
+<!--more-->
+---
+
+[Wireguard-UI](https://github.com/ngoduykhanh/wireguard-ui) is a *web-based* user interface to manage your **WireGuard** server setup written by [ngoduykhanh](https://github.com/ngoduykhanh) using **Go** programming language. This is an alternative way to install and easily manage your WireGuard VPN server. 
+
+If you prefer to install WireGuard server *"from scratch"* and manage it manually, you can follow my previous article about "[How to Setup Your Own WireGuard VPN Server]({{< ref "/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.md" >}})".
+
+## Prerequisites
+- A **VPS** (**Ubuntu** `22.04 LTS`) with Public IP address and **Nginx** installed.
+- Comfortable with Linux *command-line*.
+- Basic knowledge of _**IPv4** subnetting_ (_to be honest, I'm not familiar with IPv6 subnetting, so this article is for **IPv4** only_).
+- Able to configure **Nginx** *Virtual Host*.
+
+In this guide, our goals:
+- Server run _**WireGuard** daemon_ listen on port `51822/UDP`.
+- **WireGuard UI** run from `127.0.0.1` on port `5000`.
+- **Nginx** act as *reverse proxy* and serve **WireGuard UI** service using **HTTPS**.
+
+## Prepare Your Server
+First, make sure your system is *up-to-date* and **WireGuard is installed** on your server. 
+```shell
+sudo apt update && sudo apt upgrade
+sudo apt install wireguard
+```
+
+Edit `/etc/sysctl.conf` and add `net.ipv4.ip_forward=1` to the end of the file, then run `sudo sysctl -p` to load the new `/etc/sysctl.conf` values.
+```shell
+sudo sysctl -p
+```
+This is required to allow **IP forwarding** on your server.
+
+### Setting up Firewall
+By default, **Ubuntu** system use comes with **UFW** to manage system *firewall*. You need to **add WireGuard listen port to firewall allow list**.
+```shell
+sudo ufw allow OpenSSH
+sudo ufw allow 80 comment "allow HTTP" # will be used by Nginx
+sudo ufw allow 443 comment "allow HTTPS" # will be used by Nginx
+sudo ufw allow proto udp to any port 443  comment "allow QUIC" # If your Nginx support QUIC
+sudo ufw allow proto udp to any port 51822 comment "WireGuard listen port"
+```
+> _Note that I also add **OpenSSH** to allow list to avoid losing connection to SSH if you didn't configure / activate it before._
+
+Enable / restart your `ufw` service using:
+```shell
+sudo ufw enable # to enable firewall, or
+sudo ufw reload # to reload firewall
+```
+
+
+## Download & Configure WireGuard-UI
+Download [Wireguard-UI from its latest release page](https://github.com/ngoduykhanh/wireguard-ui/releases) to your server. Choose the one that match with your **server OS** and **CPU architecture**.
+
+Extract downloaded `.tar.gz` file:
+```shell
+tar -xvzf  wireguard-ui-*.tar.gz
+```
+
+Create new directory `/opt/wireguard-ui` and move the `wireguard-ui` *binary* (from extracted `.tar.gz` file) to `/opt/wireguard-ui`.
+
+```shell
+mkdir /opt/wireguard-ui
+mv wireguard-ui /opt/wireguard-ui/
+```
+
+Create environment file for WireGuard-UI (This will be loaded using `EnvironmentFile` from `systemd` unit file later):
+```plain
+# /opt/wireguard-ui/.env
+SESSION_SECRET=<YOUR_STRONG_RANDOM_SECRET_KEY>
+WGUI_USERNAME=<YOUR_WIREGUARD_UI_USERNAME>
+WGUI_PASSWORD=<YOUR_WIREGUARD_UI_PASSWORD>
+```
+
+If you want to enable email feature, you need to set up your _SMTP_\*_ environment variable. See [WireGuard UI Environment Variables details](https://github.com/ngoduykhanh/wireguard-ui#environment-variables) for more information.
+
+### Finding Server Default Interface
+Then, find out which network interface used by your server as its *default route*. You can use `ip route list default` to see that. Example output of my `ip route list default` command:
+```plain
+default via 164.90.160.1 dev eth0 proto static
+```
+Write down the word after `dev` output, that's your default network interface. We will need that information later. In this example, my default network interface is `eth0`. 
+
+Create `/opt/wireguard-ui/postup.sh`, and fill with this example config:
+```bash
+#!/usr/bin/bash
+# /opt/wireguard-ui/postup.sh
+ufw route allow in on wg0 out on eth0
+iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+```
+The `postup.sh` bash script above will be executed when WireGuard service is **started**.
+
+Create `/opt/wireguard-ui/postdown.sh`. and fill with this example config:
+```bash
+#!/usr/bin/bash
+# /opt/wireguard-ui/postdown.sh
+ufw route delete allow in on wg0 out on eth0
+iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+```
+The `postdown.sh` bash script above will be executed when WireGuard service is **stopped**.
+
+Replace `eth0` value from those two bash script above with your default network interface (*see [Finding Server Default Interface section](#finding-server-default-interface) above*).
+
+Then, make those two bash script (`/opt/wireguard-ui/postup.sh` and `/opt/wireguard-ui/postdown.sh`) executable:
+```shell
+chmod +x /opt/wireguard-ui/post*.sh
+```
+
+### WireGuard-UI daemon SystemD
+To manage **WireGuard-UI** daemon (Web UI) using `systemd`, create `/etc/systemd/system/wireguard-ui-daemon.service` systemd file, and fill with this following configuration:
+```systemd
+[Unit]
+Description=WireGuard UI Daemon
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=root
+Group=root
+Type=simple
+WorkingDirectory=/opt/wireguard-ui
+EnvironmentFile=/opt/wireguard-ui/.env
+ExecStart=/opt/wireguard-ui/wireguard-ui -bind-address "127.0.0.1:5000"
+
+[Install]
+WantedBy=multi-user.target
+```
+The `systemd` configuration will run WireGuard UI daemon on `127.0.0.1:5000`.
+
+Now reload your `systemd` daemon configuration and try to start `wireguard-ui-daemon.service`.
+```shell
+sudo systemctl daemon-reload
+sudo systemctl start wireguard-ui-daemon.service
+```
+
+Verify your `wireguard-ui-daemon.service` is running properly by using `systemctl status wireguard-ui-daemon.service`:
+```plain
+● wireguard-ui-daemon.service - WireGuard UI Daemon
+     Loaded: loaded (/etc/systemd/system/wireguard-ui-daemon.service; disabled; vendor preset: enabled)
+     Active: active (running) since Mon 2023-06-05 23:57:47 UTC; 5s ago
+   Main PID: 4388 (wireguard-ui)
+      Tasks: 4 (limit: 1115)
+     Memory: 17.1M
+        CPU: 1.243s
+     CGroup: /system.slice/wireguard-ui-daemon.service
+             └─4388 /opt/wireguard-ui/wireguard-ui -bind-address 127.0.0.1:5000
+
+Jun 05 23:57:47 fra1-do1 wireguard-ui[4388]: Git Ref                : refs/tags/v0.5.1
+Jun 05 23:57:47 fra1-do1 wireguard-ui[4388]: Build Time        : 06-05-2023 23:57:47
+Jun 05 23:57:47 fra1-do1 wireguard-ui[4388]: Git Repo        : https://github.com/ngoduykhanh/wireguard-ui
+Jun 05 23:57:47 fra1-do1 wireguard-ui[4388]: Authentication        : true
+Jun 05 23:57:47 fra1-do1 wireguard-ui[4388]: Bind address        : 127.0.0.1:5000
+Jun 05 23:57:47 fra1-do1 wireguard-ui[4388]: Email from        :
+Jun 05 23:57:47 fra1-do1 wireguard-ui[4388]: Email from name        : WireGuard UI
+Jun 05 23:57:47 fra1-do1 wireguard-ui[4388]: Custom wg.conf        :
+Jun 05 23:57:47 fra1-do1 wireguard-ui[4388]: Base path        : /
+Jun 05 23:57:49 fra1-do1 wireguard-ui[4388]: ⇨ http server started on 127.0.0.1:5000
+```
+
+If everything works well, you can see that **WireGuard-UI** is listening on `127.0.0.1:5000` (but, for now, you cannot access the web UI from remote machine until you finished the *[Configuring Nginx for WireGuard-UI section](#configuring-nginx-for-wireguard-ui)* below). 
+
+Make `wireguard-ui-daemon.service` run at start up:
+```shell
+sudo systemctl enable wireguard-ui-daemon.service
+```
+
+
+### Auto Restart WireGuard Daemon
+Because **WireGuard-UI** only takes care of WireGuard configuration generation. You need another `systemd` to watch for the changes and restart the **WireGuard** service. Create `/etc/systemd/system/wgui.service` and fill with this following example:
+```systemd
+[Unit]
+Description=Restart WireGuard
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl restart wg-quick@wg0.service
+
+[Install]
+RequiredBy=wgui.path
+```
+
+Then, create `/etc/systemd/system/wgui.path`:
+```systemd
+[Unit]
+Description=Watch /etc/wireguard/wg0.conf for changes
+
+[Path]
+PathModified=/etc/wireguard/wg0.conf
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Apply `systemd` configurations changes by issuing this following commands:
+```shell
+systemctl enable wgui.{path,service}
+systemctl start wgui.{path,service}
+```
+
+### Configuring Nginx for WireGuard-UI
+If **Nginx** not installed on your server, you need to install it first. You can use Nginx from **Ubuntu default repository** or using [Nginx official repository for Ubuntu](https://nginx.org/en/linux_packages.html#Ubuntu).
+
+After Nginx installed, create **Nginx virtual host server block** for WireGuard UI:
+
+```nginx
+server {
+    listen 80;
+    server_name wgui.example.com;
+    root /usr/share/nginx;
+    access_log off;
+    location /.well-known/acme-challenge/ { allow all; }
+    location / { return 301 https://$host$request_uri; }
+}
+
+server {
+    listen 443 ssl http2;
+    server_name wgui.example.com;
+    access_log off;
+
+    ssl_certificate     /path/to/your/ssl/cert/fullchain.pem;
+    ssl_certificate_key /path/to/your/ssl/cert/privkey.pem;
+
+    root /usr/share/nginx;
+    location / {
+        add_header Cache-Control no-cache;
+
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $http_host;
+        proxy_pass http://127.0.0.1:5000/;
+    }
+}
+```
+- Replace `wgui.example.com` with your (sub)domain name.
+- Replace `ssl_certificate` and `ssl_certificate_key` with your certificate files.
+
+Now restart your nginx configuration `sudo systemctl restart nginx`.
+
+**Please note** that Nginx server block configuration above is **very basic config**. If you need recommended SSL configuration for Nginx, follow this [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/). If you want to use [Let's Encrypt](https://letsencrypt.org/) certificate, install `python3-certbot-nginx` and request your certificate using `certbot --nginx -d wgui.example.com`.
+
+## Using WireGuard-UI
+Now afrer configuring all those required services, it's time to **configure our WireGuard config using WireGuard-UI**. Go to your WireGuard-UI (sub)domain and login with username and password you've configured before from `/etc/wireguard-ui/.env`.
+
+> _**Do not** press **"Apply Config"** before you finished configuring your WireGuard setting from WireGuard UI._
+
+Go to **"WireGuard Server"** page and configure WireGuard config:
+- **Server Interface Addresses**: `10.10.88.1/24`
+- **Listen Port**: `51822`
+- **Post Up Script**: `/opt/wireguard-ui/postup.sh`
+- **Post Down Script**: `/opt/wireguard-ui/postup.sh`
+
+![WireGuard- UI Server Settings](wg-ui-server-config.png#center)
+
+Then go to **"Global Settings"**, verify that all your config is correct (especially for **"Endpoint Address"** and **"Wireguard Config File Path"**).
+
+After that, try to **Apply** your configuration.
+
+Verify that everything is running (try to check using `wg show` or `ss -ulnt` from *command-line*).
+
+### Creating Peer (client)
+Creating peers using WireGuard UI is pretty simple, all you need to do is press **"+ New Client"** button from the top right of the page and fill required information. You only need to fill **"Name"** field for most use case.
+
+After adding your peers (clients), press **"Apply Config"** and try to connect to your WireGuard VPN server from your devices. The configuration file for your devices can be downloaded from **WireGuard UI**. You can also easily scan configuration for your mobile devices by scanning configuration **QR code**.
+
+![WireGuard UI clients page](wg-ui-clients.png#center)
+
+What next? How about [Configure WireGuard VPN Clients]({{< ref "/tutorials/configure-wireguard-vpn-clients/index.md" >}})?
+
+### Notes
+- If you have some technical difficulties setting up your own WireGuard server, I can help you to set that up for small amount of **IDR** (_I accept **Monero XMR** for **credits** if you don't have Indonesia Rupiah_).
+- To find out how to contact me, please visit [https://www.ditatompel.com/pages/contact](https://www.ditatompel.com/pages/contact).