Wireguard(-go) on LES NAT Virtuozzo VPS
Thought I'd post this as its own topic in case it's useful (mods, feel free to delete/move if it's inappropriate)
It's actually reasonably simple to set up the userspace wireguard-go binary yourself with this guide (full Wireguard requires a host node kernel module to be active on OpenVZ/Virtuozzo, and it's not on any LES providers that I know of because it's a pain (https://wiki.openvz.org/VPN_using_Wireguard) - if there are any, let it be known :-)):
Notes from me:
- Pinning the unstable Debian repo to get the wireguard-tools package in a 128MB LES NAT VPS gave me "failed to fork" errors with apt commands. Switching to Anthony's new slimline Ubuntu 18.04 template meant I could use the Wireguard PPA instead, which doesn't use as many resources. Pinning the unstable repo might work fine on the new 256MB plans though...
- Compiling the wireguard-go binary is much better done on a local machine with more resources than a LES box (be sure to make the necessary adjustments detailed to keep RAM usage low!) Once it spits out the binary, push it onto your LES box with SCP/SFTP etc., copy it to /usr/local/bin and make it executable
I've got this setup working nicely on one of Ant's UK 128MB NAT VPSes, and even though Wireguard is the userspace go implementation, speeds have been better than OpenVPN for me. Of course, OpenVPN is older and much more thoroughly historically audited compared to Wireguard (but that's a digression for someone else to take up).
NB - Credit for the linked guide goes to Daniel15 of course.
This is also what I'm looking for.
I'm running wireguard + pihole on a small VPS (128 MB RAM) with a dedicated IPv4, quite stably. Hope to see how it goes on a NAT VPS.
If you compile wireguard-go, I'd recommend also compiling wireguard-tools. I've compiled both on Debian 11, and they work just fine on Debian 9 VPS.
The linked guide will show you how to set up a basic VPN, but you won't be able to access the outside internet. If you intend to use the VPN as a proxy to the outside internet, you also need to set up iptables NAT on the server and DNS on the client. Here is a good guide for configuration: https://angristan.xyz/how-to-setup-vpn-server-wireguard-nat-ipv6/
With these guides, I was able to set up the VPN in 10 minutes. OpenVPN took 3 hours! On my VPS, wireguard-go (no optimizations applied) without clients uses 512 KB RAM. With one client (YouTube videos, speedtest) it uses 1.5-3 MB.
Installation on the client side or KVM VPS, of course, is simply "apt-get install wireguard".
Oh no, you've invoked an unpopular figure here... I'll leave it at that. I prefer this guide for actual Wireguard config:
You also need DNS for a "proxy" VPN. It's very important, but not obvious at first.
If you don't put DNS settings into your client configuration, wireguard will use your ISP DNS server. Websites can see it and use this information to identify you.
Doesn't work by default on Ubuntu 18.04:
You can either install openresolv, symlink resolvectl to resolvconf or copy Mullvad's handy trick:
PostUp = systemd-resolve -i %i --set-dns=X.X.X.X --set-domain=~.
to your config, replacing X.X.X.X with your desired DNS, or a list by repeating --set-dns=X.X.X.X for each DNS server.
I like the openresolv solution. It's a 100 KB package and then the client config is simply:
DNS = 192.168.0.2,192.168.0.3
I often install Pihole together with Wireguard and set DNS to 10.0.0.1 (pihole IP).
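Added example (not from anyone in this thread): a small POSIX sh helper that checks a wg-quick client config for either form of client-side DNS discussed above (a DNS= line for openresolv, or the systemd-resolve PostUp trick) and builds the PostUp line for a list of servers. The config paths and server addresses are constructed for illustration.

```shell
#!/bin/sh
# Build the systemd-resolve PostUp line from a comma-separated server list,
# repeating --set-dns for every server (constructed helper, not from the thread).
mullvad_postup() {
    servers=$1
    line="PostUp = systemd-resolve -i %i"
    IFS=','
    for s in $servers; do
        line="$line --set-dns=$s"
    done
    unset IFS
    printf '%s --set-domain=~.\n' "$line"
}

# Return 0 when the config sets client DNS in one of the two forms above,
# 1 when it sets none (queries would then go to the ISP resolver).
check_dns() {
    cfg=$1
    if grep -Eq '^[[:space:]]*DNS[[:space:]]*=' "$cfg"; then
        echo "ok: DNS= entry (wg-quick needs resolvconf, e.g. openresolv)"
        return 0
    fi
    if grep -Eq '^[[:space:]]*PostUp[[:space:]]*=.*systemd-resolve.*--set-dns=' "$cfg"; then
        echo "ok: systemd-resolve PostUp entry"
        return 0
    fi
    echo "warning: no client DNS configured, queries will use the ISP resolver"
    return 1
}

# Usage: sh check_wg_dns.sh /etc/wireguard/wg0.conf   (path is an assumption)
if [ "$#" -gt 0 ]; then
    check_dns "$1"
fi
```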
Would it be possible to trigger a CPU abuse warning if I tried to compile it locally?
Depending on how much time is needed for the compilation, it could trigger the CPU limit.