Personal VPN

1 VPN Connection
Premium Bandwidth
Encrypted Traffic
Salt Lake City, USA
Basic Support
Order Now - $10/Year (Recurring)

Pro VPN

1 VPN Connection
Priority Bandwidth
Encrypted Traffic
Salt Lake City, USA
Premium Support
Order Now - $50/Year (Recurring)

Datacenter: FiberState SLC1, Salt Lake City, USA

https://github.com/N-Storm/boringguard

Hey everyone! 👋

I wanted to share a piece of my private collection of custom ansible roles that I've created for configuring and managing various VPSs, lowends included. I've recently decided to make one of these roles, Boringguard, public to see if it might be useful to the community.

Features:

• Compatibility: It works with deb/apt-based distros like Debian 11+ (might work with 9+, haven't tested), Ubuntu 20.04+, Armbian, and RPM-based RHEL8+ distros (CentOS, Rocky, Alma, Oracle, etc).
• Boringtun Installation: This role can install Boringtun, a userspace Wireguard daemon implementation by CloudFlare, which doesn't require a kernel module. It's great for container-based VPSs (OpenVZ, LXC, Virtuozo, etc), especially if you have TUN/TAP capability. It even works on NAT VPSs with UDP port-forwarding.

• Binary Packages Included (.deb and .rpm): Since there's no official repo for Boringguard and no distro packages available, I've built binaries from sources for various architectures (x86_64, aarch64, ARMv7). This includes builds with MUSL lib as well as Glibc, to better suit resource-constrained devices. Should work on a variety of small/embedded devices, like SBCs, ARM routers, etc. Tested on Hetzner CAX ARM64 plans and ARMv7 Orange Pi One SBC.
  Don't trust my binaries? I'm absolutely with you here You can build and add your own. The packages to install are configurable in a yaml vars file. Let me know if you need a guide for building those packages. Just a ~couple of requests and I'll write recipe to automate building those packages I have there.

• Configurations and QR Codes: Configure the server with as many peers as you want and generate client config files and QR-codes.

• Idempotent with Persistent Config: The primary reason I created my own 'Wireguard installer' is probably its idempotency and persistent configuration. It's mostly inspired by the "Nyr wireguard-install script", but I found it lacking in the ability to restore VPN settings on VPS reinstall/migration/etc. (like almost every Wireguard install script), not to mention the absence of ARM support. This is where Ansible comes in as a more suitable tool for such tasks - you simply define your configuration with variables for each host (or even host group), tweak some settings or start with the defaults, and set up your VPN. Once generated, items like private keys and other settings will be stored on the host used for configuration (the "ansible host").
  I don't want to configure clients from scratch every time I need to rebuild a VPS. Or manually fix configs on VPS migration, for example. Can be a serious hassle if you have many VPSs or clients. Managed configuration approach solves a few things at once here:
  • a) generates a populated VPN config file which you can edit. When you run the playbook again, the new settings will be applied;
  • b) ensures that if you reinstall/migrate/change your VPS, running the playbook again will install and restore the same settings as before (assuming the hostname remains the same). Peers can connect with the same keys/certs as before.

This might not be a huge deal, but it's incredibly useful for me. As a part of a much larger "VPS toolkit" I have, which I'm not planning to make fully public (it's tailored to my specific environment). However, if Boringguard is useful to others, I might consider migrating more features from my private collection.

Docs & Feedback:

I haven't finished the documentation yet (missing Quick Start, etc.). Feel free to ask here if you're interested, and I'll work on improving the docs if there's enough interest.

Cheers! 🚀

Personally I have two right now, one from @crunchbits in WA and one from @Hostaris in Frankfurt, so I can cover two continents broadly, but I feel like I might need an East coast US one, another EU location that's not too close to Germany, and perhaps one in Asia. Or maybe 5 is overkill? Or maybe you are all running like 25 endpoints worldwide. Just trying to get a general idea of what everyone has setup!

A friend and I have tried similar deals for NordVpn and SurfShark on BlackFriday and got refunded with no problems. For US citizens there are many refund options, outside US you can select a virtual VISA or PayPal payout.

• Remember to read the details, i.e. only new customer, no cashback on optional addons
• Ends March 01 2024

Affiliate link
Non Affiliate link

/Joey

We're excited to bring you an exclusive deal on our VPN UNLIMITED

VPN UNLIMITED

• Unlimited Monthly Data - No need to worry about data limits each month.
• High-Speed Connection - Enjoy seamless web surfing with super-fast 10Gbit/s uplink servers.
• Network Optimizer - Optimize your latencies with our low latency network.
• IP Address - Dedicated static IPv4 address and enjoy the IPv6 address (/128 Static).
• Wireguard Protocol - We use Wireguard for lightning-fast and secure connections.
• Special Price: €8,78/year VAT included
• Discount Code: 6LP2P0G9PH
• Quantity available: 500

ORDER LINK
Note: choose yearly billing and select "Static IPv4 address" Addon when ordering.

Were we forgetting IPv6?: After ordered, comment here with the paid invoice id to obtain dedicated and static IPv6 /48 subnet assigned to your VPN.

Why Choose C1V Hosting?

• State-of-the-art data center
• Sustainable and eco-friendly operations
• Mon-Sat 9am-6pm expert support
• High-performance servers with top-tier connectivity
• Exceptional value for premium hosting solutions

Useful Links

• Terms of Service
• Looking Glass
• Autonomous System Info
• Refund Policy

I was first looking at the big providers like Mullvad for a VPN deal but a lot of these services are 5+ Euro per month and also come with strict device limits, sometimes as little as 5 connections. A friend on Discord said I should consider looking at getting a VPS and making my own VPN, which has now lead me here. I have enough previous knowledge that I can configure a WireGuard daemon and the configuration files, but I guess my main question is, can I accomplish what I am looking to do with a simple budget VPS?

Some of these Black Friday deals appear to be under $20 a year, and advertise 2TB bandwidth a month which I don’t think would be exceeded - people are typically streaming non high bitrate live TV with the odd torrent video here or there. And surely not 24/7…

Is there any pitfalls or problems I need to be aware of, or is this a sound and much more frugal solution than paying big VPN providers? Is there some TOS against media streaming or anything I should know, or running a VPN for up to 5+ people?

Big thanks for any advice, great forums and website you guys have here, I have been here 5+ years ago and glad to see it’s still alive and well

Cheers from Toronto

The connection is successful. If I add '0.0.0.0/0' to allowed IPs, v4 gets tunnelled, but not v6. Adding '::/0' seems to have no effect at all.

Here are some configs and screenshots.

From /etc/config/network

config interface 'v6_AT'
    option proto 'wireguard'
    option private_key 'xxxx'
    list addresses '10.7.0.2/24'
    list addresses 'fddd:2c4:2c4:2c4::2/64'
    list dns '1.1.1.1'
    list dns '2606:4700:4700::1111'
    option ip6table 'default'
    option force_link '1'

config wireguard_v6_AT
    option description 'id1-atharva'
    option public_key 'xxxx'
    option preshared_key 'xxxx'
    option route_allowed_ips '1'
    option endpoint_host 'xxxx'
    option endpoint_port 'xxxx'
    option persistent_keepalive '25'
    list allowed_ips '::/0'

I believe this has to do something with firewalls and routing, but I have not been able to find anything useful yet.

Any help is greatly appreciated, thanks in advance!!

Where can I find them now? It can be a bundle of servers from various places and I can pay upfront for a year or two.

What is the differences between Adguard Free & Premium (ex: Family lifetime plan)?

do the free one block ads at network level or just in web browser?

i'm thinkin to buy family lifetime plan on Stacksocial to get rid android in app ads

Here is a dirty diagram of how things would look like:

1. VPS
   2602:fed2:8888:106:: /64 assigned
   eth0 = 2602:fed2:8888:106::1
   wg0 = 2602:fed2:8888:106:100::1
   -- wg tunnel --

2. Home client
   wg0 = 2602:fed2:8888:106:100::10 (this will become a 'default gateway' at home - receiving traffic from multiple hosts)
   eth0 = 192.168.1.100

-- client 1 fowards packets to 192.168.1.100 asking for an IPv6 address. Hoping it automatically gets one from the available /64 space.

VPS provider won't give more IPv6 space than /64 unfortunately - I haven't tried asking for a /128 for a ptp thats routed to it - I was reading that may work but dont know.

I did try /etc/ndppd.conf with this config but did not see any requests comming from wg0 instance:

proxy eth0 {
  autowire yes
  rule 2602:fed2:8888:106::/64 {
      iface wghub
  }
}

Anyone with experience that could comment?

# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

Is it impossible to run wireguard in these containers or is it a PEBKAC issue? Do you recommend any of the userspace wireguard implementations and, if so, which?

GitHub:
https://github.com/Nyr/wireguard-install

One-liner:
wget https://github.com/Nyr/wireguard-install/raw/master/wireguard-install.sh && bash wireguard-install.sh

Supported distros:
- Ubuntu
- Debian
- Centos
- Fedora
- AlmaLinux
- Rocky Linux

FAQ:

Will it work in my Raspberry Pi?
Probably, I don't have one to test. Install the raspberrypi-kernel-headers package and hope for the best. But you should consider using a distribution with built-in kernel support when it becomes available.

OpenVZ support?
Yes, via boringtun.

Can you add x feature?
Maybe, if it's worth it. But I'll keep the installer simple and functional, so keep that in mind. Niche features are unlikely to be implemented.

I like the project, how can I help?
Tell other people about it! wireguard-install is new and many people do not yet know about it. Some other low-quality tools based on my openvpn-install work exist, with credits and copyright notices removed. It's a sad sight to me after nearly a decade maintaining openvpn-install.

I get a /64 block of IPv6 address of which 1 is allocated to the eth0 interface on my VPS. I then allocate a /112 block to Wireguard outside of the eth0 address, and statically assign IPv6 address from this block to wireguard clients.

MaxKVM does not do routed IPv6, but uses on-link IPv6, so I have to enable proxy_ndp on my VPS so that the eth0 interface would respond to neighbor solication (NS) messages with a neighbor advertisement (NA) for addresses in the /112 block.

sudo sysctl -w net.ipv6.conf.all.proxy_ndp = 1
sudo ip -6 neigh add proxy 2402:xxxx:xxxx:xxxx::200:4 dev eth0

When I try to ping an external IPv6 address on my wireguard client, the upstream router of the VPS would then ask who has the 2402:xxxx:xxxx:xxxx::200:4 address so that it knows where to route the response to. The issue though is that the upstream router is sending NS messages with a fe80::xxxx:xxxx:xxxx:fdc0 (IPv6 EUI-64 address) and expecting a reply back to that fe80 address. See tcpdump output below.

jon@max1 /etc: sudo tcpdump -i eth0 -v 'icmp6[icmp6type]=icmp6-neighborsolicit or icmp6[icmp6type]=icmp6-neighboradvert'
04:32:07.414482 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::xxxx:xxxx:xxxx:fdc0 > ff02::1:ff00:4: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2402:xxxx:xxxx:xxxx::200:4
      source link-address option (1), length 8 (1): xx:xx:xx:xx:fd:c0
04:32:07.482930 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::yyyy:yyyy:yyyy:2d51 > fe80::xxxx:xxxx:xxxx:fdc0: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2402:xxxx:xxxx:xxxx::200:4, Flags [solicited]
      destination link-address option (2), length 8 (1): xx:xx:xx:xx:2d:51
04:32:07.550926 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::yyyy:yyyy:yyyy:2d51 > fe80::xxxx:xxxx:xxxx:fdc0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::xxxx:xxx:xxxx:fdc0
      source link-address option (1), length 8 (1): xx:xx:xx:xx:2d:51

Since I enabled ndp proxying, my VPS tries to respond back to the router's fe80 address with a NA, but determines that it cannot, and sends a NS asking for how to route to that address. As a result, my wireguard client gets a host unreachable error because it gets no response.

However, if I ping the global IPv6 address that is the IPv6 gateway (which is also the router) from the wireguard client, I will see a NS coming from that global IPv6 address. And because it is the gateway, my VPS has no problems with responding with a NA and IPv6 starts working on my wireguard client.

04:39:34.124527 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) 2402:zzzz:zzzz::1 > ff02::1:ff00:4: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2402:xxxx:xxxx:xxxx::200:4
      source link-address option (1), length 8 (1): xx:xx:xx:xx:fd:c0
04:39:34.718943 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) <My Public IPv6 address> > 2402:zzzz:zzzz::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2402:xxxx:xxxx:xxxx::200:4, Flags [solicited]
      destination link-address option (2), length 8 (1): xx:xx:xx:xx:2d:51

Is it normal to block ICMPv6 access to the fe80 address of the upstream router?

For now though, I have switch to NATed IPv6 for my wireguard clients, but what a waste of the /64 block though.

Thanks
Jonathan

On my KVM VPSes, I'm using the iptables rule iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
which would translate to iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE for OpenVZ I figured. However, iptables on my OpenVZ NAT VPS complains 'Chain 'MASQUERADE' does not exist'.

I already switched to the legacy version of iptables instead of nf using update-alternatives –config iptables but the error remains. And indeed, if I run iptables -L I see only three chains: INPUT, FORWARD and OUTPUT...

In the meantime I found this set of iptables rules that makes the VPN connection work:

#Forwarding
iptables -A FORWARD -i venet0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
#Hardening?
iptables -A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -j DROP

However, apart from being 5 rules instead of just 1 simple rule, I'm not sure if the rules above are too permissive.

Since I'm no iptables hero myself, I was hoping someone could help me out here in figuring out the correct set of iptables rules to get WireGuard running on my NAT VPS.

Thanks!

Wireguard is now in bionic-updates.
PPA+dkms no longer required for bionic users.

Apparently, there was an official announce by Jason Donenfeld (author) on the mailing list on the next day : Aug 3, 2020.

You can safely remove the PPA config from /etc/apt/sources.d/ if you were previously on it on the supported OSes.
https://lists.zx2c4.com/pipermail/wireguard/2020-August/005737.html

Hi folks,

At long last, Ubuntu now supports WireGuard on releases 20.04, 19.10,
18.04, and 16.04, which means we've got all currently supported LTS
releases covered. For that reason, we're in the process of sunsetting
the PPA that previously provided packages to some users. This email
details possible changes users might consider.

The right way to install WireGuard on Ubuntu now consists of a single
command:

$ sudo apt install wireguard

This "wireguard" package will automatically pull in either one or two
packages with it:

1) wireguard-tools: this will always be pulled in and provides wg(8)
and wg-quick(8).
2) wireguard-dkms: this will only be pulled in if your kernel doesn't
already come with WireGuard.

As suggested by (2), most Ubuntu kernels now come with WireGuard out of
the box, even older releases, to which WireGuard has been backported.
This is great news and will result in much better reliability during
upgrades, as well as smoother compatibility with SecureBoot.

--snipped--

As a very good general recommendation for people new to wireguard ,
USE https://github.com/Nyr/wireguard-install/ (read the README first)

I have reviewed nyr's wireguard-install script and I am satisfied that it is well done.
I compared it with a manually configured wireguard tunnel, and all the defaults seem sensible.
Anything that saves you time should be welcomed.
Shoutout to @nyr, a long time LET/S MVP.

I wonder: Are you aware of any good Wireguard auto-install scripts like the one that @Nyr provides for OpenVPN?
Would be very grateful for your hints!

Thanks a lot in advance & one love,
the Amitz & his brother