How to set up a WireGuard VPN for free!
Go grab a free account from Azure if you haven't already signed up for one, or use your AWS free compute hours with a small EC2 instance.
Create a small VM that fits in the free price range.
Set the networking rules to allow any TCP/UDP traffic over port 51820 (WireGuard itself only uses UDP). In Azure you do this by creating the free VM (which can be created with a few clicks from that link after creating your account). Once the VM is created and you have a status of "Your deployment is complete", open the "Deployment details" section and click the Resource link of type "Microsoft.Compute/virtualMachines".
In the left sidebar there will be a link for Networking. Click this.
On the networking page click "Add Inbound port rule".
Create a rule with the following:
Source: Any
Source port range: *
Destination: Any
Destination port range: 51820
Protocol: Any
Action: Allow
Priority: 380
Name: Port_51820
Description: Wireguard
SSH into your VM.
Run the following:
# Run these as root
sudo su
umask 077
cat << EOF >> /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
EOF
# Apply the forwarding settings now instead of waiting for a reboot
sysctl -p
# On Ubuntu 20.04 and later WireGuard is in the standard repositories, so the PPA line can be skipped
add-apt-repository ppa:wireguard/wireguard
apt-get update
apt-get install wireguard
# Generate public and private keys (after the install, which provides the wg command)
wg genkey | tee privatekey | wg pubkey > publickey
echo "This is the Server Private Key:"
cat privatekey
echo "This is the Server Public Key:"
cat publickey
echo "This will be the Client Private Key if you need to generate one (using the OSX WireGuard App?):"
wg genkey > clientprivatekey
cat clientprivatekey
Now, if you are using the OSX WireGuard App, create a new "empty tunnel" by clicking the plus button in the bottom left. Paste in the following, replacing IPAddressOfYourServer with your VM IP, ClientPrivateKey with the value from the clientprivatekey file, and ServerPublicKey with the Server Public Key:
[Interface]
PrivateKey = ClientPrivateKey
ListenPort = 21841
Address = 192.168.2.2/32
# Cloudflare DNS
DNS = 1.1.1.1

[Peer]
PublicKey = ServerPublicKey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = IPAddressOfYourServer:51820
PersistentKeepalive = 25
After replacing the values I mentioned and copying this into the WireGuard OSX App, you will have a Client Public Key generated. It will be right above the text box you paste the configuration into. Take this value and replace PublicKeyFromClient with it. Replace PrivateKeyfromthe2ndComnmandAbove with the Server Private Key that was printed out in the last set of commands you ran on the VM. Then run the following on your VM:
# Run as root; the file holds the server private key, so keep it readable by root only
cat << EOF >> /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.2.1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = PrivateKeyfromthe2ndComnmandAbove
DNS = 1.1.1.1

[Peer]
PublicKey = PublicKeyFromClient
AllowedIPs = 192.168.2.2/32
EOF
chmod 600 /etc/wireguard/wg0.conf
You may also want to set up a firewall on your VM by running:
sudo ufw allow 22/tcp
sudo ufw allow 51820/udp
sudo ufw enable
This is optional.
It is time to start the WireGuard server. Run this on your VM:
sudo wg-quick up wg0
# Set WireGuard to run on system start
sudo systemctl enable wg-quick@wg0
# Check the status
sudo wg show
Note: after every change to your /etc/wireguard/wg0.conf file you will need to bring the WireGuard service down and back up again:
sudo wg-quick down wg0
sudo wg-quick up wg0
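The steps above rely on hand-replacing placeholders in a file that holds a private key, so a quick check before each wg-quick up catches the usual slips. This is an added example, not part of the original guide: the function name check_wg_conf is hypothetical, and the placeholder names are the ones used in this guide.

```sh
#!/bin/sh
# Added example (not from the original guide): check a WireGuard config
# before running `wg-quick up`. Placeholder names are the ones this guide uses.

PLACEHOLDERS='PrivateKeyfromthe2ndComnmandAbove|PublicKeyFromClient|ClientPrivateKey|ServerPublicKey|IPAddressOfYourServer'

# Prints each problem found; returns 0 only when the file is clean.
check_wg_conf() (
    conf=$1
    problems=0
    [ -f "$conf" ] || { echo "missing file: $conf"; exit 2; }

    # The file contains a private key, so group and others get no access.
    mode=$(ls -ldL "$conf" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "permissions too open; run: chmod 600 $conf"
        problems=$((problems + 1))
    fi

    # Placeholder text that was never replaced with a real value.
    if grep -nE "$PLACEHOLDERS" "$conf"; then
        echo "placeholder text left in $conf"
        problems=$((problems + 1))
    fi

    # A WireGuard key is 32 bytes in base64: 43 characters followed by '='.
    # Only the count is reported, never the key material itself.
    bad=$(sed -nE 's/^[[:space:]]*(PrivateKey|PublicKey)[[:space:]]*=[[:space:]]*//p' "$conf" \
        | grep -cvE '^[A-Za-z0-9+/]{43}=[[:space:]]*$' || true)
    if [ "$bad" -gt 0 ]; then
        echo "$bad key line(s) are not valid base64 WireGuard keys"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
)
```

Source the file in a root shell and run check_wg_conf /etc/wireguard/wg0.conf; the same function works on a client config saved to a file.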
You should now be able to go back to your WireGuard client and activate the connection. Google "What Is My IP" and verify that your IP has changed. You could then also check whether you have DNS leaks. Note that I am using Cloudflare DNS. I believe for a really secure VPN you would want to install DNS on your VPN as well, but I have not bothered to attempt that yet.