A VPN (virtual private network) routes all of your traffic through an encrypted tunnel to another computer, which then talks to the internet on your behalf. Websites and your ISP see that computer's address instead of yours, which is what lets you reach regionally blocked content and hides your browsing from whatever network you happen to be on. Modern options include NordVPN, ExpressVPN, etc., but today I am going to show you why and how to create your own VPN using WireGuard.
Why?
Have you ever heard VPNs claiming: "Your ISP can see everything you do online!"? I don't want to spoil it, but that is wrong. If you browse a website over HTTPS, the contents of the connection are encrypted, so neither your ISP nor anybody else "listening" on your link can tell what you did on the site. What they can see is which site you requested: the destination IP address, the hostname in your DNS lookup (usually sent in the clear) and the hostname in the TLS handshake (SNI), unless you use encrypted DNS and Encrypted Client Hello. So if you visit bankofamerica.com and log in, your ISP only sees that you contacted bankofamerica.com, not your login data or what you did there. Even so, many people don't want their browsing history tracked at all, so they go for a VPN.
But think about it: who guarantees that VPN providers don't do the same? Most VPNs state that they respect your privacy, but so do most ISPs. Promises are only promises. In 2018 a NordVPN server was breached, and it only became public a year later. PIA and TunnelBear, two well-known VPNs, have both changed owners (TunnelBear to McAfee, a company that isn't known for its privacy, and PIA to Kape Technologies), so at this point you can no longer trust any VPN unless you create one yourself. Keep in mind that "yourself" still means trusting whoever hosts the machine: with a rented VM, the provider can see the traffic leaving it, and the exit IP is tied to your account.
Warning: If you run the VPN on your home network, be careful: anyone holding a client config can reach your LAN as if they were plugged into it, so limit what VPN clients may reach and protect the config files. You can follow a good guide here.
Are you eligible to create a VPN?
First of all, if you plan to host the VPN at home you have to make sure you have a public IP address; without one, nobody from outside can reach your server. (A rented VM, described below, comes with one.) To see whether you have a public IP do this:
Get your public IP from here (any "what is my IP" site will do). Then open PowerShell on Windows or Terminal on macOS and trace the route to that address:
macOS/Linux: traceroute <publicip>
Windows: tracert <publicip>
If the trace reaches the address in a single hop (just your router), the address is really yours. If it takes several hops to get there, your ISP is using CG-NAT and the address is shared with other customers, so port forwarding on your router will never receive anything. Another check: if the WAN address shown on your router's status page differs from what the website reports, or falls in 100.64.0.0/10 (the carrier-grade NAT range), you are behind CG-NAT. Ask your ISP whether they can give you a real public address, or host the VPN on a VM instead.
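As an added example (not part of the original guide), here is a small POSIX shell function that tells you which kind of address your router is holding. Feed it the WAN address from your router's status page: "cgnat" means it is in 100.64.0.0/10 and you are behind carrier-grade NAT, "private" means an RFC 1918 address (another NAT in front of you), "public" means the address is really yours. The sample addresses at the bottom are made up.

```shell
#!/bin/sh
# Added example, not from the original guide: classify the WAN address your
# router reports. "cgnat" (100.64.0.0/10, RFC 6598) or "private" (RFC 1918)
# means your ISP is NATing you and inbound port forwards will never arrive.

# ip_to_int A.B.C.D -> prints the 32-bit value, or returns 1 on malformed input
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 ))
}

# in_cidr ADDR NETWORK PREFIXLEN -> exit 0 when ADDR lies inside NETWORK/PREFIXLEN
in_cidr() {
    a=$(ip_to_int "$1") || return 1
    n=$(ip_to_int "$2") || return 1
    # Host bits to ignore: 2^(32-prefix). Integer division drops them.
    block=$(( 1 << (32 - $3) ))
    [ $(( a / block )) -eq $(( n / block )) ]
}

# classify_wan_ip ADDR -> public | cgnat | private | loopback | invalid
classify_wan_ip() {
    ip_to_int "$1" >/dev/null || { echo invalid; return 1; }
    if in_cidr "$1" 100.64.0.0 10; then
        echo cgnat
    elif in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16; then
        echo private
    elif in_cidr "$1" 127.0.0.0 8; then
        echo loopback
    else
        echo public
    fi
}

# Constructed sample addresses, as a quick demonstration when run directly.
for sample in 203.0.113.5 100.72.3.9 192.168.1.1; do
    echo "$sample -> $(classify_wan_ip "$sample")"
done
```

Run it with the address from your router's status page, not the one a website shows you: the website always shows the address the ISP presents to the internet, and the whole point is to find out whether that address belongs to your router.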
Creating the VPN
These days it's basically as easy to create a VPN as to buy one. If you have a server at home you can skip ahead, but if not, you will need a machine that is going to host your VPN. Vultr.com is a popular option. Select a VM with at least 0.5 GB RAM, 1 CPU core and a bandwidth of your liking. At the time of writing the cheapest one goes for $5 a month.
- Install or choose Ubuntu Linux on your VM (I use Ubuntu Server 20.04.6 LTS)
- Connect to the VM with the steps shown on the website
Install PiVPN (don’t worry this will install Wireguard) with this command:
curl -L https://install.pivpn.io | bash
You may have to input your password, or run the installer itself as root (only bash needs root, not curl):
curl -L https://install.pivpn.io | sudo bash
Piping a download straight into a shell means you run whatever the server sends you at that moment. If you'd rather look first, save the script to a file, read it, and then run it with bash.
Go through the installation and, if prompted, choose that you have a static IP (on a VM it is; at home, give the host a DHCP reservation or a fixed address so it doesn't move). When you choose which VPN to install, tick WireGuard. Compared with OpenVPN, the second option, WireGuard is much newer, lighter and easier to use. Leave the port at 51820. For the DNS server you have two options: if you just want the VPN, choose a DNS server of your liking such as Google or Cloudflare; if you plan on installing Pi-hole later to block ads, select custom DNS and set it to the IP of this machine, so that clients resolve through it once Pi-hole is up. Continue through the installation until you exit the screen.
Adding users
It is recommended to create a user (a client profile) for every device you plan on using the VPN on. Why? Because if, let's say, you lose your phone which has the VPN installed, you can remove just that profile so nobody can use it to reach your home network, while you stay connected on your other devices. Each profile has its own key pair, so revoking one does not affect the rest.
To add a user run this and input a custom name:
pivpn -a
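To show what those profiles actually are on disk, here is an added example (my own shell, not PiVPN's code) that does the bookkeeping behind adding and revoking a device directly on a WireGuard server config: it lists the peers, picks the next free tunnel address for a new device, and deletes the [Peer] block of a lost device by its public key. The config text, the 10.8.0.0/24 subnet and the placeholder keys are constructed for the example. PiVPN itself does this for you with pivpn -a and pivpn -r (pivpn -l lists the profiles) and additionally wraps each peer in its own comment markers.

```shell
#!/bin/sh
# Added example, not PiVPN's own code: the bookkeeping behind "pivpn -a" and
# "pivpn -r" done directly on a WireGuard server config. Assumed (not from the
# guide): VPN subnet 10.8.0.0/24 with the server at .1, one [Peer] block per
# device with a /32 AllowedIPs, placeholder keys instead of real base64 keys.

# Constructed server config standing in for /etc/wireguard/wg0.conf.
sample_conf() {
cat <<'EOF'
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# laptop
PublicKey = LAPTOP_PUBKEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
# phone
PublicKey = PHONE_PUBKEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32
EOF
}

# list_peers CONF_TEXT -> one "<pubkey> <allowedips>" line per [Peer] block
list_peers() {
    printf '%s\n' "$1" | awk '
        /^\[/ { sect = $0 }
        sect == "[Peer]" && /^PublicKey/  { key = $0; sub(/^PublicKey[ \t]*=[ \t]*/, "", key) }
        sect == "[Peer]" && /^AllowedIPs/ { ip = $0;  sub(/^AllowedIPs[ \t]*=[ \t]*/, "", ip); print key, ip }'
}

# next_free_ip CONF_TEXT -> lowest unused host in 10.8.0.0/24 for a new device
next_free_ip() {
    printf '%s\n' "$1" | awk '
        /^(Address|AllowedIPs)[ \t]*=/ { split($0, a, "[= /]+"); used[a[2]] = 1 }
        END { for (n = 2; n < 255; n++) { ip = "10.8.0." n; if (!(ip in used)) { print ip; exit } } }'
}

# remove_peer CONF_TEXT PUBKEY -> the config with that device's [Peer] block removed.
# Lines are buffered until the next section header so the whole block goes at once.
remove_peer() {
    printf '%s\n' "$1" | awk -v target="$2" '
        function flush() { if (!drop) printf "%s", buf; buf = ""; drop = 0 }
        /^\[/ { flush() }
        { buf = buf $0 "\n" }
        /^PublicKey[ \t]*=/ { v = $0; sub(/^PublicKey[ \t]*=[ \t]*/, "", v); if (v == target) drop = 1 }
        END { flush() }'
}

# Demonstration on the constructed config: revoke the phone, then see what a
# new device would get. Editing the file alone does not cut a live session; the
# interface has to be reloaded (PiVPN does that for you) before the key is dead.
conf=$(sample_conf)
echo "next free before: $(next_free_ip "$conf")"      # 10.8.0.4
conf=$(remove_peer "$conf" PHONE_PUBKEY_PLACEHOLDER)
list_peers "$conf"                                     # only the laptop remains
echo "next free after: $(next_free_ip "$conf")"        # 10.8.0.3
```

The thing to take away is that a "user" in PiVPN terms is nothing more than a [Peer] block keyed by a public key: whoever holds the matching private key (the one inside the phone's .conf or QR code) is that user, which is why a lost device must be removed here rather than by changing a password somewhere.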
Connecting to the VPN
If you want to connect with a phone:
Download the Wireguard-app and on the host machine run:
pivpn -qr
Select the user you want to connect and scan the QR code from the app via "Scan QR code". Turn the VPN on and voilà, you have officially established a connection. The QR code contains that device's private key, so don't leave it on screen or in screenshots.
On a computer:
Go to Installation – WireGuard and choose your OS. Go through the installation wizard and follow these instructions: while you were adding a user on the host machine with pivpn -a, it should have displayed the path where the <user>.conf file is located. You have to copy that file to your computer to connect to the VPN. To do that open cmd on Windows or Terminal on Mac and run:
scp <username-of-linuxos>@<ip-of-host-machine>:<path/to/file> .
Replace <username-of-linuxos> with the username you used when installing PiVPN. Replace <ip-of-host-machine> with its IP (the public IP if you are outside your network, the local IP if you are inside it). Then give the path you got when adding the user plus the file name (it may look a little like this: /home/root/configs/User1.conf). This copies the file to the current directory of cmd, which should be C:\Users\<User>. The file contains that device's private key, so treat it like a password and delete any spare copies. Open the WireGuard app, choose "Import tunnel(s) from file" and select the file. It will set up the VPN and you should be able to turn it on.
Troubleshooting:
Now, about half the time everything will work as expected, but the other half there will be something you have to fix! Don't worry, it happens to the best of us. Here are typical problems you might have and a troubleshooting guide to find a solution.
I cannot access the web!
If you have connected to the VPN but aren’t able to access the web this might fix it:
- Go to the host machine and type pivpn -d. Say yes to every prompt until the debugging is finished. Reconnect to the VPN and check the connection again.
- If running "sudo ufw disable" solves the problem, the firewall is blocking forwarded traffic. Turn ufw back on and fix the settings instead of leaving it off:
Edit the sysctl.conf file using:
sudo nano /etc/sysctl.conf
and uncomment the following lines:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Then edit ufw's own sysctl file using:
sudo nano /etc/ufw/sysctl.conf
and uncomment the following lines:
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
Apply the settings using:
sudo sysctl -p
Without forwarding the host accepts the tunnel but refuses to pass packets between wg0 and the internet, which looks exactly like "connected, but no web".
- Check interface settings:
On the wireguard app rightclick on the VPN and select edit:
Check that the DNS is correct (Google = 8.8.8.8 or 8.8.4.4; if you pointed clients at Pi-hole, that address must be reachable through the tunnel). The Endpoint should be the public IP of the server followed by the port. Set AllowedIPs to 0.0.0.0/0, ::/0 so that all traffic, IPv6 included, goes through the tunnel; with only 0.0.0.0/0 your IPv6 traffic bypasses the VPN. Then try again. If it still doesn't work, go to the host and check the interface settings with:
sudo nano /etc/wireguard/wg0.conf
Check that everything is OK in the interface (Address, ListenPort, and a [Peer] block carrying the client's public key).
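As an added example (not from the guide), here is a shell lint for the client-side <user>.conf that checks exactly the three fields above and also catches the IPv6 leak case. The two sample configs are constructed; the addresses and keys in them are placeholders, and nothing here touches the network.

```shell
#!/bin/sh
# Added example, not from the guide: lint a client-side <user>.conf for the
# three fields the troubleshooting list points at. Addresses and keys in the
# sample configs are constructed placeholders; nothing here touches the network.

# Constructed client config with every problem at once: no DNS, a LAN address
# as Endpoint, and AllowedIPs that only covers the VPN subnet.
bad_client_conf() {
cat <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/24

[Peer]
PublicKey = SERVER_PUBKEY_PLACEHOLDER
Endpoint = 192.168.1.20:51820
AllowedIPs = 10.8.0.0/24
EOF
}

# The same config as it should look for a full tunnel to a server on a public IP.
good_client_conf() {
cat <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/24
DNS = 10.8.0.1

[Peer]
PublicKey = SERVER_PUBKEY_PLACEHOLDER
Endpoint = 203.0.113.5:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
}

# conf_get CONF_TEXT KEY -> value of the first "KEY = value" line, trimmed
conf_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $0 ~ "^" k "[ \t]*=" { sub("^" k "[ \t]*=[ \t]*", ""); sub(/[ \t]*$/, ""); print; exit }'
}

# is_unroutable HOST -> exit 0 for RFC 1918, loopback and CG-NAT (100.64.0.0/10) addresses
is_unroutable() {
    case $1 in
        10.*|192.168.*|127.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        100.*) o2=${1#100.}; o2=${o2%%.*}
               case $o2 in ''|*[!0-9]*) return 1 ;; esac
               [ "$o2" -ge 64 ] && [ "$o2" -le 127 ] ;;
        *) return 1 ;;
    esac
}

# lint_client_conf CONF_TEXT -> one finding per line; exit 0 only when clean
lint_client_conf() {
    conf=$1; rc=0
    dns=$(conf_get "$conf" DNS)
    ep=$(conf_get "$conf" Endpoint)
    allowed=$(printf '%s' "$(conf_get "$conf" AllowedIPs)" | tr -d ' ')

    # No DNS: names resolve via whatever network the phone is on, or not at all.
    [ -n "$dns" ] || { echo "DNS: missing; set it to your Pi-hole or a public resolver"; rc=1; }

    # Endpoint must be the server's public address plus the UDP port.
    if [ -z "$ep" ]; then
        echo "Endpoint: missing"; rc=1
    else
        host=${ep%:*}
        case $ep in *:[0-9]*) ;; *) echo "Endpoint: no port, expected host:51820"; rc=1 ;; esac
        if is_unroutable "$host"; then
            echo "Endpoint: $host is a private or CG-NAT address and is not reachable from outside"; rc=1
        fi
    fi

    # A full tunnel needs default routes for both families; v4-only leaks v6.
    case ",$allowed," in
        *,0.0.0.0/0,*)
            case ",$allowed," in
                *,::/0,*) ;;
                *) echo "AllowedIPs: 0.0.0.0/0 without ::/0, so IPv6 traffic bypasses the tunnel"; rc=1 ;;
            esac ;;
        *) echo "AllowedIPs: $allowed does not include 0.0.0.0/0, so only VPN-subnet traffic uses the tunnel"; rc=1 ;;
    esac
    return $rc
}

# Demonstration on the constructed configs.
lint_client_conf "$(bad_client_conf)" || echo "bad config: problems found (see above)"
lint_client_conf "$(good_client_conf)" && echo "good config: clean"
```

Feed it your real .conf with lint_client_conf "$(cat User1.conf)". A hostname as Endpoint (for example a dynamic-DNS name) passes the address check, which is fine; what the lint refuses is an address that can only ever be reached from inside your own LAN.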
I cannot access a local machine!
If you cannot access a local machine, this might help you:
- Follow the steps listed in "I cannot access the web" above; in particular, the client's AllowedIPs must cover your LAN subnet (0.0.0.0/0 does), and the host must forward traffic. If that doesn't work, the routes below help with devices that are only found through multicast or link-local traffic (printers, mDNS names). Run
sudo nano /etc/wireguard/wg0.conf
In the [Interface] section add:
PostUp = ip route add 224.0.0.0/24 dev wg0 table local metric 10; ip route add 169.254.0.0/16 dev wg0 table local metri>
PreDown = ip route delete 224.0.0.0/24 table local; ip route delete 169.254.0.0/16 table local; ip route delete ff00::/>
Check again.
I cannot enable the VPN from outside the network!
To reach your VPN from outside the network you first have to open the port the VPN listens on. At home, go to your router's settings, find port forwarding, select the IP of the host machine and forward port 51820 (or the port you set the VPN on) with protocol UDP; WireGuard is UDP only, so a TCP rule does nothing. On a rented VM there is nothing to forward, but the provider's firewall (if it has one) and the VM's own firewall (ufw) must both allow UDP 51820 inbound. Confirm everything and click OK. Now it should work.
Conclusion
Even though setting up a VPN yourself is useful, the key features differ from a paid VPN. I would say that if you just want to browse more privately on networks you don't trust and reach your home network from anywhere, the WireGuard VPN gets the job done. But keep in mind that other VPNs like ExpressVPN or NordVPN can do more, like bypassing regional blocks to reach websites banned in your country or unlocking more Netflix content. Convincing a friend abroad to host one, or buying a VM in another country, lets you achieve the same. The downside of any VPN is still speed, and if you set up your own on an old laptop running in your basement, it won't get any better. I hope this guide satisfied you and you can now enjoy that extra privacy!