Self Hosted WireGuard VPN on OpenBSD
ฝัง
- เผยแพร่เมื่อ 20 ก.ย. 2024
- Setting up a WireGuard VPN Server on OpenBSD with a Linux client.
Get yourself a Vultr VPS today
www.vultr.com/...
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF
Dash
Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz
Zcash
t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr
Chainlink
0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14
Bitcoin Cash
qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp
Etherum Classic
0xeA641e59913960f578ad39A6B4d02051A5556BfC
USD Coin
0x0B045f743A693b225630862a3464B52fefE79FdB
Subscribe to my TH-cam channel goo.gl/9U10Wz
and be sure to click that notification bell so you know when new videos are released.
Two important things that were not mentioned: Wireguard in-kernel support was first available in linux, it was recently merged in upstream openbsd, it's currently experimental on windows. I think there were software implementations on openbsd before the kernel support, so you'll want to ensure you are running a very recent kernel, and whatever you need to do to ensure you're running the kernel module for it to get the advertised performance. This probably isn't terribly relevant on slower internet speeds, but may be on slower vps.
Secondly, and more importantly, keep in mind that while a vpn may provide a secure connection between two endpoints, if you are concerned about privacy you can go ahead and toss that out of the window once that traffic hits a cloud service provider. Also don't assume your cloud vps is secure from the provider itself. If you are setting it up in this way your firewall rules at home should be such that you are treating the endpoint as a potentially hostile computer, grant no access back to your own services unless you need to. This kind of setup can be useful in certain cases though, to bypass geoip restrictions on videos, for remote work on the vps, etc. However the primary usecase from a security perspective is going to be creating a tunnel between two trusted endpoints, for example, your home and a laptop.
Good info.
I don't know wireguard as well as OpenVPN, but there are ways in OpenVPN to limit which VPN clients can talk to whom, on what ports, blah blah blah, because like you say from a industry point of view the VPN server is what's trusted, and all the personel connecting in are untrusted because their laptop might have been stolen, hacked, etc. But I imagine all of that could also be done through iptables/ipfw. The thing i think that wasn't mentioned in quite as much detail as i'd like is some background on the differences in the crypto protocols used, although that would be a series in its own right lol. Some of the wireguard crypto i've heard of before, but most not.
@@cannaroe1213 Generally the way you would do this on wireguard is with firewall rules at both sides. Wireguard provides a secure tunnel, but that's basically it.
"it was recently merged in upstream openbsd" huh? wireguard has been in the kernel for over two years now
@@blakkheim 2 years falls within my definition of recent personally. Like I said, there was a software implementation before that, so if you have a preexisting system, it's worth making sure you are recent enough to have the kernel module.
These deepfakes are so realistic. Can we have a tutorial on how to generate them, Luke?
I think it's a realistic latex jogger skin-suit. They cost $500+.
dumbest joke
@@lanpartylandlord6123 Okay and?
@@trayambakrai dumbest response
If it's not a deepfake then I swear they have to be roommates or something. I swear I've seen that room in one of Luke's videos before lol
BSD stands for Based Secure Distribution.
I wouldn't call it based, it's a cuck license.
It should be openSSD
*BASED*
Based.
*B* a *S* e *D*
This is Drake in a different, alternate universe.
bruh literally what i thought LOL
Drake wishes to be this BASED.
Is he still packing in this universe?
Take it back
Thanks for keeping your titles accurate, I might use them as a starting point at some point, so that makes it easier to find them.
I like this OpenBSD content, please make more! I've wanted to get into BSDs and OpenBSD specifically but found out that it's unfortunately nowhere near as covered as Linux on TH-cam. Thanks!
The BSD's have a different way of promoting themselves. You can get most of the help through forums or their official mailing lists..
On a previous video he did mention many OpenBSD channels like
The OpenBSD guy (also on Odysee)
Root BSD (also on Odysee)
Zaney
dude that fade is SHARP!
If drake had a smart, programming, long lost gym bro brother...
I love how OpenBSD has most things that are needed preinstalled as part of the base installation, all of which is audited line by line several times a year.
It has unbound and nsd for DNS, httpd for web server, a standard dhcpd server, e-mail server code, and more. It doesn't have a database system like mysql or postgresql, etc but that can be added.
Yeah, I like the fact OpenSMTP for emailing is part of the base system as well as a bunch of other userspace programs and their daemon counterparts.
@@Elhamidi0249 It makes it easy and convenient to use nothing but a base install for a network device like a firewall or DHCP, and/or DNS server, etc. I like using my t as an ad and/or domain blocker without the need to install something like pi-hole.
@@adrianfisher3349 It also makes a good desktop OS thanks to X11 and 3 window managers to choose from coming preinstalled with a default config.
@@Elhamidi0249 I've been using it as my daily driver for years now. It's good for productivity because it doesn't allow me to waste time on Netflix or Prime Video, etc :D I wish it had better support for Latex though.
@@adrianfisher3349 I also plan to daily drive it as I am doing this right now mainly to move away from GNU/Linux because even something like GNU/Linux comes with add-on features and apps you really don't want to have on your daily driver. Sure, they make your life easier on your desktop but here's the thing: You don't need them at all, at least 99.9% of the time and if you do then it's the 0.1% of the time you actually need it. But I also want to learn and understand computers and operating systems in general better and that's a thing I personally struggle with GNU/Linux. Sure, GNU/Linux gives you the foundational knowledge of how an OS built off from which components but it feels like a salad bowl of tools smashed together and forceably mixed into one pot expecting everything works OOTB everything magically being very well integrated. That's also my little nit pick with FreeBSD too but on FreeBSD the devs put actually a good amount of work into the OS to make everything work together and fine-tune the base system components. The only thing is when you install apps from the ports tree they don't integrate very well into your FreeBSD install. Docs aren't so well integrated into the base system as in form of man pages but you got the FreeBSD Handbook which is your Arch Linux Wiki, only just for FreeBSD instead for Arch Linux.
But nonetheless both operating systems are top-notch, I used to use NomadBSD, a desktop FreeBSD derivative for USB flash drives with a custom Openbox setup and a carefully selected suite of everyday needed desktop applications, before switching over to OpenBSD and they made a really good job bringing FreeBSD to the mobile desktop computing market, everything works OOTB with everything you (don't) need (depends on how you view it), installation was remarkably easy thanks to their custom installer, hell, you could even choose you favorite apps right on while you installing your system like your favorite graphical file managers, browsers, both command-line and graphical text editors and more. Another cool thing is, since you sacrifice only a USB flash drive you don't touch your hard drives/(NVMe) SSDs installed into your computer. And NomadBSD is free and open source like every BSD out there. Of course I could also install FreeBSD on a flash drive and build my custom desktop from there, which I will definitely do at some point, but NomadBSD is an OOTB solution as I mentioned before and for exploring what FreeBSD could look and feel like it on a daily driven desktop is fantastic. I highly recommend it over other ready-to-go desktop BSD options like GhostBSD, derived from TrueOS and PC-BSD, both of which are defunct FreeBSD forks aiming at desktop users - GhostBSD is the only fork who has survived bringing a pleasant desktop experience thanks to their custom software repos and MATE as the default DE - and MidnightBSD, a fork of FreeBSD v4.4 to bring FreeBSD to the desktop user masses.
Really liked how you clearly said that the link vultr link is an affiliate link.
Only TH-camr I religiously follow now, never feel like he's out there to milk his subscribers for all they're worth and that just makes me want to support him more.
@Mental Outlaw Great content! I think the community would love if you'd build on this how to add Pi-hole and Unbound on top of this server!
There are many config mistakes that are easy to make when adding DNS routing from one service to another and especially Pi-hole is cool but can be a bit quirky with the others.
Anyway, thanks for the work you put in to help people with opsec. If you'd create scripts for the setup it would be quicker to replicate but ofc can be a bit more work.
@endofsummer Really? Why is that? Some dependencies missing or some configs that the OS doesn't allow you to touch?
Bro I never new what you looked like. Kettlebell brother! Turkish get ups are my favorite.
If you're going to such great lengths for security as using OpenBSD, then maybe you should consider hosting the services on your own hardware and software image. The cloud provider (or whoever hacked them) could have placed backdoors in any software, maybe even in the hardware.
Explain what you mean? I want to make my own VPN , can I spoof location to the North Pole? Can I make the ISP name say anything I want?
@@unreleasedjuicewrld9792 If you only care about spoofing your location, then security probably isn't a great concern, other than preventing your server to become a part of a botnet, or do nasty things. You can use a cloud provider to buy a VPS on the North Pole, and install whatever OS and VPN software you want. The ISP name will be whatever ISP is used for your server though.
My point is that if you're so security conscious that you choose OpenBSD over say Linux, then you probably have extremely high privacy expectations (e.g. investigative journalism, activism, or criminal activity), and can't afford to trust any cloud provider. In that case you probably also want to fully control both the hardware and the software stack, and not use VPS or OpenBSD images from your cloud provider.
@@szaszm_ why do I actually need to buy a VPS at the North Pole? How does it know it’s at the North Pole? Surly it can be spoofed? When I used Tor one time I looked at my IP, and it was in the middle of the ocean and the ISP name was also custom & the IP numbers seemed somewhat customized too.
@@unreleasedjuicewrld9792 Geoip. When using a VPN, you're masking your own IP address by routing your traffic through the VPN. The other endpoint therefore only sees the VPN server connecting to it, not your home IP address. Tor is a different story, there you use the exit node's IP address in a similar way, except there are more hops inside the network, and it's less traceable.
We need a video on DDOS PROTECTION!
on God
EZ...
Just block port 69 and port 420
And don't forget to press ALT-F4 when you are done!
@@Reth_Hard Funny
its amazing to me that people are willing to commit a felony just to inconvenience someone. what a world we live in today.
@@kulled I've killed for less.
Love your videos mental outlaw, maybe you could give us some cool pfsense or openwrt videos too! Keep up the good work!
0:15 indeed our guy
An ironclad server by a deepfake gigachad. This is highly impressive stuff! 👊😁
2:40 Wireguard is a UDP only protocol anyway so blocking that is fairly easy by resticting outbound UDP. DPI firewalls can tell if your UDP 443 traffic is using QUIC or Wireguard and decide if it wants to drop or pass that traffic. If you want to hide the fact that your using a VPN is an obfuscation proxy of some sort. I was using a guest network that doesnt allow VPNs for some damn reason. I tried using Wireguard and that failed to connect. I then tried my backup openVPN server on 443 and the handshake completes and the connection established but it immediately disconnects. Ive looked into what was going on and I found that they are using a PaltoAlto firewall does a TCP reset attack against my open VPN connection. To get around this I've reconfigured openVPN to sit behind Stunnel proxy to mask the openVPN handshake by wrapping it in an TLS tunnel. Works flawlessly for me.
Looking jacked, man! Great vid.
I can assure that wire guard is one the best line encryptions available, wireshark can only identify the protocol and no info other than that.
You're joking, right? Identifying the protocol means that it can be easily blocked by overzealous sysadmins.
@@KutAnimus Better to be blocked than cucked
He looks different from what I imagined
@@cool-soap I thought he was a anime girl
Have you considered ever doing a video on pfSense? It's an open source modem OS based on freebsd, you can buy modems with it pre-installed or you can build a cheap PC with a nice NIC card and install it on there. The security features are really extensive, it's a huge upgrade for anyone using standard modems to manage their network.
Listen to your gut as far as your title and thumbnail ....I'm watching like and commenting no matter what my bro.
Just finishing up my Peers on my own few WG installs, great timing! Looking great btw, looks like you've really made some impressive gains!
For those who are concerned about tracking, my major American state university still has not blocked Tailscale or WireGuard VPNs on the student network, so most IT people probably do not know about it.
This never made any sense to me, why do they do this? Doesn't this impair learning for CS students?
@@subnumeric they do not really care. if you get your gear, you are good.
hey dude, just want to tell you that i love you and your videos ! keep going
watched the first 10 seconds on the thumbnail and immediately clicked. +1 for the GOAT
Vultr is also my go-to place for a VPS
wow you've gained a lot of muscle since i last saw you in one of your videos, maybe you can start doing fitness videos too.
Damn the deepfake is getting immensely buff 💪💪💪 keep it up
90% of comments about Mental Outlaw surprising appearance
10% about self-hosting a VPN
Well thats a first for seeing what MentalOutlaw looks like
looking jacked af
Man's looking jacked
I appreciate the good content you produced. Keep up the great work.
Guacamole moment
Definitely gonna do something like this although I’ve got the musks latest starlink, which has no support for a static IP, so I’ve gotta do some black magic to figure that out.
Dynamic DNS
For self hosting services?
Only the wireguard server requires a static, so in outlaws example, the vps server should be the wireguard server.
This's what I've been thinking of. Verry good
Should we expect to see you sponsoring every TH-camrs very soon?
:P
Honestly idk where the deep fake meme came from, but it's still a classic. Honestly your channel is pretty different than Luke's
In 10 years maybe we'll see black luke walking in the woods ranting about God and linux, I can only hope.
love the retro pc in the background
TH-cam didn't recommend this to me. had to find it in your recent uploads.
never know he is a giga chad all along
bruh was just searching how to setup a vpn on linode. Thanks man!!!
Please make a video about Element and the Matrix protocol, and hosting a home-server with Synapse and Coturn. You have to use SSL for TLS connections and it's overall a really solid messaging platform. Check it out!
I self host WireGuard using docker. It’s easy, simple and secure.
Used this to setup an openbsd box, thanks Kenny!
Linode’s AUP is much better. “Abuse. The Services may only be used for lawful purposes. You shall not use any Service to engage in, foster, or promote illegal, abusive, fraudulent, or irresponsible behavior, including without limitation:
Creation or distribution of unsolicited bulk email and mailing lists;
Creation of an account after being previously terminated by Linode without our prior written permission;
Disruption or interference of any data system or network, computer or communications system, software application, or network or computing device;
Monitoring data or traffic on any network or system without the express authorization of the owner of the system or network etc.”
Happy Canada day guys!
It would be cool to see a tutorial for Bitwarden, NextCloud, and email servers on OpenBSD.
Bros looking like a giga Chad meme person
ChadBSD content! Good job brother!
Fr thought this was Jayson Tatum for a sec
love the hair. very clean cut.
watch out for that bicycle on the window, thing looks spooky af
Oh Jason Tatum got a beard now damn
BSD mania!
Will definitely do this once I have time. I have a spare raspberry pi lying around I think its gonna be perfect for this.
that spare raspberry Pi is worth gold right now.
@@tanmaypanadi1414 bro wtf just checked their price. Didn't know they got this expensive. Might have to go for those chinese alternatives if I ever need one.
Thanks for your wonderful videos. The Vultur AUP is very poor and says you can’t post anything that is “Offensive Content. Content that is harmful to minors in any way, defamatory, libelous, obscene, abusive, threatening, discriminatory, harassing, invasive of privacy, false, intentionally misleading, patently offensive, or otherwise objectionable” Which I think is bogus. I like to work with hosting companies who just say you can’t do anything illegal or that tries to bypass their policies. The “offensive” thing opens you up to having them shut you down for any reason.
The like and comment to hack the algorithm is very important
The source code of your diet... that’s the key to success & an impenetrable mind
👊💪
thanks for this video, helped guide me along with hardening my box
OpenBSD gaming next(? XDDD
See his video: OpenBaSeD desktops are for hackers
I was hoping to get a wireguard video based on open bdsm but this will have to do
based xfce terminal user
Excellent tutorial Luke 👌
Unimportant question out of curiosity: Why it shows Belgium when you borrowed New Jersey server? Just an incorrect info from the ip check site?
Finally, more OpenBaSeD content on this channel.
@MentalOutlaw Great work!
never new he was a face youtuber, *cough cough* giga chad.
Im not gonna lie, we look extremely similar
ayo my man got a fresh cut
What I want to know is are the rooms of every American always painted light grey with white woodwork?
Thanks for the Video!
These deepfakes are getting really good. Good job M8!!!
6:57 it says you have an intel cpu, but you selected an amd cpu
amd64 stands for the x86 or x64 architecture itself, it doesn't mean that its running something made for amd
I should try this, I've been using wireguard for years but I use a CentOS vps to host my vpn
When linux will be popular i will switch to openbsd
Very similar of what i use, good stuff
Thank you dollar store luke smith
his head movements and body language in general is very AI-like ngl, gpt4?
I believe the PS4 operating system is based off of OpenBSD
Orbis OS uses various FreeBSD components such as the kernel, TCP/IP network stack and other stuff.
Also a webkit-based web browser and they're restricted to only use MIT/BSD licensed software due to them not wanting to contribute anything back which is something the GPL required you to do so. Same thing with other mega corpo's software like Apple's macOS/iOS, Nintendo's Horizon OS, Google's Android/Chrome OS (the only GPL licensed software bundled with Android and Chrome OS is the linux kernel, obviously that's an exception but they're forced to contribute anything back they do to it).
No OpenBSD involved in there.
Also, why did you and lucky stopped collaborating together? it has been fun watching the onetap vods
@@crossetta I confused open BSD With FreeBSD
@@crossetta we still talk I just haven’t been in a TH-cam scene For a little bit
Jason Tatum got into IT
😂
damn u got some waves today
U mention that u think its a good protocol. Just curious do u have any security background, not asking to be rude or anything, just realized i dont know were you doing before youtube?
Network engineering, so yeah I have some security background but not as much as penetration testers (although one of my good friends is a pen tester)
@@MentalOutlaw oh cool i didnt know that
I've gotten in the habit of randomizing user names in the same way you would want to randomize your passwords for additional security. Paranoid? Maybe. Secure? Yes.
I do the same thing, I also give admin panels on sites I build random alphanumeric names and setup a honeypot panel at example.com/admin
I wanted to do an fpga device that sits between your modem and isp that silently analyzes your traffic and connects to your pc with an expansion slot to verify traffic but I'm really not a hardware guy
Disadvantage over OpenVPN is for some LAN games which require Layer 2 connection, which Wireguard cannot do.
quality content but please fix your microphone. good video might do this some day :)
We need a video on the recent kungfu panda bear and winnie the pooh scandal!
Good stuff
Isn't there something lacking (generally) from a VPN solution that only you are using? Glowies can see that you talking to the IP of your VPS instance, then they just have to see what requests are being made from the IP of that VPS instance. Maybe enough to fool passive ISP surveillance and torrent some stuff, but against feds you're not getting much more than HTTPS.
Part of what I like about using a VPN service also shared by other people is that the requests leaving the provider are pseudo-anonymized simply by the fact that the provider has a large number of clients at any given time, meaning requests leaving the provider cannot be 1-1 traced to a single client. Of course there is the logging issue, but that's just why you have to go with something like Mullvad and hope it's not a hyper-sophisticated honeypot.
I'm wondering if I'm missing something here because otherwise this solution really appeals to me.
Did we just watch a 26 minute long Vultr advertisement?
Didnt understood a thing, might need to rewatch, but great job
Didn't he deploy an AMD box? Why neofetch says Intel?
👍
thanks for the video! any plans making one on split tunneling with regards to self hosted wireguard VPN?
*Bought an AMD VPS*
AMD VPS CPU: Intel
6:07
most goated channel
You look like Jason Tatum bro
Would something like this be sufficient coverage for torrenting if self hosted, or would it be better to use something in a different country?