Setting up a tiny friendly VPN using WireGuard
Recently, I wanted to play Stardew Valley with a friend. However, said friend lives a while away and thus we don’t have a LAN. But now I have a VPN, and we can play together, no matter where we are! (Sadly Stardew Valley co-op mode does not work on mobile, that would be even neater.)
With all of the things below, I mainly followed the instructions on the ArchLinux wiki. There was some fiddling required, but all-in-all this was the work of an afternoon to set up.
Setting up ufw
For some reason I did not have a firewall running on my server yet. That’s a bit irresponsible and was mentioned on the ArchLinux wiki, so I did set it up:
```
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
<REDACTED>/tcp             LIMIT IN    Anywhere                   # SSH port
443/tcp (WWW Secure)       ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.0.0/24
<REDACTED>/udp             ALLOW IN    Anywhere                   # WireGuard
80/tcp (WWW)               ALLOW IN    Anywhere
```
The <REDACTED> ports are non-standard ports for both SSH and WireGuard, redacted here for some security by obscurity. Do be careful with that SSH port though, because you can lock yourself out of your own server. Luckily I did not.
However, my server needed a restart to make these settings take effect. Not sure why, but that’s what it needed.
Setting up the WireGuard server
As we only want to connect to each other, not provide a full VPN, this is the config file for WireGuard. The keys were generated using the instructions on the wiki.
```
$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

# if the server is behind a router and receives traffic via NAT, these
# iptables rules are not needed
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
# client1
PublicKey = CLIENT1_PUBLIC_KEY
PresharedKey = SERVER_CLIENT1_PSK
AllowedIPs = 10.0.0.2/32

[Peer]
# client2
PublicKey = CLIENT2_PUBLIC_KEY
PresharedKey = SERVER_CLIENT2_PSK
AllowedIPs = 10.0.0.3/32
```
(Note that all values for PublicKey, PrivateKey and PresharedKey have been redacted. You’ll need to fill in the actual values if you want to replicate it.)
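On the server, each peer's AllowedIPs decides which tunnel source addresses that peer may use, so the /32 entries above are what pin one address to one friend. The following audit script is an added example, not part of the original post; the function names and the sample config are constructed here, and it assumes the first Address entry of the interface is the tunnel subnet.

```python
import ipaddress

# Constructed sample: peer 1 follows the page's pattern, peer 2 deliberately does not.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.1/24
PrivateKey = SERVER_PRIVATE_KEY
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
PresharedKey = SERVER_CLIENT1_PSK
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.0.0.0/24, 0.0.0.0/0
"""

def parse_wg_conf(text):
    """Parse into [(section, {key: value})]; [Peer] repeats, so configparser does not fit."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit_peers(text):
    """Return findings for peers that can claim more than one unique tunnel address."""
    sections = parse_wg_conf(text)
    iface = next(opts for name, opts in sections if name == "Interface")
    # Assumption: the first Address entry is the tunnel subnet (10.0.0.1/24 on the page).
    tunnel = ipaddress.ip_interface(iface["Address"].split(",")[0].strip()).network
    seen, findings = set(), []
    peers = [opts for name, opts in sections if name == "Peer"]
    for n, peer in enumerate(peers, 1):
        if "PresharedKey" not in peer:
            findings.append(f"peer {n}: no PresharedKey")
        for item in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"peer {n}: {net} is wider than a single host")
            elif net.version != tunnel.version or not net.subnet_of(tunnel):
                findings.append(f"peer {n}: {net} is outside {tunnel}")
            elif net in seen:
                findings.append(f"peer {n}: {net} is already assigned")
            seen.add(net)
    return findings

if __name__ == "__main__":
    print("\n".join(audit_peers(SAMPLE_CONF)) or "ok")
```

An empty result means every peer is limited to its own single address inside the tunnel subnet, which matches the "only connect to each other" goal of this setup.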
Setting up WireGuard clients
Network Manager has built-in support for WireGuard, which is pretty neat. Here’s how to connect a client.
First, set the network name (wg0) and private key for your client that is used to encrypt all traffic to the VPN server:
Secondly, set your IP address in the VPN to 10.0.0.x and use network mask
Gateway will be marked yellow but works fine when left empty.
And finally configure the actual server (called “peer” here) you are connecting to. “Public key” is the public key of the VPN server, “Preshared key” is another secret you’ll get from the server for an additional layer of security.
“Endpoint” is the host and port of the VPN server, written as
You should then be able to save and activate the connection. You should now be in the VPN and able to connect to other clients in the network using 10.0.0.x IP addresses.
Testing the setup
- ping the server with
- ping yourself using
- ping someone else in the VPN with
- try the Testing the tunnel steps from the wiki
And then your VPN should be ready!
Playing Stardew Valley!
And with that we could play Stardew Valley together! One player is hosting the farm and the game, and others connect to it using the game host’s IP address in the VPN.
![screenshot player join]()
(TODO: I know those screenshots are missing. I did play as pictured above, I just forgot to take the screenshots and then did not do it and now I want to get this post out.)
All in all this was much simpler to set up than expected! I am kind of amazed this is even possible to set up in a reasonable amount of time for someone who does not do sysadmin on a regular basis.