Setting up a tiny friendly VPN using WireGuard

Recently I wanted to play Stardew Valley with a friend. However, said friend lives far away, so we don’t share a LAN. But now I have a VPN, and we can play together no matter where we are! (Sadly Stardew Valley’s co-op mode does not work on mobile; that would be even neater.)

screenshot together

For everything below I mainly followed the instructions on the ArchLinux wiki. Some fiddling was required, but all in all this was an afternoon’s work to set up.

Setting up ufw

For some reason I did not have a firewall running on my server yet. That’s a bit irresponsible, and the ArchLinux wiki mentions it, so I set one up:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
<REDACTED>/tcp             LIMIT IN    Anywhere                   # SSH port
443/tcp (WWW Secure)       ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.0.0/24
<REDACTED>/udp             ALLOW IN    Anywhere                   # WireGuard
80/tcp (WWW)               ALLOW IN    Anywhere

Note the <REDACTED> ports: those are non-standard ports for both SSH and WireGuard, redacted here for a little security by obscurity. Do be careful with that SSH port, though: if the rule allowing it is missing or wrong when ufw is enabled, you can lock yourself out of your own server. Luckily I did not.

However, my server needed a restart for these settings to take effect. I’m not sure why, but that’s what it needed.

Setting up the WireGuard server

As we only want the clients to reach each other, not route all our traffic through the server as a full VPN would, this is the WireGuard config file on the server. The keys were generated following the instructions on the wiki.

$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

# The server relays packets between the two clients, so IP forwarding must be
# enabled in the kernel (net.ipv4.ip_forward = 1) and the FORWARD chain must
# accept traffic entering and leaving wg0. The MASQUERADE rule on ens3 (the
# server's public interface) only matters if a client routes its internet
# traffic through the server, which this setup does not do; it is unused here
# but harmless.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
# client1
PublicKey = CLIENT1_PUBLIC_KEY
PresharedKey = SERVER_CLIENT1_PSK
AllowedIPs = 10.0.0.2/32

[Peer]
# client2
PublicKey = CLIENT2_PUBLIC_KEY
PresharedKey = SERVER_CLIENT2_PSK
AllowedIPs = 10.0.0.3/32

(Note that all values for PublicKey, PrivateKey and PresharedKey have been redacted; you’ll need to fill in the actual values if you want to replicate it.)

Setting up WireGuard clients

NetworkManager has built-in support for WireGuard, which is pretty neat. Here’s how to connect a client.

  1. First, set the network name (wg0) and your client’s private key, which the client uses to authenticate itself to the VPN server and to encrypt all traffic to it:

    network manager overview

  2. Second, set your IP address in the VPN to your client’s 10.0.0.x address (the one listed for it under AllowedIPs on the server) with network mask 32.

    The Gateway field is marked yellow when left empty, but the connection works fine without it.

    network manager ipv4 settings

  3. Finally, configure the actual server (called a “peer” here) you are connecting to. “Public key” is the public key of the VPN server; “Preshared key” is another secret you get from the server (the PresharedKey in its config), mixed into the handshake as an additional layer of security.

    “Endpoint” is the host and port of the VPN server, written as host:port.

    network manager add peer

You should then be able to save and activate the connection. Once it is up you are in the VPN and can reach the other clients using their 10.0.0.x addresses.
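To make the server config and the three client steps concrete, here is an added Python example (not from the post) that parses the wg0.conf above, checks that every peer has a unique /32 inside the interface subnet, and derives the matching client config for a peer. It assumes the keys stay placeholders, that SERVER_PUBLIC_KEY stands for the server’s public key, and that the server is reachable as vpn.example.org (a made-up hostname); the client’s AllowedIPs is set to the whole 10.0.0.0/24 subnet, which is what the peer’s Allowed IPs field needs so that traffic for the other client goes via the server.

```python
import ipaddress

# Constructed sample: the server config from this post, with placeholder keys.
SERVER_CONF = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
[Peer]
# client1
PublicKey = CLIENT1_PUBLIC_KEY
PresharedKey = SERVER_CLIENT1_PSK
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
PresharedKey = SERVER_CLIENT2_PSK
AllowedIPs = 10.0.0.3/32
"""

def parse_wg(text):
    """Split a wg-quick config into (interface, [peers]); [Peer] may repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(current := {})
        elif line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def check_server(interface, peers):
    """Each peer needs one unique /32 inside the interface subnet (cryptokey routing)."""
    subnet = ipaddress.ip_interface(interface["Address"]).network
    seen, problems = set(), []
    for p in peers:
        net = ipaddress.ip_network(p["AllowedIPs"], strict=False)
        if net.prefixlen != 32 or not net.subnet_of(subnet) or net in seen:
            problems.append(f"{p['PublicKey']}: bad AllowedIPs {net}")
        seen.add(net)
    return problems

def client_conf(interface, peer, server_pubkey, endpoint_host):
    """Client config for the NetworkManager steps: own /32, server as only peer, AllowedIPs = VPN subnet."""
    subnet = ipaddress.ip_interface(interface["Address"]).network
    return (f"[Interface]\nAddress = {peer['AllowedIPs']}\nPrivateKey = CLIENT_PRIVATE_KEY\n\n"  # placeholder key
            f"[Peer]\nPublicKey = {server_pubkey}\nPresharedKey = {peer['PresharedKey']}\n"
            f"AllowedIPs = {subnet}\nEndpoint = {endpoint_host}:{interface['ListenPort']}\n")
```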

Testing the setup

And then your VPN should be ready!

Playing Stardew Valley!

And with that we could play Stardew Valley together! One player hosts the farm and the game, and the others connect to it using the host’s IP address in the VPN.

![screenshot host]()

![screenshot player join]()

(TODO: I know those screenshots are missing. I did play as pictured above; I just forgot to take the screenshots, then did not get around to it, and now I want to get this post out.)

Conclusion

All in all this was much simpler to set up than expected! I am kind of amazed it is even possible to set this up in a reasonable amount of time for someone who does not do sysadmin work on a regular basis.