WireGuard is a next-generation open-source VPN protocol and implementation that claims to be faster and more secure than OpenVPN.
In this tutorial we will cover how to set up and configure a WireGuard VPN server on a Debian Linux VPS, as well as how to get a Windows machine to route all of its traffic through that VPN using WireGuard's Windows client.
Step 0 : Install Unattended Updates
First, let's make sure automatic updates are set up: we want security patches applied on their own, since we are unlikely to touch this VPS for a while.
KEYS PROVIDED HERE ARE JUST EXAMPLES, DO NOT USE THEM AS THEY ARE PUBLIC AND INSECURE NOW
wg genkey
This is the VPN server's private key. Write it down somewhere safe and private (if you redirect it into a file instead, run umask 077 first so the file is readable only by you); it will look something like this
uDXR7FnTzGarLNj+E3ePv4gOwsbjumZ7M9YjcKAQ8WI=
Now generate the corresponding VPN server public key from the private key we just generated (note that pasting the private key into a command like this leaves it in your shell history; clear the history afterwards, or feed wg pubkey from the key file instead)
echo "uDXR7FnTzGarLNj+E3ePv4gOwsbjumZ7M9YjcKAQ8WI=" | wg pubkey
It will look something like this, write it down somewhere
9XIklpw4lGQ/I0S9L3gqTjwjJYsXJPluihomcCCrEzU=
Now generate the user's private and public key pair. You will need one pair for each user (peer) of the VPN; the process is the same as before
wg genkey
Write down the User’s private key somewhere safe
0IoyeQyyWPYVGf4P4DosBGHHrl/T7k+2fqFc8JZRmGo=
Now let's generate the user's public key
echo "0IoyeQyyWPYVGf4P4DosBGHHrl/T7k+2fqFc8JZRmGo=" | wg pubkey
Write this down somewhere
JoYcG0Bq5+dMrEAc8eSTG6QCFBjwUWxfXTy7LWmhC0k=
Step 2 : Configuration of WireGuard Server
First we need to find our active network interface
ip l
Will show something like
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 53:55:00:91:36:5c brd ff:ff:ff:ff:ff:ff
Here eth0 is our interface. Now let's check its public IP address
ip a show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 53:55:00:91:36:5c brd ff:ff:ff:ff:ff:ff
inet 5.1.1.1/24 brd 5.188.238.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2103:90c0:186::20/48 scope global
valid_lft forever preferred_lft forever
inet6 fe80::5058:ff:fe89:c66d/64 scope link
valid_lft forever preferred_lft forever
So our public IPv4 address is 5.1.1.1 (the /24 is the subnet prefix length, not part of the address; the addresses in this output are example values, use your own)
Now let's create the server configuration file
sudo nano /etc/wireguard/wg0.conf
(wg-quick names the interface after the file, so this file defines wg0.) Add the following, paying attention to where the user's public key and the VPN's private key go: the VPN's own private key belongs under [Interface], and each user's public key under its own [Peer] section with that user's tunnel address as AllowedIPs. Note also where our public IPv4 address is used
In this tutorial we are using Windows 10 64-bit, so hit the download button for that version
Run through the installer and then open the WireGuard client
Click Add Tunnel -> Add Empty Tunnel
Now add the following, swapping in your own keys. Note that here the [Interface] PrivateKey is the user's private key and the [Peer] PublicKey is the VPN's public key (the reverse of the server file), and that the first Address is this client's own tunnel address
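The two configuration files referred to above, as an added example that is not part of the original post: a POSIX shell script that builds the server's wg0.conf and the client's tunnel config from the four keys, so there is no ambiguity about which key goes where. The tunnel subnet 10.8.0.0/24, the listen port 51820, the resolver handed to the client and the iptables NAT rules are assumptions; the keys in the usage comment are the throw-away example keys shown above. Forwarding must also be enabled on the server (net.ipv4.ip_forward=1 via sysctl) or routed traffic will not leave it.

```shell
#!/bin/sh
# Added example, not from the original guide. Generate real keys with
# (umask 077 makes the private key file readable only by its owner):
#   umask 077; wg genkey | tee server.key | wg pubkey > server.pub
#   umask 077; wg genkey | tee client.key | wg pubkey > client.pub

# A WireGuard key is 32 random bytes, base64-encoded: 43 characters plus '='.
wg_key_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Server side: its OWN private key under [Interface], the client's PUBLIC key
# under [Peer]. AllowedIPs is the peer's single /32: WireGuard uses it both as
# the route to that peer and as a source filter, so a peer cannot send packets
# claiming another peer's tunnel address. (Assumed subnet 10.8.0.0/24.)
gen_server_conf() {
    # $1 server private key, $2 client public key, $3 public interface (e.g. eth0)
    wg_key_ok "$1" && wg_key_ok "$2" || return 1
    cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = $1
# wg-quick runs these when the interface comes up/down: allow forwarding and
# NAT the tunnel out of the public interface (%i expands to the interface name)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $3 -j MASQUERADE

[Peer]
PublicKey = $2
AllowedIPs = 10.8.0.2/32
EOF
}

# Client side (paste into the Windows client's empty tunnel): its OWN private
# key, the server's PUBLIC key, the server's public endpoint, and
# AllowedIPs = 0.0.0.0/0, ::/0 so every packet, IPv6 included, goes through
# the tunnel instead of leaking out of the physical interface.
gen_client_conf() {
    # $1 client private key, $2 server public key, $3 server public IPv4
    wg_key_ok "$1" && wg_key_ok "$2" || return 1
    cat <<EOF
[Interface]
Address = 10.8.0.2/32
PrivateKey = $1
# Assumed resolver to use while connected; pick one reachable via the tunnel
DNS = 1.1.1.1

[Peer]
PublicKey = $2
Endpoint = $3:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Usage (the keys are the public example keys from the text, do not reuse them):
#   gen_server_conf 'uDXR7FnTzGarLNj+E3ePv4gOwsbjumZ7M9YjcKAQ8WI=' \
#       'JoYcG0Bq5+dMrEAc8eSTG6QCFBjwUWxfXTy7LWmhC0k=' eth0 > /etc/wireguard/wg0.conf
#   gen_client_conf '0IoyeQyyWPYVGf4P4DosBGHHrl/T7k+2fqFc8JZRmGo=' \
#       '9XIklpw4lGQ/I0S9L3gqTjwjJYsXJPluihomcCCrEzU=' 5.1.1.1 > client.conf
```

The client file is what you paste into the Windows client's empty tunnel; the server file is what goes into /etc/wireguard/wg0.conf. Add one more [Peer] block (with its own /32 in AllowedIPs) for every additional user whose key pair you generated.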
Now to check that it's working, head over to https://www.dnsleaktest.com/ on the Windows 10 machine: the IP address shown should be the VPN server's, and the DNS servers listed should be ones reached through the tunnel rather than your ISP's (if your ISP's resolvers still appear, DNS is leaking outside the VPN)
NOTE: I've yet to get this working myself over the internet; certain ISPs may block this protocol and there may be some bugs yet. This information was compiled from various sources on the internet, use at your own discretion.
Let's make sure we can access the WebAdmin GUI included with OpenLiteSpeed by running its initial configuration script
sudo /usr/local/lsws/admin/misc/admpass.sh
You will be asked to set a username and password; choose something strong and record it somewhere safe so you don't forget it
Now you can access the GUI from a browser at any time you wish:
SERVER_IP_ADDRESS:7080
Note: you may get a certificate error in some Chromium-based browsers, because WebAdmin ships with a self-signed certificate. It is okay to proceed past it at this point (a proper certificate can be installed in the SSL step later), otherwise use a different browser. Since this panel gives full control of the web server, restrict port 7080 to your own IP address in the server's firewall rather than leaving it reachable from the whole internet
Now let's do the initial configuration for MariaDB
sudo systemctl start mysql && sudo mysql_secure_installation
Important! You will be asked for the current MySQL root password; by default this is empty, so just hit enter at this point
Now press "y" to set a strong MySQL root database password (record it somewhere safe), then answer "y" to all the remaining questions (they remove anonymous users, disallow remote root login and drop the test database)
Step 2 : Configuring OpenLiteSpeed
Let's create the directory for our virtual host, laying out the directory structure so that we can easily add more domains to this server later (remember to replace website.com with your own domain name)
mkdir -p /var/www/website.com/{conf,logs,html}
cd /var/www
chown -R lsadm:lsadm *
Ideally we would keep our configuration files in /var/www/website.com/conf
OpenLiteSpeed expects virtual host configuration under its own directory, /usr/local/lsws/conf/vhosts, so we use a symlink to make our /var/www tree appear there
First delete the existing directory (if you have configuration files from a previous install, back them up first; by default only an Example configuration lives here)
rm -rf /usr/local/lsws/conf/vhosts
Now create the symlink so that /usr/local/lsws/conf/vhosts points at /var/www
ln -s /var/www /usr/local/lsws/conf/vhosts
Keep in mind that config, logs and web content now share one tree: set each virtual host's document root to its html subdirectory only (done below), so conf and logs are never served
Now log in to WebAdmin (again at SERVER_IP_ADDRESS:7080)
Click Virtual Hosts -> the + sign to add a Virtual Host
Hit save and you will get an input error about the missing configuration file; click the link to create it
Ensure the following radio buttons are selected and hit save again
Now hit the green graceful restart button at the top right to clear the warning (you will have to do this every time you change something in the configuration; I will only mention it this once, so remember to do so)
Now hit the magnifying glass to view the configuration again, go to the General tab, set the Document Root to $VH_ROOT/html and save again
Now hit Listeners in the left-hand navigation bar
Delete the default 8088 listener, as we won't be using it
Now create a new Listener the same way we created the Virtual Host earlier
We'll call this listener HTTP
Set it to listen on port 80
HTTP is not an encrypted protocol, so we set Secure to No
Now save and create another Listener
We'll call this listener HTTPS
Set it to listen on port 443
HTTPS is encrypted, so we set Secure to Yes
Now we need to add a Virtual Host Mapping to each listener; first click Add under Virtual Host Mappings
Enter the following values and save
Virtual Host: website.com
Domains: website.com
This needs to be repeated for the HTTPS listener as well
Step 2.1 : Updating DNS Records
Ensure that both the A record for @ and www are pointing to your SERVER_IP_ADDRESS
Step 2.2 : Continuation of Configuration
Now if we head over to website.com in a browser we should get the following 404 error screen, since there is nothing in our html folder yet
Congratulations, if you've gotten to this point you've successfully configured your OpenLiteSpeed installation
Step 3 : SSL/HTTPS Configuration & Automation of LetsEncrypt
Important note: do this part after creating all the Virtual Hosts for your domain names, as there is a verification step that will fail if DNS isn't pointing at this server yet
First install the certbot package, which handles certificate issuance and renewal for you.
sudo apt-get install certbot
Now use the following command to obtain a certificate for each of your domain name(s) (remember to replace website.com with your domain name)
Now enter your email address, and agree to the terms as needed
If all goes well you’ll get a Congratulations!
Note the following two file paths as they are important
Your certificate and chain have been saved at: /etc/letsencrypt/live/website.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/website.com/privkey.pem
It's time to configure our Virtual Host to use these; this time navigate to the SSL tab
Values to be set as follows:
TIP: You can use $VH_NAME in place of website.com, but this trick won't work for the Listener section that follows
Private Key File :
/etc/letsencrypt/live/$VH_NAME/privkey.pem
Certificate File:
/etc/letsencrypt/live/$VH_NAME/fullchain.pem
Chain Certificate:
Yes
Now save, then in the SSL Protocols section choose the protocol versions to enable and save again
Enabling every version gives the broadest browser compatibility, but SSLv3, TLS 1.0 and TLS 1.1 are deprecated and have known weaknesses; for a new site enable only TLS 1.2 and TLS 1.3, which every current browser supports
Now we must repeat these steps for the HTTPS listener, as it supplies the default certificate (which is then overridden by the certificate in the specific Virtual Host configuration)
Basically, if no SSL certificate is set in the Virtual Host configuration, this one will be used
Currently it is mandatory to set this in OpenLiteSpeed
Note that here we cannot use $VH_NAME, so we must use the domain name itself
Head over to https://website.com and you should now see a reassuring lock indicator in the address bar, which means everything was configured correctly
Optionally, use this same certificate and key file for the OpenLiteSpeed WebAdmin (this gets rid of the certificate error when using website.com:7080 instead of SERVER_IP_ADDRESS:7080)
Let's Encrypt certificates are only valid for 90 days, so to avoid users getting a certificate error in three months' time, let's set up auto-renewal for our certificate(s)
First test that certbot can renew correctly
sudo certbot renew --dry-run
Assuming nothing went wrong, create a cron job that runs the renewal regularly (certbot only renews a certificate that is within 30 days of expiry, so running it daily or weekly is fine). Note that renewal only replaces the files under /etc/letsencrypt/live; OpenLiteSpeed keeps serving the old certificate until it is gracefully restarted, so have the cron job (or certbot's --deploy-hook) restart it after a successful renewal
Since we may want to reach this same panel from various domains, let's create a symlink for our current domain instead of copying the folder into the html folder
cd /var/www/website.com/html
ln -s /var/www/phpmyadmin phpmyadmin
Now let's configure MariaDB so that the root user can log in with a password (on Debian, root normally authenticates through the unix_socket plugin, which a web application cannot use)
sudo mysql -u root
use mysql;
update user set plugin='' where User='root';
flush privileges;
\q
This clears the authentication plugin for root so the password set earlier is used instead (the mysql.user layout changed in MariaDB 10.4 and later, so check the documentation for your version). Some will tell you to create a separate user here for security reasons; phpMyAdmin is certainly most useful when run as root, but that also means the database root password is the only thing protecting a well-known URL, so a dedicated user with grants limited to the databases you actually manage is the least-privilege option
We will address the web-facing side of this in the NinjaFirewall section
Now we need to generate a secret for the blowfish_secret setting: any random string of exactly 32 characters. Generate it locally from a cryptographically secure source; random.org is often suggested, but a secret generated on a third-party site has already been seen by that site
For example (DON'T USE THIS SAME STRING - MAKE YOUR OWN)
$cfg['blowfish_secret'] = 'csVH6hmV4_E5jNN7lVP8oWT_cY9avX_3'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
Now head over to https://website.com/phpmyadmin/index.php and log in with your MySQL root user
Important note: never use phpMyAdmin over plain HTTP; the login and every query would travel in clear text and could be read or altered by anyone on the path
Step 5 : Installation and Configuration of NinjaFirewall
NinjaFirewall is a freemium, general-purpose PHP application firewall that, in my experience, is excellent at preventing exploitation of the PHP applications on your server
Again for easy management we can create a symlink in our virtual host directory
cd /var/www/website.com/html
ln -s /var/www/fw fw
We also need to set permissions so the firewall can write its configuration and logs. The quick way below makes these directories world-writable (0777), which lets any local account on the box, including other PHP applications, rewrite the firewall's rules and logs; the least-privilege alternative is to give ownership to the account PHP runs as (nobody:nogroup on a stock OpenLiteSpeed install) with 0750
cd /var/www/fw
chmod -R 0777 conf
chmod -R 0777 nfwlog
Now lets head over to https://website.com/fw/install.php to start the installation
You may get an error telling you that your PHP configuration lacks cURL support even though you installed it
In that case do a complete server reboot: the running lsphp processes do not pick up the new extension when only the OpenLiteSpeed service is restarted
sudo reboot
Now they should all be green
Hit Next until you reach the step that sets an administrator username and password (pick a strong password and record it somewhere safe)
In the integration section, ensure the following is set
Protected Directory: /var/www
HTTP Server and PHP SAPI: Litespeed
Select the PHP Initialization file: php.ini
Now we need add our prepends accordingly
sudo nano /var/www/.htaccess
Put
# BEGIN NinjaFirewall
php_value auto_prepend_file /var/www/fw/firewall.php
# END NinjaFirewall
Then select next on the installer and hopefully you get no errors 🙂
Lastly we need to make the options file writable by the PHP process (the same world-writable caveat as above applies to 0777)
chmod 0777 /var/www/fw/conf/options.php
You can now log in and manage NinjaFirewall at https://website.com/fw/. Note: should you have any issues installing or using applications later on, check the firewall logs first!
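A least-privilege replacement for the chmod 0777 steps above, added here as an example; it is not part of the original guide. It assumes you run it as root on the server and that PHP runs as nobody:nogroup (the OpenLiteSpeed default; confirm with the user and group lines in /usr/local/lsws/conf/httpd_config.conf). harden_dir gives that account ownership so it can still write its config and logs, and strips the world-writable bits; world_writable_count is the check to run afterwards over the whole web root, where the answer should be 0.

```shell
#!/bin/sh
# Added example, not from the original guide: ownership instead of 0777.

# Count entries under a directory that any local user could modify.
# On a web root this should print 0.
world_writable_count() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# Give OWNER (default nobody:nogroup, assumed to be the PHP user) the files,
# then directories 0750 and files 0640: owner read/write, group read, nothing
# for others. chown needs root, so it is skipped when not running as root;
# the chmod part applies either way. Note this clears execute bits on files,
# which is fine for the PHP/config/log trees this is meant for.
harden_dir() {
    dir=$1
    owner=${2:-nobody:nogroup}
    [ "$(id -u)" -eq 0 ] && chown -R "$owner" "$dir"
    find "$dir" -type d -exec chmod 0750 {} +
    find "$dir" -type f -exec chmod 0640 {} +
}

# Usage on the server, replacing the chmod -R 0777 steps:
#   harden_dir /var/www/fw/conf
#   harden_dir /var/www/fw/nfwlog
#   world_writable_count /var/www     # expect 0
```

If the count is not 0 after hardening, the remaining entries are the ones some other step made world-writable; treat each as a finding rather than a convenience.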
Step 6 : Some Final Tweaks
It is a good idea to force HTTPS on your domains so that login credentials can't be sniffed
Go to the virtual host configuration again, this time the Rewrite tab, and set the following
Enable Rewrite: Yes
Auto Load from .htaccess: Yes (this setting will help with installation scripts later)
This notebook uses a misidentified SYNA3602, which in actuality is likely a Hantick touchpad.
Problem One – Non-Working Touchpad
The first problem is that the i2c_hid part of the Linux kernel expects this device to raise an interrupt after being reset, which it doesn't do.
So, for example, in Clear Linux there may be "failed to reset" touchpad error messages.
Apparently this was patched later and pushed upstream, yet somehow it still breaks after reboots.
So in order to get a touchpad that keeps working between reboots you need to build/install the following package (note here I'm using Manjaro, but the code is simple enough that you can build your own script for other distros fairly easily):
This will usually get the touchpad to start working after a reboot (wait for the service to run before presuming it didn’t work).
To build and install under Manjaro:
pacman -S base-devel
makepkg -si
and be sure to Reboot
Important Note:
If your touchpad (or even the touchscreen) wasn't working before, this may not fix it.
That's because the touchpad, and even the touchscreen, can lock up completely if they are improperly initialised by Linux. Something to do with a voltage spike maybe? I'm not sure.
In this scenario the only solution I've found is to install Windows 10, install the proper driver pack, reboot and then install Linux (a real pain, to be sure). To minimise this pain you can use Rufus to install Windows 10 onto a USB drive and boot it as a live USB, which avoids the whole re-installing Linux part.
After booting Windows 10 (with the proper driver pack installed) the touchpad and the touchscreen should resume working in Linux. You can repeat this as necessary until you get a working installation, at which point I highly recommend taking a full system image backup.
Note: it's a good idea to disable driver updates in Administrative Templates in Windows if you plan on doing this, otherwise Windows may override your good drivers with bad ones from Windows Update.
Problem Two – The Touchscreen Rotation Issues
First lets install the sensor proxy :
sudo pacman -S iio-sensor-proxy
Next lets install the build requirements for GuLinux’s ScreenRotator (https://github.com/GuLinux/ScreenRotator)
git clone https://github.com/GuLinux/ScreenRotator
mkdir ScreenRotator/build
cd ScreenRotator/build
but wait, there is a problem...
The orientations used do not match the Goodix touchscreen's orientation matrix.
If we build and run as is, the screen will be rotated the wrong way as we turn the device around. Specifically the following need to be interchanged:
RightUp <==> TopUp
LeftUp <==> TopDown
So be sure to update src/orientationsensor.cpp accordingly before building.
Sometimes it is necessary to have a graphical user environment on a remote machine, and Windows Server instances can be too expensive for the usage scenario. This guide walks through setting up a remote desktop environment on Debian Linux.
Optionally install sudo
apt-get install sudo
Update your apt cache and upgrade the installed packages using
sudo apt-get update && sudo apt-get upgrade
Install the following packages for a smooth desktop environment
To enable copy-paste functionality please also install
sudo apt install autocutsel
Now create a VNC-specific user, since some applications such as Google Chrome refuse by default to run as root
adduser vncuser
Optionally you may wish to relax the system's password-complexity policy, as it can enforce restrictions that get in the way here. Note that this loosens the policy for every account on the system, and it has nothing to do with the VNC password itself, which vncpasswd stores separately (and truncates to 8 characters)
nano /etc/pam.d/common-password
Remove enforce_for_root
Now add the new user to the sudo group
gpasswd -a vncuser sudo
Install TightVNC server (I will avoid TigerVNC and vnc4server for now, as they both have their respective issues)
sudo apt-get install tightvncserver
Start the VNC server using the following command
vncserver
On first start it will prompt you for a regular password and then ask whether to set a view-only password; set both
Now kill the server using the following command
vncserver -kill :1
Now do the same for the user we created (the dash gives you vncuser's own environment and home directory)
su - vncuser
vncserver
vncserver -kill :1
Set up both passwords again, this time for vncuser, and kill the server as before
Either upload or create with your favourite text editor the files /root/.vnc/xstartup and /home/vncuser/.vnc/xstartup with the following contents, making sure each file is owned by its respective user and is executable
#!/bin/sh
# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
#exec /etc/X11/xinit/xinitrc
unset DBUS_SESSION_BUS_ADDRESS
# Uncomment this line to enable copy-paste (note that VNC is not secure by itself!)
#autocutsel -fork &
startxfce4 &
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
xsetroot -solid grey
# vncconfig ships with TigerVNC/RealVNC rather than TightVNC; harmless if absent
vncconfig -iconic &
# The GNOME components below only apply if you installed them alongside XFCE;
# otherwise they exit immediately and can be removed
gnome-panel &
gnome-settings-daemon &
metacity &
nautilus &
gnome-terminal &
# Per-user autostart hook (see below); point root's copy at root's own script
exec /home/vncuser/autostart/startup.sh
Note that if you want to make anything start up with the system simply place it into /home/vncuser/autostart/startup.sh
Now to make VNC server a system service, first create the directory for the config files
mkdir /etc/vncserver
Now upload or edit in the following as the file /etc/vncserver/vncservers.conf
Congratulations! You should now have a working VNC server. Test it by connecting your VNC client to display :1 (root, TCP port 5901) or :2 (vncuser, TCP port 5902); e.g. SERVER-IP:2 connects you to vncuser's desktop.
A few important notes:
VNC is unencrypted by default (and its password authentication is a weak challenge-response), so the session, including every keystroke, can be read or tampered with by anyone on the path. Don't send anything sensitive over a VNC port exposed to the public internet.
To make it secure, tunnel it over OpenSSH, a VPN, SOCKS5 or any other kind of encrypted tunnel.
The simplest way is to tunnel over SSH. On any Linux client this is done as follows (the 1 in 5901 refers to the display number: 1 for root, 2 for vncuser in our example; the port is always 5900 + display number):
ssh -L 5901:localhost:5901 USER@REMOTE_IP
Now, to connect, point your VNC client at localhost:5901 and the connection is carried over SSH to your remote IP!
Should you want to change the port VNC listens on (which I highly recommend unless you want to be spammed with bad logins by IP scanners), change the following file on the line indicated by this command, and restart:
grep -n vncPort /usr/bin/vncserver
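Two checks for the notes above, added as an example rather than taken from the original post. vnc_tunnel_cmd builds the SSH forward for a given display (display :N is TCP port 5900+N, so :2 for vncuser is 5902), and vnc_exposed parses ss -ltn output and reports whether that port is listening on anything other than loopback. That is what to verify after starting the server with vncserver -localhost :N (the option is passed through to Xvnc; check Xvnc -help on your build), which keeps the unencrypted port reachable only through the tunnel and is a stronger fix than moving it to another port. The two ss listings are constructed samples, and the user@host is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post.

# Display :N listens on TCP 5900+N.
vnc_port() {
    echo $((5900 + $1))
}

# Client-side SSH local forward for display $1 to $2 (user@host). -N opens no
# remote shell; the VNC viewer then connects to localhost:<port> and the
# traffic rides inside SSH instead of crossing the internet in the clear.
vnc_tunnel_cmd() {
    p=$(vnc_port "$1")
    echo "ssh -N -L ${p}:localhost:${p} $2"
}

# Server-side check. $1 is the output of `ss -ltn`, $2 the VNC port.
# Returns 0 (exposed) if the port is bound to anything but loopback,
# 1 otherwise. Start the server with `vncserver -localhost :N` to get the
# loopback-only binding.
vnc_exposed() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            addr = $4; p = $4
            sub(/.*:/, "", p)           # text after the last colon: the port
            sub(/:[0-9]+$/, "", addr)   # everything before it: the address
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END { if (exposed) exit 0; exit 1 }'
}

# Constructed samples in the format ss -ltn prints (not captured from a real host).
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      0.0.0.0:5901        0.0.0.0:*'
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*'

# Usage on the server after starting vncserver:
#   vnc_exposed "$(ss -ltn)" 5901 && echo "5901 reachable from outside, fix it"
```

With the listener bound to loopback, the only way in is the SSH forward, so the VNC password is no longer the first line of defence and port scanners never see the service.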
If you’re using Linux on your client machines; there is a far better alternative to VNC called X2Go that you may wish to look into.
Peerblock is a firewall application that filters communication between your system and remote IPs. Although it has been abandoned since 2014-2015 to my knowledge, it still functions well and fills a niche role as a customizable IP block list with automated remote updates and an easy way to enable and disable it.
Some of you may remember this application, as it was widely used back in the early days of P2P software, though it has since fallen into relative obscurity.
I recently found it useful for my current needs; however, it seems that it was built without the necessary SSL capability enabled in its version of libcurl. Essentially it could only update using HTTP links, not HTTPS links.
I've taken the liberty of building the latest revision again, this time with an updated libcurl that allows the use of HTTPS links for downloading.