Note: Old directions can be found here (they don't work): https://www.thinkpenguin.com/gnu-linux/old-static-ip-vpn-directions-dont...
Notes: The server directions have been tested on an Ubuntu 24.04 server. The client side was tested on Linux Mint 22.1 live media (used toram).
Notes: You're going to have to click the edit button for this wiki page, as some content may not work when you copy and paste it from the rendered view, or may not be shown at all.
Server directions:
https://clients.mivocloud.com
Services > My Services and select your VPS (click Active button next to VPS)
Click the Stop button
Click the Rebuild button
Select Ubuntu 24.04 x86
Click the Start button
Grab the primary IP of the machine so you can ssh in
# Replace 5.252.177.203 with the primary IP shown for your own VPS.
# After a rebuild the server presents a new SSH host key; check the fingerprint
# out of band where you can, rather than accepting it blindly.
ssh root@5.252.177.203
# Setup your additional static IP addresses
# Rename the cloud-init generated netplan file so it can be edited by hand.
# NOTE(review): cloud-init may recreate 50-cloud-init.yaml on a later boot -
# confirm that the extra addresses survive a reboot.
mv /etc/netplan/50-cloud-init.yaml /etc/netplan/01-netcfg.yaml
# Under eth0: addresses: add any additional assigned IPs not shown like "94.158.244.150/32"
nano /etc/netplan/01-netcfg.yaml
# Apply the changes/bring up the new IPs
# A YAML mistake here can cut off this SSH session. `netplan try` applies the
# config and rolls it back unless you confirm, which is safer on a remote box.
sudo netplan apply
Save the following to a script named setup-wireguard.sh:
nano setup-wireguard.sh
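#!/bin/bash
#
# setup-wireguard.sh - one-time WireGuard server bootstrap.
#
# Installs WireGuard and iptables, generates the server key pair, writes
# /etc/wireguard/wg0.conf, enables IPv4 forwarding (now and across reboots)
# and enables the wg-quick unit at boot. Peers are added afterwards by
# add-wireguard-clients.sh.
#
# Must be run as root. Run it once per server: it refuses to run when the
# config already exists, because overwriting it would replace the server key
# and drop every configured peer.

set -u

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Configuration
WIREGUARD_INTERFACE=wg0
WG_CONF="/etc/wireguard/${WIREGUARD_INTERFACE}.conf"

[[ $EUID -eq 0 ]] || die "This script must be run as root."
[[ ! -e $WG_CONF ]] \
  || die "$WG_CONF already exists; refusing to overwrite the server key and peer list."

# NOTE(review): this switches the host firewall off completely. Nothing in
# this script adds INPUT filtering in its place, so every service listening
# on the server (SSH included) stays reachable from the internet unless it is
# filtered elsewhere. Consider allowing only SSH and UDP 51820 instead.
ufw disable

apt-get update
apt-get install -y wireguard iptables iptables-persistent \
  || die "Package installation failed."

# The config holds the server's private key: create it readable by root only.
umask 077

# Generate the server key. The public key is derived from the config when a
# client is added, so it is not stored here.
SERVER_PRIVATE_KEY=$(wg genkey) || die "wg genkey failed."

# Write server configuration to /etc/wireguard/wg0.conf.
# Keep the "Key = value" spacing: add-wireguard-clients.sh parses this file.
cat <<EOF > "$WG_CONF" || die "Could not write $WG_CONF."
[Interface]
PrivateKey = $SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
EOF

# Enable IP forwarding immediately
echo 1 > /proc/sys/net/ipv4/ip_forward

# Make forwarding permanent: uncomment the stock line in /etc/sysctl.conf,
# and append the setting when that commented line is not there to uncomment.
sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
if ! grep -Eq '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' /etc/sysctl.conf; then
  printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
fi
sysctl -p /etc/sysctl.conf

# Have wireguard start up on boot automatically
systemctl enable "wg-quick@${WIREGUARD_INTERFACE}"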
# Set the script's permissions to executable and run the setup script
# Run it as root: it installs packages and writes to /etc/wireguard and /etc/sysctl.conf.
chmod a+x setup-wireguard.sh
./setup-wireguard.sh
Save the following to a script named add-wireguard-clients.sh:
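#!/bin/bash
#
# add-wireguard-clients.sh - add one WireGuard peer with its own public IP.
#
# Prompts for the client's name/order number, the server's primary IP and the
# public IP to dedicate to the client. It then:
#   * appends a [Peer] section to /etc/wireguard/wg0.conf,
#   * writes clientN.conf (the client's full config, private key included)
#     into the current directory,
#   * restarts the interface and adds 1:1 DNAT/SNAT rules between the public
#     IP and the client's 10.0.0.x tunnel address,
#   * saves the iptables rules to /etc/iptables/rules.v4.
#
# Must be run as root, and always from the same directory: the next client
# number is taken from the count of client*.conf files found there.
#
# Security notes:
#   * The DNAT rule forwards ALL traffic for the public IP to the client, so
#     every port the client listens on is reachable from the internet. The
#     client needs its own host firewall.
#   * clientN.conf contains a private key. It is created root-only here; hand
#     it to the customer over a protected channel.

set -u

WIREGUARD_INTERFACE=wg0
MASQUERADE_INTERFACE=eth0
WG_CONF="/etc/wireguard/${WIREGUARD_INTERFACE}.conf"

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  local ip=$1 octet
  [[ $ip =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces base 10 so a leading zero is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
}

[[ $EUID -eq 0 ]] || die "This script must be run as root."
[[ -f $WG_CONF ]] || die "$WG_CONF not found; run setup-wireguard.sh first."

# Both files written below hold private key material: keep them root-only.
umask 077

# Prompt for client's name/order info
read -r -p "Please enter the client's name and order number: " CLIENT_NAME_ORDER_NUM
echo "You entered: $CLIENT_NAME_ORDER_NUM"

echo "The following IPs are already assigned"
grep Client "$WG_CONF"
echo "The following IPs are on the system"
ip addr show "$MASQUERADE_INTERFACE" | grep -oP '(?<=inet\s)\d+(\.\d+){3}'

# Prompt the user for the primary server IP address
read -r -p "Please enter the primary server IP address: " SERVER_MAIN_IP
# Prompt the user for the public IP they want to use for the wireguard client
read -r -p "Please enter the public IP for the wireguard client: " PUBLIC_IP1

# Validate before anything is written: these values end up in iptables rules
# and in both config files.
is_ipv4 "$SERVER_MAIN_IP" || die "Not a valid IPv4 address: $SERVER_MAIN_IP"
is_ipv4 "$PUBLIC_IP1" || die "Not a valid IPv4 address: $PUBLIC_IP1"

# DNAT-ing the primary IP would redirect SSH and the WireGuard port itself to
# the client and lock the operator out of the server.
[[ $PUBLIC_IP1 != "$SERVER_MAIN_IP" ]] \
  || die "The client's public IP must not be the server's primary IP."

# The "# Client ..." comment lines end with the public IP given to each peer.
if awk -v ip="$PUBLIC_IP1" \
  '/^# Client / && $NF == ip { found = 1 } END { exit !found }' "$WG_CONF"; then
  die "$PUBLIC_IP1 is already assigned to another client."
fi

# Next client number = number of client*.conf files in this directory + 1.
shopt -s nullglob
existing_confs=(client*.conf)
shopt -u nullglob
CLIENT_NUM=$(( ${#existing_confs[@]} + 1 ))
PRIVATE_IP_NUM=$(( CLIENT_NUM + 1 ))
(( PRIVATE_IP_NUM <= 254 )) || die "No free addresses left in 10.0.0.0/24."
PRIVATE_IP1=10.0.0.$PRIVATE_IP_NUM

# A deleted or moved clientN.conf makes the count wrong; never reuse a number
# or a tunnel address that is already taken.
[[ ! -e client$CLIENT_NUM.conf ]] \
  || die "client$CLIENT_NUM.conf already exists; check the client*.conf files here."
if grep -Fq -- "AllowedIPs = $PRIVATE_IP1/32" "$WG_CONF"; then
  die "$PRIVATE_IP1 is already assigned to a peer in $WG_CONF."
fi
echo "Your private IP is $PRIVATE_IP1"

# The server's public key is derived from the private key in its config.
SERVER_PRIVATE_KEY=$(awk '$1 == "PrivateKey" { print $3; exit }' "$WG_CONF")
[[ -n $SERVER_PRIVATE_KEY ]] || die "No PrivateKey found in $WG_CONF."
SERVER_PUBLIC_KEY=$(printf '%s\n' "$SERVER_PRIVATE_KEY" | wg pubkey) \
  || die "Could not derive the server public key."
CLIENT1_PRIVATE_KEY=$(wg genkey) || die "wg genkey failed."
CLIENT1_PUBLIC_KEY=$(printf '%s\n' "$CLIENT1_PRIVATE_KEY" | wg pubkey) \
  || die "Could not derive the client public key."

# Register the peer on the server.
cat <<EOF >> "$WG_CONF" || die "Could not update $WG_CONF."

# Client $CLIENT_NUM for $CLIENT_NAME_ORDER_NUM assigned pubic IP $PUBLIC_IP1
[Peer]
PublicKey = $CLIENT1_PUBLIC_KEY
AllowedIPs = $PRIVATE_IP1/32
EOF

# Client-side config. AllowedIPs = 0.0.0.0/0 routes all IPv4 through the
# tunnel; IPv6 is not covered, so a dual-stack client keeps using its own
# IPv6 path outside the VPN.
cat <<EOF > "client$CLIENT_NUM.conf" || die "Could not write client$CLIENT_NUM.conf."
[Interface]
PrivateKey = $CLIENT1_PRIVATE_KEY
Address = $PRIVATE_IP1/24
DNS = 8.8.8.8

[Peer]
PublicKey = $SERVER_PUBLIC_KEY
Endpoint = $SERVER_MAIN_IP:51820
AllowedIPs = 0.0.0.0/0
EOF

# Load WireGuard module
modprobe wireguard

# Restart the interface so the new peer is loaded. This briefly disconnects
# every client that is already connected.
if [ "$CLIENT_NUM" != 1 ]; then
  wg-quick down "$WG_CONF"
fi
wg-quick up "$WG_CONF" || die "wg-quick up failed; no firewall rules were added."

# Add DNAT rule
iptables -t nat -A PREROUTING -d "$PUBLIC_IP1" -j DNAT --to-destination "$PRIVATE_IP1"
# Add SNAT rule
iptables -t nat -A POSTROUTING -s "$PRIVATE_IP1" -o "$MASQUERADE_INTERFACE" \
  -j SNAT --to-source "$PUBLIC_IP1"

if [ "$CLIENT_NUM" -eq 1 ]; then
  echo "First time being run so allow related and established traffic"
  # Allow related and established traffic
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  echo "First time being run so allow traffic to and from the WireGuard interface"
  # Allow traffic to and from the WireGuard interface
  iptables -A FORWARD -i "$WIREGUARD_INTERFACE" -j ACCEPT
  iptables -A FORWARD -o "$WIREGUARD_INTERFACE" -j ACCEPT
fi

# Ensure the /etc/iptables directory exists on every run, not only the first,
# so the save below cannot fail on a missing directory.
mkdir -p /etc/iptables
# Save iptables rules
iptables-save > /etc/iptables/rules.v4 || die "Could not save the iptables rules."
echo "WireGuard and iptables configuration completed."

# Output client configurations (this prints the client's private key)
echo "Client $CLIENT_NUM configuration (client$CLIENT_NUM.conf):"
cat "client$CLIENT_NUM.conf"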
# Set the script's permissions to executable and run the add-wireguard-clients script
# Run it as root, and from the same directory every time: it counts the client*.conf files there to number the next client.
chmod a+x add-wireguard-clients.sh
./add-wireguard-clients.sh
# Copy the output of Client 1 configuration (client1.conf): to a text file like test.conf on the computer you want to connect to the VPN with
# On Linux Mint 22.1 click on the network applet in the right hand corner
# Go to Network Connections and click the + button, select Import a saved VPN configuration... from the drop down and click the Create... button, select test.conf, then the Open button, then the Save button
# To test this open up Firefox and go to infosniper.net, it should report your client's public IP
#
# To further test bi-directional support, run sudo nano /etc/apt/sources.list and comment out the cdrom line
# Then run: sudo apt update; sudo apt install apache2
# On another computer like your phone attempt to access http://public_ip_of_wireguard_client and you should see an apache configuration page
# Don't forget to turn the wifi or cellular internet on if you use your phone
# (note: if it fails, clear the browser's storage/cache before retrying, or you may get misleading results as to whether or not this is working)