Linux, plaintext & minimalism
November 20, 2019

How I got started with WireGuard in Gentoo Linux

My VPN provider Integrity VPN recently rolled out support for WireGuard. If you don’t know what it is, I highly recommend checking out their website.

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.

For me this was happy news! I have been using OpenVPN for years now and while it’s okay, it’s far from perfect. I have spent countless hours trying to get it to work the way I want it to, and sometimes just to make it work at all. And let’s not get into the performance issues. Pushing my 100 Mbit Internet connection through OpenVPN uses a lot of processing power.

I haven’t used WireGuard for that long, but so far I’m very pleased with how easy it was to set up and how well it has performed. I’m currently running it on both my desktop computer and my 4-year-old Android phone, the trusty Nexus 5X. When I used OpenVPN on my phone it used so much battery that I avoided using the phone on networks that I didn’t trust rather than running OpenVPN.

With WireGuard the battery impact is rather small on my phone, even though I’m running the application in userspace rather than with the kernel module, which is not available for my version of Lineage OS.

Another thing that impressed me is that I no longer need my custom script for pm-utils to restart the VPN connection every time I wake up my computer. With WireGuard it just works.

Installing WireGuard

The package for WireGuard is still marked as unstable, so I needed to whitelist it by adding the following line to the file /etc/portage/package.accept_keywords:

net-vpn/wireguard ~amd64

I then installed the package:

# emerge -av net-vpn/wireguard

WireGuard isn’t in the kernel sources yet, so I then had to rebuild the module myself:

# emerge -av @module-rebuild

I also want the module to load when my system starts, so I added the following line in the file /etc/conf.d/modules:

modules="wireguard"

I then needed to make sure that the modules-service is set to run in the boot runlevel:

# rc-update add modules boot

Configuring WireGuard

All I had to do was to download a premade configuration file from my VPN-provider. It was named integrity_vpn.conf and it looked like this:

[Interface]
PrivateKey = <Key>

Address = <IPv6 and IPv4 addresses>
DNS = <IPv6 and IPv4 addresses>

[Peer]
PublicKey = <Key>
Endpoint = <Address>
AllowedIPs = 0.0.0.0/0, ::/0

I copied the file to the folder /etc/wireguard:

# cp integrity_vpn.conf /etc/wireguard

And I also made sure to set strict permissions for it, since the file contains the private key:

# chmod 600 /etc/wireguard/integrity_vpn.conf

And that’s it!
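A check for the security-relevant properties of this file (the 600 mode, the full-tunnel AllowedIPs and the DNS line), as an added example that is not part of the original post. The function name audit_wg_conf is hypothetical and GNU stat (as on Gentoo) is assumed:

```shell
#!/bin/sh
# Added example: audit a wg-quick configuration file.
# Usage: sh audit.sh /etc/wireguard/integrity_vpn.conf
# audit_wg_conf returns 0 when all checks pass, 1 otherwise.

audit_wg_conf() {
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }

    # The file holds PrivateKey, so group and others must have no access.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        *00|0) echo "ok:   mode $mode" ;;
        *)     echo "FAIL: mode $mode gives group/others access (want 600)"; rc=1 ;;
    esac

    # Drop comments, then collect every AllowedIPs entry, one CIDR per line.
    allowed=$(sed 's/#.*//' "$conf" \
        | grep -i '^[[:space:]]*AllowedIPs[[:space:]]*=' \
        | cut -d= -f2- | tr ',' '\n' | tr -d ' \t\r')

    # Both default routes must be present, otherwise that address family
    # is not routed through the tunnel.
    for route in 0.0.0.0/0 ::/0; do
        if printf '%s\n' "$allowed" | grep -qxF -- "$route"; then
            echo "ok:   $route is routed through the tunnel"
        else
            echo "FAIL: $route missing from AllowedIPs"; rc=1
        fi
    done

    # wg-quick only changes the resolver when a DNS line is present.
    if sed 's/#.*//' "$conf" | grep -qi '^[[:space:]]*DNS[[:space:]]*='; then
        echo "ok:   DNS is set by the tunnel"
    else
        echo "warn: no DNS line, the existing resolver stays in use"
    fi
    return $rc
}

# Run the audit when a path is given on the command line.
if [ $# -gt 0 ]; then
    audit_wg_conf "$1"
fi
```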

Using WireGuard

I could now connect to my VPN-provider with the command:

# wg-quick up integrity_vpn

And to disconnect:

# wg-quick down integrity_vpn

To make it connect to my VPN-provider automatically at start I added the previous start command to the file /etc/conf.d/local.start.
