Timestamps
00:00 Introduction
01:29 Choosing and buying a VPS
04:21 Logging in and running the playbook
08:05 Setting up two-factor authentication
09:18 Connecting to the VPN on mobile and desktop
10:51 Outro
Content
0.24 -> Hey everyone!
1.28 -> In this video, we’re going to set
up our own VPN server from scratch,
4.56 -> with a nice web UI for managing clients,
two-factor authentication and automatic updates.
9.44 -> And we’re gonna do all of
that in less than 5 minutes.
12.4 -> How, you might ask?
Well, magic of Ansible, of course!
15.52 -> If you already have a VPS and want to skip
right to the tutorial, here’s the timecode.
20 -> I’ve made a video two years ago
in which I showed you guys
22.64 -> how to set up your own VPN,
and it was long and pretty complicated.
27.28 -> So I decided to automate and
optimize a lot of things,
30.24 -> and this is what came out of it.
31.92 -> This is an Ansible playbook that I wrote,
33.68 -> and unlike some of the
popular VPN scripts out there
36.32 -> that only handle the VPN
functionality itself, it also:
39.84 -> Configures automatic updates on your system
42.24 -> Creates a non-root user
43.364 -> Hardens SSH access and even generates SSH keys for you if you don't have any
47.76 -> Sets up fail2ban and UFW
And finally, configures wg-easy,
52.08 -> Authelia and Bunkerweb for a secure Wireguard
WebUI protected by two-factor authentication.
57.28 -> So it’s basically an all-in-one
solution that automates the whole
60 -> process of setting up your VPN from scratch,
62.64 -> and the only thing that you’ll need to do is fill
in your own data before running the playbook.
67.12 -> Now I do want to mention one thing before we start
– this is going to be a purely practical guide.
72.8 -> I don’t care what you're going to be doing with
your VPN and I trust that you’re smart enough
76.88 -> to know why you’d want to use a VPN and in
which cases you probably don’t need one.
80.96 -> But just in case you want to know more,
82.72 -> the first part of my 2020 video still
holds true, so go and check it out.
87.2 -> With that out of the way, let’s get started!
89.2 -> Let’s start with choosing a VPS. There are a lot
of popular VPS providers out there, like Linode,
94 -> Digital Ocean or Hetzner. And even though the
big players definitely have their own advantages,
98.88 -> the servers they offer cost a lot compared
to a VPN service subscription. Instead, we’re
104.24 -> going to take a look at some cheaper options,
and for that we’re gonna use a website called
108 -> [lowendstock.com](http://lowendstock.com). Here, you can rent a VPS for the same
111.2 -> price per year as you would pay for
a month of Digital Ocean or Linode.
115.04 -> But before we start searching for our dream VPS,
117.2 -> we need to filter out offers
that are not gonna work for us.
120.48 -> First of all, we **need** a dedicated IPv4
address. A lot of cheaper VPSes only offer
125.36 -> a “NAT” IPv4 address, which basically means that
you’ll be sharing your IP with multiple people.
129.92 -> And while that might sound good in terms
of privacy, it’s pretty much guaranteed
133.92 -> that when you try to use your VPN for
torrenting completely legal Linux ISOs,
138.48 -> you’ll realise that your IP
is banned on most trackers.
141.44 -> Second, virtualization technology. I won’t get
into details here, just know that OVZ is bad
146.88 -> and KVM is good. Everything else is
probably going to be too costly anyway.
151.12 -> Third, bandwidth. That’s how
much traffic, in gigabytes,
154.48 -> you’re allowed to push through your server per
month. Some servers will have unlimited bandwidth,
158.88 -> which is good, and some might have as little
as 500 gigs. Depending on how intensively
163.84 -> you plan to use the server, you might want
to go for unlimited bandwidth, if possible.
168.4 -> Last but not least, location. Don’t pick
Germany or Austria, obviously, unless you
172.88 -> want to get slapped with a fine for torrenting.
Also probably don’t pick Russia, since there’s
177.2 -> always a risk of FSB seizing all 10 terabytes
of your hand-picked shrek rule 34 content.
182.88 -> Now let’s sort by price and see what we can pick.
185.28 -> This server in Romania looks pretty
good. It costs 12 dollars a month,
188.72 -> has one and a half gig of RAM but only has a
100 megabit uplink. At the moment of filming,
193.44 -> there was an even cheaper offer on a VPS
from RackNerd, with 768 megabytes of RAM, a 1
199.04 -> gigabit uplink and a terabyte of monthly traffic,
which is what I ended up getting for this video.
203.28 -> By the time you’re watching this, the
list would definitely be different,
206.24 -> so just go through it by yourself, and see
what makes sense for you. For what it’s worth,
210.8 -> no VPS provider has paid to be featured
in this video or sponsored it in any way.
215.36 -> So after adding our VPS to the shopping cart and
choosing the latest version of Ubuntu as the OS,
220.64 -> we need to enter our obviously
very real name and address.
224.16 -> Keep in mind though that some
providers will literally ask
226.64 -> for a copy of your ID before you
can even start using the server
229.92 -> – so make sure to read the terms and
services before actually paying money.
233.44 -> At this point some servers will
also let you set a root password,
236.88 -> which means that you won’t have to set
your password after the first login.
240.08 -> When it comes to payment, a lot of providers
let you pay with cryptocurrency, which is nice,
244.24 -> but keep in mind that oftentimes crypto
transactions can still be traced back to you,
248.8 -> so don’t do anything stupid, dangerous or illegal.
251.6 -> So after you’ve paid for your
server, you’ll get an email
254 -> from the provider with the login information.
Most of the time, this process is automated,
258.8 -> but sometimes it can take a few
hours for the email to arrive.
261.76 -> Now we have to login to our server, and for
that we’ll need to open a terminal application.
266.08 -> On macOS and Linux-based operating systems
you can do that by opening your application
270 -> launcher and searching for “Terminal”,
and on Windows you can open the start
273.68 -> menu and search for PowerShell.
I’m gonna be using iTerm.
277.04 -> Now let’s log in to the server
by typing ssh root@ip-address.
281.84 -> Answer yes to the fingerprint question,
283.92 -> and after that it will ask us for the
password, so let’s copy paste that…
287.6 -> By the way, the actual symbols
won’t be shown as you type,
290.08 -> and that’s going to be the case for pretty
much all passwords in this tutorial.
293.84 -> Also, tech tip:
294.88 -> on Windows, you can paste into PowerShell
by right clicking in the terminal window.
298.96 -> Once you’re done, press Enter, and you’re
going to be presented with a command shell.
302.4 -> First thing we need to do IMMEDIATELY
is change the root password.
305.6 -> There are thousands of Chinese bots scanning the
307.68 -> entire Internet for open SSH
servers with common passwords,
310.72 -> and unless you want to become a
part of the great Xi Jinping botnet,
316.96 -> type `passwd` and enter your password of choice
twice, pressing Enter after each password.
322.24 -> If you’ve already set your password while
buying the VPS, you can skip this step.
326.64 -> That was basically the most
difficult part of this tutorial.
329.92 -> Now we need to execute the installation script.
For that, just go to the GitHub page that I’m
334.08 -> gonna link in the description,
and copy paste this command.
337.36 -> Now, running random untrusted scripts from
the Internet is probably not the best idea,
341.68 -> so be sure to read the script
or have somebody else read it.
344.56 -> I’ve tried to add a lot of comments
though, so hopefully it’s not too cryptic.
348.08 -> After that’s done, we can copy and
paste this command and press Enter.
351.92 -> This is going to update all
the packages on your system,
354.4 -> install Ansible and clone the
repository containing the playbook.
357.92 -> Depending on your Internet
speed, this might take a while,
360.32 -> but eventually you should see this screen.
362.96 -> Before actually running the playbook,
we need to fill in some information,
365.76 -> starting with our username of choice.
I’m gonna go with `notthebee`, as usual.
370.32 -> Then a password – we’ll need to enter it twice.
373.12 -> Next the installer is going
to ask us for a domain name.
376.08 -> If you don’t already have
one, you can use DuckDNS.
378.72 -> It’s a free dynamic DNS
server, very simple to use –
381.44 -> you just log in with your GitHub account,
create a domain and point it to
384.88 -> the IP address of the VPS,
which you can find either in the
388.24 -> email that you got from the provider,
or in the control panel of the VPS.
392.08 -> If you’re using your own domain instead,
394.08 -> make sure that it points at
the correct IP address –
397.28 -> this will be important for
generating certificates.
399.68 -> Next, the installer is gonna ask us
whether we already have an SSH key
403.12 -> that we’d like to use.
I’m gonna say...
408.4 -> Last but not least, we need to choose
whether to set up the e-mail functionality.
412.56 -> Now this is completely optional,
413.92 -> but if you want to get e-mail notifications
about automatic updates, banned IPs and such,
418.72 -> you can set it up now.
We’re not gonna do it though.
420.96 -> And that’s it! Now we just have to
enter our desired Vault password –
424 -> Vault is basically an encrypted
file storing your passwords.
427.2 -> Once you’ve entered it twice, you should
be good to go, so let’s press y and Enter.
431.6 -> The script is going to set up the VPN now,
433.68 -> which once again, might take a few minutes.
If you’re setting this up on Ubuntu 22.04,
438.08 -> you might see a big scary error in between,
don’t worry about it, this is completely normal.
442.88 -> After that’s done, you’re
going to see this screen.
445.52 -> First thing we need to do is copy the
generated SSH key to our host machine.
449.36 -> I’m gonna copy this command right here, open
a new terminal window and paste the command.
454 -> Keep in mind that it’s already
going to have the actual username
456.72 -> and the IP address of your server here,
so there’s no need to replace that.
460.4 -> I’m gonna enter my password, and as
you can see, the key has been copied.
463.76 -> Next, we’re going to test if the key works.
466.16 -> Let’s copy the next command, go to the
other terminal window and paste it.
470 -> As you can see, the prompt says “Enter passphrase
for key”, and we’re able to log in successfully.
475.2 -> Now let’s go back to our server,
476.48 -> and as we can see it says “Return to
this terminal window and press [Enter].
480.08 -> Your system will reboot to
install kernel updates”.
482.4 -> So let’s press Enter and
wait for a couple of minutes.
486.56 -> Okay, so the two minutes have passed, and
now we can try logging back into our server.
490.4 -> I’m gonna copy this command, paste
it over here and press Enter.
493.92 -> And after entering your password, you
should see this command prompt. That’s good.
497.2 -> Now let’s navigate to this URL in the browser.
This is going to take us to the log in screen.
501.92 -> Just use the same credentials
that you use for logging into SSH…
505.36 -> And now we have to set up our second factor.
Let’s press Register Device,
509.28 -> and Authelia is gonna tell us that “An
email has been sent to your address”.
513.04 -> That’s a bit misleading, because we
didn’t set up the e-mail functionality.
516.64 -> Let’s go back to our terminal and type show_2fa.
520.48 -> You’ll see a link. Let’s go to that
link, and here you’ll see a QR code.
524.4 -> To scan the code, we’ll need a
phone and a TOTP application.
527.76 -> Now if you already know how to use TOTP,
you probably have an app that you like,
531.44 -> but if you don’t, you can just use
Aegis on Android or OTP Auth on iOS.
535.76 -> The workflow is going to be very similar for
537.52 -> all apps and I’m going to be
using OTP Auth on my phone.
540.64 -> So I’m gonna open the app, click on the Plus
button, “Scan Barcode with Camera”, and that’s it!
545.6 -> Now we just need to press “Done” in the WebUI
and enter the 6-digit code from the phone.
549.84 -> After that’s done, you should be automatically
redirected to the Wireguard WebUI.
553.68 -> And that’s pretty much it when
it comes to the server part!
555.92 -> Now I’m gonna show you how to
configure the VPN on your devices.
559.12 -> I’m gonna explain how to set up the VPN on iOS,
561.44 -> but the process is going to be
pretty similar for Android devices.
564.4 -> First off, we need to create
a new peer in the WebUI.
567.2 -> Press on the “New client” button
and enter a name for your peer,
569.84 -> I’m gonna call it “wolfgangs_iphone”.
571.84 -> Then we’re gonna click on the QR button and
that’s pretty much it for the server part.
575.92 -> Now let’s switch to our phone.
577.6 -> First, we need to install the Wireguard app from
the app store or Google Play if you’re on Android.
581.68 -> Once the app is installed, I’m gonna
open it, tap on “Add tunnel” and then
585.52 -> choose “Create from QR code”.
Once the code is scanned,
588.4 -> we’re gonna need to name it –
I’m gonna call it wolfgangsvpn.
591.68 -> And finally we need to allow the Wireguard app to
set up the VPN tunnel by entering our passcode.
596.56 -> This is a one time process.
598.72 -> And that’s it. Now let’s connect to
the VPN and check our IP address.
602.24 -> As you can see, it worked and
my phone now has an American IP address.
606 -> On desktop, the process is
going to be slightly different.
608.56 -> Let’s go back to the WebUI and add another peer.
I’m gonna call this one wolfgangsmac.
613.36 -> Now instead of pressing on the QR
button I’m gonna press on this button,
616.32 -> and that’s gonna download the
VPN config on my computer.
619.68 -> Just like on the mobile, to use the VPN
config we’ll need to install the app,
623.28 -> and you can check out the instructions for your
platform on the official Wireguard website,
627.36 -> wireguard.com/install.
629.44 -> Since I’m on Mac, I’m gonna press
on “Download from App Store”.
632.24 -> Since I already have it installed,
I’m just gonna click on “Open”.
634.8 -> Here, we can import our config
by pressing on the Plus button
637.76 -> and clicking “Import tunnel from file”.
639.6 -> I’m gonna choose the config
file that we just downloaded,
642 -> and now I’m gonna press on Activate.
We’re now connected to the VPN!
645.68 -> Once again, I’m gonna go back
to the browser and check my IP.
648.4 -> As you can see, it matches the
IP of my VPS, so we’re all set.
652.16 -> So that’s it! We just set up our own
VPN server with automatic updates,
655.76 -> two-factor authentication and a super
easy WebUI for managing clients.
659.36 -> If you have any issues or questions about
the playbook – leave a comment below
663.12 -> or better yet, submit an issue on GitHub,
and I’ll try to answer as soon as I can.