WireGuard automated installer | Ubuntu, Debian, CentOS, Fedora

Comments

  • Nyr Community Contributor, Veteran

    theblackesthat said: Does this keep any logs by default? How can I make sure it keeps ZERO logs?

    WireGuard doesn't include logging capabilities by default.

    Iroshan464 said: And nordvpn has modified the code to use it on their servers.

    It doesn't matter if the server itself saves logs or not, a VPN is not a tool to provide anonymity. Nord keeps logs too, and they'll never publish an independent audit proving the opposite, only marketing speak. Logs are needed to run their business, same as any other hosting service, and are needed so they don't get shut down when someone makes a bomb threat or uploads child porn.

    Anyway, commercial VPN providers use upstream ISPs which also keep logs of what's going on in their network, so even in the very rare case of a VPN provider which really doesn't log their customers' activities, whoever did something bad will be identified anyway.

    "something bad" != "downloading a torrent"

  • Iroshan464 Member
    edited May 2020

    @Nyr
    Yeah. Maybe you're right.
    I just looked in my nordvpn and they call it nordlynx.
    https://nordvpn.com/blog/nordlynx-protocol-wireguard/

    The WireGuard protocol alone can’t ensure complete privacy. Here’s why. It can’t dynamically assign IP addresses to everyone connected to a server. Therefore, the server must contain a local static IP address table to know where internet packets are traveling from and to whom they should return. It means that the user's identity must be stored on the server and linked to an internal IP address assigned by the VPN.

    How we made it work
    We needed to find a way for the WireGuard protocol to work without posing a risk to our customers’ privacy.

    And we found it. We developed something called a double NAT (Network Address Translation) system.

    To put it simply, the double NAT system creates two local network interfaces for each user. The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same IP address.

  • Nyr Community Contributor, Veteran

    Iroshan464 said: I just looked in my nordvpn and they call it nordlynx.

    I see. Again, it's mostly PR speak:

    The WireGuard protocol alone can’t ensure complete privacy. Here’s why. It can’t dynamically assign IP addresses to everyone connected to a server. Therefore, the server must contain a local static IP address table to know where internet packets are traveling from and to whom they should return. It means that the user's identity must be stored on the server and linked to an internal IP address assigned by the VPN.

    "the user's identity". That's very vague. I wouldn't say that an internal IP address is "the user's identity". The only information which a WireGuard server stores is:

    • Private IP address assigned to the client
    • Public key of the client
    • Optionally, a pre-shared key

    They are maybe referring to the fact that one website could, using some tricks, obtain the internal IP address of a VPN-connected client. One could argue that this can be used to fingerprint their customers.

    In my personal opinion, this just serves as a reason to push their proprietary "NordLynx" protocol which is not compatible with standard WireGuard clients and never will be.

    Thanked by 2vimalware mtsbatalha
  • I just wanted to say, @Nyr I've used this many times in the past (I discovered it off Github, not here) and it's great. Thanks for taking the time to maintain and write this package.

    Thanked by 1Nyr
  • hacktek Member
    edited May 2020

    I implemented it with the pihole docker. It works fine. As a suggestion, can you allow manually selecting what DNS server you want to use? I had to edit the client config to point it to the pihole docker internal IP because the tunnel would not come up with 127.0.0.1 as the DNS (which is what was set when I selected the "Current system resolvers" option).

  • Nyr Community Contributor, Veteran

    hacktek said: I implemented it with the pihole docker. It works fine. As a suggestion, can you allow manually selecting what DNS server you want to use? I had to edit the client config to point it to the pihole docker internal IP because the tunnel would not come up with 127.0.0.1 as the DNS (which is what was set when I selected the "Current system resolvers" option).

    The "current system resolvers" option selects just that, the resolver which is present in the system's resolv.conf. Letting the user provide a custom resolver requires a little bit of work on the input validation part, but it's something which I'll consider, so thanks for the feedback.
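
The resolver problem discussed above (a loopback address from resolv.conf ending up in the client config) and the input validation a custom-resolver option would need, sketched as an added example that is not part of the thread or of the installer script. The function names are hypothetical and only IPv4 resolvers are handled.

```shell
#!/bin/sh
# Added example, not code from wireguard-install.sh. Function names are
# hypothetical. Checks a value before it is written to the client's DNS line.
valid_resolver() {
    ip=$1
    # Digits and dots only, no empty fields: this also keeps newlines or
    # extra directives out of the generated client config.
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac   # leading zero / too long
        [ "$octet" -le 255 ] || return 1
    done
    # 127.0.0.0/8 in a client config points at the client's own loopback,
    # the failure reported above; 0.0.0.0/8 is not a usable destination.
    case $1 in 127|0) return 1 ;; esac
    return 0
}

# Print the nameservers of a resolv.conf-style file that pass the check,
# comma-separated as the DNS line of a WireGuard client config expects.
usable_resolvers() {
    out=
    while read -r key value rest; do
        [ "$key" = nameserver ] || continue
        valid_resolver "$value" || continue
        out=${out:+$out, }$value
    done < "$1"
    printf '%s\n' "$out"
}

# Constructed sample: local stub resolver plus a Pi-hole container address.
sample=$(mktemp)
printf 'nameserver 127.0.0.53\nnameserver 172.17.0.2\n' > "$sample"
echo "DNS = $(usable_resolvers "$sample")"
rm -f "$sample"
```

An empty result means the host only has loopback resolvers, so the installer would have to fall back to a public resolver or ask for one.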

  • sonic Veteran

    Hi @Nyr , does this script work on Nat IPv6 VPS?

  • Nyr Community Contributor, Veteran

    @sonic said:
    Hi @Nyr , does this script work on Nat IPv6 VPS?

    Yes, but not in OpenVZ, yet.

    Container support is coming very soon, probably will be released during next week :)

    Thanked by 2sonic ThracianDog
  • That's awesome.
    So I can install this on all my Nat vps too. :))

  • I would recommend PiVPN (supports wireguard and openvpn) for distros that use apt as package manager, running it myself at the moment over at Netcup, management of the configs is also pretty easy with PiVPN.

  • @mtsbatalha said:

    Nyr said: Using a Raspberry Pi as a server, right?

    No my friend. I'm using Debian 10 (online.net server).

    After running the script, the output says to install the kernel, but the requested kernel is already installed.

    Edit: wireguard-install.sh: line 407: modprobe: command not found
    Warning!
    Installation was finished, but the WireGuard kernel module could not load.
    Upgrade the kernel with "apt-get install linux-image-amd64" and restart

    https://linuxconfig.org/command-not-found-missing-path-to-sbin-on-debian-gnu-linux

    I fixed this by logging into root using su -l instead of just su

  • Nyr Community Contributor, Veteran

    OpenVZ support is here!


    FAQ:

    Does it work with other container technologies?
    Very likely, as long as they have full iptables/nftables support.

    Does it work with just 128 MB of RAM?
    Yes but avoid CentOS if you don't have SWAP, because yum/dnf are memory hungry.

    Does it work with NAT servers?
    Yes.

    Why are you using BoringTun instead of wireguard-go?
    It is the best WireGuard user space implementation currently available. I have my "political" opinions and you can too, but at this time BoringTun is technically a great choice and I see no reason to avoid it.

    Why aren't you signing the binaries?
    Because Cloudflare is not going to, and when they make them available I'd like to use their official binaries instead of my own. They are a modern company with great engineers for new and shiny languages, but it seems like GPG is too old school for them. My initial idea was to provide full deb and rpm repositories for the community, but that ended up being an unattainable amount of work if I wanted to do it properly.

    Code quality could be better/cleaner
    That's not a question, but I know. I wanted to get working OpenVZ support out and then polish the minor stuff. I have a limited amount of time available and the implementation is working correctly, so no need to wait.

  • Would help if you can also list some good VPN client apps for Windows / Mac / Android & iOS.

    Also mentioning how we can set up split tunneling if possible with WireGuard. It is helpful on many occasions.

    Thanks

  • NanoG6 Member

    Working PERFECTLY, many thanks @Nyr!

    Thanked by 1Nyr
  • For Android and Windows, the official apps work perfectly.
    On Android you could activate the Magisk module too.
    Always better to use the official software. In this case, they are very good.

    Thanked by 1mehargags
  • Nyr Community Contributor, Veteran

    theblackesthat said: I fixed this by logging into root using su -l instead of just su

    I've added a check for this.

    mehargags said: Would help if you can also list some good VPN client apps for Windows / Mac / Android & iOS.

    To tell the truth, I still didn't move to WireGuard myself, so can't speak from experience.

    There are official clients with different grades of maturity for almost any platform and then there is TunSafe too which was a promising alternative developed by the creator of uTorrent, but seems to be getting abandoned.

    For most platforms I'd probably go with the official client based on what I've seen, but ask me in two weeks if you are curious about what I ended up using.

    mehargags said: Also mentioning how we can set up split tunneling if possible with WireGuard. It is helpful on many occasions.

    Can be configured client-side with the AllowedIPs directive.

  • Naming something BoringTun sounds like they want to pick a fight with Musk.

  • Nyr Community Contributor, Veteran

    TimboJones said: Naming something BoringTun sounds like they want to pick a fight with Musk.

    It is actually an homage to BoringSSL IIRC

  • Nyr Community Contributor, Veteran

    Due to a bug in BoringTun, adding users after the first one would result in WireGuard breaking for those using the script in OpenVZ.

    I have addressed that on my side with the latest commit. Affected users can download and use the latest version, no need to reinstall.

    Non-container installations are not affected.

    Thanks @NanoG6 and @ThracianDog for reporting this.

  • @Nyr can I request a feature please? Can we get the ability to choose our own DNS resolver IP instead of only being able to select the one given?

  • @Iroshan464 said:
    For Android and Windows, the official apps work perfectly.

    For Windows I prefer TunSafe.

  • Nyr Community Contributor, Veteran

    dazzsser said: can I request a feature please? Can we get the ability to choose our own DNS resolver IP instead of only being able to select the one given?

    Yes, this is something which I'm seriously considering. Probably will be implemented soon.

    hyperblast said: For Windows I prefer TunSafe.

    Been using it for the last day and I do too. More performant and feature complete at this time. A shame that it hasn't seen a release in more than a year and is starting to look abandoned.

    Thanked by 1Iroshan464
  • It works great!
    I am wondering, is there any way to add a client with one command? For example: using a preset (or random) username and default DNS, instead of echoing option 1, then typing in the username and then selecting the DNS. It would be great in the case of creating multiple users.
    Thank you!

  • Nyr Community Contributor, Veteran

    trungkien said: I am wondering, is there any way to add a client with one command? For example: using a preset (or random) username and default DNS, instead of echoing option 1, then typing in the username and then selecting the DNS. It would be great in the case of creating multiple users.

    Not at the moment, sorry. Maybe if I have time in the future for this.

    Thanked by 1trungkien
  • Dylan Member

    Nyr said: A shame that it hasn't seen a release in more than a year and is starting to look abandoned.

    Yeah, I think the creator is done with it. Originally he didn't want to open-source TunSafe and hinted that he wanted to make money off it. Unsurprisingly, especially given what he did with μTorrent, he got a lot of flak for that. After the pushback he did open-source TunSafe, but seems to have not touched it since.

  • Ouji Member
    edited June 2020

    I was failing to install on Proxmox host, but I was able to do it using buster backports.

  • jcaleb Member

    @Nyr said: Lightweight WireGuard installer, written entirely in bash.

    Freakin good work boss. You the man. Thanks for the hard work and generously sharing in the community

    Thanked by 1Nyr
  • Can this script be used to link multiple servers into its own private lan?

  • I'm just beginning to educate myself on VPS management, so please forgive this basic question.

    After I start fresh with Ubuntu 20.04 on a VPS, I'll "apt update && apt upgrade". Then should I proceed to harden the VPS using one of the many online tutorials, and then run this wireguard script?

    Or, does the script not only install wireguard, but also harden the server so I don't have to do any of that server security such as ufw firewall, etc?

  • Ouji Member

    @WildDaisy said: Or, does the script not only install wireguard, but also harden the server so I don't have to do any of that server security such as ufw firewall, etc?

    The script only installs WireGuard and creates a client config. You have to harden the server yourself.
