Wireguard Extras - barkwoofdog/howtowithdog GitHub Wiki
Configuring Your SSH config File on Windows
As stated previously, Windows uses OpenSSH. This means you can supply a configuration file much as you would on *nix systems. I included a sample configuration file for you to download and add to the .ssh\ directory in your user folder. Here is a quick rundown of the variables.
Host: the name you give the connection. If I name it "dog", then any time I enter `ssh dog` it will use the parameters for this connection.
HostName: the FQDN or the IP address of the connection.
IdentityFile: the private key for the connection. It should match the public key we added to the Forwarding Host.
IdentitiesOnly: use only the identity file listed for this connection, rather than every key the agent holds. No passwords.
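A complete config file in that format, as an added example rather than the wiki's downloadable sample; the alias, address, username and key filename are placeholders, and the PasswordAuthentication line is an addition that makes the "no passwords" intent explicit, since IdentitiesOnly by itself only limits which keys are offered:

```sshconfig
# %USERPROFILE%\.ssh\config  (placeholder values, not the wiki's sample file)
Host dog
    # FQDN or IP address of the Forwarding Host (placeholder)
    HostName vpn.example.com
    # login name on the Forwarding Host (placeholder)
    User dog
    # private key whose public half is in the Forwarding Host's authorized_keys
    IdentityFile ~/.ssh/id_ed25519_dog
    # offer only this key, not every key ssh-agent holds
    IdentitiesOnly yes
    # never fall back to a password prompt for this host
    PasswordAuthentication no
```

On Windows OpenSSH the `~` in IdentityFile expands to your user folder, so the path above points at %USERPROFILE%\.ssh\id_ed25519_dog.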
Redhat-Like Configuration Notes
This section is not as well thought out as the guide. I use a Fedora host as my personal VPN. The host also runs Pi-hole so that I have ad blocking on the go. Here are a few notes I took while getting this working. No promises it will be great!
I included a sample sshd config file due to my lack of good notes, so copying that should get the expected results.
My notes say that one of the only things I had to do was comment out the UsePAM value in sshd_config, set the .ssh/ directory in my home directory to mode 0700, and set the authorized_keys file to 0600.
Along with this, there are a few changes you need to make to firewalld. Firewalld plays a lot nicer with forwarding than iptables does. The following commands should produce good results (replace wgListenPort with the ListenPort value from your interface config):

```
firewall-cmd --permanent --zone public --add-masquerade
firewall-cmd --permanent --zone public --add-port=wgListenPort/udp
firewall-cmd --reload
```
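The same three commands, as an added shell script that is not part of the wiki: it reads ListenPort out of the interface file so the number cannot be mistyped, and can print the commands before anything is changed. It assumes firewalld (`firewall-cmd`) and the wiki's path /etc/wireguard/wg1.conf; the sample interface file it writes for the demo is constructed, not a real config.

```shell
#!/bin/sh
# Added example, not the wiki's own commands: open exactly the port the
# WireGuard interface listens on. DRY_RUN=1 prints the commands instead of
# running them. Path assumption: /etc/wireguard/wg1.conf (the wiki's script).

# Print the ListenPort value from a WireGuard interface config (first match only).
wg_listen_port() {
    sed -n 's/^[[:space:]]*ListenPort[[:space:]]*=[[:space:]]*\([0-9]\{1,5\}\).*/\1/p' "$1" | head -n 1
}

# The three firewall-cmd invocations from the wiki, one per line, port filled in.
firewalld_rules_for_port() {
    printf '%s\n' \
        "firewall-cmd --permanent --zone public --add-masquerade" \
        "firewall-cmd --permanent --zone public --add-port=$1/udp" \
        "firewall-cmd --reload"
}

# Apply (or, with DRY_RUN=1, only display) the rules for the given config file.
# Fails instead of guessing when the file has no ListenPort line.
apply_firewalld_rules() {
    conf=${1:-/etc/wireguard/wg1.conf}
    port=$(wg_listen_port "$conf")
    if [ -z "$port" ]; then
        echo "no ListenPort found in $conf" >&2
        return 1
    fi
    firewalld_rules_for_port "$port" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: $cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Constructed sample interface file for a stand-alone dry run (placeholder key).
write_sample_conf() {
    printf '[Interface]\nAddress = 10.66.66.1/24\nListenPort = 51820\nPrivateKey = PLACEHOLDER\n' > "$1"
}

# "sh thisfile.sh demo" shows the commands for the sample file without touching firewalld.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    DRY_RUN=1 apply_firewalld_rules "$tmp"
    rm -f "$tmp"
fi
```

Run it with `DRY_RUN=1 apply_firewalld_rules` first and compare the printed lines against the interface file; only then run it for real as root.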
A Few Wireguard Things
MTU and YOU
My recommended MTU for your interface is 1280. A fellow on a website I frequent stated he found this to be most effective when traversing both nationwide backbones and cellular networks. I also find this to be true, and I will give you an example of how it improved my life.

My original MTU was set to 1500 (the default) and my transfer rate was around 12Mb/s, which is pretty slow considering the server hardware and network equipment in place. Even my VPS has a beefier CPU to support routing and WireGuard's encryption. When I set it to 1280, this increased to an average of 110Mb/s. You can try 1280, or there is an awesome tool here that can help automate that process.
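1280 is a safe fixed value; the added script below (not the tool the wiki links to, and not part of the wiki) instead measures the path MTU to the endpoint with don't-fragment pings and derives a tunnel MTU from it. It assumes Linux iputils ping (`-M do` sets DF, `-s` sets the payload size), and vpn.example.com is a placeholder endpoint. The overhead figures are WireGuard's own: 20 bytes IPv4 + 8 bytes UDP + 32 bytes WireGuard data header and tag, so 60 bytes over IPv4 and 80 over IPv6.

```shell
#!/bin/sh
# Added example, not from the wiki: probe the largest ICMP payload that
# crosses the path without fragmentation, then derive a WireGuard MTU.
# Assumes Linux iputils ping; endpoint hostnames below are placeholders.

# probe_ping SIZE HOST: succeed if a DF-marked ping with SIZE payload bytes gets through.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# largest_payload PROBE HOST [LO] [HI]: binary search for the largest payload
# in [LO, HI] for which "PROBE SIZE HOST" succeeds; prints -1 if none does.
# PROBE is a function name so a fake probe can be substituted for testing.
largest_payload() {
    probe=$1; host=$2; lo=${3:-0}; hi=${4:-1472}   # 1472 = 1500 - 20 (IP) - 8 (ICMP)
    best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid
            lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# Path MTU = payload + 20 (IPv4 header) + 8 (ICMP header).
path_mtu_from_payload() { echo $(( $1 + 28 )); }

# WireGuard over IPv4 adds 20 (IP) + 8 (UDP) + 32 (WireGuard header and auth tag)
# = 60 bytes; use 80 when the endpoint is reached over IPv6.
wg_mtu_from_path_mtu() { echo $(( $1 - ${2:-60} )); }

# suggest_wg_mtu HOST: print the MTU to put in the [Interface] section.
suggest_wg_mtu() {
    payload=$(largest_payload probe_ping "$1")
    [ "$payload" -ge 0 ] || { echo "no DF ping got through to $1" >&2; return 1; }
    wg_mtu_from_path_mtu "$(path_mtu_from_payload "$payload")"
}
```

Usage is `suggest_wg_mtu vpn.example.com` from the client side, repeated from each network you roam on; keep the smallest answer. If a path returns a larger value than 1280, the guide's fixed 1280 still works, it just leaves some headroom unused.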
Denying Access to Services
If you use the script, you are forwarding all ports EXCEPT SSH. If you are running services like NGINX Proxy Manager, Portainer, Rancher, or some other administrative service, you probably don't want them reachable from the whole world. Best practice is to make these services reachable only while you are connected to the VPN. To deny access, we need to make these changes.

In the firewall rule definition inside the tunnel interface file (/etc/wireguard/wg1.conf if you used the script), wherever it says `--dport 22`, change it to `--dports 22,9443` plus any other ports you wish to block from the Internet. Note that `--dports` is only understood by the multiport match, so the rule must carry `-m multiport` for the comma-separated list to work. Be sure to bring the tunnel down and back up with wg-quick to apply these changes.
Just for kicks, we will also block traffic on these ports in UFW (deny silently drops the traffic, whereas a reject rule tells the connecting host that it is being refused). You can use this template for making these changes. I always like to comment my rules as well.

```
ufw deny 9443/tcp comment 'deny portainer access'
```

As always, run a quick `ufw reload` to apply your changes.
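Both edits above (the `--dports` list in the tunnel file and the matching ufw rules) are easy to get subtly wrong, so here is an added shell helper, not part of the wiki or its script, that builds them from one port list and refuses bad input. It assumes iptables with the multiport match and ufw; the port labels are constructed. The multiport expression is a drop-in for `--dport 22` and keeps whatever `!` negation precedes it in the script's rule.

```shell
#!/bin/sh
# Added example, not from the wiki: generate the firewall pieces for admin
# ports that should only be reachable over the tunnel. Assumptions: iptables
# multiport match, ufw; all port/label values below are constructed.

# validate_ports LIST: comma-separated, numeric, 1-65535, and at most 15 entries
# (the limit of iptables' multiport match). Returns 1 on any problem.
validate_ports() {
    count=0
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "out of range: $p" >&2; return 1; }
        count=$((count + 1))
    done
    [ "$count" -ge 1 ] && [ "$count" -le 15 ]
}

# multiport_dports LIST: the expression that replaces "--dport 22" in the tunnel
# file's rule. --dports only works together with "-m multiport".
multiport_dports() {
    validate_ports "$1" || return 1
    printf -- '-m multiport --dports %s\n' "$1"
}

# ufw_deny_cmds PORT:LABEL ...: one commented deny rule per argument (deny =
# silent drop, as in the wiki), followed by the reload.
ufw_deny_cmds() {
    for spec in "$@"; do
        port=${spec%%:*}
        label=${spec#*:}
        validate_ports "$port" || return 1
        printf "ufw deny %s/tcp comment 'deny %s access'\n" "$port" "$label"
    done
    echo "ufw reload"
}

# "sh thisfile.sh demo" prints both pieces for a constructed set of admin ports.
if [ "${1:-}" = "demo" ]; then
    multiport_dports 22,9443,81
    ufw_deny_cmds 9443:portainer 81:npm
fi
```

Review the printed lines, paste the multiport expression into wg1.conf in place of `--dport 22`, and run the ufw lines as root; the tunnel still needs a wg-quick down/up afterwards.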
MotD message
A simple little display of your tunnel's status in the MotD.

Add the script file to the /etc/update-motd.d/ directory and be sure to make it executable with `chmod +x 40-tunnelstatus.sh`.

Remember, the MotD scripts run in the order of the directory listing, so changing the number in the filename to something higher or lower will make it display higher or lower in the MotD.
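One way to write that script, as an added example rather than the wiki's own 40-tunnelstatus.sh: it feeds the output of `wg show all dump` (tab-separated; the first line per interface is the interface itself and carries the private key, the following lines are peers) through awk and prints one line per tunnel and peer. WireGuard renegotiates roughly every two minutes while traffic flows, so a handshake older than three minutes is reported as stale. The sample dump used for the demo is constructed, with placeholder keys.

```shell
#!/bin/sh
# /etc/update-motd.d/40-tunnelstatus.sh  (added example, not the wiki's file)
# Assumes wg(8) from wireguard-tools. The interface line of the dump holds the
# private key, so it is never printed: only the interface name is shown.

# format_tunnel_status DUMP [NOW]: render "wg show all dump" text as a status list.
# Interface lines have 5 fields; peer lines have 9:
#   iface pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive
format_tunnel_status() {
    [ -n "$1" ] || { echo "WireGuard: no tunnels up"; return 0; }
    now=${2:-$(date +%s)}
    printf '%s\n' "$1" | awk -F'\t' -v now="$now" '
        NF == 5 { print "tunnel " $1 ": up"; next }
        NF >= 6 {
            hs = $6 + 0
            if (hs == 0)              state = "never handshaked"
            else if (now - hs <= 180) state = "active (" now - hs "s ago)"
            else                      state = "stale (" int((now - hs) / 60) " min ago)"
            print "  peer " substr($2, 1, 8) "... " $5 " from " $4 ": " state
        }'
}

# Constructed sample dump (placeholder keys) so the script can be run without wg.
sample_dump() {
    printf 'wg1\tPRIVATE_KEY_NEVER_PRINTED\tSERVER_PUBKEY\t51820\toff\n'
    printf 'wg1\tdogPeerPubKey=\t(none)\t203.0.113.7:41234\t10.66.66.2/32\t1700000000\t1234\t5678\t25\n'
    printf 'wg1\tlaptopPeerPubKey=\t(none)\t(none)\t10.66.66.3/32\t0\t0\t0\toff\n'
}

# When run by update-motd with wg installed, show the live tunnels; with "demo",
# show the constructed sample instead.
if [ "${1:-}" = "demo" ]; then
    format_tunnel_status "$(sample_dump)"
elif command -v wg >/dev/null 2>&1; then
    format_tunnel_status "$(wg show all dump 2>/dev/null)"
fi
```

Since update-motd runs the scripts as root, `wg show` works without extra privileges; if you instead run it from a user login hook, `wg` needs CAP_NET_ADMIN and the script should fall back to the "no tunnels" line rather than fail.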
DNS & Wireguard
You can change which DNS service your WireGuard interface uses by adding `DNS = 8.8.8.8` under the [Interface] definition in the interface configuration file found in the /etc/wireguard/ directory. You will also need to make sure that resolvconf is installed on the system, since wg-quick uses it to apply the DNS setting. This means you can even run Unbound on your host and use your own DNS service!
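An added fragment, not from the wiki, showing the two ways that line can point: at a public resolver, or at a resolver that lives inside the tunnel such as the Pi-hole or Unbound on the VPN host. The tunnel address is a placeholder. The second form keeps DNS queries inside the tunnel regardless of how AllowedIPs is set; the first only does so when AllowedIPs on the peer covers the resolver's address.

```ini
[Interface]
# PrivateKey, Address and ListenPort as generated by the script (omitted here)

# Option A: public resolver, as in the wiki. Queries travel through the tunnel
# only if the peer's AllowedIPs includes 8.8.8.8 (e.g. AllowedIPs = 0.0.0.0/0).
#DNS = 8.8.8.8

# Option B: resolver reached inside the tunnel (Pi-hole or Unbound on the VPN
# host). Placeholder address; use the host's tunnel address from its Address line.
DNS = 10.66.66.1
```

Either way, wg-quick hands the address to resolvconf when the tunnel comes up and removes it again on wg-quick down, so a missing resolvconf shows up as an error at that point rather than as silently unchanged DNS.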