Oddbean new post about | logout
 # Why wireguard?

If you are already sold on why you need this, skip to the next section.

## A motivational story

The year is 2025. You're at the small coffeshop you found on [btcmap](https://btcmap.org/map) and want to pay for your morning double expresso.

A LN invoice flashes before your sleepy eyes, you pull out your phone and try to open your Zeus wallet connected to your sovereign self-custodial LN node running in your basement.

You wait for Zeus to load. And you wait. And you wait. And you wait some more. The barista gets impatient, there is a line of NPCs behind you rushing to get to their fiat mines.

Finally you curse, pay with your slave VISA CBDC card and uninstall Zeus as you walk out.

## The Issue

You used Tor to connect to your node. Tor was being DDOSed by some state-level actors.

You're using Tor because either it was the easiest thing to setup, or it was just the default in your node distribution.

Have you stopped to wonder if it really makes sense to **use an anonymity network designed to be censorship resistant just to connect to your own home server**?

You obviously don't want to expose your node to the public internet (which would expose what you are using as well as make you vulnerable to attacks).

## The Solution

The best solution (as far as I'm aware of) is to connect to your home node using an **encrypted VPN point-to-point tunnel** using something called [WireGuard](https://www.wireguard.com/).

The only information you leak to potential traffic sniffers is encrypted UDP packets (which are already hard to sniff) to your home IP address, which is pretty harmless information.

## The (not ideal) Alternative

Many people find Wireguard hard to setup on its own (don't worry, that is why I wrote this guide) and prefer a more seamless corporate solution based on Wireguard called [Tailscale](https://tailscale.com/).

Tailscale has 2 major drawbacks:

* It's an additional **third party** that knows every encrypted packet you send over it as well as all your public IPs.
* It's **permissioned** and requires setting up an account, **not very sovereign**
# Setup

## Requirements

* Access to your home **router admin page**: if your node is behind a NAT (usually that is the case when it's behind a home router), you're going to need to **forward a port to your node LAN IP**. If you don't know how to do this, you can try to follow the guide for your router model at [portforward.com](https://portforward.com/).
* Either a **fixed home public IP address**, or a **domain name** that points to your dynamic home IP address. Even if you don't have this, you can still follow the guide and manually update your home IP in the configuration file.
* Shell **root** access in your node.

## Node setup

### Gather network information

Find your node's LAN IP address:

```bash
$ ip -human --brief address show
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0            UP             192.168.1.2/24 metric 1024
```

In this case, the your node's LAN IP is `192.168.1.2`.

Find your home public IP address:

```bash
$ curl ipecho.net/plain
```

 ### Install wireguard tools

The wireguard module is actually built into any modern linux kernel by default, what we actually need to install is the tooling to generate valid wireguard cryptographic keys.

For debian/ubuntu based distros:

```bash
$ sudo apt install wireguard
```
For other distros, check [wireguard.com/install](https://www.wireguard.com/install/).

### Generate keys

You manually need to generate 1 keypair for each device (called peer) that will use your wireguard VPN (including your home node).

To generate a keypair for your node (let's call it `node`):

```bash
$ wg genkey | (umask 0077 && tee node.key) | wg pubkey > node.pub
```

This will create 2 files: `node.key` and `node.pub` containing your private and public keys, respectively. Keep these files safe and **after** being done configuring wireguard **you can even delete them**.

Create extra keypairs for your other devices, e.g.:
* Your phone:
```bash
$ wg genkey | (umask 0077 && tee phone.key) | wg pubkey > phone.pub
```
* Your laptop:
```bash
$ wg genkey | (umask 0077 && tee laptop.key) | wg pubkey > laptop.pub
```
Create as many as you wish.

### Configure the tunnel

Using a text editor create and edit the file `/etc/wireguard/mytunnelname.conf` with the content:

```
[Interface]
Address = 10.0.0.1/24
ListenPort = 50000
PrivateKey = <NODE_PRIVATE_KEY>

[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.0.0.3/32
```

Subsitute `*_KEY` with the relevant keys found in the files you generated earlier (which you can see the contents using `cat node.key` for instance).

### Generate configurations for the other peers

For your phone/laptop, create a files (can be anywhere, does not matter) with the contents:
* `phone.conf` 
```
[Interface]
Address = 10.0.0.2/24
PrivateKey = <PHONE_PRIVATE_KEY>

[Peer]
PublicKey = <NODE_PUBLIC_KEY>
AllowedIPs = 10.0.0.1/32
Endpoint = <HOME_PUBLIC_IP>:50000
```

* `laptop.conf` :

```
[Interface]
Address = 10.0.0.3/24
PrivateKey = <PHONE_PRIVATE_KEY>

[Peer]
PublicKey = <NODE_PUBLIC_KEY>
AllowedIPs = 10.0.0.1/32
Endpoint = <HOME_PUBLIC_IP>:50000
```

Now you need to either **transfer** these files to their respective devices (how you do it is your business) **or generate an easy to use QR code** to use to configure your phone.

#### Optional: generate QR code for the phone configuration

Install `qrencode`

```bash
sudo apt install qrencode
```

Print the QR code on your terminal:

```bash
$ qrencode -r phone.conf -t ansiutf8
```

Or save it (and transfer) as png image:

```bash
$ qrencode -r phone.conf -o phone.png
```

### Run wireguard the wireguard tunnel

```bash
$ sudo systemctl enable --now wg-quick@mytunnelname.service
```

Now when you do `ip -human --brief address show` you should see an extra interface:

```
lo                   UNKNOWN        127.0.0.1/8 ::1/128
eth0                 UP                      192.168.1.2/24 metric 1024
mytunnelname         UNKNOWN        10.0.0.1/24
```

### Open UDP wireguard port

If your node has a firewall, we need to open our chosen UDP port (50000).

If using `ufw`:

```bash
$ sudo ufw allow 50000/udp
```

if just using iptables:

```bash
$ sudo iptables -A UDP -p udp -m udp --dport 50000 -j ACCEPT
```

## Home router setup

Forward port 50000 UDP to your node's LAN IP. If you don't know how to do this, you can try to follow the guide for your router model at [portforward.com](https://portforward.com/).

## Phone setup

1- Install the wireguard app, you can find links in [wireguard.com/install](https://www.wireguard.com/install/).

2 - Open the app
3 - Click on the `+` button
4 - Choose if you want to import the `phone.conf` configuration file, the your generated QR or input everything manually.
5 - Activate the tunnel by tapping the switch

You should have a working tunnel between your node and your phone. You can try pinging your phone wireguard IP (`10.0.0.2`) from your node's terminal (`ping 10.0.0.2`) to check that it is working.

Now on every app you connect to your node (e.g. Zeus), instead of using the onion address, you can just use your node's wireguard IP (`10.0.0.1`).

## Laptop setup

If it's a linux laptop: place (and rename) `laptop.conf` to `/etc/wireguard/mytunnelname.conf` and do:

```bash
$ sudo systemctl enable --now wg-quick@mytunnelname.service
```

Ping your node wireguard IP `ping 10.0.0.1` to make sure it's working.

Now you can use that IP instead of the onion address to connect to your node (e.g. in Sparrow).


# Help

If you have questions feel free to contact me (NIP-05: sommerfeld@strisemarx.com).
 
 Test reply 
 Regarding your ".. two drawbacks of...", what do you think of [Headscale](https://github.com/juanfont/headscale) ?