Setting Up a VPN Using WireSock with Ubuntu and Windows

In this guide, we will walk you through setting up a VPN using WireSock, with Ubuntu as the server and Windows as the client. This setup will also configure SOCKS5 and WireGuard on Ubuntu. Each command and configuration step is clearly explained to ensure a smooth process. Special thanks to Vadim Smirnov, the creator of WireSock (https://www.wiresock.net/).

Prerequisites

Ubuntu Server: Ensure you have an Ubuntu server up and running.
Windows Client: Prepare a Windows machine that will connect to the VPN.

Downloads

WireSock on Windows (Client)

Additional Resources

WireGuard Installation Options

While the step-by-step guide for setting up WireGuard is very detailed, it might be easier for most users to use this script: WireGuard Install. If the script fails for any reason, you can revert to the detailed guide provided below.

Step-by-Step Guide

Step 1: Update and Install Necessary Packages

First, update your package list and upgrade the existing packages.

sudo apt update
sudo apt upgrade

Next, install the necessary tools: nano for editing files, net-tools for networking tools, and wireguard for the VPN.

sudo apt install nano net-tools wireguard

Step 2: Determine Network Interface

Identify your network interface name, which is often ens3 on many systems. Use ifconfig to find it:

ifconfig

Look for the interface connected to the internet (often named ens3 or similar).

Step 3: Generate WireGuard Keys

Create a directory to store your WireGuard keys.

sudo mkdir /etc/wireguard/keys
cd /etc/wireguard/keys

Switch to the root user to generate the keys.

sudo su

Generate the public and private keys.

wg genkey | tee privatekey | wg pubkey > publickey

You should also generate a preshared key.

wg genpsk > presharedkey

Store these keys securely.

Step 4: Configure NAT Routing

Create a helper script to add NAT routing. This will enable forwarding traffic from your VPN to the internet.

sudo mkdir -p /etc/wireguard/helper
sudo nano /etc/wireguard/helper/add-nat-routing.sh

Add the following content to the script:

#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"

IN_FACE="ens3"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
SUB_NET="10.66.66.0/24"          # WG IPv4 sub/net aka CIDR
WG_PORT="51820"                  # WG udp port
SUB_NET_6="fd42:42:42::/64"      # WG IPv6 sub/net

## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

## IPv6 (Uncomment) ##
# $IPT6 -t nat -I POSTROUTING 1 -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
# $IPT6 -I INPUT 1 -i $WG_FACE -j ACCEPT
# $IPT6 -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
# $IPT6 -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT

Make the script executable:

sudo chmod +x /etc/wireguard/helper/add-nat-routing.sh

Create a script to remove NAT routing.

sudo nano /etc/wireguard/helper/remove-nat-routing.sh

Add the following content:

#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"

IN_FACE="ens3"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
SUB_NET="10.66.66.0/24"          # WG IPv4 sub/net aka CIDR
WG_PORT="51820"                  # WG udp port
SUB_NET_6="fd42:42:42::/64"      # WG IPv6 sub/net

# IPv4 rules #
$IPT -t nat -D POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -D INPUT -i $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -D INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

# IPv6 rules (uncomment) #
# $IPT6 -t nat -D POSTROUTING -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
# $IPT6 -D INPUT -i $WG_FACE -j ACCEPT
# $IPT6 -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
# $IPT6 -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT

Make this script executable as well:

sudo chmod +x /etc/wireguard/helper/remove-nat-routing.sh

Step 5: Enable IP Forwarding

Enable IP forwarding to allow traffic to be forwarded from your VPN clients to the internet.

sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -w net.ipv6.conf.all.forwarding=1
echo "net.ipv6.conf.all.forwarding = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Step 6: Configure WireGuard

Create the main WireGuard configuration file.

sudo nano /etc/wireguard/wg0.conf

Add the following content, replacing the placeholder keys with your generated keys:

[Interface]
PrivateKey = YOUR_PRIVATE_KEY_HERE
Address = 10.66.66.1/24
ListenPort = 51820
PostUp = /etc/wireguard/helper/add-nat-routing.sh
PostDown = /etc/wireguard/helper/remove-nat-routing.sh

[Peer]
PublicKey = YOUR_PEER_PUBLIC_KEY_HERE
AllowedIPs = 10.66.66.2/32
PresharedKey = YOUR_PRESHARED_KEY_HERE

Start WireGuard:

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Verify the iptables rules:

sudo iptables -t nat -L
sudo iptables -L

Check the status of WireGuard:

sudo systemctl status wg-quick@wg0

Step 7: Install and Configure Dante SOCKS Proxy

The use of a SOCKS5 proxy can be beneficial for specific network requirements or constraints. Install the Dante SOCKS proxy server:

sudo apt install dante-server

Create a user for Dante:

sudo su
useradd -r -s /bin/false danteuser
passwd danteuser

Edit the configuration file:

sudo nano /etc/danted.conf

Add the following configuration:

logoutput: /var/log/socks.log
internal: ens3 port = 1080
external: ens3
clientmethod: none
socksmethod: username
user.privileged: root
user.notprivileged: nobody

client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: error connect disconnect
}
client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        udp.portrange: 40000-45000
        log: error connect disconnect
}
socks block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

Allow the required ports through the firewall:

iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 1080 -j ACCEPT
iptables -I INPUT -p udp --dport 40000:45000 -j ACCEPT
iptables-save > /etc/iptables/rules.v4

Enable and start the Dante service:

sudo systemctl enable danted
sudo systemctl start danted

Step 8: Install and Configure WireSock Client on Windows

To set up the WireSock client on your Windows machine, follow these steps:

Download and Install WireSock: Download the appropriate WireSock client from the downloads section and install it on your Windows machine.
Configure WireSock: Open/Create the configuration file, typically located at C:\Program Files\WireSock VPN Client\bin\wg0.conf, and add the following configuration, replacing the placeholder keys with your generated keys:

[Interface]
PrivateKey = YOUR_PRIVATE_KEY_HERE
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 1.1.1.1,1.0.0.1
MTU = 1240

[Peer]
PublicKey = YOUR_PEER_PUBLIC_KEY_HERE
PresharedKey = YOUR_PRESHARED_KEY_HERE
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 900
DisallowedIPs = 192.168.1.0/24
Socks5Proxy = YOUR_SERVER_IP:1080
Socks5ProxyUsername = danteuser
Socks5ProxyPassword = YOUR_PASSWORD_HERE
Socks5ProxyAllTraffic = true

Run WireSock: Open a command prompt and run the following command to start WireSock with the specified configuration:

wiresock-client.exe run -config "C:\Program Files\WireSock VPN Client\bin\wg0.conf" -log-level info

Alternatively, you can use the WireSock UI application, which is available on GitHub for easier management of the VPN connection.

Conclusion

By following these steps, you have set up a WireGuard VPN with a SOCKS5 proxy on an Ubuntu server, allowing a Windows client to connect securely. This configuration enables private and secure internet access through your VPN.

Feedback and Questions

We’d love to hear your feedback on this tutorial! If you have any questions or suggestions for improvement, please don’t hesitate to reach out. You can leave a comment below, or you can contact us through the following channels: