/nika-vpn

Easy to deploy and use private VPN server with ad blocker (Wirehole+wg-access-serve+wstunnel+installers)

Primary LanguageShellMIT LicenseMIT

Nika-VPN

It is an easy to deploy and use private VPN server with ad blocker and tunneling VPN traffic through via websocket.

This VPN service based on Wirehole + wg-access-server + wstunnel and provides a convenient and friendly installers for server and client side.

  1. Wirehole - WireHole is a combination of WireGuard, Pi-hole, and Unbound in a docker-compose project with the intent of enabling users to quickly and easily create a personally managed full or split-tunnel WireGuard VPN with ad blocking capabilities thanks to Pi-hole, and DNS caching, additional privacy options, and upstream providers via Unbound.
  2. wg-access-server - An all-in-one WireGuard VPN solution with a web ui for connecting devices.
  3. wstunnel - This tool uses the websocket protocol which is compatible with http in order to bypass firewalls and proxies. Wstunnel allows you to tunnel what ever traffic you want.

Winguard from Wirehole replaced with wg-access-server.

This VPN service has been developed and tesed for Oracle Cloud Free Tier on configurations:

  • Canonical-Ubuntu-20.04-Minimal, VM.Standard.E2.1.Micro (amd64)
  • Canonical-Ubuntu-20.04, VM.Standard.A1.Flex (aarch64)

Server side installation

This script is meant for quick & easy install via:

curl -sSL https://bit.ly/nika-vpn-install | sh
or:
wget -qO- https://bit.ly/nika-vpn-install | sh

Once it ends, you need to go to [server_public_ip_address]:[vpn_control_panel_port] to create VPN users.

To reinstall, or specify additional script execution arguments, you need to add the -s - key to sh, for example:

curl -sSL https://bit.ly/nika-vpn-install | sh -s - --force
or:
wget -qO- https://bit.ly/nika-vpn-install | sh -s - -f

Nika-VPN Server Installer CLI Overview

You can also see this information by running
curl -sSL https://bit.ly/nika-vpn-install | sh -s - --help
or
wget -qO- https://bit.ly/nika-vpn-install | sh -s - -h
from the command line.

Installing a personal private VPN server with ad blocker

Usage:
  nika-vpn-install.sh [-d <arg>...] [-q] [--logLevel <level>...] [options]
  nika-vpn-install.sh -h|--help

Options:
  -h, --help
        Displays current help for command line options
  -q, --quiet
        This tries its best to reduce output by suppressing the script's own
        messages and passing "quiet" arguments to tools that support them
  -f, --force
        Reinstalling the Nika-VPN service if it is already installed
  -d, --dest DEST
        Nika-VPn installation directory, default '${HOME}/nika-vpn'
  -tz, --time-zone TIME_ZONE
        Setting the time zone for Nika-VPN modules, by default 'Etc/UTC'
  -ss, --services-subnet SERVICES_SUBNET
        The IPv4 network range for Nika-VPN modules, default '10.43.0.0/24'
  -ul, --unbound-local-ip UNBOUND_LOCAL_IP
        IPv4 local address of the Unbound server DNS module, default '10.43.0.2'

  -pl, --pihole-local-ip PI_HOLE_LOCAL_IP
        IPv4 local address of the Pi-Hole ad blocker module, default '10.43.0.3'
  -pp, --pihole-password PI_HOLE_PASSWORD
        Password to access the Pi-Hole ad blocker control panel

  -wl, --wg-local-ip WG_LOCAL_IP
        IPv4 local address of wg-access-server VPN server module,
        default '10.43.0.4'
  -wpk, --wg-private-key WG_WIREGUARD_PRIVATE_KEY
        The wireguard private key. This value is required and must be stable.
        If this value changes all devices must re-register. If not defined,
        generated automatically.
  -au, --admin-username WG_ADMIN_USERNAME
        The admin account username for wg-access-server, default 'admin@vpn'
  -ap, --admin-password WG_ADMIN_PASSWORD
        The admin account password for wg-access-server.If not defined,
        generated automatically
  -pv, --port-vpn WG_WIREGUARD_PORT
        Wireguard server port (udp), for connecting VPN clients, default '51820'
  -pa, --port-admin WG_PORT
        Web interface port for administration VPN server wg-access-server (http)
        default '8000'
  -ll, --log-level WG_LOG_LEVEL
        The global log level for wg-access-server, possible values
        (trace|debug|info|error|fatal), default 'info'
  -ws, --wg-storage WG_STORAGE
        A storage backend connection string for wg-access-server,
        default 'sqlite3:///data/db.sqlite3'
  -dm, --disable-metadata
        Turn off collection of device metadata logging for wg-access-server.
        Includes last handshake time and RX/TX bytes only.
  -сf, --config-filename
        Change the name of the configuration file the user can download
        (do not include the '.conf' extension ), default 'NikaVpnClient'
  -wi, --wg-interface
        The wireguard network interface name, default 'wg0'
  -vc, --vpn-cidr WG_VPN_CIDR
        The VPN IPv4 network range. VPN clients will be assigned IP addresses
        in this range. Set to 0 to disable IPv4. Default '10.44.0.0/24'
  -vc6, --vpn-cidrv6
        The VPN IPv6 network range. VPN clients will be assigned IP addresses
        in this range. Set to 0 to disable IPv6. Defalt '0'
  -nd, --nat-disabled
        Disables NAT for IPv4 for wg-access-server
  -ne6, --nat-enable-v6
        Enable NAT for IPv6 for wg-access-server
  -ai, --allowed-ips
        Allowed IPs that clients may route through this VPN. This will be set
        in the client's WireGuard connection file and routing is also enforced
        by the server using iptables. Default '0.0.0.0/0,::/0'
  -dd, --dns-disabled
        Enable/disable the embedded DNS proxy server. This is enabled by default
        and allows VPN clients to avoid DNS leaks by sending all DNS requests to
        wg-access-server itself.
  -dn, --dns-domain WG_DNS_DOMAIN
        A domain to serve configured devices authoritatively. Queries for names
        in the format .. will be answered with the device's IP addresses.
  -eh, --external-host WG_EXTERNAL_HOST
        The external domain for the server (e.g. vpn.example.com)
  -ci, --client-isolation
        BLock or allow traffic between client devices (client isolation)
  -wf, --without_firewall
        Without installing 'firewalld' and opening ports
  -pw|--port-web-socket WSTUNEL_WS_PORT
        Port on which the websocket tunnel is open and listening. 
        Default by '443'
  -wd|--web-socket-disabled 
        Without installing and opening a websocket tunnel

Screenshots

Wireguard Access Portal

Wireguard Access Porta

Pi-hole dashboard

Pi-hole dashboard

Client side installation

Installing and configuring the client for Windows

To install and configure the client side, first download and install the Wireguard client for Windows In the Wireguard client, import the configuration file that you received earlier through the Wireguard Access Portal

After that, you can already establish a VPN connection, but it will not be obfuscated, and it can be blocked quite easily if you are in the territory of any authoritarian/totalitarian state.

In order to make your VPN tunnel very difficult to block, you need to configure traffic tunneling through websockets.

To do this, run the configuration script for the client part of tunneling through websockets. First, launch a PowerShell terminal as an administrator and run a command that will download and run the script:
(new-object net.webclient).DownloadFile('https://bit.ly/nika-vpn-install-client-windows','install.ps1'); ./install.ps1
During the execution of the script, you will be asked for the public IP address of your VPN server.

You can specify it right away when you run the script (replace the address '10.10.10.10' with the address of your server)
(new-object net.webclient).DownloadFile('https://bit.ly/nika-vpn-install-client-windows','install.ps1'); ./install.ps1 10.10.10.10

After the successful execution of the script, an instruction will be displayed with further actions.

It will be necessary through the Wireguard client interface to manually edit the VPN tunnel configuration file with the values ​​specified in the instructions.
An example VPN tunnel configuration file:

[Interface]
PrivateKey = <censored>
Address = 10.44.0.2/32
DNS = 10.44.0.1
PreUp = powershell.exe -File "c:\Users\<censored>\.wireguard\wstunnel.ps1" -PreUp
PostUp = powershell.exe -File "c:\Users\<censored>\.wireguard\wstunnel.ps1" -PostUp
PreDown = powershell.exe -File "c:\Users\<censored>\.wireguard\wstunnel.ps1" -PreDown
Table = off

[Peer]
PublicKey = <censored>
AllowedIPs = 0.0.0.0/0, ::/0, 10.44.0.1/32
Endpoint = 127.0.0.1:9999

Nika-VPN Windows Client Installer CLI Overview

You can set other parameters of the websocket tunnel configuration script.

Script for setting up the client part of tunneling via websockets for Windows

Usage:
  install-windows-client.ps1 [VpnHost] [VpnPort] [-LocalPort <port>...] [options]

Options:
  -VpnHost "<VpnHost>"
        Public IPv4 address of the VPN server, required. Can be set 
        without using the -VpnHost key if you specify its value as the 
        first parameter
  -VpnPort <VpnPort>
        Wireguard server port (udp), for connecting VPN clients. 
        Default by '51820'. Can be set without using the -VpnHost key if you 
        specify its value as the second parameter
  -TunnelPort <TunnelPort>
        Server port on which the websocket tunnel is open and listening. 
        Default by '443'
  -LocalPort <LocalPort>
        The port on the client's local machine on which the web socket tunnel is 
        open and listening. Default '9999'
  -Timeout <Timeout>
        UDP forward timeout in seconds after which the connection is closed, 
        by default -1 (no timeout)
  -VpnDns "<VpnDns>"
        Local IP address of the docker container where the PI-Hole ad blocker 
        service is deployed. By default '10.43.0.3'
  -DestanationDir "<DestanationDir>"
        Path to install additional files required to install websockets tunnel. 
        Default by '${HOME}\.wireguard'

Health check

To check the correct installation and operation of Nika-VPN, use the services:

TODO

  • Obfuscate VPN traffic with Shadowsocks or WebSocket Tunneling
  • Secure traffic via tls (https) and use ODIC authorization for Wireguard Access Server using Traefik and Authelia