mainly using debian linux machines. on a clean install, first ‘su’ into the root account and run ‘apt install sudo -y’. from there we must add the user we created during the install process to the sudo group. command: ‘sudo usermod -aG sudo username’.
this preps the machine for removing root login over ssh and using a low-privileged user instead. now for the pivpn part: i have this service deployed in a debian lxc container. the install was very easy and i followed jeff geerling’s video. there will be port forwarding, so make sure that your router supports it and that you have a public ip address. you can go to ‘icanhazip.com’ and it will show the address you reach the internet from, which tells you whether you have a public ip address or not.
this is mainly to document how to configure wireguard hosts, since i was able to set it up on a debian machine beforehand but forgot to document the steps. so first things first, we have to create a new client in pivpn using this command:
sudo pivpn -a
this will prompt you to type in a name for the configuration file. copy the contents of this file and save it for later. now you can install wireguard on the server or device that you want to connect. if you are using a phone, you can generate a qr code from pivpn and scan that; the command is ‘sudo pivpn -qr’, then enter which configuration to show. otherwise, if you are using the windows app, you can import the .conf file and it will populate the configuration.
but this is for debian/linux systems, so ensure that wireguard is installed with ‘sudo apt install wireguard -y’. next you want to install ‘resolvconf’ if it is not already installed; this ensures that the dns servers from the config are applied. to do this, use this command:
sudo apt install resolvconf -y && sudo reboot
now from here you can copy the configuration file to the server however you like. in my case i created a new .conf file in the wireguard directory (/etc/wireguard) and named it ‘wg0.conf’. use this command to apply the configuration:
sudo wg-quick up wg0
this command automates creating the wg0 interface and applying the configuration to that wireguard interface for you. it also uses resolvconf to update the machine’s name servers to match the ones in wg0.conf. be sure to have resolvconf installed, since without it wg-quick will not be able to configure dns properly. a reboot after installing the package is required, which is why i included it.
after running this wg-quick command, check your ip addresses with ‘ip a’. look for the wg0 interface that was created, then run ‘curl icanhazip.com’. if curl is not installed, do this:
sudo apt install curl -y
this should return the public ip address that your pivpn server is hosted behind. i believe i made this process easy for myself since i have a debian machine running a desktop environment. by editing the sudoers file, you can specify which commands can be run through sudo without a password prompt. use these commands:
sudo visudo
*scroll to the bottom*
username ALL=(ALL) NOPASSWD: /usr/bin/wg-quick up wg0
username ALL=(ALL) NOPASSWD: /usr/bin/wg-quick down wg0
i allow these specific commands because i use them in shell scripts, which can then be attached to a basic launcher. the idea is one shell script for each command, starting and stopping the wg0 interface. so do this:
nano startwg0.sh
sudo wg-quick up wg0
ctrl-x then press y
nano stopwg0.sh
sudo wg-quick down wg0
ctrl-x then press y
these scripts will then be attached to a launcher created on the desktop. note that i put these script files in a folder in my non-root user’s home directory. from there you can create a launcher, either through the gui or the command line.
nano start-wg0.desktop
[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
Name[en_US]=wg0
Exec=/home/user/wg-folder/startwg0.sh
Name=start-wg0
ctrl-x then press y
this essentially creates a desktop app that links to the shell script; when double-clicked, it runs the ‘wg-quick up wg0’ command. this makes it easier to turn on the wireguard vpn through a gui instead of opening a new terminal window and typing. you can make this fancier and add an icon (a jpg file, for example) so it appears as a ‘normal’ app.
now if you are looking for a split tunneling configuration, look no further than tweaking the client side configuration a bit. the idea is to split the tunneled traffic on the client side, meaning that if i wanted my cloud server to access my home network while keeping its public services available, this would work.
in my case, i want my cloud server tunneled to my home network so that i can run sync tasks and back up my minecraft server .zip files. by default, the client routes all traffic through the wireguard vpn, which is a no-no since i still want my minecraft server and other web services available on the cloud server’s public ip address. the way to do it is to restrict the client side configuration: where it says ‘AllowedIPs’, change this to the subnet(s) you need the client to access, in cidr notation.
so if you only need vpn access to your cloud server’s local network for management, adding the pivpn network would suffice. ensure that when you access your cloud server through the vpn, you are accessing it through wg0’s ip address and from your pivpn server.
if your cloud server needs more access, you can specify certain ip addresses with a /32, or optionally just allow your home network’s local ip range. then, from the home network side, you would have to create new routing rules in your router if you want to reach the vpn network from hosts other than the pivpn server.
this configuration can be confirmed by running ‘ip route show’.
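as an added example (not from the original post), here is a small posix shell script that shows a full-tunnel client config next to its split-tunnel variant, pulls the prefixes out of the AllowedIPs line, and checks a constructed ‘ip route show’ output for the routes wg-quick should have installed. the keys, addresses, endpoint and route lines are placeholders i made up.

```shell
#!/bin/sh
# added example, not from the original post: all keys, addresses and route
# lines below are constructed placeholders.
# full tunnel: AllowedIPs holds the default routes, so every packet uses wg0.
FULL_TUNNEL_CONF='[Interface]
PrivateKey = <client-private-key>
Address = 10.209.173.2/24
DNS = 10.209.173.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25'

# split tunnel: only the pivpn subnet and the home lan go through wg0, so the
# cloud server's public services stay reachable on its own address.
SPLIT_TUNNEL_CONF=$(printf '%s\n' "$FULL_TUNNEL_CONF" |
  sed 's|^AllowedIPs = .*|AllowedIPs = 10.209.173.0/24, 192.168.1.0/24|')

# constructed "ip route show" output after wg-quick up with the split config.
ROUTES_UP='default via 203.0.113.1 dev eth0
10.209.173.0/24 dev wg0 scope link
192.168.1.0/24 dev wg0 scope link
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10'

# allowed_ips CONF: print each prefix of the [Peer] AllowedIPs line, one per line.
allowed_ips() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' |
    tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# tunnel_mode CONF: "full" when a default route (0.0.0.0/0 or ::/0) is allowed, else "split".
tunnel_mode() {
  if allowed_ips "$1" | grep -qxF -e '0.0.0.0/0' -e '::/0'; then echo full; else echo split; fi
}

# check_routes CONF ROUTES: succeed only if every non-default allowed prefix appears
# in ROUTES as a route over wg0. default routes are skipped because wg-quick installs
# those through a separate policy-routing table, not the main table.
check_routes() {
  allowed_ips "$1" | grep -vxF -e '0.0.0.0/0' -e '::/0' | while read -r cidr; do
    printf '%s\n' "$2" | grep -qF "$cidr dev wg0" || exit 1
  done
}

echo "full config:  $(tunnel_mode "$FULL_TUNNEL_CONF")"
echo "split config: $(tunnel_mode "$SPLIT_TUNNEL_CONF")"
check_routes "$SPLIT_TUNNEL_CONF" "$ROUTES_UP" && echo "split-tunnel routes are present"
```

on a real client, replace ROUTES_UP with the live output of ‘ip route show’ to confirm the prefixes from AllowedIPs actually landed on wg0.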