Oct 27, 2019

Tinkering with Global WireGuard Deployments

Hey there 👋 I'm building CodeTrail, which helps engineering teams document and share knowledge close to the codebase with no friction. If you're still using Notion, Confluence or Google Docs to document your engineering work, give it a try and let me know what you think!

Over the last weeks and months, I've been looking into and comparing a variety of currently available solutions for building and hosting fast, cost-efficient network tunnels, mostly for benefits like a dedicated IP regardless of where I am on the globe, but also to gain some much-needed digital privacy in public places, which does sound like the classic "you should use a VPN on Starbucks' public WiFi" example. In this post, I want to focus on two topics: my journey up to this point using different VPN solutions, and a brief outlook on some plans I'm investing my time in.

During the first weeks (roughly from August onward), I was looking merely for a zero-configuration managed service and went with a standard subscription from a popular provider. That worked out completely fine but didn't meet my requirement of single-tenancy, which is no surprise: the whole reason for using those services is that third parties can't identify you, because you sit behind an extra network layer together with lots of other people sharing the same IP address, with multiple servers in each region for the sake of scalability.

A few weeks in, still lacking a dedicated IP, I started checking out the VPN software and projects currently available for self-hosting. A dedicated IP was worth enough to me to give up the "obscurity"-based privacy you get with multi-tenant VPN services, and I quickly decided to go with WireGuard.

Just to be clear up front: if you're only interested in using a VPN for daily tasks like media consumption (you're definitely not alone in this regard) and the simple privacy gain of an encrypted tunnel in insecure environments, all of which is absolutely fine and great, you should probably go with one of the leading VPN-as-a-service offers out there. Self-hosting will most likely eliminate a lot of the benefits you'd otherwise get when it comes to hiding not just your origin but your identity: the services you're using might just guess that it's still you, only on a different IP, so there are no big wins there.

What's more, hosting your own VPN instance comes with a lot of trial and error until you've got everything right. If you want to access restricted services, most streaming providers and other places on the internet have measures in place that cover the basics, like checking whether your origin is a data center or a common VPN IP and blocking those, so running your WireGuard instance on a $5 droplet on DigitalOcean to access your favorite series (which would also make it possible to bypass region-based content restrictions) won't always work.

Up next, I'll continue with a brief note on my decision to move forward with WireGuard and my experience throughout this process, followed by the obstacles I encountered along the way.

Going with WireGuard

Not only was WireGuard extremely straightforward to configure once I had figured out the prerequisites, it has performed above all expectations, with blazing-fast throughput while keeping a low resource footprint. That's mostly due to its architectural decision not to run in user space and copy packets into and out of kernel space, as OpenVPN does for example, but to run directly in the kernel as a virtual network interface.

For the actual experience of configuring things on the end-user device, I generated all client configurations while creating the deployment and used the official macOS and iOS apps from the App Store, which let you add a client configuration as a file, as a QR code, or by hand. Everything from there was adjusting the config until everything worked, for example using a different DNS server (1.1.1.1 in my case) and some other customizations.
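As an added example (not code from the original post), here is how I would render the kind of client configuration described above and sanity-check it for the two settings that matter most in a full-tunnel setup: an AllowedIPs list that covers both address families, and an explicit DNS server (1.1.1.1, as in the post) so name lookups don't keep going to the local network's resolver. The keys, endpoint and tunnel address are constructed placeholders; real keys come from `wg genkey` and `wg pubkey`.

```python
"""Render a WireGuard client config and check it for a full-tunnel setup.

Added example; the key, endpoint and address values are constructed placeholders.
"""
import configparser
import ipaddress

# Constructed placeholders: generate real keys with `wg genkey` / `wg pubkey`.
CLIENT_PRIVATE_KEY = "<client-private-key>"
SERVER_PUBLIC_KEY = "<server-public-key>"
SERVER_ENDPOINT = "203.0.113.10:51820"   # TEST-NET-3 documentation address
CLIENT_ADDRESS = "10.8.0.2/32"           # constructed tunnel address


def render_client_config(private_key, address, peer_public_key, endpoint,
                         allowed_ips=("0.0.0.0/0", "::/0"), dns=("1.1.1.1",),
                         keepalive=25):
    """Build the text of a [Interface]/[Peer] client config.

    The defaults produce a full tunnel (all IPv4 and IPv6 traffic) that uses
    the given DNS server and keeps a NAT mapping alive with periodic packets.
    """
    lines = ["[Interface]", f"PrivateKey = {private_key}", f"Address = {address}"]
    if dns:
        lines.append("DNS = " + ", ".join(dns))
    lines += ["", "[Peer]", f"PublicKey = {peer_public_key}",
              f"Endpoint = {endpoint}", "AllowedIPs = " + ", ".join(allowed_ips)]
    if keepalive:
        lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines) + "\n"


def check_client_config(text):
    """Return a list of findings for a config that is meant to be a full tunnel.

    An empty list means the config routes everything through the tunnel and
    names an explicit resolver. configparser is used with strict=False because
    WireGuard allows a key such as AllowedIPs to repeat within a section.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    if not cp.has_section("Interface") or not cp.has_section("Peer"):
        return ["config needs both an [Interface] and a [Peer] section"]
    iface, peer = cp["Interface"], cp["Peer"]
    for key in ("PrivateKey", "Address"):
        if key not in iface:
            findings.append(f"[Interface] is missing {key}")
    for key in ("PublicKey", "Endpoint", "AllowedIPs"):
        if key not in peer:
            findings.append(f"[Peer] is missing {key}")
    # Anything outside AllowedIPs is routed around the tunnel (split tunnel).
    allowed = {ipaddress.ip_network(n.strip(), strict=False)
               for n in peer.get("AllowedIPs", "").split(",") if n.strip()}
    for default in (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")):
        if default not in allowed:
            findings.append(f"AllowedIPs does not include {default}: "
                            "that address family bypasses the tunnel")
    if "DNS" not in iface:
        findings.append("no DNS set: name lookups still go to the local "
                        "network's resolver")
    if "PersistentKeepalive" not in peer:
        findings.append("no PersistentKeepalive: a client behind NAT may lose "
                        "its mapping while idle")
    return findings


if __name__ == "__main__":
    cfg = render_client_config(CLIENT_PRIVATE_KEY, CLIENT_ADDRESS,
                               SERVER_PUBLIC_KEY, SERVER_ENDPOINT)
    print(cfg)
    print("findings:", check_client_config(cfg) or "none")
```

Dropping the `DNS` line or narrowing `AllowedIPs` to a single subnet turns the same config into a split tunnel with leaking name lookups, and the checker reports exactly which of the two is missing.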

Data centers, ASNs, CIDRs, etc.

When I first successfully connected to my shiny new WireGuard instance, I thought "that's it, I just set up a personal VPN for less than a large coffee a month, why doesn't everybody do this?", and very soon I found out the reasons first-hand. My first roadblock came up when trying to access a popular streaming site for some shows: it instantly detected that I was, in fact, using a VPN. I had heard that these things happen in some cases, but seeing my perfect little proxy box fail at the first step was a real bummer.

It turns out those VPN detection tools aren't very smart, though: the provider most likely just blocked a range of IPs belonging to known VPN services or to the cloud providers used to host them. In some extreme cases, sites block entire ASNs, which means there's no way to connect without switching the region of your hosted instance or even switching providers altogether.
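To make the difference between range-based and ASN-based blocking concrete, here is an added example (not from the post) of the classifier that a site's "VPN detection" effectively runs: a fine-grained list of known VPN exit ranges is checked first, then the announcing ASN of the address is looked up and compared against a coarse list of blocked networks. The prefix table, AS numbers and block lists are constructed from documentation ranges and documentation ASNs; real data would come from a routing or whois feed.

```python
"""Classify a client address the way a coarse VPN blocklist does.

Added example. PREFIX_TABLE, BLOCKED_PREFIXES and BLOCKED_ASNS are constructed
from documentation ranges (RFC 5737) and documentation ASNs (RFC 5398).
"""
import ipaddress

# Constructed sample of "who announces this prefix": (prefix, ASN, owner).
PREFIX_TABLE = [
    ("198.51.100.0/24", 64500, "example-cloud"),        # TEST-NET-2
    ("203.0.113.0/24", 64501, "example-vpn-service"),   # TEST-NET-3
    ("192.0.2.0/24", 64502, "example-isp"),             # TEST-NET-1
]

# Fine-grained rule: specific ranges known to be VPN exits.
BLOCKED_PREFIXES = [ipaddress.ip_network("203.0.113.0/25")]
# Coarse rule: every address announced by these ASNs, e.g. a whole cloud provider.
BLOCKED_ASNS = {64500}


def lookup(ip):
    """Longest-prefix match of ip against PREFIX_TABLE.

    Returns (network, asn, owner) or None when no prefix covers the address.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn, owner in PREFIX_TABLE:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, owner)
    return best


def classify(ip):
    """Return (verdict, reason) where verdict is one of
    'blocked-prefix', 'blocked-asn' or 'allowed'."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCKED_PREFIXES:
        if addr in net:
            return "blocked-prefix", f"{ip} is inside listed range {net}"
    hit = lookup(ip)
    if hit and hit[1] in BLOCKED_ASNS:
        net, asn, owner = hit
        return "blocked-asn", (f"{ip} is announced by AS{asn} ({owner}), "
                               "which is blocked wholesale")
    return "allowed", f"{ip} matched no block rule"


if __name__ == "__main__":
    # Constructed sample addresses covering all three outcomes.
    for sample in ("203.0.113.5", "203.0.113.200", "198.51.100.77", "192.0.2.1"):
        verdict, reason = classify(sample)
        print(f"{sample:15} {verdict:15} {reason}")
```

The two "allowed" cases show why moving to a different address in the same provider sometimes helps against a range-based list, while an address announced by a blocked ASN stays blocked no matter which instance it belongs to, which is the case where only changing region or provider makes a difference.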

After trying the biggest public clouds, including DigitalOcean, Google Cloud and AWS, I found that depending on the use case each cloud offers its own advantages and its own set of blockers, including vendor-specific limitations when it comes to networking. This process also requires thinking about the costs of network traffic going through your instance, which sometimes makes it a bit more chaotic than using a VPN should be. In the long run, a managed VPN will definitely save your wallet's contents, especially if you're planning to set up multiple instances or even multiple regions for your deployment.

Usage and global deployments

I set up, used and tore down probably ten to twenty deployments on different machines and cloud providers in different regions, most notably while traveling to the United States last week. And although the seemingly cool airplane network connection didn't work out, I had some time to look into the ins and outs not only of using a classic VPN-as-a-service but also of networking basics (how the internet works (tm)) and a lot of really interesting technologies. So for everyone out there interested in delving into this topic, I can highly recommend just tinkering around with these things, especially when it's for something as useful as self-hosting your VPN.

So What Now?

While writing the content above, my mind drifted through a plethora of related topics, so I'll definitely add more thoughts on this and write up more posts about my experience along the way, including potential projects and my learnings so far.

Thanks for reading this post 🙌

Bruno Scheufler

At the intersection of software engineering and management.
