Overview

WireGuard is the most elegant and popular VPN solution within the tech community, and for good reason. It has very little network overhead, minimal CPU usage, and strong encryption. This is coupled with a relatively tiny codebase compared to heavier protocols such as OpenVPN or IPsec, which makes WireGuard highly performant.

WireGuard uses a peer-based (as opposed to client-server) architecture, so a “tunnel” in the traditional sense isn’t created; rather, packets are encapsulated on the fly.

nextdns is the “first cloud-based private DNS service that gives you full control over what is allowed and what is blocked on the Internet”, according to their website.

In a nutshell, nextdns provides a DNS service that:

  • blocks ads, malware, and trackers via dozens of selectable lists
  • encrypts DNS queries with DNS-over-HTTPS (DoH) support
  • provides analytics, stats, and disabling of logs
  • resolves private IPs (and custom domains) via rewrites
  • has user-configurable whitelist/blacklist filtering
  • supports multiple DNS profiles in a single account

Set up WireGuard

WireGuard has official clients for Linux, Windows, macOS, Android, and iOS. The WireGuard server can be set up on a $5 DigitalOcean droplet (Ubuntu 18.04 LTS recommended).

First, do some housekeeping by updating packages and repositories. I personally use the following command to achieve this:

apt-get update && apt-get upgrade -y; apt-get install curl gnupg zip unzip apt-transport-https dnsutils -y; dpkg-reconfigure tzdata

Once updating is done, we can install WireGuard. For this guide I’ll be using a “road warrior” script to set up WireGuard on a VPS, which is easier and faster than a manual installation. You can find the script at the URL used in the command below if you need to take a look.

The following command will pull and execute the install script:

cd /opt;wget https://raw.githubusercontent.com/oedmarap/wg-install/master/wg-install.sh -O wg.sh;chmod +x wg.sh;bash wg.sh

Below are some screenshots of the prompts that the script produces, confirming the IP address (you can use a floating IP instead), setting preferred DNS servers (Cloudflare is recommended as the fallback here), and also confirmation of the IPv4/IPv6 routes:

Once the installation is complete, you’ll be shown a QR code representing the default WireGuard configuration that was generated. This is meant to be scanned easily in the WireGuard mobile app on Android/iOS; the actual .conf file is stored in the home directory. You can use this configuration, or delete it and create new configurations with more logical names to your liking.

But first, reboot the server to apply all changes.

Once you’ve rebooted, SSH back into the server and run the script again (command is bash /opt/wg.sh) to create a new WireGuard configuration. An example of the process is below:

You can generate as many WireGuard .conf files as you like. I personally have separate ones for my phone, Windows machine, Linux laptop, etc.

If you’re using Windows/Linux/macOS you can simply copy the contents of the .conf file that you created and save it locally for the native WireGuard application to consume. If you’re using the official WireGuard apps on Android/iOS then the QR code displayed comes in very handy when adding a profile (after which you can edit the DNS of the configuration from within the app).

Lastly, make a note of the Endpoint’s port under the [Peer] section.

[Peer]
PublicKey = XXxxXXxxXXXXxxXXxxXXXXxxXXxxXXXXxxXXxxXX
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 67.205.176.90:62623 <<<< this mofo right here
PersistentKeepalive = 25

This port is chosen at random by the script (in this example, port 62623), and you’ll need to allow inbound UDP connections on that port in your server’s firewall. I recommend doing this both in DigitalOcean via their droplet firewall config, and also using ufw locally on the server (in case DO has an infrastructure failure).

For reference, the ufw commands are:

ufw allow 62623/udp
ufw allow ssh
ufw enable
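The steps above (read the port off the Endpoint line, then open it with ufw alongside SSH) can be scripted so the port is never copied by hand. The following is an added example, not part of the original post or of the wg-install script; it assumes the standard "Endpoint = host:port" form and uses a constructed sample .conf that mirrors the [Peer] block shown above.

```shell
#!/bin/sh
# Added example (not from the original post or the wg-install script):
# read the UDP port from the Endpoint line of a WireGuard client .conf and
# print (or, with --apply, run) the ufw rules the post recommends for it.
# Assumption: the .conf uses the standard "Endpoint = host:port" form.

# Print the port number from the first Endpoint line of the given .conf file.
# Anything after the first whitespace (trailing notes) is ignored, and the
# text after the last ':' is taken as the port, which also handles [IPv6]:port.
wg_endpoint_port() {
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" \
        | sed 's/[[:space:]].*$//' \
        | sed 's/.*:\([0-9]*\)$/\1/' \
        | head -n 1
}

# Return 0 if the argument is a valid port number (1-65535).
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ufw commands for the conf's endpoint port.
# Pass --apply as the second argument to actually run them (needs root).
ufw_rules_for_conf() {
    port=$(wg_endpoint_port "$1")
    if ! is_valid_port "$port"; then
        echo "no valid Endpoint port found in $1" >&2
        return 1
    fi
    # ssh is allowed first so enabling the firewall cannot lock the session out;
    # "ufw enable" asks for confirmation when run interactively
    for cmd in "ufw allow ssh" "ufw allow ${port}/udp" "ufw enable"; do
        if [ "$2" = "--apply" ]; then $cmd; else echo "$cmd"; fi
    done
}

# Constructed sample client config for the demonstration (same shape as the
# one produced by the script; keys are placeholders).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[Interface]
PrivateKey = XXxxXXxxXXXXxxXXxxXXXXxxXXxxXXXXxxXXxxXX
Address = 10.9.0.5/24
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = XXxxXXxxXXXXxxXXxxXXXXxxXXxxXXXXxxXXxxXX
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 67.205.176.90:62623
PersistentKeepalive = 25
EOF

# Dry run: print the rules instead of applying them.
ufw_rules_for_conf "$SAMPLE_CONF"
```

Run it without arguments to see the three ufw commands for the sample; on the real server, point it at the generated .conf and add --apply as root. A conf whose Endpoint has no numeric port makes the function return non-zero instead of emitting a broken rule.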

Set up nextdns

First, ensure you’re connected to the WireGuard VPN tunnel. This is important since nextdns will bind a configuration to an IP address, effectively handling (and filtering) all DNS traffic that arrives from the WireGuard server’s IP.

Once you’re connected to WireGuard, head over to www.nextdns.io and create a free account.

After logging in you’ll be in the Setup tab. You’ll notice that “Currently Linked IP” is shown as the IP of the VPN server which represents the IP address that will be associated with your configuration. Nextdns will provide the DNS IP addresses for you to use, as well as instructions for advanced configurations and devices.

Below is an example of what this page looks like, with a green check mark indicating my VPN’s address (redacted) under the “Linked IP” section:

Please note that you don’t need to configure any other interface on your local machine to use these addresses, as the adblocking will only work if you’re connected to the VPN.

Thus all that’s needed at this point is to configure the WireGuard clients to use the provided nextdns IP addresses as the DNS. To do this, edit the WireGuard .conf file under the [Interface] section and replace Cloudflare’s IP addresses with those provided by nextdns. For example:

[Interface]
PrivateKey = XXxxXXxxXXXXxxXXxxXXXXxxXXxxXXXXxxXXxxXX
Address = 10.9.0.5/24
DNS = 45.90.28.133, 45.90.30.133 <<<< these mofos right here
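Since every client .conf needs the same edit, the DNS swap can be scripted and then checked, so that no profile is left pointing at Cloudflare (which would send its queries past the nextdns filter). The following is an added example, not part of the original post; it uses the nextdns addresses quoted above and a constructed sample .conf.

```shell
#!/bin/sh
# Added example (not from the original post): replace the resolvers in the
# [Interface] section of a WireGuard client .conf with the nextdns ones and
# confirm that no other resolver remains. The nextdns addresses are the two
# quoted in the post; the sample .conf below is constructed for the demo.

NEXTDNS_SERVERS="45.90.28.133, 45.90.30.133"

# Print the value of the DNS line inside [Interface] (empty if there is none).
wg_dns_servers() {
    awk '
        /^[[:space:]]*\[/ { section = $0 }          # track the current section
        section ~ /^\[Interface\]/ && /^[[:space:]]*DNS[[:space:]]*=/ {
            sub(/^[[:space:]]*DNS[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]*#.*$/, "")              # drop a trailing comment
            print; exit
        }
    ' "$1"
}

# Replace the DNS line in [Interface] with $2, adding one if it is missing.
# Written via a temp file so it works with any sed/awk, not just GNU.
set_wg_dns() {
    conf=$1; servers=$2
    tmp=$(mktemp)
    awk -v servers="$servers" '
        /^[[:space:]]*\[/ { section = $0 }
        section ~ /^\[Interface\]/ && /^[[:space:]]*DNS[[:space:]]*=/ {
            if (!done) { print "DNS = " servers; done = 1 }   # replace first DNS line
            next                                               # drop any duplicates
        }
        /^[[:space:]]*\[Peer\]/ && !done {
            print "DNS = " servers; print ""; done = 1        # add before [Peer]
        }
        { print }
        END { if (!done) print "DNS = " servers }             # conf without [Peer]
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Return 0 only if every resolver on the DNS line is one of the expected ones.
wg_dns_only_uses() {
    conf=$1; expected=$2
    actual=$(wg_dns_servers "$conf")
    [ -n "$actual" ] || { echo "no DNS line in $conf" >&2; return 1; }
    for ip in $(printf '%s' "$actual" | tr ',' ' '); do
        case ", $expected," in
            *", $ip,"*) ;;                                   # listed: fine
            *) echo "unexpected resolver in $conf: $ip" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample client config, still pointing at Cloudflare as the
# script leaves it (keys are placeholders).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[Interface]
PrivateKey = XXxxXXxxXXXXxxXXxxXXXXxxXXxxXXXXxxXXxxXX
Address = 10.9.0.5/24
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = XXxxXXxxXXXXxxXXxxXXXXxxXXxxXXXXxxXXxxXX
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 67.205.176.90:62623
PersistentKeepalive = 25
EOF

echo "before: $(wg_dns_servers "$SAMPLE_CONF")"
set_wg_dns "$SAMPLE_CONF" "$NEXTDNS_SERVERS"
echo "after:  $(wg_dns_servers "$SAMPLE_CONF")"
wg_dns_only_uses "$SAMPLE_CONF" "$NEXTDNS_SERVERS" && echo "client resolves only via nextdns"
```

Run the check on every .conf you hand out (phone, laptop, and so on): a profile that still lists 1.1.1.1 fails the check and is reported on stderr, and a profile with no DNS line at all gets one added rather than silently inheriting the host's resolver.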

Now, all traffic that uses the VPN server’s IP address as its egress point (i.e. all tunneled traffic) will benefit from the adblocking settings you’ve configured within nextdns. This has a few benefits, such as:

  • simplifying adblocking across all devices via a single IP address and ruleset
  • reducing computing needs for adblocking by making CPU-heavy browser addons redundant
  • enabling faster browsing, since adblocking rulesets aren’t processed in-browser in parallel with page rendering
  • enabling zero configuration since any device that connects to the VPN will automatically have adblocking enabled

Now’s a good time to remove uBlock Origin and the like from your browser. Browser adblocking plugins have a far smaller blocklist and a much higher CPU overhead than DNS-based adblocking solutions (coupled in this case with the security and privacy of a VPN).

As an aside, below are some screenshots of nextdns showing the kinds of configurable options they offer:


Resources