Wireguard

WireGuard is a quick and dirty VPN: easy to set up and available on most platforms, but not as robust or mature as OpenVPN.

Generate a key pair (repeat on each client; the umask keeps the private key readable by root only):

cd /etc/wireguard/
umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Enable IP forwarding in /etc/sysctl.conf so the server can route traffic between peers and the network:

net.ipv4.ip_forward = 1

Reload the settings:

sysctl -p

Create /etc/wireguard/wg0.conf:

[Interface]
Address = 192.168.9.1/24
# wg-quick writes the running configuration back to this file on shutdown
SaveConfig = true
# %i is replaced by the interface name (wg0); eth0 is the upstream interface, change it to match the server
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = YOUR_SERVER_PRIVATE_KEY

# one [Peer] block per client; AllowedIPs is the client's tunnel address, and
# WireGuard drops packets from that peer carrying any other source address
[Peer]
PublicKey = YOUR_CLIENT_PUBLIC_KEY
AllowedIPs = 192.168.9.2/32
[Peer]
PublicKey = OTHER_CLIENT_PUBLIC_KEY
AllowedIPs = ...
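The server config above leans on two invariants that are easy to break by hand-editing: every [Peer] owns exactly one /32 tunnel address (a wider range, 0.0.0.0/0 in particular, would route that whole range into the peer), no address is claimed by two peers, and the placeholder keys have been replaced with real 44-character base64 keys. The following is an added example, not code from the original page, of a lint run before wg-quick up. It assumes POSIX sh and awk, uses ls to read the file mode, and the two configs it checks are constructed inline with placeholder keys.

```shell
#!/bin/sh
# Added example, not from the original page: lint a server-side wg0.conf before
# `wg-quick up`. Each [Peer] should own a single /32 tunnel address (cryptokey
# routing sends packets for that address to the peer and accepts packets from
# the peer only with that source address), one address belongs to one peer,
# and keys are 44-character base64. Sample configs are constructed below.

check_wg_conf() {
  awk '
    function looks_like_key(k) { return (length(k) == 44 && k ~ /^[A-Za-z0-9+\/]+=$/) }
    /^[ \t]*\[/ { section = $1; if (section == "[Peer]") npeer++; next }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (section == "[Interface]" && key == "PrivateKey" && !looks_like_key(val)) {
        print "Interface: PrivateKey does not look like a WireGuard key (placeholder left in?)"; bad++
      }
      if (section != "[Peer]") next
      if (key == "PublicKey") {
        if (!looks_like_key(val)) { printf "peer %d: PublicKey does not look like a WireGuard key\n", npeer; bad++ }
        if (val in seenkey) { printf "peer %d: PublicKey already used by peer %d\n", npeer, seenkey[val]; bad++ }
        seenkey[val] = npeer
      }
      if (key == "AllowedIPs") {
        n = split(val, cidr, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
          if (cidr[i] !~ /\/32$/) { printf "peer %d: AllowedIPs %s is not a single /32 host route; this range would be routed into that peer\n", npeer, cidr[i]; bad++ }
          if (cidr[i] in seenip) { printf "peer %d: AllowedIPs %s already claimed by peer %d\n", npeer, cidr[i], seenip[cidr[i]]; bad++ }
          seenip[cidr[i]] = npeer
        }
      }
    }
    END {
      if (npeer == 0) { print "no [Peer] sections"; bad++ }
      if (bad) { printf "%d problem(s) in %s\n", bad, FILENAME; exit 1 }
      print "ok"
    }' "$1"
}

# The file holds the private key, so it must be readable by its owner only.
check_conf_mode() {
  perms=$(ls -ld "$1" | cut -c5-10)      # group and other permission bits
  [ "$perms" = "------" ] && return 0
  echo "$1 is readable by others (bits '$perms'); write it with umask 077"
  return 1
}

umask 077
# Constructed config with three mistakes: placeholder PrivateKey, an address
# claimed by two peers, and a 0.0.0.0/0 range on a peer.
WG_SAMPLE=$(mktemp)
cat > "$WG_SAMPLE" <<'EOF'
[Interface]
Address = 192.168.9.1/24
ListenPort = 51820
PrivateKey = YOUR_SERVER_PRIVATE_KEY
[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 192.168.9.2/32
[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 192.168.9.2/32, 0.0.0.0/0
EOF

# Constructed config that passes (keys are syntactically valid placeholders).
WG_GOOD=$(mktemp)
cat > "$WG_GOOD" <<'EOF'
[Interface]
PrivateKey = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 192.168.9.2/32
EOF

check_conf_mode "$WG_SAMPLE"
check_wg_conf "$WG_SAMPLE"      # lists the problems and returns 1
check_wg_conf "$WG_GOOD"        # prints ok
# On a real server: check_conf_mode /etc/wireguard/wg0.conf && check_wg_conf /etc/wireguard/wg0.conf
```

Run it against /etc/wireguard/wg0.conf before every wg-quick up; a non-zero exit means a peer could receive traffic for addresses it should not own, or the key material is not what you think it is.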

Bring the interface up from the config and check it (wg-quick creates wg0, assigns the Address and runs PostUp; a bare ip link command fails because wg0 does not exist until it is created):

wg-quick up wg0
wg show wg0
ip a show wg0

On the server, to restrict clients to the local network only (no internet or other peers via the server), add these to [Interface] alongside the PostUp/PostDown lines above (wg-quick accepts multiple entries). -I inserts at the head of the FORWARD chain, so the ACCEPT for 192.168.1.0/24 ends up before the catch-all DROP:

PostUp = iptables -I FORWARD -i %i -d 0.0.0.0/0 -j DROP && iptables -I FORWARD -i %i -d 192.168.1.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -d 0.0.0.0/0 -j DROP && iptables -D FORWARD -i %i -d 192.168.1.0/24 -j ACCEPT
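The restriction only works because the ACCEPT for the LAN sits above the DROP; write the same two rules with -A, or run them in the other order, and the DROP shadows the ACCEPT. The following is an added example, not code from the original page, of a check that reads the output of iptables -S FORWARD and confirms the order for a given interface and LAN. It assumes POSIX sh and awk; the two chain listings are constructed inline (iptables -S prints a -d 0.0.0.0/0 match as no -d at all, which the check allows for).

```shell
#!/bin/sh
# Added example, not from the original page: verify that the LAN-only rules
# landed in the right order in the FORWARD chain. Feed it `iptables -S FORWARD`
# on stdin; it returns 0 only when the ACCEPT for the LAN sits above the
# catch-all DROP for the WireGuard interface. Constructed listings are embedded
# so the check runs offline.

check_forward_order() {
  # $1 = WireGuard interface name, $2 = LAN CIDR; rules on stdin
  awk -v ifc="$1" -v lan="$2" '
    $1 == "-A" && $2 == "FORWARD" {
      n++
      on_iface = (index($0, "-i " ifc " ") > 0)
      if (on_iface && index($0, "-d " lan " ") > 0 && $0 ~ /-j ACCEPT$/ && !acc) acc = n
      # iptables -S omits "-d 0.0.0.0/0"; accept either spelling of the catch-all
      if (on_iface && $0 ~ /-j DROP$/ && ($0 !~ /-d / || $0 ~ /-d 0\.0\.0\.0\/0 /) && !drp) drp = n
    }
    END {
      if (!acc) { print "missing: ACCEPT for " lan " on " ifc; exit 1 }
      if (!drp) { print "missing: catch-all DROP on " ifc; exit 1 }
      if (acc < drp) { print "ok: LAN ACCEPT is rule " acc ", DROP is rule " drp; exit 0 }
      print "WRONG ORDER: DROP (rule " drp ") shadows the LAN ACCEPT (rule " acc ")"; exit 1
    }'
}

# Constructed: what `iptables -S FORWARD` shows after the PostUp lines on the
# page run (the -A ACCEPT from the NAT setup, then the two -I inserts on top).
GOOD_CHAIN='-P FORWARD ACCEPT
-A FORWARD -i wg0 -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -i wg0 -j DROP
-A FORWARD -i wg0 -j ACCEPT'

# Constructed: the same rules appended with -A instead of inserted with -I.
BAD_CHAIN='-P FORWARD ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -i wg0 -j DROP
-A FORWARD -i wg0 -d 192.168.1.0/24 -j ACCEPT'

printf '%s\n' "$GOOD_CHAIN" | check_forward_order wg0 192.168.1.0/24   # ok
printf '%s\n' "$BAD_CHAIN" | check_forward_order wg0 192.168.1.0/24    # WRONG ORDER
# On a live server: iptables -S FORWARD | check_forward_order wg0 192.168.1.0/24
```

Note that in the appended variant the first rule already accepts everything from wg0, so the restriction never takes effect at all; checking the live chain after wg-quick up is the only way to be sure which rules actually apply.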

 
