
VPNs Explained -- Setup & Security Configuration

DodaTech Updated 2026-06-23 7 min read

This tutorial explains how VPNs work and how to configure them, covering key concepts, practical examples, and best practices.

A VPN creates an encrypted tunnel between your device and a remote server, masking your IP address and protecting traffic from interception on untrusted networks like public Wi-Fi.

What You'll Learn

You will learn to configure WireGuard and OpenVPN clients, set up a kill switch, prevent DNS leaks, implement split tunneling, and audit your VPN for leaks.

Why It Matters

46% of public Wi-Fi hotspots lack basic encryption. Without a VPN, credentials, cookies, and personal data travel in plain text that anyone on the same network can capture using tools like Wireshark.

Real-World Use

A remote worker connects from a coffee shop Wi-Fi. Their VPN encrypts all traffic, so the coffee shop owner running a packet sniffer sees only encrypted blobs instead of banking session cookies and API tokens.

How VPN Tunneling Works

flowchart LR
    A[Your Device] --> B[VPN Client]
    B --> C[Encrypted Tunnel]
    C --> D[VPN Server]
    D --> E[Internet]
    B --> F[Kill Switch]
    F -->|Tunnel Drops| G[Block All Traffic]
    style F fill:#f96,stroke:#333
    style G fill:#f96,stroke:#333

How it works: The device creates an encrypted tunnel to the VPN server. All traffic passes through this tunnel. A kill switch monitors the tunnel and blocks all network traffic if the connection drops, preventing data leaks.

WireGuard Configuration

WireGuard is a modern VPN protocol that uses Curve25519 for key exchange and ChaCha20-Poly1305 for authenticated encryption.

# Install WireGuard on Ubuntu/Debian
sudo apt update
sudo apt install wireguard

# Generate private and public keys
wg genkey | tee private.key | wg pubkey > public.key
chmod 600 private.key

# Expected output: no errors, two files created
# private.key contains: gJ5nF6c0Q8pL3mX1rV7b...
# public.key contains: fE2kR9tW4yU6i...

# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/24
DNS = 1.1.1.1, 9.9.9.9

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.dodatech.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Expected behavior: WireGuard creates interface wg0 with the assigned IP address. All IPv4 traffic (0.0.0.0/0) routes through the VPN; IPv6 traffic is only tunneled if ::/0 is listed in AllowedIPs as well. Keepalive packets are sent every 25 seconds to maintain NAT/firewall mappings.

# Bring up the VPN interface
sudo wg-quick up wg0

# Verify connection
sudo wg show

# Expected output:
# interface: wg0
#   public key: fE2kR9tW4yU6i...
#   private key: (hidden)
#   listening port: 51820
#
# peer: <server-public-key>
#   endpoint: 203.0.113.5:51820
#   allowed ips: 0.0.0.0/0
#   latest handshake: 2 seconds ago
#   transfer: 1.2 MiB received, 3.4 MiB sent

OpenVPN Client Setup

# Install OpenVPN
sudo apt install openvpn

# Connect using client configuration
sudo openvpn --config client.ovpn

# Expected output:
# Thu Jun 23 10:00:00 2026 OpenVPN 2.5.8
# Thu Jun 23 10:00:01 2026 TCP/UDP: Preserving recently used remote address: 203.0.113.5
# Thu Jun 23 10:00:02 2026 TLS: Initial packet from 203.0.113.5:1194, sid=abc123
# Thu Jun 23 10:00:03 2026 VERIFY OK: depth=1, CN=DodaTech-VPN-CA
# Thu Jun 23 10:00:04 2026 Data Channel Encrypt: Cipher AES-256-GCM
# Thu Jun 23 10:00:04 2026 Initialization Sequence Completed

Expected behavior: The client negotiates TLS with the server, verifies the CA certificate, establishes an AES-256-GCM encrypted data channel, and the "Initialization Sequence Completed" message confirms the tunnel is active.

Kill Switch Implementation

#!/bin/bash
# WireGuard kill switch using iptables
# Blocks all non-VPN traffic when tunnel drops
set -e

# WireGuard endpoint. Use the server's IP address here (and in the Endpoint line of
# wg0.conf): once the switch is active no DNS query can leave the host, so a hostname
# could not be resolved when the tunnel is brought up.
VPN_SERVER=203.0.113.5
VPN_PORT=51820

# Start from an empty rule set so repeated runs do not stack duplicate rules
sudo iptables -F
sudo ip6tables -F

# Default policy: drop everything that no rule below explicitly allows
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP

# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

# Allow WireGuard interface (wg0). This already covers DNS to the VPN DNS servers,
# since they are reached through the tunnel.
sudo iptables -A OUTPUT -o wg0 -j ACCEPT
sudo iptables -A INPUT -i wg0 -j ACCEPT

# Allow the WireGuard UDP handshake itself (pre-tunnel), but only to the VPN server
sudo iptables -A OUTPUT -p udp -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
sudo iptables -A INPUT -p udp -s "$VPN_SERVER" --sport "$VPN_PORT" -j ACCEPT

# iptables only governs IPv4. Without these rules IPv6 traffic bypasses the
# switch entirely on a dual-stack network.
sudo ip6tables -P INPUT DROP
sudo ip6tables -P OUTPUT DROP
sudo ip6tables -P FORWARD DROP
sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -A OUTPUT -o lo -j ACCEPT
sudo ip6tables -A OUTPUT -o wg0 -j ACCEPT
sudo ip6tables -A INPUT -i wg0 -j ACCEPT

echo "Kill switch enabled. Only VPN traffic is allowed."

Expected behavior: The default policy drops all traffic. Only packets on the loopback interface, packets through the WireGuard interface, and the WireGuard UDP handshake to the server itself are allowed. If the tunnel drops, everything else stays blocked until the tunnel reconnects.

Split Tunneling

Route only specific traffic through the VPN while sending everything else through the regular internet connection.

# /etc/wireguard/wg0.conf split tunnel configuration
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.dodatech.com:51820
# Only route traffic for internal company networks through VPN
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12

Expected behavior: Only traffic destined for 10.x.x.x and 172.16.0.0-172.31.255.255 networks routes through the VPN. All other traffic uses the default internet connection. This preserves bandwidth for streaming and downloads while securing corporate access.
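The routing decision above is plain prefix matching on AllowedIPs, and it also decides where the DNS queries from the DNS line go. The script below is an added example, not code from the article: it checks a WireGuard client config for a DNS server that falls outside AllowedIPs (the same check applies to the full-tunnel config earlier on the page). The function names and the sample config are constructed for this example.

```shell
#!/bin/bash
# Added example, not from the original article: check whether a wg0.conf routes
# its own DNS servers through the tunnel. A resolver outside AllowedIPs is queried
# in the clear, which is the split-tunnel DNS failure mode discussed on this page.

# Dotted IPv4 address -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR PREFIX/BITS -> success if ADDR lies inside the prefix
in_cidr() {
  local ip net bits mask
  ip=$(ip2int "$1"); net=${2%/*}; bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# conf_values CONFIG KEY -> the key's values, comma lists turned into space lists
conf_values() {
  printf '%s\n' "$1" | sed -n "s/^$2 *= *//p" | tr ',' ' '
}

# dns_in_tunnel CONFIG -> one "<server> tunnel|LEAK" line per DNS entry;
# exit status 1 if any DNS server would bypass the tunnel
dns_in_tunnel() {
  local leak=0 routed d a
  for d in $(conf_values "$1" DNS); do
    routed=0
    for a in $(conf_values "$1" AllowedIPs); do
      case $a in *:*) continue ;; esac        # IPv6 prefix, not an IPv4 route
      in_cidr "$d" "$a" && routed=1
    done
    if [ "$routed" -eq 1 ]; then echo "$d tunnel"; else echo "$d LEAK"; leak=1; fi
  done
  return $leak
}

# Constructed sample: the split-tunnel config from this section
SPLIT_CFG='[Interface]
DNS = 1.1.1.1
[Peer]
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12'

# prints "1.1.1.1 LEAK": 1.1.1.1 lies in neither 10.0.0.0/8 nor 172.16.0.0/12
dns_in_tunnel "$SPLIT_CFG" || echo "a DNS server is outside the tunnel"
```

Changing the DNS line to a resolver inside the tunneled prefixes (for example 10.0.0.1 on the VPN side) makes the check pass.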

DNS Leak Prevention

DNS leaks occur when DNS queries bypass the VPN tunnel, revealing your browsing activity to your ISP.

# Verify DNS is using VPN
resolvectl status

# Expected output should show DNS servers from VPN config:
# Global
#     DNS Servers: 1.1.1.1 9.9.9.9
#     Domains: ~.
#
# Link 3 (wg0)
#     DNS Servers: 1.1.1.1 9.9.9.9
#     Domains: ~.

# Test for DNS leaks
curl -s https://ipleak.net/json/

# Expected output:
# {"ip":"203.0.113.5","country":"Netherlands","dns":"1.1.1.1","dns_country":"United States"}

Expected behavior: The IP address shown is your VPN server IP, not your real IP. The DNS servers shown are your VPN-configured DNS servers, not your ISP's. If your real IP appears, a DNS leak is present.
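The checks described above, written as an added example script rather than code from the article: each function takes the captured output of wg show, resolvectl status or the leak-test JSON as an argument, so the logic can be exercised without a live tunnel. The sample captures, the 180-second staleness threshold and the function names are constructed assumptions, and the peer key is a placeholder.

```shell
#!/bin/bash
# Added example, not from the original article: offline versions of the checks
# described above. Each function parses captured command output passed in as an
# argument, so it runs without a live tunnel; the sample captures are constructed.

# handshake_age CAPTURE NOW -> seconds since the newest handshake in the output of
# `wg show wg0 latest-handshakes` ("<peer-pubkey> <unix-time>" per peer; 0 = never).
# Prints -1 when no handshake has ever completed.
handshake_age() {
  local newest=0 ts
  for ts in $(printf '%s\n' "$1" | awk '{print $2}'); do
    [ "$ts" -gt "$newest" ] && newest=$ts
  done
  [ "$newest" -eq 0 ] && { printf '%d\n' -1; return; }
  echo $(( $2 - newest ))
}

# WireGuard rekeys every 120 s, so a handshake older than 180 s means the peer is
# unreachable even though wg0 still exists: exactly when a kill switch must hold.
tunnel_healthy() {
  local age
  age=$(handshake_age "$1" "$2")
  [ "$age" -ge 0 ] && [ "$age" -lt 180 ]
}

# wg0_dns_servers CAPTURE -> the DNS servers `resolvectl status` lists under wg0
wg0_dns_servers() {
  printf '%s\n' "$1" | awk '/^Link .*\(wg0\)/ {f=1; next}  /^Link / {f=0}
                             f && /DNS Servers:/ {sub(/.*DNS Servers: */, ""); print}'
}

# dns_ok RESOLVECTL_CAPTURE LEAK_JSON EXPECTED -> success only when the local
# resolver config AND the external leak test (the ipleak.net JSON shown above)
# both point at the VPN-configured servers
dns_ok() {
  local leak_dns
  leak_dns=$(printf '%s\n' "$2" | sed -n 's/.*"dns":"\([^"]*\)".*/\1/p')
  [ "$(wg0_dns_servers "$1")" = "$3" ] || return 1   # resolver config is wrong
  case " $3 " in *" $leak_dns "*) return 0 ;; esac   # query left via a VPN resolver
  return 1                                           # answered by a foreign resolver
}

# Constructed sample captures (the peer key is a placeholder)
HANDSHAKES='<server-public-key> 1782208800'
RESOLVECTL='Link 3 (wg0)
    DNS Servers: 1.1.1.1 9.9.9.9
    Domains: ~.'
LEAK_JSON='{"ip":"203.0.113.5","country":"Netherlands","dns":"1.1.1.1","dns_country":"United States"}'
dns_ok "$RESOLVECTL" "$LEAK_JSON" "1.1.1.1 9.9.9.9" && echo "no DNS leak"
```

On a live system the captures come from `sudo wg show wg0 latest-handshakes`, `resolvectl status` and `curl -s https://ipleak.net/json/`, with `date +%s` as NOW.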

Common Errors

  1. Kill switch not active before connection -- Without a kill switch, a brief window exists between starting the VPN client and tunnel establishment where traffic leaks. Activate the kill switch firewall rules before initiating the VPN connection.

  2. MTU mismatch causing packet fragmentation -- The WireGuard default MTU of 1420 bytes causes fragmentation on links whose own MTU leaves less room than that (PPPoE, for example, at 1492 bytes minus 80 bytes of WireGuard overhead). Set MTU = 1280 in the Interface section to avoid fragmentation.

  3. DNS leak from systemd-resolved overriding VPN DNS -- systemd-resolved may ignore VPN-pushed DNS servers. Configure PostUp = resolvectl dns wg0 1.1.1.1 in the WireGuard config to explicitly set DNS.

  4. Handshake timeout on NAT-heavy networks -- Some networks drop idle UDP packets. Set PersistentKeepalive = 25 to send keepalive packets, maintaining the NAT mapping on the router.

  5. Split tunnel DNS resolution failure -- When using split tunneling, DNS queries for internal domains fail because the VPN DNS server cannot resolve them. Add internal domain routes in the DNS configuration.

Practice Questions

  1. What is the difference between full tunnel and split tunnel VPN routing? Full tunnel routes all traffic through the VPN. Split tunnel routes only specified traffic through the VPN and the rest through the regular internet connection. Full tunnel provides more privacy but uses more bandwidth.

  2. Why does WireGuard use PersistentKeepalive and what value is recommended? PersistentKeepalive sends periodic packets to maintain the NAT/firewall mapping. A value of 25 seconds is recommended for most networks. Lower values (5-10 seconds) are needed on restrictive networks.

  3. How do you verify a VPN is not leaking DNS queries? Check the DNS server IP shown by resolvectl status against your VPN DNS configuration. Use a DNS leak test tool like ipleak.net. If the DNS server is not your VPN-configured DNS, a leak exists.

  4. What is the security difference between WireGuard and OpenVPN? WireGuard uses modern cryptography (Curve25519, ChaCha20-Poly1305, BLAKE2) with a smaller codebase (~4,000 lines vs ~100,000 lines). OpenVPN supports more configuration options but has a larger attack surface and slower connection establishment.

  5. Challenge: Set up a WireGuard VPN on a cloud VPS. Configure the server with iptables forwarding and NAT. Connect from a client. Verify the tunnel works with wg show. Create a kill switch script that activates before the connection starts.

Mini Project

Deploy a self-hosted WireGuard VPN server on a $5/month VPS. Configure split tunneling for selected applications. Set up a kill switch using iptables. Verify no DNS leaks using ipleak.net. Monitor the connection with wg show and set up automated restarts with systemd. Test the kill switch by restarting the WireGuard service.

FAQ

Is a VPN necessary if I only use HTTPS websites?

HTTPS encrypts the payload between your browser and the website, but the destination IP address remains visible. A VPN encrypts the entire connection, including the DNS lookup, and hides your IP address from the destination server. Use a VPN on untrusted networks even with HTTPS.

Can VPN providers see my traffic?

Yes, the VPN provider operates the exit server and can theoretically see unencrypted traffic. Choose a provider with a verified no-logs policy, third-party audits, and RAM-only servers. Combine VPN usage with HTTPS to ensure end-to-end encryption.

Does a VPN protect against malware?

No, a VPN encrypts network traffic but does not scan files or block malicious downloads. Use dedicated antivirus software like Durga Antivirus Pro alongside a VPN for comprehensive protection.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.
