Set-up Wireguard VPN on Amazon EC2 and GCP
4 minute read
Configure a WireGuard VPN server on a free-tier VM on Amazon EC2 and Google Cloud Platform. In this configuration the VPN network is 192.168.2.0/24: the server takes 192.168.2.1 and the first client 192.168.2.2.
Amazon EC2
Amazon offers one free VM for 12 months (750 hours per month) on its Elastic Compute Cloud (EC2) platform under the AWS Free Tier program.
- The Amazon EC2 management console allows you to configure your VMs
- The instance type must be t2.micro (1 vCPU, 1 GiB RAM), the free-tier-eligible size
- It is placed in the us-east-2 (Ohio) region in this write-up
- Choose an Amazon Linux image, e.g. Amazon Linux 2 AMI 2.0.20190823.1 x86_64 HVM
- Create a Key Pair and keep the downloaded .pem readable only by you (chmod 400 ~/.ssh/my_key_pair.pem; ssh refuses to use a key with looser permissions). Once you have it you can connect to your VM:
$ ssh -i ~/.ssh/my_key_pair.pem ec2-user@yourpublic_dns_name.us-east-2.compute.amazonaws.com
- Create a Security Group that allows SSH (22/TCP), ideally only from your own IP address, and WireGuard on 51820/UDP. WireGuard speaks UDP only, so there is no need to open 51820/TCP.
- Install WireGuard. On Amazon Linux 2 the EPEL repository is enabled through amazon-linux-extras rather than the epel-release package. wireguard-dkms builds the kernel module against the running kernel, so the matching kernel-devel package must be present (reboot first if yum update pulled in a new kernel):
$ sudo yum update -y
$ sudo curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
$ sudo amazon-linux-extras install epel -y
$ sudo yum clean all
$ sudo yum install -y kernel-devel-$(uname -r) wireguard-dkms wireguard-tools iptables-services
$ sudo /sbin/modprobe wireguard
- Generate the server key pair. Set a restrictive umask first so the private key file is never readable by other users, and derive the public key from the private one with wg pubkey:
$ umask 077
$ wg genkey > private
$ wg pubkey < private > public
- If you want to bring the interface up by hand instead of with wg-quick (do one or the other: wg-quick up fails if wg0 already exists):
$ sudo ip link add dev wg0 type wireguard
$ sudo ip address add dev wg0 192.168.2.1/24
$ sudo wg set wg0 listen-port 51820 private-key ./private
$ sudo ip link set wg0 up
- Alternatively, sudo wg setconf wg0 myconfig.conf loads the [Interface] and [Peer] sections from a file. Note that wg, unlike wg-quick, only understands the tunnel settings (PrivateKey, ListenPort, PublicKey, AllowedIPs, Endpoint, ...) and rejects an Address line.
- Create the WireGuard configuration file that wg-quick reads. SaveConfig = true makes wg-quick rewrite this file from the live interface state on wg-quick down, so peers added at runtime with wg set are kept, but edits made to the file while the interface is up are overwritten:
$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.2.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = yourprivatekey
[Peer]
PublicKey = somepublickey
AllowedIPs = 192.168.2.2/32
$ sudo chown -v root:root /etc/wireguard/wg0.conf
$ sudo chmod -v 600 /etc/wireguard/wg0.conf
- Configure your kernel. Create a sysctl configuration file to enable IP forwarding at each boot, then load it (sysctl -p with no argument only reads /etc/sysctl.conf, so name the file or use sysctl --system):
$ sudo tee /etc/sysctl.d/98-wg.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1
EOF
$ sudo sysctl -p /etc/sysctl.d/98-wg.conf
- Configure the firewall on the VM: accept the WireGuard port, accept DNS from VPN clients (only useful if you run a resolver on the VM), let clients reach each other and the internet, and NAT their traffic out of eth0. The forward rule from wg0 to eth0 only matters when the FORWARD chain does not already default to ACCEPT, but it is harmless otherwise:
$ cat iptables.rules
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0 -s 192.168.2.0/24 -m conntrack --ctstate NEW -j ACCEPT
#Set up nat
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
The file is a list of commands, so apply it with the shell, check that no earlier REJECT or DROP rule in the same chain shadows the appended rules, then save the result with iptables-services so it survives a reboot:
$ sudo sh iptables.rules
$ sudo iptables -L -n -v
$ sudo service iptables save
$ sudo systemctl enable iptables
- Start WireGuard with wg-quick, which reads /etc/wireguard/wg0.conf and creates the interface, assigns the address and installs the routes itself, then enable it at boot:
$ sudo wg-quick up wg0
$ sudo systemctl enable wg-quick@wg0.service
- You can check the status of WireGuard. Here the peer is configured but has not completed a handshake for a long time, i.e. the client is not connected:
$ sudo wg
interface: wg0
public key: public_key
private key: (hidden)
listening port: 51820
peer: some_peer_public_key
endpoint: peer_ip_address:49539
allowed ips: 192.168.2.2/32
latest handshake: 61 days, 19 hours, 27 minutes, 40 seconds ago
transfer: 136.02 MiB received, 772.30 MiB sent
- The same command once the 192.168.2.2 client is connected; a handshake within the last couple of minutes is the sign that the tunnel is alive:
$ sudo wg
interface: wg0
public key: public_key
private key: (hidden)
listening port: 51820
peer: some_peer_public_key
endpoint: peer_ip_address:55029
allowed ips: 192.168.2.2/32
latest handshake: 50 seconds ago
transfer: 136.13 MiB received, 772.54 MiB sent
- Now you can run tcpdump on wg0 to see that traffic is going through your VPN:
$ sudo tcpdump -s0 -v not port ssh and not port ntp -i wg0
- or you can ping the peer or the VM's own tunnel address:
$ ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=0.028 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=0.037 ms
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.028/0.032/0.037/0.007 ms
$ ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
64 bytes from 192.168.2.2: icmp_seq=1 ttl=64 time=174 ms
^C
--- 192.168.2.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 174.724/174.724/174.724/0.000 ms
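The steps above only show the server side. The following shell script is an added example, not code from the original post: it renders the server wg0.conf for the 192.168.2.0/24 layout used here together with the matching client config, and checks the two things that most often break a fresh setup, a malformed or mispasted key and a world-readable config file. Keys are passed in as arguments so the render and check functions also run on a machine without wireguard-tools; only gen_keypair needs wg. The 203.0.113.10 endpoint (a documentation address) and the DNS line in the client config are assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example, not from the original post. Renders a WireGuard server
# and client config pair for 192.168.2.0/24 and sanity-checks keys and
# file permissions. GNU coreutils (stat -c) and POSIX sh are assumed.

# valid_key KEY: a WireGuard key is 32 bytes, i.e. 44 base64 characters.
# The 43rd character carries only 4 payload bits, so it must be one of
# A E I M Q U Y c g k o s w 0 4 8, and the 44th must be '='.
valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# gen_keypair PREFIX: writes PREFIX.key (private) and PREFIX.pub.
# The umask is set in a subshell so the private key is created 0600
# without changing the caller's umask. Needs wireguard-tools.
gen_keypair() {
    ( umask 077 && wg genkey > "$1.key" && wg pubkey < "$1.key" > "$1.pub" )
}

# render_server_conf SERVER_PRIVATE CLIENT_PUBLIC: the same content as
# /etc/wireguard/wg0.conf above, without SaveConfig so that the file
# on disk stays the source of truth.
render_server_conf() {
    valid_key "$1" && valid_key "$2" || return 1
    printf '%s\n' \
        '[Interface]' \
        'Address = 192.168.2.1/24' \
        'ListenPort = 51820' \
        "PrivateKey = $1" \
        '' \
        '[Peer]' \
        "PublicKey = $2" \
        'AllowedIPs = 192.168.2.2/32'
}

# render_client_conf CLIENT_PRIVATE SERVER_PUBLIC ENDPOINT: the client
# side. AllowedIPs = 0.0.0.0/0 sends all IPv4 traffic through the
# tunnel; use 192.168.2.0/24 instead for a split tunnel. The DNS line
# assumes a resolver on the server (what the port-53 firewall rules
# are for); drop it if you run none.
render_client_conf() {
    valid_key "$1" && valid_key "$2" || return 1
    printf '%s\n' \
        '[Interface]' \
        'Address = 192.168.2.2/24' \
        "PrivateKey = $1" \
        'DNS = 192.168.2.1' \
        '' \
        '[Peer]' \
        "PublicKey = $2" \
        "Endpoint = $3:51820" \
        'AllowedIPs = 0.0.0.0/0' \
        'PersistentKeepalive = 25'
}

# check_conf FILE: fail unless FILE is mode 0600, contains a PrivateKey
# and every key line in it is well formed. Run it as root against
# /etc/wireguard/wg0.conf after editing.
check_conf() {
    [ "$(stat -c '%a' "$1")" = 600 ] || { echo "$1: mode is not 0600" >&2; return 1; }
    grep -q '^PrivateKey' "$1" || { echo "$1: no PrivateKey line" >&2; return 1; }
    # keys never contain whitespace, so word splitting is safe here
    for key in $(grep -E '^(PrivateKey|PublicKey) *= *' "$1" | sed 's/^[^=]*= *//'); do
        valid_key "$key" || { echo "$1: malformed key: $key" >&2; return 1; }
    done
}

# Stand-alone run, only when wireguard-tools is installed: generate both
# key pairs and write both configs into a scratch directory. 203.0.113.10
# is a documentation address standing in for the VM's public IP.
if command -v wg >/dev/null 2>&1; then
    endpoint=${WG_ENDPOINT:-203.0.113.10}
    out=$(mktemp -d) || exit 1
    gen_keypair "$out/server" && gen_keypair "$out/client" || exit 1
    ( umask 077
      render_server_conf "$(cat "$out/server.key")" "$(cat "$out/client.pub")" > "$out/wg0.conf"
      render_client_conf "$(cat "$out/client.key")" "$(cat "$out/server.pub")" "$endpoint" > "$out/client.conf"
    ) || exit 1
    check_conf "$out/wg0.conf" && check_conf "$out/client.conf" && echo "configs written to $out"
fi
```

Copy wg0.conf to /etc/wireguard/ on the server and client.conf to the client (wg-quick up ./client.conf, or import it into the mobile app), then compare the public keys shown by sudo wg on both ends with the files: a PublicKey that fails valid_key, or a private key pasted where a public one belongs, is the usual reason a tunnel shows no handshake at all.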
Google Cloud Platform
- https://console.cloud.google.com
- Instance type: f1-micro (1 vCPU, 0.6 GB memory)
- Image: debian-10-buster-v20191014
todo
Useful links
- https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/
- https://free-for.dev