By Sajid Qureshi, Alibaba Cloud Community Blog author.
WireGuard is a free and open-source application tool that implements VPN to establish secure point-to-point connections bridged configurations. WireGuard serves as a modern and high-performance VPN which is also easy to use. Popular VPN technologies such as OpenVPN and IPSEC are often complex to set up so, WireGuard aims to provide a VPN that is both simple and highly effective. WireGuard creates a point-to-point connection between two machines without mediation by a central server.
In this tutorial, we will learn how to establish a point-to-point VPN connection with WireGuard using Alibaba Cloud ECS of two Ubuntu 16.04 servers.
Follow the stpes outlined below to learn how to establish a point-to-point VPN connection with WireGuard on Alibaba Cloud ECS instances.
We will need to install WireGuard software on each server before we can continue. First of all, you will need to add the WireGuard PPA to the system using the following command on each server.
sudo add-apt-repository ppa:wireguard/wireguardYou'll be asked to add the new package source, hit the ENTER button to continue. Now, upgrade all the available packages using the sudo apt-get update command.
Next, you will need to install the WireGuard kernel module with the required components. Execute the following command on each server and it'll do the job for you.
sudo apt-get install wireguard-dkms wireguard-toolsAfter the WireGuard is installed then you can proceed further to the configuration. You will need to generate a private key and write it directly to a WireGuard configuration file. Execute the following command on each server to write the initial contents of a configuration file to:
/etc/wireguard/wg0.conf`.
(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)Next, create a private key using the following command.
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickeyNext, you will need to open the configuration file using any editor. You can do so with the sudo nano /etc/wireguard/wg0.conf command.
You will find your generated key in this file under '[Interface]' section. This section contains all the configuration details for the local side of the connection.
You will have to add the port number that it will listen on for connections from peers. Simply just add the ListenPort and SaveConfig line below the PrivateKey line under [Interface] section like this:
[Interface]
PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = trueSet the ListenPort on each host to the port you've selected. SaveConfig = true line will tell the 'wg-quick' service to automatically save its active configuration when you shut down.
Next, you will need to address the definition to each server. Here we will use a subnet as the address space for VPN, you can choose any unique address within its range. We will use the 10.0.0.0/24 subnet as the address space so its range will be (10.0.0.1 to 10.0.0.254), you can pick any address within this range and specify the address and subnet using CIDR notation.
For example, the address of our first server is 10.0.0.1, which is represented as 10.0.0.1/24 in CIDR notation. So, add a new line in the configuration file like this:
[Interface]
PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = true
Address = 10.0.0.1/24Similarly, for second server the configuration will be like this:
[Interface]
PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = true
Address = 10.0.0.2/24Next, save and close the configuration file of First Server only.
You will need to create and define [Peer] section in the second server's configuration file.
Now add the following content into the configuration file under the [Interface] section and replace the values with the actual ones.
[Peer]
PublicKey = public_key_of_first_server
AllowedIPs = 10.0.0.1/32
Endpoint = public_IP_of_first_server:5555Please replace the value of PublicKey. You can find the value of PublicKey using the cat /etc/wireguard/publickey command on your first server. Now we know the specific address of the first server so, replace the value of AllowedIPs followed by /32 to define the range of Allowed IP value.
Finally, replace the value of Endpoint with the Public IP address of the first server and the port number that WireGuard is listening on and then save the configuration file of the second server and exit from the editor.
WireGuard is installed on your servers and everything is configured now we are ready to start the VPN and establish a connection between our two servers. Open the WireGurad port in Firewall on each server. Execute the sudo ufw allow 5555 command on each server to do so.
Next, you will need to start the wg-quick service using the sudo systemctl start wg-quick@wg0 command.
You can check the active configuration of the VPN using the sudo wg command. On the first server, you should see the following output:
interface: wg0
public key: public_key_of_this_server
private key: (hidden)
listening port: 5555On the second server, the output will also contain the peer configuration details like this:
interface: wg0
public key: public_key_of_this_server
private key: (hidden)
listening port: 5555
peer: public_key_of_first_server
endpoint: public_IP_of_first_server:5555
allowed ips: 10.0.0.1/32Now you will need to add the peer configuration details of your second server to the first server. Run the following command on your first server and please replace the values of public key and public IP of the second server.
sudo wg set wg0 peer public_key_of_second_server endpoint public_IP_of_second_server:5555 allowed-ips 10.0.0.2/32Now run sudo wgcommand again on your first server to confirm this configuration. You should see the following output on your first server.
interface: wg0
public key: public_key_of_this_server
private key: (hidden)
listening port: 5555
peer: public_key_of_second_server
endpoint: public_IP_of_second_server:5555
allowed ips: 10.0.0.2/32Our point-to-point connection between these two peers is available now. You can try to ping the VPN address of the second server from the first server by using ping -c 3 10.0.0.2.
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.635 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.615 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.841 ms
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.615/0.697/0.841/0.102 msIf nothing goes wrong then you can save the configuration on the first server using the sudo systemctl restart wg-quick@wg0 command.
If you wish to start the tunnel at boot then you will need to enable the service on each server using the sudo systemctl enable wg-quick@wg0 command.
In this tutorial, you installed WireGuard on two Alibaba Cloud ECS installed with Ubuntu 16.04, and you also configured each host as a server and established a secure point-to-point connection to its peer. WireGuard is a great option for establishing these kinds of connections due to its flexibility, light-weight implementation. We hope now you have enough knowledge to work with WireGuard.
2,605 posts | 747 followers
FollowAlibaba Clouder - August 19, 2020
Alibaba Clouder - January 23, 2018
Alibaba Clouder - August 2, 2019
Dikky Ryan Pratama - May 9, 2023
Alibaba Clouder - August 20, 2018
Sabith - July 27, 2018
2,605 posts | 747 followers
Follow
ECS(Elastic Compute Service)
Elastic and secure virtual cloud servers to cater all your cloud hosting needs.
Learn More
VPN Gateway
VPN Gateway is an Internet-based service that establishes a connection between a VPC and your on-premise data center.
Learn MoreLearn More
More Posts by Alibaba Clouder