×
Community Blog How to Create a VPN with WireGuard and Alibaba Cloud

How to Create a VPN with WireGuard and Alibaba Cloud

This tutorial outlines how to establish a point-to-point VPN connection with WireGuard on Alibaba Cloud ECS instances installed with Ubuntu 16.04.

By Sajid Qureshi, Alibaba Cloud Community Blog author.

WireGuard is a free and open-source application tool that implements VPN to establish secure point-to-point connections bridged configurations. WireGuard serves as a modern and high-performance VPN which is also easy to use. Popular VPN technologies such as OpenVPN and IPSEC are often complex to set up so, WireGuard aims to provide a VPN that is both simple and highly effective. WireGuard creates a point-to-point connection between two machines without mediation by a central server.

In this tutorial, we will learn how to establish a point-to-point VPN connection with WireGuard using Alibaba Cloud ECS of two Ubuntu 16.04 servers.

Prerequisites

  1. You must have two Alibaba Cloud Elastic Compute Service (ECS) instances activated and have verified your valid payment method. If you are a new user, you can get a free account in your Alibaba Cloud account. If you don’t know about how to set up your ECS instance, you can refer to this tutorial or quick-start guide. Your ECS instance must have at least 1GB RAM and 1 Core processor.
  2. You have a domain name registered from Alibaba Cloud. If you have already registered a domain from Alibaba Cloud or any other host, you can update its domain nameserver records.
  3. You have a non-root user with sudo privileges on each server.

Procedure

Follow the stpes outlined below to learn how to establish a point-to-point VPN connection with WireGuard on Alibaba Cloud ECS instances.

Installing WireGuard

We will need to install WireGuard software on each server before we can continue. First of all, you will need to add the WireGuard PPA to the system using the following command on each server.

sudo add-apt-repository ppa:wireguard/wireguard

You'll be asked to add the new package source, hit the ENTER button to continue. Now, upgrade all the available packages using the sudo apt-get update command.

Next, you will need to install the WireGuard kernel module with the required components. Execute the following command on each server and it'll do the job for you.

sudo apt-get install wireguard-dkms wireguard-tools

Configuring WireGuard

After the WireGuard is installed then you can proceed further to the configuration. You will need to generate a private key and write it directly to a WireGuard configuration file. Execute the following command on each server to write the initial contents of a configuration file to:

/etc/wireguard/wg0.conf`. 
   (umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)

Next, create a private key using the following command.

wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

Next, you will need to open the configuration file using any editor. You can do so with the sudo nano /etc/wireguard/wg0.conf command.

You will find your generated key in this file under '[Interface]' section. This section contains all the configuration details for the local side of the connection.

You will have to add the port number that it will listen on for connections from peers. Simply just add the ListenPort and SaveConfig line below the PrivateKey line under [Interface] section like this:

[Interface]
PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = true

Set the ListenPort on each host to the port you've selected. SaveConfig = true line will tell the 'wg-quick' service to automatically save its active configuration when you shut down.

Next, you will need to address the definition to each server. Here we will use a subnet as the address space for VPN, you can choose any unique address within its range. We will use the 10.0.0.0/24 subnet as the address space so its range will be (10.0.0.1 to 10.0.0.254), you can pick any address within this range and specify the address and subnet using CIDR notation.
For example, the address of our first server is 10.0.0.1, which is represented as 10.0.0.1/24 in CIDR notation. So, add a new line in the configuration file like this:

[Interface]
PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = true
Address = 10.0.0.1/24

Similarly, for second server the configuration will be like this:

[Interface]
PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = true
Address = 10.0.0.2/24

Next, save and close the configuration file of First Server only.
You will need to create and define [Peer] section in the second server's configuration file.
Now add the following content into the configuration file under the [Interface] section and replace the values with the actual ones.

[Peer]
PublicKey = public_key_of_first_server
AllowedIPs = 10.0.0.1/32
Endpoint = public_IP_of_first_server:5555

Please replace the value of PublicKey. You can find the value of PublicKey using the cat /etc/wireguard/publickey command on your first server. Now we know the specific address of the first server so, replace the value of AllowedIPs followed by /32 to define the range of Allowed IP value.
Finally, replace the value of Endpoint with the Public IP address of the first server and the port number that WireGuard is listening on and then save the configuration file of the second server and exit from the editor.

Starting the VPN

WireGuard is installed on your servers and everything is configured now we are ready to start the VPN and establish a connection between our two servers. Open the WireGurad port in Firewall on each server. Execute the sudo ufw allow 5555 command on each server to do so.

Next, you will need to start the wg-quick service using the sudo systemctl start wg-quick@wg0 command.

You can check the active configuration of the VPN using the sudo wg command. On the first server, you should see the following output:

interface: wg0
  public key: public_key_of_this_server
  private key: (hidden)
  listening port: 5555

On the second server, the output will also contain the peer configuration details like this:

interface: wg0
  public key: public_key_of_this_server
  private key: (hidden)
  listening port: 5555

peer: public_key_of_first_server
  endpoint: public_IP_of_first_server:5555
  allowed ips: 10.0.0.1/32

Now you will need to add the peer configuration details of your second server to the first server. Run the following command on your first server and please replace the values of public key and public IP of the second server.

sudo wg set wg0 peer public_key_of_second_server endpoint public_IP_of_second_server:5555 allowed-ips 10.0.0.2/32

Now run sudo wgcommand again on your first server to confirm this configuration. You should see the following output on your first server.

interface: wg0
  public key: public_key_of_this_server
  private key: (hidden)
  listening port: 5555

peer: public_key_of_second_server
  endpoint: public_IP_of_second_server:5555
  allowed ips: 10.0.0.2/32

Our point-to-point connection between these two peers is available now. You can try to ping the VPN address of the second server from the first server by using ping -c 3 10.0.0.2.

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.635 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.615 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.841 ms

--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.615/0.697/0.841/0.102 ms

If nothing goes wrong then you can save the configuration on the first server using the sudo systemctl restart wg-quick@wg0 command.

If you wish to start the tunnel at boot then you will need to enable the service on each server using the sudo systemctl enable wg-quick@wg0 command.

Conclusion

In this tutorial, you installed WireGuard on two Alibaba Cloud ECS installed with Ubuntu 16.04, and you also configured each host as a server and established a secure point-to-point connection to its peer. WireGuard is a great option for establishing these kinds of connections due to its flexibility, light-weight implementation. We hope now you have enough knowledge to work with WireGuard.

0 0 0
Share on

Alibaba Clouder

1,866 posts | 378 followers

You may also like

Comments