By Sajid Qureshi, Alibaba Cloud Community Blog author.
WireGuard is a free and open-source VPN implementation that establishes secure point-to-point connections in routed or bridged configurations. It is a modern, high-performance VPN that is also easy to use. Popular VPN technologies such as OpenVPN and IPsec are often complex to set up, so WireGuard aims to provide a VPN that is both simple and highly effective. WireGuard creates a point-to-point connection between two machines without mediation by a central server.
In this tutorial, we will learn how to establish a point-to-point VPN connection with WireGuard between two Alibaba Cloud ECS instances running Ubuntu 16.04.
Follow the steps outlined below to establish a point-to-point VPN connection with WireGuard on Alibaba Cloud ECS instances.
We will need to install WireGuard software on each server before we can continue. First of all, you will need to add the WireGuard PPA to the system using the following command on each server.
sudo add-apt-repository ppa:wireguard/wireguard
You'll be asked to confirm the new package source; press ENTER to continue. Now refresh the package index with the following command.
sudo apt-get update
Next, install the WireGuard kernel module (built through DKMS) together with the userspace tools. Execute the following command on each server.
sudo apt-get install wireguard-dkms wireguard-tools
Once WireGuard is installed, you can proceed to the configuration. You will need to generate a private key and write it directly into a WireGuard configuration file. Execute the following command on each server to write the initial contents of the configuration file to /etc/wireguard/wg0.conf (the umask makes the file, which will hold the private key, readable by root only):
(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
Next, generate the private key, append it to the configuration file, and derive the matching public key into /etc/wireguard/publickey with the following command.
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
Next, open the configuration file in any editor, for example with the following command.
sudo nano /etc/wireguard/wg0.conf
You will find your generated private key in this file under the [Interface] section. This section contains all the configuration details for the local side of the connection.
Next, add the port number that WireGuard will listen on for connections from peers, together with a SaveConfig line, below the PrivateKey line in the [Interface] section, like this:
[Interface]
PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = true
Set ListenPort on each host to the port you've selected. The SaveConfig = true line tells the wg-quick service to save its active configuration automatically when the interface is shut down.
Next, you will need to assign a VPN address to each server. We will use a private subnet as the address space for the VPN, and each server gets a unique address within it. With the 10.0.0.0/24 subnet as the address space, the usable range is 10.0.0.1 to 10.0.0.254; pick any address within this range and specify the address and subnet together in CIDR notation.
For example, the address of our first server is 10.0.0.1, which is written as 10.0.0.1/24 in CIDR notation. So, add an Address line to the configuration file like this:
[Interface]
PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = true
Address = 10.0.0.1/24
Similarly, for the second server the configuration will look like this:
[Interface]
PrivateKey = generated_private_key
ListenPort = 5555
SaveConfig = true
Address = 10.0.0.2/24
Next, save and close the configuration file on the first server only.
On the second server, you still need to define a [Peer] section that describes the first server.
Add the following content to the second server's configuration file below the [Interface] section, replacing the placeholders with the actual values:
[Peer]
PublicKey = public_key_of_first_server
AllowedIPs = 10.0.0.1/32
Endpoint = public_IP_of_first_server:5555
Replace the value of PublicKey with the first server's public key, which you can read with the cat /etc/wireguard/publickey command on your first server. Since we know the exact VPN address of the first server, set AllowedIPs to that address followed by /32, so that only this single address is routed to (and accepted from) this peer.
Finally, replace the value of Endpoint with the public IP address of the first server and the port number that WireGuard is listening on, then save the second server's configuration file and exit the editor.
WireGuard is installed on both servers and everything is configured, so we are ready to start the VPN and establish the connection between our two servers. First, open the WireGuard port in the firewall on each server with the following command.
sudo ufw allow 5555
Next, start the wg-quick service for the wg0 interface on each server using the following command.
sudo systemctl start wg-quick@wg0
You can check the active configuration of the VPN using the sudo wg command. On the first server, you should see the following output:
interface: wg0
  public key: public_key_of_this_server
  private key: (hidden)
  listening port: 5555
On the second server, the output will also contain the peer configuration details, like this:
interface: wg0
  public key: public_key_of_this_server
  private key: (hidden)
  listening port: 5555

peer: public_key_of_first_server
  endpoint: public_IP_of_first_server:5555
  allowed ips: 10.0.0.1/32
Now you will need to add the peer configuration details of your second server to the first server. Run the following command on your first server, replacing the public key and public IP placeholders with the second server's values.
sudo wg set wg0 peer public_key_of_second_server endpoint public_IP_of_second_server:5555 allowed-ips 10.0.0.2/32
Run the sudo wg command again on your first server to confirm this configuration. You should see the following output:
interface: wg0
  public key: public_key_of_this_server
  private key: (hidden)
  listening port: 5555

peer: public_key_of_second_server
  endpoint: public_IP_of_second_server:5555
  allowed ips: 10.0.0.2/32
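The [Peer] section written by hand above and the sudo wg output it should produce are easy to get out of step: a public key pasted on the wrong host, an AllowedIPs range that swallows the local tunnel address, or a peer that was added on one side only. The following Python script is an added example and not part of the original tutorial. It parses a wg0.conf in the layout built above and the output of wg show in the layout quoted above, then reports every disagreement between the two. The keys and the 203.0.113.10 public IP are constructed placeholders; the script also assumes the latest handshake and transfer lines that wg prints for a peer once a handshake has completed, which the tutorial's outputs do not yet show because no traffic has flowed.

```python
import base64
import ipaddress

# Constructed placeholder keys in the shape `wg genkey` / `wg pubkey` print (32 bytes, base64).
OWN_PRIVATE_KEY = base64.b64encode(bytes([1]) * 32).decode()
OWN_PUBLIC_KEY = base64.b64encode(bytes([3]) * 32).decode()
PEER_PUBLIC_KEY = base64.b64encode(bytes([2]) * 32).decode()

# Constructed: the second server's wg0.conf as built in the tutorial; 203.0.113.10 is a
# documentation address standing in for the first server's public IP.
SAMPLE_CONF = f"""[Interface]
PrivateKey = {OWN_PRIVATE_KEY}
ListenPort = 5555
SaveConfig = true
Address = 10.0.0.2/24

[Peer]
PublicKey = {PEER_PUBLIC_KEY}
AllowedIPs = 10.0.0.1/32
Endpoint = 203.0.113.10:5555
"""

# Constructed: `sudo wg` output on that server once the tunnel has carried traffic;
# the last two peer lines are only printed after a handshake has completed.
SAMPLE_WG_SHOW = f"""interface: wg0
  public key: {OWN_PUBLIC_KEY}
  private key: (hidden)
  listening port: 5555

peer: {PEER_PUBLIC_KEY}
  endpoint: 203.0.113.10:5555
  allowed ips: 10.0.0.1/32
  latest handshake: 12 seconds ago
  transfer: 1.25 KiB received, 1.34 KiB sent
"""

def parse_conf(text):
    """Parse wg0.conf into {'interface': {...}, 'peers': [{...}, ...]}."""
    conf, current = {"interface": {}, "peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if line.lower() == "[interface]":
            current = conf["interface"]
        elif line.lower() == "[peer]":
            conf["peers"].append(current := {})       # each [Peer] header opens a new dict
        elif line.startswith("["):
            raise ValueError(f"unknown section {line}")
        elif line:
            key, _, value = line.partition("=")        # keys contain no '='; base64 values may
            current[key.strip()] = value.strip()
    return conf

def parse_wg_show(text):
    """Parse `wg show` output into {'interface': {...}, 'peers': {pubkey: {...}}}."""
    state, current = {"interface": {}, "peers": {}}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        field, _, value = raw.strip().partition(": ")
        if raw.startswith(" "):                        # indented: attribute of the open block
            current[field] = value
        elif field == "interface":                     # unindented lines open a new block
            current = state["interface"]
            current["name"] = value
        elif field == "peer":
            state["peers"][value] = current = {}
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return state

def networks(csv):
    return {ipaddress.ip_network(n.strip(), strict=False) for n in csv.split(",") if n.strip()}

def audit(conf, state):
    """Return a list of problems; an empty list means wg0.conf and the live state agree."""
    iface, problems = conf["interface"], []
    own_ip = ipaddress.ip_interface(iface["Address"]).ip
    if iface.get("ListenPort") != state["interface"].get("listening port"):
        problems.append("live listening port differs from ListenPort in wg0.conf")
    for peer in conf["peers"]:
        pub = peer.get("PublicKey", "")
        tag = f"peer {pub[:8]}..."
        allowed = networks(peer.get("AllowedIPs", ""))
        # AllowedIPs is both the route to the peer and the filter on what it may send;
        # a range that covers our own tunnel address is a misconfiguration.
        if any(own_ip in net for net in allowed):
            problems.append(f"{tag} AllowedIPs covers our own address {own_ip}")
        live = state["peers"].get(pub)
        if live is None:
            problems.append(f"{tag} is in wg0.conf but missing from `wg show`")
            continue
        if live.get("endpoint") != peer.get("Endpoint"):   # wg prints the resolved ip:port
            problems.append(f"{tag} endpoint: conf {peer.get('Endpoint')}, live {live.get('endpoint')}")
        if networks(live.get("allowed ips", "")) != allowed:
            problems.append(f"{tag} allowed ips differ between wg0.conf and live state")
        if "latest handshake" not in live:
            problems.append(f"{tag} has never completed a handshake")
    return problems
```

On a real host, feed it the contents of /etc/wireguard/wg0.conf and the output of sudo wg instead of the constructed samples. Until the first ping has gone through, the handshake check fires for every peer, which is the expected state right after systemctl start; a peer that still shows no handshake after traffic was sent points at a wrong Endpoint, a mismatched key, or a firewall that is blocking the port.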
Our point-to-point connection between these two peers is now available. You can try to ping the VPN address of the second server from the first server with the following command.
ping -c 3 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.635 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.615 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.841 ms

--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.615/0.697/0.841/0.102 ms
If nothing goes wrong, you can persist the configuration on the first server using the following command. Because SaveConfig is set to true, bringing the interface down writes the peer you added with wg set into /etc/wireguard/wg0.conf.
sudo systemctl restart wg-quick@wg0
If you wish to start the tunnel at boot, enable the service on each server using the following command.
sudo systemctl enable wg-quick@wg0
In this tutorial, you installed WireGuard on two Alibaba Cloud ECS instances running Ubuntu 16.04, configured each host as a server, and established a secure point-to-point connection to its peer. WireGuard is a great option for these kinds of connections because of its flexibility and lightweight implementation. We hope you now have enough knowledge to work with WireGuard.