Yet another “build a WireGuard VPN” guide! This setup here is mostly automated with scripts and Infrastructure as Code. It is meant to be quick temporary VPN setup; you spin it up in a few minutes, do whatever and destroy after use. There’s only about 50 lines of bash to put everything together.
This guide is a little technical; guardrails not included.
Infrastructure
My setup is simply an AWS t2.micro
EC2 instance created using CloudFormation. You can get the stack YML here.
The stack pulls the latest Ubuntu image, sets a static public IP address, sets up session manager, whitelists UDP port 51820
, then runs the following setup script:
Lastly, it adds a
executable which we will get to later. wg-addclient
To connect to the instance, use session manager. The URL is under “SSMURL” under the “Outputs” tab:
Just click on the link and you get remote access to the instance via your browser window.
If you don’t use AWS, you just need to run wg-setup.sh
as root
user in a publicly accessible Ubuntu server. Make sure to white list UDP port 51820
from any firewall.
This setup will cost you 0.01 USD per hour (us-east-1
region), or 0.24 USD a day; you can explore lighter instances for more cost savings by changing the “InstanceType” parameter of the stack.
I’ve also gotten this running with an Amazon ARM server (since they are having a free trial now for t4g.small
until Dec 2023) with the following parameters to the CloudFormation stack:
- InstanceType:
t4g.small
- LatestAmiId:
/aws/service/canonical/ubuntu/server/jammy/stable/current/arm64/hvm/ebs-gp2/ami-id
Adding Clients
In the VPN server, execute
as wg-addclient
root
user:
sudo -iu root
wg-addclient
Here is wg-addclient
for your perusal:
You will get an output that looks like this:
To add more clients, simply rerun wg-addclient
.
Adding Client in iOS
Download the official WireGuard iOS app. Tap the “+” icon and select “Create from QR code” then scan the QR code generated from wg-addclient
.
Follow the instructions that follow.
Adding Client in Windows
Download the official WireGuard Windows app. Go to “Add Tunnel” > “Add empty tunnel…”:
Give the tunnel a name and copy-paste the text contents from wg-addclient
and click “Save”
Monitor Clients
Use the wg
command:
# wg
interface: wg0
public key: XSYfQReJui9ZYaLykAifNCaA5dn6MIHJjckl/nRkV0Y=
private key: (hidden)
listening port: 51820
peer: YEMGteQuySmdXCvwBlqIBIvGX/p4D32LbfE21nYLkm8=
endpoint: 93.184.216.34:54114
allowed ips: 10.10.0.3/32, fd86:ea04:1111::3/128
latest handshake: 14 seconds ago
transfer: 106.50 KiB received, 660.57 KiB sent
peer: DvLpEHPP5cFoX4nlFg0Jehq2RLZ0dBua/tEtRpXQvTI=
endpoint: 93.184.216.34:53107
allowed ips: 10.10.0.2/32, fd86:ea04:1111::2/128
latest handshake: 1 minute, 4 seconds ago
transfer: 721.85 KiB received, 3.46 MiB sent
In the example above, I have 2 clients (my phone and my laptop) connected. Your devices can only be referenced by their public key – there’s no built-in way to put a name to these devices.
Removing Clients
Internally, all wg-addclient
does is append to /etc/wireguard/wg0.conf
something like:
[Peer]
PublicKey = DvLpEHPP5cFoX4nlFg0Jehq2RLZ0dBua/tEtRpXQvTI=
AllowedIPs = 10.10.0.2/32, fd86:ea04:1111::2/128
And so to remove a client you remove the corresponding entry from wg0.conf
and reload the WireGuard service:
systemctl reload wg-quick@wg0
Destroying the VPN
As mentioned earlier, this is meant to be a temporary VPN setup. Leaving this running long-term will probably cost you more and you should consider just paying for a VPN service.
Destroying the VPN is as easy as deleting the CloudFormation stack. All the corresponding resources (EC2, security group, EIP, IAM etc) will be cleanly removed and no further charges will be incurred.
Closing Remarks
- Though I haven’t tried it, you could get WireGuard running with a nice admin UI similar to OpenVPN. See “Web UIs for WireGuard That Make Configuration Easier” for some good picks, though they will likely conflict with the setup here.
- There’s a fully featured Wireguard install script by Nyr that works for multiple Linux distributions; has like 10x the amount of bash code.
- This is not meant for production use.
- You can probably only add 200 clients (why would you need so many??)
- I don’t think any of the IPv6 stuff here is really needed; the EC2 instance I spun up does not even have an IPv6 address.
- None of the keys you see here are going to be usable once this post is up.
- You should not share your generated keys or VPN QR codes on the internet.
- You should thoroughly understand any script you execute from some random blogger on the internet 😉.
References: