WireGuard is a modern, high-performance VPN protocol designed to be faster, simpler, and more secure than traditional VPN technologies like OpenVPN and IPsec. It is implemented in the Linux kernel and is known for its efficiency and ease of setup. In this article, we will walk through the steps to set up a WireGuard VPN on a Google Cloud Compute instance.
Prerequisites
Before beginning, ensure that you have the following:
- A Google Cloud account with access to Google Cloud Compute Engine.
- Basic understanding of terminal commands and SSH access to Google Cloud.
- A Linux-based Google Cloud Compute instance (e.g., Ubuntu, Debian, etc.) running.
- Administrative (root) access to the Compute instance.
Step 1: Creating a Google Cloud Compute Instance
To start, you’ll need to create a Compute instance in Google Cloud if you don’t have one already. Here are the steps:
- Log in to your Google Cloud Console.
- Navigate to the “Compute Engine” section.
- Click on “Create Instance” and select a machine type that suits your needs (e.g., n1-standard-1).
- Choose a region and zone that fits your requirements.
- Under the “Firewall” section, check “Allow HTTP traffic” and “Allow HTTPS traffic” only if the instance will also serve web traffic; WireGuard itself needs neither.
- Click on “Create” to launch the instance.
Once the instance is up, note its external IP address, as you will need it to connect via SSH.
Step 2: Installing WireGuard on the Compute Instance
After the instance is running, SSH into it using the following command:
ssh -i /path/to/your/private-key username@your-external-ip
Next, update the package list and install WireGuard by running:
sudo apt update
sudo apt install wireguard
This will install WireGuard and the necessary dependencies on your server.
Step 3: Configuring WireGuard
Now that WireGuard is installed, you need to configure it. First, generate the public and private keys for your server. Setting the umask first keeps the key files readable only by your user:
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
Store these keys in a secure location, as they are needed for the WireGuard configuration.
Next, create the WireGuard configuration file for the server. Open the configuration file using a text editor:
sudo nano /etc/wireguard/wg0.conf
Add the following content to the configuration file:
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
SaveConfig = true
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32
Replace <server-private-key> with the content of the server’s private key and <client-public-key> with the public key generated for the client, which we’ll create later.
Step 4: Enabling IP Forwarding
To ensure that the server forwards traffic properly, enable IP forwarding by editing the sysctl configuration:
sudo nano /etc/sysctl.conf
Find the line:
#net.ipv4.ip_forward=1
Uncomment it by removing the “#” symbol:
net.ipv4.ip_forward=1
Save and close the file, then apply the changes by running:
sudo sysctl -p
Step 5: Configuring Firewall Rules
To allow VPN traffic through the firewall, configure Google Cloud’s firewall rules:
- Go to the “VPC network” section of Google Cloud.
- Select “Firewall rules” and click “Create firewall rule”.
- Set a name for the rule, such as “allow-wireguard”.
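- Choose “Ingress” for direction, and “0.0.0.0/0” for the source IP range. This exposes the port to any address; use a narrower range if your clients connect from known addresses.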
- Under “Protocols and ports”, select “Specified protocols and ports” and input “UDP:51820” to allow WireGuard traffic on port 51820.
- Click “Create” to apply the firewall rule.
Step 6: Starting WireGuard
To bring up the WireGuard interface, use the following command:
sudo wg-quick up wg0
To ensure the WireGuard interface starts automatically upon boot, run:
sudo systemctl enable wg-quick@wg0
Step 7: Generating Client Configuration
Next, generate the client’s public and private keys, with a restrictive umask so the key files are not readable by other users:
umask 077
wg genkey | tee client_private.key | wg pubkey > client_public.key
Create a WireGuard configuration file for the client, using the following command:
nano ~/wg-client.conf
Add the following configuration:
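[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32
[Peer]
PublicKey = <server-public-key>
Endpoint = <server-external-ip>:51820
AllowedIPs = 0.0.0.0/0
Replace <client-private-key> with the client’s private key, <server-public-key> with the server’s public key, and <server-external-ip> with the server’s external IP address. AllowedIPs = 0.0.0.0/0 routes all of the client’s IPv4 traffic through the tunnel.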
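A pre-flight check for the files written in Steps 3 and 7, as an added example (not part of the original article or of wireguard-tools): the hypothetical helper `audit_wg_conf` fails if a config is readable by other users, if a key field was left unfilled, or if a peer lacks AllowedIPs. It assumes GNU `stat`, as found on Ubuntu and Debian.

```shell
#!/bin/sh
# Added example: audit_wg_conf is a hypothetical helper, not part of wireguard-tools.
# It checks a config such as /etc/wireguard/wg0.conf before `wg-quick up`.

audit_wg_conf() (
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "$conf: not found"; exit 2; }

    # The file holds a private key, so group and other get no access.
    mode=$(stat -c '%a' "$conf")    # GNU stat, as shipped on Ubuntu/Debian
    case $mode in
        600|400) ;;
        *) echo "$conf: mode $mode, expected 600"; rc=1 ;;
    esac

    # Walk the sections: keys must be filled in, every peer needs AllowedIPs.
    awk -v f="$conf" '
        # A WireGuard key is 32 bytes in base64: 43 characters plus one "=".
        function valid(v) { return length(v) == 44 && v ~ "^[A-Za-z0-9+/]+=$" }
        function close_peer() {
            if (sect != "peer") return
            if (!pub) { print f ": [Peer] has no valid PublicKey"; bad = 1 }
            if (!ips) { print f ": [Peer] has no AllowedIPs"; bad = 1 }
        }
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        /^[ \t]*\[/ {                                # [Interface] or [Peer]
            close_peer()
            sect = tolower($0); gsub(/[^a-z]/, "", sect)
            pub = 0; ips = 0; next
        }
        {
            i = index($0, "="); if (i == 0) next
            k = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (sect == "interface" && k == "privatekey") {
                seen = 1
                if (!valid(v)) { print f ": PrivateKey is empty or malformed"; bad = 1 }
            }
            if (sect == "peer" && k == "publickey") pub = valid(v)
            if (sect == "peer" && k == "allowedips" && v != "") ips = 1
        }
        END {
            close_peer()
            if (!seen) { print f ": no PrivateKey in [Interface]"; bad = 1 }
            exit bad + 0
        }
    ' "$conf" || rc=1
    exit "$rc"
)
```

Load the function into a root shell and call `audit_wg_conf /etc/wireguard/wg0.conf`; a non-zero exit status means the file needs fixing before the interface is brought up.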
Step 8: Testing the VPN Connection
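To test the VPN connection, place the client configuration from Step 7 on the client machine as /etc/wireguard/wg0.conf, which is where wg-quick looks up the interface name wg0, then run: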
sudo wg-quick up wg0
Once the connection is established, you should be able to ping the server’s VPN address (10.0.0.1) from the client.
ping 10.0.0.1