The high-level steps are as follows:
- Reserve an external IP address
- Configure a firewall rule that allows inbound WireGuard traffic (UDP 51820) from any address
- Create a VM
- Set up the WireGuard server
- Set up the WireGuard client(s)
Reserve an external IP address
Go to the IP address page in GCP, and click “Reserve static IP address”.
In order to receive the free 200GB/mo, select the “Standard” network service tier.
Websites that geolocate by IP address will place you in whichever region you choose here.
Configure a firewall
Next, go to the firewall page and create a new “firewall rule”.
Use the following configuration:
- Direction: ingress
- Targets: All instances in the network
- IP Range: “0.0.0.0/0” (accept connections from any source address; the next setting limits them to the WireGuard port)
- Protocols and ports: click “Specified protocol and ports”, tick “UDP” and set the port to 51820
Create a VM
Go to the Compute Engine page and create a new instance.
Use the following config:
- For the machine, select the N1 series, then choose f1-micro. This is the cheapest machine.
- In “Boot disk”, change the image to Ubuntu, version 20.04 LTS.
- In the networking section, make sure to configure the following two things:
  - Select the external IP address to be the one reserved earlier
  - Tick “IP forwarding”
Set up WireGuard server
Next, SSH into the VM. Run the following commands:
1. Update the system
sudo apt update && sudo apt upgrade
2. Check if a reboot is required:
cat /var/run/reboot-required
If the response is “*** System restart required ***”, reboot the VM instance.
3. Turn on IP forwarding for IPv4
Edit the file /etc/sysctl.conf and uncomment this line:
net.ipv4.ip_forward=1
Then apply changes by running
sudo sysctl -p
4. Install WireGuard
sudo apt install wireguard
5. Create server keys
sudo mkdir -p /etc/wireguard/keys; wg genkey | sudo tee /etc/wireguard/keys/server.key | wg pubkey | sudo tee /etc/wireguard/keys/server.key.pub
This creates the server's private key (server.key) and public key (server.key.pub). You can use this command to see the contents:
cat /etc/wireguard/keys/server.key
6. Check your default network interface
Keep note of this:
ip -o -4 route show to default | awk '{print $5}'
This value replaces <YOUR_NETWORK_INTERFACE> in the next step.
7. Create a config file for WireGuard server
Edit this file:
sudo nano /etc/wireguard/wg0.conf
Fill it with the below content:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <YOUR_SERVER_PRIVATE_KEY>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <YOUR_NETWORK_INTERFACE> -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <YOUR_NETWORK_INTERFACE> -j MASQUERADE
SaveConfig = true
8. Set permissions for the server files to be accessible only by root
sudo chmod 600 /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/keys/server.key
sudo chmod 600 /etc/wireguard/keys/server.key.pub
9. Turn on wg0 WireGuard interface:
sudo wg-quick up wg0
Make sure wg0 is running and that its public key matches the contents of server.key.pub:
sudo wg show wg0
10. Set wg0 to be started at boot
sudo systemctl enable wg-quick@wg0
11. Open the WireGuard port in the firewall
sudo ufw allow 51820/udp
Open the port for SSH as well:
sudo ufw allow 22/tcp
12. Turn on firewall
sudo ufw enable
13. Check the firewall status and make sure the WireGuard and SSH ports are open:
sudo ufw status verbose
14. Set the MTU to 1360 because of a limitation in Google Cloud Platform:
sudo ip link set dev wg0 mtu 1360
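The script below is an added post-install check for the server steps above; it is not part of the original guide. Each check takes the relevant command output as a string, so the logic can be read and tested without root, and `run_all` gathers the live values with the same commands the steps use. It assumes the names from the guide (interface wg0, UDP port 51820, MTU 1360, public key in /etc/wireguard/keys/server.key.pub) and the standard Ubuntu output formats of `ufw status` and `ip link show`.

```shell
#!/usr/bin/env bash
# Added post-install check script (not from the original guide).
# Each check takes the relevant command output as a string, so the logic can be
# read and tested without root; run_all gathers the live values with the
# commands used in the steps above. Assumed (from the guide): interface wg0,
# UDP port 51820, MTU 1360, public key in /etc/wireguard/keys/server.key.pub.
set -eu

WG_IF=wg0
WG_PORT=51820
WG_MTU=1360
SERVER_PUB_FILE=/etc/wireguard/keys/server.key.pub

# $1 = output of `sysctl -n net.ipv4.ip_forward` (step 3). Without it, client
# traffic reaches wg0 but is never routed out to the internet.
check_ip_forward() {
    [ "$1" = "1" ]
}

# $1 = output of `wg show wg0 public-key`, $2 = contents of server.key.pub (step 9).
check_pubkey_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# $1 = output of `ufw status` (steps 11-13). Both rules must be present: the
# WireGuard port for the tunnel, and 22/tcp so that enabling ufw does not lock
# you out of the VM.
check_ufw_rules() {
    status=$1
    missing=0
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "ufw is not active" >&2; missing=1; }
    printf '%s\n' "$status" | grep -Eq "^$WG_PORT/udp +ALLOW" \
        || { echo "$WG_PORT/udp is not allowed" >&2; missing=1; }
    printf '%s\n' "$status" | grep -Eq '^22/tcp +ALLOW' \
        || { echo "22/tcp is not allowed" >&2; missing=1; }
    return $missing
}

# $1 = output of `ip link show wg0` (step 14). Extracts the number after "mtu".
check_mtu() {
    mtu=$(printf '%s\n' "$1" | sed -n 's/.* mtu \([0-9]*\) .*/\1/p')
    [ "$mtu" = "$WG_MTU" ]
}

# Collect live values and run every check; exit status is non-zero if any failed.
run_all() {
    failed=0
    check_ip_forward "$(sysctl -n net.ipv4.ip_forward)" \
        || { echo "FAIL: IPv4 forwarding is off"; failed=1; }
    check_pubkey_matches "$(wg show "$WG_IF" public-key)" "$(cat "$SERVER_PUB_FILE")" \
        || { echo "FAIL: $WG_IF is down or its key does not match $SERVER_PUB_FILE"; failed=1; }
    check_ufw_rules "$(ufw status)" || { echo "FAIL: firewall rules incomplete"; failed=1; }
    check_mtu "$(ip link show "$WG_IF")" || { echo "FAIL: $WG_IF MTU is not $WG_MTU"; failed=1; }
    [ "$failed" -eq 0 ] && echo "all server checks passed"
    return $failed
}

# Run the live checks only when asked (needs root): sudo bash wg-server-check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_all
fi
```

Run it as `sudo bash wg-server-check.sh --run` after step 14. One thing the MTU check will surface later: the `ip link set` command in step 14 does not survive a reboot or a `wg-quick down`/`up` cycle, so if the check starts failing after a restart, the persistent equivalent is an `MTU = 1360` line in the `[Interface]` section of wg0.conf.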
Set up WireGuard clients
The steps here include:
- Create keys
- Create a config
- Create a QR code based on the config
1. Create keys
Each client needs its own key pair. Create one with these commands:
sudo mkdir -p /etc/wireguard/clients; wg genkey | sudo tee /etc/wireguard/clients/mobile.key | wg pubkey | sudo tee /etc/wireguard/clients/mobile.key.pub
In this example, the client is called “mobile”.
2. Create a config / interface for the client
Create a new config file:
sudo nano /etc/wireguard/clients/mobile.conf
The contents of the file should be:
[Interface]
PrivateKey = <CLIENT'S-PRIVATE-KEY>
Address = <PRIVATE-IP-OF-WIREGUARD-SERVER>/24
DNS = 1.1.1.1, 1.0.0.1
MTU = 1360
[Peer]
PublicKey = <YOUR-SERVER'S-PUBLIC-KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = <STATIC-IP-OF-GCP-INSTANCE>:51820
Variable definitions:
- CLIENT'S-PRIVATE-KEY will be from /etc/wireguard/clients/mobile.key
- PRIVATE-IP-OF-WIREGUARD-SERVER is the client's address inside the VPN, for example 10.0.0.2 (the /24 suffix is already in the template); for each new client, just bump the last number, e.g. 10.0.0.3
- YOUR-SERVER'S-PUBLIC-KEY will be from /etc/wireguard/keys/server.key.pub
- STATIC-IP-OF-GCP-INSTANCE is the static IP address that was reserved at the start
To get the key values you can run, for example:
cat /etc/wireguard/keys/server.key.pub
3. (optional) Use a DNS server that filters ads
To filter ads, change the value of DNS to one of the pairs of AdGuard's DNS servers listed below:
Default servers
AdGuard DNS will block ads and trackers.
94.140.14.14
94.140.15.15
Non-filtering servers
AdGuard DNS will not block ads, trackers, or any other DNS requests.
94.140.14.140
94.140.14.141
Family protection servers
AdGuard DNS will block ads, trackers, adult content, and enable Safe Search and Safe Mode, where possible.
94.140.14.15
94.140.15.16
4. Add the client to the server interface
sudo wg set wg0 peer <YOUR_CLIENT_PUBLIC_KEY> allowed-ips <YOUR_CLIENT_VPN_IP>
Variable definitions:
- YOUR_CLIENT_PUBLIC_KEY will be from /etc/wireguard/clients/mobile.key.pub
- YOUR_CLIENT_VPN_IP will be what you defined in the previous step, e.g. 10.0.0.2 or 10.0.0.3
Once you’ve run this, you can verify that the client has been added to the server by running:
sudo wg show wg0
The same command also shows the data transferred by each client.
5. Create QR codes
First, make sure the qrencode tool is installed:
sudo apt install qrencode
Temporarily make the relevant files accessible:
sudo chmod 777 /etc/wireguard/
sudo chmod 777 /etc/wireguard/clients/
sudo chmod 777 /etc/wireguard/clients/mobile.conf
Create the QR code:
qrencode -t ansiutf8 < /etc/wireguard/clients/mobile.conf
Then change access back to root (IMPORTANT):
sudo chmod 600 /etc/wireguard/
sudo chmod 600 /etc/wireguard/clients/
sudo chmod 600 /etc/wireguard/clients/mobile.conf
Once you have the QR code, open the WireGuard app on the phone, tablet, computer, etc., add a tunnel and scan the QR code.
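The script below is an added example, not part of the original guide, that performs client steps 1 to 5 above for one client in a single run. It creates the files under `umask 077`, so they are root-only from the moment they exist and the temporary `chmod 777` is not needed; the QR code is printed by root reading the file directly. It also automates "bump the last number" by reading the server's current peer list. It assumes the values from the guide (server on 10.0.0.1/24, port 51820, MTU 1360, client files in /etc/wireguard/clients, server key in /etc/wireguard/keys) and that `wg` and `qrencode` are installed; the script and file names are mine.

```shell
#!/usr/bin/env bash
# Added provisioning script (not from the original guide): performs steps 1-5
# of the client setup for one client in a single run. Files are created under
# umask 077, so they are root-only from the start and the temporary chmod 777
# is not needed; the QR code is printed by root reading the file directly.
# Assumed (from the guide): server on 10.0.0.1/24, port 51820, MTU 1360,
# client files in /etc/wireguard/clients, server key in /etc/wireguard/keys.
# Assumed by this script: `wg` and `qrencode` are installed.
set -eu

CLIENT_DIR=/etc/wireguard/clients
SERVER_PUB_FILE=/etc/wireguard/keys/server.key.pub
WG_IF=wg0
WG_PORT=51820
WG_MTU=1360
DNS_SERVERS="1.1.1.1, 1.0.0.1"   # swap for the AdGuard addresses in step 3 if wanted

# Next free address in 10.0.0.0/24, automating "bump the last number".
# $1 = output of `wg show wg0 allowed-ips` ("<pubkey><TAB><cidr> [<cidr>...]" per line).
# .1 is the server, so the first client gets .2 even with no peers yet.
next_client_ip() {
    last=1
    for word in $1; do                 # pubkeys never match the pattern, so only CIDRs count
        case $word in
            10.0.0.*)
                octet=${word##*.}      # "10.0.0.3/32" -> "3/32"
                octet=${octet%%/*}     # "3/32" -> "3"
                [ "$octet" -gt "$last" ] && last=$octet
                ;;
        esac
    done
    if [ "$last" -ge 254 ]; then
        echo "10.0.0.0/24 has no free client addresses" >&2
        return 1
    fi
    echo "10.0.0.$((last + 1))"
}

# Render the client config from step 2. $1 private key, $2 client VPN IP (no
# prefix), $3 server public key, $4 server's static (reserved) IP.
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = %s\nMTU = %s\n\n' \
        "$1" "$2" "$DNS_SERVERS" "$WG_MTU"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s:%s\n' \
        "$3" "$4" "$WG_PORT"
}

# Generate keys, write <name>.key/.key.pub/.conf, register the peer, print the QR.
provision_client() {
    name=$1
    endpoint=$2
    umask 077                          # every file below is created mode 600
    mkdir -p "$CLIENT_DIR"
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    ip=$(next_client_ip "$(wg show "$WG_IF" allowed-ips)")
    printf '%s\n' "$priv" > "$CLIENT_DIR/$name.key"
    printf '%s\n' "$pub"  > "$CLIENT_DIR/$name.key.pub"
    render_client_conf "$priv" "$ip" "$(cat "$SERVER_PUB_FILE")" "$endpoint" \
        > "$CLIENT_DIR/$name.conf"
    # Step 4: add the peer; SaveConfig = true in wg0.conf writes it back when wg0 goes down.
    wg set "$WG_IF" peer "$pub" allowed-ips "$ip/32"
    echo "client $name added with address $ip; scan this in the WireGuard app:"
    qrencode -t ansiutf8 < "$CLIENT_DIR/$name.conf"   # running as root, no chmod needed
}

# Usage: sudo bash add-client.sh mobile 203.0.113.10
# (203.0.113.10 is a placeholder for the static IP reserved at the start)
if [ $# -eq 2 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; exit 1; }
    provision_client "$1" "$2"
fi
```

Because `next_client_ip` only looks at `10.0.0.*` entries, peers whose allowed-ips are shown as `(none)` are ignored, and the two pure functions can be exercised without touching the live interface; the side-effecting part runs only when invoked with a client name and the server's static IP.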