How to install and configure your own VPN server in GCP with Wireguard

ivanmoreno

Iván Moreno

Posted on August 16, 2020

How to install and configure your own VPN server in GCP with Wireguard

Security is one of the most important things now days specifically in enterprise environments, a vpn helps to encrypt traffic from client to internet. Wireguard is a vpn protocol than works on the kernel side and acts like a network interface, is one of the most modern vpn protocols it’s based in public and private key exchange just like ssh does. A vpn can connect different host with encrypted connection throught internet, this topology can connect a simple client in an android app or even connect different hosts across datacenters, for example to connect workers in Kubernetes/swarm cluster in different datacenters regions with encrypted connection without open any public API on internet, wireguard also can be used to connect different home based host across internet only opening one UDP port and use the vpn server as encrypted bridge between clients.
In this tutorial we focus on implementation of vpn server on Google Cloud Platform (GCP) with wireguard, this setup will use a centos 8 on the server-side, and the configuration of one client in android device.

Server-side setup

In the server side we will use CentOS 8 in GCP, the steps are:

Create virtual host in GCP

In this step we need to have an account in Google Cloud Platform and create a vm instance in compute engine. In this step you need to select the vm resource of you preference, in my case I choose a general purpose virtual machine with E2 series processor, I select the e2-small configuration with 2 vCPU and 2GB of ram, finally I choose centos 8 with 20 GB of ssd storage, the configuration is showed in next image.

gcp-vm

Setup ssh keys

In order to access to our virtual machine, we need to create a ssh key, the ssh key are create with this command

ssh-keygen -t rsa -f ~/.ssh/[KEY_FILENAME] -C [USERNAME]
Enter fullscreen mode Exit fullscreen mode

And, restrict the access of the key

chmod 400 ~/.ssh/[KEY_FILENAME]
Enter fullscreen mode Exit fullscreen mode

Get public ssh key and copy
Copy directly from command line output

cat ~/.ssh/[KEY_FILENAME].pub
Enter fullscreen mode Exit fullscreen mode

Copy with xclip from command line

cat ~/.ssh/[KEY_FILENAME].pub | xclip -selection c
Enter fullscreen mode Exit fullscreen mode

Paste the public key in GCP. Go to Compute Engine -> Metadata -> SSH keys -> Edit -> Add item, then paste generated public ssh key
Then paste in GCP and test ssh connection

ssh -i ~/.ssh/[KEY_FILENAME] [USER]@[PUBLIC_IP_ADDRESS]
Enter fullscreen mode Exit fullscreen mode

Install Wireguard

Before install wireguard we need to update the system

sudo dnf update
Enter fullscreen mode Exit fullscreen mode

Then, we need to install some repositories

sudo yum install elrepo-release epel-release
Enter fullscreen mode Exit fullscreen mode

Finally, install wireguard kmod and wireguard tools

sudo yum install kmod-wireguard wireguard-tools
Enter fullscreen mode Exit fullscreen mode

Configure Wireguard Server

Before creating the wireguard config file is necessary to generate public and private key
First change to root user

sudo su -
Enter fullscreen mode Exit fullscreen mode

Go to /etc/wireguard directory

cd /etc/wireguard
Enter fullscreen mode Exit fullscreen mode

Limit default file permission of root user

umask 077
Enter fullscreen mode Exit fullscreen mode

Generate public and private key

wg genkey | tee private-key | wg pubkey > public-key
Enter fullscreen mode Exit fullscreen mode

Create a wireguard config file in /etc/wireguard/wgserver.conf and add the following lines

[Interface]
Address = 10.50.0.1/24
SaveConfig = true
PostUp = firewall-cmd --zone=public --add-port 50555/udp && firewall-cmd --zone=public --add-masquerade && firewall-cmd --zone=trusted --add-interface=wgserver && firewall-cmd --zone=trusted --add-masquerade
PostDown = firewall-cmd --zone=public --remove-port 50555/udp && firewall-cmd --zone=public --remove-masquerade && firewall-cmd --zone=trusted --remove-interface=wgserver && firewall-cmd --zone=trusted --remove-masquerade
ListenPort = 50555
PrivateKey = <private key>
Enter fullscreen mode Exit fullscreen mode

Config explained

  • Address: the address of subnet in wireguard interface, it must be a private ip address class a, b or c
  • SaveConfig: Update the config file when it added more users
  • PostUp: This setting is executed when the interface initializes, in this case configure the firewall
  • PostDown: This setting is executed when the interfaces shutdown, in this case remove firewall configuration
  • ListenPort: The port where wireguard is listen (wireguard only listen udp ports)
  • PrivateKey: Wireguard private key, this key was generated one step above in /etc/wireguard/private-key copy and paste in /etc/wireguard/wgserver.conf

Add firewall rules in GCP

Go to VPC network -> Firewall -> Create new firewall rule
To grant access to wireguard server add in source IP ranges 0.0.0.0/0, in protocols and ports add udp port on 50555 (ListenPort) then create the rule

Enable wireguard server at boot with systemd

systemctl enable --now wg-quick@wgserver
Enter fullscreen mode Exit fullscreen mode

Check the status

systemctl status wg-quick@wgserver
Enter fullscreen mode Exit fullscreen mode

The output will be like this

wg-status

Configure clients

To create peers, we need to create a folder wgclients and one template for all clients
The ~/wgclients/template.conf file will be like this

[Interface]
PrivateKey = <client_private_key>
Address = 10.50.0.xxx/32
[Peer]
PublicKey = <server_public_key>
Endpoint = <server_public_ip_address>:<server_listen_port>
# to route all traffic through wireguard server 
# AllowedIPs = 0.0.0.0/0, ::/0
# to route only wireguard server subnet
AllowedIPs = 10.50.0.0/24
Enter fullscreen mode Exit fullscreen mode

Then create a directory for each client, generate private and public key, copy template and replace client private key and address
Create client directory

mkdir ~/wgclients/client1
Enter fullscreen mode Exit fullscreen mode

Copy template

cp ~/wgclients/template.conf ~/wgclients/client1/client1.conf
Enter fullscreen mode Exit fullscreen mode

Generate client keys

wg genkey | tee private-key | wg pubkey > public-key
Enter fullscreen mode Exit fullscreen mode

Copy client private key and paste in client config file

cat private-key | xclip -selection c
Enter fullscreen mode Exit fullscreen mode

Edit ~/wgclients/client1/client1.conf and copy and paste client private key, the file will be like this

[Interface]
PrivateKey = QWERTfvCAJ5WgIqpCxOz9e7yYIzxOmB/PE1GBGNGJ29=
Address = 10.50.0.100/32
[Peer]
PublicKey = QWERTYvCAJ5WgIqpCxOz9e7yYIzxOmB/QWERTYNGJ20=
Endpoint = 32.54.69.87:50555
AllowedIPs = 10.50.0.0/24
Enter fullscreen mode Exit fullscreen mode

Then add client public key to /etc/wireguard/wgserver.conf after Interface config add the following lines

[Peer]
PublicKey = QWERTYvCAJ5WgIqpCxOz9e7yYIzxOmB/QWERTYNGJ20=
# if client have static ip address put here, else omit the field
# Endpoint = 32.54.69.87:50555
AllowedIPs = 0.0.0.0/0, ::/0
Enter fullscreen mode Exit fullscreen mode

Then reload config file in server-side

sudo su -c "wg addconf wgserver <(wg-quick strip wgserver)"
Enter fullscreen mode Exit fullscreen mode

Check wireguard config status, will appers the new client

sudo wg show wgserver
Enter fullscreen mode Exit fullscreen mode

Then test connection, in this case with an android app. First download wireguard android app on google play store, generate QR from client config file and load from app

Generate QR code from terminal

qrencode -t ansiutf8 < ~/wgclients/testclient/testclient.conf
Enter fullscreen mode Exit fullscreen mode

Example of QR code generated from command line

wg-qr

If everything works fine, type ifconfig.me in android browser, it will appear the wireguard server address, from command line will appear the latest handshake and transfer data summary.

Check connection in the server-side

sudo wg show wgserver
Enter fullscreen mode Exit fullscreen mode

wg-show

Now you can add more android clients with the same method, for desktop clients I highly recommend to add PersistentKeepalive option in server and client side, in the desktop you can use NetworkManager to import a connection or use systemd based service, also you can implement client config in OpenWrt router.

💖 💪 🙅 🚩
ivanmoreno
Iván Moreno

Posted on August 16, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related