Deploying WireGuard through the Linode Marketplace


WireGuard® is a simple, fast, and modern virtual private network (VPN) which utilizes state-of-the-art cryptography. It aims to be faster and leaner than other VPN protocols such as OpenVPN and IPSec, and it has a much smaller source code footprint.

Configuring WireGuard is as simple as configuring SSH. A connection is established by an exchange of public keys between server and client, and only a client whose public key is present in the server’s configuration file is considered authorized. WireGuard sets up standard network interfaces which behave similarly to other common network interfaces, like eth0. This makes it possible to configure and manage WireGuard interfaces using standard networking tools such as ifconfig and ip.

The WireGuard Marketplace App will create a Linode instance and set up a WireGuard network device named wg0 on it. This device will have a simple configuration which can send and receive traffic to/from a single WireGuard peer (which will also be referred to as your WireGuard client).

Note

The peer configurations provided by the Marketplace App and this guide will allow you to directly connect your WireGuard server and client. This configuration will not enable forwarding of all of your client’s traffic through the WireGuard server to the public Internet (though that arrangement is possible with WireGuard).

Your WireGuard configuration can be adjusted after you first set up your Marketplace App; review the WireGuard man page for more information about the options that are available.

Deploying the WireGuard Marketplace App

The Linode Marketplace allows you to easily deploy software on a Linode using the Linode Cloud Manager.

  1. Log in to the Cloud Manager and select the Marketplace link from the left navigation menu. This displays the Linode Compute Create page with the Marketplace tab pre-selected.

  2. Under the Select App section, select the app you would like to deploy.

  3. Fill out all required Options for the selected app as well as any desired Advanced Options (which are optional). See the Configuration Options section for details.

  4. Complete the rest of the form as discussed in Getting Started > Create a Linode.

  5. Click the Create Linode button. Once the Linode has provisioned and has fully powered on, wait for the software installation to complete. If the Linode is powered off or restarted before this time, the software installation will likely fail. To determine if the installation has completed, open the Linode’s Lish console and wait for the system login prompt to appear.

  6. Follow the instructions within the Getting Started After Deployment section.

Software installation should complete within 2-5 minutes after the Linode has finished provisioning.

Configuration Options

WireGuard Options

The WireGuard Marketplace form includes fields for your WireGuard client’s public key and for your client’s endpoint IP (which is your client’s public IP address). If you have already set up your client and installed the WireGuard software on it prior to setting up your WireGuard Marketplace App, then you may already have this information. If you do have the key and the endpoint IP for the client, you can enter them into the app’s creation form, and your server’s configuration will be pre-populated with those values.

Note
Please note that a public key generated by WireGuard will not resemble a public key that you might use for SSH connections; when in doubt, leave the form’s Public Key (Client) field blank.

If you do not have the values for these fields, you can leave them empty. After the app is deployed, visit the Configure and Connect your WireGuard Client and Server section to set up your client and generate a key. The instructions in that section will also show you how to insert the key and the endpoint IP for your client into your server’s configuration.

| Field | Description |
|-------|-------------|
| Port | Set your WireGuard server’s listening port number. The default is: 51820. Advanced Configuration. |
| Tunnel IP | Your WireGuard server’s tunnel IP address and subnet in CIDR notation. The default is: 10.0.1.1/24. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates. Advanced Configuration. |
| WireGuard Public Key (Client) | Your WireGuard client’s public key. Advanced Configuration. |
| Tunnel IP (Client) | Your WireGuard client’s tunnel IP address and subnet in CIDR notation. The default is: 10.0.1.2/24. This is not the same as a private IP address that Linode can assign to your Linode instance; instead, this address is managed by the network that WireGuard creates. Advanced Configuration. |
| Endpoint IP (Client) | The Internet address of your WireGuard client. If your WireGuard client is another Linode, then the Endpoint IP is the public IP of that Linode, which is visible in the Linode’s dashboard in the Linode Cloud Manager. Advanced Configuration. |

General Options

For advice on filling out the remaining options on the Create a Linode form, see Getting Started > Create a Linode. That said, some options may be limited or recommended based on this Marketplace App:

  • Supported distributions: Debian 9
  • Recommended minimum plan: All plan types and sizes can be used. The plan that you select should be appropriate for the amount of data transfer, users, and other stress that may affect the performance of your VPN.

Getting Started after Deployment

Configure and Connect your WireGuard Client and Server

After your Marketplace App has provisioned your WireGuard server, you can proceed with setting up your WireGuard client and establishing a connection to the server.

If you did not provide a public key for WireGuard when you first set up your Marketplace App, you will need to follow the next set of steps. These instructions will set up your client and inform your server of your client’s public key. If you did provide a public key when deploying the Marketplace App and have set up your client, skip to the second collection of steps in this section.

  1. Follow the WireGuard Client section of our WireGuard guide to generate a public/private keypair for your client, and to set up the WireGuard network interface configuration on your client.

  2. Connect to your Marketplace App’s Linode via SSH.

  3. Bring down the wg0 interface on the server:

    wg-quick down wg0
    
  4. Open the /etc/wireguard/wg0.conf file in a text editor (nano, for example).

  5. You will see a line that reads PublicKey = under the [Peer] section. Append your client’s public key to this line.

  6. You will also see a line that reads Endpoint = . Append your client’s Internet address to this line and then save the file. If your WireGuard client is also a Linode, use your Linode’s public IP. If your client is on your home computer, visit a site like whatismyip.com to get your address.

  7. Bring the wg0 interface back up on the server:

    wg-quick up wg0
    
    Note
    wg-quick is a convenient wrapper for many of the common functions in wg. To learn more about all the available commands for each utility, issue the wg --help and wg-quick --help commands from your Linode’s command line.
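
The key check from the note in the WireGuard Options section, combined with steps 4 and 5 above, as an added example that is not part of the Marketplace App's script or the original guide. It accepts only a 44-character base64 string that decodes to 32 bytes (the form WireGuard keys take) and fills the empty PublicKey line under [Peer]; the function names and the sample config layout are assumptions, and it should be run against a copy of /etc/wireguard/wg0.conf first.

```shell
#!/bin/sh
# Added example: validate a WireGuard public key, then fill the empty
# "PublicKey =" line of the [Peer] section in a wg-quick config file.

# Succeeds only for 44 base64 characters ending in "=" that decode to 32 bytes.
is_wg_pubkey() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;  # space or hyphen, e.g. an "ssh-ed25519 ..." line
        *=) ;;
        *) return 1 ;;
    esac
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# set_peer_pubkey FILE KEY: refuses invalid keys; FILE is rewritten only
# when an empty PublicKey line was found under [Peer].
set_peer_pubkey() {
    conf=$1
    is_wg_pubkey "$2" || { echo "not a WireGuard public key" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v key="$2" '
        /^\[/ { in_peer = ($0 ~ /^\[Peer\]/) }
        in_peer && /^PublicKey[ \t]*=[ \t]*$/ { print "PublicKey = " key; done = 1; next }
        { print }
        END { exit (done ? 0 : 2) }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"    # overwrite in place so the file keeps its mode and owner
    rm -f "$tmp"
}

# Demo on a constructed config (hypothetical layout, not the app's real file).
demo_conf=$(mktemp)
printf '%s\n' '[Interface]' 'Address = 10.0.1.1/24' 'ListenPort = 51820' '' \
    '[Peer]' 'PublicKey =' 'Endpoint =' > "$demo_conf"
# The key below is the format sample printed in this guide, used as a stand-in.
set_peer_pubkey "$demo_conf" 'FngGVypEJ13KU8+OeBGG1sOd2i+aazsj7qPL3ZxacG8=' && cat "$demo_conf"
rm -f "$demo_conf"
```

A pasted SSH public key fails the check before the file is touched, which is the mistake the note warns about.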

You should now have your server configuration completed. At this point, you still need to complete your client’s configuration; specifically, you need to add your server as a peer to the client:

  1. Connect to your Marketplace App’s Linode via SSH.

  2. Just like your client, your server also has a public/private keypair of its own. The Marketplace App script leaves a copy of these keys in the root user’s home folder:

    ls /root
    
    wg-private.key	wg-public.key

  3. Use the cat command to get the value of the server’s WireGuard public key:

    cat /root/wg-public.key
    
  4. You should see a random string similar to:

    FngGVypEJ13KU8+OeBGG1sOd2i+aazsj7qPL3ZxacG8=

  5. Copy the output of your server’s public key, then use it to complete steps 1 and 2 of the Connect the Client and Server section of our WireGuard guide. These steps will tell you to append a [Peer] section to your client’s existing WireGuard configuration and then how to enable the service on your client.

    Enter your server’s WireGuard tunnel IP (using the /24 CIDR notation) as the value for the AllowedIPs setting, and set the server’s public IP address and WireGuard port to be the Endpoint. Here’s an example template for a completed client configuration:

    [Interface]
    PrivateKey = <Your client WireGuard private key>
    Address = 10.0.1.2/24
    
    [Peer]
    PublicKey = <Your server WireGuard public key>
    AllowedIPs = 10.0.1.1/24
    Endpoint = <Your WireGuard server public IP>:51820

    After you complete steps 1 and 2 from that section, you will have established the server as the client’s peer.

Test your WireGuard Client’s Connection

This test should be performed once you have configured a WireGuard client and updated your WireGuard server to include the client’s peer information:

  1. Access your WireGuard client and ping the WireGuard server. Replace 10.0.1.1 with the tunnel IP address you assigned to the WireGuard server in the Marketplace App creation form:

    ping 10.0.1.1
    
  2. Use the WireGuard utility to verify your client’s latest handshake:

    wg show
    

    The last two lines of the output from running the wg command should be similar to:

    latest handshake: 1 minute, 17 seconds ago
    transfer: 98.86 KiB received, 43.08 KiB sent

Software Included

| Software | Description |
|----------|-------------|
| WireGuard | VPN software. |
| UFW (Uncomplicated Firewall) | Firewall utility. Incoming and outgoing traffic is allowed on the Port assigned during the WireGuard Options step of the deployment. |

“WireGuard” is a registered trademark of Jason A. Donenfeld.
