WireGuard is a modern VPN (Virtual Private Network) software. It is designed to be cross-platform and run almost anywhere. Compared to other similar software, it is faster, more secure, and simpler.
In this tutorial, we show you how to use WireGuard to spin up a private mesh network to create a secure private connection between your different servers and Instances. A mesh network allows your devices to communicate with each other using a Virtual Private Network without the need for a central server:
We use two Ubuntu Instances, one located in the PAR-1 region, and the other located in the AMS-1 region, and create a virtual network between them.
To complete the actions presented below, you must have:
Log into each of your Instances using SSH:
Update and upgrade your system, install the kernel headers for your version, and install WireGuard using apt:
Run wg to make sure WireGuard is installed. You should get no output, indicating that WireGuard was correctly installed. You can run modprobe wireguard to check that the WireGuard kernel module has loaded. Depending on your system configuration, a reboot might be required to activate the wireguard module.
Generate the public and private keys for WireGuard:
Run cat privatekey and cat publickey for both Instances to retrieve their private and public keys. An output similar to the following displays:
Smaller VPNs can be configured using the wg0.conf configuration file of WireGuard. The following parameters are set in the configuration file:
192.168.1.1 is a randomly chosen private IP address for the VPN interface of the virtual Instances located in PAR-1.192.168.1.2 is a randomly chosen private IP address for the VPN interface of the virtual Instances located in AMS-1.Endpoint is the public IP address of every other Instance.52345 is a randomly chosen UDP port number used for the communication of the VPN.In this example, we assume that the Instance is the one we created in the PAR-1 region.
Create the directory in which you will save your file using the following command mkdir -p /etc/wireguard.
Create the file /etc/wireguard/wg0.conf using the following command: nano /etc/wireguard/wg0.conf and paste the following content. Replace the values in the brackets as necessary:
Your file should look like the following:
In this example, we assume that the Instance is the one we created in the AMS-1 region.
Create the directory in which you will save your file using the following command mkdir -p /etc/wireguard.
Create the file /etc/wireguard/wg0.conf using the following command: nano /etc/wireguard/wg0.conf and paste the following content. Replace the values in the brackets as necessary:
Enable and start WireGuard on both Instances using systemctl:
Test the VPN connection on each Instance using the ping command:
As you can see, each Instance responds to the ping command of the other peer, indicating that the VPN connection is active.
If you have problems with the ping, check the content of your wg0.conf files and then use the command systemctl restart wg-quick@wg0.
If you have problems with the ping, check the content of your wg0.conf files and then use the command systemctl restart wg-quick@wg0.service.
You can now transfer data between your Instances over a secure private network connection.
When managing a large number of machines in a WireGuard mesh network, configuring them manually can be time-consuming. Several projects facilitate the automated generation of WireGuard configurations to manage your mesh networks with ease. We will use a Python script called WireGuard Mesh Configurator to generate the configurations for our Instances.
You can carry out the following steps on your local machine, or any Instance:
Make sure git, python3-pip, and python3 are installed on your machine:
Clone the GitHub repository of the script you need for the configuration:
Enter the script’s directory and install the requirements for it:
Create a new configuration:
Type wg-meshconf addpeer <PEERNAME> --address=<SUBNET> to create a new peer. Make sure you replace the information between brackets as necessary.
Repeat this step for all peers in the mesh network.
Run wg-meshconf showpeers to make sure your peers have been added correctly.
Use the following command to generate the configuration files for all peers wg-meshconf genconfig. The configuration files will be named after the peers’ names. By default, all configuration files are exported into a subdirectory named output.
Access a specific configuration file using the following commands:
Copy the created WireGuard configuration files to each Instance using any method you like (SFTP, FTPS, plain copy & paste, etc.). Make sure to store the configuration at /etc/wireguard/wg0.conf to be able to use the wg-quick command for express configuration.
SSH into each of the Instance peers and configure WireGuard. We use the wg-quick command to create an interface using our generated configuration and make it a service, so the interface will be configured automatically during system boot. Repeat this step on any of the peers.
You have now configured a mesh network using WireGuard which allows your Instances to communicate between themselves via a private and encrypted connection. As there is no central server, the network will continue to work if one of the peers fails.
For more information about WireGuard, refer to the official documentation.
“WireGuard” is a registered trademark of Jason A. Donenfeld.