How To Build Your Own Wireguard VPN Server in The Cloud

Forum post with instructions
forums.lawrencesystems.com/t/getting-started-building-your-own-wireguard-vpn-server/7425
⏱ Timestamps ⏱
0:00 Wireguard Intro
1:24 What is Wireguard
1:42 Wireguard Formal Cryptography Verification
2:08 Known Limitations of The Wireguard VPN
4:09 Tailscale Commercial Wireguard VPN Solution
4:48 Wireguard Deep Packet Inspection and Obfuscation
6:00 Wireguard & Hardware Crypto
6:48 Creating the Digital Ocean Wireguard Droplet
8:30 Preparing the Ubuntu 20.10 Wiregaurd Server
8:54 Enable IP Forwarding
9:48 Installing Wireguard
10:10 Creating the Public & Private Keys
11:12 Creating the Wiregaurd interface wg0 on the Server
14:06 Configure Clients & Peer Settings
16:36 Wireguard full routing VS Split Tunnel settings
17:48 How to Configure Wireguard to start on Bootup
18:50 Persistent Wireguard Keep Alive Settings
20:50 How Wireguard Creates Interfaces
23:00 Testing wireguard and full tunneling
27:00 Configuring Windows Wireguard Clients
32:30 Wireguard Inter client Communication
34:07 My Final Thoughts on Wireguard

The best wireguard tutorial I've seen, shows you everything you need to know, really great work

I learned a lot from this single video. Finally I was able to setup my VPS to connect to my home network behind a 4G router. Thank you so much and keep up the good work!

I have been playing with WireGuard for a while and like it a lot. Setting it up was a bit confusing, and I really wish I found this video first. You did an excellent job laying out how it works. Thank you!

Loving the Forums. Thanks for the Guides.

Thanks so much for this. I've spent many hours trying to get wireguard working using several different tutorials and never really succeeded because none of the tutorials had a practical and useful example. Now my VPN is up and fully functional doing exactly what I wanted.

Good tutorial! If i could make some wishes i would like a tutorial on how it could be used with docker networking. And also how to build and manage some more complex network structures.

old but gold!
first I have "hardened" server, set up ufw, fail2ban, suricata, and much more,
set up some services ane left server alone,
now 2nd day lost because I can not set up WG connection,
only this guide mentioned about need to enable ipv4 forwarding AND ufw.... -,-'
WORKS!!!
thanks man :)

This tutorial just saved me lot of time. Thank you so much

Mikrotik implemented WireGuard in ROS 7.1b2.
Finally I was able to set up a secure VPN at home without faffing with IPsec NAT-T issues or having a dedicated appliance running OVPN server.

Bless you, Tom! Thank you!

Very good video, advanced and precise information

Very helpful and clear. Thanks

THANK YOU SO MUCH FOR THIS VIDEO!!!

Second time watching still very cool - love it - Cheers ;O)

Kickass video! Thanks man!

This is a great video. Thank you!

Thank you for this very well explained video.

Every time I'm starting to look into a new tech you seems to cover it strait away, I literally installed wireguard the day before that video came (yesterday at the time of writing) up and that's the second time this happens! We are in sync that's awesome haha - keep up the great work :)

Very good explanation

Great video, many thanks - although I was watching it to figure out how to get my existing wireguard setup to work with IPv6 as my ISP has gone to the dreaded carrier grade nat.

First thanks for the good tutorial.
two questions:
- Is there an easy way to exclude individual IPs or IP ranges (e.g. 10.x.x.x/8) in order to have a full tunnel with the possibility of accessing something like a local NAS (in school or at the university), without calculating all the allowed IPs ranges?
-
What is with IPv6 and Wireguard?

Thanks for the review

Amazing...!!! Good.. Saludos desde Perú..!!!

speaking of automation. PiVPN is a good solution that allows you to install and manage Wireguard config and users with simplicity. Thanks for the video 🙌

Thank you!

Is that a Sangoma S705 on top of the open cabinet behind you?

Really great vid, thanks! Would you use UFW on your digital ocean droplet to separate different clients?

Nice as if there was an instruction on how to get to the LAN when I have a VPN wireguard client on the router placed on the VPS server .

Very good tutorial. But I have an query,
After following your instructions I was successfully able to deploy the WireGuard VPN server. But I do not want to route all traffic over Wireguard. I just want to create a secure tunnel to connect to my VPS hosted on private subnet with AWS but my internal traffic should still be routed through my internal network.
I tried multiple blogs like adding entry "Table=off" or only allow access using "AllowedIP" but that didn't work. Can you please confirm is that possible with WireGuard or not ?

Your video was so good.But I had found a little problem in the post that was "cd /etc/wiregaurd".The correct is"cd /etc/wireguard"

well done sir

Great video. Super usefull. What needs to be done in the client side so the youtubevpn activate automaticaly on boot?

high quality tutorial, great job!!

Thanks much for this in-depth tutorial! For some reason, I keep getting an "Object already exists" error. I found this in the log: 2021-05-22 08:00:41.351: [TUN] [Test] Unable to set interface addresses, routes, dns, and/or interface settings: The object already exists.
Do you have an idea what could be wrong? I triple-checked my addresses. Thanks!!

Thank You Lawrence Systems for this nice video,,as well as the written form of this videol. Got this setup,pretty easily on a Debian Linux Bullseye, locally to a Debian Linux Bullseye running in Google Compute Engine. Reason for doing this is actually to try and get a new Helium Miner to a public ip address were it is not in relayed mode. Still haven't got that working,,,yet! I am now behind a cgnat setup via a cellular provider,,so this is whole new thing.
Question, I am experiencing seems very much latency, about 145 ms just from the client machine to the Google Cloud VM Debian instance. Is this to be expected. Am still actually getting very good download/upload speed same as before,,just very delayed,,,much like dns is not setting up correctly. Thanks again

It’s amazing how TH-camrs can take a 3 minute process of creating a Wireguard tunnel and turn it into a year-long video 😂

Shouldn't you also enable some sort of firewall on the system? Since the machine is multihomed (public IP and wireguard) and you enable ip forwarding, I can now use your public interface to route traffic to that wireguard network if you don't filter it, or am I missing something?

I have some basic questions as I'm learning. Can I reinstall my VPS with a control panel (lets say Plesk) and then install wireguard and other services like FreePBX on the same server the easy way ?

Is this cheaper than something like pia or express VPN for accessing regional content if I pause the droplet when I am knot using it>

Good teacher

It is great video, complete understanding of wireguard, but I have few queries
I wanted to configure Only Allowed IP can go through VPN rest of things like TH-cam, Google, Facebook, Should work through my local internet connection
is it possible in this case? I tried but not able to do
can you please help me in that ?

Hi Lawrence, can you please make a tutorial of Wireguard VPN server in the cloud (VPS) and Pfsense firewall server connecting to it as a client and at the same time Wireguard sharing internet to PfSense firewall.
I hope you can entertain this request.

Wireguard combined with Linux namespaces is just so pleasant to use.

Hi, really great video. I have a question: Once I've set up wireguard how do I ensure that incoming traffic is only one way? Meaning when a network accesses my vpn they are not able to see or access another connected network. Is it one way by default or do I need to enforce this with some iptable command?

Nice tutorial, I do have some questions, I want to achieve a tunneling for a game server, the game server is on my home connection and I want to buy a VPS with a public IP which I want to use so people can connect to it without knowing my home IP. I'm gonna connect the server running the gameserver with the VPS through wireguard, then on the server I'm gonna use DNAT to "redirect" the packets to my home connection (through the wireguard interface). However, for the game server to be able to respond to those packets or to send other packets to the gameclients, I think I'll also have to modify the SNAT, however that would hide the player's IP address from the gameserver which I don't want. If I do a full tunnel from the home connection through wireguard, and only do DNAT on the VPS, would that work?

Wow - thanks a lot for this great tutorial. I really enjoy your content. Thanks a lot for sharing

Nice explanations as always... Dumb question how do you know 192.168.69.0 is the default route when looking at the routing table 25:07 ?

i got lost at the windows public key... the wg client had a public key at the top but you just ignore it and paste a different public key of the vpn server in the settings below? then what's the public key at the top for? thx

What am I going put to "AllowedIPs" of the "[Peer]" section in the server if client has dynamic IP?

Just stumbled across this video. Is there a way to instead of using a wireguard client, make pfSense the client instead? I have installed wireguard inside of pfSense, but now I am kind of stuck.

Hi man, did the same as you did, but my windows 10 seems to connect to the server. But have no internet. Please HELP

@Lawrence Systems What ssh client is that you're using in your demos?

We need an updated video!

Can you setup a wireguard server on a cloud, and set a single peer on pfsense to route everything down stream of the router over wireguard?

I'm able to connect to my Wireguard VPN, however, I'm not able to load hostnames (websites), but I can access my local devices via an IP address. Any idea what the issue is? TIA

Thank you for your video :) I tried with Debian buster but failed in Google cloud :( I am going to try with Ubuntu, and if that doesn't work, I will try with another VM service

Is it possible to do Port Forwarding in WireGuard Server?

Thanks Tom, a very informative video. can you make a small video for IOS CONFIGURATION setup please. I held at the point where you configure iOS application in Xcode. I have already add teamID of developer account as well as NetworkExtension also but not configure successfully. please help me .

what's the main website of your form website?

Very interesting, how does wireguard work with freepbx ? Like will it be easy to setup wireguard on freepbx server (using cent os) and enable clients connect to it ?

I stopped right after reading the known limitation! No passwords! No obfuscation! How can they call it a VPN!

i try wireguard but, is not working well, the issue is that i can ping devices on my network but i can't access it, i have a trueNAS chared folder and i can ping it but i can't access it, even the network sectionisn't working, it's like that the pc don't recognise the wireguard network adptor, how do i fix this?

Could you check out and review Tailscale? It’s basically ZeroTier but is much more user friendly, more configurable and also uses WireGuard!

if i i leave my house and, i don't have constant keep alive can i still conect

How would you pass netflix through it?

Would like to hear your opinion on OpenConnect VPN server.

By way of me learning something new everyday, at 22:30, wouldn't that create an IP address conflict?

why do the MTU's keep getting smaller as you add interfaces? is it just auto shrinking the MUT as more are added?

Trying to run keepalived over Wireguard interface and failing miserably. Has anyone tried this? If you're successful please share your experience.

Tom, I love you man, but... WTF does Obstication mean? I've heard of obfuscation ... I feel stupid.

What shell are you using, please?

I don't get it, do you need 2 vps, or can you use one interface and the other windows

when i install wirequard on all country worked but in turkmenistan not, and i need it in turkmenistan, how can i fix this problem ?

Is it possible to set up a Wireguard server in windows, or must it be some sort of *nix?

Can you add captions?

server wireguard error mes: client_loop: send disconnect: Connection reset by peer

i just locked myself out of my own vm by ufw enabling lol
anyways is there anyway around cgnat for this method, cant ping 69.1, feel like its a portforwarding issue. win10 and oracle free cloud vm btw
edit: running ubuntu

one question: when i initialize wg0 (server) and youtube(client), for example. wg0 command line freezes, what can i do?

How about pritunl or mistborn wireguard?

Thanks, very simple how-to video, very nice :)
1. Can you add a remote client without downing the wire guard interface ?
2. Can you add a client using a /32 subnet ip? eg: @11:41 & @14:31
- on server [Peer] # test debian client | AllowedIPs=192.168.69.2/32
- on client [Interface] Address=192.168.69.2/32
3. On the client side, using "AllowedIPs", do you have to put the wire guard ip, if just allowing your local network only? eg:
- on client [Peer] # ubuntu D.O.S | AllowedIPs=192.168.69.2/32, 10.10.1.1/24, 192.168.0.1/24
0. The AllowedIPs= is for network the clients wants to connect to? or connecting from ???????

Has WIreGuard been security vetted yet?

where are the whitepages pls

obfuscation, not obsucation

the reality is. i smell something fishy about WG, to good to be true, and free,
i always wonder, who gives up time into working and makeing perfect software for free? not only wg.
many ng firewalls come with open ports for secure tunels, and there are alot of tunnels used everyday in all os's that we have no idea about.
some of are publicaly known, like wg, vpn, ipsec, bla bla bla,
i mean you can create an ICMP tunnel and bypass any firewall, or dns tunnel,
using open source software means nothing, who knows to audit it, also knows the business behind it, and proffit.

Who made such a mess of IT.

You talk to server (and Linux) "initiated" persons... and not to the common (Windows) user, even advanced like me meaning... your pedagogy is very bad ! And you talk too fast on top of that so... quite user unfriendly tuto : (

Hi ,
please correct the line "Go to to the Wireguard config cd /etc/wiregaurd " # cd /etc/wireguard

ob-fuh-SKAY-shun. Say it with me. ;) great video - helped answer tons of questions I have

There is a typo @ your forums.lawrencesystem getting-started-building-your-own-wireguard-vpn-server/7425 at WG client section : cd /etc/wiregaurd it . Nicely explainned and consised

how to get public key for the Peer?