How to install and configure your own VPN server in GCP with Wireguard

Server-side setup

  1. Create a virtual instance
  2. Set up SSH keys
  3. Install Wireguard
  4. Configure Wireguard Server
  5. Create Peers

1. Create virtual host in GCP

Set up SSH keys

chmod 400 ~/.ssh/[KEY_FILENAME]
# copy directly from command line output
cat ~/.ssh/[KEY_FILENAME].pub
# copy with xclip
cat ~/.ssh/[KEY_FILENAME].pub | xclip -selection c
ssh -i ~/.ssh/[KEY_FILENAME] [USER]@[PUBLIC_IP_ADDRESS]

Install Wireguard

sudo dnf update
sudo yum install elrepo-release epel-release
sudo yum install kmod-wireguard wireguard-tools

Configure Wireguard Server

# change to root user
sudo su -
# go to /etc/wireguard directory
cd /etc/wireguard
# limit default file permission of root user
umask 077
# generate public and private key
wg genkey | tee private-key | wg pubkey > public-key

Server config file /etc/wireguard/wgserver.conf:

[Interface]
Address = 10.50.0.1/24
SaveConfig = true
PostUp = firewall-cmd --zone=public --add-port 50555/udp && firewall-cmd --zone=public --add-masquerade && firewall-cmd --zone=trusted --add-interface=wgserver && firewall-cmd --zone=trusted --add-masquerade
PostDown = firewall-cmd --zone=public --remove-port 50555/udp && firewall-cmd --zone=public --remove-masquerade && firewall-cmd --zone=trusted --remove-interface=wgserver && firewall-cmd --zone=trusted --remove-masquerade
ListenPort = 50555
PrivateKey = <private key>

Add firewall rules in GCP

Enable wireguard server at boot with systemd

systemctl enable --now wg-quick@wgserver
systemctl status wg-quick@wgserver

Configure Peers

Client config template (~/wgclients/template.conf):

[Interface]
PrivateKey = <client_private_key>
Address = 10.50.0.xxx/32
[Peer]
PublicKey = <server_public_key>
Endpoint = <server_public_ip_address>:<server_listen_port>
# to route all traffic through wireguard server
# AllowedIPs = 0.0.0.0/0, ::/0
# to route only wireguard server subnet
AllowedIPs = 10.50.0.0/24

Create the first client:

# create client directory
mkdir ~/wgclients/client1
# copy template
cp ~/wgclients/template.conf ~/wgclients/client1/client1.conf
# generate keys inside the client directory, readable only by the owner
cd ~/wgclients/client1
umask 077
wg genkey | tee private-key | wg pubkey > public-key
# copy client private key and paste in client config file
cat private-key | xclip -selection c

Client config after filling in the template (~/wgclients/client1/client1.conf):

[Interface]
PrivateKey = QWERTfvCAJ5WgIqpCxOz9e7yYIzxOmB/PE1GBGNGJ29=
Address = 10.50.0.100/32
[Peer]
PublicKey = QWERTYvCAJ5WgIqpCxOz9e7yYIzxOmB/QWERTYNGJ20=
Endpoint = 32.54.69.87:50555
AllowedIPs = 10.50.0.0/24

Peer block to add to the server config (/etc/wireguard/wgserver.conf):

[Peer]
# public key of the client (contents of ~/wgclients/client1/public-key)
PublicKey = <client_public_key>
# if the client has a static IP address put it here, else omit the field
# Endpoint = 32.54.69.87:50555
# on the server, allow only this client's tunnel address; 0.0.0.0/0 here would
# accept any source address from this peer and route all server traffic to it
AllowedIPs = 10.50.0.100/32

Reload and verify:

# reload wgserver config file
sudo su -c "wg addconf wgserver <(wg-quick strip wgserver)"
# check wireguard config status, the new client will appear
sudo wg show wgserver
# generate QR code from terminal
qrencode -t ansiutf8 < ~/wgclients/client1/client1.conf
# check connection with
sudo wg show wgserver
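
As peers accumulate in the server config, it is worth checking that each [Peer] is limited to a single /32 inside the 10.50.0.0/24 tunnel subnet and that no address or public key is reused. The script below is an added example, not part of the original article; the names audit_peers and sample_conf and the sample config with its placeholder keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the [Peer] sections of a WireGuard *server* config.
# Assumes the article's tunnel subnet (10.50.0.0/24, server at 10.50.0.1).
# Reads the config on stdin; prints one line per finding, nothing if clean.
audit_peers() {
  awk '
    function value(line) {            # text after the first "=", trimmed
      sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line); return line
    }
    function flush_peer() {           # report on the peer just finished
      if (!in_peer) return
      if (key == "") print "peer " n ": missing PublicKey"
      else if (seen_key[key]++) print "peer " n ": duplicate PublicKey"
      if (ips !~ /^10\.50\.0\.[0-9]+\/32$/) {
        print "peer " n ": AllowedIPs \"" ips "\" is not a single /32 in 10.50.0.0/24"
      } else {
        split(ips, o, "[./]")
        if (o[4] + 0 < 2 || o[4] + 0 > 254) print "peer " n ": host " o[4] " is outside 2-254"
        else if (seen_ip[ips]++) print "peer " n ": address " ips " already assigned"
      }
    }
    /^[ \t]*#/ { next }                        # ignore comment lines
    /^[ \t]*\[/ { flush_peer(); in_peer = 0 }  # any section header ends a peer
    /^[ \t]*\[Peer\]/ { in_peer = 1; n++; key = ""; ips = "" }
    in_peer && /^[ \t]*PublicKey[ \t]*=/ { key = value($0) }
    in_peer && /^[ \t]*AllowedIPs[ \t]*=/ { ips = value($0) }
    END { flush_peer() }
  '
}

# Constructed sample config; keys are placeholders, not real keys.
sample_conf() {
  cat <<'EOF'
[Interface]
Address = 10.50.0.1/24
ListenPort = 50555
[Peer]
PublicKey = CONSTRUCTED_CLIENT_KEY_A=
AllowedIPs = 10.50.0.100/32
[Peer]
PublicKey = CONSTRUCTED_CLIENT_KEY_B=
AllowedIPs = 0.0.0.0/0, ::/0
[Peer]
PublicKey = CONSTRUCTED_CLIENT_KEY_A=
AllowedIPs = 10.50.0.100/32
EOF
}

sample_conf | audit_peers
```

On the server, run it as root with `audit_peers < /etc/wireguard/wgserver.conf`, since that file is readable only by root.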

Ivan Moreno


Engineer || MSc student || DevOps in progress