WireGuard VPN Setup Guide for AWS EC2

Complete WireGuard VPN Setup Guide for AWS

A comprehensive guide for setting up a WireGuard VPN server on AWS EC2

Table of Contents

  1. Understanding the Architecture
  2. Prerequisites
  3. AWS Infrastructure Setup
  4. WireGuard Server Installation
  5. Server Configuration
  6. Client Management
  7. Testing and Verification
  8. Troubleshooting
  9. Maintenance Guide

Understanding the Architecture

What is WireGuard?

WireGuard is a modern VPN protocol that aims to be simpler, faster, and more secure than traditional VPN protocols like OpenVPN or IPsec. It is a Layer 3 tunnel carried over UDP with a fixed, non-negotiable cipher suite (Curve25519 key exchange, ChaCha20-Poly1305 for packet encryption, BLAKE2s for hashing) built on the Noise protocol framework. Peers identify and authenticate each other solely by their static public keys: there are no certificates, usernames or passwords, so the key pairs are the whole access-control story.

Network Design

Our setup consists of three main networking components:

  1. AWS VPC Network (172.31.0.0/16)

    • Where your AWS resources (EC2 instances, etc.) live
    • Public Subnet: 172.31.16.0/20
  2. WireGuard Network (10.0.0.0/24)

    • Virtual network for VPN clients
    • Server: 10.0.0.1
    • Clients: 10.0.0.2 and up
  3. Client Networks

    • Individual remote users connecting to VPN
    • Each gets unique IP from WireGuard network range

How Traffic Flows

  1. Client initiates connection to VPN server (UDP port 51820); the server never initiates, and a sender whose public key is not in the server's peer list gets no response at all
  2. WireGuard completes the handshake and brings up the encrypted tunnel
  3. Client traffic for the ranges in its AllowedIPs (the WireGuard network and the VPC CIDR) is routed through the tunnel
  4. Server forwards the packets and source-NATs them (MASQUERADE) to its own VPC address, so VPC hosts see the VPN server as the sender and need no route back to 10.0.0.0/24
  5. Return traffic follows the reverse path

Prerequisites

AWS Requirements

  1. AWS Account with appropriate permissions
  2. EC2 instance (t2.micro or larger)
  3. Key pair for SSH access

Software Requirements

  • Ubuntu 20.04 LTS or newer
  • WireGuard packages
  • Basic Linux command line knowledge

Network Requirements

  • Stable internet connection
  • Outbound UDP to port 51820 allowed from the client's network (WireGuard is UDP only; there is no TCP fallback)
  • No conflicting VPN services running

AWS Infrastructure Setup

Step 1: VPC Setup

  1. Create VPC (if not using default)

    aws ec2 create-vpc --cidr-block 172.31.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=wireguard-vpc}]'
    
  2. Enable VPC Settings (two separate calls; the CLI does not accept both attributes at once)

    • DNS hostnames
    • DNS resolution
    aws ec2 modify-vpc-attribute --vpc-id <vpc-id> --enable-dns-hostnames "{\"Value\":true}"
    aws ec2 modify-vpc-attribute --vpc-id <vpc-id> --enable-dns-support "{\"Value\":true}"
    

Step 2: Security Group Configuration

  1. Create Security Group

    # Without --vpc-id the group is created in the default VPC, not the one from Step 1
    aws ec2 create-security-group \
      --group-name WireGuard-SG \
      --description "Security group for WireGuard VPN" \
      --vpc-id <vpc-id>
    
  2. Add Rules

    # WireGuard Port
    aws ec2 authorize-security-group-ingress \
      --group-id <sg-id> \
      --protocol udp \
      --port 51820 \
      --cidr 0.0.0.0/0
    
    # SSH Access: restrict to your own address. 0.0.0.0/0 would expose SSH to the whole
    # internet; only the WireGuard port needs to be reachable from anywhere.
    aws ec2 authorize-security-group-ingress \
      --group-id <sg-id> \
      --protocol tcp \
      --port 22 \
      --cidr <your-public-ip>/32
    
    # Internal VPC Traffic
    aws ec2 authorize-security-group-ingress \
      --group-id <sg-id> \
      --protocol all \
      --source-group <sg-id>
    

WireGuard Server Installation

Step 1: EC2 Instance Setup

  1. Launch Ubuntu EC2 instance
  2. Connect via SSH
  3. Update system:
    sudo apt update && sudo apt upgrade -y
    

Step 2: Install WireGuard

# Install WireGuard
sudo apt install wireguard -y

# Enable IP Forwarding (the kernel must route packets between wg0 and the VPC interface;
# sudo belongs on tee, not on echo, since only the write to /etc needs root)
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
sysctl net.ipv4.ip_forward    # should print net.ipv4.ip_forward = 1

# Verify Installation (the wg-quick@wg0 service cannot be checked yet: wg0.conf does not exist until the next section)
wg --version

Server Configuration

Step 1: Generate Server Keys

# Generate private key. umask 077 creates the file without group/world access,
# and sending tee's copy to /dev/null keeps the key off the terminal.
(umask 077; wg genkey | sudo tee /etc/wireguard/private.key > /dev/null)
sudo chmod 600 /etc/wireguard/private.key

# Generate public key (safe to display; this is what goes into client configs)
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Step 2: Create Server Configuration

Create /etc/wireguard/wg0.conf. It contains the server private key, so create it as root with mode 600 (for example sudo install -m 600 /dev/null /etc/wireguard/wg0.conf, then edit it) and never leave a world-readable copy around:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <contents-of-private.key>

# NAT Rules. eth0 is the primary interface on Xen-based instances such as t2;
# Nitro-based instances (t3 and newer) call it ens5. Check with: ip route get 1.1.1.1
# If the name is wrong, wg-quick up still succeeds but VPC hosts are unreachable.
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT

Step 3: Start WireGuard

# Enable WireGuard service
sudo systemctl enable wg-quick@wg0

# Start WireGuard
sudo systemctl start wg-quick@wg0

# Check status
sudo systemctl status wg-quick@wg0

Client Management

Step 1: Setup Client Management Script

  1. Save the script below as add-client.sh:
#!/bin/bash

# Script content as provided earlier
# (Your working script content goes here)
  2. Make executable:
chmod +x add-client.sh
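
The post refers to an add-client script "as provided earlier" that is not reproduced here. The following is an added example of such a script, not the author's script: it finds the lowest unused address in the WireGuard network by scanning the AllowedIPs already in wg0.conf, generates the client key pair, appends a [Peer] block to the server config, writes the client config with mode 600 under /etc/wireguard/clients/, and loads the new peer with wg syncconf so existing sessions stay up. The WG_* variables, the <elastic-ip> placeholder, the split-tunnel AllowedIPs default (VPN network plus VPC CIDR) and the 172.31.0.2 resolver (the Amazon-provided DNS sits at VPC base + 2, assuming the 172.31.0.0/16 VPC used in this guide) are assumptions of the example.

```shell
#!/usr/bin/env bash
# add-client.sh (added example, not the script the original post refers to).
# Usage: sudo ./add-client.sh <client-name>
# Assumed layout: $WG_DIR/wg0.conf and $WG_DIR/public.key exist; client
# configs are written to $WG_DIR/clients/<name>.conf with mode 600.
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"
WG_IF="${WG_IF:-wg0}"
WG_SUBNET="${WG_SUBNET:-10.0.0}"                         # first three octets of the tunnel net
WG_ENDPOINT="${WG_ENDPOINT:-<elastic-ip>:51820}"          # public address of the EC2 instance (assumed)
WG_DNS="${WG_DNS:-172.31.0.2}"                            # Amazon DNS at VPC base + 2 (assumes 172.31.0.0/16)
ALLOWED_IPS="${ALLOWED_IPS:-10.0.0.0/24, 172.31.0.0/16}"  # split tunnel: VPN net + VPC; 0.0.0.0/0 = full tunnel
WG_APPLY="${WG_APPLY:-1}"                                 # 0 = edit files only, do not touch the live interface

# Key generation is isolated in two functions so it can be swapped out (e.g. in tests).
gen_private_key() { wg genkey; }
derive_public_key() { wg pubkey; }   # private key on stdin, public key on stdout

# Print the lowest unused host address. Reads the server config on stdin and
# collects the /32 addresses already handed out; .1 is the server, so start at .2.
next_free_ip() {
    local used host
    used=$(sed -nE 's|^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*[0-9.]*\.([0-9]+)/32.*|\1|p' | sort -n)
    host=2
    while printf '%s\n' "$used" | grep -qx "$host"; do host=$((host + 1)); done
    [ "$host" -le 254 ] || { echo "subnet exhausted" >&2; return 1; }
    echo "${WG_SUBNET}.${host}"
}

# Client config: its key, tunnel address, resolver, and the server as its only peer.
render_client_conf() {   # args: client_private_key client_ip server_public_key
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/24
DNS = ${WG_DNS}

[Peer]
PublicKey = $3
Endpoint = ${WG_ENDPOINT}
AllowedIPs = ${ALLOWED_IPS}
PersistentKeepalive = 25
EOF
}

# Server-side [Peer] block: the client may only send from its own /32.
render_peer_block() {    # args: name client_public_key client_ip
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

add_client() {
    local name conf ip priv pub server_pub
    name=$1
    conf="${WG_DIR}/${WG_IF}.conf"
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "client name must match [A-Za-z0-9_-]+" >&2; return 1 ;;
    esac
    [ -e "${WG_DIR}/clients/${name}.conf" ] && { echo "client exists: $name" >&2; return 1; }
    server_pub=$(cat "${WG_DIR}/public.key")
    ip=$(next_free_ip < "$conf")
    priv=$(gen_private_key)
    pub=$(printf '%s\n' "$priv" | derive_public_key)
    mkdir -p "${WG_DIR}/clients"
    render_peer_block "$name" "$pub" "$ip" >> "$conf"
    # umask 077: the client config holds a private key and must not be group/world readable.
    ( umask 077; render_client_conf "$priv" "$ip" "$server_pub" > "${WG_DIR}/clients/${name}.conf" )
    # Load only the new peer; syncconf keeps existing sessions up, unlike a restart.
    if [ "$WG_APPLY" = 1 ]; then
        wg-quick strip "$conf" | wg syncconf "$WG_IF" /dev/stdin
    fi
    echo "$ip"
}

if [ "$#" -ge 1 ]; then
    add_client "$1"
fi
```

Run it as root, e.g. sudo WG_ENDPOINT=<elastic-ip>:51820 ./add-client.sh client1, then move /etc/wireguard/clients/client1.conf to the device over a secure channel and delete it from the server once it has been imported. Setting ALLOWED_IPS to 0.0.0.0/0 turns the same script into a full-tunnel issuer.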

Step 2: Add New Client

# Add new client
sudo ./add-client.sh client1

# Verify client addition
sudo wg show

Step 3: Client Setup (Windows 11)

  1. Download WireGuard for Windows

  2. Install WireGuard

    • Run installer with default options
    • Requires administrator privileges
  3. Import Configuration

    • Open WireGuard
    • Click “Import tunnel(s) from file”
    • Select the config file
    • Click “Activate”

Testing and Verification

Step 1: Basic Connectivity

# On Windows client
ping 10.0.0.1

# Test VPC connectivity (use the private IP of a host in the VPC; that host's security
# group must accept ICMP from the VPN server's security group, because the pings
# arrive source-NATed to the server's address)
ping 172.31.16.238

Step 2: VPN Tunnel Verification

# On Server
sudo wg show

# Check for:
# - Handshake timestamp (it refreshes every couple of minutes while traffic flows;
#   no handshake at all means the client's packets never reached the server or its
#   public key is not in the server config)
# - Received/sent data
# - Correct peer public key

Step 3: Route Verification

# On Windows
route print | findstr 10.0.0.0
route print | findstr 172.31.0.0

Troubleshooting

Common Issues and Solutions

  1. Handshake Failures

    # Check server logs
    sudo journalctl -xeu wg-quick@wg0
    
    # Verify WireGuard status
    sudo wg show
    
    # Check UDP port
    sudo ss -lnpu | grep 51820
    
  2. Connection Issues

    • Verify AWS Security Group (UDP 51820 inbound on the server; the target host's group must accept traffic from the server's group)
    • Check route tables
    • Check forwarding and NAT on the server: a handshake that succeeds while VPC hosts stay unreachable usually means one of these is missing or names the wrong interface
    sysctl net.ipv4.ip_forward
    sudo iptables -S FORWARD
    sudo iptables -t nat -S POSTROUTING
    • Validate server config
    sudo wg-quick down wg0
    sudo wg-quick up wg0
    
  3. DNS Problems

    # Test DNS on the Windows client (a client only sends DNS through the tunnel if its
    # config has a DNS = line; without one it keeps its local resolver and cannot
    # resolve private VPC hostnames)
    nslookup example.com
    
    # Check which resolver the server itself uses
    cat /etc/resolv.conf
    

Quick Fixes

  1. Server Side

    # Restart WireGuard
    sudo systemctl restart wg-quick@wg0
    
    # Apply config changes
    sudo bash -c 'wg syncconf wg0 <(wg-quick strip wg0)'
    
    # Check logs
    sudo journalctl -fu wg-quick@wg0
    
  2. Client Side

    • Deactivate and reactivate tunnel
    • Check Windows Firewall
    • Verify correct config import

Maintenance Guide

Regular Maintenance Tasks

  1. System Updates

    # Update packages
    sudo apt update && sudo apt upgrade -y
    
    # Check WireGuard version
    wg --version
    
  2. Backup Configuration

    # Backup WireGuard config (-p preserves ownership and the 600 modes; the backup holds the server private key)
    sudo cp -rp /etc/wireguard /etc/wireguard.backup
    
    # Archive client configs (each contains a client private key: encrypt the archive and keep it off the instance)
    sudo tar czf wireguard-clients.tar.gz /etc/wireguard/clients/
    
  3. Monitor Performance

    # Check interface status
    sudo wg show all
    
    # Monitor bandwidth (install first with: sudo apt install iftop)
    sudo iftop -i wg0
    

Security Maintenance

  1. Key Rotation

    • WireGuard has no built-in rotation: to rotate a client, generate a new key pair, replace its [Peer] entry on the server, and issue a new client config
    • Rotating the server key invalidates every client config at once, so do it rarely and reissue all clients in one pass
    • Maintain a key inventory (which public key belongs to which person or device), since the key is the only identity WireGuard knows
  2. Access Review

    • Review active clients: the latest-handshake field in wg show tells you which peers are actually in use
    • Remove unused clients (wg set wg0 peer <public-key> remove, and delete the [Peer] block from wg0.conf so it does not come back on restart)
    • Update allowed IPs
  3. Audit Logs

    # Check system logs (wg-quick only logs interface setup; WireGuard itself does not log per-peer connections)
    sudo journalctl -u wg-quick@wg0
    
    # Review SSH logins to the server (VPN peers never appear here; use wg show for peer activity)
    sudo tail -f /var/log/auth.log
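
The access-review and revocation steps above, as an added example that is not part of the original guide: stale_peers reads the output of wg show wg0 dump (tab-separated; the fifth column of each peer line is the last handshake as a Unix timestamp, 0 if the peer never completed one) and lists peers idle for longer than a given number of days, and revoke_peer removes a peer both from the running interface and from wg0.conf so it does not return on the next wg-quick up. The WG_* variables and the convention that each peer occupies its own blank-line-separated block (comment line, [Peer], PublicKey, AllowedIPs) are assumptions of the example.

```shell
#!/usr/bin/env bash
# review-peers.sh (added example, not part of the original guide).
# Usage: sudo ./review-peers.sh review [max-idle-days]
#        sudo ./review-peers.sh revoke <client-public-key>
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"
WG_IF="${WG_IF:-wg0}"
WG_APPLY="${WG_APPLY:-1}"   # 0 = edit the config file only, do not touch the live interface

# `wg show <if> dump` is tab-separated. Line 1 describes the interface; every
# further line is one peer: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (Unix time, 0 = never), rx bytes, tx bytes, keepalive.
# Reads the dump on stdin; args: now_epoch max_idle_days.
# Prints "public-key allowed-ips idle-days" (or "never") for each peer over the limit.
stale_peers() {
    tail -n +2 | awk -F'\t' -v now="$1" -v max="$2" '
        $5 == 0 { print $1, $4, "never"; next }
        { idle = int((now - $5) / 86400); if (idle > max) print $1, $4, idle }'
}

# Delete the peer from the running interface and from the config file, so it
# neither works now nor comes back on the next wg-quick up.
revoke_peer() {
    local pub conf tmp
    pub=$1
    conf="${WG_DIR}/${WG_IF}.conf"
    tmp=$(mktemp)
    # Paragraph mode (RS=""): one record per blank-line-separated block. Drop the
    # block whose PublicKey line equals the key exactly; a substring match is not
    # enough because one base64 key can be a prefix of another.
    if ! awk -v RS= -v ORS='\n\n' -v pub="$pub" '
        {
            keep = 1
            n = split($0, line, "\n")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", line[i])
                if (line[i] == "PublicKey=" pub) { keep = 0; removed = 1 }
            }
            if (keep) print
        }
        END { exit (removed ? 0 : 1) }' "$conf" > "$tmp"; then
        rm -f "$tmp"
        echo "peer not found in $conf: $pub" >&2
        return 1
    fi
    cat "$tmp" > "$conf"   # overwrite in place so the file keeps its 600 mode and ownership
    rm -f "$tmp"
    if [ "$WG_APPLY" = 1 ]; then
        wg set "$WG_IF" peer "$pub" remove
    fi
}

if [ "$#" -ge 1 ]; then
    case "$1" in
        review) wg show "$WG_IF" dump | stale_peers "$(date +%s)" "${2:-30}" ;;
        revoke) revoke_peer "${2:?public key required}" ;;
        *) echo "usage: $0 review [max-idle-days] | revoke <public-key>" >&2; exit 2 ;;
    esac
fi
```

A peer listed as "never" has a key on the server that was handed out but never used, which is worth revoking as readily as an idle one. Revoking from the live interface alone is not enough: the [Peer] block in wg0.conf would re-add the key on the next restart, which is why the script edits both.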
    

Remember to:

  • Keep regular backups
  • Monitor system resources
  • Update security patches
  • Document any changes
  • Test after modifications

Best Practices

  1. Use unique keys for each client
  2. Implement proper logging
  3. Regular security audits
  4. Maintain documentation
  5. Test backup restoration
  6. Monitor traffic patterns

Need help with specific steps or have questions? Feel free to reach out!


@rahulvaster Do we have any licensing issues or it is completely opensource (MIT/Apache)

What happens if a client’s key pair is compromised? How can you mitigate this risk? @rahulvaster