
Install WireGuard on VPS with Free SSL Let’s Encrypt
In the world of virtual private networks (VPNs), WireGuard is gaining popularity due to its simplicity, speed, and security. This advanced tutorial guides you through installing WireGuard on a Virtual Private Server (VPS) while using Let’s Encrypt for free SSL certificates. We will also create custom commands to manage users, set passwords, and choose preferred ports, giving you a robust and flexible VPN setup.
1. Prerequisites
Before starting, ensure you have:
- A VPS running a Linux distribution (Ubuntu 20.04 or Debian 10 is recommended).
- Root access to the server.
- Basic command-line knowledge.
- A domain name pointed to your VPS IP.
2. Installing WireGuard
Step 1: Update Your System
Connect to your VPS via SSH and update the package list:
ssh root@your_vps_ip
apt update && apt upgrade -y
Step 2: Install WireGuard
On Ubuntu, you can install WireGuard directly from the default repositories:
apt install wireguard -y
For Debian 10 (buster), WireGuard is not in the main repository, so enable the buster-backports repository and install the package from it:
echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/buster-backports.list
apt update
apt -t buster-backports install wireguard -y
Step 3: Configure WireGuard Server
Create the configuration directory and a base configuration file for WireGuard:
mkdir /etc/wireguard
nano /etc/wireguard/wg0.conf
Add the following configuration to wg0.conf. Replace YOUR_SERVER_PUBLIC_IP with your VPS IP and fill in the keys as described in Step 4:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = YOUR_SERVER_PRIVATE_KEY
[Peer]
PublicKey = YOUR_CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
Step 4: Generate Key Pairs
To generate the server’s private and public keys, run:
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
Replace YOUR_SERVER_PRIVATE_KEY in the wg0.conf file with the content of server_private.key.
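Steps 3 and 4 above write the config first and generate the keys afterwards, which is how placeholder keys end up in live files. The following script is an added example, not part of the original tutorial, that does both steps in one go: it generates the server key pair with wg, renders the [Interface] section from the real values, refuses to write a config that still contains a placeholder, and locks the file to mode 600 (it holds the server's private key). The variable names KEY_DIR, CONF_PATH and WG_SETUP_RUN are my own; the paths default to the tutorial's /etc/wireguard.

```shell
#!/bin/bash
# Added example (not from the original tutorial): generate the server key pair
# and write wg0.conf in one step, so the tutorial's YOUR_SERVER_PRIVATE_KEY
# placeholder never reaches the live file.
# Assumptions: the WireGuard tools ("wg") are installed; KEY_DIR / CONF_PATH /
# WG_SETUP_RUN are this script's own variables, not WireGuard settings.
set -eu

# Render the [Interface] section from real values.
# Arguments: private key, server address (CIDR), listen port. Prints to stdout.
render_server_conf() {
    local privkey="$1" address="$2" port="$3"
    printf '[Interface]\nAddress = %s\nListenPort = %s\nPrivateKey = %s\n' \
        "$address" "$port" "$privkey"
}

# Write the config to $1 with owner-only permissions. Refuses to write a file
# that still carries a placeholder key (anything starting with YOUR_, or empty).
write_server_conf() {
    local conf_path="$1" privkey="$2" address="$3" port="$4"
    case "$privkey" in
        YOUR_*|"") echo "refusing to write placeholder private key" >&2; return 1 ;;
    esac
    umask 077
    render_server_conf "$privkey" "$address" "$port" > "$conf_path"
    chmod 600 "$conf_path"
}

# Generate the server keys with wg(8) into the directory $1 and write the
# config to $2. Address and port default to the tutorial's values.
setup_server() {
    local key_dir="$1" conf_path="$2" address="${3:-10.0.0.1/24}" port="${4:-51820}"
    mkdir -p "$key_dir"
    umask 077
    wg genkey | tee "$key_dir/server_private.key" | wg pubkey > "$key_dir/server_public.key"
    write_server_conf "$conf_path" "$(cat "$key_dir/server_private.key")" "$address" "$port"
    echo "Server public key (give this to clients): $(cat "$key_dir/server_public.key")"
}

# Only touch the real system when explicitly asked:
#   WG_SETUP_RUN=1 ./setup-wg.sh
if [ "${WG_SETUP_RUN:-0}" = 1 ]; then
    setup_server "${KEY_DIR:-/etc/wireguard}" "${CONF_PATH:-/etc/wireguard/wg0.conf}"
fi
```

The [Peer] blocks are left to the adduser.sh script from section 4, so the generated file contains only the server side; the public key printed at the end is what each client needs in its own [Peer] section.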
3. Setting Up Let’s Encrypt for SSL
Step 1: Install Certbot
Certbot is the recommended tool for obtaining SSL certificates from Let’s Encrypt. Install it using:
apt install certbot -y
Step 2: Obtain Your SSL Certificate
To obtain your SSL certificate, use Certbot with the standalone option:
certbot certonly --standalone -d yourdomain.com
Follow the prompts to complete the certificate issuance. Ensure that the firewall permits traffic on ports 80 and 443 during this process.
Step 3: Configure WireGuard to Use SSL
WireGuard does not use SSL certificates directly, and wg0.conf has no certificate fields (wg-quick rejects settings it does not recognize). The certificate obtained above secures any web service you run alongside WireGuard to provide secure access to clients; keep it out of wg0.conf and use it in that service's own configuration.
Step 4: Enable Auto-Renewal for SSL Certificates
To automate SSL certificate renewal, you can add a cron job:
crontab -e
Add the following line:
0 0 * * * /usr/bin/certbot renew --quiet
This command attempts renewal daily at midnight; Certbot only replaces the certificate once it is within 30 days of expiry. Because the certificate was issued with the standalone plugin, port 80 must still be reachable on the VPS when the renewal runs.
4. Creating Custom Commands for User Management
To enhance user management in WireGuard, we will create custom scripts for adding users, deleting users, setting passwords, and choosing preferred ports.
Adding a New WireGuard User
Create a script named adduser.sh:
nano ~/adduser.sh
Insert the following code into the script:
#!/bin/bash
# Add a WireGuard user: generate a key pair, allocate the next free 10.0.0.x
# address, append a tagged [Peer] block, and write the client's config file
set -e
if [ -z "$1" ]; then
echo "Usage: $0 username"
exit 1
fi
CONF=/etc/wireguard/wg0.conf
# Generate client keys
umask 077
wg genkey | tee client_private_$1.key | wg pubkey > client_public_$1.key
# Pick the next unused host number (the server is .1) so two peers never share an address
LAST=$(sed -n 's#^AllowedIPs = 10\.0\.0\.\([0-9]*\)/32$#\1#p' "$CONF" | sort -n | tail -1)
NEXT=$(( ${LAST:-1} + 1 ))
# Add client to server configuration; the "# User" tag is what deluser.sh searches for
printf '\n# User %s\n[Peer]\nPublicKey = %s\nAllowedIPs = 10.0.0.%s/32\n' "$1" "$(cat client_public_$1.key)" "$NEXT" >> "$CONF"
# Write the client configuration (replace YOUR_SERVER_PUBLIC_IP with the VPS address)
PORT=$(sed -n 's/^ListenPort = //p' "$CONF")
printf '[Interface]\nPrivateKey = %s\nAddress = 10.0.0.%s/24\n\n[Peer]\nPublicKey = %s\nEndpoint = YOUR_SERVER_PUBLIC_IP:%s\nAllowedIPs = 0.0.0.0/0\n' "$(cat client_private_$1.key)" "$NEXT" "$(cat server_public.key)" "$PORT" > "$1.conf"
echo "User $1 added. Client config written to $1.conf; restart WireGuard to apply."
Make the script executable:
chmod +x ~/adduser.sh
Deleting a User
Create a script called deluser.sh:
nano ~/deluser.sh
Insert the following code:
#!/bin/bash
# Remove a WireGuard user: delete the tagged [Peer] block and the user's key files
set -e
if [ -z "$1" ]; then
echo "Usage: $0 username"
exit 1
fi
CONF=/etc/wireguard/wg0.conf
# Delete from the "# User <name>" tag (written by adduser.sh) up to the next blank line or end of file.
# The trailing $ anchors the name so that removing "bob" does not also remove "bobby".
sed -i "/^# User $1\$/,/^\$/d" "$CONF"
# Remove the user's key files and client config
rm -f client_private_$1.key client_public_$1.key "$1.conf"
echo "User $1 removed. Restart WireGuard to apply the change."
Make this script executable:
chmod +x ~/deluser.sh
Setting Passwords for VPN Users
WireGuard has no notion of usernames or passwords: each user is identified by a key pair, and access is controlled by which public keys are listed as peers in wg0.conf. If you need password-based login, it has to be implemented by a separate authentication layer in front of WireGuard, beyond WireGuard’s core functionality.
Choosing Preferred Ports
To change the default listening port for WireGuard, create a script named setport.sh:
nano ~/setport.sh
Insert the following code:
#!/bin/bash
# Set preferred WireGuard port
if [ -z "$1" ]; then
echo "Usage: $0 port_number"
exit 1
fi
# Accept only a number in the valid port range; anything else would leave wg-quick unable to start
case "$1" in
*[!0-9]*) echo "Port must be a number"; exit 1 ;;
esac
if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
echo "Port must be between 1 and 65535"; exit 1
fi
sed -i "s/^ListenPort = .*/ListenPort = $1/" /etc/wireguard/wg0.conf
echo "WireGuard port set to $1. Please restart WireGuard and allow UDP port $1 through your firewall."
Make this script executable:
chmod +x ~/setport.sh
5. Starting WireGuard
To start the WireGuard server and enable it to start on boot, run:
systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
Check the status to ensure it’s running:
systemctl status wg-quick@wg0
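Every script in section 4 ends with "restart WireGuard", and a bad wg0.conf makes wg-quick@wg0 fail to start, cutting off every client at once. The following preflight check is an added example, not part of the original tutorial: run it on /etc/wireguard/wg0.conf before restarting. It reports the mistakes the section 4 scripts can introduce: a placeholder left in a key field, a key that is not 32 bytes of base64 (44 characters ending in "="), a ListenPort outside 1-65535, two peers sharing an AllowedIPs entry or a public key (only the last one wins, silently), and a config file readable by other users. It assumes the one "Key = Value" per line layout the tutorial uses; the function name lint_wg_conf is my own.

```shell
#!/bin/bash
# Added example (not from the original tutorial): sanity-check a wg0.conf
# before restarting wg-quick. Assumes the tutorial's "Key = Value" layout.

# Print each problem found in the file $1; return 1 if any, 0 if clean.
lint_wg_conf() {
    local conf="$1" problems=0 key port field dups mode
    if ! [ -f "$conf" ]; then
        echo "missing config: $conf"
        return 1
    fi
    # Keys are 32 bytes base64-encoded: 43 characters plus one "=" of padding.
    for key in $(sed -n -e 's/^PrivateKey = //p' -e 's/^PublicKey = //p' "$conf"); do
        case "$key" in
            YOUR_*) echo "placeholder key left in config: $key"; problems=1; continue ;;
        esac
        if ! printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
            echo "malformed key: $key"; problems=1
        fi
    done
    # ListenPort must be a number in 1..65535.
    port=$(sed -n 's/^ListenPort = //p' "$conf")
    case "$port" in
        ''|*[!0-9]*) echo "invalid ListenPort: '$port'"; problems=1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "ListenPort out of range: $port"; problems=1; } ;;
    esac
    # Two peers with the same AllowedIPs or PublicKey: the later one silently wins.
    for field in AllowedIPs PublicKey; do
        dups=$(sed -n "s/^$field = //p" "$conf" | sort | uniq -d)
        if [ -n "$dups" ]; then
            echo "duplicate $field: $dups"; problems=1
        fi
    done
    # The file holds the server's private key; only root should be able to read it.
    mode=$(stat -c '%a' "$conf")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "config is readable by others (mode $mode); run chmod 600 $conf"; problems=1
    fi
    return $problems
}

# Typical use after editing with the section 4 scripts:
#   lint_wg_conf /etc/wireguard/wg0.conf && systemctl restart wg-quick@wg0
```

Because the function returns non-zero on any finding, chaining it with && in front of the restart means a broken config is never applied; the messages tell you which line to fix first.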
6. FAQs
Q1: How do I connect to WireGuard from a client?
To connect, you need the client configuration file, including keys, which is generated by the adduser.sh script. Transfer this file to the client device securely.
Q2: Can I use WireGuard without SSL?
WireGuard uses its own encryption methods and does not require SSL certificates. However, if you’re routing traffic through a web server, using SSL can enhance security.
Q3: How often do I need to renew my SSL certificate?
Let’s Encrypt certificates are valid for 90 days. The auto-renewal setup via cron will handle this for you.
Q4: Can I customize my WireGuard configuration further?
Absolutely! You can customize various settings in the wg0.conf file, including IP ranges, DNS settings, and additional peer configurations.
Q5: What if I forget the commands?
Keep this guide saved or create a cheat sheet for quick reference, especially for the custom scripts.
Q6: How do I change the encryption method?
You cannot. WireGuard uses a fixed cryptographic suite by design, so there are no cipher settings to adjust in either the server or the client configuration files.
7. Conclusion
This advanced tutorial has guided you through the installation of WireGuard on a VPS, complete with free SSL certificate management using Let’s Encrypt. The custom scripts created allow for efficient user management and configuration adjustments, making your WireGuard setup both secure and flexible. Should you have any further questions or require assistance, feel free to reach out!