Install WireGuard on VPS with Free SSL Let’s Encrypt

In the world of virtual private networks (VPNs), WireGuard is gaining popularity for its simplicity, speed, and security. This tutorial walks through installing WireGuard on a Virtual Private Server (VPS) and obtaining a free TLS certificate from Let’s Encrypt for the HTTPS side of the deployment, then builds small helper scripts to add and remove peers and to change the listening port. Two points up front, because the title invites confusion: WireGuard authenticates peers with key pairs, not usernames and passwords, and it never reads a certificate. The Let’s Encrypt certificate only protects a separate HTTPS service on the same host, such as a page from which clients download their configuration files.

1. Prerequisites

Before starting, ensure you have:

  • A VPS running a Linux distribution (Ubuntu 20.04 or Debian 10 is recommended; Ubuntu 20.04 and Debian 11 or later ship WireGuard in the main archive, Debian 10 only via backports).
  • Root access to the server.
  • Basic command-line knowledge.
  • A domain name with an A record pointing to your VPS IP (needed for the certificate; WireGuard itself works with a bare IP).

2. Installing WireGuard

Step 1: Update Your System

Connect to your VPS via SSH, refresh the package list and upgrade what is installed:

ssh root@your_vps_ip  
apt update && apt upgrade -y

Step 2: Install WireGuard

On Ubuntu, you can install WireGuard directly from the default repositories:

apt install wireguard -y

Debian 10 (buster) carries WireGuard only in its backports repository; Debian 11 and later have it in the main archive, so the extra repository is needed on buster only. The stock buster kernel (4.19) has no WireGuard module, so the backports package builds one with DKMS and needs the linux-headers package matching your running kernel installed first. If your mirror no longer serves buster-backports, point the line at archive.debian.org/debian instead:

echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/backports.list  
apt update  
apt install -t buster-backports wireguard -y

Step 3: Configure WireGuard Server

Create the configuration directory if the package has not already done so, and open the base configuration file. The file will hold the server private key, so keep it readable by root only (mode 600):

mkdir -p /etc/wireguard  
nano /etc/wireguard/wg0.conf

Add the following configuration to wg0.conf. The only placeholders are the two keys: YOUR_SERVER_PRIVATE_KEY is filled in from step 4, and the [Peer] block shows the shape of what the adduser.sh script in section 4 appends for every client. Remove that placeholder block (or fill in a real client public key) before bringing the interface up, because wg-quick refuses to start on a key that is not valid base64 of 32 bytes. The 10.0.0.0/24 addresses are tunnel-internal; the VPS public IP does not appear in the server configuration at all, clients put it in their Endpoint:

[Interface]
Address = 10.0.0.1/24 
ListenPort = 51820  
PrivateKey = YOUR_SERVER_PRIVATE_KEY

[Peer]
PublicKey = YOUR_CLIENT_PUBLIC_KEY  
AllowedIPs = 10.0.0.2/32

Step 4: Generate Key Pairs

To generate the server’s private and public keys, run (the umask makes the key files readable only by root):

umask 077  
wg genkey | tee server_private.key | wg pubkey > server_public.key

Replace YOUR_SERVER_PRIVATE_KEY in wg0.conf with the content of server_private.key, then set wg0.conf to mode 600 and delete server_private.key; the key lives in wg0.conf and needs no second copy. Keep server_public.key, every client configuration needs it.
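The configuration above is a bare point-to-point link: a client can reach 10.0.0.1 and nothing beyond it. For the usual VPS use case, where clients send all their traffic through the server, the VPS must forward their packets and masquerade them behind its public address. The following is an added example, not the tutorial’s own file, of a complete server configuration with that forwarding plus the matching client file. It assumes eth0 is the VPS’s public interface (check with ip route get 1.1.1.1), that iptables is installed, that 1.1.1.1 is an acceptable resolver for clients, and that the placeholder keys are replaced with real ones. The PostUp rules only take effect once IP forwarding is enabled (net.ipv4.ip_forward=1 via sysctl, persisted under /etc/sysctl.d/).

```ini
# /etc/wireguard/wg0.conf on the VPS (added example; eth0 is an assumption)
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = YOUR_SERVER_PRIVATE_KEY
# Forward and masquerade client traffic while the tunnel is up.
# Requires net.ipv4.ip_forward=1 on the host.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# One [Peer] block per client; the first client gets 10.0.0.2
[Peer]
PublicKey = YOUR_CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

# --- matching client file (for example client.conf on the laptop) ---
[Interface]
Address = 10.0.0.2/24
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
DNS = 1.1.1.1

[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
Endpoint = yourdomain.com:51820
# 0.0.0.0/0 sends all IPv4 traffic through the VPS; use 10.0.0.0/24 for a split tunnel
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Each side lists the other’s public key and its own private key; the server’s AllowedIPs is what it will route to that client, the client’s AllowedIPs is what it will route into the tunnel. The keepalive only matters for clients behind NAT that need to keep the mapping open.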

3. Setting Up Let’s Encrypt for SSL

Step 1: Install Certbot

Certbot is the recommended client for obtaining certificates from Let’s Encrypt. Install it using:

apt install certbot -y

Step 2: Obtain Your SSL Certificate

To obtain your certificate, use Certbot in standalone mode, in which it starts a temporary web server of its own on port 80 to answer the HTTP-01 challenge:

certbot certonly --standalone -d yourdomain.com

Follow the prompts to complete the issuance. Port 80 must be reachable from the internet and not in use by another service while the command runs (port 443 is not needed for this challenge). The certificate and key are written to /etc/letsencrypt/live/yourdomain.com/ as fullchain.pem and privkey.pem.

Step 3: What the Certificate Is (and Is Not) For

WireGuard does not use TLS certificates at all, and wg0.conf has no directive for them; do not add certificate paths there, wg-quick rejects unknown keys. The certificate protects a separate HTTPS service on the same VPS, for example a web page or small API from which clients fetch their configuration files, and it is that service’s configuration (nginx, Apache, or your own application) that points at /etc/letsencrypt/live/yourdomain.com/fullchain.pem and privkey.pem. The tunnel itself is secured by WireGuard’s own key exchange regardless of whether the certificate exists.

Step 4: Enable Auto-Renewal for SSL Certificates

The Debian and Ubuntu certbot packages already install a systemd timer (certbot.timer) that runs certbot renew twice a day; check with systemctl list-timers certbot.timer before adding anything. If it is absent, for example because certbot was installed some other way, add a cron job:

crontab -e

Add the following line (Let’s Encrypt recommends running the check twice daily rather than once at midnight):

0 */12 * * * /usr/bin/certbot renew --quiet

This runs the renewal check twice a day; certbot only replaces the certificate when fewer than 30 days remain. A service that has already loaded the old certificate needs a reload after renewal, which certbot’s --deploy-hook option can trigger.
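Renewal failing silently is the usual way a Let’s Encrypt setup breaks: the timer runs, certbot fails (port 80 blocked, DNS changed), and nobody notices until browsers start complaining. The script below is an added example, not part of the original tutorial, that reports how many days the live certificate has left and warns once it is inside certbot’s 30-day renewal window. The certificate path for yourdomain.com is an assumed default and can be overridden with the CERT variable; only openssl and a POSIX shell are needed, so it runs unchanged on Debian, Ubuntu and BSD-derived systems.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check how long the live
# certificate is still valid so a broken timer or cron job is noticed before
# the certificate actually expires. CERT defaults to the path certbot uses for
# yourdomain.com (an assumed name); override it with CERT=/path/to/cert.pem.
set -eu

CERT="${CERT:-/etc/letsencrypt/live/yourdomain.com/fullchain.pem}"

# cert_valid_for_days CERT DAYS: exit 0 if CERT is still valid DAYS from now,
# 1 if it expires within that window (or already has). openssl's -checkend
# takes seconds, hence the multiplication.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# cert_days_left CERT: print the number of whole days until notAfter (0 once
# expired or unreadable). Counting up with -checkend avoids the date-parsing
# differences between GNU and BSD userlands; a Let's Encrypt certificate
# needs at most about 90 iterations.
cert_days_left() {
    days=0
    while cert_valid_for_days "$1" $(( days + 1 )); do
        days=$(( days + 1 ))
    done
    echo "$days"
}

if [ -r "$CERT" ]; then
    left=$(cert_days_left "$CERT")
    echo "$CERT: $left days left"
    # certbot renews when fewer than 30 days remain; being inside that window
    # means renewal is not happening. 'certbot renew --dry-run' shows why.
    cert_valid_for_days "$CERT" 30 || echo "WARNING: renewal is overdue"
fi
```

Run it from cron or a monitoring check with the real path; a healthy setup never reports fewer than 30 days.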

4. Creating Custom Commands for User Management

To make day-to-day administration easier, we will create small scripts for adding peers, removing peers, and changing the listening port. There is no password step: WireGuard’s only credential is the key pair, which is why adding a user means generating one.

Adding a New WireGuard User

Create a script named adduser.sh:

nano ~/adduser.sh

Insert the following code into the script. It assigns each client the next free address in 10.0.0.0/24 (the original version gave every client 10.0.0.2/32, so each new peer silently took over the previous one), tags the peer block with a comment so that deluser.sh can find it later, writes a ready-to-import client configuration, and loads the new peer into the running interface without restarting it:

#!/bin/bash
# Add a WireGuard peer: generate its keys, pick the next free 10.0.0.x, append a
# tagged [Peer] block to wg0.conf and write a ready-to-import client config.
set -eu
CONF=/etc/wireguard/wg0.conf
ENDPOINT="${ENDPOINT:-yourdomain.com}"   # public name or IP clients connect to
[ -n "${1:-}" ] || { echo "Usage: $0 username"; exit 1; }
grep -q "^# User $1\$" "$CONF" && { echo "User $1 already exists"; exit 1; }
umask 077
priv=$(wg genkey); pub=$(echo "$priv" | wg pubkey)
server_pub=$(awk '/^PrivateKey/ {print $3}' "$CONF" | wg pubkey)
port=$(awk '/^ListenPort/ {print $3}' "$CONF")
last=$(grep -oE '^AllowedIPs = 10\.0\.0\.[0-9]+' "$CONF" | awk -F. '{print $4}' | sort -n | tail -1)
ip="10.0.0.$(( ${last:-1} + 1 ))"   # highest address already assigned, plus one
# The "# User" tag is what deluser.sh searches for; the blank line delimits blocks
printf '\n# User %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$pub" "$ip" >> "$CONF"
cat > "$1.conf" <<EOF
[Interface]
PrivateKey = $priv
Address = $ip/24

[Peer]
PublicKey = $server_pub
Endpoint = $ENDPOINT:$port
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
# Load the peer into the running interface (if up) without disturbing other peers
wg show wg0 >/dev/null 2>&1 && wg syncconf wg0 <(wg-quick strip wg0)
echo "User $1 added with $ip; deliver $1.conf securely, then delete it from the server"

ENDPOINT is the hostname or IP that clients connect to; set it in the script or export it before running. The client file contains the client’s private key, so hand it over through a secure channel and remove it from the server afterwards.

Make the script executable:

chmod +x ~/adduser.sh

Deleting a User

Create a script called deluser.sh:

nano ~/deluser.sh

Insert the following code. It deletes exactly the block that adduser.sh tagged (the anchored pattern keeps "bob" from matching "bobby"), drops the peer from the live interface, and removes the client file if it is still lying around:

#!/bin/bash
# Remove a WireGuard peer: delete its tagged block from wg0.conf, drop it from
# the running interface and remove the leftover client config file.
set -eu
CONF=/etc/wireguard/wg0.conf
[ -n "${1:-}" ] || { echo "Usage: $0 username"; exit 1; }
grep -q "^# User $1\$" "$CONF" || { echo "User $1 not found"; exit 1; }
# Public key of this peer, read from the tagged block before it is deleted
pub=$(sed -n "/^# User $1\$/,/^\$/{s/^PublicKey = //p}" "$CONF")
# Delete from the tag line up to the next blank line (or end of file)
sed -i "/^# User $1\$/,/^\$/d" "$CONF"
wg show wg0 >/dev/null 2>&1 && wg set wg0 peer "$pub" remove
rm -f "$1.conf"
echo "User $1 removed"

Make this script executable:

chmod +x ~/deluser.sh

Setting Passwords for VPN Users

WireGuard has no notion of usernames or passwords: a peer is identified and authenticated solely by its public key, so access control means managing key pairs (adding a peer grants access, deleting it revokes access immediately). The closest thing to a shared secret is the optional PresharedKey, a symmetric value generated with wg genpsk and placed in the [Peer] section on both sides; it adds a second layer to the handshake but is still not a per-user password. Password prompts, one-time codes or directory logins require a layer outside WireGuard, such as an authenticated web portal that hands out configuration files.

Choosing Preferred Ports

To change the default listening port for WireGuard, create a script named setport.sh:

nano ~/setport.sh

Insert the following code. It rejects anything that is not a valid port number, updates wg0.conf and the running interface, and reminds you of the two things the change breaks if forgotten: the firewall rule and the Endpoint in every client file:

#!/bin/bash
# Change the WireGuard listening port in wg0.conf and on the live interface
set -eu
CONF=/etc/wireguard/wg0.conf
if [ -z "${1:-}" ]; then
  echo "Usage: $0 port_number"
  exit 1
fi
# Accept only a numeric UDP port in range
case $1 in ''|*[!0-9]*) echo "Port must be numeric"; exit 1;; esac
[ "$1" -ge 1 ] && [ "$1" -le 65535 ] || { echo "Port must be between 1 and 65535"; exit 1; }
sed -i "s/^ListenPort = .*/ListenPort = $1/" "$CONF"
wg show wg0 >/dev/null 2>&1 && wg set wg0 listen-port "$1"
echo "WireGuard port set to $1. Open UDP/$1 in the firewall and update Endpoint in existing client configs."

Make this script executable:

chmod +x ~/setport.sh
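Before bringing the interface up, or after editing wg0.conf by hand, it is worth checking the file for the mistakes that break a WireGuard server quietly. The script below is an added example and not one of the tutorial’s scripts: it audits a wg0.conf for two peers sharing an AllowedIPs prefix (exactly what a script that hardcodes 10.0.0.2/32 for every client produces), a client listed twice, placeholder or truncated keys, and a file mode that exposes the server private key. It runs on a constructed sample configuration with padded dummy keys, so it can be tried without a WireGuard installation; point audit_wg_conf at /etc/wireguard/wg0.conf for the real thing.

```shell
#!/bin/sh
# Added example, not one of the tutorial's scripts: audit wg0.conf before
# (re)starting the interface. It flags what a hand edit or a careless add-user
# script leaves behind: two peers claiming the same AllowedIPs, a client listed
# twice, a placeholder or truncated key, and a file other local users can read.
set -u

# audit_wg_conf FILE: print one line per finding; return 1 if any, 0 if clean
audit_wg_conf() {
    f=$1; rc=0
    # Same prefix in two peers: wg keeps a single owner per route, so the peer
    # listed first silently loses connectivity when the second one is added.
    for ip in $(awk '/^AllowedIPs/ {sub(/^[^=]*= */, ""); print}' "$f" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | sort | uniq -d); do
        echo "duplicate AllowedIPs: $ip"; rc=1
    done
    for key in $(awk '/^PublicKey/ {sub(/^[^=]*= */, ""); print}' "$f" | sort | uniq -d); do
        echo "duplicate PublicKey: $key"; rc=1
    done
    # A key is 32 bytes, i.e. exactly 44 base64 characters ending in '='; a
    # YOUR_..._KEY placeholder or a pasted fragment makes wg-quick abort.
    for n in $(awk '/^(PrivateKey|PublicKey|PresharedKey)/ {v=$0; sub(/^[^=]*= */, "", v); sub(/ *$/, "", v); if (length(v) != 44 || v !~ /^[A-Za-z0-9+\/]+=$/) print NR}' "$f"); do
        echo "malformed key on line $n"; rc=1
    done
    # The file holds the server private key: only the owner may read it
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case $mode in
        *[1-7]|*[1-7]?) echo "mode $mode is too open, run: chmod 600 $f"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample for the demonstration. The keys are padded labels, not real
# keys (32 bytes -> 44 base64 characters, which is all the audit checks for).
key() { printf '%-32s' "$1" | base64; }

# write_sample_conf FILE BOB_IP: a config with two peers; BOB_IP=10.0.0.2
# reproduces the address clash a fixed-AllowedIPs add script produces.
write_sample_conf() {
    cat > "$1" <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = $(key server)

# User alice
[Peer]
PublicKey = $(key alice)
AllowedIPs = 10.0.0.2/32

# User bob
[Peer]
PublicKey = $(key bob)
AllowedIPs = $2/32
EOF
}

sample=$(mktemp)
write_sample_conf "$sample" 10.0.0.2
chmod 644 "$sample"   # deliberately too open, so the permission check fires too
if audit_wg_conf "$sample"; then
    echo "$sample: clean"
else
    echo "$sample: fix the findings above before running wg-quick up wg0"
fi
rm -f "$sample"
```

On the sample it reports the duplicated 10.0.0.2/32 and the 644 mode; on a correct file it prints nothing and exits 0, which makes it usable as a guard in a deployment script (audit_wg_conf /etc/wireguard/wg0.conf && wg-quick up wg0).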

5. Starting WireGuard

To start the WireGuard server and enable it to start on boot, run:

systemctl start wg-quick@wg0  
systemctl enable wg-quick@wg0

If a firewall is active, open the UDP port from ListenPort (51820 by default); WireGuard is UDP only and silently drops anything it cannot authenticate, so a blocked port looks exactly like a wrong key. Check the status to ensure it is running, and use wg show to list the interface, its port and each peer with the time of its latest handshake:

systemctl status wg-quick@wg0

6. FAQs

Q1: How do I connect to WireGuard from a client?

To connect, you need the client configuration file that adduser.sh writes (username.conf, containing the client’s private key, the server’s public key and the endpoint). Transfer it to the client device over a secure channel, import it into the WireGuard app or copy it to /etc/wireguard/ and run wg-quick up on Linux, then delete the copy on the server.

Q2: Can I use WireGuard without SSL?

Yes. WireGuard has its own authenticated key exchange (the Noise protocol framework with Curve25519 keys) and never uses certificates, so the tunnel is just as secure without one. The certificate only matters for a separate HTTPS service on the same host, for example the page from which clients download their configuration files.

Q3: How often do I need to renew my SSL certificate?

Let’s Encrypt certificates are valid for 90 days. The auto-renewal setup via cron will handle this for you.

Q4: Can I customize my WireGuard configuration further?

Absolutely! You can customize various settings in the wg0.conf file, including IP ranges, DNS settings, and additional peer configurations.

Q5: What if I forget the commands?

Keep this guide saved or create a cheat sheet for quick reference, especially for the custom scripts.

Q6: How do I change the encryption method?

You cannot, by design. WireGuard has no cipher negotiation: every peer uses the same fixed suite (Curve25519 key exchange, ChaCha20-Poly1305 encryption, BLAKE2s hashing, HKDF key derivation), and there is no cipher setting in any server or client configuration file. If a primitive is ever broken, the fix is a new protocol version, not a configuration change. The only cryptographic option available is the optional PresharedKey, which adds a symmetric secret to the handshake.


7. Conclusion

This tutorial has guided you through installing WireGuard on a VPS and obtaining a free Let’s Encrypt certificate for the HTTPS side of the deployment. The helper scripts allow for efficient peer management and configuration adjustments, making your WireGuard setup both secure and flexible. Should you have any further questions or require assistance, feel free to reach out!
