# **WireGuard VPN on EC2 (Amazon Linux)**

# Installation Script

[WireGuard VPN Installation Script on EC2 (Amazon Linux)](https://github.com/CW-B-W/WireGuard-EC2-Installation-Script)

---

# Table of Contents

[TOC]

---

## **Complete Guide: Setting Up WireGuard VPN on AWS EC2 with Two Clients**

This guide walks you through setting up a WireGuard VPN server on an AWS EC2 instance and configuring two clients. WireGuard is a fast, modern, and secure VPN protocol, and AWS EC2 provides a reliable platform for hosting your VPN server.

---

## **Prerequisites**

1. **AWS Account**: You need an AWS account to create and manage EC2 instances.
2. **EC2 Instance**: We’ll use the AWS Free Tier to host the VPN server.
3. **SSH Access**: You should have SSH access to your EC2 instance.

---

## **Step 1: Launch an EC2 Instance**

1. **Log in to AWS Console**:
   - Go to the [AWS Management Console](https://aws.amazon.com/console/).
2. **Launch an EC2 Instance**:
   - Navigate to **EC2** > **Instances** > **Launch Instance**.
   - Choose an **Amazon Machine Image (AMI)**:
     - Select **Amazon Linux 2 AMI** (free tier eligible).
   - Choose an **Instance Type**:
     - Select **t2.micro** (free tier eligible).
   - Configure Instance Details:
     - Use default settings.
   - Add Storage:
     - Use the default 8 GB SSD (free tier eligible).
   - Add Tags (optional):
     - Add a tag like `Name: WireGuard-VPN`.
   - Configure Security Group:
     - Create a new security group.
     - Add the following rules:
       - **SSH**: Port 22, Source: Your IP address.
       - **WireGuard**: Port 51820 (UDP), Source: `0.0.0.0/0` (or restrict to specific IPs for security).
   - Review and launch the instance.
   - Create or use an existing key pair (e.g., `wireguard-key.pem`) to connect to the instance.

---

## **Step 2: Connect to Your EC2 Instance**

1. **SSH into the Instance**:
   - Use the private key you downloaded to connect:
     ```bash
     ssh -i /path/to/wireguard-key.pem ec2-user@<your-ec2-public-ip>
     ```
   - Replace `/path/to/wireguard-key.pem` with the path to your key file and `<your-ec2-public-ip>` with the public IP of your EC2 instance.

---

## **Step 3: Install WireGuard**

1. **Update the System**:
   ```bash
   sudo yum update -y
   ```
2. **Install WireGuard**:
   - Enable the EPEL repository and install `wireguard-tools`:
     ```bash
     sudo amazon-linux-extras install epel -y
     sudo yum install wireguard-tools -y
     ```
3. **Enable WireGuard Kernel Module**:
   - Load the WireGuard kernel module:
     ```bash
     sudo modprobe wireguard
     ```
   - Verify the module is loaded:
     ```bash
     lsmod | grep wireguard
     ```

---

## **Step 4: Install `iptables`**

Amazon Linux does not come with `iptables` pre-installed. You need to install it manually.

1. **Install `iptables`**:
   ```bash
   sudo yum install iptables -y
   ```
2. **Verify Installation**:
   ```bash
   sudo iptables --version
   ```

---

## **Step 5: Configure WireGuard**

1. **Generate Server Keys**:
   - Generate private and public keys for the server:
     ```bash
     umask 077
     wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
     sudo cat /etc/wireguard/privatekey
     sudo cat /etc/wireguard/publickey
     ```
2. **Create Server Configuration File**:
   - Create a WireGuard configuration file:
     ```bash
     sudo nano /etc/wireguard/wg0.conf
     ```
   - Add the following configuration:
     ```ini
     [Interface]
     Address = 10.0.0.1/24
     SaveConfig = true
     ListenPort = 51820
     PrivateKey = <server-private-key>
     PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enX0 -j MASQUERADE
     PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enX0 -j MASQUERADE
     ```
   - Replace `<server-private-key>` with the contents of `/etc/wireguard/privatekey`.
   - Replace `enX0` with the correct network interface (use `ip a` to check).
3. **Enable IP Forwarding**:
   - Edit the sysctl configuration file:
     ```bash
     sudo nano /etc/sysctl.conf
     ```
   - Uncomment or add the following line:
     ```bash
     net.ipv4.ip_forward=1
     ```
   - Apply the changes:
     ```bash
     sudo sysctl -p
     ```

---

## **Step 6: Generate Keys for Two Clients**

1. **Create a Directory for Client Keys**:
   - Create a directory to store client keys:
     ```bash
     sudo mkdir -p /etc/wireguard/clients
     ```
2. **Generate Keys for Client 1**:
   - Generate private and public keys for Client 1:
     ```bash
     umask 077
     wg genkey | sudo tee /etc/wireguard/clients/client1_privatekey | wg pubkey | sudo tee /etc/wireguard/clients/client1_publickey
     sudo cat /etc/wireguard/clients/client1_privatekey
     sudo cat /etc/wireguard/clients/client1_publickey
     ```
3. **Generate Keys for Client 2**:
   - Generate private and public keys for Client 2:
     ```bash
     umask 077
     wg genkey | sudo tee /etc/wireguard/clients/client2_privatekey | wg pubkey | sudo tee /etc/wireguard/clients/client2_publickey
     sudo cat /etc/wireguard/clients/client2_privatekey
     sudo cat /etc/wireguard/clients/client2_publickey
     ```

---

## **Step 7: Add Clients to the Server Configuration**

1. **Edit the Server Configuration**:
   - Open the WireGuard configuration file:
     ```bash
     sudo nano /etc/wireguard/wg0.conf
     ```
2. **Add Client 1 as a Peer**:
   - Add a `[Peer]` section for Client 1:
     ```ini
     [Peer]
     PublicKey = <client1-public-key>
     AllowedIPs = 10.0.0.2/32
     ```
   - Replace `<client1-public-key>` with the contents of `/etc/wireguard/clients/client1_publickey`.
3. **Add Client 2 as a Peer**:
   - Add a `[Peer]` section for Client 2:
     ```ini
     [Peer]
     PublicKey = <client2-public-key>
     AllowedIPs = 10.0.0.3/32
     ```
   - Replace `<client2-public-key>` with the contents of `/etc/wireguard/clients/client2_publickey`.
4. **Save and Exit**:
   - Save the file and exit the editor.
5. **Restart WireGuard**:
   - Apply the changes by restarting WireGuard:
     ```bash
     sudo systemctl restart wg-quick@wg0
     ```

---

## **Step 8: Create Client Configuration Files**

1. **Create Configuration for Client 1**:
   - Create a configuration file for Client 1:
     ```bash
     sudo nano /etc/wireguard/clients/client1.conf
     ```
   - Add the following configuration:
     ```ini
     [Interface]
     PrivateKey = <client1-private-key>
     Address = 10.0.0.2/24
     DNS = 8.8.8.8

     [Peer]
     PublicKey = <server-public-key>
     AllowedIPs = 0.0.0.0/0
     Endpoint = <ec2-public-ip>:51820
     PersistentKeepalive = 25
     ```
   - Replace `<client1-private-key>` with the contents of `/etc/wireguard/clients/client1_privatekey`.
   - Replace `<server-public-key>` with the server’s public key (found in `/etc/wireguard/publickey`).
   - Replace `<ec2-public-ip>` with the public IP of your EC2 instance.
2. **Create Configuration for Client 2**:
   - Create a configuration file for Client 2:
     ```bash
     sudo nano /etc/wireguard/clients/client2.conf
     ```
   - Add the following configuration:
     ```ini
     [Interface]
     PrivateKey = <client2-private-key>
     Address = 10.0.0.3/24
     DNS = 8.8.8.8

     [Peer]
     PublicKey = <server-public-key>
     AllowedIPs = 0.0.0.0/0
     Endpoint = <ec2-public-ip>:51820
     PersistentKeepalive = 25
     ```
   - Replace `<client2-private-key>` with the contents of `/etc/wireguard/clients/client2_privatekey`.
   - Replace `<server-public-key>` with the server’s public key (found in `/etc/wireguard/publickey`).
   - Replace `<ec2-public-ip>` with the public IP of your EC2 instance.

---

## **Step 9: Share Configuration Files with Clients**

1. **Transfer Configuration Files**:
   - Use `scp` or a secure file-sharing method to transfer the configuration files to the client devices. `/etc/wireguard` is readable only by root, so first stage a copy that `ec2-user` can read (run on the server), then pull that copy from each client device:
     ```bash
     sudo install -o ec2-user -m 600 /etc/wireguard/clients/client1.conf /home/ec2-user/client1.conf
     sudo install -o ec2-user -m 600 /etc/wireguard/clients/client2.conf /home/ec2-user/client2.conf
     scp -i /path/to/wireguard-key.pem ec2-user@<your-ec2-public-ip>:client1.conf /path/to/save/
     scp -i /path/to/wireguard-key.pem ec2-user@<your-ec2-public-ip>:client2.conf /path/to/save/
     ```
   - Replace `/path/to/wireguard-key.pem` with the path to your private key and `/path/to/save/` with the destination path on the client devices.
   - The staged copies contain the clients' private keys; delete them from `/home/ec2-user` once the transfer is done.
2. **Import Configurations on Clients**:
   - On each client device, import the configuration file into the WireGuard client:
     - **Windows/macOS/Linux**: Use the WireGuard GUI to import the file.
     - **iOS/Android**: Use the WireGuard app to scan a QR code or import the file directly.

---

## **Step 10: Test the Connection**

1. **Connect from Clients**:
   - Start the WireGuard client on each device and connect to the VPN.
2. **Verify the Connection**:
   - On the server, check the status of WireGuard:
     ```bash
     sudo wg
     ```
   - You should see both clients’ public keys and recent handshake times.
3. **Test Connectivity**:
   - On each client, try to ping the server’s VPN IP (`10.0.0.1`):
     ```bash
     ping 10.0.0.1
     ```
   - Try to ping an external IP (e.g., `8.8.8.8`):
     ```bash
     ping 8.8.8.8
     ```

---

## **Conclusion**

You now have a fully functional WireGuard VPN server running on AWS EC2 with two clients. This setup is secure, cost-effective, and easy to manage. Enjoy your private and secure VPN! 🚀
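Steps 6 through 8 collapsed into one script, as an added example rather than the installation script linked at the top: it generates a key pair, picks the next free `10.0.0.x` from the `AllowedIPs` already in `wg0.conf`, appends the `[Peer]` block and renders the client's `.conf`. It also adds the peer to the live interface, because with `SaveConfig = true` wg-quick rewrites `wg0.conf` from the running state on shutdown and the restart in Step 7 would otherwise discard a file-only edit made while the tunnel is up. It assumes the paths, subnet and port used in this guide and that `wg-quick@wg0` is already running; the script name `add-client.sh` is an assumption.

```shell
#!/bin/sh
# add-client.sh: key pair + [Peer] entry + client .conf for one new client (added example).
set -eu
WG_DIR=/etc/wireguard            # layout from this guide
CLIENT_DIR="$WG_DIR/clients"
WG_PORT=51820
# [Peer] stanza appended to wg0.conf for one client ($1 = public key, $2 = VPN IP).
render_peer_block() {
  printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}
# Client config in the shape of client1.conf from Step 8
# ($1 = client private key, $2 = VPN IP, $3 = server public key, $4 = server public IP).
render_client_conf() {
  printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = 8.8.8.8\n\n' "$1" "$2"
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s:%s\nPersistentKeepalive = 25\n' \
    "$3" "$4" "$WG_PORT"
}
# First unused 10.0.0.x, judged by the AllowedIPs lines already present in wg0.conf ($1).
next_free_ip() {
  used=$(sed -n 's/^AllowedIPs *= *10\.0\.0\.\([0-9]*\)\/32.*/\1/p' "$1")
  n=2
  while [ "$n" -le 254 ]; do
    echo "$used" | grep -qx "$n" || { echo "10.0.0.$n"; return 0; }
    n=$((n + 1))
  done
  echo "no free address left in 10.0.0.0/24" >&2; return 1
}
main() {                         # usage: sudo sh add-client.sh <name> <ec2-public-ip>
  name="$1"; endpoint="$2"
  umask 077                      # key material must not be readable by other users
  priv=$(wg genkey)
  pub=$(printf '%s\n' "$priv" | wg pubkey)
  ip=$(next_free_ip "$WG_DIR/wg0.conf")
  printf '%s\n' "$priv" > "$CLIENT_DIR/${name}_privatekey"
  printf '%s\n' "$pub"  > "$CLIENT_DIR/${name}_publickey"
  render_peer_block "$pub" "$ip" >> "$WG_DIR/wg0.conf"
  # SaveConfig = true makes wg-quick rewrite wg0.conf from the running interface on
  # shutdown; adding the peer live as well keeps the file and the interface in agreement.
  if wg show wg0 >/dev/null 2>&1; then
    wg set wg0 peer "$pub" allowed-ips "$ip/32"
  fi
  render_client_conf "$priv" "$ip" "$(cat "$WG_DIR/publickey")" "$endpoint" \
    > "$CLIENT_DIR/$name.conf"
  echo "wrote $CLIENT_DIR/$name.conf with VPN address $ip"
}
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it as root on the server, e.g. `sudo sh add-client.sh client3 <ec2-public-ip>`, then hand `/etc/wireguard/clients/client3.conf` to the device as in Step 9.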
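A follow-up to the `sudo wg` check in Step 10, as an added example rather than part of the guide: it parses `wg show wg0 dump` to list peers with no recent handshake and peers that are present on the interface but not declared in `wg0.conf`, which is worth a look because only Step 7 should be adding them. Invoked without `--live` it runs on a constructed sample dump with placeholder keys; the script name and the 180-second threshold are assumptions.

```shell
#!/bin/sh
# check-peers.sh: audit the live peer table from `wg show wg0 dump` (added example).
# Dump format is tab separated; line 1 is the interface, each further line one peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake(epoch, 0 = never)
#   transfer-rx  transfer-tx  persistent-keepalive
set -eu

# Peers whose last handshake is older than $1 seconds relative to epoch time $2.
# Reads dump text on stdin; prints "<public-key> <allowed-ips> <age|never>".
stale_peers() {
  awk -F'\t' -v max="$1" -v now="$2" '
    NR == 1 { next }
    $5 == 0 { print $1, $4, "never"; next }
    now - $5 > max { print $1, $4, now - $5 }'
}

# Peers on the interface that are not declared in wg0.conf ($1): something other
# than the procedure in Step 7 added them.
unknown_peers() {
  awk -F'\t' -v conf="$1" '
    BEGIN { while ((getline line < conf) > 0)
              if (sub(/^PublicKey *= */, "", line)) known[line] = 1 }
    NR > 1 && !($1 in known) { print $1, $4 }'
}

# Constructed sample dump (placeholder keys, not real ones) for a stand-alone run:
# client1 shook hands 30 s before NOW, client2 never has.
NOW=1700000000
sample_dump() {
  printf 'SRVPRIV\tSRVPUB\t51820\toff\n'
  printf 'CLIENT1PUB\t(none)\t203.0.113.7:41234\t10.0.0.2/32\t%s\t1024\t2048\t25\n' "$((NOW - 30))"
  printf 'CLIENT2PUB\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\t25\n'
}

if [ "${1:-}" = "--live" ]; then   # on the server: sudo sh check-peers.sh --live
  wg show wg0 dump | stale_peers 180 "$(date +%s)"
  wg show wg0 dump | unknown_peers /etc/wireguard/wg0.conf
else
  sample_dump | stale_peers 120 "$NOW"   # prints: CLIENT2PUB 10.0.0.3/32 never
fi
```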