# wireguard on aws server

This is an ansible playbook that launches a wireguard vpn server in the amazon cloud.

Created by Stefan Maerkle

## Optimized for minimized costs

It is optimized to minimize aws costs:

- uses arm64 graviton instances (cheaper than amd64)
- uses spot instance (cheaper than on demand)
- uses t4g.nano with 512MB (smallest/cheapest instance type)
- uses Debian 10 arm64 ami

## What does it do?

It installs a debian server (arm64) and wireguard on it. It configures wireguard with as many clients as you need and provides the client profiles you need to get your wireguard clients running.

Some details:

- Uses private subnet 10.100.100.0/24 that is then NATed to the internet
- Uses quad9 dns server 9.9.9.9 through the tunnel
- Clients route EVERYTHING through the tunnel
- Server has NO firewalling, neither as an aws security group restriction nor on the debian server

## Prerequisites

1. You need an aws account
2. You need credentials for api usage and store them in environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
3. You need an ssh key that you can use to connect to a linux instance e.g. `~/.ssh/id_rsa` and `~/.ssh/id_rsa.pub`
4. You need ansible installed on your machine e.g. `apt-get install ansible`
5. You need the amazon.aws collection installed from ansible-galaxy e.g. `ansible-galaxy collection install amazon.aws`

## Installation of server

1. `ansible-playbook create_aws_wireguard_server.yml`

## Installation of clients

1. Install wireguard client for your operating system (e.g. via package manager or Appstore)
2. Import the client profile that was created during the server installation. It is located in the `wireguard_profiles` subfolder.
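To make the "What does it do?" details concrete, here is an added example (not part of this playbook) that generates the server `wg0.conf` and per-client profiles with the same layout: clients get addresses from 10.100.100.0/24, the server masquerades tunnel traffic to the internet, clients set `AllowedIPs = 0.0.0.0/0` so everything goes through the tunnel, and DNS is 9.9.9.9. The listen port 51820, the interface names `wg0`/`eth0`, the endpoint address and all key strings are assumptions or placeholders, not values from the playbook; real keys come from `wg genkey`/`wg pubkey`.

```python
"""Generate WireGuard server and client configs for a full-tunnel VPN on
10.100.100.0/24, NATed to the internet, with Quad9 (9.9.9.9) as tunnel DNS.
Example code, not the playbook's own; see the assumptions below."""
import ipaddress
from dataclasses import dataclass

VPN_SUBNET = ipaddress.ip_network("10.100.100.0/24")
DNS_SERVER = "9.9.9.9"
LISTEN_PORT = 51820   # assumption: WireGuard's default UDP port
WAN_IFACE = "eth0"    # assumption: the instance's public NIC (often ens5 on EC2)
WG_IFACE = "wg0"      # assumption: the tunnel interface name


@dataclass
class Peer:
    name: str
    private_key: str   # placeholder strings in the demo below, not real keys
    public_key: str
    address: ipaddress.IPv4Address


def allocate_addresses(count):
    """Hand out host addresses from the VPN subnet: .1 for the server,
    .2 onward for clients.  Raises if the /24 cannot hold them all."""
    hosts = list(VPN_SUBNET.hosts())
    if count + 1 > len(hosts):
        raise ValueError(f"{VPN_SUBNET} only has room for {len(hosts) - 1} clients")
    return hosts[0], hosts[1:count + 1]


def server_config(server_private_key, server_addr, peers):
    """wg0.conf for the server: forward tunnel traffic and masquerade it out
    of the public NIC so clients reach the internet through the server."""
    post_up = (
        f"iptables -A FORWARD -i {WG_IFACE} -j ACCEPT; "
        f"iptables -t nat -A POSTROUTING -s {VPN_SUBNET} -o {WAN_IFACE} -j MASQUERADE"
    )
    post_down = post_up.replace("-A ", "-D ")   # same rules, deleted on shutdown
    lines = [
        "[Interface]",
        f"Address = {server_addr}/{VPN_SUBNET.prefixlen}",
        f"ListenPort = {LISTEN_PORT}",
        f"PrivateKey = {server_private_key}",
        f"PostUp = {post_up}",
        f"PostDown = {post_down}",
    ]
    for p in peers:
        # The server only routes each client's single /32 back to that peer.
        lines += ["", f"# {p.name}", "[Peer]",
                  f"PublicKey = {p.public_key}", f"AllowedIPs = {p.address}/32"]
    return "\n".join(lines) + "\n"


def client_config(peer, server_public_key, server_endpoint):
    """Client profile: AllowedIPs 0.0.0.0/0 sends EVERYTHING through the
    tunnel, and name resolution uses Quad9 inside the tunnel."""
    return "\n".join([
        "[Interface]",
        f"Address = {peer.address}/32",
        f"PrivateKey = {peer.private_key}",
        f"DNS = {DNS_SERVER}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
        f"Endpoint = {server_endpoint}:{LISTEN_PORT}",
        "AllowedIPs = 0.0.0.0/0",
    ]) + "\n"


def build_profiles(client_names, server_keys, client_keys, server_endpoint):
    """Return {'server': wg0.conf text, '<client name>': client conf text, ...}.
    server_keys is (private, public); client_keys maps name -> (private, public)."""
    server_addr, client_addrs = allocate_addresses(len(client_names))
    peers = [Peer(n, client_keys[n][0], client_keys[n][1], a)
             for n, a in zip(client_names, client_addrs)]
    profiles = {"server": server_config(server_keys[0], server_addr, peers)}
    for p in peers:
        profiles[p.name] = client_config(p, server_keys[1], server_endpoint)
    return profiles


if __name__ == "__main__":
    # Constructed demo input: placeholder keys and a documentation-range endpoint.
    demo = build_profiles(
        ["laptop", "phone"],
        ("SERVER_PRIVATE_KEY_PLACEHOLDER", "SERVER_PUBLIC_KEY_PLACEHOLDER"),
        {"laptop": ("LAPTOP_PRIV", "LAPTOP_PUB"), "phone": ("PHONE_PRIV", "PHONE_PUB")},
        "203.0.113.10",
    )
    for name, text in demo.items():
        print(f"----- {name} -----\n{text}")
```

Each client's `AllowedIPs = 0.0.0.0/0` is what makes the tunnel a full tunnel; narrowing it to `10.100.100.0/24` would instead give split tunnelling. The `PostUp` rules are the only packet filtering this layout applies, which is consistent with the README's note that the server itself has no firewalling.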