wireguard on aws server
This is an Ansible playbook that launches a WireGuard VPN server in the Amazon cloud (an EC2 instance).
Created by Stefan Maerkle <stefan at abgruen dot de>
Optimized for minimal costs
It is optimized to minimize AWS costs:
- uses arm64 Graviton instances (cheaper than amd64)
- uses a spot instance (cheaper than on-demand, but AWS can reclaim it at any time, taking the VPN down with it)
- uses t4g.nano with 512 MB RAM (the smallest and cheapest instance type)
- uses a Debian 10 (buster) arm64 AMI; look up the AMI ID for your region at https://wiki.debian.org/Cloud/AmazonEC2Image/Buster
What does it do?
It installs a Debian (arm64) server with WireGuard on it, configures WireGuard for as many clients as you need, and writes out the client profiles you need to get your WireGuard clients running. Some details:
- uses the private subnet 10.100.100.0/24 for the tunnel, which the server NATs (masquerades) to the internet
- pushes the Quad9 DNS server 9.9.9.9 to the clients, so name resolution also goes through the tunnel
- clients route EVERYTHING through the tunnel (AllowedIPs = 0.0.0.0/0); this is a full-tunnel VPN, there is no split tunneling
- the server has NO firewalling, neither an AWS security group restriction nor a host firewall on the Debian server: SSH, the WireGuard UDP port and anything else listening on the instance are reachable from the whole internet. Restrict the security group yourself if that is not what you want
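As an added example (this is not the playbook's own code), here is what the configuration described above looks like in WireGuard's own config format, rendered by a small shell script. The tunnel subnet, the DNS server and the full-tunnel AllowedIPs come from the list above; the listen port 51820, the interface name eth0, the server taking 10.100.100.1, the /32 client addresses and the function names are this example's assumptions. Keys are passed in as arguments so the script runs without wireguard-tools installed:

```sh
#!/bin/sh
# Added example, not part of the playbook: renders WireGuard configs laid out
# the way the README describes (10.100.100.0/24 tunnel subnet, NAT to the
# internet, Quad9 DNS, full-tunnel clients). Keys are passed in as arguments so
# this runs without wireguard-tools; on a real host generate them with
#   wg genkey | tee server.key | wg pubkey > server.pub
# Function names, WG_PORT, WAN_IF and the server taking .1 are assumptions.

WG_NET="10.100.100"   # README: private subnet 10.100.100.0/24; assumption: server is .1
WG_DNS="9.9.9.9"      # README: Quad9 through the tunnel
WG_PORT="51820"       # assumption: WireGuard's conventional UDP port
WAN_IF="eth0"         # assumption: the instance's public-facing interface

# valid_wg_key KEY: a Curve25519 key is 32 bytes, i.e. 44 base64 chars ending in '='
valid_wg_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# client_ip N: tunnel address of client N (server is .1, first client is .2)
client_ip() {
  printf '%s.%s' "$WG_NET" "$(( $1 + 1 ))"
}

# render_server_conf SERVER_PRIVATE_KEY: the server [Interface] section.
# PostUp/PostDown add and remove the masquerade rule that NATs the tunnel
# subnet out of the public interface; forwarding must be on for it to matter.
render_server_conf() {
  valid_wg_key "$1" || { echo "bad server private key" >&2; return 1; }
  printf '[Interface]\n'
  printf 'Address = %s.1/24\n' "$WG_NET"
  printf 'ListenPort = %s\n' "$WG_PORT"
  printf 'PrivateKey = %s\n' "$1"
  printf 'PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -s %s.0/24 -o %s -j MASQUERADE\n' "$WG_NET" "$WAN_IF"
  printf 'PostDown = iptables -t nat -D POSTROUTING -s %s.0/24 -o %s -j MASQUERADE\n' "$WG_NET" "$WAN_IF"
}

# render_server_peer N CLIENT_PUBLIC_KEY: one [Peer] section on the server side.
# AllowedIPs is a single /32, so the server only accepts packets from that
# tunnel address under this key and one client cannot impersonate another.
render_server_peer() {
  valid_wg_key "$2" || { echo "bad client public key" >&2; return 1; }
  printf '\n[Peer]\n'
  printf 'PublicKey = %s\n' "$2"
  printf 'AllowedIPs = %s/32\n' "$(client_ip "$1")"
}

# render_client_conf N CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY SERVER_PUBLIC_IP:
# the profile handed to client N. AllowedIPs = 0.0.0.0/0 is what makes the
# client send EVERYTHING through the tunnel; DNS = 9.9.9.9 is resolved
# through it as well.
render_client_conf() {
  valid_wg_key "$2" && valid_wg_key "$3" || { echo "bad key" >&2; return 1; }
  printf '[Interface]\n'
  printf 'Address = %s/32\n' "$(client_ip "$1")"
  printf 'PrivateKey = %s\n' "$2"
  printf 'DNS = %s\n' "$WG_DNS"
  printf '\n[Peer]\n'
  printf 'PublicKey = %s\n' "$3"
  printf 'Endpoint = %s:%s\n' "$4" "$WG_PORT"
  printf 'AllowedIPs = 0.0.0.0/0\n'
  printf 'PersistentKeepalive = 25\n'
}

# Usage (the key variables are placeholders you fill from wg genkey / wg pubkey):
#   render_server_conf "$SERVER_PRIV" > wg0.conf
#   render_server_peer 1 "$CLIENT1_PUB" >> wg0.conf
#   render_client_conf 1 "$CLIENT1_PRIV" "$SERVER_PUB" 203.0.113.10 > wireguard_profiles/client1.conf
```

The per-peer /32 on the server side is the only thing that stops one client from sourcing traffic as another, so keep it even if you hand out /24 addresses on the client side. Since the README's server has no security group or host firewall, ListenPort and SSH are reachable from everywhere; WireGuard itself stays silent to packets that do not carry a valid handshake, SSH does not.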
Prerequisites
- You need an AWS account
- You need API credentials, stored in the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
- You need an SSH key pair that you can use to connect to a Linux instance, e.g. ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub
- You need Ansible installed on your machine, e.g. apt-get install ansible
- You need the amazon.aws collection installed from Ansible Galaxy, e.g. ansible-galaxy collection install amazon.aws
Installation of server
- ansible-playbook create_aws_wireguard_server.yml
- Provide the information the playbook asks for. If in doubt, accept the defaults by pressing return
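As an added example (not part of the playbook), a pre-flight script that checks the prerequisites above before the playbook is run: the two credential variables, the SSH key pair and its permissions, the Ansible binaries and the amazon.aws collection. The function names, the SSH_KEY override variable and the exit-code convention are this example's own assumptions:

```sh
#!/bin/sh
# Added example, not part of the playbook: pre-flight checks for the
# prerequisites listed in the README, meant to run right before
#   ansible-playbook create_aws_wireguard_server.yml
# Function names, the SSH_KEY variable and the exit-code convention are this
# example's own assumptions.

# need_env NAME: credentials must come from the environment, so fail on an
# unset or empty variable.
need_env() {
  eval "val=\${$1:-}"
  [ -n "$val" ] || { echo "missing environment variable: $1" >&2; return 1; }
}

# need_cmd NAME: fail if NAME is not on PATH
need_cmd() {
  command -v "$1" >/dev/null 2>&1 || { echo "missing command: $1" >&2; return 1; }
}

# need_keypair PRIVATE_KEY_PATH: both halves must exist, and the private half
# must not be readable by group or others (ssh refuses such keys anyway).
# Columns 5-10 of `ls -l` are the group/other permission bits; that is
# portable across GNU and BSD userlands, whose stat(1) flags differ.
need_keypair() {
  { [ -r "$1" ] && [ -r "$1.pub" ]; } || { echo "missing ssh key pair: $1 / $1.pub" >&2; return 1; }
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "$1 is readable by group/others (chmod 600 it)" >&2; return 1; }
}

# need_collection NAMESPACE.NAME: ansible-galaxy prints a table of installed
# collections; look for the requested one at the start of a line.
need_collection() {
  ansible-galaxy collection list "$1" 2>/dev/null | grep -q "^$1 " \
    || { echo "collection $1 not installed (ansible-galaxy collection install $1)" >&2; return 1; }
}

# preflight: run every check and report all failures, not just the first.
preflight() {
  rc=0
  need_env AWS_ACCESS_KEY_ID || rc=1
  need_env AWS_SECRET_ACCESS_KEY || rc=1
  need_keypair "${SSH_KEY:-$HOME/.ssh/id_rsa}" || rc=1
  need_cmd ansible-playbook || rc=1
  need_cmd ansible-galaxy && need_collection amazon.aws || rc=1
  return "$rc"
}

# Usage:
#   preflight && ansible-playbook create_aws_wireguard_server.yml
```

Reporting every failing check in one pass is deliberate: the playbook only discovers a missing credential or collection once it is already talking to AWS, and aborting halfway can leave a half-built spot request and security group behind.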
Installation of clients
- Install a WireGuard client for your operating system (e.g. via package manager or app store)
- Import the client profile that was created during the server installation. It is located in the wireguard_profiles subfolder, both as a config file and as a QR code PNG to be scanned by mobile clients
(!) Under Ubuntu you have to enable TCP MTU probing, e.g. by issuing 'echo 2 > /proc/sys/net/ipv4/tcp_mtu_probing' (takes effect immediately, lost on reboot) or by setting 'net.ipv4.tcp_mtu_probing = 2' in /etc/sysctl.conf (persistent; apply it now with 'sysctl -p')