stefan/wg-aws
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity
wg-aws/Readme.md
Stefan Märkle a5ebbc7eed Ubuntu hazzle documented in readme
2020-12-28 16:08:26 +01:00

42 lines
2.1 KiB
Markdown
Raw Blame History

# wireguard on aws server
This is an ansible playbook that launches a wireguard vpn server in the amazon cloud.
Created by Stefan Maerkle `<stefan at abgruen dot de>`
## Optimized for minimized costs
It is optimized to minimize aws costs:
- uses arm64 graviton instances (cheaper than amd64)
- uses spot instance (cheaper than on demand)
- uses t4g.nano with 512MB (smallest/cheapest instance type)
- uses Debian 10 arm64 ami, for your right image look at https://wiki.debian.org/Cloud/AmazonEC2Image/Buster
## What does it do?
It installs a debian server (arm64) and wireguard on it. It configures wireguard with as much clients as you need and provides the client profiles you need to get your wireguard clients running.
Some details:
- Uses private subnet 10.100.100.0/24 that is then nat'ed to the internet
- Uses quad9 dns server 9.9.9.9 through the tunnel
- Client does route EVERYTHING through the tunnel
- Server has NO firewalling neither as aws security group restriction nor on the debian server
## Prerequisites
1. You need an aws account
2. You need credentials for api usage and store them in environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
3. You need a ssh key that you can use to connect to a linux instance e.g. `~/.ssh/id_rsa` and `~/.ssh/id_rsa.pub`
4. You need ansible installed on your machine e.g. `apt-get install ansible`
5. You need the amazon.aws collection installed from ansible-galaxy e.g. `ansible-galaxy collection install amazon.aws`
## Installation of server
1. ansible-playbook create_aws_wireguard_server.yml
2. provide informations the script asks from you. If in doubt just accept
defaults by pressing return
## Installation of clients
1. Install wireguard client for your operating system (e.g. via package manager or Appstore)
2. Import the client profile that was created during the server installation. It is located in `wireguard_profiles` subfolder
as config file and as a qrcode png file to be scanned by mobile clients
(!) under ubuntu, you have to enable tcp_mtu_probing e.g. by issuing 'echo 2 >
/proc/sys/net/ipv4/tcp_mtu_probing' or by setting 'net.ipv4.tcp_mtu_probing = 2'
/in /etc/sysctl.conf
Reference in New Issue View Git Blame Copy Permalink