Setup WireGuard VPN on Google Cloud Platform
Author: upvpn LLC (@upvpnapp)
Table of Contents
- Introduction
- Creating a GCP Instance
- Firewall Rules
- Installing WireGuard
- Configuration for the Server and Client
- Client Configuration
- Complete Script
- Using the VPN
- Adding Additional Clients
Introduction
This guide walks you through setting up a WireGuard VPN server on Google Cloud Platform (GCP). WireGuard is a modern, fast, and secure VPN protocol that's easier to configure than traditional solutions like OpenVPN or IPSec.
Creating a GCP Instance
Make sure your GCP project has an active billing account or a free trial. In the Google Cloud Console, activate Cloud Shell.
- From cloud shell, create a new VM instance in GCP with Ubuntu 24.04 LTS:
gcloud compute instances create wireguard-vpn \
--zone=us-central1-a \
--machine-type=e2-micro \
--image-family=ubuntu-minimal-2404-lts-amd64 \
--image-project=ubuntu-os-cloud \
--network-tier=STANDARD
Firewall Rules
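- From cloud shell, create the necessary firewall rule in GCP. The rule opens UDP port 51820 to any source address and, because no target tags are set, applies to every instance on the default network: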
gcloud compute firewall-rules create allow-wireguard \
--direction=INGRESS \
--priority=1000 \
--network=default \
--action=ALLOW \
--rules=udp:51820 \
--source-ranges=0.0.0.0/0
Installing WireGuard
- SSH into your instance from cloud shell:
gcloud compute ssh wireguard-vpn
- Install WireGuard and required tools:
sudo apt update
sudo apt install wireguard iptables qrencode curl -y
- Enable IP forwarding:
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Configuration for the Server and Client
- Generate server and client keys:
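# Server key pair; > /dev/null keeps the private key off the terminal
wg genkey | sudo tee /etc/wireguard/server_private.key > /dev/null
sudo chmod 600 /etc/wireguard/server_private.key
sudo cat /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
# Client key pair; the client private key is restricted the same way
wg genkey | sudo tee /etc/wireguard/client_private.key > /dev/null
sudo chmod 600 /etc/wireguard/client_private.key
sudo cat /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key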
- Create the server configuration file:
SERVER_PRIVATE_KEY=$(sudo cat /etc/wireguard/server_private.key)
CLIENT_PUBLIC_KEY=$(sudo cat /etc/wireguard/client_public.key)
cat << EOF | sudo tee /etc/wireguard/wg0.conf
[Interface]
PrivateKey = ${SERVER_PRIVATE_KEY}
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -t nat -I POSTROUTING -o ens4 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE
[Peer]
PublicKey = ${CLIENT_PUBLIC_KEY}
AllowedIPs = 10.0.0.2/32
EOF
sudo chmod 600 /etc/wireguard/wg0.conf
- Start and enable WireGuard:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
Confirm that the WireGuard interface is up:
sudo wg show
Client Configuration
Create a client configuration file named client.conf:
SERVER_IP=$(curl "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip" -H "Metadata-Flavor: Google")
SERVER_PUBLIC_KEY=$(sudo cat /etc/wireguard/server_public.key)
CLIENT_PRIVATE_KEY=$(sudo cat /etc/wireguard/client_private.key)
cat << EOF | sudo tee /etc/wireguard/client.conf
[Interface]
PrivateKey = ${CLIENT_PRIVATE_KEY}
Address = 10.0.0.2/32
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = ${SERVER_PUBLIC_KEY}
Endpoint = ${SERVER_IP}:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
Connect mobile device using the QR code for client configuration:
sudo cat /etc/wireguard/client.conf | qrencode -t ansiutf8
Complete Script
Here's the complete set of commands to run on the server:
#!/bin/bash
# Exit on any error
set -e
# Install required packages
echo "Installing required packages..."
sudo apt update
# curl is needed below to read the external IP from the metadata server
sudo apt install wireguard iptables qrencode curl -y
# Enable IP forwarding
echo "Configuring IP forwarding..."
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Create WireGuard directory if it doesn't exist
sudo mkdir -p /etc/wireguard
# Generate server keys
echo "Generating server keys..."
# > /dev/null keeps the private key off the terminal
wg genkey | sudo tee /etc/wireguard/server_private.key > /dev/null
sudo chmod 600 /etc/wireguard/server_private.key
sudo cat /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
# Generate client keys
echo "Generating client keys..."
wg genkey | sudo tee /etc/wireguard/client_private.key > /dev/null
sudo chmod 600 /etc/wireguard/client_private.key
sudo cat /etc/wireguard/client_private.key | wg pubkey | sudo tee /etc/wireguard/client_public.key
# Get server public IP
SERVER_IP=$(curl "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip" -H "Metadata-Flavor: Google")
SERVER_PRIVATE_KEY=$(sudo cat /etc/wireguard/server_private.key)
CLIENT_PUBLIC_KEY=$(sudo cat /etc/wireguard/client_public.key)
# Create server configuration
echo "Creating server configuration..."
cat << EOF | sudo tee /etc/wireguard/wg0.conf
[Interface]
PrivateKey = ${SERVER_PRIVATE_KEY}
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -t nat -I POSTROUTING -o ens4 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE
[Peer]
PublicKey = ${CLIENT_PUBLIC_KEY}
AllowedIPs = 10.0.0.2/32
EOF
# Set correct permissions
sudo chmod 600 /etc/wireguard/wg0.conf
# Create client configuration
echo "Creating client configuration..."
SERVER_PUBLIC_KEY=$(sudo cat /etc/wireguard/server_public.key)
CLIENT_PRIVATE_KEY=$(sudo cat /etc/wireguard/client_private.key)
cat << EOF | sudo tee /etc/wireguard/client.conf
[Interface]
PrivateKey = ${CLIENT_PRIVATE_KEY}
Address = 10.0.0.2/32
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = ${SERVER_PUBLIC_KEY}
Endpoint = ${SERVER_IP}:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
# Start WireGuard
echo "Starting WireGuard..."
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
# Create directory for client configs
mkdir -p ~/wireguard-client-configs
sudo cp /etc/wireguard/client.conf ~/wireguard-client-configs/
chmod 700 ~/wireguard-client-configs
# Generate QR code
echo "Generating QR code..."
sudo cat /etc/wireguard/client.conf | qrencode -t ansiutf8 > ~/wireguard-client-configs/client-qr.txt
# Print status information
echo "
========================================
WireGuard Installation Complete!
========================================
Server Information:
- Public IP: ${SERVER_IP}
- Port: 51820
- Interface: wg0
Client configuration has been saved to:
~/wireguard-client-configs/client.conf
QR code for mobile clients has been saved to:
~/wireguard-client-configs/client-qr.txt
To check WireGuard status:
sudo wg show
To view the QR code for mobile clients:
cat ~/wireguard-client-configs/client-qr.txt
"
# Show WireGuard status
echo "Current WireGuard status:"
sudo wg show
Using the VPN
For Desktop Clients
- Install the WireGuard client for your operating system:
  - Windows: WireGuard Windows Client
  - macOS: WireGuard macOS Client
  - Linux (Ubuntu/Debian): sudo apt install wireguard
- Copy the contents of ~/wireguard-client-configs/client.conf to your client machine
- Import the configuration into your WireGuard client
- Enable the VPN connection
For Mobile Clients
- Install the WireGuard app
- Scan the QR code displayed in ~/wireguard-client-configs/client-qr.txt
- Enable the VPN connection
Adding Additional Clients
To add more clients, run these commands on the server:
#!/bin/bash
# Generate keys for the new client
CLIENT_NUM=2 # Change this number for each new client
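# Keep the private key off the terminal and readable by root only
sudo wg genkey | sudo tee "/etc/wireguard/client${CLIENT_NUM}_private.key" > /dev/null
sudo chmod 600 "/etc/wireguard/client${CLIENT_NUM}_private.key"
sudo cat "/etc/wireguard/client${CLIENT_NUM}_private.key" | wg pubkey | sudo tee "/etc/wireguard/client${CLIENT_NUM}_public.key"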
# Get the keys and server info
NEW_CLIENT_PRIVATE_KEY=$(sudo cat "/etc/wireguard/client${CLIENT_NUM}_private.key")
NEW_CLIENT_PUBLIC_KEY=$(sudo cat "/etc/wireguard/client${CLIENT_NUM}_public.key")
SERVER_PUBLIC_KEY=$(sudo cat /etc/wireguard/server_public.key)
SERVER_IP=$(curl "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip" -H "Metadata-Flavor: Google")
# Add peer to server config
sudo tee -a /etc/wireguard/wg0.conf << EOF
[Peer]
PublicKey = ${NEW_CLIENT_PUBLIC_KEY}
AllowedIPs = 10.0.0.$((CLIENT_NUM + 1))/32
EOF
# Create client config
cat << EOF | sudo tee "/etc/wireguard/client${CLIENT_NUM}.conf"
[Interface]
PrivateKey = ${NEW_CLIENT_PRIVATE_KEY}
Address = 10.0.0.$((CLIENT_NUM + 1))/32
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = ${SERVER_PUBLIC_KEY}
Endpoint = ${SERVER_IP}:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
# Generate QR code for the new client
sudo cat "/etc/wireguard/client${CLIENT_NUM}.conf" | qrencode -t ansiutf8 | sudo tee "/etc/wireguard/client${CLIENT_NUM}-qr.txt"
# Restart WireGuard to apply changes
sudo systemctl restart wg-quick@wg0
echo "New client configuration created:"
echo "Config file: /etc/wireguard/client${CLIENT_NUM}.conf"
echo "QR code: /etc/wireguard/client${CLIENT_NUM}-qr.txt"
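Because the script above derives each client's address from a hand-edited CLIENT_NUM, reusing a number appends a second [Peer] with the same AllowedIPs, and WireGuard then routes that address to only one of the two peers. The following is an added example, not part of the original guide: it reads a wg-quick config, reports addresses claimed by more than one peer, and picks the next unused address. The function names and the sample config are assumptions; the 10.0.0.0/24 layout is the guide's.

```shell
#!/bin/sh
# Added example, not the guide's code; assumes its 10.0.0.0/24 layout, names hypothetical.
# List every address (prefix length stripped) on [Peer] AllowedIPs lines.
peer_ips() {
  awk -F'=' '
    /^\[Peer\]/ { in_peer = 1; next }
    /^\[/       { in_peer = 0 }
    in_peer && $1 ~ /^[ \t]*AllowedIPs[ \t]*$/ {
      n = split($2, parts, ",")
      for (i = 1; i <= n; i++) {
        gsub(/[ \t]/, "", parts[i]); sub(/\/.*/, "", parts[i])
        if (parts[i] != "") print parts[i]
      }
    }' "$1"
}

# Addresses claimed by more than one peer; WireGuard routes each to one peer only.
duplicate_ips() { peer_ips "$1" | sort | uniq -d; }

# First unused client address in 10.0.0.2..254; returns 1 if none is left.
next_free_ip() {
  used=$(peer_ips "$1"); host=2
  while [ "$host" -le 254 ]; do
    if ! printf '%s\n' "$used" | grep -qxF "10.0.0.$host"; then
      echo "10.0.0.$host"; return 0
    fi
    host=$((host + 1))
  done
  return 1
}

# Constructed sample config with placeholder keys; 10.0.0.3 is assigned twice.
write_sample_conf() {
  cat > "$1" << 'EOF'
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = CONSTRUCTED_CLIENT1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = CONSTRUCTED_CLIENT2_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = CONSTRUCTED_CLIENT3_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32
EOF
}
sample=$(mktemp) && write_sample_conf "$sample"
echo "duplicates: $(duplicate_ips "$sample"), next free: $(next_free_ip "$sample")"
rm -f "$sample"
```

On the server, run the functions as root against /etc/wireguard/wg0.conf before appending a new [Peer], and use the returned address in both the server and client configs.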
Troubleshooting
If you encounter issues, check:
- WireGuard service status:
sudo systemctl status wg-quick@wg0
- Logs:
sudo journalctl -xeu wg-quick@wg0
- Interface status:
sudo wg show
ip addr show wg0
- IP forwarding status:
sysctl net.ipv4.ip_forward
All commands in this guide are ready to use without any modifications. The script automatically generates all necessary keys and configurations, and provides clear output about where to find the client configuration files.