Why install a VPN?

With the recent Covid-19 pandemic; working from home (or remote working) has become cruical, as part of the worlds efforts to suppress the rising number of infections of the Covid-19 virus. Many organisations may be already prepared and have VPN technology and remote working policies in place. However, for some organisations this might be something entirely new.

There are a number of different VPN solutions, with different benefits and downsides (which we will avoid going into detail today).

Wireguard is:

  • small and lightweight
  • incredibly efficient
  • offering a boost in bandwidth throughput and performance
  • integrated into the latest Linux Kernel (5.6+)

So this blog post covers the simple instructions we followed, inorder to remote into some of our clients networks. In this example, we setup a VPN endpoint on AWS EC2.

EC2/Linux Configuration

Setup the server

Install wireguard on Amazon-Linux-2

curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install epel-release
yum install wireguard-dkms wireguard-tools

Create an empty server config file with proper permissions

mkdir /etc/wireguard && cd /etc/wireguard
bash -c 'umask 077; touch wg0.conf
wg genkey > /etc/wireguard/private.key
wg pubkey < /etc/wireguard/private.key > /etc/wireguard/public.key

Create the inital configuration, copy and paste the following into wg0.conf

Address =
PrivateKey = server_private_key
ListenPort = 54321
PublicKey = client_public_key
AllowedIPs =

Then run the following to add the keys:

sed -i "s/server_private_key/$(sed 's:/:\\/:g' private.key)/" wg0.conf

dont forget to add the clients public key when your ready later…

Next start wireguard:

modprobe /usr/lib/modules/4.14.171-136.231.amzn2.x86_64/kernel/net/wireguard.ko
ip link add dev wg0 type wireguard
wg-quick up wg0

Enable IP forwarding

sysctl -w net.ipv4.ip_forward=1

Enable the service to start on boot

systemctl enable wg-quick@wg0.service

Setup a firewall

This next step really depends on your network setup, in the example below we allow all traffic to be routed through wireguard, to access the external services on the public internet. But you probably want to redirect traffic to your cloud apps, or other environments.

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 54321 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
netfilter-persistent save

Hopefully, provided there were no errors, your wireguard VPN is 99% ready. You just need to configure individual peers, and add the peers public key’s and expected IP address.

Setup a Linux Client

First, we create the configuration file. I call it client.conf in this example.

cd /etc/wireguard/
nano client.conf

Paste the following text into the editor.

Address =
PrivateKey = client_private_key

PublicKey = server_public_key
Endpoint = [insert_aws_ec2_ip_here]:54321
AllowedIPs =

Windows Configuration

A high performance and secure VPN client that uses the WireGuard protocol. TunSafe makes it extremely simple to setup a super fast and secure VPN tunnels between Windows and Linux.

Compared to more well-known VPN software Openvpn, Wireguard offers a much greater performance and throughput boost:


The configuration is similar to Linux, use the generate keypair to generate a private and public key. Stick the private-key in your configuration file, and pass the public-key to your vpn administrator, or add it to the peers of your server config.

Share on: