How to Self-Host a WireGuard VPN on Amazon AWS

This tutorial shows you how to deploy a Lightsail VPS on Amazon AWS and configure it as a VPN. You can then use it to make browsing the internet on a public network such as a coffee shop, library or airport more secure. Or to bypass geo-blocks.

In this tutorial, we will:

• Deploy a Ubuntu 20.04 Lightsail VPS.
• Install and configure WireGuard on the Ubuntu VPS.
• Connect to the VPN with a WireGuard client.

With these instructions, you can create your own private VPN that only costs $3.50 per month.

Step 1: Deploy Amazon Lightsail VPS

The first thing we need to do is log in to Amazon Lightsail and create a new VPS. We will deploy the VPS to the country you want websites to think you are from.

For example, if you want a website to see your IP address as you being from the US, you can deploy the instance in Virginia (us-east-1a). If you’re not bothered about bypassing a geo-block, you can deploy it in a region that is closest to you.

Let’s get started by logging into Amazon Lightsail then clicking Create instance.

Choose a location by clicking on Change AWS Region and Availability Zone. Select Linux/Unix then click OS Only.

Select Ubuntu 20.04 LTS then scroll down.

Select the $3.50 instance plan, then scroll down.

Give the instance a name then click Create instance.

You should see your instance is running. Make a note of the public IP address of the instance because you will use it to connect via SSH and when configuring the WireGuard VPN client.

Step 2: Configure Networking

With the instance now running, we need to make some changes to the firewall rules to allow WireGuard clients to connect to the server.

Click on the instance name then Networking.

Delete the HTTP rule (because it’s not a web server) by clicking the recycle bin icon next to the HTTP rule.

Click Add rule, select Custom, UDP, assign port 51820 then click Create. This is the port the WireGuard service will use to connect to clients.

Note: I’ve also disabled IPv6 because I don’t plan on using it.

Step 3: Connect to VPS Instance with SSH

We are now ready to connect to the VPS instance using SSH. Navigate to Account then SSH keys. Click Download next to the key assigned to your instance.

Give the key a name and save it to your computer. The following screenshot shows the key saved to the Desktop on my Mac.

Open a Terminal session (On Unix-like operating systems or Putty on Windows) then connect to the VPS instance using the public IP address.

Make the key readable only by current user.

chmod 600 ~/Desktop/vpn.cer

Connect replacing the certificate path and IP address with your own.

ssh -i ~/Desktop/vpn.cer ubuntu@3.231.94.220

Step 4: Enable Port Forwarding

The first thing we need to do after connecting to the server is enable port forwarding so that traffic from the client can access the internet through the VPN server. To enable port forwarding, create a file called 10-wireguard.conf in /etc/sysctl.d by running the command.

sudo vim /etc/sysctl.d/10-wireguard.conf

Then add the following contents to the file.

net.ipv4.ip_forward=1

Port forwarding will now be enabled when the server boots. To enable it now, run the following command.

sudo sysctl -p /etc/sysctl.d/10-wireguard.conf

Step 5: Install WireGuard & Generate Keys

Run the following command to install WireGuard.

sudo apt update && sudo apt install wireguard -y

Generate server and client keys.

sudo -i
cd /etc/wireguard/
wg genkey | tee server.key | wg pubkey > server.pub
wg genkey | tee client.key | wg pubkey > client.pub

You should now see a list of files.

/etc/wireguard# ls -l
total 16
-rw------- 1 root root 45 Sep 29 10:32 client.key
-rw------- 1 root root 45 Sep 29 10:32 client.pub
-rw------- 1 root root 45 Sep 29 10:32 server.key
-rw------- 1 root root 45 Sep 29 10:32 server.pub

We will use the contents of these files when creating the server and client config files in the upcoming steps.

Step 6: Create WireGuard Server Config

Now we need to create the WireGuard config file before we start the service.

sudo vim wg0.conf

Add the following to wg0.conf. Use the contents of server.key for the PrivateKey value and the contents of client.pub for the peers PublicKey value.

[Interface]
Address = 10.1.1.1/24
ListenPort = 51820
PrivateKey = [replace_with_contents_of_server.key]
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = [replace_with_contents_of_client.pub]
AllowedIPs = 10.1.1.2/32

Enable the WireGuard service when the server boots.

sudo systemctl enable wg-quick@wg0

Start the WireGuard service now.

sudo systemctl start wg-quick@wg0

We are now ready to install and configure a client to connect to the WireGuard VPN.

Step 7: Install and Configure WireGuard Client

There are clients available for Windows, Linux, iOS, Android and most operating systems. In this tutorial, I will demonstrate using the macOS WireGuard client but the configuartion file should work on other systems.

Open the App Store, search for WireGuard, install the client then click Open.

Click + then Add Empty Tunnel…

Enter a name for the VPN, for example USA, then add the following config.

[Interface]
PrivateKey = [replace_with_contents_of_client.key]
Address = 10.1.1.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = [replace_with_contents_of_server.pub]
AllowedIPs = 0.0.0.0/0
Endpoint = [replace_with_server_public_ip]:51820
PersistentKeepalive = 15

Replace the PrivateKey, PublicKey and Endpoint IP address with your values.

Click Activate to connect to the VPN and switch your IP address from your ISPs to the VPNs.

When data is being sent and received, it should be working. We will test it in the next step.

Step 8: Test Internet Connection

If everything is configured correctly, you should be able to ping the client from the server.

ping 10.1.1.2

PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=245 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=266 ms

--- 10.1.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 244.832/255.412/265.992/10.580 ms

And you should be able to ping the server from the client.

ping 10.1.1.1

PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=92.378 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=89.811 ms

--- 10.1.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 89.811/90.799/92.378/1.040 ms

If port forwarding is configured and the PostUp script is correct, you should be able to browse the internet on the client and websites will think you are visiting from the server IP address. You can test this by searching for what is my ip in Google.

As you can see from the screenshot above, Google sees my IP address as the one assigned to the VPS instance in Virginia.

Conclusion

In this tutorial, we created a private WireGuard VPN server on Ubuntu 20.04.

Connecting a client to the VPN allows us to bypass geo-blocks and makes browsing the internet from public networks secure. With these instructions, there’s no need to pay for an expensive VPN provider and share an IP with people that might be doing illegal things.

Another benefit of self-hosting your VPN on Amazon is the ability to pay as you go. Once you have finished with the VPN, you can destroy the instance, and you will only pay for the duration it existed and any bandwidth over the monthly plan used.