How to setup WireGuard
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, and leaner.
Assuming you have a local node (e.g. block producer / validator client / local laptop) and a remote node (e.g. relay node / beacon-chain node / VPS), this guide helps you secure and encrypt the network traffic between the two machines with WireGuard.
This greatly reduces the chances that your local node is attacked, and it shrinks the attack surface of the remote node because you no longer need to open ports for services such as Grafana.
Only the remote node is exposed to the public internet; the local machine reaches the remote node's internal services, such as Grafana, through the tunnel.

🐣
1. Install Wireguard

Linux headers need to be installed before WireGuard. Below, the generic headers are installed.

local and remote node:

sudo apt install linux-headers-generic
sudo add-apt-repository ppa:wireguard/wireguard -y
sudo apt-get update
sudo apt-get install wireguard -y

In case of Linux header problems, use the following instead.

sudo apt install linux-headers-$(uname -r)

Be aware this will require installing the headers again, followed by a restart: without restarting onto the new Linux headers, the WireGuard network interface will not function.

🗝
2. Setup Public / Private Keypair

Generate a public/private keypair on each node by running the following commands.

local and remote nodes:

sudo su
cd /etc/wireguard
umask 077
wg genkey | tee wireguard-privatekey | wg pubkey > wireguard-publickey

🤖
3. Configure Wireguard

Create a wg0.conf configuration file in the /etc/wireguard directory.
Update your private and public keys accordingly: each node's [Interface] PrivateKey comes from that node's own wireguard-privatekey, and each [Peer] PublicKey comes from that peer's wireguard-publickey.
Change the Endpoint to your remote node's public IP or DNS address.

Two Node Setup (e.g. 1 block producer, 1 relay node)

local node (/etc/wireguard/wg0.conf):

# local node WireGuard Configuration
[Interface]
# local node address
Address = 10.0.0.1/32
# local node private key
PrivateKey = <i.e. SJ6ygM3csa36...+pO4XW1QU0B2M=>
# local node wireguard listening port
ListenPort = 51820

# remote node
[Peer]
# remote node's publickey
PublicKey = <i.e. Rq7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=>
# remote node's public ip address or dns address
Endpoint = remotenode.mydomainname.com:51820
# remote node's interface address
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21

remote node (/etc/wireguard/wg0.conf):

# remote node WireGuard Configuration
[Interface]
Address = 10.0.0.2/32
PrivateKey = <i.e. cF3OjVhtKJAY/rQ...LFi7ASWg=>
ListenPort = 51820

# local node
[Peer]
# local node's public key
PublicKey = <i.e. rZLBzslvFtEJ...JdfX4XSwk=>
# local node's public ip address or dns address
Endpoint = localnodesIP-or-domain.com:51820
# local node's interface address
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 21

Triple Node Setup (e.g. 1 block producer, 2 relay nodes)

local node (/etc/wireguard/wg0.conf):

# local node WireGuard Configuration
[Interface]
# local node address
Address = 10.0.0.1/32
# local node private key
PrivateKey = <i.e. SJ6ygM3csa36...+pO4XW1QU0B2M=>
# local node wireguard listening port
ListenPort = 51820

# remote node 1 config
[Peer]
# remote node's publickey
PublicKey = <i.e. R11q7QEe2g3qIjDftMu...knBGdd2mvJDCaasde=>
# remote node's public ip address or dns address
Endpoint = remotenode1.mydomainname.com:51820
# remote node's interface address
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21

# remote node 2 config
[Peer]
# remote node 2's publickey
PublicKey = <i.e. ESDd7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=>
# remote node 2's public ip address or dns address
Endpoint = remotenode2.mydomainname.com:51820
# remote node 2's interface address
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 21

remote node 1 (/etc/wireguard/wg0.conf):

# remote node 1's WireGuard Configuration
[Interface]
Address = 10.0.0.2/32
PrivateKey = <i.e. cF3OjVhtKJAY/rQ...LFi7ASWg=>
ListenPort = 51820

# local node config
[Peer]
PublicKey = <i.e. rZLBzslvFtEJ...knBGS9mvJDCa4WQg=>
Endpoint = localnodesIP-or-domain.com:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 21

# remote node 2 config
[Peer]
PublicKey = <i.e. m2222zslvFtEJ...JdfX4XSwk=>
Endpoint = remotenode2.mydomainname.com:51820
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 21

remote node 2 (/etc/wireguard/wg0.conf):

# remote node 2's WireGuard Configuration
[Interface]
Address = 10.0.0.3/32
PrivateKey = <i.e. 222jVhtKJAY/rQ...LFi7ASWg=>
ListenPort = 51820

# local node config
[Peer]
PublicKey = <i.e. rZLBzslvFtEJ...knBGS9mvJDCa4WQg=>
Endpoint = localnodesIP-or-domain.com:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 21

# remote node 1 config
[Peer]
PublicKey = <i.e. R11q7QEe2g3qIjDftMu...knBGdd2mvJDCaasde=>
Endpoint = remotenode1.mydomainname.com:51820
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21
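Before bringing the interface up, a quick sanity check of each wg0.conf catches the mistakes this step invites: a template placeholder left in place of a key, a file holding the PrivateKey that other users can read, or a [Peer] section without an AllowedIPs line. The script below is an added example and is not part of the original guide. It assumes GNU coreutils (stat -c, as on Ubuntu) and runs against two constructed sample configs whose keys are made-up base64 strings, not real WireGuard keys.

```shell
#!/usr/bin/env bash
# Sanity-check a WireGuard wg0.conf before `wg-quick up`.
# Added example (not from the original guide). Assumes GNU coreutils
# (`stat -c`, as on Ubuntu). Checks:
#   - file mode is 600: the PrivateKey must not be readable by other users
#   - no "<i.e. ...>" placeholder key was left in from the template
#   - every PrivateKey/PublicKey is a 44-character base64 value (32 bytes)
#   - [Interface] has an Address and a PrivateKey
#   - every [Peer] section has an AllowedIPs line

check_wg_conf() {
  conf="$1"
  rc=0
  if [ ! -f "$conf" ]; then
    echo "FAIL: $conf not found"
    return 1
  fi

  mode=$(stat -c '%a' "$conf")
  if [ "$mode" != "600" ]; then
    echo "FAIL: $conf has mode $mode, expected 600 (chmod 600 $conf)"
    rc=1
  fi

  if grep -q '<i\.e\.' "$conf"; then
    echo "FAIL: template placeholder key still present in $conf"
    rc=1
  fi

  # A WireGuard key is 32 bytes, i.e. 43 base64 characters plus one '='.
  badkeys=$(sed -nE 's/^[[:space:]]*(PrivateKey|PublicKey)[[:space:]]*=[[:space:]]*//p' "$conf" \
            | grep -Evc '^[A-Za-z0-9+/]{43}=$' || true)
  if [ "$badkeys" -ne 0 ]; then
    echo "FAIL: $badkeys malformed key value(s) in $conf"
    rc=1
  fi

  grep -qE '^[[:space:]]*PrivateKey[[:space:]]*=' "$conf" \
    || { echo "FAIL: no PrivateKey in $conf"; rc=1; }
  grep -qE '^[[:space:]]*Address[[:space:]]*=' "$conf" \
    || { echo "FAIL: no Address in [Interface] of $conf"; rc=1; }

  peers=$(grep -c '^\[Peer\]' "$conf" || true)
  allowed=$(grep -cE '^[[:space:]]*AllowedIPs[[:space:]]*=' "$conf" || true)
  if [ "$peers" -ne "$allowed" ]; then
    echo "FAIL: $peers [Peer] section(s) but $allowed AllowedIPs line(s) in $conf"
    rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $conf"
  return "$rc"
}

# Constructed sample configs for a stand-alone run. The keys are made up
# (32 'A' bytes / 32 'B' bytes, base64-encoded) and must never be used.
DEMO_DIR=$(mktemp -d)
KEY_A=$(printf 'A%.0s' $(seq 32) | base64)
KEY_B=$(printf 'B%.0s' $(seq 32) | base64)
umask 077

GOOD_CONF="$DEMO_DIR/wg0.conf"
cat > "$GOOD_CONF" <<EOF
[Interface]
Address = 10.0.0.1/32
PrivateKey = $KEY_A
ListenPort = 51820

[Peer]
PublicKey = $KEY_B
Endpoint = remotenode.mydomainname.com:51820
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21
EOF

# Same shape, but with the template placeholders left in, the AllowedIPs
# line missing, and the file readable by everyone.
BAD_CONF="$DEMO_DIR/wg0-bad.conf"
cat > "$BAD_CONF" <<'EOF'
[Interface]
Address = 10.0.0.2/32
PrivateKey = <i.e. cF3OjVhtKJAY/rQ...LFi7ASWg=>
ListenPort = 51820

[Peer]
PublicKey = <i.e. rZLBzslvFtEJ...JdfX4XSwk=>
Endpoint = localnodesIP-or-domain.com:51820
PersistentKeepalive = 21
EOF
chmod 644 "$BAD_CONF"

check_wg_conf "$GOOD_CONF"
check_wg_conf "$BAD_CONF" || echo "bad config rejected"
```

On a real node, run it as root against the file you just wrote (check_wg_conf /etc/wireguard/wg0.conf) on every node before step 4; the key-format check only proves the value is well-formed base64 of the right length, not that it belongs to the peer you think it does, so still compare each PublicKey against the peer's wireguard-publickey by eye.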

🧱
Configure your firewall / port forwarding to allow port 51820 UDP traffic to your node.

local node and remote nodes:

sudo ufw allow 51820/udp
sudo ufw allow from 10.0.0.0/16 to any
# check the firewall rules
sudo ufw status verbose

🔗
4. Setup autostart with systemd

Set up systemd on both your local node and remote node.

Add the service to systemd.

local and remote node:

sudo systemctl enable wg-quick@wg0
sudo systemctl daemon-reload

Start WireGuard.

local and remote node:

sudo systemctl start wg-quick@wg0

Check the status.

local and remote node:

sudo systemctl status wg-quick@wg0

5. Verify Connection is Working

Check the status of the interfaces by running wg.

local and remote node:

sudo wg

## Example Output
# interface: wg0
# public key: rZLBzslvFtEJ...JdfX4XSwk=
# private key: (hidden)
# listening port: 51820
#
# peer:
# endpoint: 12.34.56.78:51820
# allowed ips: 10.0.0.2/32
# latest handshake: 15 seconds ago
# transfer: 500 KiB received, 900 KiB sent
# persistent keepalive: every 21 seconds
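The "latest handshake" line is the quickest health signal in that output: with PersistentKeepalive = 21 a working peer re-handshakes roughly every two minutes, so a handshake that is many minutes old, or missing entirely, points at a blocked UDP port, a wrong Endpoint, or a key mismatch rather than at a healthy idle tunnel. The script below is an added example and is not part of the original guide; it parses the text that sudo wg prints and flags peers whose handshake is older than a threshold you choose. It runs here against a constructed sample of that output (the peer keys are the truncated placeholders used on this page).

```shell
#!/usr/bin/env bash
# Flag WireGuard peers whose last handshake is too old, from the text
# that `sudo wg` prints. Added example, not part of the original guide.

# wg_stale_peers <file-with-wg-output> <max-age-seconds>
# Prints one line per unhealthy peer (handshake older than the limit,
# or no handshake at all); prints nothing when every peer is fine.
wg_stale_peers() {
  awk -v max="$2" '
    # Report the previous peer if it never completed a handshake.
    function flush() {
      if (peer != "" && hs < 0) print peer ": no handshake yet"
    }
    /^peer:/ { flush(); peer = $2; hs = -1 }
    /latest handshake:/ {
      # Fields look like: latest handshake: 2 hours, 3 minutes, 4 seconds ago
      # Each number is followed by its unit, so sum them into seconds.
      secs = 0
      for (i = 3; i < NF; i++) {
        if      ($(i+1) ~ /^day/)    secs += $i * 86400
        else if ($(i+1) ~ /^hour/)   secs += $i * 3600
        else if ($(i+1) ~ /^minute/) secs += $i * 60
        else if ($(i+1) ~ /^second/) secs += $i
      }
      hs = secs
      if (secs > max) print peer ": last handshake " secs "s ago (limit " max "s)"
    }
    END { flush() }
  ' "$1"
}

# Constructed sample of `sudo wg` output: one healthy peer, one whose
# handshake is two hours old, and one that has never handshaked.
WG_SAMPLE=$(mktemp)
cat > "$WG_SAMPLE" <<'EOF'
interface: wg0
  public key: rZLBzslvFtEJ...JdfX4XSwk=
  private key: (hidden)
  listening port: 51820

peer: Rq7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=
  endpoint: 12.34.56.78:51820
  allowed ips: 10.0.0.2/32
  latest handshake: 15 seconds ago
  transfer: 500 KiB received, 900 KiB sent
  persistent keepalive: every 21 seconds

peer: ESDd7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=
  endpoint: 12.34.56.79:51820
  allowed ips: 10.0.0.3/32
  latest handshake: 2 hours, 3 minutes, 4 seconds ago
  transfer: 12 KiB received, 40 KiB sent
  persistent keepalive: every 21 seconds

peer: m2222zslvFtEJ...JdfX4XSwk=
  allowed ips: 10.0.0.4/32
  persistent keepalive: every 21 seconds
EOF

# Anything older than 3 minutes is suspicious with a 21 s keepalive.
wg_stale_peers "$WG_SAMPLE" 180
```

On a live node, capture the real output and feed it in the same way (sudo wg > /tmp/wg-status.txt && wg_stale_peers /tmp/wg-status.txt 180); an empty result means every configured peer has handshaked within the limit. A peer reported as "no handshake yet" that should be reachable is the one to start troubleshooting: confirm the 51820/udp firewall rule from the previous step on both ends, and that its Endpoint and PublicKey match what the other node actually has.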
Verify ping works between nodes.

local node:

ping 10.0.0.2
# if triple node configuration
ping 10.0.0.3

remote node:

ping 10.0.0.1
# if triple node configuration
ping 10.0.0.3

remote node 2:

# if triple node configuration
ping 10.0.0.1
ping 10.0.0.2

Cardano Specific Configuration

Update and/or review your topology.json file to ensure each "addr" matches the peer's new tunneled IP address, and not its usual public node IP address.

Dual node setup (example entries):

topology.json on blockproducer:
{ "addr": "10.0.0.2", "port": 6000, "valency": 1 },

topology.json on relaynode1:
{ "addr": "10.0.0.1", "port": 6000, "valency": 1 },

Triple node setup (example entries):

topology.json on blockproducer:
{ "addr": "10.0.0.2", "port": 6000, "valency": 1 },
{ "addr": "10.0.0.3", "port": 6000, "valency": 1 },

topology.json on relaynode1:
{ "addr": "10.0.0.1", "port": 6000, "valency": 1 },
{ "addr": "10.0.0.3", "port": 6000, "valency": 1 },

topology.json on relaynode2:
{ "addr": "10.0.0.1", "port": 6000, "valency": 1 },
{ "addr": "10.0.0.2", "port": 6000, "valency": 1 },

ETH2 Validator Specific Configuration

Update and/or review your validator's configuration and ensure it connects to the beacon-chain's new tunneled IP address, and not the usual public node IP address.
In this example, the beacon-chain is the remote node with IP address 10.0.0.2.
To access Grafana from your local machine, enter http://10.0.0.2:3000 into the browser.
WireGuard setup is complete.

🛑
6. Stop and disable Wireguard

sudo systemctl stop wg-quick@wg0
sudo systemctl disable wg-quick@wg0
sudo systemctl daemon-reload