Assuming you have a local node (i.e. block producer / validator client / local laptop) and remote node (i.e. relay node / beacon-chain node / VPS), this guide helps you secure and encrypt your network traffic between the two machines with WireGuard.
This greatly reduces the chance that your local node is attacked and shrinks the attack surface of the remote node, because you no longer need to open ports for services such as Grafana.
Only the remote node is public internet facing online and the local machine can access the remote node's internal services, such as Grafana.
sudo apt install linux-headers-$(uname -r)
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard -y
sudo su
cd /etc/wireguard
umask 077
wg genkey | tee localnode-privatekey | wg pubkey > localnode-publickey
wg genkey | tee remotenode-privatekey | wg pubkey > remotenode-publickey
Create a wg0.conf configuration file in the /etc/wireguard directory.
Update your Private and Public Keys accordingly.
Change the Endpoint to your remote node public IP or DNS address.
# local node WireGuard Configuration
[Interface]
# local node address
Address = 10.0.0.1/32
# local node private key
PrivateKey = <i.e. SJ6ygM3csa36...+pO4XW1QU0B2M=>
# local node wireguard listening port
ListenPort = 51820
SaveConfig = true

# remote node
[Peer]
# remote node's publickey
PublicKey = <i.e. Rq7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=>
# remote node's public ip address or dns address
Endpoint = remotenode.mydomainname.com:51820
# remote node's interface address
AllowedIPs = 10.0.0.2/32
# send a handshake every 21 seconds
PersistentKeepalive = 21
# remote node WireGuard Configuration
[Interface]
Address = 10.0.0.2/32
PrivateKey = <i.e. cF3OjVhtKJAY/rQ...LFi7ASWg=>
ListenPort = 51820
SaveConfig = true

# local node
[Peer]
# local node's public key
PublicKey = <i.e. rZLBzslvFtEJ...JdfX4XSwk=>
# local node's public ip address or dns address
Endpoint = 12.34.56.78:51820
# local node's interface address
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 21
On both the local node and the remote node, open the WireGuard port in the firewall.
ufw allow 51820/udp
# check the firewall rules
ufw status verbose
Setup systemd on both your local node and remote node.
Add the service to systemd.
sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
Start wireguard.
sudo systemctl start wg-quick@wg0
Check the status.
sudo systemctl status wg-quick@wg0
Check the status of the interfaces by running wg.
sudo wg
## Example Output
# interface: wg0
# public key: rZLBzslvFtEJ...JdfX4XSwk=
# private key: (hidden)
# listening port: 51820
# peer:
# endpoint: 12.34.56.78:51820
# allowed ips: 10.0.0.2/32
# latest handshake: 15 seconds ago
# transfer: 500 KiB received, 900 KiB sent
# persistent keepalive: every 21 seconds
Verify ping works between nodes.
ping 10.0.0.2
ping 10.0.0.1
Update and/or review your topology.json file to ensure the "addr" matches this new tunneled IP address, and not the usual public node IP address.
Example: topology.json on blockproducer
{ "addr": "10.0.0.2", "port": 6000, "valency": 1 },
topology.json on relaynode1
{ "addr": "10.0.0.1", "port": 6000, "valency": 1 },
Update and/or review your validator's configuration and ensure it connects to the beacon-chain's new tunneled IP address, and not the usual public node IP address.
In this example, the beacon-chain is the remote node with IP address 10.0.0.2.
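The two wg0.conf files and the topology/validator addresses above must agree with each other: each side's Address has to fall inside the other side's AllowedIPs, the Endpoint port has to match the peer's ListenPort, and the tunnel address (not the public IP) is what goes into topology.json. The following checker is an added example, not part of the guide; it parses wg-quick style configs and cross-checks a constructed local/remote pair whose keys are placeholders.

```python
import ipaddress

def parse_wg(text):
    # Parse a wg-quick config into {"Interface": {...}, "Peers": [{...}, ...]}.
    conf, cur = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments / blanks
        if line == "[Interface]":
            cur = conf["Interface"]
        elif line == "[Peer]":
            conf["Peers"].append(cur := {})
        elif line:
            key, _, val = line.partition("=")            # base64 keys keep trailing '='
            cur[key.strip()] = val.strip()
    return conf

def check_pair(local_text, remote_text):
    # Cross-check both ends of the tunnel; returns a list of misconfigurations.
    local, remote = parse_wg(local_text), parse_wg(remote_text)
    problems = []
    for name, me, other in (("local", local, remote), ("remote", remote, local)):
        iface, peer = me["Interface"], other["Peers"][0]   # how the other side sees me
        my_ip = ipaddress.ip_interface(iface["Address"]).ip
        allowed = [ipaddress.ip_network(a.strip()) for a in peer["AllowedIPs"].split(",")]
        if not any(my_ip in n for n in allowed):         # my packets would be dropped
            problems.append(f"{name}: {my_ip} not in the other side's AllowedIPs")
        port = peer["Endpoint"].rsplit(":", 1)[1]
        if port != iface.get("ListenPort"):
            problems.append(f"{name}: ListenPort {iface.get('ListenPort')} != Endpoint port {port}")
        if peer["PublicKey"] == iface["PrivateKey"]:     # private key pasted as the public key
            problems.append(f"{name}: PrivateKey was copied into the other side's peer PublicKey")
    return problems

def addr_is_tunneled(addr, conf_text):
    # True when a topology.json / validator "addr" is a peer's tunnel IP, not a public IP.
    ip = ipaddress.ip_address(addr)
    nets = [ipaddress.ip_network(a.strip()) for p in parse_wg(conf_text)["Peers"]
            for a in p["AllowedIPs"].split(",")]
    return ip.is_private and any(ip in n for n in nets)

# Constructed sample configs mirroring the guide's layout; keys are placeholders.
LOCAL_CONF = ("[Interface]\nAddress = 10.0.0.1/32\nPrivateKey = <LOCAL_PRIV>\nListenPort = 51820\n"
              "[Peer]\nPublicKey = <REMOTE_PUB>\nEndpoint = remotenode.mydomainname.com:51820\nAllowedIPs = 10.0.0.2/32\n")
REMOTE_CONF = ("[Interface]\nAddress = 10.0.0.2/32\nPrivateKey = <REMOTE_PRIV>\nListenPort = 51820\n"
               "[Peer]\nPublicKey = <LOCAL_PUB>\nEndpoint = 12.34.56.78:51820\nAllowedIPs = 10.0.0.1/32\n")
```

Run check_pair(LOCAL_CONF, REMOTE_CONF) against your real files before starting the tunnel; an empty list means the two ends agree.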
To access Grafana from your local machine, enter http://10.0.0.2:3000 into the browser.
Wireguard setup is complete.
To stop and disable WireGuard:
sudo systemctl stop wg-quick@wg0
sudo systemctl disable wg-quick@wg0.service
sudo systemctl daemon-reload