How to set up WireGuard

WireGuard® is an extremely simple yet fast and modern VPN that uses state-of-the-art cryptography. It aims to be faster, simpler and leaner than IPsec and OpenVPN.

Assuming you already have a block producer and a relay node set up, this guide shows how to encrypt and authenticate the traffic between the two with WireGuard. This shrinks the block producer's attack surface: only the relay node is reachable from the internet, and the block producer communicates only with the relay node, through the tunnel.

🐣 1. Install WireGuard

BlockProducer and RelayNode1
sudo apt install linux-headers-$(uname -r)
# The PPA is only needed on Ubuntu releases older than 20.04; on 20.04 and
# later the wireguard package is in the standard repositories, so skip this line.
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard -y

🗝 2. Set up the public/private keypair

BlockProducer
sudo su

cd /etc/wireguard
# files created from here on are readable and writable by root only
umask 077
# write the private key to one file and the derived public key to another
wg genkey | tee blockproducer-privatekey | wg pubkey > blockproducer-publickey
wg genkey | tee relaynode1-privatekey | wg pubkey > relaynode1-publickey

A private key must never leave the host that uses it. If you generate the relay's keypair on the block producer as above, copy relaynode1-privatekey to RelayNode1 over SSH (scp) and then delete it from the block producer; only the public keys need to be exchanged between the nodes. The cleaner alternative is to run the first command on the block producer and the second on the relay node, so that each private key is created on the host that will use it.

🤖 3. Configure WireGuard

Create a wg0.conf configuration file in the /etc/wireguard directory on each node. Under [Interface] paste the node's own private key; under [Peer] paste the other node's public key and set Endpoint to the other node's public IP or DNS address. AllowedIPs is WireGuard's cryptokey routing table: a packet arriving from a peer is accepted only if its inner source address falls inside that peer's AllowedIPs, and only packets destined for those addresses are sent to that peer, so keep it to the peer's single tunnel address (/32) as shown. Note that SaveConfig = true makes wg-quick overwrite wg0.conf from the running state when the interface is brought down (comments are lost), so edit the file only while the interface is down.

BlockProducer
# blockproducer WireGuard Configuration
[Interface]
# blockproducer address
Address = 10.0.0.1/32
# blockproducer private key
PrivateKey = SJ6ygM3csa36...+pO4XW1QU0B2M=
# blockproducer wireguard listening port
ListenPort = 51820
SaveConfig = true

# RelayNode1
[Peer]
# relaynode1's publickey
PublicKey = Rq7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=
# relaynode1's public ip address or dns address
Endpoint = relay.mydomainname.com:51820
# relaynode1's interface address: the only address accepted from / routed to this peer
AllowedIPs = 10.0.0.2/32
# send an empty encrypted keepalive packet every 21 seconds so that NAT and
# firewall state for the UDP flow never expires (this is not a handshake)
PersistentKeepalive = 21
RelayNode1
# RelayNode1 WireGuard Configuration
[Interface]
# relaynode1 address
Address = 10.0.0.2/32
# relaynode1 private key
PrivateKey = cF3OjVhtKJAY/rQ...LFi7ASWg=
ListenPort = 51820
SaveConfig = true

# BlockProducer
[Peer]
# blockproducer's public key
PublicKey = rZLBzslvFtEJ...JdfX4XSwk=
# blockproducer's public ip address or dns address. If the block producer sits
# behind NAT or should not be reachable from the internet at all, omit this
# line: the relay learns the block producer's address from the block
# producer's first handshake, which its PersistentKeepalive triggers.
Endpoint = 12.34.56.78:51820
# blockproducer's interface address
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 21

🧱 Configure your firewall / port forwarding to allow inbound UDP on port 51820 to each node (WireGuard uses UDP only). WireGuard does not answer packets that fail authentication, so the open port is invisible to scanners, but you can still restrict the rule to the peer's public IP when that address is static. If you chose not to give the block producer a public Endpoint, skip the rule on the block producer: its outbound handshake creates the return path through the firewall's connection tracking.

BlockProducer
sudo ufw allow 51820/udp
# check the firewall rules
sudo ufw status verbose
RelayNode1
sudo ufw allow 51820/udp
# check the firewall rules
sudo ufw status verbose
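The two rules above only open the tunnel port. To actually enforce the topology this guide describes (the block producer's cardano-node port reachable over wg0 only, the relay's reachable publicly), the firewall must also restrict the node port. The script below is an added example written for this page, not code from the original guide, from WireGuard or from ufw. It assumes ufw, a wg0 interface, WireGuard on 51820/udp, cardano-node on 6000/tcp (the port used in the topology.json step) and SSH on 22/tcp so that the deny-by-default policy cannot lock you out; the peer address 203.0.113.10 used in the stand-alone run is a placeholder.

```shell
#!/bin/sh
# wg-firewall.sh: ufw rule set for the WireGuard-only topology in this guide.
# Added example, not part of the original page, of WireGuard or of ufw.
# Assumptions (override via environment): ufw is the firewall, the tunnel
# interface is wg0, WireGuard listens on 51820/udp, cardano-node on 6000/tcp
# (the port used in topology.json) and SSH on 22/tcp.
WG_IF="${WG_IF:-wg0}"
WG_PORT="${WG_PORT:-51820}"
NODE_PORT="${NODE_PORT:-6000}"
SSH_PORT="${SSH_PORT:-22}"

# build_rules ROLE PEER
#   ROLE is blockproducer or relay; PEER is the other node's public IP, or
#   "any" when that address is not static. Prints one ufw command per line.
build_rules() {
    role="$1"
    peer="$2"
    case "$role" in
        blockproducer|relay) ;;
        *) echo "usage: build_rules blockproducer|relay PEER_IP|any" >&2; return 2 ;;
    esac
    # Deny by default; keep SSH so applying the policy cannot lock us out.
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow $SSH_PORT/tcp"
    # Tunnel port. WireGuard drops unauthenticated packets silently, but
    # limiting the source to the known peer keeps the port invisible to
    # scanners and removes handshake-flood noise.
    echo "ufw allow from $peer to any port $WG_PORT proto udp"
    # The node port is reachable through the tunnel on both roles...
    echo "ufw allow in on $WG_IF to any port $NODE_PORT proto tcp"
    # ...and from the internet only on the relay. The block producer gets no
    # public rule, so its cardano-node answers only peers inside the tunnel.
    if [ "$role" = relay ]; then
        echo "ufw allow $NODE_PORT/tcp"
    fi
}

# apply_rules ROLE PEER: run the generated commands (needs root and ufw).
apply_rules() {
    build_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# Stand-alone run: dry run that only prints both rule sets (placeholder peer).
for role in blockproducer relay; do
    echo "# $role"
    build_rules "$role" 203.0.113.10
done
```

Run the file as-is to see the dry run. To apply, source it (. ./wg-firewall.sh) as root with ufw already enabled, then call apply_rules blockproducer <relay's public IP> on the block producer and apply_rules relay any (or the block producer's static IP) on the relay, and confirm the result with sudo ufw status verbose.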

🔗 4. Set up autostart with systemd

Set up the systemd unit on both the block producer and the relay node.

Enable the service.

BlockProducer and RelayNode1
sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload

Start WireGuard.

BlockProducer and RelayNode1
sudo systemctl start wg-quick@wg0

Check the status.

BlockProducer and RelayNode1
sudo systemctl status wg-quick@wg0

✅ 5. Verify the connection is working

Check the status of the interface by running wg. A "latest handshake" line on the peer proves that both sides hold the expected keys; if it never appears, the peer's public key, the Endpoint or the firewall rule is wrong (WireGuard prints no error message for a failed handshake).

BlockProducer and RelayNode1
sudo wg

## Example Output (on the block producer)
# interface: wg0
# public key: rZLBzslvFtEJ...JdfX4XSwk=
# private key: (hidden)
# listening port: 51820

# peer: Rq7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=
# endpoint: <relaynode1's public ip>:51820
# allowed ips: 10.0.0.2/32
# latest handshake: 15 seconds ago
# transfer: 500 KiB received, 900 KiB sent
# persistent keepalive: every 21 seconds

Verify that ping works between the nodes over the tunnel addresses.

BlockProducer
ping 10.0.0.2
RelayNode1
ping 10.0.0.1
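A successful ping shows the tunnel is up right now; on a node that runs unattended you want the same check repeated and alerted on. The script below is an added example written for this page, not from the original guide or from WireGuard. It parses the machine-readable output of wg show wg0 dump, whose peer lines carry the last handshake as Unix seconds, and flags any peer that has not completed a handshake within MAX_AGE seconds. The 180 s threshold is an assumption: with PersistentKeepalive set, a healthy peer re-handshakes roughly every two minutes. The embedded dump is constructed sample data with placeholder keys, and WG_IFACE is a variable introduced here to select the live interface.

```shell
#!/bin/sh
# wg-healthcheck.sh: report WireGuard peers whose last handshake is stale.
# Added example for this guide, not part of WireGuard or of the original page.
# `wg show <iface> dump` prints one tab-separated line per peer:
#   pubkey  preshared-key  endpoint  allowed-ips  latest-handshake(unix s)  rx  tx  keepalive
# preceded by one interface line (private-key  pubkey  listen-port  fwmark).

# Assumption: a peer with PersistentKeepalive re-handshakes about every 120 s,
# so a handshake older than 180 s means the tunnel is down.
MAX_AGE="${MAX_AGE:-180}"

# check_peers NOW MAX_AGE   (dump text on stdin)
# Prints "OK|STALE|NEVER <pubkey> [<age>s]" per peer; returns 1 if any peer is unhealthy.
check_peers() {
    awk -F'\t' -v now="$1" -v max_age="$2" '
        NR == 1 { next }          # interface line; it contains the private key, ignore it
        NF < 8  { next }          # not a peer line
        {
            pubkey = $1; hs = $5
            if (hs == 0) { print "NEVER " pubkey; bad++; next }
            age = now - hs
            if (age > max_age) { print "STALE " pubkey " " age "s"; bad++ }
            else               { print "OK " pubkey " " age "s" }
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# healthcheck IFACE: run the check against the live interface (needs root).
healthcheck() {
    wg show "$1" dump | check_peers "$(date +%s)" "$MAX_AGE"
}

# Constructed sample dump with placeholder keys (not real output):
# RELAY_PUB= handshaked 100 s ago, OLD_PUB= 10100 s ago, NEW_PUB= never.
SAMPLE_DUMP="$(printf 'PRIVATE_KEY=\tBP_PUB=\t51820\toff\n'\
'RELAY_PUB=\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t1700000000\t512000\t921600\t21\n'\
'OLD_PUB=\t(none)\t(none)\t10.0.0.3/32\t1699990000\t0\t0\t21\n'\
'NEW_PUB=\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\t21\n')"
SAMPLE_NOW=1700000100

# Stand-alone run: WG_IFACE=wg0 checks the live interface (exit status 1 when a
# peer is down, so it can be used from cron); otherwise the sample is parsed.
if [ -n "${WG_IFACE:-}" ]; then
    healthcheck "$WG_IFACE"
else
    printf '%s\n' "$SAMPLE_DUMP" | check_peers "$SAMPLE_NOW" "$MAX_AGE" \
        || echo "sample contains unhealthy peers (exit $?)"
fi
```

Run it without arguments to see the sample evaluation; on a node, WG_IFACE=wg0 sudo ./wg-healthcheck.sh checks the real interface and exits non-zero when a peer is stale, which is enough for a cron job to log or alert on.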

Update and/or review the topology.json file on each node so that the "addr" of the other node is its tunnel address (10.0.0.x), not its public IP. Combined with a firewall rule that accepts the node port (6000 here) on the wg0 interface only, this ensures the block producer exchanges blocks exclusively over the authenticated tunnel.

Example: topology.json on blockproducer
{ "addr": "10.0.0.2", "port": 6000, "valency": 1 },

topology.json on relaynode1
{ "addr": "10.0.0.1", "port": 6000, "valency": 1 },

Congrats! WireGuard is working!

🛑 6. Stop and disable WireGuard

sudo systemctl stop wg-quick@wg0
sudo systemctl disable wg-quick@wg0.service
sudo systemctl daemon-reload