Setting Up WireGuard
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner.
Last updated
Assuming you have a local node (e.g. block producer / validator client / local laptop) and a remote node (e.g. relay node / beacon-chain node / VPS), this guide helps you secure and encrypt the network traffic between the two machines with WireGuard.
This greatly reduces the chance that your local node is attacked, and it shrinks the attack surface of the remote node because you no longer need to open ports for services such as Grafana.
Only the remote node is exposed to the public internet; the local machine reaches the remote node's internal services, such as Grafana, through the tunnel.
Linux headers need to be installed before WireGuard. Below, the generic headers are installed.
In case of Linux header problems, use the following instead.
Be aware that this requires installing the headers again. If you do not reboot into the new linux-headers, the WireGuard network interface will not function.
On each node, to generate a public/private key type the following commands:
Create a wg0.conf configuration file in the /etc/wireguard directory.
Update your Private and Public Keys accordingly.
Change the Endpoint to your remote node's public IP or DNS address.
You must allow traffic on port 51820 UDP to your node.
To configure your firewall / port forwarding, type:
Set up systemd on both your local node and your remote node.
Add the service to systemd.
Start WireGuard.
Check the status.
Check the status of the interfaces by running wg.
Verify ping works between nodes.
Cardano-specific Configuration
Review and update your topology.json file(s) to ensure that the address key in the localRoots section matches this new tunneled IP address, and not the usual public node IP address.
Dual node setup

Example: topology.json on blockproducer

```json
{ "address": "10.0.0.2", "port": 6000 }
```

topology.json on relaynode1

```json
{ "address": "10.0.0.1", "port": 6000 }
```

Triple node setup

Example: topology.json on blockproducer

```json
{ "address": "10.0.0.2", "port": 6000 },
{ "address": "10.0.0.3", "port": 6000 }
```

topology.json on relaynode1

```json
{ "address": "10.0.0.1", "port": 6000 },
{ "address": "10.0.0.3", "port": 6000 }
```

topology.json on relaynode2

```json
{ "address": "10.0.0.1", "port": 6000 },
{ "address": "10.0.0.2", "port": 6000 }
```
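As an added example (not part of this guide or of WireGuard itself), a small Python checker for the two files the steps above produce: it scans a wg0.conf to confirm the interface Address is a tunnel IP and that each peer's AllowedIPs is a single /32 inside the tunnel range, and it walks the localRoots section of a topology.json to report any address that is not a tunnel IP. The sample config and topology are constructed with placeholder keys and assume the block producer is 10.0.0.1 and relaynode1 is 10.0.0.2, as in the topology examples above.

```python
import ipaddress
import json

TUNNEL_NET = ipaddress.ip_network("10.0.0.0/24")  # tunnel range used by this guide's examples

def is_tunnel_ip(value):
    try:  # a DNS name raises ValueError and is never a tunnel address
        return ipaddress.ip_address(value) in TUNNEL_NET
    except ValueError:
        return False

def check_wg_conf(text):
    """Return a list of problems; an empty list means wg0.conf matches the guide's tunnel layout."""
    problems = []
    for line in text.splitlines():
        key, _, value = line.split("#", 1)[0].partition("=")  # first '=' only: base64 keys end in '='
        key, value = key.strip(), value.strip()
        if key == "Address" and not is_tunnel_ip(value.split("/")[0]):
            problems.append(f"Interface Address {value} is not inside {TUNNEL_NET}")
        elif key == "AllowedIPs":
            for cidr in value.split(","):
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                # A peer should be reachable only as its own /32; 0.0.0.0/0 would route all traffic via it.
                if net.prefixlen != 32 or not net.subnet_of(TUNNEL_NET):
                    problems.append(f"AllowedIPs {net} is not a single host in {TUNNEL_NET}")
    return problems

def addresses_in(node):
    """Yield every 'address' value under node, whatever nesting the topology format uses."""
    if isinstance(node, dict):
        if "address" in node:
            yield node["address"]
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from addresses_in(item)

def check_topology(text):
    """Return the localRoots addresses that are not tunnel IPs (should be empty after this guide)."""
    return [a for a in addresses_in(json.loads(text).get("localRoots", [])) if not is_tunnel_ip(a)]

# Constructed samples with placeholder keys: the blockproducer side of a dual-node setup.
SAMPLE_WG0 = """[Interface]
PrivateKey = <blockproducer-private-key>
Address = 10.0.0.1/32
[Peer]
PublicKey = <relaynode1-public-key>
Endpoint = <relaynode1-public-ip>:51820
AllowedIPs = 10.0.0.2/32"""
SAMPLE_TOPOLOGY = '{"localRoots": [{"accessPoints": [{"address": "10.0.0.2", "port": 6000}]}]}'
```

Run check_wg_conf on each node's wg0.conf and check_topology on each node's topology.json; both return an empty list when the files follow the layout described in this guide.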
WireGuard setup is complete.
To stop and disable WireGuard, type: