Setting Up WireGuard
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner.
🐣 Installing WireGuard
sudo apt install linux-headers-generic
sudo add-apt-repository ppa:wireguard/wireguard -y
sudo apt-get update
sudo apt-get install wireguard -y
🗝️ Setting Up Public/Private Key Pairs
On each node, generate a public/private key pair by typing the following commands:
sudo su
cd /etc/wireguard
umask 077
wg genkey | tee wireguard-privatekey | wg pubkey > wireguard-publickey
🤖 Configuring WireGuard
Create a wg0.conf configuration file in the /etc/wireguard directory.
Update your Private and Public Keys accordingly.
Change the Endpoint to your remote node's public IP or DNS address.
Two Node Setup (i.e. 1 block producer, 1 relay node)
# local node WireGuard Configuration
[Interface]
# local node address
Address = 10.0.0.1/32
# local node private key
PrivateKey = <i.e. SJ6ygM3csa36...+pO4XW1QU0B2M=>
# local node wireguard listening port
ListenPort = 51820
# remote node
[Peer]
# remote node's publickey
PublicKey = <i.e. Rq7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=>
# remote node's public ip address or dns address
Endpoint = remotenode.mydomainname.com:51820
# remote node's interface address
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21
Triple Node Setup (i.e. 1 block producer, 2 relay nodes)
# local node WireGuard Configuration
[Interface]
# local node address
Address = 10.0.0.1/32
# local node private key
PrivateKey = <i.e. SJ6ygM3csa36...+pO4XW1QU0B2M=>
# local node wireguard listening port
ListenPort = 51820
# remote node 1 config
[Peer]
# remote node's publickey
PublicKey = <i.e. R11q7QEe2g3qIjDftMu...knBGdd2mvJDCaasde=>
# remote node's public ip address or dns address
Endpoint = remotenode1.mydomainname.com:51820
# remote node's interface address
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21
# remote node 2 config
[Peer]
# remote node 2's publickey
PublicKey = <i.e. ESDd7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=>
# remote node 2's public ip address or dns address
Endpoint = remotenode2.mydomainname.com:51820
# remote node 2's interface address
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 21
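The two configurations above are easy to get subtly wrong: a placeholder left in, the file copied to the second node without swapping Address and AllowedIPs, an Endpoint without its port, or two peers claiming the same tunnel address (WireGuard routes each address to exactly one peer, so the other peer is silently unreachable). The checker below is an added example, not part of this guide or of WireGuard; it parses a wg0.conf in the layout shown above and reports those mistakes before you bring the interface up. The tunnel range 10.0.0.0/24, the function names and the sample keys (built from a repeated byte, not real keys) are assumptions.

```python
# Added example: sanity-check a wg0.conf in the layout above before bringing the tunnel up.
import base64
import ipaddress
import re

TUNNEL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumption: range holding the guide's 10.0.0.x addresses
EXPECTED_PORT = 51820                              # the ListenPort / UDP port the guide uses throughout


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); '#' comments and blank lines are ignored."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # base64 keys never contain '#', so this is safe
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        elif line:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def check_wg_conf(text):
    """Return a list of problem descriptions; an empty list means the config passed."""
    interface, peers = parse_wg_conf(text)
    problems = []

    def check_key(section_name, section, field):
        value = section.get(field, "")
        if value.startswith("<"):  # '<i.e. ...>' placeholder from the template was never replaced
            problems.append(f"{section_name}: {field} still holds the placeholder {value}")
            return
        try:  # a WireGuard key is 32 bytes, which base64 encodes to exactly 44 characters
            ok = len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
        except ValueError:
            ok = False
        if not ok:
            problems.append(f"{section_name}: {field} is missing or not a 32-byte base64 key")

    check_key("Interface", interface, "PrivateKey")
    own_ip = None
    try:
        own_ip = ipaddress.ip_interface(interface.get("Address", "")).ip
        if own_ip not in TUNNEL_NET:
            problems.append(f"Interface: Address {own_ip} is outside {TUNNEL_NET}")
    except ValueError:
        problems.append("Interface: Address is missing or malformed")
    if interface.get("ListenPort") != str(EXPECTED_PORT):
        problems.append(f"Interface: ListenPort is not {EXPECTED_PORT}, the UDP port opened in the firewall")

    claimed = []  # (peer name, network) pairs already owned by an earlier peer
    for index, peer in enumerate(peers, 1):
        name = f"Peer {index}"
        check_key(name, peer, "PublicKey")
        if not re.fullmatch(r"[^:]+:\d{1,5}", peer.get("Endpoint", "")):
            problems.append(f"{name}: Endpoint must be host:port (hostname or IPv4)")
        for entry in peer.get("AllowedIPs", "").split(","):
            try:
                net = ipaddress.ip_network(entry.strip())
            except ValueError:
                problems.append(f"{name}: AllowedIPs entry {entry.strip()!r} is malformed")
                continue
            if own_ip is not None and own_ip in net:  # config copied to the other node without swapping
                problems.append(f"{name}: AllowedIPs {net} contains this node's own Address")
            # Cryptokey routing maps each address to one peer: an overlap makes one peer unreachable.
            for other_name, other in claimed:
                if net.overlaps(other):
                    problems.append(f"{name}: AllowedIPs {net} overlaps {other} of {other_name}")
            claimed.append((name, net))
    return problems


def demo_key(fill):
    """Constructed 32-byte key for the sample below (not a real key)."""
    return base64.b64encode(bytes([fill]) * 32).decode()


# Constructed config in the guide's triple node layout; passes every check.
GOOD_CONF = f"""[Interface]
Address = 10.0.0.1/32
PrivateKey = {demo_key(1)}
ListenPort = 51820
[Peer]
PublicKey = {demo_key(2)}
Endpoint = remotenode1.mydomainname.com:51820
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21
[Peer]
PublicKey = {demo_key(3)}
Endpoint = remotenode2.mydomainname.com:51820
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 21
"""
```

Call check_wg_conf() on the contents of /etc/wireguard/wg0.conf as root (the file is mode 600 after the umask step above); an empty list means the file passed. The check is purely local: it can tell that a peer's PublicKey is well-formed, not that it is the right key for that node, so the handshake check after bringing the tunnel up is still needed.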
🧱 Configuring Your Firewall / Port Forwarding
You must allow traffic on port 51820 UDP to your node.
To configure your firewall / port forwarding, type:
# open the WireGuard listening port
sudo ufw allow 51820/udp
# allow traffic arriving over the tunnel address range
sudo ufw allow from 10.0.0.0/16 to any
# check the firewall rules
sudo ufw status verbose
🔗 Setting Up Autostart with systemd
Add the service to systemd.
sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
Start wireguard.
sudo systemctl start wg-quick@wg0
Check the status.
sudo systemctl status wg-quick@wg0
✅ Verifying the Connection
Check the status of the interfaces by running wg
sudo wg
## Example Output
# interface: wg0
# public key: rZLBzslvFtEJ...JdfX4XSwk=
# private key: (hidden)
# listening port: 51820
# peer:
# endpoint: 12.34.56.78:51820
# allowed ips: 10.0.0.2/32
# latest handshake: 15 seconds ago
# transfer: 500 KiB received, 900 KiB sent
# persistent keepalive: every 21 seconds
Verify ping works between nodes.
ping 10.0.0.2
# if triple node configuration
ping 10.0.0.3
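The wg output above is meant for reading. For a recurring check (a cron job or a monitoring agent) the same information is available from wg show wg0 dump, which prints one tab-separated line per peer with the latest handshake as a Unix timestamp. The script below is an added example, not part of this guide or of WireGuard: it parses that dump format (field order as documented in wg(8)) and classifies each peer by handshake age. The 180-second staleness threshold, the constructed sample dump and its placeholder peer keys are assumptions.

```python
# Added example: judge peer health from `wg show wg0 dump`, the machine-readable form of the output above.
import subprocess
import time

STALE_AFTER = 180  # seconds; assumption: with PersistentKeepalive = 21 a live peer re-handshakes within ~2 minutes


def parse_wg_dump(text):
    """Parse `wg show <iface> dump`: the first line describes the interface, then one tab-separated
    line per peer (public key, preshared key, endpoint, allowed ips, latest handshake epoch,
    rx bytes, tx bytes, keepalive), in the field order documented in wg(8)."""
    peers = []
    for line in [l for l in text.splitlines() if l.strip()][1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, handshake, rx, tx, keepalive = fields
        peers.append({
            "public_key": pub,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": int(handshake),  # Unix time; 0 means no handshake has ever completed
            "rx_bytes": int(rx),
            "tx_bytes": int(tx),
            "keepalive": None if keepalive == "off" else int(keepalive),
        })
    return peers


def peer_status(peers, now, stale_after=STALE_AFTER):
    """Map each peer (keyed by its AllowedIPs) to 'ok', 'stale' or 'never' as of time `now`."""
    status = {}
    for peer in peers:
        key = ",".join(peer["allowed_ips"])
        if peer["latest_handshake"] == 0:
            status[key] = "never"   # keys or Endpoint wrong, or UDP 51820 blocked: the tunnel never came up
        elif now - peer["latest_handshake"] > stale_after:
            status[key] = "stale"   # it worked once; the remote node or a firewall changed since
        else:
            status[key] = "ok"
    return status


def live_status(iface="wg0"):
    """Run `wg show <iface> dump` (needs root) and classify the live peers."""
    out = subprocess.run(["wg", "show", iface, "dump"], capture_output=True, text=True, check=True).stdout
    return peer_status(parse_wg_dump(out), int(time.time()))


# Constructed dump output for the three-node layout, frozen at NOW so the result is reproducible.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join("\t".join(fields) for fields in [
    ["(private key omitted)", "(public key omitted)", "51820", "off"],                               # interface line
    ["PEER2-KEY", "(none)", "12.34.56.78:51820", "10.0.0.2/32", str(NOW - 15), "512000", "921600", "21"],  # 15 s ago
    ["PEER3-KEY", "(none)", "12.34.56.79:51820", "10.0.0.3/32", str(NOW - 1200), "0", "4096", "21"],       # 20 min ago
    ["PEER4-KEY", "(none)", "(none)", "10.0.0.4/32", "0", "0", "0", "21"],                                  # never
])
```

A peer reported as never usually means wrong keys, a wrong Endpoint, or UDP 51820 blocked somewhere; stale means the tunnel once worked and something changed since. Because PersistentKeepalive = 21 keeps traffic flowing in both directions, a healthy peer's handshake never grows much older than two minutes, which is what makes the 180-second threshold safe to alert on.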
Cardano-specific Configuration
Review and update your topology.json file(s) to ensure that the address key in the localRoots section matches this new tunneled IP address, and not the usual public node IP address.
Dual node setup
Example:
topology.json on blockproducer:
{ "address": "10.0.0.2", "port": 6000 },
topology.json on relaynode1:
{ "address": "10.0.0.1", "port": 6000 },
Triple node setup
Example:
topology.json on blockproducer:
{ "address": "10.0.0.2", "port": 6000 },
{ "address": "10.0.0.3", "port": 6000 },
topology.json on relaynode1:
{ "address": "10.0.0.1", "port": 6000 },
{ "address": "10.0.0.3", "port": 6000 },
topology.json on relaynode2:
{ "address": "10.0.0.1", "port": 6000 },
{ "address": "10.0.0.2", "port": 6000 },
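A quick way to verify the topology change is to compare every access point under localRoots with the tunnel addresses configured as peers in wg0.conf. The checker below is an added example, not part of this guide or of cardano-node; it walks whatever sits under the localRoots key, so it does not depend on the exact nesting, and flags addresses that are not tunnel addresses (a public IP or DNS name left over from before the tunnel) as well as tunnel addresses with no matching peer. The 10.0.0.0/24 range and the accessPoints/advertise/valency layout of the constructed sample file are assumptions.

```python
# Added example: confirm the localRoots entries in topology.json point at tunnel addresses, not public ones.
import ipaddress
import json

TUNNEL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumption: range holding the guide's 10.0.0.x addresses


def access_points(node):
    """Yield every {"address": ..., "port": ...} object nested anywhere under `node`."""
    if isinstance(node, dict):
        if "address" in node and "port" in node:
            yield node
        for value in node.values():
            yield from access_points(value)
    elif isinstance(node, list):
        for item in node:
            yield from access_points(item)


def local_root_problems(topology_text, peer_addresses):
    """Return (address, port, reason) for each localRoots access point that is not the tunnel
    address of one of this node's WireGuard peers. `peer_addresses` is the set of peer tunnel
    IPs from wg0.conf (the AllowedIPs entries without their /32)."""
    topology = json.loads(topology_text)
    if "localRoots" not in topology:
        raise ValueError("topology.json has no localRoots section")
    problems = []
    for point in access_points(topology["localRoots"]):
        address, port = str(point["address"]), point["port"]
        try:
            is_tunnel = ipaddress.ip_address(address) in TUNNEL_NET
        except ValueError:
            is_tunnel = False  # a hostname such as the old public DNS name is never a tunnel address
        if not is_tunnel:
            problems.append((address, port, "not a tunnel address; still the public IP or DNS name"))
        elif address not in peer_addresses:
            problems.append((address, port, "tunnel address with no matching [Peer] in wg0.conf"))
    return problems


# Constructed topology.json for the block producer in the triple node setup. The outer
# accessPoints/advertise/valency layout is assumed; the checker only needs the address/port objects.
BP_TOPOLOGY = json.dumps({
    "localRoots": [{
        "accessPoints": [
            {"address": "10.0.0.2", "port": 6000},
            {"address": "10.0.0.3", "port": 6000},
        ],
        "advertise": False,
        "valency": 2,
    }],
    "publicRoots": [],
})
# Constructed mistake: relaynode2 still listed by its public DNS name from before the tunnel.
STALE_TOPOLOGY = BP_TOPOLOGY.replace('"10.0.0.3"', '"relaynode2.mydomainname.com"')
```

Feed it the topology file of each node together with that node's own peer set (10.0.0.2 and 10.0.0.3 on the block producer, 10.0.0.1 and 10.0.0.3 on relaynode1, and so on); an empty list means every local root goes through the tunnel.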
WireGuard setup is complete.
🛑 Stopping and Disabling WireGuard
To stop and disable WireGuard, type:
sudo systemctl stop wg-quick@wg0
sudo systemctl disable wg-quick@wg0.service
sudo systemctl daemon-reload