WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner.
Assuming you have a local node (i.e. block producer / validator client / local laptop) and remote node (i.e. relay node / beacon-chain node / VPS), this guide helps you secure and encrypt your network traffic between the two machines with WireGuard.
This greatly reduces the chance that your local node is attacked, and shrinks the attack surface of the remote node, because you no longer need to open ports for services such as Grafana.
Only the remote node is public internet facing online and the local machine can access the remote node's internal services, such as Grafana.
🐣 Installing WireGuard
Linux headers need to be installed before WireGuard. Below you see the generic headers being installed.
In case of Linux header problems, use the following instead.
sudo apt install linux-headers-$(uname -r)
Be aware this will require a restart after installing the headers. Not restarting with the new Linux headers will prevent the WireGuard network interface from functioning.
🗝️ Setting Up Public/Private Key Pairs
On each node, to generate a public/private key pair, type the following commands:
Create a wg0.conf configuration file in the /etc/wireguard directory.
Update your Private and Public Keys accordingly.
Change the Endpoint to your remote node public IP or DNS address.
Two Node Setup (i.e. 1 block producer, 1 relay node)
# local node WireGuard Configuration
[Interface]
# local node address
Address = 10.0.0.1/32
# local node private key
PrivateKey = <i.e. SJ6ygM3csa36...+pO4XW1QU0B2M=>
# local node wireguard listening port
ListenPort = 51820

# remote node
[Peer]
# remote node's public key
PublicKey = <i.e. Rq7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=>
# remote node's public ip address or dns address
Endpoint = remotenode.mydomainname.com:51820
# remote node's interface address
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21
# remote node WireGuard Configuration
[Interface]
Address = 10.0.0.2/32
PrivateKey = <i.e. cF3OjVhtKJAY/rQ...LFi7ASWg=>
ListenPort = 51820

# local node
[Peer]
# local node's public key
PublicKey = <i.e. rZLBzslvFtEJ...JdfX4XSwk=>
# local node's public ip address or dns address
Endpoint = localnodesIP-or-domain.com:51820
# local node's interface address
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 21
Three Node Setup (i.e. 1 block producer, 2 relay nodes)
# local node WireGuard Configuration
[Interface]
# local node address
Address = 10.0.0.1/32
# local node private key
PrivateKey = <i.e. SJ6ygM3csa36...+pO4XW1QU0B2M=>
# local node wireguard listening port
ListenPort = 51820

# remote node 1 config
[Peer]
# remote node's public key
PublicKey = <i.e. R11q7QEe2g3qIjDftMu...knBGdd2mvJDCaasde=>
# remote node's public ip address or dns address
Endpoint = remotenode1.mydomainname.com:51820
# remote node's interface address
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21

# remote node 2 config
[Peer]
# remote node 2's public key
PublicKey = <i.e. ESDd7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=>
# remote node 2's public ip address or dns address
Endpoint = remotenode2.mydomainname.com:51820
# remote node 2's interface address
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 21
# on the local node (10.0.0.1)
ping 10.0.0.2
# if triple node configuration
ping 10.0.0.3

# on remote node 1 (10.0.0.2)
ping 10.0.0.1
# if triple node configuration
ping 10.0.0.3

# on remote node 2 (10.0.0.3), if triple node configuration
ping 10.0.0.1
ping 10.0.0.2
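Before bringing the tunnel up, it helps to cross-check the two wg0.conf files against each other, since a mismatched Address/AllowedIPs pair or a forgotten placeholder key is the usual reason the pings above fail. The following is an added Python example, not code from this guide or from WireGuard itself: a hypothetical parse_wg_conf helper reads the config layout shown above, is_wg_key rejects placeholder or malformed keys, and check_pair flags any peer AllowedIPs wider than a single /32 host (a wider range would route more than that peer's tunnel address through it) and confirms that each node's Address is exactly what the other node allows for it. The sample_conf input and DUMMY_KEY are constructed for illustration only.

```python
import base64
import ipaddress

def parse_wg_conf(text):
    """Parse wg0.conf text into (interface, [peer, ...]); repeated [Peer] sections are kept."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return interface, peers

def is_wg_key(value):
    # True only for base64 of exactly 32 bytes, the shape wg genkey / wg pubkey emit
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_pair(local_text, remote_text):
    """Return the problems found in two configs that are meant to form one tunnel."""
    problems = []
    sides = {"local": parse_wg_conf(local_text), "remote": parse_wg_conf(remote_text)}
    for name, (iface, peers) in sides.items():
        if not is_wg_key(iface.get("PrivateKey", "")):
            problems.append(f"{name}: PrivateKey is a placeholder or malformed")
        for peer in peers:
            if not is_wg_key(peer.get("PublicKey", "")):
                problems.append(f"{name}: peer PublicKey is a placeholder or malformed")
            net = ipaddress.ip_network(peer.get("AllowedIPs", "0.0.0.0/0"), strict=False)
            if net.prefixlen != 32:  # a peer should be allowed only its single tunnel address
                problems.append(f"{name}: AllowedIPs {net} is wider than one host")
    # each side's tunnel Address must appear verbatim as a peer AllowedIPs on the other side
    for me, other in (("local", "remote"), ("remote", "local")):
        addr = sides[me][0].get("Address")
        if addr not in {p.get("AllowedIPs") for p in sides[other][1]}:
            problems.append(f"{other}: no [Peer] has AllowedIPs = {addr}")
    return problems

# Constructed sample input, not a real deployment: DUMMY_KEY merely has a key's shape.
DUMMY_KEY = base64.b64encode(bytes(range(32))).decode()
def sample_conf(address, peer_allowed, key=DUMMY_KEY):
    return (f"[Interface]\nAddress = {address}\nPrivateKey = {key}\nListenPort = 51820\n[Peer]\n"
            f"PublicKey = {key}\nEndpoint = node.example:51820\nAllowedIPs = {peer_allowed}\n")
```

Run check_pair on the real local and remote files (read with open()) and expect an empty list before starting the interface.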
Cardano-specific Configuration
Update and/or review your topology.json file(s) and/or relay-topology_pull.sh script to ensure the "addr" matches this new tunneled IP address, and not the usual public node IP address.
Update and/or review your validator's configuration and ensure it connects to the beacon-chain's new tunneled IP address, and not the usual public node IP address.
In this example, the beacon-chain is the remote node with IP address 10.0.0.2.
To access Grafana from your local machine, enter into the browser http://10.0.0.2:3000