Setting Up WireGuard
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner.
🐣 Installing WireGuard
On Ubuntu 20.04 and later, wireguard ships in the standard repositories and the add-apt-repository step can be skipped; the PPA is only needed on older releases.
sudo apt install linux-headers-generic
sudo add-apt-repository ppa:wireguard/wireguard -y
sudo apt-get update
sudo apt-get install wireguard -y
🗝️ Setting Up Public/Private Key Pairs
On each node, generate that node's own key pair by typing the following commands. The private key never leaves the node; only the public key is copied into the other nodes' configurations, and umask 077 makes both files readable by root only:
sudo su
cd /etc/wireguard
umask 077
wg genkey | tee wireguard-privatekey | wg pubkey > wireguard-publickey
🤖 Configuring WireGuard
Create a wg0.conf configuration file in the /etc/wireguard directory on each node.
Replace the placeholder keys: PrivateKey is this node's own private key (the contents of its wireguard-privatekey file), and each [Peer] PublicKey is that remote node's public key. Never copy a private key between nodes.
Change each Endpoint to the remote node's public IP or DNS address. The configurations below are written from the local node's point of view; every other node gets the mirror image, with its own tunnel address in Address and the other nodes' /32 addresses in their [Peer] AllowedIPs.
Two Node Setup (i.e. 1 block producer, 1 relay node)
# local node WireGuard Configuration
[Interface]
# local node address
Address = 10.0.0.1/32
# local node private key
PrivateKey = <e.g. SJ6ygM3csa36...+pO4XW1QU0B2M=>
# local node wireguard listening port
ListenPort = 51820
# remote node
[Peer]
# remote node's publickey
PublicKey = <e.g. Rq7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=>
# remote node's public ip address or dns address
Endpoint = remotenode.mydomainname.com:51820
# remote node's interface address; the /32 is also the only source address
# this peer is allowed to send from (WireGuard's cryptokey routing)
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21
Triple Node Setup (i.e. 1 block producer, 2 relay nodes)
# local node WireGuard Configuration
[Interface]
# local node address
Address = 10.0.0.1/32
# local node private key
PrivateKey = <e.g. SJ6ygM3csa36...+pO4XW1QU0B2M=>
# local node wireguard listening port
ListenPort = 51820
# remote node 1 config
[Peer]
# remote node 1's publickey
PublicKey = <e.g. R11q7QEe2g3qIjDftMu...knBGdd2mvJDCaasde=>
# remote node 1's public ip address or dns address
Endpoint = remotenode1.mydomainname.com:51820
# remote node 1's interface address (also the only source address it may use)
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 21
# remote node 2 config
[Peer]
# remote node 2's publickey
PublicKey = <e.g. ESDd7QEe2g3qIjDftMu...knBGS9mvJDCa4WQg=>
# remote node 2's public ip address or dns address
Endpoint = remotenode2.mydomainname.com:51820
# remote node 2's interface address (also the only source address it may use)
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 21
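Writing the mirror-image wg0.conf for each node by hand is where keys and AllowedIPs get swapped. The script below is an added example (not from the original guide or the WireGuard project) that generates every node's configuration from one inventory, so the full mesh of the triple node setup is produced consistently; the node names, .invalid hostnames and PUBKEY_/PRIVKEY_ placeholder keys are constructed assumptions, and real keys come from the wg genkey / wg pubkey step above.

```shell
#!/bin/sh
# Constructed inventory: node name, tunnel address, public endpoint, public key.
# The keys are placeholders; on a real node each public key is the contents of
# /etc/wireguard/wireguard-publickey produced by `wg genkey | tee ... | wg pubkey`.
NODES='
bp     10.0.0.1 bp.example.invalid:51820     PUBKEY_BP_PLACEHOLDER=
relay1 10.0.0.2 relay1.example.invalid:51820 PUBKEY_RELAY1_PLACEHOLDER=
relay2 10.0.0.3 relay2.example.invalid:51820 PUBKEY_RELAY2_PLACEHOLDER=
'

# mesh_conf NAME PRIVATE_KEY
# Prints the wg0.conf for NAME: its own [Interface] plus one [Peer] per other
# node.  Each peer's AllowedIPs is that node's /32 only, so the tunnel neither
# routes traffic for, nor accepts traffic from, an address a peer does not own.
mesh_conf() {
    name="$1"; privkey="$2"
    self=$(printf '%s\n' "$NODES" | awk -v n="$name" '$1 == n')
    if [ -z "$self" ]; then
        echo "mesh_conf: unknown node '$name'" >&2
        return 1
    fi
    set -- $self                       # $2 = tunnel address, $3 = endpoint
    printf '[Interface]\nAddress = %s/32\nPrivateKey = %s\nListenPort = %s\n' \
        "$2" "$privkey" "${3##*:}"
    printf '%s\n' "$NODES" | awk -v n="$name" '
        NF == 4 && $1 != n {
            printf "\n[Peer]\n# %s\nPublicKey = %s\nEndpoint = %s\n", $1, $4, $3
            printf "AllowedIPs = %s/32\nPersistentKeepalive = 21\n", $2
        }'
}

# Stand-alone usage on a node (run as root, output is mode 600 thanks to umask):
#   umask 077; ./mesh.sh relay1 "$(cat /etc/wireguard/wireguard-privatekey)" > /etc/wireguard/wg0.conf
[ "$#" -eq 2 ] && mesh_conf "$1" "$2"
```

Generate bp, relay1 and relay2 in turn and each file contains exactly the other two nodes as peers; a node never appears in its own AllowedIPs, and the private key is only ever the one passed in for that node.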
🧱 Configuring Your Firewall / Port Forwarding
You must allow UDP traffic on port 51820 to each node, and then allow the node's services (for example the cardano-node port 6000) over the tunnel.
To configure your firewall / port forwarding, type:
sudo ufw allow 51820/udp
sudo ufw allow from 10.0.0.0/16 to any
# check the firewall rules
sudo ufw status verbose
Note that the second rule matches any packet with a 10.0.0.x source address on every interface, not only wg0, so it is looser than needed. A rule scoped to the tunnel interface (ufw's `in on wg0` form) only accepts traffic that actually arrived through WireGuard, and 10.0.0.0/24 is enough for the addresses used above.
🔗 Setting Up Autostart with systemd
Add the service to systemd.
sudo systemctl enable [email protected]
sudo systemctl daemon-reload
Start wireguard.
sudo systemctl start wg-quick@wg0
Check the status.
sudo systemctl status wg-quick@wg0
✅ Verifying the Connection
Check the status of the interfaces by running wg
sudo wg
## Example Output
# interface: wg0
# public key: rZLBzslvFtEJ...JdfX4XSwk=
# private key: (hidden)
# listening port: 51820
# peer:
# endpoint: 12.34.56.78:51820
# allowed ips: 10.0.0.2/32
# latest handshake: 15 seconds ago
# transfer: 500 KiB received, 900 KiB sent
# persistent keepalive: every 21 seconds
If a peer shows no latest handshake line, the tunnel has never come up: check that each side's PublicKey matches the other node's wireguard-publickey, that the Endpoint resolves, and that UDP 51820 is reachable through the firewall. On a healthy tunnel with PersistentKeepalive set, the latest handshake is never more than a couple of minutes old.
Verify ping works between nodes.
ping 10.0.0.2
# if triple node configuration
ping 10.0.0.3
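Reading `sudo wg` by eye works once; what a pool operator wants is a check that runs from cron and fails when a relay's handshake goes stale. The script below is an added example (not from the original guide or the WireGuard project) that parses the machine-readable `wg show wg0 dump` format; the sample dump, its PUBKEY_ placeholder keys and the 203.0.113.x endpoints are constructed, and the 180-second threshold is an assumption based on WireGuard re-handshaking roughly every two minutes while keepalives flow.

```shell
#!/bin/sh
# Constructed sample of `wg show wg0 dump` output (tab-separated).
# Line 1 is the interface: private-key, public-key, listen-port, fwmark.
# Each peer line: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), rx bytes, tx bytes, keepalive.
SAMPLE_DUMP=$(printf '%s\t%s\t%s\t%s\n' 'PRIVKEY_HIDDEN=' 'PUBKEY_LOCAL=' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PUBKEY_RELAY1=' '(none)' '203.0.113.10:51820' '10.0.0.2/32' 1700000000 512000 921600 21 \
    'PUBKEY_RELAY2=' '(none)' '203.0.113.11:51820' '10.0.0.3/32' 1699999000 0 4096 21 \
    'PUBKEY_RELAY3=' '(none)' '(none)' '10.0.0.4/32' 0 0 0 21)

# stale_peers MAX_AGE NOW < dump
# Prints "<pubkey> <allowed-ips> <age|never>" for each peer whose last
# handshake is older than MAX_AGE seconds or that has never handshaken.
# Exit status is 1 when any peer is stale, so the function can drive an alert.
stale_peers() {
    awk -F '\t' -v max="$1" -v now="$2" '
        NF == 8 {                  # peer lines only; the 4-field interface line is skipped
            hs = $5 + 0
            if (hs == 0)        { print $1, $4, "never"; bad = 1; next }
            if (now - hs > max) { print $1, $4, now - hs; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Live usage on a node (needs root to read the interface):
#   sudo wg show wg0 dump | stale_peers 180 "$(date +%s)" || logger -t wgcheck "stale WireGuard peer"
```

With the sample above and a clock of 1700000100, RELAY1 handshook 100 seconds ago and is fine, RELAY2 is 1100 seconds stale, and RELAY3 has never completed a handshake (typically a key mismatch or a blocked UDP port).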
Cardano-specific Configuration
Update and/or review your topology.json file(s) and/or the relay-topology_pull.sh script so that every entry pointing at one of your own nodes uses that node's tunnel address (10.0.0.x), not its usual public IP address.
Dual node setup
Example: topology.json on blockproducer
{ "addr": "10.0.0.2", "port": 6000, "valency": 1 }
topology.json on relaynode1
{ "addr": "10.0.0.1", "port": 6000, "valency": 1 }
Triple node setup
Example: topology.json on blockproducer
{ "addr": "10.0.0.2", "port": 6000, "valency": 1 },
{ "addr": "10.0.0.3", "port": 6000, "valency": 1 }
topology.json on relaynode1
{ "addr": "10.0.0.1", "port": 6000, "valency": 1 },
{ "addr": "10.0.0.3", "port": 6000, "valency": 1 }
topology.json on relaynode2
{ "addr": "10.0.0.1", "port": 6000, "valency": 1 },
{ "addr": "10.0.0.2", "port": 6000, "valency": 1 }
Wireguard setup is complete.
🛑 Stopping and Disabling WireGuard
To stop and disable WireGuard, type:
sudo systemctl stop wg-quick@wg0
sudo systemctl disable [email protected]
sudo systemctl daemon-reload