WireGuard® is an open-source VPN solution that is known for its simplicity, speed, and security. While setting up a WireGuard instance on most cloud providers is relatively straightforward, Oracle Cloud Infrastructure presents some unique challenges. This blog post will help you navigate those challenges and guide you through configuring a WireGuard instance on Oracle Cloud. We’ll discuss a specific problem reported by users on Reddit and how to solve it using the provided scripts.
Around two years ago, a Reddit user shared their difficulties in setting up a WireGuard VPN between a Windows PC client and an Ubuntu server hosted on Oracle Cloud’s free tier. The main issue appeared to be with the network address translation (NAT) and routing settings, which prevented the VPN from working as expected. The user suspected that Oracle Cloud had some unique configurations that caused these issues.
Previously, I had also experimented with Oracle Cloud and encountered the same issues. Consequently, I decided to share my experience in a response to the Reddit post. The solution I provided was well-received and recognized by the community, and to this day, I continue to receive appreciative testimonials for my assistance.
Recently, I returned to my experiments with WireGuard in Oracle Cloud and found myself searching for my own Reddit post to access the instructions I had shared earlier. As a result, I decided to create this blog post as a reference for myself and others who may need it in the future.
The solution involved using two scripts added to the WireGuard configuration file (wg0.conf). These scripts help configure NAT and routing settings for the VPN to work properly on Oracle Cloud Infrastructure.
Here’s what you should do:
- Update your wg0.conf file by adding the following lines:
```ini
PostUp = /etc/wireguard/helper/add-nat-routing.sh
PostDown = /etc/wireguard/helper/remove-nat-routing.sh
```
These lines tell WireGuard to execute the corresponding scripts when the VPN is brought up (PostUp) and taken down (PostDown).
- Create two new scripts in the /etc/wireguard/helper/ directory and give them execution permissions:
/etc/wireguard/helper/add-nat-routing.sh:

```bash
#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
IN_FACE="ens3"                # NIC connected to the internet
WG_FACE="wg0"                 # WG NIC
SUB_NET="10.66.66.0/24"       # WG IPv4 sub/net aka CIDR
WG_PORT="59075"               # WG udp port
SUB_NET_6="fd42:42:42::/64"   # WG IPv6 sub/net

## IPv4 ##
# Masquerade VPN client traffic leaving through the internet-facing NIC
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
# Accept everything arriving on the WireGuard interface
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
# Forward packets in both directions between the NIC and the WireGuard interface
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
# Accept incoming WireGuard UDP traffic on the listen port
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

## IPv6 (comment these out if you do not route IPv6) ##
$IPT6 -t nat -I POSTROUTING 1 -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
$IPT6 -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT6 -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT6 -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
```

/etc/wireguard/helper/remove-nat-routing.sh:

```bash
#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
IN_FACE="ens3"                # NIC connected to the internet
WG_FACE="wg0"                 # WG NIC
SUB_NET="10.66.66.0/24"       # WG IPv4 sub/net aka CIDR
WG_PORT="59075"               # WG udp port
SUB_NET_6="fd42:42:42::/64"   # WG IPv6 sub/net

# IPv4 rules #
# Delete exactly the rules added by add-nat-routing.sh
$IPT -t nat -D POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -D INPUT -i $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -D INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

# IPv6 rules (comment these out if you do not route IPv6) #
$IPT6 -t nat -D POSTROUTING -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
$IPT6 -D INPUT -i $WG_FACE -j ACCEPT
$IPT6 -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT6 -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
```
Let’s dive deeper into the details of the scripts provided:
The add-nat-routing.sh script sets up NAT and routing for both IPv4 and IPv6 networks when the VPN is activated. It does so by adding appropriate iptables and ip6tables rules. Key aspects of this script include:
- Defining the internet-connected network interface (IN_FACE) and the WireGuard network interface (WG_FACE) is crucial for proper configuration. Keep in mind that you may need to adjust the interface name in `IN_FACE="ens3"` to match the default interface present on your Oracle instance.
- It’s essential to specify the WireGuard IPv4 subnet (SUB_NET), the WireGuard IPv6 subnet (SUB_NET_6), and the WireGuard UDP port (WG_PORT). Ensure that these values align with your wg0.conf configuration.
- Lastly, the script adds iptables and ip6tables rules to the nat POSTROUTING chain and to the INPUT and FORWARD chains. Each rule is inserted at position 1 (`-I ... 1`), so it takes effect ahead of any rules already present in those chains. Together these rules provide the address translation and forwarding that let your WireGuard VPN operate as intended.
This script ensures that traffic from the VPN is correctly routed through the internet-connected network interface on the Oracle Cloud server.
The remove-nat-routing.sh script undoes the changes made by the add-nat-routing.sh script when the VPN is deactivated. It removes the corresponding iptables and ip6tables rules to ensure a clean shutdown of the VPN. This script has a similar structure to the add-nat-routing.sh script, but instead of adding rules, it deletes them.
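One weakness of the two scripts above is that they are not idempotent: running add-nat-routing.sh twice (for example after a failed `wg-quick down`) stacks duplicate rules, and remove-nat-routing.sh then only deletes one copy of each. The following helper is an added example of my own, not the post's scripts: a single script that applies, removes or checks the same IPv4 rules, using `iptables -C` to test for an existing rule before inserting and to loop until every copy is deleted. The subcommand names (`apply`, `remove`, `check`), the detection of IN_FACE from the default route, and the `ip_forward` check are my additions; IPv6 is left out to keep it short, and the ip6tables rules would follow the same pattern.

```shell
#!/bin/bash
# Added example (not the post's own helper scripts): idempotent apply/remove/check
# for the IPv4 NAT and forwarding rules used by the post. Values default to the
# ones in the post and can be overridden through the environment.
set -u

IPT="${IPT:-/sbin/iptables}"
# The default route's outgoing device is the internet-facing NIC; fall back to ens3.
IN_FACE="${IN_FACE:-$(ip -o route show default 2>/dev/null | awk 'NR==1{print $5}' 2>/dev/null)}"
IN_FACE="${IN_FACE:-ens3}"
WG_FACE="${WG_FACE:-wg0}"
SUB_NET="${SUB_NET:-10.66.66.0/24}"
WG_PORT="${WG_PORT:-59075}"

# One rule per line: "<table> <chain> <match and target arguments>".
rule_list() {
  cat <<EOF
nat POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
filter INPUT -i $WG_FACE -j ACCEPT
filter FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
filter FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
filter INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
EOF
}

# ensure_rule TABLE CHAIN ARGS...: insert at position 1 only if an identical rule
# is not already present (-C checks), so repeated PostUp runs never add duplicates.
ensure_rule() {
  table=$1; chain=$2; shift 2
  if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  "$IPT" -t "$table" -I "$chain" 1 "$@"
}

# drop_rule TABLE CHAIN ARGS...: delete every copy of the rule, which also cleans
# up duplicates left behind by earlier non-idempotent runs.
drop_rule() {
  table=$1; chain=$2; shift 2
  while "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; do
    "$IPT" -t "$table" -D "$chain" "$@"
  done
}

apply_rules() {
  while read -r table chain args; do
    ensure_rule "$table" "$chain" $args
  done <<EOF
$(rule_list)
EOF
}

remove_rules() {
  while read -r table chain args; do
    drop_rule "$table" "$chain" $args
  done <<EOF
$(rule_list)
EOF
}

# Prints how many of the expected rules are absent (0 means fully applied).
missing_rules() {
  n=0
  while read -r table chain args; do
    "$IPT" -t "$table" -C "$chain" $args 2>/dev/null || n=$((n + 1))
  done <<EOF
$(rule_list)
EOF
  echo "$n"
}

# The FORWARD rules never see a packet unless the kernel forwards at all.
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-}" in
  apply)  apply_rules ;;
  remove) remove_rules ;;
  check)
    echo "missing rules: $(missing_rules)"
    if forwarding_enabled; then
      echo "ip_forward: on"
    else
      echo "ip_forward: OFF (enable with: sysctl -w net.ipv4.ip_forward=1)"
    fi
    ;;
  *) [ $# -eq 0 ] || { echo "usage: $0 apply|remove|check" >&2; exit 2; } ;;
esac
```

To use it in place of the two scripts, point PostUp at `helper.sh apply` and PostDown at `helper.sh remove`, and run `helper.sh check` as root when the tunnel comes up but clients get no internet: a non-zero missing count means the rules did not land, and an "ip_forward: OFF" line means the rules are fine but the kernel is dropping forwarded packets.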
With the provided scripts in place, you should now be able to set up a WireGuard instance on Oracle Cloud without any issues. The NAT and routing configurations should work as expected, allowing you to connect your VPN client to the Ubuntu server on Oracle Cloud’s free tier. If you encounter any issues or have any questions, leave a comment below, and I’ll do my best to help you out.
If you have any further questions or require additional assistance, the Reddit community and WireGuard documentation can be valuable sources of information. Don’t hesitate to reach out and share your experiences, as your insights might help others facing similar challenges.