Guide for setting up a WireGuard VPN server on a DigitalOcean droplet. We will use Ubuntu 20.04 LTS for this guide.

Step 1: Create Droplet and SSH Into It

  1. Log into your DigitalOcean account, create a new droplet, and choose Ubuntu 20.04 LTS. Choose your desired size and region.
  2. Once your droplet is created, you will receive an email with your droplet's IP address and root password. SSH into your droplet:
    ssh root@your_droplet_ip
    
  3. You will be prompted to change your password upon your first login. Please do so.

Step 2: Install WireGuard

  1. Update and upgrade the installed packages, then install WireGuard:
    apt update && apt upgrade -y
    apt install wireguard -y
    

Step 3: Configure WireGuard

  1. Create the WireGuard directory (-p is harmless if the package already created it):
    mkdir -p /etc/wireguard
    
  2. Generate the server's private and public keys (umask 077 keeps the key files readable only by root):
    cd /etc/wireguard
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey
    
  3. Open the WireGuard configuration file:
    nano /etc/wireguard/wg0.conf
    
  4. Add the following content to the file:
    [Interface]
    Address = 10.0.0.1/24
    SaveConfig = true
    PrivateKey = SERVER_PRIVATE_KEY
    ListenPort = 51820
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    
Replace SERVER_PRIVATE_KEY with the server's private key generated in the previous step.
  5. Set the correct permissions for the configuration file:
    chmod 600 /etc/wireguard/wg0.conf
    

Step 4: Enable WireGuard at Startup

  1. Enable WireGuard to start at boot:
    systemctl enable wg-quick@wg0
    
  2. Start WireGuard:
    systemctl start wg-quick@wg0
    
  3. Confirm that WireGuard is running:
    systemctl status wg-quick@wg0
    

Step 5: Configure Firewall

  1. Install UFW:
    apt install ufw -y
    
  2. Allow SSH and WireGuard traffic, then enable the firewall:
    ufw allow 22
    ufw allow 51820/udp
    ufw enable
    

Step 6: Backup Configuration

  1. Install rsync and cron:
    apt install rsync cron -y
    
  2. Schedule a cron job to back up the WireGuard configuration every week:
    crontab -e
    
Add the following line:
```
0 3 * * 0 rsync -a /etc/wireguard/ /path/to/backup/directory
```
This will back up the configuration every Sunday at 3 AM.

Step 7: Automatic Updates

  1. Install unattended-upgrades:
    apt install unattended-upgrades -y
    
  2. Configure it to install updates automatically:
    dpkg-reconfigure -plow unattended-upgrades
    
Select "Yes" when prompted.

Step 8: Harden SSH Access

To enhance security, it's recommended to disallow root login and password authentication over SSH. Instead, use SSH key pairs for authentication.
  1. Generate a new SSH key pair on your local machine (skip this step if you already have an SSH key pair):
    ssh-keygen
    
  2. Copy the public key to your server:
    ssh-copy-id -i ~/.ssh/id_rsa.pub root@your_droplet_ip
    
  3. Now login to your server and edit the SSH configuration:
    nano /etc/ssh/sshd_config
    
  4. Make the following changes:
    PermitRootLogin no
    PasswordAuthentication no
    
  5. Finally, restart the SSH service for the changes to take effect:
    systemctl restart sshd
    
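A pre-flight check to run before the restart in step 5, added here as an example and not part of the original guide. It matters at this point because the guide has so far only installed a key for root, and because sshd honours the first occurrence of each keyword (an Include line pulls drop-in files in at its position), so a later PermitRootLogin no can be overridden without any error. It assumes a POSIX shell with getent and sshd on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original guide: check the Step 8 changes
# before restarting sshd. Assumes getent(1) and sshd(8) are on the PATH.

# Print the effective value of one sshd_config keyword from config text ($1).
# sshd keeps the FIRST occurrence; comment lines are ignored and keywords are
# case-insensitive. Include and Match blocks are not followed here; the
# definitive view is `sshd -T`, which preflight() uses when available.
effective_sshd_opt() {   # $1 = config text, $2 = keyword
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Count regular users (uid 1000-65533) whose authorized_keys file is non-empty.
# With PermitRootLogin no and zero such users there is no way back in.
count_key_users() {   # $1 = passwd(5) text, $2 = optional path prefix (tests)
    printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $3 < 65534 { print $6 }' |
    while IFS= read -r home; do
        [ -s "$2$home/.ssh/authorized_keys" ] && echo "$home"
    done | wc -l | tr -d ' '
}

preflight() {
    if command -v sshd >/dev/null; then
        cfg=$(sshd -T 2>/dev/null) || { echo "sshd -T failed (run as root; the config may be invalid)" >&2; return 1; }
    else
        cfg=$(cat /etc/ssh/sshd_config)
    fi
    rc=0
    for kv in "permitrootlogin no" "passwordauthentication no"; do
        key=${kv% *}; want=${kv#* }
        have=$(effective_sshd_opt "$cfg" "$key")
        [ "$have" = "$want" ] || { echo "$key is '${have:-unset}', expected '$want'" >&2; rc=1; }
    done
    users=$(count_key_users "$(getent passwd)")
    [ "$users" -ge 1 ] || { echo "no non-root user has an authorized_keys file; add one before restarting sshd" >&2; rc=1; }
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    preflight && echo "ok: safe to run systemctl restart sshd"
fi
```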

Step 9: Set Up Fail2Ban

Fail2Ban is a log-parsing application that protects your server from brute-force attacks.
  1. Install Fail2Ban:
    apt install fail2ban -y
    
  2. Copy the jail configuration file:
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    
  3. Fail2Ban should start automatically. You can check its status with:
    systemctl status fail2ban
    

Step 10: Set Up WireGuard Clients

To connect to your WireGuard server, you will need to set up WireGuard clients. The steps are similar to setting up the server.
  1. Install WireGuard on the client machine:
    apt install wireguard -y
    
  2. Generate a key pair:
    wg genkey | tee privatekey | wg pubkey > publickey
    
  3. Create a client configuration file:
    nano /etc/wireguard/wg0-client.conf
    
  4. Add the following content:
    [Interface]
    Address = 10.0.0.2/24
    PrivateKey = CLIENT_PRIVATE_KEY
    
    [Peer]
    PublicKey = SERVER_PUBLIC_KEY
    Endpoint = your_droplet_ip:51820
    AllowedIPs = 0.0.0.0/0
    
Replace CLIENT_PRIVATE_KEY with the client's private key and SERVER_PUBLIC_KEY with the server's public key.
  5. Start the WireGuard client:
    wg-quick up wg0-client
    
Remember to replace your_droplet_ip with your actual droplet's IP address.
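The step the guide leaves implicit is that the server must also learn about the client: WireGuard only accepts and forwards packets for a peer whose public key and AllowedIPs are configured on the server side. The following script, an added example that is not part of the original guide, picks the next free 10.0.0.x address, registers the client on the running wg0 (SaveConfig = true in Step 3 writes it to wg0.conf when the interface is next brought down) and prints the matching client config; it assumes the wg tool, the Step 3 file layout and a script name of add-peer.sh.

```shell
#!/bin/sh
# Added example, not part of the original guide: register a client on the
# server side and print its config. Assumes the Step 3 wg0.conf (10.0.0.1/24,
# SaveConfig = true) and that `wg` is installed. Assumed usage:
#   sh add-peer.sh --apply <CLIENT_PUBLIC_KEY> <your_droplet_ip>

# Pick the next free host address in 10.0.0.0/24 from the output of
# `wg show wg0 allowed-ips` (one "<pubkey><TAB>10.0.0.N/32" line per peer).
next_client_ip() {   # $1 = allowed-ips text; prints the address or fails
    used=$(printf '%s\n' "$1" | sed -n 's#.*10\.0\.0\.\([0-9][0-9]*\)/32.*#\1#p')
    n=2
    while [ "$n" -le 254 ]; do
        printf '%s\n' "$used" | grep -qx "$n" || { echo "10.0.0.$n"; return 0; }
        n=$((n + 1))
    done
    return 1   # subnet exhausted
}

# Render the Step 10 client file. $1 = client private key, $2 = client IP,
# $3 = server public key, $4 = droplet IP or hostname.
render_client_conf() {
    printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\n\n' "$2" "$1"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s:51820\nAllowedIPs = 0.0.0.0/0\n' "$3" "$4"
}

# Add the peer to the running interface. AllowedIPs is the single client
# address, so each client can only source traffic from its own address.
register_peer() {   # $1 = client public key, $2 = client IP
    # With forwarding off the handshake succeeds but client traffic is dropped.
    [ "$(sysctl -n net.ipv4.ip_forward)" = "1" ] || echo "warning: net.ipv4.ip_forward is 0" >&2
    wg set wg0 peer "$1" allowed-ips "$2/32"
}

if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    ip=$(next_client_ip "$(wg show wg0 allowed-ips)") || { echo "no free address" >&2; exit 1; }
    register_peer "$2" "$ip"
    echo "Peer added. Client config (fill in CLIENT_PRIVATE_KEY):"
    render_client_conf CLIENT_PRIVATE_KEY "$ip" "$(cat /etc/wireguard/publickey)" "$3"
fi
```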

Step 11: Periodic Reboot

Periodic reboot of the server can help apply patches that need a restart and can keep your server healthy.
  1. Install the needrestart package:
    apt install needrestart -y
    
  2. Schedule a weekly reboot at a time of your choice (for example, 3 AM every Sunday):
    crontab -e
    
Add this line:
```
0 3 * * 0 /sbin/shutdown -r now
```

Advanced Setup

Step 12: Configure System Logging

Having a good logging system can help you monitor your server and troubleshoot any issues. The rsyslog service is installed by default on Ubuntu. Ensure it's running with:
    systemctl status rsyslog
    
If it's not running, start it with:
    systemctl start rsyslog
    
You can configure rsyslog by editing its configuration file:
    nano /etc/rsyslog.conf

Step 13: Monitor System Resources

Install and configure htop, an interactive process viewer, to monitor system resources:
    apt install htop -y
    
You can run htop by typing htop into the terminal.

Step 14: Regular System Scan for Malware

Install and configure ClamAV, an open-source antivirus engine, to regularly scan your system for malicious software:
    apt install clamav clamav-daemon -y
    freshclam
    
Scan your system with:
    clamscan -r /home
    
Schedule a daily system scan by editing the root user's crontab:
    crontab -e
    
Add the following line to schedule a scan every day at 2 AM:
```
0 2 * * * clamscan -r /home
```

Step 15: Monitor Log Files

Install Logwatch, a customizable log analysis system:
    apt install logwatch libdate-manip-perl -y
    
By default, Logwatch will send a daily report to the root user. You can change this by editing the /usr/share/logwatch/default.conf/logwatch.conf file.

More advanced setup

Step 16: Configure Network Time Protocol (NTP)

Keeping accurate time is important for servers, especially for log entries and error tracking. To install and configure the NTP service:
    apt install ntp -y
    systemctl start ntp
    systemctl enable ntp

Step 17: Set Up a Monitoring Tool

Netdata is a real-time health monitoring and performance troubleshooting tool for cloud and on-premise servers. Use the following commands to install and start Netdata:
    bash <(curl -Ss https://my-netdata.io/kickstart.sh)
    systemctl start netdata
    systemctl enable netdata
    
The first command downloads a script and runs it. This script comes from the official Netdata website, but you should review any script downloaded from the internet before running it.

Step 18: Configure Swap Space

If your server runs out of physical memory, it can use swap space to prevent out-of-memory crashes. Here's how you can add swap space:
    fallocate -l 2G /swapfile
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile
    echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab
    
This will create a 2 GB swap file.

Step 19: Install and Configure ModSecurity

ModSecurity is an open-source web application firewall (WAF) that can help protect your server against various attacks such as SQL injection and cross-site scripting (XSS). To install ModSecurity:
    apt install libapache2-mod-security2 -y
    
After installing ModSecurity, you will need to configure it. The main configuration file is located at /etc/modsecurity/modsecurity.conf-recommended. To start, copy this file to a new file named modsecurity.conf:
    cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
    
Then, edit the configuration to meet your needs:
    nano /etc/modsecurity/modsecurity.conf
    
By default, ModSecurity runs in "DetectionOnly" mode, which means it only logs potential threats but does not block them. To enable blocking, change the "SecRuleEngine" directive to "On":
    SecRuleEngine On
    
Save and exit the file, then restart the Apache server to apply the changes:
    systemctl restart apache2
    
ModSecurity can be complex to configure, and it is recommended to thoroughly test its configuration in a non-production environment before applying it to a live server.

Step 20: Kernel Hardening

Kernel hardening is an essential part of server security. This can be achieved by editing the /etc/sysctl.conf file. Here are a few recommended configurations:
    echo 'net.ipv4.conf.all.rp_filter = 1' | tee -a /etc/sysctl.conf
    echo 'net.ipv4.conf.all.accept_redirects = 0' | tee -a /etc/sysctl.conf
    echo 'net.ipv6.conf.all.accept_redirects = 0' | tee -a /etc/sysctl.conf
    echo 'net.ipv4.conf.all.send_redirects = 0' | tee -a /etc/sysctl.conf
    sysctl -p

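An idempotent version of these settings, added here as an example and not part of the original guide: it writes a drop-in under /etc/sysctl.d (assumed file name 99-wireguard-hardening.conf) instead of appending to /etc/sysctl.conf, so re-running it does not duplicate lines, and it includes net.ipv4.ip_forward=1, which the PostUp rules in Step 3 depend on because the kernel will not forward client traffic while it is 0. The drift check compares the wanted values with the running ones.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumed drop-in file name:
DROPIN=/etc/sysctl.d/99-wireguard-hardening.conf

# Wanted key=value lines: the Step 20 settings plus ip_forward, which the
# Step 3 PostUp/MASQUERADE rules need in order to route client traffic.
hardening_settings() {
    cat <<'EOF'
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
EOF
}

# Compare wanted key=value lines ($1) with `sysctl -a` style "key = value"
# output ($2); print one line per key whose running value differs.
sysctl_drift() {
    printf '%s\n' "$1" | while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(printf '%s\n' "$2" | awk -v k="$key" '$1 == k { print $3 }')
        [ "$have" = "$want" ] || echo "$key: want $want, have ${have:-unset}"
    done
}

apply_hardening() {
    hardening_settings > "$DROPIN"
    sysctl --system >/dev/null        # loads /etc/sysctl.d/*.conf in order
    drift=$(sysctl_drift "$(hardening_settings)" "$(sysctl -a 2>/dev/null)")
    if [ -n "$drift" ]; then
        # a later drop-in or /etc/sysctl.conf itself may override these
        printf 'still differing:\n%s\n' "$drift" >&2
        return 1
    fi
    echo "all hardening settings active"
}

if [ "${1:-}" = "--apply" ]; then apply_hardening; fi
```
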
Step 21: Regular System Auditing

The Linux Auditing System helps system administrators create an audit trail, a log that records which user is accessing what resource and when. The auditd service is responsible for this.
    apt install auditd audispd-plugins -y
    systemctl start auditd
    systemctl enable auditd
    
You can configure rules by editing the /etc/audit/rules.d/audit.rules file.

Step 22: Intrusion Detection System

AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker. It creates a database of files specified in the configuration file and then uses the database to ensure file integrity and detect system intrusions.
    apt install aide -y
    aideinit
    cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
    
To check the file system against the database manually, use aide --check.
You can also set up a cron job to run this command regularly and email the results.

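A cron-driven wrapper for the aide --check run mentioned above, added as an example and not part of the original guide. It decodes aide's exit status (a bitmask: 1 new, 2 removed, 4 changed entries; 14 and above are errors) into a subject line so that a finding is visible without opening the report; it assumes a mail command such as the one from the mailutils package and a script path of /usr/local/sbin/aide-check.sh for the crontab line.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes the Step 22 AIDE
# install and a `mail` command (e.g. from mailutils). Assumed crontab line:
#   0 4 * * * /usr/local/sbin/aide-check.sh --run

# Translate aide's exit status into a summary line. aide(1) returns 0 for no
# differences, a bitmask of 1 (new), 2 (removed), 4 (changed) for findings,
# and 14 or higher for errors. Returns 0 / 1 / 2 for clean / findings / error.
decode_aide_status() {   # $1 = exit status
    s=$1
    [ "$s" -eq 0 ] && { echo "no changes"; return 0; }
    [ "$s" -ge 14 ] && { echo "aide error (exit $s)"; return 2; }
    out=""
    [ $((s & 1)) -ne 0 ] && out="$out added"
    [ $((s & 2)) -ne 0 ] && out="$out removed"
    [ $((s & 4)) -ne 0 ] && out="$out changed"
    echo "findings:$out"
    return 1
}

run_check() {
    rc=0
    report=$(aide --check 2>&1) || rc=$?
    summary=$(decode_aide_status "$rc") || true
    printf '%s\n\n%s\n' "$summary" "$report" |
        mail -s "AIDE on $(hostname): $summary" root
    # After reviewing legitimate changes (package upgrades, edits you made),
    # refresh the baseline so the next run reports only new differences:
    #   aide --update && cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
}

if [ "${1:-}" = "--run" ]; then run_check; fi
```
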
Step 23: Docker Security

If you are using Docker, consider implementing Docker Bench Security, a script that checks for common best-practices around deploying Docker containers in production.
    git clone https://github.com/docker/docker-bench-security.git
    cd docker-bench-security
    ./docker-bench-security.sh
    
This script will output a list of warnings and recommendations for your Docker configuration.