DEV Community

KartikJha


Setting Up a WireGuard VPN Server on Google Cloud Platform

Introduction

In this comprehensive guide, I'll walk you through setting up your own WireGuard VPN server on Google Cloud Platform (GCP). This setup allows you to route all your internet traffic through a GCP instance, making your traffic appear to originate from the server's IP address instead of your actual location. Perfect for privacy, accessing geo-restricted content, or development testing.

Why WireGuard?

WireGuard is a modern, fast, and secure VPN protocol that's:

  • Lightweight: Only ~4,000 lines of code (compared to OpenVPN's 100,000+)
  • Fast: Better performance than traditional VPN protocols
  • Secure: Uses state-of-the-art cryptography
  • Simple: Easy to configure and maintain

Why Google Cloud Platform?

GCP offers an excellent free tier that includes:

  • 1 e2-micro instance per month (free forever)
  • 30 GB standard persistent disk storage
  • 1 GB network egress per month (US regions)
  • $300 credit for 90 days for new users

Prerequisites

  • A Google Cloud Platform account
  • A client machine running Linux (I'm using Kali Linux)
  • Basic command-line knowledge

Part 1: Setting Up the GCP VM Instance

Step 1: Create Your VM Instance

  1. Navigate to Compute Engine → VM Instances in the GCP Console
  2. Click "Create Instance"
  3. Configure your instance:
    • Name: wireguard-vpn-server
    • Region: Choose based on desired IP location (e.g., us-central1)
    • Machine type: e2-micro (free tier eligible)
    • Boot disk: Ubuntu 22.04 LTS, 30 GB Standard persistent disk
    • Firewall: Check "Allow HTTP" and "Allow HTTPS"

Step 2: Configure Firewall Rules for WireGuard

WireGuard uses UDP port 51820, so we need to allow it:

  1. Go to VPC Network → Firewall
  2. Click "Create Firewall Rule"
  3. Configure:
    • Name: allow-wireguard
    • Direction: Ingress
    • Targets: All instances in the network
    • Source IP ranges: 0.0.0.0/0
    • Protocols and ports: UDP 51820
  4. Click "Create"

Part 2: Installing and Configuring WireGuard Server

Step 3: Connect to Your VM

Use GCP's browser-based SSH (click the SSH button next to your instance) or use gcloud CLI:

gcloud compute ssh wireguard-vpn-server --zone=us-central1-a

Step 4: Install WireGuard

# Update system
sudo apt update && sudo apt upgrade -y

# Install WireGuard
sudo apt install wireguard -y

Step 5: Generate Server Keys

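# Generate server private key (umask 077 so the file is never group/world-readable,
# and the key is not echoed to the terminal)
sudo sh -c 'umask 077; wg genkey > /etc/wireguard/server_private.key'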

# Set proper permissions
sudo chmod 600 /etc/wireguard/server_private.key

# Generate server public key from private key
sudo cat /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key

Step 6: Identify Your Network Interface

ip route | grep default

Look for the interface name after "dev" (usually ens4 on GCP).

Step 7: Create Server Configuration

sudo nano /etc/wireguard/wg0.conf

Add the following configuration (replace ens4 with your actual interface if different):

[Interface]
PrivateKey = <paste_contents_of_server_private.key>
Address = 10.8.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE

Get your server private key:

sudo cat /etc/wireguard/server_private.key

Save your server public key for later (you'll need it for client config):

sudo cat /etc/wireguard/server_public.key

Step 8: Enable IP Forwarding

# Enable IP forwarding temporarily
sudo sysctl -w net.ipv4.ip_forward=1

# Make it permanent
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

Step 9: Start WireGuard Server

# Start the WireGuard interface
sudo wg-quick up wg0

# Enable auto-start on boot
sudo systemctl enable wg-quick@wg0

# Verify it's running
sudo wg show

Step 10: Get Your GCP External IP

curl ifconfig.me

Save this IP address - you'll need it for the client configuration.

Part 3: Setting Up the Client (Kali Linux)

Step 11: Install WireGuard on Client

sudo apt update
sudo apt install wireguard openresolv -y

Note: openresolv is needed for DNS configuration.

Step 12: Generate Client Keys

# Generate client key pair (the subshell's umask 077 keeps both files owner-only)
(umask 077; wg genkey | tee client_private.key | wg pubkey > client_public.key)

# View the keys
cat client_private.key
cat client_public.key

Step 13: Create Client Configuration

sudo nano /etc/wireguard/wg0-client.conf

Add the following configuration:

[Interface]
PrivateKey = <paste_your_client_private_key>
Address = 10.8.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <paste_your_server_public_key>
Endpoint = <your_gcp_external_ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Key Configuration Explained:

  • Address: Your client's IP within the VPN network
  • DNS: DNS server to use when connected
  • Endpoint: Your GCP server's public IP and WireGuard port
  • AllowedIPs = 0.0.0.0/0: Route ALL IPv4 traffic through the VPN (this entry does not cover IPv6)
  • PersistentKeepalive: Keep connection alive through NAT

Step 14: Add Client to Server

SSH back into your GCP VM and edit the server config:

sudo nano /etc/wireguard/wg0.conf

Add this at the end (paste your client's public key):

[Peer]
PublicKey = <paste_your_client_public_key>
AllowedIPs = 10.8.0.2/32

Restart WireGuard on the server:

sudo wg-quick down wg0
sudo wg-quick up wg0

Part 4: Testing the Connection

Step 15: Connect from Client

On your Kali machine:

# Check your current IP (before VPN)
curl -4 ifconfig.me

# Connect to VPN
sudo wg-quick up wg0-client

# Check connection status
sudo wg show

# Check your new IP (should be GCP's IP)
curl -4 ifconfig.me

Step 16: Verify the Connection

On the server side, you should see connection details:

sudo wg show

You should see:

  • endpoint: Your client's public IP and port
  • latest handshake: Time since last connection
  • transfer: Data sent/received

On the client side:

sudo wg show

You should see similar connection statistics.
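
To check the "latest handshake" value for every peer at once, the machine-readable `wg show wg0 dump` output can be classified with a small shell function. This is an added example, not part of the original post; the function names, the placeholder keys and the 180-second threshold are assumptions.

```bash
# Added example: classify peers from `wg show <iface> dump` (tab-separated).
# Line 1 is the interface; every later line is one peer with the fields
#   public-key, preshared-key, endpoint, allowed-ips,
#   latest-handshake (epoch seconds, 0 = never), rx, tx, keepalive
# $1 = current epoch seconds, $2 = maximum handshake age (assumed default 180)
wg_peer_health() {
    awk -F '\t' -v now="$1" -v max="${2:-180}" '
        NR == 1 || NF < 8 { next }          # skip interface line and junk
        $5 == 0 { printf "NEVER %s %s endpoint=%s\n", $1, $4, $3; next }
        {
            age = now - $5
            state = (age > max) ? "STALE" : "OK"
            printf "%s %s %s endpoint=%s age=%ds\n", state, $1, $4, $3, age
        }'
}

# Constructed sample dump; keys are placeholders, addresses are documentation ranges.
sample_dump() {
    printf 'SERVER_PRIV\tSERVER_PUB\t51820\toff\n'
    printf 'LAPTOP_PUB\t(none)\t203.0.113.7:40112\t10.8.0.2/32\t1700000000\t9216\t18432\toff\n'
    printf 'PHONE_PUB\t(none)\t198.51.100.9:51011\t10.8.0.3/32\t1699999000\t512\t1024\toff\n'
    printf 'TABLET_PUB\t(none)\t(none)\t10.8.0.4/32\t0\t0\t0\toff\n'
}

# Demo with a fixed clock so the output is reproducible.
sample_dump | wg_peer_health 1700000060
# Live use on the server: sudo wg show wg0 dump | wg_peer_health "$(date +%s)"
```

A peer reported as NEVER has a [Peer] entry on the server but has not completed a handshake, which usually points at a key mismatch or a blocked UDP port.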

Step 17: Test Internet Connectivity

# Test DNS resolution
nslookup google.com

# Test connectivity
ping 8.8.8.8

# Check your IP appears as GCP's
curl -4 ifconfig.me

# Test HTTPS
curl https://www.google.com

Managing Your VPN Connection

Connect to VPN

sudo wg-quick up wg0-client

Disconnect from VPN

sudo wg-quick down wg0-client

Check Connection Status

sudo wg show

Monitor Traffic in Real-Time

# On server - watch connection stats
watch -n 2 sudo wg show

# Monitor network traffic
sudo tcpdump -i wg0 -n

# Check bandwidth usage
sudo iftop -i wg0

Troubleshooting

Connection Won't Establish

  1. Check firewall rules: Ensure UDP port 51820 is open on GCP
  2. Verify keys: Each side's config must contain its own private key and the other side's public key
  3. Check server status: sudo systemctl status wg-quick@wg0
  4. Review logs: sudo journalctl -u wg-quick@wg0 -f

DNS Not Working

If DNS resolution fails after connecting:

# Install openresolv on client
sudo apt install openresolv -y

# Or manually set DNS
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf

Can't Access Internet When Connected

Check IP forwarding on server:

cat /proc/sys/net/ipv4/ip_forward
# Should output: 1

Check NAT rules:

sudo iptables -t nat -L -n -v

Performance Issues

  • Choose a GCP region closer to your location
  • Check bandwidth usage (free tier has 1GB/month limit)
  • Consider upgrading to a larger instance type

Security Best Practices

  1. Use strong keys: WireGuard generates cryptographically secure keys by default
  2. Limit AllowedIPs: On the server, only allow specific client IPs
  3. Regular updates: Keep both server and client updated
  4. Monitor access: Regularly check connection logs
  5. Firewall rules: Only open necessary ports
  6. Key rotation: Periodically regenerate keys for enhanced security
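
Item 2 can be checked mechanically once several clients have been added. The following added example (not part of the original post) lints the [Peer] sections of a server config for AllowedIPs entries wider than a single host and for addresses or public keys reused across peers; WireGuard routes each address to exactly one peer, so a duplicate silently takes it away from the other client. The function names and placeholder keys are assumptions.

```bash
# Added example: lint the [Peer] sections of a server-side wg0.conf.
# Reads the file named in $1, or stdin. Prints findings; exit status 1 if any.
# Assumes PublicKey comes before AllowedIPs in each [Peer], as in Step 14.
wg_lint_server_conf() {
    awk '
        function is_host(ip) {            # no mask, IPv4 /32 or IPv6 /128
            return ip !~ /\// || ip ~ /^[0-9.]+\/32$/ || ip ~ /:.*\/128$/
        }
        function end_peer() {
            if (in_peer && !has_ips) { print "peer " peer ": no AllowedIPs"; bad = 1 }
        }
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments, whitespace
        /^\[/ { end_peer(); in_peer = (tolower($0) == "[peer]"); peer = "?"; has_ips = 0; next }
        !in_peer || $0 == "" { next }
        { eq = index($0, "="); key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1) }
        key == "publickey" {
            peer = val
            if (seen[val]++) { print "peer " val ": duplicate PublicKey"; bad = 1 }
        }
        key == "allowedips" {
            has_ips = 1
            n = split(val, ips, ",")
            for (i = 1; i <= n; i++) {
                if (!is_host(ips[i])) { print "peer " peer ": " ips[i] " is wider than one host"; bad = 1 }
                if ((ips[i] in owner) && owner[ips[i]] != peer) {
                    print "peer " peer ": " ips[i] " already routed to " owner[ips[i]]; bad = 1
                }
                owner[ips[i]] = peer
            }
        }
        END { end_peer(); exit bad + 0 }
    ' "$@"
}

sample_conf() {   # constructed config; keys are placeholders
    cat <<'EOF'
[Interface]
Address = 10.8.0.1/24
[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.8.0.2/32, 10.8.0.0/24
EOF
}

sample_conf | wg_lint_server_conf || echo "findings reported"
```

On the server the real file is root-only, so run it as `sudo cat /etc/wireguard/wg0.conf | wg_lint_server_conf`.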

Cost Considerations

GCP Free Tier Limits

  • Compute: 1 e2-micro instance (free forever in eligible regions)
  • Storage: 30 GB standard persistent disk
  • Network: 1 GB egress per month (US regions)

After Free Tier

If you exceed limits:

  • Network egress: ~$0.12/GB (varies by region)
  • Compute: Minimal for e2-micro (~$7/month if not free tier)

Tip: Monitor usage in GCP Console → Billing → Reports

Use Cases

  1. Privacy: Hide your real IP address from websites
  2. Security: Encrypt traffic on public WiFi
  3. Geo-unblocking: Access region-restricted content
  4. Development: Test applications from different geographic locations
  5. Remote access: Securely access resources in your VPN network

Conclusion

You now have a fully functional WireGuard VPN server running on Google Cloud Platform! Your internet traffic is encrypted and routed through your GCP instance, appearing to originate from the server's IP address.

This setup gives you:

  • ✅ Complete control over your VPN infrastructure
  • ✅ Fast, modern VPN protocol
  • ✅ Minimal cost (free tier eligible)
  • ✅ Privacy and security
  • ✅ Flexibility to choose server location

Next Steps

  • Add more clients: Repeat the client setup process with different keys
  • Set up monitoring: Use Prometheus + Grafana for advanced metrics
  • Implement failover: Set up multiple VPN servers for redundancy
  • Optimize performance: Tune MTU settings and kernel parameters
  • Automate deployment: Use Terraform or Ansible for infrastructure as code


Have questions or run into issues? Drop a comment below! Happy VPN'ing! 🔒🚀
