Creating WireGuard VPN with Firezone in GCP
This tutorial will give you an insight into how to implement a WireGuard VPN on a GCE VM in GCP, using Firezone. WireGuard itself is a lightweight Virtual Private Network (VPN) protocol that supports IPv4 and IPv6 connections, so that you can access the internet safely and securely from your smartphone or laptop when connected to an untrusted network, like the WiFi in public places (airport, hotel, etc.).
Usually, configuring clients for WireGuard requires the server’s administrator to manually access the server’s CLI terminal and add the peer to the tunnel interface. For a small number of users, this may not be a huge concern. But if there are many users, as in a big organization, manually configuring peers is definitely not ideal.
This is where Firezone comes into play. Firezone is an open-source secure remote access platform built on the WireGuard VPN protocol, with a Web GUI that eases the effort of administering the VPN. Firezone also supports SSO login using various identity providers such as Google Workspace, Azure AD, Okta, and OneLogin, and supports Multi-Factor Authentication (MFA) with those identity providers.
In this tutorial, we will only cover the VM creation and a basic deployment of Firezone on the VM. We are also going to use DuckDNS as dynamic DNS, so that when the VM unexpectedly stops and comes back with a different public IP address, you don’t need to look up the new address and reconfigure the client’s connection profile.
Prerequisites
- A GCP Account
- DuckDNS
Step 1 : Create a Firewall Rule on GCP
Go to GCP console (https://console.cloud.google.com). Then, click VPC Network.
Click Firewall on the sidebar.
Then, click Create Firewall Rule.
After that, name the rule and add a network tag. Note down the network tag, as it determines which VMs this rule applies to.
Then, specify the Source IPv4 Ranges as 0.0.0.0/0, check UDP and specify port number 51820. When done, click Save.
This opens the server’s port 51820 to the Internet, so that clients can reach the VPN server as their gateway. Port 51820 is WireGuard’s default listening port, and WireGuard communicates over UDP, not TCP.
Step 2 : Create a VM Instance in GCP
Back to the GCP Console homepage, then click Compute Engine. After that, click Create Instance.
Name the server, choose the region and the zone.
Configure the Machine Series and Machine type. You don’t need powerful hardware, as nothing we will implement is resource heavy.
Scroll down, then check Allow HTTPS Traffic. After that, click Advanced Options, then Networking. Check the IP Forwarding option. Then, specify the network tags. The network tag must be exactly the same as the one you specified when you created the firewall rule earlier.
After everything is done, click Create.
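For readers who prefer the CLI to the console, here is the gcloud equivalent of Steps 1 and 2. This is an added example and not part of the original tutorial; the project id, zone, machine type, rule and tag names are assumptions to replace with your own. It only opens UDP/51820 and binds the rule to instances carrying the network tag, and it sets IP forwarding on the VM, which is the same thing the console checkboxes do.

```shell
#!/bin/sh
# Added example (not from the original tutorial): gcloud equivalent of Steps 1 and 2.
# All names below are assumed placeholders; override them via the environment.
set -eu

PROJECT="${PROJECT:-my-gcp-project}"        # assumed project id
ZONE="${ZONE:-us-central1-a}"               # assumed zone
NETWORK_TAG="${NETWORK_TAG:-wireguard-vpn}" # tag shared by the rule and the VM
VM_NAME="${VM_NAME:-firezone-vm}"
RULE_NAME="${RULE_NAME:-allow-wireguard-udp}"
MACHINE_TYPE="${MACHINE_TYPE:-e2-small}"    # small is enough; Firezone is not resource heavy

# Runs the command, or prints it when DRY_RUN=1 so you can review it first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: ingress rule for WireGuard. Only UDP/51820 is opened, and only for
# instances carrying NETWORK_TAG, so no other VM in the network is exposed.
create_firewall_rule() {
  run gcloud compute firewall-rules create "$RULE_NAME" \
    --project="$PROJECT" \
    --network=default \
    --direction=INGRESS \
    --action=ALLOW \
    --rules=udp:51820 \
    --source-ranges=0.0.0.0/0 \
    --target-tags="$NETWORK_TAG"
}

# Step 2: the VM. --can-ip-forward is the "IP forwarding" checkbox and is needed
# so the VM can route client traffic; --tags attaches the rule above. The
# https-server tag is what the console's "Allow HTTPS traffic" checkbox adds
# in the default network, so the Firezone Web UI is reachable.
create_vm() {
  run gcloud compute instances create "$VM_NAME" \
    --project="$PROJECT" \
    --zone="$ZONE" \
    --machine-type="$MACHINE_TYPE" \
    --image-family=debian-12 \
    --image-project=debian-cloud \
    --can-ip-forward \
    --tags="$NETWORK_TAG,https-server"
}

# Usage: DRY_RUN=1 sh provision.sh apply   (review)   then   sh provision.sh apply
if [ "${1:-}" = "apply" ]; then
  create_firewall_rule
  create_vm
fi
```

Run it once with DRY_RUN=1 to see the exact commands, then without it to apply them. Because the rule is scoped by target tag, adding the same tag to a second instance is the only way it gains this exposure, which makes the tag worth treating as a deliberate decision rather than a label.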
Step 3 : Create Domain in DuckDNS
After your VM instance has been created, head to duckdns.org. Log in, enter a domain name, then click add domain. After that, manually assign the domain’s IP address by pasting in the VM’s public IP.
Step 4 : Install WireGuard on the Created VM Instance
Open an SSH session to the VM from the Console by clicking SSH next to the VM’s name.
Run this command to update the package index and upgrade the installed packages :
sudo apt update && sudo apt upgrade -y
After that, install WireGuard :
sudo apt install wireguard -y
Step 5 : Install Firezone
Run this command on the VM to set up Firezone’s package repository :
curl -1sLf 'https://dl.cloudsmith.io/public/firezone/firezone/setup.deb.sh' | sudo -E bash
Once the package repository has been set up, we can proceed to install Firezone :
sudo apt install firezone -y
Step 6 : Edit Firezone Configuration
After Firezone has been successfully installed, we will configure it to suit our needs. Edit the Firezone configuration with this command :
sudo nano /etc/firezone/firezone.rb
Inside the configuration file, change these settings (leave the rest as is) :
# Auto-generated based on the server's hostname.
# Set this to the URL used to access the Firezone Web UI.
default['firezone']['external_url'] = 'https://your-domain.duckdns.org'
# Email for the primary admin user.
default['firezone']['admin_email'] = 'your@email.com'
# WireGuard endpoint field used when generating device configs. Override this if you wish to change it.
default['firezone']['wireguard']['endpoint'] = 'your-domain.duckdns.org'
# Email address used when issuing certificates.
default['firezone']['ssl']['email_address'] = 'your@email.com'
# Enable ACME renewal
default['firezone']['ssl']['acme']['enabled'] = true
Step 7 : Reconfigure Firezone & Create admin password
Then, apply the configuration with this command :
sudo firezone-ctl reconfigure
Finally, create an admin user :
sudo firezone-ctl create-or-reset-admin
Note down the credentials printed by that command.
Step 8 : Create a bash file
Create a bash file named update.sh. The token is your DuckDNS account token (shown at the top of the DuckDNS page), not the domain name. Leaving ip= empty makes DuckDNS use the address the request came from, and feeding the URL to curl on stdin with -K - keeps the token out of the process list. Create the ~/duckdns directory first so the log can be written. The contents are as follows :
#!/bin/sh
echo url="https://www.duckdns.org/update?domains=<your_domain>&token=<your-duckdns-token>&ip=" | curl -o ~/duckdns/duck.log -K -
Step 9 : Create a cronjob
Create a cron job to periodically update the domain’s IP. This avoids reconfiguring clients when the VM restarts unexpectedly or its public IP simply changes.
crontab -e
Pick any text editor you like when prompted. Then, add these lines :
*/5 * * * * bash <your-directory>/update.sh >/dev/null 2>&1
@reboot bash <your-directory>/update.sh >/dev/null 2>&1
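The one-line update.sh above writes whatever DuckDNS replies into duck.log and never tells you when an update failed, so a stale record can go unnoticed until clients stop connecting. The script below is an added example, not the tutorial’s own file, that keeps the same cron schedule but reads the token from a separate file that must be mode 600, verifies TLS, checks DuckDNS’s OK/KO reply and logs a timestamped result. The domain name "example" and the ~/duckdns/token path are assumptions.

```shell
#!/bin/sh
# Added example (not the tutorial's update.sh): DuckDNS updater with token file,
# TLS verification and reply checking. Assumptions: domain label in
# DUCKDNS_DOMAIN ("example" is a constructed placeholder), token in ~/duckdns/token.
set -eu

DUCKDNS_DOMAIN="${DUCKDNS_DOMAIN:-example}"   # your-domain.duckdns.org -> "your-domain"
DUCKDNS_DIR="${DUCKDNS_DIR:-$HOME/duckdns}"
TOKEN_FILE="$DUCKDNS_DIR/token"
LOG_FILE="$DUCKDNS_DIR/duck.log"

# Build the update URL. ip= is left empty so DuckDNS uses the address the
# request arrives from, which is the VM's current public IP.
build_url() {
  printf 'https://www.duckdns.org/update?domains=%s&token=%s&ip=' "$1" "$2"
}

# DuckDNS answers with the literal text OK or KO. Return 0 for OK, 1 for
# anything else, so a bad token or domain is reported instead of ignored.
check_reply() {
  case "$1" in
    OK*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Refuse to use a token file that other local users can read.
check_token_perms() {
  perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$perms" = "600" ] || [ "$perms" = "400" ]
}

update_duckdns() {
  mkdir -p "$DUCKDNS_DIR"
  check_token_perms "$TOKEN_FILE" || { echo "$TOKEN_FILE must be mode 600" >&2; return 1; }
  token=$(cat "$TOKEN_FILE")
  # The URL goes to curl on stdin (-K -) so the token never appears in ps.
  # No -k: the certificate is verified, so the token is not sent to a spoofed host.
  # -s quiet, -S still print errors, -f fail on HTTP errors.
  reply=$(printf 'url = "%s"\n' "$(build_url "$DUCKDNS_DOMAIN" "$token")" | curl -sSf -K -)
  stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  if check_reply "$reply"; then
    printf '%s update ok\n' "$stamp" >> "$LOG_FILE"
  else
    printf '%s update FAILED: %s\n' "$stamp" "$reply" >> "$LOG_FILE"
    return 1
  fi
}

# Usage from cron: */5 * * * * /home/<user>/duckdns/update.sh run
if [ "${1:-}" = "run" ]; then
  update_duckdns
fi
```

Store the token with `printf '%s' '<your-duckdns-token>' > ~/duckdns/token && chmod 600 ~/duckdns/token`, then point the two cron entries at `update.sh run`. A non-zero exit makes cron report the failure (via local mail, if configured) rather than letting the record silently drift.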
Then, save the file and exit.
Step 10 : Access the Web Portal to create another user
Enter your domain name in the browser’s URL bar, then log in using the admin credentials created earlier.
After logging in, click Add User.
Then, specify the email address and the password of the new user :
Then, click Save.
Step 11 : User self-login and connection profile creation
This is from the user’s point of view. Enter the server’s domain name in the browser’s URL bar, then log in using the user credentials created earlier by the admin.
Then, click Add Device.
Specify the connection profile name, then click Generate Configuration.
A popup will appear; either click Download WireGuard Configuration, or simply scan the barcode with the WireGuard mobile app.
We have now created a VM server, configured the VPN, created an admin profile, added a user, and let the user generate their own connection profile.
Congratulations, users can now use the VPN!