Set-up Wireguard and Wireguard-UI (GUI) on AWS: EC2

7 min readAug 24, 2023

Lucky for us, there is an open source project that set up everything and made it possible for us to simply set up a docker container and it works.

AWS SET UP

Set up a VPC with subnets, make sure that the Subnet, and EC2 (created later) has internet access. I will be using a public subnet that utilizes the Internet gateway.

Create an EC2 instance, I used Ubuntu 20.04 LTS which is compatible with a lot of the wireguard accessories as well (had some issues with the 22.04 LTS); and I chose T3 micro ( $.01 and hour for affordability, and to make sure i have enough memory to do what I need to do).

Make sure to enable public IP (look into elastic IP for consistency, skip to below to see how I attach an IP address before you set up wireguard), and use the VPC and subnet created like below. If you haven’t already created a security group for this, make sure to create one.

Below should be how your security group inbound rules look like, make sure to allow all for the outbound.

Installation:

Connect to your EC2 server via ssh, or the AWS console. Start off, by running

sudo apt update

sudo apt install docker.io

sudo apt install vim

sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m)" -o /usr/local/bin/docker-compose 
sudo chmod +x /usr/local/bin/docker-compose

Check that you have Docker compose

sudo docker-compose --version

Create the wireguard config files with the following commands:

mkdir wireguard
cd wireguard

Create the file docker compose will follow to create the containers using “vi”:

vi docker-compose.yaml

Copy and paste the following into your new file

version: "3"

services:

  # WireGuard VPN service
  wireguard:
    image: linuxserver/wireguard:v1.0.20210914-ls6
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/config
    ports:
      # Port for WireGuard-UI
      - "80:5000"
      # Port of the WireGuard VPN server
      - "51820:51820/udp"

  # WireGuard-UI service
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # Use the network of the 'wireguard' service
    # This enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=password
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard

Keep in mind that “WGUI_USERNAME” and “WGUI_PASSWORD” in the file are the default passwords we set up for you to be able to access the Wireguard-UI portal:
After creating the file and saving it, it’s time to run it; using the command below:

sudo docker-compose up -d

You will see something like below:

Congratulations, you are pretty much done, you can check and see more information about your 2 containers running by typing in:

sudo docker ps

Accessing the Wireguard-UI and configuration

Your docker-compose file will start the WireGuard-UI application on port 80 of your EC2 instance. You can now access the application at “http://<your-ec2-instance-ip>”.

Log in and follow the steps below* to configure your wireguard, switch to the “Wireguard Server” tab. Then in the “Post Up Script” field, put:

iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

And respectively in “Post Down Script“:

iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

In short, this enables packets to and from your WireGuard server to be routed using Network Address Translation (NAT) inside the Docker’s WireGuard container. We won’t go into detail about it because it is outside the scope of this guide.

Then click the “Save” button to save your changes, and finally, hit “Apply Config” to apply them to the WireGuard VPN server.

You will be asked if you want the changes to be applied and the WireGuard server restarted. Confirm by clicking the “Apply” button.

Go to the “Global Settings” tab and carefully review the information. Your public IP address should be entered in the “Endpoint Address” section. WireGuard-UI will try to find it and fill it in automatically. However, if it fails, you must enter the correct one.

If you need help figuring out your public IP address, our guide on the subject will greatly help.

By default, the system sets the DNS server to “1.1.1.1,” which works great. However, change it in the “DNS Server” field if you want to use a different one.

Of course, if you make any changes, remember to apply them by clicking on the “Save” button and then hitting “Apply Config.”

Create a New WireGuard Client

To create a new client that will connect to the WireGuard server to establish a VPN connection, click on the “New Client” button in the upper right corner of the WireGuard-UI.

This opens a modal window, where I recommend you enter only the client name and email and leave the other options as they are by default. I’m convinced you understand what you’re doing if you change them.

Finally, click the “Submit” button to add the client to the WireGuard VPN server.

The WireGuard-UI will do all of the work in the background to generate the necessary public and private keys to enable the VPN connection for the client, as well as automatically set some options related to routing its traffic, the DNS server used, and the internal private IP address it will receive when connecting to the WireGuard server.

If you’re nevertheless curious about what things look like “from the source,” you can look at the final result, which is stored as a JSON file in the “clients” directory of the Docker “db” volume.

Attention! Never edit this file directly; only through the WireGuard-UI interface provided.

Finally, we want to emphasize something significant. It is essential to remember that whatever changes you make to users, always complete the operations with the “Apply Config” button. Otherwise, your changes will be saved but not applied to the WireGuard VPN server, which may lead you to believe that things aren’t working correctly.

Setting Up WireGuard Client

We come to the most exciting part, where we will see the results of our efforts so far — configuring the client part and connecting it to the WireGuard VPN server.

Switch to the “Wireguard Clients” to see currently available ones.

Connecting to WireGuard from Linux PC using Network Manager

To get the client’s WireGuard configuration file, click the “Download” button on the respective profile. This action will download a file with the name you assigned to the account through WireGuard-UI and the extension “.conf.”

Download the file, and upload it to your desktop client here:

Activate your client and you should see something like this after you click “Activate” (Data being transfered and a handshake made).

And this is where you have every reason to congratulate yourself because your WireGuard VPN tunnel works as expected!

If you return to the WireGuard-UI and select the “Status” tab, you should see your current active VPN connection there.

Congratulations, now add as many peers as you like, and as long as your EC2 is running and the ports needed are available, your network with work.

BONUS: Associate Elastic IP to your EC2

To add an Elastic IP to your newly created EC2, type in “elastic-ip” into your search bar.

Once on the page, click on “Allocate Elastic IP address”, make sure the network border is the same region as your EC2, then click on “Allocate” at the bottom right corner.

Next, to tie your newly created Elastic IP to your EC2, select the “Action” from the drop down menu, and click on “Associate Elastic IP address”.