WireGuard® is an open-source VPN solution that is known for its simplicity, speed, and security. While setting up a WireGuard instance on most cloud providers is relatively straightforward, Oracle Cloud Infrastructure presents some unique challenges. This blog post will help you navigate those challenges and guide you through configuring a WireGuard instance on Oracle Cloud. We’ll discuss a specific problem reported by users on Reddit and how to solve it using the provided scripts.
The Problem
Around two years ago, a Reddit user shared their difficulties in setting up a WireGuard VPN between a Windows PC client and an Ubuntu server hosted on Oracle Cloud’s free tier. The main issue appeared to be with the network address translation (NAT) and routing settings, which prevented the VPN from working as expected. The user suspected that Oracle Cloud had some unique configurations that caused these issues.
Previously, I had also experimented with Oracle Cloud and encountered the same issues. Consequently, I decided to share my experience in a response to the Reddit post. The solution I provided was well-received and recognized by the community, and to this day, I continue to receive appreciative testimonials for my assistance.
Recently, I returned to my experiments with WireGuard in Oracle Cloud and found myself searching for my own Reddit post to access the instructions I had shared earlier. As a result, I decided to create this blog post as a reference for myself and others who may need it in the future.
The Solution
The solution involved using two scripts added to the WireGuard configuration file (wg0.conf). These scripts help configure NAT and routing settings for the VPN to work properly on Oracle Cloud Infrastructure.
Here’s what you should do:
- Update your wg0.conf file by adding the following lines:
PostUp = /etc/wireguard/helper/add-nat-routing.sh
PostDown = /etc/wireguard/helper/remove-nat-routing.sh
These lines tell WireGuard to execute the corresponding scripts when the VPN is brought up (PostUp) and taken down (PostDown).
- Create two new scripts in the /etc/wireguard/helper/ directory and give them execution permissions:
- add-nat-routing.sh
#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
IN_FACE="ens3" # NIC connected to the internet
WG_FACE="wg0" # WG NIC
SUB_NET="10.66.66.0/24" # WG IPv4 sub/net aka CIDR
WG_PORT="59075" # WG udp port
SUB_NET_6="fd42:42:42::/64" # WG IPv6 sub/net
## IPv4 ##
# Masquerade VPN traffic leaving through the internet-facing NIC
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
# Accept traffic arriving on the WG interface
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
# Forward in both directions between the WG interface and the NIC
# (inserted at position 1 so they are evaluated before any existing rules)
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
# Let WG handshakes reach the UDP listen port
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
## IPv6 (comment out this block if your Address line has no IPv6 subnet) ##
$IPT6 -t nat -I POSTROUTING 1 -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
$IPT6 -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT6 -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT6 -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
- remove-nat-routing.sh
#!/bin/bash
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
IN_FACE="ens3" # NIC connected to the internet
WG_FACE="wg0" # WG NIC
SUB_NET="10.66.66.0/24" # WG IPv4 sub/net aka CIDR
WG_PORT="59075" # WG udp port
SUB_NET_6="fd42:42:42::/64" # WG IPv6 sub/net
# IPv4 rules: delete exactly the rules added by add-nat-routing.sh #
$IPT -t nat -D POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -D INPUT -i $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -D INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
# IPv6 rules (comment out this block if it is commented out in add-nat-routing.sh) #
$IPT6 -t nat -D POSTROUTING -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
$IPT6 -D INPUT -i $WG_FACE -j ACCEPT
$IPT6 -D FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT6 -D FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
Let’s dive deeper into the details of the scripts provided:
add-nat-routing.sh
The add-nat-routing.sh script sets up NAT and routing for both IPv4 and IPv6 networks when the VPN is activated. It does so by adding appropriate iptables and ip6tables rules. Key aspects of this script include:
- Defining the internet-connected network interface (IN_FACE) and the WireGuard network interface (WG_FACE) is crucial for proper configuration. Keep in mind that you may need to adjust the interface name in IN_FACE="ens3" based on the default interface present on your Oracle instance.
- It’s essential to specify the WireGuard IPv4 subnet (SUB_NET), the WireGuard IPv6 subnet (SUB_NET_6), and the WireGuard UDP port (WG_PORT). Ensure that these values align with your wg0.conf configuration.
- Lastly, add iptables and ip6tables rules for the NAT, INPUT, and FORWARD chains. Note that each rule is inserted at position 1 (-I … 1) rather than appended, so it is evaluated before the pre-existing rules in those chains; this matters on Oracle Cloud, where the Ubuntu images ship with iptables rules that reject unmatched INPUT and FORWARD traffic, so an appended ACCEPT rule would never be reached. These rules facilitate the correct routing and translation of network addresses, ensuring that your WireGuard VPN operates as intended.
This script ensures that traffic from the VPN is correctly routed through the internet-connected network interface on the Oracle Cloud server.
remove-nat-routing.sh
The remove-nat-routing.sh script undoes the changes made by the add-nat-routing.sh script when the VPN is deactivated. It removes the corresponding iptables and ip6tables rules to ensure a clean shutdown of the VPN. This script has a similar structure to the add-nat-routing.sh script, but instead of adding rules, it deletes them.
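As an added example that is not one of the post's scripts, here is one way to fold add-nat-routing.sh and remove-nat-routing.sh into a single helper, assuming a hypothetical path /etc/wireguard/helper/wg-nat.sh and the same interface, subnet and port values as above. It uses the iptables -C (--check) option before inserting or deleting, so a repeated PostUp does not stack duplicate rules and a PostDown after a partial setup does not fail halfway, and a DRY_RUN=1 mode prints the commands instead of executing them so the rule set can be reviewed without root.

```shell
#!/bin/bash
# Added example (not from the original post): a single helper replacing
# add-nat-routing.sh and remove-nat-routing.sh.  Hypothetical path and wg0.conf lines:
#   /etc/wireguard/helper/wg-nat.sh
#   PostUp   = /etc/wireguard/helper/wg-nat.sh up
#   PostDown = /etc/wireguard/helper/wg-nat.sh down
# Defaults mirror the post; override by exporting a variable or editing it here.
IPT="${IPT:-/sbin/iptables}"
IPT6="${IPT6:-/sbin/ip6tables}"
IN_FACE="${IN_FACE:-ens3}"                  # NIC connected to the internet
WG_FACE="${WG_FACE:-wg0}"                   # WireGuard interface
SUB_NET="${SUB_NET:-10.66.66.0/24}"         # WireGuard IPv4 subnet
SUB_NET_6="${SUB_NET_6:-fd42:42:42::/64}"   # WireGuard IPv6 subnet
WG_PORT="${WG_PORT:-59075}"                 # WireGuard UDP listen port
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print the commands instead of running them

# One rule per line: <binary> <table> <chain> <match ... -j target>.
# The same list drives insertion, deletion and the existence check.
rule_list() {
    cat <<EOF
$IPT nat POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT filter INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
$IPT filter INPUT -i $WG_FACE -j ACCEPT
$IPT filter FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT filter FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT6 nat POSTROUTING -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
$IPT6 filter INPUT -i $WG_FACE -j ACCEPT
$IPT6 filter FORWARD -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT6 filter FORWARD -i $WG_FACE -o $IN_FACE -j ACCEPT
EOF
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# True when an identical rule is already in the chain (iptables -C / --check).
# In dry-run mode nothing is queried and the answer is always "absent".
rule_present() {
    [ "$DRY_RUN" = "1" ] && return 1
    "$@" 2>/dev/null
}

# apply_rules up|down
apply_rules() {
    action="$1"
    case "$action" in
        up|down) ;;
        *) echo "usage: $0 up|down" >&2; return 2 ;;
    esac
    rule_list | while read -r bin table chain spec; do
        # $spec is deliberately unquoted: it must split back into iptables arguments.
        if [ "$action" = "up" ]; then
            # Insert at position 1 so the rule is evaluated before any pre-existing
            # rules in the chain; skip it if an earlier PostUp already added it.
            rule_present "$bin" -t "$table" -C "$chain" $spec ||
                run "$bin" -t "$table" -I "$chain" 1 $spec
        else
            # Delete only what exists, so PostDown cannot fail on a partial setup.
            if [ "$DRY_RUN" = "1" ] || rule_present "$bin" -t "$table" -C "$chain" $spec; then
                run "$bin" -t "$table" -D "$chain" $spec
            fi
        fi
    done
}

# Only dispatch when an action is given, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then
    apply_rules "$1"
fi
```

Running DRY_RUN=1 ./wg-nat.sh up prints the nine insert commands in order, which is a convenient way to confirm the interface and subnet values before the script is wired into PostUp.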
Conclusion
With the provided scripts in place, you should now be able to set up a WireGuard instance on Oracle Cloud without any issues. The NAT and routing configurations should work as expected, allowing you to connect your VPN client to the Ubuntu server on Oracle Cloud’s free tier. If you encounter any issues or have any questions, leave a comment below, and I’ll do my best to help you out.
If you have any further questions or require additional assistance, the Reddit community and WireGuard documentation can be valuable sources of information. Don’t hesitate to reach out and share your experiences, as your insights might help others facing similar challenges.
WireGuard also didn’t work for me when I set it up on the Oracle Cloud free tier; however, when I installed WireGuard using the PiVPN script, it worked.
Are you using Oracle Linux? The script says it’s incompatible for me, and I think Oracle Linux is the only free option you can use.
Ubuntu and yes, it can be used for Free Tier machines.
Thanks for the help, worked like a charm!
One note, though, in your instructions, remove-nat-routing and add-nat-routing are actually swapped 😉
I’m glad to hear that the help provided worked for you!
Your observation regarding the mix-up between remove-nat-routing and add-nat-routing is greatly appreciated. We rely on keen-eyed users like yourself to keep our instructions as clear and accurate as possible. I’ve promptly addressed the issue.
Thanks once again for your input. Please don’t hesitate to reach out if you need more help or find anything else that needs correction.
Looks promising, but can I kindly ask you how to find the values for IN_FACE, SUB_NET and SUB_NET_6? I’m not experienced enough to find those out. In the wg0.conf I do not see much. Thank you!
IN_FACE can be found by typing “ip link” in the shell.
You’ll typically see two or three interfaces: lo, ens3, and wg0 (only if WireGuard is up).
WG_FACE is the name of the /etc/wireguard/*.conf file.
If the name is wg0.conf, then WG_FACE="wg0".
Inside that file, find the [Interface] section, and use the Address field as SUB_NET.
In my case, Address = 10.7.0.1/24, so SUB_NET="10.7.0.1/24".
Since my Address line doesn’t have an IPv6 address, I comment out SUB_NET_6 and the lines at the bottom of the script.
If your Address line is instead in the format:
Address = 10.66.66.1/24,fd42:42:42::1/64
SUB_NET="10.66.66.1/24"
SUB_NET_6="fd42:42:42::1/64"
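As an added example that is not part of the thread and not the author's code, the lookups described in this reply can be scripted: the internet-facing interface is taken from the default route, and the Address line of the [Interface] section is split into SUB_NET and SUB_NET_6. The IPv4 entry is reduced to its network address (10.7.0.1/24 becomes 10.7.0.0/24, the form the scripts above use; iptables masks the host bits itself, so the reply's host form works too). The function names, the --demo flag and the sample configuration written by write_sample_conf are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): derive the values the helper scripts need.
#   IN_FACE   - interface carrying the default route
#   WG_FACE   - basename of the WireGuard config file
#   SUB_NET   - IPv4 entry of the Address line, reduced to a network CIDR
#   SUB_NET_6 - IPv6 entry of the Address line, if present

# Pick the interface name out of one line of `ip -o route show default`.
iface_from_route() {
    echo "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Query the live routing table (needs iproute2; not exercised offline).
default_iface() {
    iface_from_route "$(ip -o route show default 2>/dev/null | head -n 1)"
}

# Reduce a host address in CIDR form to its network: 10.7.0.1/24 -> 10.7.0.0/24.
ipv4_network() {
    addr="${1%/*}"
    prefix="${1#*/}"
    oldifs="$IFS"; IFS=.
    set -- $addr          # split the dotted quad into $1..$4
    IFS="$oldifs"
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( prefix == 0 ? 0 : (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Print shell assignments for SUB_NET / SUB_NET_6 from the [Interface] Address line.
wg_subnets() {
    conf="$1"
    awk -F= '/^\[/ { sect = $1 }
             sect == "[Interface]" && $1 ~ /^[ \t]*Address[ \t]*$/ { print $2; exit }' "$conf" |
    tr ',' '\n' |
    while read -r a; do
        a=$(echo "$a" | tr -d ' \t')
        [ -n "$a" ] || continue
        case "$a" in
            *:*) echo "SUB_NET_6=\"$a\"" ;;                  # ip6tables applies the /prefix mask itself
            *)   echo "SUB_NET=\"$(ipv4_network "$a")\"" ;;
        esac
    done
}

# Constructed sample wg0.conf for the demo (placeholder keys, not a real deployment file).
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 59075
PrivateKey = <server-private-key-placeholder>

[Peer]
PublicKey = <client-public-key-placeholder>
AllowedIPs = 10.66.66.2/32
EOF
}

# Usage: wg-values.sh --demo                    (constructed sample above)
#        wg-values.sh /etc/wireguard/wg0.conf   (a real config file)
if [ -n "${1:-}" ]; then
    if [ "$1" = "--demo" ]; then
        cfg=$(mktemp); write_sample_conf "$cfg"; name="wg0"
    else
        cfg="$1"; name=$(basename "$cfg" .conf)
    fi
    echo "IN_FACE=\"$(default_iface)\""
    echo "WG_FACE=\"$name\""
    wg_subnets "$cfg"
    [ "$1" = "--demo" ] && rm -f "$cfg"
fi
```

The output is a set of shell assignments that can be pasted over the variable block at the top of add-nat-routing.sh and remove-nat-routing.sh; when no IPv6 entry is present no SUB_NET_6 line is printed, which is the cue to comment out the ip6tables section as described in the reply.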