🌐 WireGuard VPN Server on Google Cloud

This guide walks you through setting up and managing a WireGuard VPN server on a Google Cloud VM. It includes key generation, firewall setup, service control, monitoring, and maintenance.

---

🔑 Generate Server Keys

wg genkey | tee server_private.key | wg pubkey > server_public.key
chmod 600 server_private.key

📝 Use server_private.key in your server config. Share server_public.key with clients.

📁 Create WireGuard Config File

sudo nano /etc/wireguard/wg0.conf

• 📝 Add your [Interface] and [Peer] sections manually.
• 📝 %i is replaced by wg0 when using wg-quick.
• 📝 Replace eth0 with your VM’s external interface (check with ip a).
• 📝 Add additional [Peer] blocks for each client.

🚦 Start and Stop WireGuard

sudo wg-quick up wg0      # Start the VPN interface
sudo wg-quick down wg0    # Stop the VPN interface

🔁 Restart WireGuard

sudo wg-quick down wg0 && sudo wg-quick up wg0

⚙️ Enable/Disable Auto-Start on Boot

sudo systemctl enable wg-quick@wg0    # Enable auto-start
sudo systemctl disable wg-quick@wg0   # Disable auto-start

🔍 Monitor VPN Status

sudo wg show                          # Show interface and peer status
sudo journalctl -u wg-quick@wg0      # View logs
sudo journalctl -f -u wg-quick@wg0   # Live log stream

📝 Look for “latest handshake” to confirm active connections.

🌐 Enable IP Forwarding

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

🔥 Create GCP Firewall Rule

gcloud compute firewall-rules create allow-wireguard \
  --direction=INGRESS \
  --priority=1000 \
  --network=default \
  --action=ALLOW \
  --rules=udp:51820 \
  --source-ranges=0.0.0.0/0

📝 Adjust source-ranges to restrict access if needed.