Configure a Blazing-fast, Always-free, Personal Wireguard VPN in Oracle Cloud

Oracle Cloud (OCI) has a very generous free tier! Spin up an ubuntu instance with Terraform, configure Wireguard with Ansible, and you’ve got an always-free blazing-fast personal VPN :grin:

All of the code for this guide can be found here: https://github.com/knutsonchris/oci-wireguard

The readme in that repo has just about everything you’ll need to get up and running, this page here serves as more of a formal guide.

Provisioning the infrastructure in OCI

We will be creating an always-free compute instance in OCI running Ubuntu. The always-free tier of OCI allows for up to 3 VM.Standard.E2.1.Micro instances with 10 TB of network egress per month. Most clouds do not charge much for ingress but charge heavily for egress. OCI’s generous free-tier egress allowance makes it an ideal place to host a VPN. https://www.oracle.com/cloud/free/#always-free

We will be creating several other OCI resources to facilitate this, each of which is included in the always-free tier.

• A Compartment to organize everything we are provisioning. A compartment is simply “a collection of related cloud resources”.

  https://blogs.oracle.com/developers/post/introduction-to-the-key-concepts-of-oracle-cloud-infrastructure

• A Virtual Cloud Network or VCN, analogous to a VPC in AWS.

  https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/overview.htm

• A single Subnet to put our instance in.

• A Security List to act as a firewall, allowing only ports 443 and 22 to our instance. A security list is similar to a security group in AWS.

  https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securitylists.htm

• An Internet Gateway to allow our instance to reach the internet.

  https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingIGs.htm

• Lastly, a Route Table with a single entry directing traffic destined for the internet to the internet gateway.

Pre-requisites

We will be using Terraform to provision the instance and configure the required security group rules. Before getting started:

• Create an always-free account in OCI

  https://www.oracle.com/cloud/free

• Set up the OCI CLI config at ~/.oci/config. You do not need to actually install the CLI for our purposes here, but the OCI terraform provider will look there to find credentials.

  https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliconfigure.htm

• Create an ssh key pair to connect to your instance. This code expects to find the public key at ~/.ssh/oci1.pub and the private key at ~/.ssh/oci1 on your local machine. I’ll leave that as an exercise to the reader if you would like to change the name or path of these files :grin:

  $ ssh-keygen -f ~/.ssh/oci1 -N ""

  -f specifies the output file path

  -N "" sets an empty passphrase

Variables in the tfvars

We’ll need to populate 3 variables with data about your OCI account in auto.tfvars before running Terraform apply. These 3 variables are used to configure the OCI provider.

• tenancy_ocid

  Get the tenancy OCID from the Oracle Cloud Infrastructure Console on the Tenancy Details page:

  1. Open the Profile menu () and click Tenancy: <your_tenancy_name>.
  2. The tenancy OCID is shown under Tenancy Information. Click Show to display the entire ID or click Copy to copy it to your clipboard.

  https://docs.oracle.com/en-us/iaas/Content/GSG/Tasks/contactingsupport_topic-Finding_Your_Tenancy_OCID_Oracle_Cloud_Identifier.htm

• user_ocid

  Get the user OCID from the Oracle Cloud Infrastructure Console on the My Profile page:

  1. Open the Profile menu () and click My Profile
  2. The user OCID is shown under User Information. Click Show to display the entire ID or click Copy to copy it to your clipboard.

• region

  You can use the default region for your tenancy, for example us-sanjose-1

• wireguard_listen_port

  This value is pre-populated to 443. If you choose a different listen port, be sure to update it in the Ansible section. (just do a global search for 443)

• instance_source_id

  This is equivalent to an AMI in AWS. This value is pre-populated with an Ubuntu 22.04 OCID in the us-sanjose-1 region. If you are using a different region, be sure to update this OCID to match. The OCIDs for this image can be found here: https://docs.oracle.com/en-us/iaas/images/image/aeb80dc6-48a2-4c28-953b-5ddc386eb667/

Running Terraform

Run $ just apply

Don’t have just? Take a look in the justfile to find the terraform init and terraform apply commands. I would recommend giving just a look:

https://github.com/casey/just

Step 1 is done! Now for the easy part: using Ansible to configure Wireguard on your new always-free Ubuntu instance. :confetti_ball:

Setting up Wireguard

We will be using Ansible to configure Wireguard on the instance we provisioned in the previous section. All of the steps can be found in the wireguard role in ansible/roles/wireguard. This section can stand alone from the previous section. Any Ubuntu machine that is accessible over SSH could be used here. Here we will be using the one that we provisioned in the previous section, and we will be making the assumption that UDP 443 is open and reachable from 0.0.0.0/0 (or at least wherever you will be accessing it from).

There is a second role present in the roles directory, ansible/roles/stress-ng. This role installs a very simple unit that runs stress-ng to keep the CPU utilization around roughly 10%. OCI will periodically stop instances that are considered “idle”. One of the criteria OCI uses to determine if an instance is idle is if the instance is consistently using less than 10% of its CPU. Using stress-ng we can keep the CPU utilization above 10% and avoid this idle resource killer. More about idle resources can be found here:

https://docs.oracle.com/en-us/iaas/Content/FreeTier/freetier_topic-Always_Free_Resources.htm#compute__idleinstances

Pre-requisites

We will be using an Ansible playbook to install and configure Wireguard on this Ubuntu machine. Before you run the playbook, be sure to:

• Specify the public IP of the target machine in hosts.yaml. This can be found in the terraform output of the previous section.

• Wait a minute or so after deploying the infrastructure for the host to become available. If you are too quick at the draw you might hit it before sshd comes up on the server :stuck_out_tongue:

• Configure your Wireguard peers (users) in ansible/playbooks/roles/wireguard/vars/main.yaml

Dependiencies

This playbook uses the ansible.posix and community.general collections. Install all dependencies with just deps.

Deploy this

Put the IP address of your OCI instance in the hosts.yaml and run just play.

Connecting to your new Wireguard server

You’re almost done! When Ansible has finished running, it will place one Wiregurad conf file for each peer in a folder called peer_configs in the root of the repo. These peer_name.conf files are ready to be loaded into the Wireguard client of your choice!

Not sure if it is a bug with the MacOS Wireguard client, but it seems to take hitting activate and deactivate a few times to get it working, at least the first time connecting to the server.

Feel free to shoot any questions to chris@gitsquash.com