WireGuard VPN Server with Terraform

This Terraform configuration automatically deploys a WireGuard VPN server on AWS EC2 with a web-based management interface.

Features

🚀 One-command deployment of WireGuard VPN server
🔧 Web-based management interface (wg-easy)
🛡️ Secure by default with proper security groups
💰 Cost-optimized using t3.nano instances
🌍 Multi-region support - deploy anywhere
📱 20 peer configurations ready out of the box
🔒 Elastic IP for consistent connection

Prerequisites

AWS CLI configured with appropriate permissions
Terraform installed (>= 1.0)
SSH key pair created in your target AWS region (see setup below)

Install Terraform (if not installed)

macOS:

brew install terraform

Ubuntu/Debian:

wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform

Windows: Download from terraform.io

Set Up SSH Key Pairs

You need to create SSH key pairs manually in each region where you plan to deploy.

Option 1: AWS Console (Easiest)

Go to AWS Console → EC2 → Key Pairs
Select your target region (top-right corner)
Click "Create key pair"
Name: wireguard-key (or any name you prefer)
Key pair type: RSA
Private key file format: .pem
Click "Create key pair"
Download and save the .pem file securely
Set permissions: chmod 400 ~/path/to/your-key.pem

Repeat for each region you plan to use (same name, different regions).

Option 2: Use Your Existing Keys

If you already have key pairs in some regions, just note their names. Terraform will prompt you for the key name during deployment.

Quick Start

1. Clone/Download the Configuration

Create a new directory and save all the Terraform files:

mkdir wireguard-terraform
cd wireguard-terraform
# Save all .tf files and user_data.sh in this directory

2. Configure Your Settings

Copy the example configuration:

cp terraform.tfvars.example terraform.tfvars

Edit terraform.tfvars:

aws_region = "eu-north-1"        # Your preferred region
aws_access_key = "your-aws-access-key"
aws_secret_key = "your-aws-secret-key"
ssh_key_name = "wireguard-key"   # Your SSH key name in AWS
instance_name = "My VPN Server"  # Name for your EC2 instance

Important: Make sure the ssh_key_name exists in your selected aws_region!

3. Deploy

# Initialize Terraform
terraform init

# Review the deployment plan
terraform plan

# Deploy the infrastructure
terraform apply

Type yes when prompted to confirm the deployment.

4. Access Your VPN

After deployment (takes ~3-5 minutes), Terraform will output:

wireguard_web_ui_url = "http://1.2.3.4:51821"
ssh_connection_command = "ssh -i ~/.ssh/my-key-pair.pem [email protected]"

Visit the web UI URL to manage your WireGuard VPN!

WireGuard Client Setup

Once your VPN server is running, you can connect from any device using WireGuard clients. Here's how to set up each platform:

📱 Mobile Devices

Android

Install WireGuard app from Google Play Store
Open the app and tap the "+" button
Scan QR Code:
- Go to your web UI: http://YOUR_IP:51821
- Find your device in the peer list
- Tap the QR code icon
- Scan with your phone
Give it a name (e.g., "My Phone") and tap "Create Tunnel"
Connect by toggling the switch

iPhone/iPad (iOS)

Install WireGuard app from App Store
Open the app and tap "Add a tunnel"
Scan QR Code:
- Go to your web UI: http://YOUR_IP:51821
- Find your device in the peer list
- Tap the QR code icon
- Scan with your iPhone
Give it a name and tap "Save"
Connect by toggling the switch

💻 Desktop/Laptop

Windows

Download WireGuard from wireguard.com/install
Install and run WireGuard
Get config file:
- Go to your web UI: http://YOUR_IP:51821
- Find your device in the peer list
- Click the download icon to get .conf file
Import config: Click "Add Tunnel" → "Import tunnel(s) from file"
Select your downloaded .conf file
Connect by clicking "Activate"

macOS

Install WireGuard from Mac App Store or download from wireguard.com
Open WireGuard application
Get config file from your web UI (same as Windows above)
Import: Click "+" → "Import tunnel(s) from file"
Select your .conf file and click "Import"
Connect by toggling the switch

Managing Your VPN

Access the Web Interface

URL: http://YOUR_IP:51821
Default: No password required (change this in production!)

SSH to the Server

ssh -i ~/.ssh/your-key.pem ubuntu@YOUR_IP

View Logs

# On the server
cd wireguard
docker-compose logs wg-easy

Customization

Change Instance Type

Edit main.tf and modify the instance_type:

resource "aws_instance" "wireguard_server" {
  instance_type = "t3.small"  # Changed from t3.nano
  # ...
}

Add More Security

Edit the security group in main.tf to restrict access:

# Restrict SSH to your IP only
ingress {
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["YOUR_IP/32"]  # Replace YOUR_IP
  description = "SSH from my IP only"
}

Enable HTTPS

To enable HTTPS, modify the docker-compose.yml template in user_data.sh:

environment:
  - INSECURE=false  # Changed from true

Cost Optimization

Instance: t3.nano (~$3.80/month)
Storage: 8GB gp3 (~$0.80/month)
Data Transfer: $0.09/GB outbound
Elastic IP: Free while attached

Estimated monthly cost: ~$5-15 depending on usage

Cleanup

To destroy all resources:

terraform destroy

Type yes to confirm. This will delete:

EC2 instance
Elastic IP
Security Group
All associated resources

Troubleshooting

Common Issues

1. SSH Key Not Found

Error: InvalidKeyPair.NotFound

Solution:

Ensure your SSH key exists in the selected region
Go to AWS Console → EC2 → Key Pairs (in the correct region)
Create the key pair if it doesn't exist
Check the key name matches what you entered in terraform.tfvars

2. Wrong Region Selected

Error: collecting instance settings: couldn't find resource

Solution: Make sure your SSH key exists in the region you selected

3. WireGuard Not Starting

# SSH to the server and check
sudo tail -f /var/log/user-data.log
docker-compose logs wg-easy

3. Can't Access Web UI

Check security group allows port 51821
Verify instance is running: terraform show
Check if Docker is running: docker ps

4. Terraform Permission Issues Ensure your AWS user/role has these permissions:

EC2: Create/modify instances, security groups, elastic IPs
VPC: Describe VPCs, subnets

Getting Help

Check the user-data log: /var/log/user-data.log
Verify Docker status: systemctl status docker
Check container logs: docker-compose logs

Security Considerations

Change the default web UI password
Restrict security group access to known IPs
Regularly update the Docker image
Monitor access logs
Consider enabling AWS CloudTrail

Advanced Configuration

Multiple Regions

Create separate terraform directories for each region, or use Terraform workspaces:

terraform workspace new us-west-2
terraform workspace new eu-west-1

Automated Backups

Add this to your configuration for automated snapshots:

# Add to main.tf
resource "aws_ebs_snapshot" "wireguard_backup" {
  volume_id   = aws_instance.wireguard_server.root_block_device[0].volume_id
  description = "WireGuard server backup"
  
  tags = {
    Name = "WireGuard Backup"
  }
}

Happy VPN-ing! 🔐

Name		Name	Last commit message	Last commit date
Latest commit History 6 Commits
.gitignore		.gitignore
README.md		README.md
docker-compose.yml		docker-compose.yml
main.tf		main.tf
outputs.tf		outputs.tf
terraform.tfvars.example		terraform.tfvars.example
user_data.sh		user_data.sh
variables.tf		variables.tf

mohammedbabelly/terraform-wireguard

Folders and files

Latest commit

History

Repository files navigation