Skip to main content

Connect a Digital Ocean Ubuntu Server to a Cloud VPN

In this tutorial, you’ll learn how you can connect a Digital Ocean Ubuntu Server via WireGuard to a Cloud VPN interface on the Telnyx network.

Pre-requisites

Before following these steps, you'll need to create a Telnyx Account, grab your API key and create a Network.

You'll also need to create a Digital Ocean Ubuntu Server and run extra setup steps for greater security.

Step 1: Install Wireguard on the Digital Ocean Ubuntu server

Log onto your Digital Ocean Ubuntu Server and execute the following command:

$ sudo apt install wireguard

Step 2: Generate public and private keys

In this step you will use the WireGuard key generation tool to create the public and private keys needed to communicate with the Cloud VPN server on the Telnyx network.

$ wg genkey | tee privatekey | wg pubkey > publickey

Print both keys to screen as you will need both of them soon.

$ cat privatekey
$ cat publickey
Note

The private_key will be needed later to build the Cloud VPN peer configuration. The public_key will be used when creating the Cloud VPN peer

Step 3: Create a cloud VPN interface

Create a Cloud VPN Interface associated with the Network that you created in the Networking Quickstart Guide. This network interface is configured on the Telnyx network and acts as a tunnel interface.

Create a cloud VPN interface with the Telnyx API

curl -X POST \
  --header "Content-Type: application/json" \
  --header "Accept: application/json" \
  --header "Authorization: Bearer YOUR_API_KEY" \
  --data '{
  "network_id": "7c3c05f4-7d53-4edb-9224-371c6d659cd4", 
  "region_code": "ashburn-va", 
  "name": "WG_net01_VA_interface01"
  }' \
  https://api.telnyx.com/v2/wireguard_interface

Example response

{
    "data": {
        "status": "provisioning",
        "network_id": "7c3c05f4-7d53-4edb-9224-371c6d659cd4",
        "id": "9122b687-30aa-47a6-8f64-2b8681476ec2",
        "updated_at": "2022-06-13T09:50:54.117345Z",
        "created_at": "2022-06-13T09:50:53.627044Z",
        "region_code": "ashburn-va",
        "public_key": "4sHgXncx9tgswHmQvxq8B8O8iJ1AuJjLNmT9Qfs/VV0=",
        "name": "WG_net01_VA_interface01",
        "region": {
            "code": "ashburn-va",
            "name": "Ashburn",
            "record_type": "region"
        },
        "record_type": "wireguard_interface",
        "endpoint": "64.16.243.3:5034",
        "server_ip_address": "172.27.1.17/29"
    }
}
Note

the 'server_ip_address' is the private ip of the Cloud VPN interface and will be used later to test the connectivity between the added peer and the interface

Step 4: Create a cloud VPN peer

Create a Cloud VPN Peer associated with the Cloud VPN Interface. This adds a peer to the server configuration created on the Cloud VPN server on the Telnyx network. Input your public_key generated on the Digital Ocean Ubuntu server in step 2 as an input parameter.

Create a cloud VPN peer with the Telnyx API

curl -X POST \
  --header "Content-Type: application/json" \
  --header "Accept: application/json" \
  --header "Authorization: Bearer YOUR_API_KEY" \
  --data '{
  "wireguard_interface_id": "9122b687-30aa-47a6-8f64-2b8681476ec2",
  "name": "ubuntu_peer01"
  “public_key”: "ToEvvyKC/zI+Q3AipAUs7Zl3CvEkOzMXNtf4YTf8UH4="
  }' \
  https://api.telnyx.com/v2/wireguard_peers

Example response

{
    "data": {
        "updated_at": "2022-06-13T09:56:23.601577Z",
        "id": "e4916505-a638-4b1d-b076-3142e7f1516a",
        "wireguard_interface_id": "9122b687-30aa-47a6-8f64-2b8681476ec2",
        "created_at": "2022-06-13T09:56:23.601577Z",
        "public_key": "ToEvvyKC/zI+Q3AipAUs7Zl3CvEkOzMXNtf4YTf8UH4=",
        "name": "ubuntu_peer01",
        "last_seen": null,
        "record_type": "wireguard_peer"
    }
}

Step 5: Retrieve your configuration for the Cloud VPN Peer

You will now need to save the peer configuration file in the /etc/wireguard directory on the Digital Ocean Ubuntu server. The peer configuration can be retrieved via API. You will need to add the private key to the configuration file. Give the configuration a meaningful name e.g. wg0.conf or wg_ubuntu.conf. It must have .conf as the file extension.

Cloud VPN peer configuration template

[Interface]
Address = <server_private_ip_address>
PrivateKey = <contents-of-client-privatekey>

[Peer]
PublicKey = <contents-of-server-publickey>
Endpoint = <server-public-ip>:<port>
AllowedIPs = <ip/cidr>

Retrieve Configuration for the Cloud VPN Peer with the Telnyx API

curl -X GET \
  --header "Content-Type: application/json" \
  --header "Accept: application/json" \
  --header "Authorization: Bearer YOUR_API_KEY" \
  https://api.telnyx.com/v2/19783d68-c893-4954-bfbf-815d9ab9b0f6/Config

Example response

{
  [Interface]
PrivateKey = <! INSERT PEER PRIVATE KEY HERE !>
Address = 172.27.1.18/32

[Peer]
PublicKey = ToEvvyKC/zI+Q3AipAUs7Zl3CvEkOzMXNtf4YTf8UH4=
AllowedIPs = 172.27.1.16/29
Endpoint = 64.16.243.3:5034
PersistentKeepalive = 25
}

Step 6: Bring up Wireguard interface on your peer

In this step you will bring up the Wireguard VPN interface on the peer. The command must contain the name of the peer configuration file you created on the Digital Ocean Ubuntu server in step 5, without the file extension, .conf.

Bring up the Wireguard interface on your peer

Use the following command

$ sudo wg-quick up wg0

Example response

root@ubuntu-s-1vcpu-1gb-lon1-01:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.27.255.60/29 dev wg0
[#] ip link set mtu 1420 up dev wg0

Step 7: Test connection

Test that a connection was established between your peer and the Telnyx network.

Use the following command to show the current peer configuration

$ sudo wg show

Example response

root@ubuntu-s-1vcpu-1gb-lon1-01:~# wg show
interface: wg0
  public key: ToEvvyKC/zI+Q3AipAUs7Zl3CvEkOzMXNtf4YTf8UH4=
  private key: (hidden)
  listening port: 45111

peer: qF4EqlZq+5JL2IKYY8ij49daYyfKVhevJrcDxdqC8GU=
  endpoint: 203.0.113.0:51871
  allowed ips: 198.51.100.0/29
  latest handshake: 2 minutes, 12 seconds ago
  transfer: 10.20 KiB received, 5.05 KiB sent

Test connection

$ ping <server_ip_address>

Note:

  • The 'server_ip_address' is the private ip of the Cloud VPN interface and can be found in the response of the Cloud VPN Interface create endpoint in step 3.

Example response

root@ubuntu-s-1vcpu-1gb-lon1-01:~# ping 172.27.1.17
PING 172.27.1.17 (172.27.1.17) 56(84) bytes of data.
64 bytes from 172.27.1.17: icmp_seq=1 ttl=64 time=145 ms
64 bytes from 172.27.1.17: icmp_seq=2 ttl=64 time=144 ms
64 bytes from 172.27.1.17: icmp_seq=3 ttl=64 time=144 ms
64 bytes from 172.27.1.17: icmp_seq=4 ttl=64 time=144 ms
64 bytes from 172.27.1.17: icmp_seq=5 ttl=64 time=144 ms
64 bytes from 172.27.1.17: icmp_seq=6 ttl=64 time=144 ms

Next steps

Congratulations! You have successfully connected your Digital Ocean Ubuntu Server to a Cloud VPN server running in the Telnyx network.

By repeating the steps in this tutorial for multiple peers, you'll be able to link apps, devices and services together across the Telnyx backbone for low latency, secure communications across the globe.

Follow our other tutorials to learn how to connect a Mac to a Cloud VPN Server.