In order to complete this guide, you will first need to perform the following tasks on your Ubuntu 18.04 Droplet:
Step 1 — Install WireGuard
First, update your existing list of packages:
Add the WireGuard PPA to the system to configure access to the project’s packages:
- sudo add-apt-repository -y ppa:wireguard/wireguard
Once the PPA has been added, update the local package index to pull down information about the newly available packages and then install the WireGuard kernel module and userland components:
- sudo apt update
- sudo apt install wireguard-dkms wireguard-tools
dnsmasq because it will run inside the container:
- sudo apt remove -y dnsmasq
Disable systemd-resolved if it blocks port 53.
- sudo systemctl disable systemd-resolved
- sudo systemctl stop systemd-resolved
After that setup CloudFlare as your DNS server:
echo nameserver 22.214.171.124 | sudo tee /etc/resolv.conf
Step 2 — WireGuard modules
In order to load the required WireGuard modules you need to run the following commands:
- sudo modprobe wireguard
- sudo modprobe iptable_nat
- sudo modprobe ip6table_nat
Once the modules have been enabled you need to run the following commands in order to enable the modules when the server gets rebooted:
- echo "wireguard" | sudo tee /etc/modules-load.d/wireguard.conf
- echo "iptable_nat" | sudo tee /etc/modules-load.d/iptable_nat.conf
- echo "ip6table_nat" | sudo tee /etc/modules-load.d/ip6table_nat.conf
Finally check if systemd-modules-load service is active:
sudo systemctl status systemd-modules-load.service
Step 3 - Enable packet Packet forwarding
In order to get WireGuired to work as expected, we need to make sure that package forwarding is enabled. Packet forwarding means allowing packets to go from one network to another.
To do that you need to run the following commands:
- sudo sysctl -w net.ipv4.ip_forward=1
- sudo sysctl -w net.ipv6.conf.all.forwarding=1
Step 4 - Configure Domain name DNS
In order to use Let’s Encrypt and secure our Subspace instance, we need to make sure that we have a domain name that points to our Droplet’s IP address.
To do that make sure to create a DNS A record for your domain or subdomain name and point it to your server’s IP address.
subspace.your_domain.com A 172.16.1.1
Step 5 - Firewall Rules
As subspace runs a TLS (“SSL”) https server on port 443/tcp and a standard web server on port 80/tcp, we need to make sure that the two ports are open for incoming TCP traffic via our firewall. To do that run the following commands
- sudo ufw allow 80
- sudo ufw allow 443
Also, as port 51820/udp is the default WireGurad port, we need to make sure that it is open as well:
Next, we need to start the subspace Docker container.
Step 6 - Start subspace
Your data directory should be bind-mounted as
/data inside the container using the
After that, we need to create our container. Make sure to change the
--env SUBSPACE_HTTP_HOST to your domain name which is pointing to your Droplet.
docker create \
--name subspace \
--restart always \
--network host \
--cap-add NET_ADMIN \
--volume /usr/bin/wg:/usr/bin/wg \
--volume /data:/data \
--volume /lib/x86_64-linux-gnu/libc.so.6:/lib/x86_64-linux-gnu/libc.so.6:ro \
--volume /lib64/ld-linux-x86-64.so.2:/lib64/ld-linux-x86-64.so.2:ro \
--env SUBSPACE_HTTP_HOST="subspace.example.com" \
--env SUBSPACE_NAMESERVER="126.96.36.199" \
Then start your container:
- sudo docker start subspace
You can also check the logs of your container to make sure that it starts as expected:
- sudo docker logs subspace
Then visit your domain name via your browser and you will be able to see your subspace installation!
subspacecommunity/subspace project is community maintained and is a fork of the simple WireGuard VPN server GUI. If you notice any problems feel free to submit an issue or a pull request!
Hope that this helps!