Question

how to set up a private webserver on Digital Ocean: wireguard?

I have experience developing web applications and setting up web and database servers, but minimal experience with VPNs and not a really advanced understanding of networking. Now I would like to set up web and database servers that are not public-facing at all, but only accessible to a very select few devices/users. I’ve done some searching and reading, and seen competing ideas and products – OpenVPN, Algo, Wireguard. I like Wireguard, and wonder if a sound approach would be to set up a web server that only accepts connections from the handful of IP addresses that are part of my little Wireguard network. I hope my meaning is clear and terminology close enough to correct.

Does this idea make sense? Any other suggestions?

Subscribe
Share

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Hi there,

A quick way to do this without a lot of server-side configuration would be:

  • Install a firewall on your server like csf:

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-config-server-firewall-csf-on-ubuntu

  • Then close all ports for that server. That way only the IP’s that are in the CSF allow list would be able to access the ports and the services running on those ports.

  • After that, you can set up a separate VPN server like Wireguard or OpenVPN as you mentioned. You could use this 1-Click installation here:

https://marketplace.digitalocean.com/apps/openvpn-access-server

  • Then get the IP address of your VPN server and allow it in your csf firewall so that whenever you connect to the VPN you will also have access to your web server.

Alternatively to using CSF you could use the DigitalOcean Cloud Firewalls which are available at no additional cost:

https://docs.digitalocean.com/products/networking/firewalls/

Regarding the communication between the database server and the webserver, they could be created in the same VPC and could communicate via the private network so that the traffic would not go over the public network:

https://docs.digitalocean.com/products/networking/vpc/

Hope that this helps!

Best,

Bobby