Question

how to set up a private webserver on Digital Ocean: wireguard?

I have experience developing web applications and setting up web and database servers, but minimal experience with VPNs and not a really advanced understanding of networking. Now I would like to set up web and database servers that are not public-facing at all, but only accessible to a very select few devices/users. I’ve done some searching and reading, and seen competing ideas and products – OpenVPN, Algo, Wireguard. I like Wireguard, and wonder if a sound approach would be to set up a web server that only accepts connections from the handful of IP addresses that are part of my little Wireguard network. I hope my meaning is clear and terminology close enough to correct.

Does this idea make sense? Any other suggestions?


Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

Hi there,

A quick way to do this without a lot of server-side configuration would be:

  • Install a firewall on your server like csf:

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-config-server-firewall-csf-on-ubuntu

  • Then close all ports for that server. That way only the IP’s that are in the CSF allow list would be able to access the ports and the services running on those ports.

  • After that, you can set up a separate VPN server like Wireguard or OpenVPN as you mentioned. You could use this 1-Click installation here:

https://marketplace.digitalocean.com/apps/openvpn-access-server

  • Then get the IP address of your VPN server and allow it in your csf firewall so that whenever you connect to the VPN you will also have access to your web server.

Alternatively to using CSF you could use the DigitalOcean Cloud Firewalls which are available at no additional cost:

https://docs.digitalocean.com/products/networking/firewalls/

Regarding the communication between the database server and the webserver, they could be created in the same VPC and could communicate via the private network so that the traffic would not go over the public network:

https://docs.digitalocean.com/products/networking/vpc/

Hope that this helps!

Best,

Bobby