Running Wireguard on Scaleway Stardust
November 03, 2020
Scaleway just (3rd of November 2020) released their new tiny cloud instance offering aptly named Stardust. As exploding stars launch tiny atoms into space so does Cloudflare launch tiny instances into the cloud space. The Stardust instance is a very modest virtual private server clocking in at 1 vCPU, 1GB RAM, 1 IPv4 address, 10GB of local NVMe storage and up to 100Mbps bandwidth. And best of all the stardust instance cost clocks in at €0.0025 per hour adding up to under €2 per month, barely the cost of a coffee! If you can make do without the IPv4 address you can get it even cheaper, at only €0.0005 which should not even register in your wallet. Safe to say Stardust is a pretty sweet deal, but is limited to 1 per region per customer, so don't go thinking that you can set up some sort of swarm on them.
So what can you do with something small like the Stardust instance? Well according to the blog post users can
[...] deploy Stardust instances for use cases such as creating their own workers free from vendor lock-in, configuring triggers and daemons, as well as small Load-Balanced LAMP websites, VPN or Network Bastions. VPN networks they say?
I had always wanted to set up a personal Wireguard VPN server. A VPN is typically used to secure your network traffic when on untrusted networks like at cafés and hotels. Wireguard is a modern VPN implementation implemented largely in kernel space to provide speed and security. While I had originally considered subscribing to a commercially hosted Wireguard host, the Scaleway Stardust launch gave me an excellent excuse to try to host it myself.
The setup proved to be not so complicated at all.
I will not repeat the setup instructions here, but you should be aware that Wireguard now ships in Ubuntu's own repositories so no PPA is required.
The most complex configuration in the setup was the post up and post down settings to make sure the correct
iptables commands were run.
While they are documented and working it is always a good idea to understand what is going on.
So how did the Wireguard server on Scaleway Stardust perform? A quick unscientific test on my desktop on a 750Mbps download and 25Mbps upload speed gave me the following results:
$ speedtest Retrieving speedtest.net configuration... Testing from Scaleway (51.x.x.X)... Retrieving speedtest.net server list... Selecting best server based on ping... Hosted by Naitways (Paris) [1.88 km]: 80.411 ms Testing download speed........................... Download: 122.54 Mbit/s Testing upload speed............................. Upload: 21.11 Mbit/s $ speedtest Retrieving speedtest.net configuration... Testing from Scaleway (51.x.x.X)... Retrieving speedtest.net server list... Selecting best server based on ping... Hosted by KEYYO (Paris) [1.88 km]: 80.166 ms Testing download speed........................... Download: 98.86 Mbit/s Testing upload speed............................. Upload: 19.38 Mbit/s $ speedtest Retrieving speedtest.net configuration... Testing from Scaleway (51.x.x.X)... Retrieving speedtest.net server list... Selecting best server based on ping... Hosted by Naitways (Paris) [1.88 km]: 80.891 ms Testing download speed........................... Download: 155.69 Mbit/s Testing upload speed............................. Upload: 19.60 Mbit/s
On average I would say that Wireguard on the Stardust instance is more than capable of delivering the 100Mbps the instance offers. If you have a few times more speedy Internet, or even gigabit speeds, this setup will obviously not be your daily driver. On the other hand the next time you are sitting at some café or hotel, maybe after the covid-19 pandemic is over, your VPN is likely not going to be the bottleneck. The usual hotel and café networks will be limited by the wi-fi network and internet connection speed.
Before ending the post I would like to point out that this setup affords no extra anonymity on the wider Internet. While you will be masking your own private IP address, you will still be broadcasting your Scaleway instance's IP address instead. What this setup does afford you is a secure connection to a trusted network if no trusted networks are available where you are. It also hides your traffic from your ISP if that is a concern to you.
This was my first blog post in quite a while and I hope you enjoyed it. If you have any questions or comments feel free to shoot me an email at firstname.lastname@example.org.