+
+| Amsterdam | Bangalore |
+
+
+|
+
+**VPC-A** subnet is **172.16.1.0/24**.
+ |
+
+
+**VPC-B** subnet is **172.16.2.0/24**.
+
+ |
+
+
+|
+
+#### Gateway-A
+
+| Interface | IP Address |
+|:---------------------|:--------------|
+| Public | 192.0.2.1 |
+| VPC | 172.16.1.3 |
+| Wireguard | 10.10.0.1 |
+
+ |
+
+
+#### Gateway-B
+
+| Interface | IP Address |
+|:---------------------|:--------------|
+| Public | 192.0.2.2 |
+| VPC | 172.16.2.3 |
+| Wireguard | 10.10.0.2 |
+
+ |
+
+
+|
+
+#### App-Server
+
+| Interface | IP Address |
+|:---------------------|:--------------|
+| Public | 192.0.2.3 |
+| VPC | 172.16.1.2 |
+
+ |
+
+
+#### DB-Server
+
+| Interface | IP Address |
+|:---------------------|:--------------|
+| Public | none |
+| VPC | 172.16.2.2 |
+
+ |
+
+
+
+## Section 1: Create the VPCs
+
+In this step, you'll create the VPCs in each location.
+
+### Create VPC-A in Amsterdam
+
+1. Follow this link to [add a VPC Network](https://my.vultr.com/network/vpc/add/).
+1. Choose the **Amsterdam** location.
+1. In the Configure IP Range section, choose **Manual - Advanced** to open the **Set IP Range** section.
+1. Enter `172.16.1.0` in Network Address.
+1. Enter `24` in Network Prefix.
+1. In the Manage Routes section, choose **No Routes**.
+1. Enter `VPC-A` for the network name, then click **Add Network**.
+
+### Create VPC-B in Bangalore
+
+These are the exact steps you did for VPC-A, except the network subnet and location are different.
+
+1. Follow this link to [add a VPC Network](https://my.vultr.com/network/vpc/add/).
+1. Choose the **Bangalore** location.
+1. In the Configure IP Range section, choose **Manual - Advanced** to open the **Set IP Range** section.
+1. Enter `172.16.2.0` in Network Address.
+1. Enter `24` in Network Prefix.
+1. In the Manage Routes section, choose **No Routes**.
+1. Enter `VPC-B` for the network name, then click **Add Network**.
+
+When finished, you'll have two VPCs, like this:
+
+
+
+## Section 2: Deploy Servers and Gateways
+
+In this step, you'll deploy the servers and gateways.
+
+### Deploy the Amsterdam Servers
+
+Follow these steps to deploy two identical servers in Amsterdam.
+
+1. Follow this link to [deploy a new server](https://my.vultr.com/deploy/).
+1. Select **Optimized Cloud Compute - General Purpose**.
+1. Choose the **Amsterdam** location.
+1. Choose the **Ubuntu 22.04 LTS x64** operating system.
+1. Choose the **30 GB NVMe** server size.
+1. In the Additional Features section, select **Enable Virtual Private Clouds**.
+1. You can choose an SSH key if you have one available. Or, you can use the root password you'll find on the server overview page after deployment.
+1. Choose `2` in the **Servers Qty** field at the bottom of the screen.
+1. Enter `Gateway-A` in the **Server 1 Hostname & Label** section.
+1. Enter `App-Server` in the **Server 2 Hostname & Label** section.
+1. Click **Deploy Now**.
+
+### Deploy the Bangalore Servers
+
+For demonstration, DB-Server in Bangalore has no public IP address. Because it has a different configuration than Gateway-B, you'll deploy these servers simultaneously.
+
+#### Deploy Gateway-B
+
+1. Follow this link to [deploy a new server](https://my.vultr.com/deploy/).
+1. Select **Optimized Cloud Compute - General Purpose**, unless you have different performance requirements.
+1. Choose the **Bangalore** location.
+1. Choose the **Ubuntu 22.04 LTS x64** operating system.
+1. Choose the **30 GB NVMe** server size.
+1. In the Additional Features section, select **Enable Virtual Private Clouds**.
+1. You can choose an SSH key if you have one.
+1. Enter `Gateway-B` in the **Server Hostname & Label** section.
+1. Click **Deploy Now**.
+
+#### Deploy DB-Server
+
+DB-Server has no public IP address and is only reachable through the VPC, so the steps differ slightly from the previous three deployments.
+
+1. Follow this link to [deploy a new server](https://my.vultr.com/deploy/).
+1. Select **Optimized Cloud Compute - General Purpose**.
+1. Choose the **Bangalore** location.
+1. Choose the **Ubuntu 22.04 LTS x64** operating system.
+1. Choose the **30 GB NVMe** server size.
+1. In the Additional Features section:
+
+ * Select **No Public IPv4 Address**.
+ * Select **Enable Virtual Private Clouds**.
+
+ The Additional Features section looks like this after your selections:
+
+ 
+
+1. Enter `DB-Server` in the **Server Hostname & Label** section.
+1. Click **Deploy Now**.
+
+### Confirm the Server Configuration
+
+You should now have four servers deployed. The overview page shows the servers and their public IP addresses.
+
+
+
+Make a note of the public addresses for the two gateways and App-Server.
+
+Because you created the VPCs before deploying the servers, Vultr could automatically configure each server's private network adapter [with cloud-init](https://www.vultr.com/docs/how-to-deploy-a-vultr-server-with-cloudinit-userdata/).
+
+To confirm the VPC network configuration for each server:
+
+1. Click the server entry to view its overview page.
+1. Click the **Settings tab**.
+1. Click the **IPv4** menu and scroll to the **VPC Network** section, which looks like this:
+
+
+
+Verify all servers have their VPCs configured and note the addresses before proceeding.
+
+## Section 3: Install Wireguard
+
+In this section, you'll install Wireguard on both gateways.
+
+> Follow these steps for **Gateway-A**, then repeat the same steps on **Gateway-B** before proceeding to the next section.
+
+1. From your local workstation, open a terminal and SSH to the server as the root user.
+
+ user@localhost:~$ ssh root@192.0.2.1
+
+1. [Update](https://www.vultr.com/docs/how-to-update-a-vultr-cloud-server/#How_to_Update_Debian___Ubuntu) the server.
+
+ Gateway-A:# apt update && apt upgrade -y
+
+1. Reboot the server to ensure all updates are applied, then reconnect with SSH.
+
+ Gateway-A:# reboot
+ Gateway-A:# Connection to 192.0.2.1 closed by remote host.
+
+ user@localhost:~$ ssh root@192.0.2.1
+
+ Gateway-A:#
+
+1. Install Wireguard.
+
+ Gateway-A:# apt install wireguard
+
+1. Create Wireguard's **private** key.
+
+ Gateway-A:# wg genkey | sudo tee /etc/wireguard/private.key
+
+1. Create Wireguard's **public** key.
+
+ Gateway-A:# cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
+
+1. View the keys with `cat`, and make a note of them. This guide uses example values for clarity.
+
+ Gateway-A:# cat /etc/wireguard/private.key
+ GATEWAY-A-PRIVATE-KEY-EXAMPLE
+
+ Gateway-A:# cat /etc/wireguard/public.key
+ GATEWAY-A-PUBLIC-KEY-EXAMPLE
+
+1. **Repeat these steps on Gateway-B** and make a note of its public and private keys before proceeding to the next section.
+
+## Section 4: Configure the VPN
+
+In this section, you'll create a Wireguard interface on each machine and configure it with the remote gateway's address and public/private key information.
+
+### Configure Gateway-A
+
+1. SSH to Gateway-A.
+
+ user@localhost:~$ ssh root@192.0.2.1
+
+1. Create the Wireguard configuration file. The Wireguard interface takes its name from the filename, and the standard convention is to name the first Wireguard interface `wg0`.
+
+ Gateway-A:# nano /etc/wireguard/wg0.conf
+
+1. Copy these settings into `wg0.conf`. You can also [download the file here](Gateway-A/wg0.conf).
+
+ # Local Settings - Gateway-A
+ [Interface]
+ PrivateKey = GATEWAY-A-PRIVATE-KEY-EXAMPLE
+ Address = 10.10.0.1/32 # Gateway-A Wireguard address
+ ListenPort = 51820
+
+ # Firewall Rules
+ PreUp = ufw allow 51820/udp
+ PostDown = ufw delete allow 51820/udp
+
+ # IP forwarding
+ PreUp = sysctl -w net.ipv4.ip_forward=1
+
+ # Remote Settings - Gateway-B
+ [Peer]
+ PublicKey = GATEWAY-B-PUBLIC-KEY-EXAMPLE
+ Endpoint = 192.0.2.2:51820 # Gateway-B public IP and port
+ AllowedIPs = 10.10.0.2/32, 172.16.2.0/24 # Gateway-B Wireguard IP, VPC-B subnet
+
+1. Change this example file:
+
+ * Under **# Local Settings - Gateway-A**:
+ * Change `PrivateKey` to Gateway-A's private key.
+ * Verify `Address` is the correct Wireguard IP address for Gateway-A. If you've followed the Wireguard and VPC addressing scheme from this guide, you won't need to change this.
+ * Under **# Remote Settings - Gateway-B**:
+ * Change `PublicKey` to Gateway-B's public key.
+ * Change `Endpoint` to Gateway-B's public IP address, followed by `:51820` to indicate the remote port.
+ * Verify `AllowedIPs` matches Gateway-B's Wireguard IP and VPC-B subnet. If you've followed the Wireguard and VPC addressing scheme from this guide, you won't need to change these.
+
+ These other settings rarely need to be changed:
+
+ * Under `# Firewall Rules`:
+ * `PreUp` commands run before Wireguard brings up the tunnel. Here, it opens the firewall port `51820/udp`.
+ * `PostDown` commands run after Wireguard brings down the tunnel. Here, it closes the firewall port.
+ * Under `# IP forwarding`:
+ * This `PreUp` setting enables IP forwarding, which allows packets from the VPN tunnel to be passed to the VPC interface.
+
+1. Save and exit the file.
+1. Start the Wireguard service.
+
+ Gateway-A:# systemctl start wg-quick@wg0.service
+
+1. Enable the Wireguard service to restart after the server reboots.
+
+ Gateway-A:# systemctl enable wg-quick@wg0.service
+
+Gateway-A is now waiting for Gateway-B to come online, which you'll do in the next step.
+
+### Configure Gateway-B
+
+Next, you'll connect to Gateway-B to configure the other end of the tunnel. These steps are similar to the ones you did for Gateway-A, but the addresses and keys differ.
+
+1. SSH to Gateway-B.
+
+ user@localhost:~$ ssh root@192.0.2.2
+
+1. Create the `wg0.conf` configuration file.
+
+ Gateway-B:# nano /etc/wireguard/wg0.conf
+
+1. Copy these settings into `wg0.conf`. You can also [download the file here](Gateway-B/wg0.conf).
+
+ # Local Settings - Gateway-B
+ [Interface]
+ PrivateKey = GATEWAY-B-PRIVATE-KEY-EXAMPLE
+ Address = 10.10.0.2/32 # Gateway-B Wireguard address
+ ListenPort = 51820
+
+ # Firewall Rules
+ PreUp = ufw allow 51820/udp
+ PostDown = ufw delete allow 51820/udp
+
+ # IP forwarding
+ PreUp = sysctl -w net.ipv4.ip_forward=1
+
+ # Remote Settings - Gateway-A
+ [Peer]
+ PublicKey = GATEWAY-A-PUBLIC-KEY-EXAMPLE
+ Endpoint = 192.0.2.1:51820 # Gateway-A public IP and port
+ AllowedIPs = 10.10.0.1/32, 172.16.1.0/24 # Gateway-A Wireguard IP, VPC-A subnet
+
+1. Change this example file:
+
+ * Under **# Local Settings - Gateway-B**:
+ * Change `PrivateKey` to Gateway-B's private key.
+ * Verify `Address` is the correct Wireguard IP address for Gateway-B. If you've followed the Wireguard and VPC addressing scheme from this guide, you won't need to change this.
+ * Under **# Remote Settings - Gateway-A**:
+ * Change `PublicKey` to Gateway-A's public key.
+ * Change `Endpoint` to Gateway-A's public IP address, followed by `:51820` to indicate the remote port.
+ * Verify `AllowedIPs` matches Gateway-A's VPN endpoint and VPC-A subnet. If you've followed the Wireguard and VPC addressing scheme from this guide, you won't need to change these.
+
+ Like Gateway-A's example, you usually won't need to change the `# Firewall Rules` or `# IP forwarding` sections.
+
+1. Start Wireguard on Gateway-B.
+
+ Gateway-B:# systemctl start wg-quick@wg0.service
+
+1. Enable the Wireguard service to restart after the server reboots.
+
+ Gateway-B:# systemctl enable wg-quick@wg0.service
+
+This establishes the VPN tunnel. You should test the connection at this stage before proceeding.
+
+1. Verify the `wg0` interface was created:
+
+ Gateway-B:# ip link show wg0
+
+ You'll see something similar to:
+
+ 4: wg0: