Welcome to the Academy, operator. Below is a video overview of the VPN setup process. The Rapid Staging Reference Guide can be downloaded from the link at the bottom right of the video. For those who prefer a text format, I've provided a written guide in the sections further down.
Important Notice: It appears that I accidentally cut footage of the first command that should be performed when logging in to the Virtual Machine. Please be sure to run the first command "apt install wireguard" as the video does not show this step. It can be done at any point before the "cd /etc/wireguard" command and you should be able to keep moving as expected. Apologies if this caused some confusion! Huge thanks to WTV and Mo85 who caught this and brought it to my attention on Discord!
A VPN can get just about any helium hotspot deployment out of relayed status. You can have as many of these set up as you want, you'll just need to repeat this process for each miner. This method will also enable you to connect multiple hotspots on the same internet connection, something that is extremely useful in remote or off-grid deployments. There are many providers that we can use to achieve this goal, but in this guide, we'll be using Digital Ocean.
Hardware used in this Guide can be found at the below Amazon Affiliate links. Purchasing through these links awards a small commission, at no additional expense to you. If you found this guide useful, please consider supporting this project by purchasing through our links. The GL-iNet Mango router can be found here: https://amzn.to/3nuS63q If bright yellow isn't your thing, use the GL-iNet Shadow: https://amzn.to/3fznd9o Need more ethernet? I have used cables by Cable Matters for years: https://amzn.to/3qzhE0W
If you're having trouble, swing by our Discord server and someone is sure to offer a helping hand. You can get an invite to the server by clicking here: https://discord.hntacademy.com/
Let's get to work!
Part 1 - Provisioning the VPS
For those of you new to the information technology scene, VPS stands for Virtual Private Server. It's an exciting way to host all kinds of services in "the cloud." As you will see from our use with Helium today, their ability to scale up or down to make our costs hyper-efficient can be extremely useful!
To start off, head over to digitalocean.com and create an account. If this is the first time you've used this account, you'll get a few boxes to pop up - click the one that says deploy a virtual machine. If you don't see those boxes, you'll need to click the green Create button at the top and create a droplet. At the top, make sure Ubuntu 20.04 LTS is selected. Double check that Shared CPU: Basic is selected. Under CPU Options, select Regular Intel with SSD and click the box that says $5 per month. Scroll down and click the region closest to you.
Under Authentication, we're using password to keep this as streamlined as possible. If you know how to generate and manage SSH keys, you can use this option instead. Otherwise, select password and make sure to use something secure. Go ahead and copy this into the Rapid Staging Reference, we're going to need it in just a moment. Under additional options, enable monitoring. Where it says, "Choose a hostname," I like to use the animal name of my miner. This makes it easy to see what miner's VPN you're working on if you have multiple set up. Now just click "Create droplet."
Once the droplet finishes deploying, you'll see an IP address pop up next to the name. Go ahead and copy that by hovering to the right of the IP address, and clicking the button that pops up there. Put this in your reference file as well.
Part 2 - Configuring the VPS
Next we're going to open Command Prompt if you're on Windows, or Terminal for those Mac users out there. To easily open Command Prompt, press the Windows key and type "cmd" and press enter.
Using the IP address we just pasted into your reference guide, enter the command
Be sure to put the IP address next to the command in your reference guide as well, so you don't forget how to connect in the future.
First thing we're going to do is install WireGuard.
apt install wireguard
Press enter, press Y, and then press enter.
Next we are going to make sure that all of the pre-installed software is up to date. This is important to do because we have already seen hacking activity on the network, and software updates often include a fix for security vulnerabilities. If you are new to doing this, it can look kind of crazy with how fast everything scrolls past.
apt update
Press enter.
This command updates the list of upgrades available for the system. This is fundamentally no different than clicking "check for updates" for your phone apps. If we follow that same line of thought, this next command is like clicking the update all button. To do that we type:
apt upgrade
Press enter, press Y, and then press enter.
You'll get a popup at some point near the end of this process, just press enter and it will keep trucking along. Now that we have successfully updated all of the software, we need to reboot the system.
reboot
Press enter.
This will close your connection to the server, and it can take a minute before the server comes back online. Trying to log back in too soon will give some error messages, but it won't hurt anything. If you get a "connection timed out" or "connection refused" just double check to ensure that you don't have any typos and try again. When it lets you connect, put in your password again and press enter.
First things first, we need to enable IP Forwarding on the server. This command takes the line that we type after echo, and appends it to the end of the system control configuration text file.
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
Press enter.
Now let's verify our work using the tail command to look at the "tail end," or bottom of the text file we appended that line to.
tail /etc/sysctl.conf
Press enter.
We can see now on the screen that we were successful in updating the configuration. Now we need to load that configuration so that it is actively running!
sysctl --load
Press enter.
If this is successful, you should get a response that shows exactly what we changed.
Now we need to create cryptographic keys for both the Server and for the Router to use. The purpose of these keys is two-fold; first, they enable us to verify that we are connecting to the device that we want to be connecting to. Second, they are used to encrypt the traffic between the two devices. Now that might sound pretty intense, but the program handles everything for us. To make our lives a bit easier, we are going to change to a different folder in the server. (NOTE: If this command says it doesn't exist, double check that you issued the first command, apt install wireguard.)
cd /etc/wireguard
Press enter.
The next command will generate the keys that we will use to identify the virtual server, and put them into 2 separate files in the folder we just moved to.
wg genkey | tee server-privatekey | wg pubkey > server-publickey
Press enter.
Now we will generate the keys that will be used to identify the router.
wg genkey | tee router-privatekey | wg pubkey > router-publickey
Press enter.
It is a good idea to pause here and verify that all of the keys were generated successfully. Using the cat command, we can show the contents of each key on the screen.
cat server-privatekey
cat server-publickey
cat router-privatekey
cat router-publickey
Press enter after each command.
Now that these are all on the screen, take a moment to copy all 4 of them and put them into your reference document. Remember, you can copy from the command prompt by highlighting with a left click and drag, and then copy with a simple right click.
Next, we are going to edit the configuration for WireGuard.
nano wg0.conf
Press enter.
In your Reference guide, grab the server-privatekey and router-publickey outputs. They should look something like "xGOHrGz6migH7m19tI4cXfLoicBFU/kXru2Kp0iJfG8=". Replace the sections below that say "REPLACEMEWITHserver-privatekeyOUTPUT" and "REPLACEMEWITHrouter-publickeyOUTPUT" with the appropriate keys. Then, copy EVERYTHING below, and Paste it into the command prompt/terminal:
Before we continue, I'd like to reiterate that we need to replace the filler text by pasting your server-private key and router-public key in their respective sections. You can navigate in the command prompt with arrow keys.
Now that you've double checked that, save the file by pressing:
Control + O, then press enter
Exit by pressing:
Control + X
Double check that the file saved properly by using:
If text shows up, and your keys here look correct, then you're good to go on this step.
Now that all of the configurations are in place for the WireGuard server, we can set it to start any time the server reboots.
systemctl enable wg-quick@wg0
You should see some output mentioning the creation of a "symlink," and now all that's left is to start the WireGuard service.
systemctl start wg-quick@wg0
NOTE: If you see here something along the lines of "failed because the control process exited with error code" then check the wg0.conf file and make sure that your keys are correct!
If successful, there should be no further output. We can verify that the service is active by typing:
systemctl status wg-quick@wg0
You should see near the top a line that says "Active : Active."
Press Q - and we are done with the server side! Breathe a sigh of relief, we're almost there!
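A check worth running on the server before moving on, as an added example that is not part of the original guide: it lists the private key and configuration files that anyone other than the owner can access, and restricts them. The function names are made up for this example, it assumes GNU find and the file names used above, and the demo runs on constructed sample files rather than /etc/wireguard.

```shell
#!/bin/sh
# Added example (not from the original guide): find WireGuard secrets in a
# directory that anyone other than the owner can access, and lock them down.
# Assumes the file names used in this guide and GNU find (as on Ubuntu).

# Print every private key or .conf file in DIR with any group/other mode bit set.
wg_loose_files() {
    find "$1" -maxdepth 1 -type f \
        \( -name '*privatekey' -o -name '*.conf' \) -perm /077 | sort
}

# Number of such files.
wg_loose_count() {
    wg_loose_files "$1" | wc -l | tr -d ' '
}

# Restrict DIR to its owner and every secret-bearing file in it to mode 600.
wg_tighten() {
    chmod 700 "$1"
    wg_loose_files "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Demo on constructed sample files; on the droplet, pass /etc/wireguard instead.
wg_demo() {
    d=$(mktemp -d)
    for f in server-privatekey server-publickey router-privatekey \
             router-publickey wg0.conf; do
        echo "constructed-sample-not-a-real-key" > "$d/$f"
        chmod 644 "$d/$f"
    done
    echo "before: $(wg_loose_count "$d") file(s) exposed"
    wg_loose_files "$d"
    wg_tighten "$d"
    echo "after:  $(wg_loose_count "$d") file(s) exposed"
    rm -rf "$d"
}

wg_demo
```

Once the router has been configured in Part 4, the router-privatekey file on the server is no longer needed there, since wg0.conf only uses the server-privatekey and the router-publickey.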
Part 3 - Preparing the hardware
If you haven't already done so, go ahead and get the GL-iNet Mango router connected to power. While that is booting up, let's also connect it to your main router or source of internet. I recommend using a cable instead of WiFi whenever possible. If you have to use WiFi for your deployment, I would at least relegate that responsibility to the GL-iNet and let your Helium hotspot miner just have an ethernet cable between it and the GL-iNet.
For full cable configurations, connect your main router with an ethernet cable to the port labeled "WAN." If you're looking directly at the ports, that's the one on the left. Now, making sure that some type of antenna is connected, power on your Helium hotspot and connect it to the GL-iNet router with an ethernet cable to the port labeled "LAN." If you're looking directly at the ports, that's the one on the right.
Using your laptop, desktop or phone, connect to the GL-iNet with default WiFi name and password. In your web browser, navigate to 192.168.8.1 and be sure to set a secure admin password. Note this password in your staging reference near the bottom. Before you do anything else, change the WiFi Name (SSID) to something other than your model number, and change the password to be secure. You can find this in the GL-iNet under the Wireless tab. Click Modify to unlock the fields and click Apply when you're ready to make the changes go through. Note the WiFi name and the WiFi password in your staging reference near the bottom. Don't forget to connect back to the WiFi now that you've changed it, and then refresh the page.
Part 4 - Configuring the router
We're in the home stretch now! First, we go to the Clients tab. There should be 2 things here - your miner, and the device you are connecting to the GL-iNet from. Copy the MAC address of your Helium hotspot, and paste it into your staging reference.
Next, go down to More Settings > LAN IP, and paste your MAC address to the Static IP Address Binding section. In the next field, set a static IP address. If you're not sure what IP to use, 192.168.8.2 will work just fine. Click Apply.
Now we need to reboot the GL-iNet router so that the miner starts using that IP address right away. At the very top of the page, click Reboot. Be sure to connect to the GL-iNet WiFi once again after rebooting. When it's finished, log back into the GL-iNet router.
Following the reboot, we are going to configure a VPN policy. This will prevent any other devices from going across the VPN tunnel. We want to limit this to only the miner because any additional traffic has the potential to slow down our Virtual Machine.
Click VPN
Click VPN Policies
Click "Enable VPN Policy"
Disable "Use VPN for Guest Network"
Disable "Use VPN for All Processes on the Router"
Leave "Please Choose Policy" set to "MAC Address"
Leave "Please Choose Rules" set to "Only allow the following use VPN"
Paste the miner's MAC address here once again
Click Add
Click Apply
Once your VPN Policy is in place, we can configure the WireGuard connection.
On the left, click WireGuard Client
Click Set Up WireGuard manually
Click Manual Input
Under Interface:
for IP Address, input 10.0.0.2/32
for Private Key, grab the router-privatekey from your reference, and paste it here
for Listen Port, put 51820
for DNS, put 188.8.131.52
for MTU, put 1420
Under Peer:
for Public Key, grab the server-publickey from your reference, and paste it here
for Endpoint Host, put your VMIPADDRESS:51820 (the first IP in your reference) (Example: 10.16.74.42:51820)
for Allowed IPs, put 0.0.0.0/0
for PreShared Key, leave this field blank
Click Next
Name the client using your friendly animal name for ease of identification in the case that you have more than one hotspot.
Click Add
Click Yes
Click Connect
One last configuration we need to make is a port forwarding rule to take the traffic from your GL-iNet router's VPN tunnel interface, and port forward that to the miner on the LAN.
Click Firewall
Name the rule Helium
for Internal IP, click the drop down and select the IPADDRESS of the miner. (This guide used 192.168.8.2)
for External Zone, click WireGuard (Note: If you do not see WireGuard, this usually indicates that your VPN is not connected.)
for External Port, put 44158
for Internal Port, put 44158
for Internal Zone, set it to LAN
for Protocol, select TCP
for Status, verify that it says Enable
Click Apply
Part 5 - Testing that it works
That's right, all that is left is to test to see if it works! Head over to https://portchecker.co. Once you're there, you may notice that there is already an IP address in the field. We do not want to use this IP address, as it is grabbing that from the network you are browsing from. Instead, we want to copy your VMIPADDRESS from your reference notes and put it into the IP address field. Next, put 44158 in the field below the IP address. Do a little drumroll for yourself .... and click test. If the result says Open, CONGRATULATIONS! You have successfully configured a Virtual, Private, WireGuard VPN server with port forwarding.
If you weren't so lucky as to get it open on the first time, don't stress over it too much! You can run through the guide again and just double check that you got every step. If you'd like some more practice, you can just as easily delete the droplet and start from square 1. Remember, by using my referral link you get $100 credit for the first 60 days. That will give you plenty of time to go through this all and figure it out.
If you're still having trouble, swing by our Discord server and someone is sure to offer a helping hand. You can get an invite to the server by clicking here: https://discord.hntacademy.com/