TL;DR: Oracle Cloud’s always-free VMs make a great WireGuard VPN host — if you know the gotchas. Here’s how I set mine up in Sydney with working internet access, correct firewall rules, and a tuned MTU so it doesn’t crawl.
Note that this is more of a learning exercise, and a setup to play around with, than a serious VPN for everyday use. The limiting factor is the low-spec free Oracle Cloud server it runs on. If you are lucky and manage to get a free Ampere VM from Oracle, that should be somewhat faster.
1. Create a Free Oracle Cloud VM
- Sign in to Oracle Cloud. Make a new account if you don’t have one. Some of the VM types (including what I used) are completely free forever, unlike nearly all other cloud VM providers. However, you need to be careful that you don’t select options which are paid/nonfree. For the free plan you can only have one region, and you can’t change it, so it’s better to pick one that isn’t that popular if you want to get the better-spec Ampere VM type (see below).
- Go to Compute → Instances → Create Instance.
- The VM ‘shape’ called VM.Standard.A1.Flex (Ampere) is the best free one. It is often out of capacity (meaning you can’t create another one until someone else terminates one). If you can’t get one, this one should work:
- Choose the Canonical Ubuntu image (latest LTS).
- Use the default VCN/Subnet — make sure it’s public.
- Add your own SSH keys, or generate a key pair, but remember to save it (you won’t be able to see it again after the initial generation step), so you can log in later with ssh.
2. Open the WireGuard Port
In the Oracle Cloud console, in your VM’s Subnet Security List or Network Security Group (NSG), make sure these rules are present. The rule allowing all outbound (egress) traffic is likely to be there already, but you will need to create the inbound (ingress) rule for port 51820 on UDP:
- Ingress Rule
  - Protocol: UDP
  - Source CIDR: 0.0.0.0/0
  - Destination Port Range: 51820
- Egress Rule
  - Allow all traffic (or at least UDP to anywhere).
3. Install WireGuard on the Server
|
|
If you haven’t already done so, you can install it on the client as described here: How to Build a Peer-to-Peer Mesh VPN with WireGuard and Linux. The example is for a Linux client. If you want to use a Windows client, that is also possible: install the Windows app for WireGuard and set it up in a similar fashion.
Generate keys:
|
|
4. Server Config (/etc/wireguard/wg0.conf)
Paste the actual contents of the keys (the long base64-encoded strings) below, not their filenames. The public IP address of the Oracle server can be found in the Oracle Cloud console.
|
|
5. Client Config (Linux or Windows)
|
|
On Windows, paste the above into the WireGuard GUI as a new tunnel.
6. Enable IP Forwarding on the Server
|
|
Make it permanent:
|
|
7. Fix Oracle’s Default iptables Block
Oracle’s Ubuntu image ships with INPUT rules that block most inbound traffic — which will silently break WireGuard.
Check current rules:
|
|
If you see REJECT rules for icmp-host-prohibited or udp, flush them:
|
|
Make this persist on reboot:
|
|
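If you would rather keep Oracle's default host firewall than flush it, the same block can be cleared by inserting an ACCEPT rule for the WireGuard port above the REJECT rule. The script below is an added example, not part of the original post: the `plan_insert` helper and the sample ruleset are constructed for illustration, and it assumes the REJECT rule in the chain is what blocks UDP 51820.

```bash
#!/usr/bin/env bash
# Added example: plan a narrow firewall change instead of flushing the chain.
# Reads `iptables -S CHAIN` output on stdin and prints the command that
# inserts RULESPEC directly above the first REJECT rule of that chain.

plan_insert() {    # usage: plan_insert CHAIN RULESPEC... < rules
    local chain="$1" spec rule line n=0
    shift
    spec="$*"
    while IFS= read -r line; do
        case "$line" in
            "-A $chain "*) ;;        # a rule in this chain
            *) continue ;;           # -P/-N lines and other chains
        esac
        n=$((n + 1))
        rule="${line#"-A $chain "}"
        # Same rule already sits above any REJECT: nothing to do.
        [ "$rule" = "$spec" ] && return 0
        case "$rule" in
            *"-j REJECT"*)
                printf 'iptables -I %s %s %s\n' "$chain" "$n" "$spec"
                return 0 ;;
        esac
    done
    return 0                         # no REJECT rule found: print nothing
}

# Constructed sample of `iptables -S INPUT` output (not captured from a host).
sample_input_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# RULESPEC is written the way `iptables -S` prints it (note "-m udp"), so the
# already-present check can compare text. On the server, feed it real rules:
#   sudo iptables -S INPUT | plan_insert INPUT -p udp -m udp --dport 51820 -j ACCEPT
sample_input_rules | plan_insert INPUT -p udp -m udp --dport 51820 -j ACCEPT
```

Review the printed command before running it with sudo; the change still has to be persisted across reboots in the same way as a flush.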
8. Start WireGuard
|
|
Check status:
|
|
9. Test the VPN
From the client:
|
|
If ifconfig.me shows your Oracle Cloud public IP, all traffic is routing through the VPN.
Why MTU Matters Here
OCI + WireGuard + nested NAT can cause packet fragmentation if MTU stays at the default 1500. This kills page loads but leaves Google searches feeling “fast.”
Setting MTU to 1280 on both server and client fixed this for me. You might be able to get away with a larger number (like 1380) if you don’t have any other VPNs or nested NAT networks in your route to the outside internet.
Done. You now have a free, persistent WireGuard VPN running in Oracle Cloud!