A cost-optimized, serverless Telegram Bot that deploys disposable WireGuard VPN servers on Google Cloud Platform (GCP) on-demand. Designed for personal use with extreme cost efficiency using f1-micro Spot Instances.
- Zero Idle Cost: Serverless architecture (Cloud Functions 2nd Gen) scales to zero.
- Menu-Driven UI: Interactive Telegram Inline Keyboards for region and peer selection.
- Global Reach: Deploy to 9 GCP regions including Taiwan, Tokyo, Singapore, US (Iowa, Oregon, S. Carolina), UK (London), Germany (Frankfurt), and Netherlands.
- Instant Access: Automatically generates WireGuard configs and QR Codes sent directly to chat.
- Cost Optimized: Uses Spot `f1-micro` instances (~$0.004/hour) with auto-shutdown capability (manual `/del`).
- Multi-User Support: Strict authorization via Secret Manager (User ID whitelist).
- Smart Management: Tracks active instances, enforces quotas (max 5), and allows 1-click destruction.
```mermaid
graph TD
    User((User)) -->|/new| TG[Telegram Bot API]
    TG -->|Webhook| GCF[Cloud Function]
    GCF -->|Auth| SM[Secret Manager]
    GCF -->|Provision| GCE[Compute Engine]
    GCE -->|Create| VM[f1-micro VM]
    VM -->|Startup Script| WG[WireGuard Setup]
    WG -->|Upload QR| TG
    TG -->|QR Code| User
```
- Google Cloud Platform Project: Create a new project.
- Telegram Bot: Create a bot via @BotFather and get the token.
- User ID: Get your numeric Telegram User ID (use @userinfobot).
This bot relies on Google Secret Manager for security. You must create the following secrets in your GCP project:
| Secret Name | Value Example | Description |
|---|---|---|
| `TELEGRAM_BOT_TOKEN` | `123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11` | Your Telegram Bot Token. |
| `AUTHORIZED_USER_ID` | `123456789,987654321` | Comma-separated list of allowed User IDs. |
Note: GCP_PROJECT_ID is set as an environment variable during deployment.
Run the following commands in Cloud Shell or your local terminal:
```bash
gcloud services enable \
  cloudfunctions.googleapis.com \
  run.googleapis.com \
  artifactregistry.googleapis.com \
  cloudbuild.googleapis.com \
  compute.googleapis.com \
  secretmanager.googleapis.com
```

Replace the values with your actual data:

```bash
# printf '%s' writes the value without a trailing newline
printf '%s' "YOUR_BOT_TOKEN" | gcloud secrets create TELEGRAM_BOT_TOKEN --data-file=-
printf '%s' "YOUR_USER_ID" | gcloud secrets create AUTHORIZED_USER_ID --data-file=-
```

The Cloud Function needs permission to access secrets and manage VM instances.
```bash
PROJECT_ID=$(gcloud config get-value project)
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
SERVICE_ACCOUNT="${PROJECT_NUMBER}-compute@developer.gserviceaccount.com"

# Grant Secret Accessor
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member "serviceAccount:$SERVICE_ACCOUNT" \
  --role roles/secretmanager.secretAccessor

# Grant Compute Admin (to create/delete VMs)
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member "serviceAccount:$SERVICE_ACCOUNT" \
  --role roles/compute.admin

# Create Firewall Rule (Allow WireGuard UDP)
gcloud compute firewall-rules create allow-wireguard \
  --direction=INGRESS \
  --priority=1000 \
  --network=default \
  --action=ALLOW \
  --rules=udp:51820 \
  --source-ranges=0.0.0.0/0 \
  --target-tags=vpn-server
```

Deploy the function using the 2nd Gen runtime. We use `gcloud config get-value project` to automatically set your current Project ID.
Note: We allocate 512MB memory to prevent Out-Of-Memory errors during Python dependency loading.
```bash
gcloud functions deploy vpn-bot \
  --gen2 \
  --runtime=python311 \
  --region=asia-northeast1 \
  --source=. \
  --entry-point=deploy_vpn \
  --trigger-http \
  --allow-unauthenticated \
  --set-env-vars GCP_PROJECT_ID="$(gcloud config get-value project)" \
  --memory=512MB \
  --timeout=60s
```

After deployment, get the Function URL (e.g., `https://...run.app`) and register it:

```bash
curl "https://api.telegram.org/bot<YOUR_TOKEN>/setWebhook?url=<YOUR_FUNCTION_URL>"
```

- `/start` - Welcome message.
- `/new` - Open the deployment menu (Region Selection).
- `/status` - Show active VPN servers and connection details.
- `/del` - Destroy all active instances immediately.
- `/log` - Show system diagnostics (Project ID, Active VM count, etc.).
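Because the function is deployed with `--allow-unauthenticated`, the handler itself has to reject anything that does not come from Telegram or from an allowlisted user. The sketch below is an added example, not this project's code: it parses the comma-separated `AUTHORIZED_USER_ID` value and authorizes both commands and inline-keyboard callbacks. The function names and the use of Telegram's `secret_token` webhook option (delivered in the `X-Telegram-Bot-Api-Secret-Token` header) are assumptions that go beyond the setup described here.

```python
import hmac

SECRET_HEADER = "X-Telegram-Bot-Api-Secret-Token"  # sent when setWebhook got secret_token

def parse_allowlist(secret_value):
    """Parse the comma-separated AUTHORIZED_USER_ID secret, failing closed."""
    ids = set()
    for part in secret_value.split(","):
        part = part.strip()  # tolerate spaces and a trailing newline
        if not part:
            continue
        if not (part.isascii() and part.isdigit()):
            raise ValueError("AUTHORIZED_USER_ID must hold numeric IDs only")
        ids.add(int(part))
    if not ids:
        raise ValueError("AUTHORIZED_USER_ID is empty")
    return frozenset(ids)

def sender_id(update):
    """Return the user ID behind an update, or None if there is none."""
    # Commands arrive as "message"; inline-keyboard presses as "callback_query".
    for kind in ("message", "callback_query"):
        section = update.get(kind)
        user = section.get("from") if isinstance(section, dict) else None
        if isinstance(user, dict) and type(user.get("id")) is int:
            return user["id"]
    return None

def is_authorized(headers, update, allowlist, webhook_secret):
    """True only for Telegram-originated updates from an allowlisted user."""
    presented = headers.get(SECRET_HEADER, "")
    # Fail closed if no secret is configured; compare in constant time otherwise.
    if not webhook_secret or not hmac.compare_digest(
            presented.encode(), webhook_secret.encode()):
        return False
    uid = sender_id(update)
    return uid is not None and uid in allowlist

if __name__ == "__main__":
    # Constructed sample data; the IDs are the README's example values.
    allow = parse_allowlist("123456789,987654321")
    hdrs = {SECRET_HEADER: "constructed-secret"}
    press = {"callback_query": {"from": {"id": 987654321}, "data": "region"}}
    print(is_authorized(hdrs, press, allow, "constructed-secret"))  # True
    print(is_authorized({}, press, allow, "constructed-secret"))    # False
```

In a real handler the check runs before any Compute Engine call, and a rejected request should get a generic response with no details.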
Disclaimer: This project is for educational purposes. Ensure you comply with GCP Terms of Service regarding Spot Instances and Network usage.