Setup & Configure a VPN Server for Secure Remote Access of Public Cloud Resources
Despite the popularity of public cloud resources and the benefits they provide, there’s still a need to setup and manage those public resources securely. We here at the Cloud Engagement Hub are showing clients how to set this up, and securely connect to remote resources. This has been especially relevant these days when more and more people are accessing those resources from new locations, such as from a home office.
The goal of this article is to show you one method of setting up secure access to remote resources in the public cloud. In this case, we’ll be setting up a WireGuard VPN server as a ‘jumpbox’ that you’ll use to securely access OpenShift clusters and nodes residing in a VPC in IBM Cloud that does not allow inbound Internet connections. Once set up, you’ll use a WireGuard client on your laptop/desktop to connect to your WireGuard server and access any of the resources in that VPC.
This process will consist of 3 main setup steps:
- Create your VPN server instance
- Access, Install, and Configure WireGuard Server
- Install WireGuard Client, Configure, and Add your system for access
Create VM Instance for VPN Server
First, to gain access to and administer your VPC resources, you need to create a VM instance inside your VPC (with an external IP) where you’ll install and configure your WireGuard VPN server.
Assumptions
- You have an existing VPC & subnet to deploy to
- You want to access your resources from your home network
Creating your VM instance to run the VPN server is mostly a standard affair, but there are a few specific options to take note of.
Navigate to the VPC subnet you want to gain remote access to, select Attached resources, and hit Create:
Give it a descriptive name, perhaps with ‘vpn’ in it, and enter your tags, location, and server type.
Select an Ubuntu OS (the commands in this guide assume Ubuntu) and the server profile most applicable to your intended use case:
Note: There is a difference in bandwidth available based on the profile you select.
You’ll need a public/private SSH key pair to securely access your WireGuard server’s external IP address.
If you haven’t generated SSH keys yet for the machine you’ll be connecting from, see here:
After locating or generating your machine’s key pair, select New Key, give it a name, and paste in your machine’s public key:
Under Networking, make sure both the correct VPC and subnet that correspond to the resources you want to access are selected:
At this point, you’re ready to click ‘Create virtual server instance’ on the right-hand column:
This returns you to the list of virtual server instances for your selected region. Refresh your browser window and you should shortly see your newly created server instance with status ‘Running’:
Access, Install, and Configure WireGuard Server
Now we will gain access to our newly created instance, update it, and install and configure the WireGuard server and firewall to serve VPN sessions.
Gain secure external access to your server
At the moment, your server is running, but not reachable from the internet. You need to have an external IP address assigned to it in order to connect to and establish your VPN sessions.
Select your server instance, scroll to the bottom of the page to the Network interfaces section, and click the pencil icon to edit your eth0 interface:
Select the Floating IP address dropdown, choose ‘Reserve a new floating IP’, and hit Save.
Note: you can select an existing floating IP if one is available/free.
You should now see a floating IP address along with the Private IP that was originally listed.
Now you need to connect to your server for the first time using that floating IP address. Make sure to specify the path to the local private key that pairs with the public key you selected when creating your server instance earlier.
- The path should correspond to the location you saved your private key to
- The IP address should be the floating IP address of your server
- Open Terminal (Mac) or Command Prompt (PC)
- You’ll have to type ‘yes’ to accept the host key the first time; you should then be greeted with a prompt similar to the one below:
Congratulations — you’ve successfully logged into your remote server and are ready to install and configure WireGuard VPN.
NOTE: If you are using an SSH key shared with a small team, you may need to run this after adding the private key to give it the proper permissions:
chmod 600 <sshprivatekey>
Install & Configure WireGuard Server
Prepare the Environment
Before installing WireGuard, check for any updates to your existing software packages:
sudo apt update && sudo apt upgrade
If there are updates, you will be asked to confirm; type ‘y’ and Enter, then wait.
You will see ‘done’ when complete.
Check to see if your updates require a reboot:
cat /var/run/reboot-required
If yes, reboot!
sudo reboot
After waiting a few minutes for the reboot, reconnect via your SSH command from the prior section.
Install WireGuard
sudo apt install wireguard
Hit ‘y’ and Enter when prompted.
You should see something like:
Configure Your WireGuard Server
Next you’ll need to generate your WireGuard server key pair (public/private) for your client(s) to use when connecting to your secure WireGuard VPN service. These are WireGuard keys, distinct from the SSH keys used earlier to securely log in and administer your VM.
To generate your server keys and save them:
sudo mkdir -p /etc/wireguard/keys; wg genkey | sudo tee /etc/wireguard/keys/server.key | wg pubkey | sudo tee /etc/wireguard/keys/server.key.pub
View [and make note of] your WireGuard keys; you’ll need them later:
- Private:
cat /etc/wireguard/keys/server.key
- Public:
cat /etc/wireguard/keys/server.key.pub
Determine your Default Route — this will be used to ensure your vpn response packets are routed correctly:
ip -o -4 route show to default | awk '{print $5}'
Configure the “wireguard server interface”:
sudo nano /etc/wireguard/wg0.conf
Copy and paste the following config, replacing YOUR_SERVER_PRIVATE_KEY with the private key you noted above, and replacing ens3 with the interface name returned by the default-route command (ens3 is the typical value on these Ubuntu instances):
[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = YOUR_SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
SaveConfig = true
Set permissions for root-only access to lock down the config and private key used to connect:
sudo chmod 600 /etc/wireguard/wg0.conf /etc/wireguard/keys/server.key
Start up your WireGuard interface:
sudo wg-quick up wg0
Check running status:
sudo wg show wg0
You should see something similar to this:
Set WireGuard to start up automatically in case a reboot is ever needed:
sudo systemctl enable wg-quick@wg0
Configure networking and the firewall so the WireGuard server forwards packets destined for other machines in the VPC:
sudo nano /etc/sysctl.conf
Scroll down and uncomment “net.ipv4.ip_forward=1” line to allow packet forwarding:
Ctrl-O to write the file, Ctrl-X to exit.
Apply your change to the system:
sudo sysctl -p
Open WireGuard server port so incoming traffic to the service will be allowed:
sudo ufw allow 51820/udp
Allow SSH to administer the machine via VPN:
sudo ufw allow 22/tcp
Enable Firewall, typing ‘y’ and Enter:
sudo ufw enable
Verify status:
sudo ufw status verbose
Open the incoming WireGuard port in the cloud interface to your VPN server:
Congratulations! You’ve set up your WireGuard server!
Now you’ll need to allow traffic destined for your WireGuard server on the port specified above (51820) through your public cloud provider’s security group and into your VPC.
VPC Infrastructure → Security Groups → Select the region and group that relates to your VPC → Select Rules & click ‘Create’
Fill out the form:
- Select Protocol: UDP and port 51820 to 51820
- Find and enter the external IP address you’ll be reaching your VPN server from
Note: Your external IP address can be found via something like: https://whatismyipaddress.com/
Your server should now be ready to add clients for access.
Install WireGuard Client, Configure, and Add your client for VPN access
These last steps will set up your client system for VPN access and add its details to your VPN server to allow the connection.
Install WireGuard Client
Download and install the client here: https://www.wireguard.com/install/
Configure Your Client
ON YOUR PC/MAC
Open the WireGuard interface and create a new WireGuard connection.
Select ‘Manage Tunnels’ and hit ‘+’ to create a new empty tunnel.
Note the ‘Public Key’ generated; you’ll need this when adding the client on the server.
Below the ‘PrivateKey’ line, paste the following and edit appropriately between the < >:
Address = <your unique VPN IP>/32
DNS = 8.8.8.8, 1.1.1.1
[Peer]
PublicKey = <Server public key>
AllowedIPs = 172.16.0.0/24, 10.241.0.0/24, 10.241.64.0/24, 10.241.128.0/24
Endpoint = <your WireGuard server floating IP>:51820
Note: Your unique VPN IP will be something in the range of 172.16.0.2–250, given we configured your VPN server with 172.16.0.1 address earlier. Each additional client you add should have a unique address.
Note: Enter your VPN server’s public key here
- run cat /etc/wireguard/keys/server.key.pub to view it again
Note: your WireGuard floating IP is the address you have been using to SSH to install and configure your server.
Hit ‘Save’
Add Your Client to your VPN Server
ON YOUR VPN SERVER
Prepare the following command to run:
sudo wg set wg0 peer YOUR_CLIENT_PUBLIC_KEY allowed-ips YOUR_CLIENT_VPN_IP
Note: replace the placeholders with your client’s public key and its configured VPN IP address with a /32 mask (for example 172.16.0.2/32), so the peer is limited to that single address.
Run to confirm your peer has been added:
sudo wg show wg0
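As an added example (not part of the original article), the following POSIX shell functions put the server-configuration and peer-adding steps above into reusable form: they render wg0.conf from whatever interface the default-route command returns instead of hard-coding ens3, and they check that a client address falls in 172.16.0.2 to 172.16.0.254 before emitting the wg set command with a /32 mask. The function names are my own; the tunnel range, port and file paths are the ones used in this article.

```shell
#!/bin/sh
# Added example, not the article's own code. Renders wg0.conf for the detected
# egress interface and validates client VPN addresses before adding peers.
# Assumed values: the 172.16.0.0/24 tunnel range and UDP port 51820 used above.

WG_NET_PREFIX=172.16.0   # tunnel network; the server itself is .1
WG_PORT=51820

# Interface carrying the default route (same command the article uses).
wan_iface() {
  ip -o -4 route show to default | awk '{print $5}'
}

# Print a wg0.conf for the given egress interface and server private key.
render_server_conf() {
  iface=$1; privkey=$2
  cat <<EOF
[Interface]
Address = ${WG_NET_PREFIX}.1/24
ListenPort = ${WG_PORT}
PrivateKey = ${privkey}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${iface} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${iface} -j MASQUERADE
SaveConfig = true
EOF
}

# Succeed only for a usable client address: 172.16.0.2 .. 172.16.0.254
# (rejects the server's .1, the network/broadcast addresses, other networks).
valid_client_ip() {
  [ "${1%.*}" = "$WG_NET_PREFIX" ] || return 1
  last=${1##*.}
  case $last in ''|*[!0-9]*) return 1 ;; esac
  [ "$last" -ge 2 ] && [ "$last" -le 254 ]
}

# Print the wg(8) peer command; the /32 mask pins the peer to one address.
peer_cmd() {
  valid_client_ip "$2" || return 1
  printf 'wg set wg0 peer %s allowed-ips %s/32\n' "$1" "$2"
}

# Usage on the server (as root), for example:
#   render_server_conf "$(wan_iface)" "$(cat /etc/wireguard/keys/server.key)" > /etc/wireguard/wg0.conf
#   peer_cmd CLIENT_PUBLIC_KEY 172.16.0.2 | sh
```

Because wg0.conf has SaveConfig = true, peers added with wg set are written back to the file when the interface is brought down, so they survive a reboot.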
Test Your Connection!
Back on your client machine, in the WireGuard interface with your created profile selected, hit ‘Activate’.
You should see your status update to Active:
Give your VPN a test by editing your SSH connect command to use your VPN server’s private IP address instead of the floating IP.
Note: You can find your private address by navigating to your VPC subnet and viewing Attached resources, or by finding your specific server under VPC Infrastructure → Virtual server instances
If successful, you will see a host-key prompt similar to the one from your original connection, confirming you want to connect and registering the new client/server pair. This happens only once for each new connection pair.
You can again check the status of your VPN server via
sudo wg show
where you should see your connected peer, latest handshake, and data transferred, mirrored in your WireGuard Client interface as well.
You are now officially connected to your server’s private IP address over the VPN, and should also have access to your other cloud resources in your VPC address space.
Note: If you are having trouble accessing some external addresses/sites when connected to your VPN, you may need to add 0.0.0.0/0 to the ‘AllowedIPs’ line of your client tunnel configuration, which routes all of your client’s traffic through the tunnel.
Congratulations!