Remote Access VPN to a Private Azure Windows Server with WireGuard and Netmaker

Alex Feiszli
netmaker
Published in
5 min readJul 20, 2023

Intro

If you use Azure, you may deploy resources that you don’t want to expose publicly. For instnace, a Windows Server. In these scenarios, the resource will be contained in an Azure Virtual Network and Subnet. But how do you access these resources remotely from your devices?

Azure has their own remote access VPN solution called “Azure VPN Gateway”. However, this can be unnecessarily expensive. With several users and endpoints, you can easily spend hundreds of dollars per month.

Luckily, it is pretty easy to build an alternative to Azure VPN Gateway using WireGuard® and Netmaker for free. Follow these steps, and you should be up and running in about 30 minutes.

By the end of this tutorial, you will have a gateway device running on Azure, which you can use to access your private Azure resources using a WireGuard VPN client.

Scenario

Windows Server in Azure

In our example scenario, we have Windows Server 2019 Datacenter running on Azure, which is only accessible via RDP over the Virtual Network subnet address (10.0.0.4). We want RDP access to the server using this address.

For your setup, this could be any private IPs or subnets on Azure, as long they are accessible from the gateway device, which we will set up next.

Inbound RDP rule
Our virtual network subnet

Step 1: Deploy the Gateway Device

Deploy a device in Azure to act as your VPN gateway. We recommend using the latest Ubuntu on the smallest possible instance type, since it is not resource intensive. However, any linux distro or instance type should work.

This device must have access to the target devices or subnets, so add it to the same subnet. Reminder, make sure the Inbound Port rules on the target device or subnet will allow traffic from the gateway device.

Lastly, the device must be accessible over the WireGuard port, which by default for Netmaker is 51821, so open 51821/udp from Any source in the Inbound Port Rules (we’re doing 51821–51830/udp to be on the safe side), and make sure it has a Public IP Address.

Gateway Device Requirements:
- Device Type: VM or Container (VM recommended)
- OS: Linux (Ubuntu 22.04 recommended)
- Size: any
- Network Settings: Must have a public IP, be a part of the virtual network, and expose 51821/udp publicly (as well as port 22 for SSH access)

Step 2: Add Gateway Device to Netmaker

Now that you’ve deployed a suitable gateway device, you must add this device to Netmaker. You can self-host Netmaker, but to get started quickly (and for free), simply sign up at https://app.netmaker.io.

By default, your account will have a virtual network named “netmaker” and an access key, also named “netmaker”. You should use these for the remainder of the tutorial, but note that in our example and screenshots these are named “azure-gw”.

Click on the network, click on “hosts”, and then click the “Add a new host” button:

The network hosts list. Your’s will be empty at this point
Add a Host instructions

Follow the steps to add the gateway device to Netmaker: SSH to the device, download and installing the netclient, and joining the network.

Output from installing netclient

Once the device is visible in your “hosts” lists, you can continue to configure the device as a Gateway.

Device listed in Hosts list

Step 3: Configure Egress

Click on “Egress” and then “Create Egress”. We will set the gateway device as an egress to the virtual network subnet range in Azure. However, we could just as easily set it to a single IP or list of IPs within the subnet.

The device is now prepared to serve traffic to the target destination.

Step 4: Configure Client Gateway

The last step is to provide remote access via a “Client Gateway”. The Client Gateway simply allows you to generate WireGuard config files, which are routed through the gateway device and into the network. So, after configuring, a user will be able to reach the Egress range via the Client Gateway.

Our gateway device on Azure will act as both an “Egress Gateway”, to forward traffic to the private subnet, and a “Client Gateway”, so that it can accept traffic from WireGuard.

Click on “Clients” and then “Create Client”. Since you do not have a Client Gateway yet, it will prompt you to select a device to act as the gateway, and will generate your first client (WireGuard config file) on top of this gateway.

You can now download this config file, and run it using any standard WireGuard client.

Click on the Client ID to view details

If everything has gone correctly, you should now be able to RDP to the device using the private IP address:

You can generate additional clients as necessary, so that your gateway provides access for a whole team.

Summary

In this tutorial, we:

  1. Configured Azure for a remote access gateway
  2. Configured an Azure VM instance to act as the remote access gateway
  3. Generated and ran a WireGuard config file locally, to access a private Windows server via the gateway

There is much more you can do with Netmaker and WireGuard, so I hope this was a good first experience.

If you have any questions or feedback, let me know in the comments!

--

--

Alex Feiszli
netmaker

Alex is CEO of Netmaker (https://netmaker.io), a cloud networking company building the next-gen virtual networking platform.