Deploy a WireGuard VPN Server in Performance Cloud VMware (NSX-T)
Description
A WireGuard VPN server can be deployed in your virtual data center to allow remote clients, including mobile devices, to connect to your Performance Cloud VMware (NSX-T) environment using a virtual private network (VPN).
In this article, we will deploy WireGuard in a virtual machine running Ubuntu and WG Easy in a Docker container.
Important Notes
- Some steps assume that you have a working knowledge of Linux and of creating virtual machines, virtual networks and network rules. Some steps also assume that a dedicated additional virtual machine is deployed in a working environment. Please refer to the main articles in the Getting Started Guide if needed.
- Please note that Sherweb's support for third-party software, like WireGuard, is very limited.
- This setup may not work correctly with more than two hundred and fifty three (253) VPN clients.
- There is no "user authentication" in WireGuard. There is no concept of "users", only clients and a server, each identified by a secret (private) key and a public key.
- Please make sure to store, send, deploy and use WireGuard configuration files using a secure method.
Requirements
- Have a virtual machine running Linux in your virtual data center (vDC) to host the WireGuard VPN server.
If needed, please see this article for guidance on creating a virtual machine using a prebuilt template and a vApp with Performance Cloud VMware (NSX-T).
To facilitate the work, we strongly recommend connecting to the Linux virtual machine using the SSH protocol.
If needed, please see this article for guidance to configure the Edge Gateway for this purpose.
Procedures
WireGuard VPN server setup
- Log in to your virtual machine using a root account
- Download and install Docker
Run the following command lines:
curl -sSL https://get.docker.com | sh
sudo usermod -aG docker $(whoami)
- Deploy the "WG-Easy" docker image
Run the following command lines.
Edit the template below to match your setup: the WAN IP address of the Edge Gateway or its fully qualified domain name (FQDN), the desired console password, the network to use for VPN clients, the ports to use, the network(s) that VPN clients are allowed to reach, the DNS server to use, and so on.
Notes:
- WG_ALLOWED_IPS=0.0.0.0/0 would allow and route all traffic on the client through the VPN tunnel.
- To allow multiple networks to VPN clients, specify all network ranges separated with a comma. Example: WG_ALLOWED_IPS=192.168.50.0/24,192.168.51.0/24,192.168.52.0/24,192.168.53.0/24
- Please avoid the following characters for the console password: !($\&")
docker run -d \
--name=wg-easy \
-e WG_HOST=WAN_SERVER_IP_OR_FQDN \
-e PASSWORD=CONSOLE_PASSWORD \
-e WG_PERSISTENT_KEEPALIVE=30 \
-e WG_DEFAULT_ADDRESS=10.7.0.x \
-e WG_DEFAULT_DNS=1.1.1.1 \
-e WG_ALLOWED_IPS=10.0.0.0/8 \
-v ~/.wg-easy:/etc/wireguard \
-p 51820:51820/udp \
-p 51821:51821/tcp \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--sysctl="net.ipv4.ip_forward=1" \
--restart unless-stopped \
weejewel/wg-easy
Then, your WireGuard server configuration files will be saved in the folder ~/.wg-easy
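The template above has several values to substitute, and the notes constrain two of them (the CIDR list for WG_ALLOWED_IPS and the characters allowed in the console password). A mistake there only shows up later as a container that will not start or clients that cannot route. The following script is an added example, not part of the original article or of the wg-easy project: it validates those values and assembles the docker run command for review instead of executing it. The helper function names are hypothetical; the environment variable names, ports and image name are the ones used in the template.

```shell
#!/bin/sh
# Added example (not from the original article or the wg-easy project):
# validate the values substituted into the docker run template, then
# print the assembled command. Function names are hypothetical.

# Return 0 if $1 is an IPv4 CIDR such as 10.0.0.0/8.
valid_cidr() {
  cidr=$1
  case $cidr in */*) ;; *) return 1 ;; esac
  ip=${cidr%%/*}
  prefix=${cidr#*/}
  # Prefix length must be a plain number in 0..32.
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  # Reject empty octets before splitting ("1.2.3.", ".1.2.3", "1..2.3").
  case $ip in ''|.*|*.|*..*) return 1 ;; esac
  cidr_ifs=$IFS
  set -f; IFS='.'; set -- $ip; IFS=$cidr_ifs; set +f
  [ $# -eq 4 ] || return 1
  for oct in "$@"; do
    case $oct in *[!0-9]*) return 1 ;; esac
    [ "$oct" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 is a non-empty, comma-separated list of valid CIDRs,
# the format WG_ALLOWED_IPS expects (no spaces, no empty elements).
valid_cidr_list() {
  list=$1
  case $list in ''|,*|*,|*,,*) return 1 ;; esac
  list_ifs=$IFS
  set -f; IFS=','; set -- $list; IFS=$list_ifs; set +f
  for cidr in "$@"; do
    valid_cidr "$cidr" || return 1
  done
  return 0
}

# Return 0 if the console password is non-empty and avoids the characters
# the article says to avoid: ! ( $ \ & " )
password_ok() {
  [ -n "$1" ] || return 1
  case $1 in
    *'\'*|*['()$&"!']*) return 1 ;;
  esac
  return 0
}

# Print the docker run command for the given WAN host, console password and
# allowed-IPs list. Return 1 and print nothing on invalid input.
build_wg_easy_cmd() {
  host=$1; pass=$2; allowed=$3
  [ -n "$host" ] || { printf '%s\n' "WG_HOST (WAN IP or FQDN) is required" >&2; return 1; }
  password_ok "$pass" || { printf '%s\n' "PASSWORD is empty or uses a forbidden character" >&2; return 1; }
  valid_cidr_list "$allowed" || { printf '%s\n' "WG_ALLOWED_IPS must be comma-separated IPv4 CIDRs" >&2; return 1; }
  cat <<EOF
docker run -d \\
  --name=wg-easy \\
  -e WG_HOST=$host \\
  -e PASSWORD=$pass \\
  -e WG_PERSISTENT_KEEPALIVE=30 \\
  -e WG_DEFAULT_ADDRESS=10.7.0.x \\
  -e WG_DEFAULT_DNS=1.1.1.1 \\
  -e WG_ALLOWED_IPS=$allowed \\
  -v ~/.wg-easy:/etc/wireguard \\
  -p 51820:51820/udp \\
  -p 51821:51821/tcp \\
  --cap-add=NET_ADMIN \\
  --cap-add=SYS_MODULE \\
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \\
  --sysctl="net.ipv4.ip_forward=1" \\
  --restart unless-stopped \\
  weejewel/wg-easy
EOF
}

# Stand-alone use: sh wg-easy-cmd.sh WAN_IP_OR_FQDN CONSOLE_PASSWORD ALLOWED_IPS
# Review the printed command, then pipe it to sh.
if [ $# -eq 3 ]; then
  build_wg_easy_cmd "$1" "$2" "$3"
fi
```

Two things to check before running the printed command: the password passed with -e is visible to anyone who can run docker inspect on the host, which is also true of the template as written, so keep the Docker socket restricted to administrators; and the Maintenance section pulls ghcr.io/wg-easy/wg-easy, so if you pull from there, change the image name at the end of the command to match, otherwise the freshly pulled image is never used.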
Configure the Edge Gateway for WireGuard
If needed, please see this article for guidance with firewall and NAT rules to open ports for WireGuard.
In this example, the default ports (51820/UDP and 51821/TCP) were kept. IP sets for the virtual machine and for the external IP address had already been created for the SSH rules, and the following steps were performed:
- Creation of custom applications
- Creation of DNAT rules
- Creation of firewall rules
You should now be able to access the web interface.
Notes
For security reasons, in a production environment we do not recommend configuring "Any" as the Source for console access from the WAN IP address.
The rule permitting console access from the WAN IP address can be enabled on demand, or disabled completely, in the firewall rules section.
If console access from the WAN IP address is blocked, access the user interface using the LAN IP address instead; in this example, by browsing to http://10.0.0.100:51821
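The note above is easy to violate by accident when the console rule is copied from the WireGuard UDP rule. The script below is an added example, not part of the original article: it runs a small audit over an exported rule list and flags an ALLOW rule that opens the console port (51821/TCP) to "Any", while treating the VPN port (51820/UDP) from "Any" as expected. The rule lines, their field layout (name;source;destination;service;action), the IP set names and the function names are all constructed for this example and do not come from the page or from NSX-T.

```shell
#!/bin/sh
# Added example (not from the original article): audit a rule export for
# the WG Easy console being allowed from Any. The rule lines, their field
# layout and all names below are constructed for this example.

SAMPLE_RULES='allow-ssh-admin;203.0.113.10/32;ipset-vm-wireguard;TCP_22;ALLOW
allow-wireguard-udp;Any;ipset-vm-wireguard;UDP_51820;ALLOW
allow-wg-console-wan;Any;ipset-vm-wireguard;TCP_51821;ALLOW
allow-wg-console-lan;10.0.0.0/8;ipset-vm-wireguard;TCP_51821;ALLOW'

# Print one line per rule:
#   RISK <name>  an ALLOW rule that opens the console port 51821/TCP to Any
#   OK   <name>  the WireGuard port 51820/UDP from Any, which the VPN needs
#   INFO <name>  anything else (restricted console access, SSH, ...)
audit_console_exposure() {
  printf '%s\n' "$1" | awk -F';' '
    NF < 5 { next }
    $5 == "ALLOW" && $2 == "Any" && $4 == "TCP_51821" { print "RISK " $1; next }
    $5 == "ALLOW" && $2 == "Any" && $4 == "UDP_51820" { print "OK " $1; next }
    { print "INFO " $1 }'
}

# Return 0 if the rule list produces no RISK line, 1 otherwise,
# so the check can gate a change before it is applied.
console_exposure_clean() {
  audit_console_exposure "$1" | grep -q '^RISK ' && return 1
  return 0
}

# Stand-alone use: prints the audit of the constructed sample.
if [ $# -eq 0 ]; then
  audit_console_exposure "$SAMPLE_RULES"
fi
```

On the sample above the audit reports RISK for allow-wg-console-wan only; the LAN-scoped console rule and the UDP rule pass. The same check can be pointed at a real export once the field separator and column order match your export format.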
WireGuard VPN server configuration
- Enter the user interface of WireGuard with your password
- Add a new client
- Name the client and click on Create
- Once the new client is created, the client configuration file can be downloaded or a QR code can be shown for mobile devices.
Repeat these steps to create additional clients.
Client Setup (Windows)
- On a client machine, install the WireGuard client software. Setup files can be found here: https://www.wireguard.com/install/
- Download the client configuration file on the client machine
- Import the client configuration file in the WireGuard client software
- Connect the VPN
The VPN is now connected.
With the VPN connected, test the network access to make sure the configuration is working as expected.
Client management
- Enter the user interface of WireGuard with your password
- From the console, a VPN client can be disabled or removed if needed.
Maintenance
To update the WG Easy Docker image or to change deployment settings, remove the WG Easy container and deploy it again.
Note: Redeploying the WG Easy Docker image will not delete VPN clients.
- To stop all Docker containers on the server, run the following command line.
docker stop $(docker ps -a -q)
- To remove all Docker containers on the server, run the following command line.
docker rm $(docker ps -a -q)
- To get the latest image, run the following command line.
docker pull ghcr.io/wg-easy/wg-easy
- Deploy the WG-Easy Docker image again using the steps above.
References
https://github.com/wg-easy/wg-easy