Deploy a WireGuard VPN Server in Performance Cloud VMware (NSX-T)

 


Description

A WireGuard VPN server can be deployed in your virtual data center to allow remote clients, including mobile devices, to connect to your Performance Cloud VMware (NSX-T) environment using a virtual private network (VPN).

In this article, we will deploy WireGuard in a virtual machine running Ubuntu and WG Easy in a Docker container.

Important Notes

- Some steps assume a working knowledge of Linux and of creating virtual machines, virtual networks and network rules. Some steps also assume that a dedicated additional virtual machine has been deployed in a working environment. Please refer to the main articles in the Getting Started Guide if needed.

- Please note that Sherweb's support for third-party software, like WireGuard, is very limited.

Requirements

- Have a virtual machine running Linux in your virtual data center (vDC) to host the WireGuard VPN server.

If needed, please see this article for guidance on creating a virtual machine using a prebuilt template and a vApp with Performance Cloud VMware (NSX-T).

To facilitate the work, we strongly recommend connecting to the Linux virtual machine using the SSH protocol.
If needed, please see this article for guidance to configure the Edge Gateway for this purpose.

Procedures
 

WireGuard VPN server setup
 

  1. Log in to your virtual machine using a root account


  2. Download and install Docker

    Run the following command lines:

    curl -sSL https://get.docker.com | sh
    sudo usermod -aG docker $(whoami)



  3. Deploy the "WG-Easy" docker image

    Run the following command lines.

    Edit the template below to match your setup (WAN IP address or FQDN, desired console password, ports to use, network(s) reachable through the VPN, DNS server to use, etc.).

    Note: WG_ALLOWED_IPS=0.0.0.0/0 would route all of the client's traffic through the VPN tunnel (full tunnel), not only traffic for the networks listed.

    docker run -d --name=wg-easy \
    -e WG_HOST=WAN_SERVER_IP \
    -e PASSWORD=CONSOLE_PASSWORD \
    -e WG_PERSISTENT_KEEPALIVE=30 \
    -e WG_DEFAULT_ADDRESS=10.7.0.x \
    -e WG_DEFAULT_DNS=1.1.1.1 \
    -e WG_ALLOWED_IPS=10.0.0.0/8 \
    -v ~/.wg-easy:/etc/wireguard \
    -p 51820:51820/udp \
    -p 51821:51821/tcp \
    --cap-add=NET_ADMIN \
    --cap-add=SYS_MODULE \
    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
    --sysctl="net.ipv4.ip_forward=1" \
    --restart unless-stopped \
    weejewel/wg-easy


Your WireGuard server configuration files (server keys, client keys and client configurations) are then saved in the folder ~/.wg-easy on the host, which is the volume mounted into the container above.


 

Configure the Edge Gateway for WireGuard


If needed, please see this article for guidance with firewall and NAT rules to open ports for WireGuard.

In this example, the default ports (51820/UDP, 51821/TCP) were kept, and the following steps were performed (IP sets for the virtual machine and for the external IP address had previously been created for the SSH rules):
 

  • Creation of custom applications



  • Creation of DNAT rules



  • Creation of firewall rules




    You should now be able to access the web interface.



    Note: In a production environment, we do not recommend configuring "Any" as the Source for WireGuard UI access for security reasons.



WireGuard VPN server configuration

  1. Log in to the WireGuard (WG Easy) web interface with your password
     
  2. Add a new client (user)



  3. Name the client and click on Create



  4. Once the new client is created, the client configuration file can be downloaded or a QR code can be shown for mobile devices.


Repeat these steps to create additional users.
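As an added check, not part of this article or of wg-easy itself, the following Python script parses a client configuration file downloaded in step 4 and compares it with the values set in the docker run template above, flagging in particular a full-tunnel AllowedIPs. The sample file is constructed with placeholder keys; the field layout is the one wg-easy emits, assumed here, and 203.0.113.10 stands in for WAN_SERVER_IP.

```python
import ipaddress
# Constructed sample of the client file wg-easy generates (placeholder keys, not
# real key material; 203.0.113.10 is a documentation address standing in for WAN_SERVER_IP).
SAMPLE_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.7.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = PRESHARED_KEY_PLACEHOLDER=
AllowedIPs = 10.0.0.0/8
PersistentKeepalive = 30
Endpoint = 203.0.113.10:51820
"""
# Values from the docker run template in this article (the WG_* variables).
EXPECTED = {"allowed": "10.0.0.0/8", "keepalive": 30,
            "client_net": "10.7.0.0/24", "port": 51820}

def parse_wg_conf(text):
    """Parse the INI-style WireGuard file into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            sections[current][key.strip()] = value.strip()
    return sections

def check_client_conf(text, expected=EXPECTED):
    """Return findings where the client file deviates from the deployment template."""
    conf = parse_wg_conf(text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    findings = []
    addr = ipaddress.ip_interface(iface.get("Address", "0.0.0.0/32"))
    if addr.ip not in ipaddress.ip_network(expected["client_net"]):
        findings.append(f"Address {addr} is outside the WG_DEFAULT_ADDRESS range")
    allowed = [ipaddress.ip_network(n.strip()) for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    if any(n.prefixlen == 0 for n in allowed):
        findings.append("AllowedIPs sends all client traffic through the tunnel (full tunnel)")
    elif [str(n) for n in allowed] != [expected["allowed"]]:
        findings.append(f"AllowedIPs {peer.get('AllowedIPs')} differs from WG_ALLOWED_IPS")
    if int(peer.get("PersistentKeepalive", "0")) != expected["keepalive"]:
        findings.append("PersistentKeepalive differs from WG_PERSISTENT_KEEPALIVE")
    if not peer.get("Endpoint", "").endswith(f":{expected['port']}"):
        findings.append(f"Endpoint {peer.get('Endpoint')} is not on UDP port {expected['port']}")
    return findings
```

Run check_client_conf on the text of a real downloaded .conf; an empty list means the client matches the template, and each finding names the WG_* variable to revisit before testing access from the client.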
 

 

Client Setup (Windows)

  1. On a client machine, install the WireGuard client software. Setup files can be found here: https://www.wireguard.com/install/


  2. Download the client configuration file to the client machine

     
  3. Import the client configuration file into the WireGuard client software


     
  4. Connect the VPN



    The VPN is now connected.

    With the VPN connected, test the network access to make sure the configuration is working as expected.


 

User management

 

  1. Log in to the WireGuard (WG Easy) web interface with your password

     
  2. From the console, a VPN client's (VPN user's) access can be disabled, or the client removed, if needed.




Maintenance

 

To update the WG Easy Docker image or to change deployment settings (for example the environment variables in the docker run command), remove the WG Easy container and deploy it again.

Note: Redeploying the WG Easy container does not delete VPN clients, because their keys and configuration files are kept in ~/.wg-easy on the host, outside the container.

 

  1. To stop all Docker containers on the server, run the following command line. Note that it stops every container on the host, not only wg-easy; if other containers are running there, stop only the wg-easy container by name instead.

    docker stop $(docker ps -a -q)

     
  2. To remove all (stopped) Docker containers on the server, run the following command line. As above, it removes every container on the host, not only wg-easy.

    docker rm $(docker ps -a -q)


  3. Deploy the WG-Easy Docker image again using the steps above.

References

https://www.wireguard.com/

https://github.com/wg-easy/wg-easy