Deploy a WireGuard VPN Server in Performance Cloud VMware (NSX-T)

TABLE OF CONTENTS

Description
Important Notes
Requirements
Procedures
References

Description

A WireGuard VPN server can be deployed in your virtual data center to allow remote clients, including mobile devices, to connect to your Performance Cloud VMware (NSX-T) environment using a virtual private network (VPN).

In this article, we will deploy WireGuard in a virtual machine running Ubuntu and WG Easy in a Docker container.

Important Notes

- Some steps assume that you have a foundation about Linux and for creating virtual machines, virtual networks and network rules. Some steps also assume the deployment of a dedicated additional virtual machine in a working environment. Please refer to main articles in the Getting Started Guide if needed.

- Please note that Sherweb' support for third-party software, like WireGuard, is very limited.

- This setup may not work correctly with more than two hundred and fifty three (253) VPN clients.

- There is no "user authentication" in WireGuard. There is no concept of "users" but clients and a server with secret and public keys.

- Please make sure to store, send, deploy and use WireGuard configuration files using a secure method.

Requirements

- Have a virtual machine running Linux in your virtual data center (vDC) to host the WireGuard VPN server.

If needed, please see this article for guidance on creating a virtual machine using a prebuilt template and a vApp with Performance Cloud VMware (NSX-T).

To facilitate the work, we strongly recommend connecting to the Linux virtual machine using the SSH protocol.
If needed, please see this article for guidance to configure the Edge Gateway for this purpose.

Procedures

WireGuard VPN server setup

Log in to your virtual machine using a root account
Download and install Docker

Run the following command lines:

curl -sSL https://get.docker.com | sh
sudo usermod -aG docker $(whoami)
Deploy the "WG-Easy" docker image

Run the following command lines.

Edit the template below to match with your setup (WAN IP address of the Edge Gateway or fully qualified domain name (FQDN), the desired console password, the network to use for VPN clients, ports to use, network(s) to allow using the VPN, DNS server to use, etc.).

Notes:
- WG_ALLOWED_IPS=0.0.0.0/0 would allow and route all traffic on the client through the VPN tunnel.
- To allow multiple networks to VPN clients, specify all network ranges separated with a comma. Example: WG_ALLOWED_IPS=192.168.50.0/24,192.168.51.0/24,192.168.52.0/24,192.168.53.0/24
- Please avoid the following characters for the console password: !($\&")

docker run -d \--name=wg-easy \
-e WG_HOST=WAN_SERVER_IP_OR_FQDN \
-e PASSWORD=CONSOLE_PASSWORD \
-e WG_PERSISTENT_KEEPALIVE=30 \
-e WG_DEFAULT_ADDRESS=10.7.0.x \
-e WG_DEFAULT_DNS=1.1.1.1 \
-e WG_ALLOWED_IPS=10.0.0.0/8 \
-v ~/.wg-easy:/etc/wireguard \
-p 51820:51820/udp \
-p 51821:51821/tcp \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--sysctl="net.ipv4.ip_forward=1" \
--restart unless-stopped \
weejewel/wg-easy

Then, your WireGuard server configuration files will be saved in the folder ~/.wg-easy

Configure the Edge Gateway for WireGuard

If needed, please see this article for guidance with firewall and NAT rules to open ports for WireGuard.

In this example, the default ports (51820/UDP, 51821/TCP) were kept, and the following steps were performed (IP sets for the virtual machine and external IP address were previously created to create rules for SSH):

Creation of custom applications
Creation of DNAT rules
Creation of firewall rules

You should now be able to access the web interface.

Notes

In a production environment, we do not recommend configuring "Any" as the Source for the console access from the WAN IP address for security reasons.

That rule permitting the access of the console from the WAN IP address can be enabled on demand or completely disabled in the firewall rules section.

If the console access from the WAN IP address is blocked, you will need to access the user interface using the LAN IP address. In this example, by browsing to http://10.0.0.100:51821

WireGuard VPN server configuration

Enter the user interface of WireGuard with your password
Add a new client
Name the client and click on Create
Once the new client is created, the client configuration file can be downloaded or a QR code can be shown for mobile devices.

Repeat steps to create additional clients

Client Setup (Windows)

On a client machine, install the WireGuard client software. Setup files can be found here: https://www.wireguard.com/install/
Download the client configuration file on the client machine
Import the client configuration file in the WireGuard client software
Connect the VPN

The VPN is now connected.

With the VPN connected, test the network access to make sure the configuration is working as expected.

Client management

Enter the user interface of WireGuard with your password
From the console, a VPN client can be disabled or removed if needed.

Maintenance

To update the WG Easy Docker image or to change deployment settings, you can remove and deploy again the WG Easy Docker image.

Note: Redeploying the WG Easy Docker image will not delete VPN clients.

To stop all Docker images on the server, run the following command line.

docker stop $(docker ps -a -q)
To remove all Docker images on the server, run the following command line.

docker rm $(docker ps -a -q)
To get the latest image, run the following command line.

docker pull ghcr.io/wg-easy/wg-easy
Deploy the WG-Easy Docker image again with steps above.

References

https://www.wireguard.com/

https://github.com/wg-easy/wg-easy

Helpdesk