Deploy a WireGuard VPN Server in Performance Cloud VMware (NSX-T)
Description
A WireGuard VPN server can be deployed in your virtual data center to allow remote clients, including mobile devices, to connect to your Performance Cloud VMware (NSX-T) environment using a virtual private network (VPN).
In this article, we will deploy WireGuard in a virtual machine running Ubuntu and WG Easy in a Docker container.
Important Notes
- Some steps assume basic familiarity with Linux and with creating virtual machines, virtual networks and network rules. Some steps also assume that a dedicated additional virtual machine is deployed in a working environment. Please refer to the main articles in the Getting Started Guide if needed.
- Please note that Sherweb's support for third-party software, like WireGuard, is very limited.
Requirements
- Have a virtual machine running Linux in your virtual data center (vDC) to host the WireGuard VPN server.
If needed, please see this article for guidance on creating a virtual machine using a prebuilt template and a vApp with Performance Cloud VMware (NSX-T).
To facilitate the work, we strongly recommend connecting to the Linux virtual machine using the SSH protocol.
If needed, please see this article for guidance to configure the Edge Gateway for this purpose.
Procedures
WireGuard VPN server setup
- Log in to your virtual machine using a root account
- Download and install Docker
Run the following command lines:
curl -sSL https://get.docker.com | sh
sudo usermod -aG docker $(whoami)
- Deploy the "WG-Easy" Docker image
Run the following command lines.
Edit the template below to match your setup (WAN IP address/FQDN, desired console password, ports to use, network(s) reachable through the VPN, DNS server to use, etc.)
Note: WG_ALLOWED_IPS=0.0.0.0/0 would route all of the client's traffic through the VPN tunnel.
docker run -d \
--name=wg-easy \
-e WG_HOST=WAN_SERVER_IP \
-e PASSWORD=CONSOLE_PASSWORD \
-e WG_PERSISTENT_KEEPALIVE=30 \
-e WG_DEFAULT_ADDRESS=10.7.0.x \
-e WG_DEFAULT_DNS=1.1.1.1 \
-e WG_ALLOWED_IPS=10.0.0.0/8 \
-v ~/.wg-easy:/etc/wireguard \
-p 51820:51820/udp \
-p 51821:51821/tcp \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--sysctl="net.ipv4.ip_forward=1" \
--restart unless-stopped \
weejewel/wg-easy
Your WireGuard server configuration files (server keys and the client list) will then be saved in the folder ~/.wg-easy on the host.
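The note above about WG_ALLOWED_IPS matters on the client side as well: the AllowedIPs line in a downloaded client profile decides whether the client sends all of its traffic through the tunnel or only the listed networks. The script below is an added example, not part of the Sherweb article or the wg-easy project; it reads a client .conf file and reports the tunnel mode. The sample profile it writes is constructed, with placeholder strings in place of real keys.

```shell
#!/bin/sh
# Added example (not from the Sherweb article or wg-easy): inspect a
# WireGuard client profile and report whether it is a full-tunnel profile
# (AllowedIPs contains a default route) or a split-tunnel profile.

# Print the value of KEY from the [Peer] section of a client config.
# Usage: wg_peer_value CONF KEY
wg_peer_value() {
  awk -v key="$2" '
    /^\[/ { section = $0; next }
    section == "[Peer]" && $0 ~ "^" key "[ \t]*=" {
      sub(/^[^=]*=[ \t]*/, ""); print; exit
    }
  ' "$1"
}

# Classify a client profile: "full-tunnel" if any AllowedIPs entry is
# 0.0.0.0/0 or ::/0, otherwise "split-tunnel".
wg_tunnel_mode() {
  allowed=$(wg_peer_value "$1" AllowedIPs)
  [ -n "$allowed" ] || { echo "no AllowedIPs in $1" >&2; return 1; }
  mode=split-tunnel
  old_ifs=$IFS; IFS=,            # AllowedIPs is a comma-separated list
  for cidr in $allowed; do
    cidr=$(echo "$cidr" | tr -d ' \t\r')
    case "$cidr" in
      0.0.0.0/0|::/0) mode=full-tunnel ;;
    esac
  done
  IFS=$old_ifs
  echo "$mode"
}

# Constructed sample profile in the shape wg-easy generates; the keys are
# placeholders, not real key material.
write_sample_conf() {
  cat > "$1" <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.7.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.0/8
PersistentKeepalive = 30
Endpoint = WAN_SERVER_IP:51820
EOF
}

# Demo: write the sample profile and classify it (prints "split-tunnel").
tmp=$(mktemp)
write_sample_conf "$tmp"
echo "$tmp: $(wg_tunnel_mode "$tmp")"
rm -f "$tmp"
```

Run it against a real downloaded profile with `wg_tunnel_mode client.conf`; a profile generated with WG_ALLOWED_IPS=10.0.0.0/8 reports split-tunnel, while one generated with 0.0.0.0/0 reports full-tunnel.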
Configure the Edge Gateway for WireGuard
If needed, please see this article for guidance with firewall and NAT rules to open ports for WireGuard.
In this example, the default ports (51820/UDP, 51821/TCP) were kept, and the following steps were performed (the IP sets for the virtual machine and for the external IP address had already been created for the SSH rules):
- Creation of custom applications
- Creation of DNAT rules
- Creation of firewall rules
You should now be able to access the web interface.
Note: In a production environment, for security reasons we do not recommend using "Any" as the Source of the rule that allows access to the WireGuard UI.
WireGuard VPN server configuration
- Enter the user interface of WireGuard with your password
- Add a new client (user)
- Name the client and click on Create
- Once the new client is created, the client configuration file can be downloaded or a QR code can be shown for mobile devices.
Repeat steps to create additional users
Client Setup (Windows)
- On a client machine, install the WireGuard client software. Setup files can be found here: https://www.wireguard.com/install/
- Download the client configuration file on the client machine
- Import the client configuration file in the WireGuard client software
- Connect the VPN
The VPN is now connected.
With the VPN connected, test the network access to make sure the configuration is working as expected.
User management
- Enter the user interface of WireGuard with your password
- From the console, a VPN client (or VPN user) access can be disabled or removed if needed.
Maintenance
To update the WG Easy Docker image or to change deployment settings, remove the WG Easy container and deploy it again.
Note: Redeploying the WG Easy Docker image will not delete VPN clients, because their configuration is stored in the ~/.wg-easy folder on the host, outside the container.
- To stop all Docker containers on the server, run the following command line.
docker stop $(docker ps -a -q)
- To remove all Docker containers on the server, run the following command line.
docker rm $(docker ps -a -q)
- Deploy the WG-Easy Docker image again using the steps above.
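The two commands above stop and remove every container on the host, which is more than a WG Easy update needs. The script below is an added example, not part of the Sherweb article or the wg-easy project: it archives the ~/.wg-easy folder first, then stops and removes only the container named wg-easy before starting a fresh one. The WG_HOST, WG_PASSWORD, WG_ALLOWED_IPS and BACKUP_DIR variables are assumptions of this script, not wg-easy settings; the docker run options are the ones from the deployment step above.

```shell
#!/bin/sh
# Added example (not from the Sherweb article or wg-easy): back up the
# wg-easy configuration volume, then redeploy only the wg-easy container.
# Assumes the container was started with --name=wg-easy and with the
# volume path below, as in the deployment step of the article.

WG_DIR="${WG_DIR:-$HOME/.wg-easy}"

# Archive the config directory (server keys, wg0.conf, wg0.json with the
# client list) into DEST and print the archive path.
# Usage: backup_wg_config SRC_DIR DEST_DIR
backup_wg_config() {
  src="$1"; dest="$2"
  [ -d "$src" ] || { echo "config dir not found: $src" >&2; return 1; }
  mkdir -p "$dest" || return 1
  out="$dest/wg-easy-$(date +%Y%m%d-%H%M%S).tar"
  tar -cf "$out" -C "$(dirname "$src")" "$(basename "$src")" || return 1
  echo "$out"
}

# Stop and remove just the wg-easy container, leaving other containers alone.
remove_wg_easy_container() {
  if docker ps -a --format '{{.Names}}' | grep -qx wg-easy; then
    docker stop wg-easy >/dev/null && docker rm wg-easy >/dev/null
  fi
}

# Pull the latest image and start a new container with the same settings
# as the article's deployment step (WG_HOST/WG_PASSWORD are hypothetical
# variables you export before running this).
redeploy_wg_easy() {
  : "${WG_HOST:?set WG_HOST to the WAN IP address or FQDN}"
  : "${WG_PASSWORD:?set WG_PASSWORD to the console password}"
  docker pull weejewel/wg-easy
  remove_wg_easy_container
  docker run -d --name=wg-easy \
    -e WG_HOST="$WG_HOST" \
    -e PASSWORD="$WG_PASSWORD" \
    -e WG_PERSISTENT_KEEPALIVE=30 \
    -e WG_DEFAULT_ADDRESS=10.7.0.x \
    -e WG_DEFAULT_DNS=1.1.1.1 \
    -e WG_ALLOWED_IPS="${WG_ALLOWED_IPS:-10.0.0.0/8}" \
    -v "$WG_DIR":/etc/wireguard \
    -p 51820:51820/udp \
    -p 51821:51821/tcp \
    --cap-add=NET_ADMIN \
    --cap-add=SYS_MODULE \
    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
    --sysctl="net.ipv4.ip_forward=1" \
    --restart unless-stopped \
    weejewel/wg-easy
}

# Run as a script with the argument "run": back up, then redeploy.
if [ "${1:-}" = "run" ]; then
  backup_wg_config "$WG_DIR" "${BACKUP_DIR:-$HOME/wg-easy-backups}" && redeploy_wg_easy
fi
```

Keep the archives somewhere other than the VPN host itself: they contain the server private key and every client's keys, so anyone who can read them can impersonate the server or any client.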
References
https://github.com/wg-easy/wg-easy