Deploy a WireGuard VPN Server in Performance Cloud VMware (NSX-T)

 


Description

A WireGuard VPN server can be deployed in your virtual data center to allow remote clients, including mobile devices, to connect to your Performance Cloud VMware (NSX-T) environment using a virtual private network (VPN).

In this article, we will deploy WireGuard in a virtual machine running Ubuntu and WG Easy in a Docker container.

Important Notes

- Some steps assume that you have a working knowledge of Linux and of creating virtual machines, virtual networks and network rules. Some steps also assume that a dedicated additional virtual machine has been deployed in a working environment. Please refer to the main articles in the Getting Started Guide if needed.

- Please note that Sherweb's support for third-party software, like WireGuard, is very limited.

- This setup may not work correctly with more than two hundred and fifty-three (253) VPN clients.

Requirements

- Have a virtual machine running Linux in your virtual data center (vDC) to host the WireGuard VPN server.

If needed, please see this article for guidance on creating a virtual machine using a prebuilt template and a vApp with Performance Cloud VMware (NSX-T).

To make the work easier, we strongly recommend connecting to the Linux virtual machine over SSH.
If needed, please see this article for guidance on configuring the Edge Gateway for this purpose.

Procedures
 

WireGuard VPN server setup
 

  1. Log in to your virtual machine using a root account


  2. Download and install Docker

    Run the following command lines:

    curl -sSL https://get.docker.com | sh
    sudo usermod -aG docker $(whoami)



  3. Deploy the "WG-Easy" docker image

    Run the following command lines.

    Edit the template below to match your setup: the WAN IP address of the Edge Gateway or a fully qualified domain name (FQDN), the desired console password, the network to use for VPN clients, the ports to use, the network(s) reachable through the VPN, the DNS server to use, etc.

    Notes:
    - WG_ALLOWED_IPS=0.0.0.0/0 would allow and route all of the client's traffic through the VPN tunnel.
    - To make multiple networks reachable for VPN users, list all network ranges separated by commas. Example: WG_ALLOWED_IPS=192.168.50.0/24,192.168.51.0/24,192.168.52.0/24,192.168.53.0/24
    - Avoid the following characters in the console password: ! ( $ & " )


    docker run -d --name=wg-easy \
    -e WG_HOST=WAN_SERVER_IP_OR_FQDN \
    -e PASSWORD=CONSOLE_PASSWORD \
    -e WG_PERSISTENT_KEEPALIVE=30 \
    -e WG_DEFAULT_ADDRESS=10.7.0.x \
    -e WG_DEFAULT_DNS=1.1.1.1 \
    -e WG_ALLOWED_IPS=10.0.0.0/8 \
    -v ~/.wg-easy:/etc/wireguard \
    -p 51820:51820/udp \
    -p 51821:51821/tcp \
    --cap-add=NET_ADMIN \
    --cap-add=SYS_MODULE \
    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
    --sysctl="net.ipv4.ip_forward=1" \
    --restart unless-stopped \
    weejewel/wg-easy


Your WireGuard server configuration files will then be saved in the folder ~/.wg-easy.
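Before running the docker run command, its values can be checked against the notes above (forbidden password characters, the comma-separated WG_ALLOWED_IPS list, the 10.7.0.x form of WG_DEFAULT_ADDRESS). The POSIX shell functions below are an added example, not part of the article or of the wg-easy project; the function names are assumptions.

```shell
# Added example, not the article's code: validate the step 3 values before "docker run".

# The article asks to avoid these characters in the console password: ! ( $ & " )
wg_password_ok() {
    case "$1" in
        '' | *'!'* | *'('* | *'$'* | *'&'* | *'"'* | *')'*) return 1 ;;
    esac
    return 0
}

# Accept an IPv4 prefix such as 10.0.0.0/8: four octets 0-255 and a prefix length 0-32.
wg_cidr_ok() {
    ip=${1%/*}; plen=${1#*/}
    [ "$ip" != "$1" ] || return 1                    # no "/" in the argument
    case "$plen" in '' | *[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs    # split the address on dots
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '' | *[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# WG_ALLOWED_IPS is a comma-separated list of prefixes; every entry must be valid.
wg_allowed_ips_ok() {
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    [ $# -ge 1 ] || return 1
    for prefix in "$@"; do wg_cidr_ok "$prefix" || return 1; done
    return 0
}

# WG_DEFAULT_ADDRESS must look like 10.7.0.x: three octets followed by a literal "x".
wg_default_address_ok() {
    case "$1" in *.x) wg_cidr_ok "${1%x}0/24" ;; *) return 1 ;; esac
}

# Validate all four values; print one line per problem and return 1 if any check fails.
# Usage: wg_easy_settings_ok HOST PASSWORD ALLOWED_IPS DEFAULT_ADDRESS
wg_easy_settings_ok() {
    rc=0
    [ -n "$1" ]                || { echo "WG_HOST is empty" >&2; rc=1; }
    wg_password_ok "$2"        || { echo "PASSWORD is empty or contains one of ! ( \$ & \" )" >&2; rc=1; }
    wg_allowed_ips_ok "$3"     || { echo "WG_ALLOWED_IPS '$3' is not a valid prefix list" >&2; rc=1; }
    wg_default_address_ok "$4" || { echo "WG_DEFAULT_ADDRESS '$4' must look like 10.7.0.x" >&2; rc=1; }
    return $rc
}
```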


 

Configure the Edge Gateway for WireGuard


If needed, please see this article for guidance with firewall and NAT rules to open ports for WireGuard.

In this example, the default ports (51820/UDP, 51821/TCP) were kept, and the following steps were performed (the IP sets for the virtual machine and for the external IP address had already been created when the SSH rules were set up):
 

  • Creation of custom applications



  • Creation of DNAT rules



  • Creation of firewall rules




    You should now be able to access the web interface.



    Notes

    In a production environment, for security reasons we do not recommend configuring "Any" as the Source of the rule that allows console access on the WAN IP address.

    The rule permitting console access from the WAN IP address can be enabled on demand or disabled completely in the firewall rules section.

    If console access from the WAN IP address is blocked, you will need to reach the user interface through the LAN IP address; in this example, by browsing to http://10.0.0.100:51821.


WireGuard VPN server configuration

  1. Log in to the WireGuard user interface with your password
     
  2. Add a new client (user)



  3. Name the client and click on Create



  4. Once the new client is created, the client configuration file can be downloaded or a QR code can be shown for mobile devices.


Repeat these steps to create additional users.
 

 

Client Setup (Windows)

  1. On a client machine, install the WireGuard client software. Setup files can be found here: https://www.wireguard.com/install/


  2. Download the client configuration file on the client machine

     
  3. Import the client configuration file in the WireGuard client software


     
  4. Connect the VPN



    The VPN is now connected.

    With the VPN connected, test the network access to make sure the configuration is working as expected.


 

User management

 

  1. Log in to the WireGuard user interface with your password

     
  2. From the console, a VPN client's (or VPN user's) access can be disabled, or the client can be removed, if needed.




Maintenance

 

To update the WG Easy Docker image or to change deployment settings, remove the WG Easy Docker container and deploy it again.

Note: Redeploying the WG Easy Docker image will not delete VPN clients, since their configuration is kept in the folder ~/.wg-easy.

 

  1. To stop all Docker containers on the server, run the following command line.

    docker stop $(docker ps -a -q)

     
  2. To remove all Docker containers on the server, run the following command line.

    docker rm $(docker ps -a -q)


  3. Deploy the WG-Easy Docker image again, following the steps above.
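The two commands above stop and remove every container on the host, not only WG Easy. The POSIX shell functions below are an added example, not the article's or the wg-easy project's code: they archive ~/.wg-easy first, then stop and remove only the wg-easy container and pull the newest weejewel/wg-easy image, after which step 3 is run again. The function names and the backup directory are assumptions.

```shell
# Added example, not the article's code: back up the config directory, then stop
# and remove only the wg-easy container (the article's commands act on all containers).

# Archive the WireGuard config directory ($1, default ~/.wg-easy) into $2
# (default ~/wg-easy-backups, an assumed location) and print the archive path.
wg_easy_backup() {
    src=${1:-$HOME/.wg-easy}
    dest=${2:-$HOME/wg-easy-backups}
    [ -d "$src" ] || { echo "config directory $src not found" >&2; return 1; }
    mkdir -p "$dest" || return 1
    out="$dest/wg-easy-$(date +%Y%m%d-%H%M%S).tar"
    # -C keeps the paths relative; restore with: tar -xf ARCHIVE -C ~/.wg-easy
    tar -cf "$out" -C "$src" . || return 1
    chmod 600 "$out"      # the archive holds the server and client private keys
    echo "$out"
}

# Stop and remove only the wg-easy container; any other container is left running.
wg_easy_remove_container() {
    if docker ps -a --format '{{.Names}}' | grep -qx wg-easy; then
        docker stop wg-easy >/dev/null && docker rm wg-easy >/dev/null
    else
        echo "no wg-easy container present, nothing to remove" >&2
    fi
}

# Full sequence: back up first and leave the container alone if that fails,
# then fetch the newest image so that the next "docker run" (step 3) uses it.
# Usage: wg_easy_redeploy [CONFIG_DIR] [BACKUP_DIR]
wg_easy_redeploy() {
    archive=$(wg_easy_backup "$1" "$2") || { echo "backup failed, container left running" >&2; return 1; }
    echo "configuration saved to $archive"
    wg_easy_remove_container || return 1
    docker pull weejewel/wg-easy >/dev/null || return 1
    echo "now run the docker run command from step 3 again"
}
```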

References

https://www.wireguard.com/

https://github.com/wg-easy/wg-easy