Ctrlk
APIGitHubYouTubeCommunityWebsite

Create AWS Remote Access VPN with WireGuard - deprecated

A laptop accessing an AWS VPC via WireGuard

Intro

An AWS account typically consists of multiple VPCs and private subnets. You may wish to provide remote access to private subnets or endpoints on AWS without exposing them publicly.

AWS has their own remote access VPN solution called “AWS Client VPN”. However, this can be unnecessarily expensive. With several users and endpoints, you can easily spend hundreds of dollars per month.

You can build a solution using WireGuard® and Netmaker for free. Follow these steps, and you should be up and running in about 30 minutes.

By the end of this tutorial, you will have a gateway device running on AWS, on which you can easily attach WireGuard clients to access private AWS resources.

Scenario

Private Rocket Chat instance on AWS

In this example, Rocket Chat runs on AWS and is only accessible over the VPC address (172.31.95.26). We want a developer to be able to log into Rocket Chat using this private address.

For your setup, this can be any private IPs or subnets on AWS, as long as the addresses are accessible from the gateway device (EC2 instance).

Step 1: Deploy the Gateway Device

Select a device in AWS to act as your VPN gateway. This can be a container or EC2 instance, but must be Linux-based. You can use an existing instance, but if deploying a new instance, Ubuntu 22.04 is recommended. You can use t2.micro, as it is not resource intensive.

This device must have access to the target devices or subnets, so make sure it is deployed in the correct availability zone, and that the target devices’ security settings allow traffic from the gateway device.

Lastly, the device must be accessible publicly over the WireGuard port, which by default for Netmaker is 51821, so open 51821/udp to 0.0.0.0/0 in the Security settings, and make sure it has a publicly reachable IP (e.g. Elastic IP address).

Gateway Requirements:

  • Device Type: EC2 Instance or Container (EC2 Instance recommended)

  • OS: Linux (Ubuntu 22.04 recommended)

  • Size: any (t2.micro recommended)

  • Network Settings: Must have a public endpoint, and expose 51821/udp publicly

Gateway EC2 Instance on AWS

Step 2: Add Gateway Device to Netmaker

Gateways

Step 3: Configure Egress

Click on “Add route”. Set the gateway device as an egress to the target IP address in AWS. In the example this is 172.31.95.26/32; modify as appropriate and provide multiple ranges if necessary.

Configure your Egress Gateway:

The device is now prepared to serve traffic to the target destination.

Step 4: Configure Gateway

How to Create and Configure Gateways
Download the WireGuard config file
Run the WireGuard config file

If everything has gone correctly, the private address should now be accessible from the local device:

Accessing the private Rocket Chat instance in the browser

You can generate additional clients as necessary, so your gateway provides access for a whole team.

Summary

1

Configure AWS for a netmaker gateway.

2

Configure an EC2 instance to act as the remote access gateway.

3

Generate and run a WireGuard config file locally to access AWS via the gateway.

PreviousRemote Access VPN to Azure with WireGuardNextHow to deploy a single Kubernetes cluster across multiple clouds using k3s and WireGuard - deprecate

Last updated

Was this helpful?