Create AWS Remote Access VPN with WireGuard - deprecated
A laptop accessing an AWS VPC via WireGuard
Intro
An AWS account typically consists of multiple VPCs and private subnets. You may wish to provide remote access to private subnets or endpoints on AWS without exposing them publicly.
AWS has its own remote access VPN solution, “AWS Client VPN”. However, it can be unnecessarily expensive: with several users and endpoints, you can easily spend hundreds of dollars per month.
You can build a solution using WireGuard® and Netmaker for free. Follow these steps, and you should be up and running in about 30 minutes.
By the end of this tutorial, you will have a gateway device running on AWS, on which you can easily attach WireGuard clients to access private AWS resources.
Scenario
Private Rocket Chat instance on AWS
In this example, Rocket Chat runs on AWS and is only accessible over the VPC address (172.31.95.26). We want a developer to be able to log into Rocket Chat using this private address.
For your setup, the target can be any private IP or subnet on AWS, as long as the addresses are reachable from the gateway device (the EC2 instance).
Step 1: Deploy the Gateway Device
Select a device in AWS to act as your VPN gateway. This can be a container or an EC2 instance, but it must be Linux-based. You can use an existing instance; if deploying a new one, Ubuntu 22.04 is recommended. A t2.micro is sufficient, as the gateway is not resource intensive.
This device must have access to the target devices or subnets, so make sure it is deployed in the correct availability zone and that the target devices’ security groups allow traffic from the gateway device.
Lastly, the device must be publicly reachable over the WireGuard port, which by default for Netmaker is 51821: open 51821/udp to 0.0.0.0/0 in the instance’s security group, and make sure it has a publicly reachable IP (e.g. an Elastic IP address). Open only this port; the WireGuard tunnel is the intended entry point, so nothing else on the gateway needs to be exposed to the internet.
Gateway Requirements:
Device Type: EC2 Instance or Container (EC2 Instance recommended)
OS: Linux (Ubuntu 22.04 recommended)
Size: any (t2.micro recommended)
Network Settings: Must have a public endpoint, and expose 51821/udp publicly
Gateway EC2 Instance on AWS
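The security-group requirement in Step 1 is easy to get slightly wrong (leaving SSH or “all traffic” open to the world alongside the WireGuard port). The following is an added example, not part of the original tutorial or of Netmaker: it audits a security group description in the shape returned by `aws ec2 describe-security-groups` (or boto3) and reports anything other than 51821/udp that is reachable from 0.0.0.0/0 or ::/0. The two group descriptions and their ids are constructed samples; the `audit_live` helper that fetches a real group via boto3 is an assumption about how you would wire it up and is not exercised here.

```python
"""Added example: audit the gateway's security group so that only the WireGuard
port (51821/udp) is exposed to the internet.  Not part of the original tutorial.
The group descriptions below are constructed by hand in the shape that
`aws ec2 describe-security-groups` / boto3 returns."""
from __future__ import annotations

WIREGUARD_PORT = 51821           # Netmaker's default WireGuard listen port
ANYWHERE = {"0.0.0.0/0", "::/0"}  # "open to the world" in IPv4 and IPv6

# Constructed sample: one group that follows the tutorial's advice, and one that
# also leaves SSH and "all traffic" open to the world.  Ids are placeholders.
SG_OK = {
    "GroupId": "sg-EXAMPLE-ok",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 51821, "ToPort": 51821,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},   # one admin address (TEST-NET-3)
    ],
}
SG_BAD = {
    "GroupId": "sg-EXAMPLE-bad",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 51821, "ToPort": 51821,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1",                               # "-1" means all protocols/ports
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


def world_open_rules(sg: dict) -> list[tuple[str, int | None, int | None]]:
    """Return (protocol, from_port, to_port) for every rule reachable from anywhere."""
    found = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if ANYWHERE & set(cidrs):
            found.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return found


def audit_gateway_sg(sg: dict) -> dict:
    """Check the tutorial's requirement: 51821/udp open to the world, and nothing else."""
    wg_rule = ("udp", WIREGUARD_PORT, WIREGUARD_PORT)
    rules = world_open_rules(sg)
    extra = [r for r in rules if r != wg_rule]
    return {
        "group": sg["GroupId"],
        "wireguard_exposed": wg_rule in rules,
        "unexpected_world_open": extra,
        "ok": wg_rule in rules and not extra,
    }


def audit_live(group_id: str) -> dict:
    """Assumed wiring for a real account: needs boto3 and AWS credentials (not run here)."""
    import boto3
    resp = boto3.client("ec2").describe_security_groups(GroupIds=[group_id])
    return audit_gateway_sg(resp["SecurityGroups"][0])


if __name__ == "__main__":
    for sg in (SG_OK, SG_BAD):
        print(audit_gateway_sg(sg))
```

Running the block prints one result per sample group; the second one lists the SSH rule and the all-protocols rule as unexpected. The same check works on any group id once `audit_live` has credentials to call with.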
Step 2: Add Gateway Device to Netmaker
Now that you’ve configured a suitable gateway device, you must add this device to Netmaker. You can self-host Netmaker, but to get started quickly (and for free), sign up at https://app.netmaker.io/.
By default, your account will have a virtual network named “netmaker” and an access key, also named “netmaker”. Use these for this tutorial (in the example screenshots these are named “rocket-chat”).
Click on the network, click on “hosts”, and then click the “Add a new host” button:
The Netmaker network’s Hosts list
Follow the steps to add the gateway device to Netmaker by downloading and installing the netclient, and joining the network.
Registration instructions for Netclient
Terminal output from installing the Netclient:
Terminal output from installing the Netclient
Once the device is visible in your “hosts” list, you can continue to configure the device as a Gateway.
Step 3: Configure Egress
Click on “Egress” and then “Create Egress”. Set the gateway device as an egress to the target IP address in AWS. In the example this is 172.31.95.26/32; modify as appropriate and provide multiple ranges if necessary.
The Egress Gateway screen
Configure your Egress Gateway:
Configure your Egress Gateway
The device is now prepared to serve traffic to the target destination.
Step 4: Configure Client Gateway
Provide remote access via a “Client Gateway”. The Client Gateway allows you to generate WireGuard config files, which are routed through the gateway device and into the network. After configuring, a user can reach the Egress range via the Client Gateway.
The AWS device will act as both an “Egress Gateway” and a “Client Gateway”, so it can accept traffic from WireGuard and forward it to the private subnet.
Click on “Clients” and then “Create Client”. If you do not have a Client Gateway yet, it will prompt you to select a device to act as the gateway and will generate your first client (WireGuard config file) on top of this gateway.
The Client Gateway screen
Configure the Client Gateway and WireGuard Client:
Configure the Client Gateway and WireGuard Client
You can now download this config file, and run it using any standard WireGuard client.
Download the WireGuard config file
Run the WireGuard config file
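Before handing a generated config file to a team member it is worth confirming what it actually routes. The following is an added example, not code from the tutorial or from Netmaker: it parses a WireGuard client config of the kind Netmaker generates and checks that the peer Endpoint points at the gateway on port 51821, that AllowedIPs covers the egress range from Step 3 (172.31.95.26/32), and that the file does not quietly route all of the client’s traffic (0.0.0.0/0) through AWS. The config text, its addresses and its keys are constructed placeholders (the keys are not real key material; the endpoint is an RFC 5737 documentation address standing in for the gateway’s Elastic IP).

```python
"""Added example (not from the tutorial): parse and sanity-check a WireGuard client
config before distributing it.  All values below are constructed placeholders."""
from __future__ import annotations

import base64
import ipaddress

EGRESS_RANGE = ipaddress.ip_network("172.31.95.26/32")  # the tutorial's egress target
WIREGUARD_PORT = 51821                                  # Netmaker's default port

# Constructed 32-byte placeholder keys, valid base64 but NOT real WireGuard keys.
PLACEHOLDER_PRIV = base64.b64encode(b"\x01" * 32).decode()
PLACEHOLDER_PUB = base64.b64encode(b"\x02" * 32).decode()

# Constructed sample in the layout a Netmaker client config uses.
SAMPLE_CONF = f"""
[Interface]
PrivateKey = {PLACEHOLDER_PRIV}
Address = 10.10.10.2/32

[Peer]
PublicKey = {PLACEHOLDER_PUB}
AllowedIPs = 10.10.10.0/24, 172.31.95.26/32
Endpoint = 198.51.100.7:51821
PersistentKeepalive = 20
"""
# Same file, but routing everything through the gateway (full tunnel).
FULL_TUNNEL_CONF = SAMPLE_CONF.replace(
    "AllowedIPs = 10.10.10.0/24, 172.31.95.26/32", "AllowedIPs = 0.0.0.0/0")


def parse_wg_conf(text: str) -> dict[str, list[dict[str, str]]]:
    """Minimal INI-style parser; a section name may repeat ([Peer] can appear many times)."""
    sections: dict[str, list[dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)       # split on the first '=' only (keys end in '=')
            current[key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def _is_key(value: str) -> bool:
    """A WireGuard key is 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def check_client_conf(text: str, egress=EGRESS_RANGE, port=WIREGUARD_PORT) -> dict:
    """Return {'ok': bool, 'problems': [...]} for a client config."""
    conf = parse_wg_conf(text)
    problems: list[str] = []
    iface = conf.get("Interface", [{}])[0]
    peers = conf.get("Peer", [])
    if not _is_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a 32-byte base64 key")
    if len(peers) != 1:
        problems.append(f"expected exactly one [Peer] (the gateway), found {len(peers)}")
    for peer in peers:
        if not _is_key(peer.get("PublicKey", "")):
            problems.append("Peer.PublicKey is not a 32-byte base64 key")
        host, _, p = peer.get("Endpoint", "").rpartition(":")
        if not host or p != str(port):
            problems.append(f"Endpoint must be <gateway-public-ip>:{port}, got {peer.get('Endpoint')!r}")
        allowed = [ipaddress.ip_network(a.strip())
                   for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if not any(egress.subnet_of(a) for a in allowed if a.version == egress.version):
            problems.append(f"AllowedIPs does not cover the egress range {egress}")
        if any(a.prefixlen == 0 for a in allowed):
            problems.append("AllowedIPs routes all traffic (0.0.0.0/0 or ::/0) through the gateway")
    return {"ok": not problems, "problems": problems}


if __name__ == "__main__":
    print(check_client_conf(SAMPLE_CONF))
    print(check_client_conf(FULL_TUNNEL_CONF))
```

The parser is deliberately small; it handles the keys Netmaker emits and raises on anything it cannot read rather than guessing. A full-tunnel config is not wrong as such, but for the scenario on this page (reaching one private address) the narrower AllowedIPs is what you want, so the check flags it.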
If everything has gone correctly, the private address should now be accessible from the local device:
Accessing the private Rocket Chat instance in the browser
You can generate additional clients as necessary, so your gateway provides access for a whole team.
Summary
1. Configure AWS for a remote access gateway.
2. Configure an EC2 instance to act as the remote access gateway.
3. Generate and run a WireGuard config file locally to access AWS via the gateway.