# Remote Access VPN to Azure with WireGuard

![Header image](/files/3e98b0232abd2cde93de328de5cbc23eafcbe6a5)

### **Introduction**

When working with Microsoft Azure, it is common to deploy resources that should not be publicly accessible, such as Windows Servers or internal services. These resources are typically hosted within a **Virtual Network (VNet)** and secured using subnets and network security rules.

The key challenge is: **how can you securely access these private resources from outside Azure?**

Azure provides a native solution through **Azure VPN Gateway**. However, this option can become costly as the number of users, devices, or connections increases.

A lightweight and cost-effective alternative is to use **WireGuard®** in combination with **Netmaker**. This approach allows you to build a secure private network and remotely access Azure resources without relying on expensive managed VPN services.

> **Note:** Azure Active Directory is now known as **Microsoft Entra ID**. This guide focuses on network-level access and does not require identity-based integration.

By the end of this guide, you will have a **secure VPN gateway deployed in Azure**, enabling remote access to private resources using a WireGuard client.

## Scenario

In this scenario:

* A **Windows Server 2019 Datacenter** instance is deployed in Azure
* The server is **not exposed to the public internet**
* It is accessible only via its **private IP address** (e.g., `10.0.0.4`) within the Virtual Network

#### **Objective**

Establish secure access to the Windows Server using **Remote Desktop Protocol (RDP)** over a **WireGuard VPN tunnel**, routed through an Azure-based gateway device.

![Virtual network subnet](/files/ba26d5199c3f8165e4694c2ef863c3117920b456)

### **Architecture Overview**

* A gateway device (running Netmaker and WireGuard) is deployed on an Azure Virtual Machine
* The gateway resides within the same Virtual Network as the target resources
* A client device connects securely to the gateway using WireGuard
* Traffic is routed through the tunnel, enabling private access to Azure resources

### **Implementation Steps**

#### **Deploy the Gateway Device (Egress Node)**

Deploy a Virtual Machine in Azure that will act as the VPN gateway (egress node).

#### **Recommended Configuration**

* **Deployment Type:** Virtual Machine (recommended for simplicity and stability)
* **Operating System:** Ubuntu 24.04 LTS or newer
* **Instance Size:** Small (e.g., B1s or equivalent)
* **Networking Configuration:**
  * Must be part of the **same Virtual Network and subnet** as the target resources
  * Must have a **Public IP address** assigned
  * Must allow inbound traffic for:
    * **SSH (TCP 22)** for administrative access; restrict the source to your admin IP range rather than `*`, since the gateway is a privileged host
    * **WireGuard (UDP 51821)**, the default netclient port. A single WireGuard interface serves every peer on one port, so a range such as 51821–51830/UDP is only needed if the node joins more than one Netmaker network (netclient uses the next port for each additional network)

***

### **Gateway Requirements Checklist**

Ensure that the gateway VM meets the following requirements:

* Connectivity to internal Azure resources (same VNet/subnet)
* Public IP address assigned
* SSH access enabled (port 22)
* WireGuard UDP port exposed (default: 51821)
* Linux-based operating system (Ubuntu recommended)
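
The VM and NSG rules from the checklist above, as an added Azure CLI example (this is not code from the Netmaker docs or the netclient project). Resource names, region, the VNet/subnet names and the admin IP range `203.0.113.10/32` are placeholders you must change; the script only defines functions unless `DEPLOY=1` is set, so it can be sourced and inspected safely:

```shell
#!/usr/bin/env bash
# Added example (not from Netmaker): create the WireGuard gateway VM with the
# Azure CLI. All names and ADMIN_CIDR are assumptions; override via environment.
set -eu

RG="${RG:-rg-wg-gateway}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-prod}"            # existing VNet that holds the Windows Server
SUBNET="${SUBNET:-default}"          # same subnet as the target resource
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # your admin IP (TEST-NET-3 placeholder)
WG_PORT=51821                        # default netclient WireGuard port
WG_NETWORKS="${WG_NETWORKS:-1}"      # number of Netmaker networks this node will join

# Refuse to open SSH to the whole internet: the gateway is a privileged host.
require_admin_cidr() {
  case "$1" in
    0.0.0.0/0|'*'|Internet|'') return 1 ;;
  esac
  return 0
}

# One WireGuard interface serves every peer on a single port; netclient only
# needs the next port for each additional network it joins.
wg_port_range() {
  n="$1"
  if [ "$n" -le 1 ]; then
    echo "$WG_PORT"
  else
    echo "$WG_PORT-$((WG_PORT + n - 1))"
  fi
}

deploy_gateway() {
  require_admin_cidr "$ADMIN_CIDR" || { echo "ADMIN_CIDR must not be 0.0.0.0/0" >&2; return 1; }
  nsg="nsg-wg-gateway"; pip="pip-wg-gateway"; nic="nic-wg-gateway"; vm="vm-wg-gateway"

  az network nsg create -g "$RG" -n "$nsg" -l "$LOCATION" -o none
  az network nsg rule create -g "$RG" --nsg-name "$nsg" -n AllowSSHFromAdmin \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$ADMIN_CIDR" --destination-port-ranges 22 -o none
  az network nsg rule create -g "$RG" --nsg-name "$nsg" -n AllowWireGuard \
    --priority 110 --direction Inbound --access Allow --protocol Udp \
    --source-address-prefixes '*' \
    --destination-port-ranges "$(wg_port_range "$WG_NETWORKS")" -o none

  az network public-ip create -g "$RG" -n "$pip" -l "$LOCATION" \
    --sku Standard --allocation-method Static -o none
  # --ip-forwarding is only required if the egress runs *without* NAT; with
  # NAT enabled the gateway sources forwarded packets from its own private IP.
  az network nic create -g "$RG" -n "$nic" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --network-security-group "$nsg" --public-ip-address "$pip" \
    --ip-forwarding true -o none

  az vm create -g "$RG" -n "$vm" -l "$LOCATION" --nics "$nic" --size Standard_B1s \
    --image Canonical:ubuntu-24_04-lts:server:latest \
    --admin-username azureuser --ssh-key-values ~/.ssh/id_ed25519.pub -o table
}

# Only create resources when explicitly asked; otherwise just define the functions.
if [ "${DEPLOY:-0}" = "1" ]; then
  deploy_gateway
fi
```

Run it as `DEPLOY=1 ADMIN_CIDR=<your-ip>/32 ./deploy-gateway.sh` after `az login`. The public IP it creates is what the WireGuard clients (and the Netmaker server) will reach; the NSG keeps TCP 22 limited to the admin range while UDP 51821 stays open, which is the minimum a WireGuard endpoint needs.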

{% stepper %}
{% step %}

### Add the Egress Device to Netmaker

1. Sign up at <https://app.netmaker.io> (or self-host Netmaker).
2. Use the default network and access key (the account will typically have a network named “netmaker” and an access key named “netmaker”). In the author’s screenshots the network/key are named “azure-gw” — either is fine.
3. In the Netmaker admin UI: click on Add device.
4. Follow the on-screen instructions: SSH to the VM, download and install the netclient, and join the network.<br>

   <figure><img src="/files/ReUhE4cQv54TqeTvbSCx" alt=""><figcaption></figcaption></figure>

{% endstep %}

{% step %}

### **Create an Egress Route**

In the **Netmaker Admin UI**:

1. Go to your **Network**
2. Open the **Egress / Routes section**
3. Click **“Add Route”**<br>

   <figure><img src="/files/sUpxbpONVovhla1dRmv6" alt=""><figcaption></figcaption></figure>
4. In the **Create New Egress Route** window:<br>

   * Enter a **Name**
   * (Optional) Add a **Description**
   * Enable **NAT (Direct)** so that client traffic leaves the gateway with the gateway's own private IP. The Windows Server then needs no return route to the WireGuard address range, and Azure needs no IP forwarding or route table for the reply path.
   * Set the **Egress Target** (e.g., your Azure subnet `10.0.0.0/24`); keep it as narrow as the resources you actually need to reach

   <figure><img src="/files/NTbnqEgek5IiHNPXXcDo" alt=""><figcaption></figcaption></figure>
5. Click **Next**
6. Select the **node (gateway device)** that will act as the Egress<br>

   <figure><img src="/files/b5czxS3Fn9ds3DqpRPrj" alt=""><figcaption></figcaption></figure>
7. (Optional) Configure **access policies**<br>

   <figure><img src="/files/McNvhMNwDz6q9Yc5TXV3" alt=""><figcaption></figcaption></figure>
8. Click **Finish**

After creation, the device is prepared to serve traffic to the target destination.
{% endstep %}

{% step %}

### Configure Gateway

1. Designate the gateway device as a **Gateway** in Netmaker. The gateway can then generate WireGuard client config files whose traffic is routed through the gateway device into the network and, via the egress route created above, on to the Azure subnet.
2. Download the generated WireGuard config file and bring it up with any standard WireGuard client on your local machine. Treat the file as a credential: it contains the client's private key, so distribute one per user and revoke it in Netmaker when that user leaves.

{% content-ref url="/pages/p29XsHMCd06A3OOepszC" %}
[How to Create and Configure Gateways](/getting-started/walkthrough/how-to-create-and-configure-gateways.md)
{% endcontent-ref %}

If everything is configured correctly you should be able to RDP to the Windows Server using its private IP (10.0.0.4 in the example) over the WireGuard tunnel. The Windows Server's network security group must permit TCP 3389 from the gateway's private address; the default `AllowVnetInBound` rule already covers this when both VMs are in the same VNet. Port 3389 should remain closed to the public internet, which is the point of the setup.

![RDP over private IP screenshot](/files/3423f7bf18aeac9a8fd329a89281539e9124d3d7)

You can generate additional clients to provide access for multiple users.
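
Before bringing a downloaded config up, it is worth checking what it will route. The following added shell example (not part of Netmaker or the WireGuard project) parses a WireGuard client config, reports whether it is a split tunnel limited to specific prefixes such as the Azure subnet or a full tunnel (`AllowedIPs = 0.0.0.0/0`), checks that the Azure subnet is included, and probes RDP on the private IP once the tunnel is up. The sample config written by `sample_config`, including its key values and endpoint, is constructed for illustration and does not represent what Netmaker generates:

```shell
#!/usr/bin/env bash
# Added example (not Netmaker's code): audit a WireGuard client config before
# `wg-quick up`, then probe RDP on the private IP through the tunnel.
set -eu

# Write a constructed sample client config to the given path (placeholder keys).
sample_config() {
  cat > "$1" <<'EOF'
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.10.10.2/32

[Peer]
PublicKey = <gateway-public-key-placeholder>
Endpoint = 198.51.100.20:51821
AllowedIPs = 10.10.10.0/24, 10.0.0.0/24
PersistentKeepalive = 20
EOF
}

# Print every AllowedIPs entry of every [Peer] section, one per line.
allowed_ips() {
  sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ',' '\n' | tr -d ' ' | sed '/^$/d'
}

# "full" if the config installs a default route through the gateway,
# "split" if it only routes specific prefixes (least privilege for a client).
tunnel_mode() {
  if allowed_ips "$1" | grep -qxF -e '0.0.0.0/0' -e '::/0'; then
    echo full
  else
    echo split
  fi
}

# Exit 0 when the given prefix (e.g. 10.0.0.0/24) is routed by the config.
routes_prefix() {
  allowed_ips "$1" | grep -qxF "$2"
}

# TCP probe of RDP on the private IP; run after `wg-quick up ./azure-gw.conf`.
probe_rdp() {
  nc -z -w 3 "$1" 3389
}

# Usage (commented out so the script defines functions without side effects):
#   tunnel_mode ./azure-gw.conf          # -> split
#   routes_prefix ./azure-gw.conf 10.0.0.0/24 && echo "azure subnet routed"
#   probe_rdp 10.0.0.4 && echo "RDP reachable over the tunnel"
```

On Windows, `Test-NetConnection 10.0.0.4 -Port 3389` performs the same probe. Prefer a split tunnel limited to the Azure prefixes unless you deliberately want the gateway to carry all of the client's traffic; a full tunnel makes the B1s gateway every client's default route and its NAT egress point.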
{% endstep %}
{% endstepper %}

## Summary

{% stepper %}
{% step %}
Configured Azure for a remote access gateway.
{% endstep %}

{% step %}
Configured an Azure VM instance to act as the remote access gateway.
{% endstep %}

{% step %}
Generated and ran a WireGuard config file locally to access a private Windows server via the gateway.
{% endstep %}
{% endstepper %}

