Remote Access VPN to Azure with WireGuard


Introduction

When working with Microsoft Azure, it is common to deploy resources that should not be publicly accessible, such as Windows Servers or internal services. These resources are typically hosted within a Virtual Network (VNet) and secured using subnets and network security rules.

The key challenge is: how can you securely access these private resources from outside Azure?

Azure provides a native solution through Azure VPN Gateway. However, this option can become costly as the number of users, devices, or connections increases.

A lightweight and cost-effective alternative is to use WireGuard® in combination with Netmaker. This approach allows you to build a secure private network and remotely access Azure resources without relying on expensive managed VPN services.

Note: Azure Active Directory is now known as Microsoft Entra ID. This guide focuses on network-level access and does not require identity-based integration.

By the end of this guide, you will have a secure VPN gateway deployed in Azure, enabling remote access to private resources using a WireGuard client.

Scenario

In this scenario:

  • A Windows Server 2019 Datacenter instance is deployed in Azure

  • The server is not exposed to the public internet

  • It is accessible only via its private IP address (e.g., 10.0.0.4) within the Virtual Network

Objective

Establish secure access to the Windows Server using Remote Desktop Protocol (RDP) over a WireGuard VPN tunnel, routed through an Azure-based gateway device.

(Figure: Virtual network subnet)

Architecture Overview

  • A gateway device (running Netmaker and WireGuard) is deployed on an Azure Virtual Machine

  • The gateway resides within the same Virtual Network as the target resources

  • A client device connects securely to the gateway using WireGuard

  • Traffic is routed through the tunnel, enabling private access to Azure resources

Implementation Steps

Deploy the Gateway Device (Egress Node)

Deploy a Virtual Machine in Azure that will act as the VPN gateway (egress node).

  • Deployment Type: Virtual Machine (recommended for simplicity and stability)

  • Operating System: Ubuntu 24.04 LTS or newer

  • Instance Size: Small (e.g., B1s or equivalent)

  • Networking Configuration:

    • Must be part of the same Virtual Network and subnet as the target resources

    • Must have a Public IP address assigned

  • Must allow inbound traffic for:

      • SSH (TCP 22) — for administrative access; restrict the source to your administrative address(es) rather than exposing SSH to the whole internet

      • WireGuard (UDP 51821) — Netmaker's default WireGuard port, open to any source so that clients can connect from anywhere. WireGuard serves all peers on this one port, so a range such as 51821–51830/UDP is only needed if you change the port or a second netclient network on the same VM is assigned its own port


Gateway Requirements Checklist

Ensure that the gateway VM meets the following requirements:

  • Connectivity to internal Azure resources (same VNet/subnet)

  • Public IP address assigned

  • SSH access enabled (port 22), limited to administrative source addresses

  • WireGuard UDP port exposed (default: 51821)

  • Linux-based operating system (Ubuntu recommended)
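The script below is an added example, not code from the original page or from Netmaker or Microsoft. It deploys the gateway VM with the Azure CLI in the form the checklist describes: a Standard public IP, a NIC in the existing subnet, and a network security group that admits SSH only from one administrative address while leaving the WireGuard UDP port open to the internet. The resource group, VNet and subnet names, the region, the admin source 198.51.100.7/32, the SSH key path and the Ubuntu 24.04 image URN are assumptions to adjust. Without arguments it prints the plan; `--apply` executes it.

```shell
#!/usr/bin/env bash
# Deploy the WireGuard/Netmaker gateway VM with a locked-down NSG using the Azure CLI.
# Added example, not from the original page or from Netmaker/Microsoft. Assumed names:
# resource group "rg-lab", VNet "vnet-lab", subnet "default" (the one holding the
# Windows Server), admin source 198.51.100.7/32, SSH key ~/.ssh/id_ed25519.pub.
# Usage: ./deploy-gw.sh           (prints the plan)
#        ./deploy-gw.sh --apply   (runs it; needs "az login" first)

RG="rg-lab"; LOCATION="westeurope"
VNET="vnet-lab"; SUBNET="default"
VM="vm-wg-gw"; NSG="nsg-wg-gw"; PIP="pip-wg-gw"; NIC="nic-wg-gw"
ADMIN_CIDR="198.51.100.7/32"   # the only address allowed to reach SSH
WG_PORT="51821"                 # Netmaker's default WireGuard port
# Assumed current URN; confirm with: az vm image list --offer ubuntu-24_04-lts --all -o table
IMAGE="Canonical:ubuntu-24_04-lts:server:latest"

# nsg_rule NAME PRIORITY PROTOCOL SOURCE PORT -> the az command creating one inbound Allow rule
nsg_rule() {
  printf "az network nsg rule create -g %s --nsg-name %s -n %s --priority %s --direction Inbound --access Allow --protocol %s --source-address-prefixes '%s' --destination-port-ranges %s\n" \
    "$RG" "$NSG" "$1" "$2" "$3" "$4" "$5"
}

# plan -> every command, one per line, in execution order
plan() {
  echo "az network nsg create -g $RG -n $NSG -l $LOCATION"
  nsg_rule allow-ssh-admin 100 Tcp "$ADMIN_CIDR" 22     # SSH: admin address only
  nsg_rule allow-wireguard 110 Udp '*' "$WG_PORT"        # WireGuard: any source
  echo "az network public-ip create -g $RG -n $PIP -l $LOCATION --sku Standard --allocation-method Static"
  echo "az network nic create -g $RG -n $NIC -l $LOCATION --vnet-name $VNET --subnet $SUBNET --network-security-group $NSG --public-ip-address $PIP"
  echo "az vm create -g $RG -n $VM -l $LOCATION --nics $NIC --image $IMAGE --size Standard_B1s --admin-username azureuser --ssh-key-values ~/.ssh/id_ed25519.pub"
}

# apply -> run the plan, stopping at the first failing command
apply() {
  tmp="$(mktemp)"; plan > "$tmp"
  while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd" || { echo "failed: $cmd" >&2; rm -f "$tmp"; return 1; }
  done < "$tmp"
  rm -f "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
  apply || exit 1
else
  plan
fi
```

A Standard SKU public IP accepts no inbound traffic until an NSG rule allows it, so the two rules above are the entire exposed surface of the gateway. Once the VM is up, SSH to it from the admin address and continue with the Netmaker steps.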

Step 1: Add the Egress Device to Netmaker

  1. Sign up at https://app.netmaker.io (or self-host Netmaker).

  2. Use the default network and access key. A new account typically has a network and an access key both named “netmaker”; in the author’s screenshots they are named “azure-gw”. Either works, as long as the same network is used in the following steps.

  3. In the Netmaker admin UI: click on Add device.

  4. Follow the on-screen instructions: SSH to the VM, download and install the netclient, and join the network.

Step 2: Create an Egress Route

In the Netmaker Admin UI:

  1. Go to your Network

  2. Open the Egress / Routes section

  3. Click “Add Route”

  4. In the Create New Egress Route window:

    • Enter a Name

    • (Optional) Add a Description

    • Enable NAT (Direct), so that traffic leaving the gateway towards the subnet carries the gateway's own Azure private IP. Without NAT, Azure drops packets whose source address does not belong to the NIC unless IP forwarding is enabled on it, and the Windows Server would also need a return route to the VPN address range.

    • Set the Egress Target to the Azure subnet that holds the private resources (e.g., 10.0.0.0/24)

  5. Click Next

  6. Select the node (gateway device) that will act as the Egress

  7. (Optional) Configure access policies

  8. Click Finish

After creation, the gateway node forwards traffic from the VPN network to the egress target.

Step 3: Configure Gateway

  1. Configure the gateway device as a Remote Access Gateway. Netmaker can then generate WireGuard client configuration files whose routes go through the gateway device into the network and on to the egress target.

  2. Download the generated WireGuard config file and import it into any standard WireGuard client on your local machine. The file contains the client's private key, so treat it as a credential: deliver it over a secure channel and do not share one file between users.

See also: How to Create and Configure Gateways

If everything is configured correctly you should be able to RDP to the Windows Server using its private IP (10.0.0.4 in the example) over the WireGuard tunnel. If the tunnel comes up but RDP does not connect, check that the Windows Server's NSG permits TCP 3389 from the gateway's private IP (the default AllowVnetInBound rule does) and that the egress target covers the server's subnet.

(Screenshot: RDP over private IP)

Generate a separate client (and config file) for each user or device rather than sharing one, so that a single user's access can be removed in Netmaker without affecting the others.
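Before bringing the tunnel up it is worth checking the downloaded file against the deployment. The script below is an added example, not Netmaker's code: it parses the WireGuard config, confirms that AllowedIPs covers the egress target 10.0.0.0/24 without turning the client into a full tunnel (0.0.0.0/0), that the Endpoint port is the one the NSG allows (51821) and that PersistentKeepalive is set, and offers a probe of TCP 3389 on 10.0.0.4 once the interface is up. The gateway address 203.0.113.10 and the sample config it writes for its self-test are constructed.

```shell
#!/usr/bin/env bash
# Sanity-check a Netmaker-generated WireGuard client config before "wg-quick up".
# Added example, not code from the original page or from Netmaker. Assumed values:
# egress target 10.0.0.0/24, NSG-allowed port 51821, RDP target 10.0.0.4.
# Usage: ./check-wg.sh azure-gw.conf   (no argument: self-test on a constructed sample)

EGRESS_TARGET="10.0.0.0/24"
GATEWAY_PORT="51821"
RDP_TARGET="10.0.0.4"

# wg_conf_get FILE KEY -> value of the first "Key = value" line (keys compared case-insensitively)
wg_conf_get() {
  awk -v key="$2" '
    { line = $0; sub(/\r$/, "", line) }
    line ~ /^[ \t]*#/ { next }
    index(line, "=") {
      k = substr(line, 1, index(line, "=") - 1); v = substr(line, index(line, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (tolower(k) == tolower(key)) { print v; exit }
    }' "$1"
}

# check_wg_conf FILE -> 0 when the config gives split-tunnel access to the Azure subnet,
# 1 otherwise; every finding is written to stderr.
check_wg_conf() {
  conf="$1"; rc=0
  allowed=",$(wg_conf_get "$conf" AllowedIPs | tr -d ' '),"
  endpoint="$(wg_conf_get "$conf" Endpoint)"
  port="${endpoint##*:}"

  # 1. The egress target must be routed into the tunnel, or RDP to 10.0.0.4 never enters it.
  case "$allowed" in
    *",$EGRESS_TARGET,"*) ;;
    *) echo "AllowedIPs does not include egress target $EGRESS_TARGET" >&2; rc=1 ;;
  esac
  # 2. 0.0.0.0/0 or ::/0 would push all of the client's traffic through the small gateway VM.
  case "$allowed" in
    *",0.0.0.0/0,"*|*",::/0,"*) echo "AllowedIPs makes this a full tunnel" >&2; rc=1 ;;
  esac
  # 3. The endpoint port must be the UDP port the NSG actually allows.
  if [ "$port" != "$GATEWAY_PORT" ]; then
    echo "Endpoint port '$port' is not the NSG-allowed port $GATEWAY_PORT" >&2; rc=1
  fi
  # 4. A keepalive keeps the client-side NAT mapping open so the gateway can reach back.
  if [ -z "$(wg_conf_get "$conf" PersistentKeepalive)" ]; then
    echo "PersistentKeepalive is not set" >&2; rc=1
  fi
  return $rc
}

# rdp_reachable -> 0 if TCP 3389 on the Windows Server answers through the tunnel (needs nc)
rdp_reachable() { nc -z -w 3 "$RDP_TARGET" 3389; }

# write_sample_conf FILE -> constructed config in the shape Netmaker produces (keys are dummies)
write_sample_conf() {
  cat > "$1" <<'EOF'
[Interface]
PrivateKey = DUMMY_CLIENT_PRIVATE_KEY=
Address = 10.101.0.2/32

[Peer]
PublicKey = DUMMY_GATEWAY_PUBLIC_KEY=
AllowedIPs = 10.101.0.1/32, 10.0.0.0/24
Endpoint = 203.0.113.10:51821
PersistentKeepalive = 20
EOF
}

if [ $# -eq 0 ]; then
  tmp="$(mktemp)"; write_sample_conf "$tmp"
  check_wg_conf "$tmp" && echo "sample config OK"
  rm -f "$tmp"
else
  check_wg_conf "$1" && echo "$1 OK; next: sudo wg-quick up ./$1 && nc -vz -w 3 $RDP_TARGET 3389"
fi
```

wg-quick derives the interface name from the file name, so keep the downloaded file short and alphanumeric (for example azure-gw.conf). The split-tunnel check matters on a B1s gateway: a generated config with AllowedIPs = 0.0.0.0/0 would route every client's internet traffic through that VM, not just the RDP session.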

Summary

  1. Configured Azure for a remote access gateway.

  2. Configured an Azure VM instance to act as the remote access gateway.

  3. Generated and ran a WireGuard config file locally to access a private Windows server via the gateway.
