Remote Access VPN to Azure with WireGuard - deprecated


Intro

If you use Azure, you may deploy resources that you don’t want to expose publicly — for instance, a Windows Server. In these scenarios the resource will be contained in an Azure Virtual Network and Subnet. But how do you access these resources remotely from your devices?

Azure has a remote access VPN solution called “Azure VPN Gateway”, but it can be expensive with several users and endpoints. You can build a free alternative using WireGuard® and Netmaker. Follow the steps below — you should be up and running in about 30 minutes.

By the end of this tutorial you will have a gateway device running on Azure that you can use to access your private Azure resources using a WireGuard VPN client.

Scenario

Scenario diagram

In the example, a Windows Server 2019 Datacenter runs on Azure and is only accessible via RDP over the virtual network subnet address (10.0.0.4). The goal is to use RDP to access the server using this private IP via a WireGuard tunnel through an Azure-based gateway device.

Inbound RDP rule
Virtual network subnet

Steps

1. Deploy the Egress Device

Deploy a device in Azure to act as your egress gateway. Recommended: Ubuntu (latest) on the smallest available instance type (a VM rather than a container). The gateway device must:

  • Be in the same virtual network/subnet as the target devices so it can reach them.

  • Allow inbound SSH (port 22) for administration, ideally restricted to your own administrative IP address rather than Any.

  • Have a public IP so clients can connect to it.

  • Expose the WireGuard port used by Netmaker (by default the netclient listens on UDP 51821). Open at least 51821/udp from Any source, because VPN clients connect from changing addresses; this guide opened 51821–51830/udp to be safe. WireGuard does not answer packets that fail authentication, so the exposed UDP port does not reveal the service to unauthenticated senders.

Deploy VM screenshot

Gateway Device Requirements:

  • Device Type: VM or Container (VM recommended)

  • OS: Linux (Ubuntu 22.04 recommended)

  • Size: any

  • Network Settings: public IP, part of the virtual network/subnet, expose 51821/udp publicly (and port 22 for SSH)

2. Add the Egress Device to Netmaker

  1. Sign up at https://app.netmaker.io (or self-host Netmaker from http://github.com/gravitl/netmaker).

  2. Use the default network and access key (the account will typically have a network named “netmaker” and an access key named “netmaker”). In the author’s screenshots the network/key are named “azure-gw” — either is fine.

  3. In the Netmaker UI: click your network → Hosts → Add a new host.

  4. Follow the on-screen instructions: SSH to the VM, download and install the netclient, and join the network.

Netmaker hosts list
Add host instructions

After installation you should see output similar to this and the device listed in Hosts.

Installation output
Device listed in Hosts list

3. Configure Egress

  1. In the Netmaker UI, click on the gateway device, then click “Egress” → “Create Egress”.

  2. Configure the egress to point to the Azure virtual network subnet range (or to a single IP or list of IPs within the subnet). This makes the gateway forward traffic destined for the private Azure subnet.

Egress button
Create Egress screenshot

After creation, the gateway device forwards tunnel traffic to the configured destination range.

Egress configured

4. Configure Client Gateway

  1. The Client Gateway allows generating WireGuard config files that route through the gateway device into the network.

  2. In Netmaker: Clients → Create Client. If no Client Gateway exists yet, Netmaker will prompt you to select a device to act as the gateway and will generate the first client (the WireGuard config file) attached to that gateway.

  3. Download the generated WireGuard config file, import it into any standard WireGuard client on your local machine, and activate the tunnel.

Create client screenshot
Client generated screenshot

Click the client ID to view details and download configs:

Client details

If everything is configured correctly you should be able to RDP to the Windows Server using its private IP (10.0.0.4 in the example) over the WireGuard tunnel.
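Before activating a downloaded config, it is worth checking that it routes only what this setup needs. The script below is an added example, not code from the original guide or from the Netmaker project: it parses a WireGuard client config and verifies, for the values used in this guide, that the Azure subnet 10.0.0.0/24 and the target 10.0.0.4 fall inside AllowedIPs, that no 0.0.0.0/0 entry turns the split tunnel into a full tunnel, that the Endpoint port is inside the 51821–51830/udp range opened in the NSG, and that the client's tunnel address does not overlap the Azure subnet. The sample config, its placeholder keys and the endpoint 203.0.113.10 are constructed for illustration.

```python
import ipaddress

AZURE_SUBNET = ipaddress.ip_network("10.0.0.0/24")  # virtual network subnet from the guide
TARGET_IP = ipaddress.ip_address("10.0.0.4")         # private IP of the Windows Server
WG_PORT_RANGE = range(51821, 51831)                  # 51821-51830/udp opened in the NSG

# Constructed sample config: keys, tunnel address and endpoint are placeholders, not real values.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.101.0.3/32

[Peer]
PublicKey = <gateway-public-key-placeholder>
AllowedIPs = 10.101.0.0/24, 10.0.0.0/24
Endpoint = 203.0.113.10:51821
PersistentKeepalive = 20
"""


def parse_wg_conf(text):
    """Parse an INI-style WireGuard config into a list of (section_name, {key: value}).

    A small hand-written parser is used instead of configparser because a config
    may legitimately contain several [Peer] sections with the same name.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip(), {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))  # keys end with '='
            current[1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def check_client_conf(text, subnet=AZURE_SUBNET, target=TARGET_IP, ports=WG_PORT_RANGE):
    """Return a list of findings; an empty list means the config matches this setup."""
    findings = []
    sections = parse_wg_conf(text)
    interfaces = [body for name, body in sections if name == "Interface"]
    peers = [body for name, body in sections if name == "Peer"]

    if len(interfaces) != 1:
        findings.append(f"expected exactly one [Interface] section, found {len(interfaces)}")
    else:
        iface = interfaces[0]
        for key in ("PrivateKey", "Address"):
            if key not in iface:
                findings.append(f"[Interface] is missing {key}")
        if "Address" in iface:
            # The tunnel address comes from Netmaker's own range and must not collide
            # with the Azure subnet, or routing to the server becomes ambiguous.
            tunnel_net = ipaddress.ip_interface(iface["Address"]).network
            if tunnel_net.overlaps(subnet):
                findings.append(f"tunnel address {iface['Address']} overlaps the Azure subnet {subnet}")
    if not peers:
        findings.append("no [Peer] section: the config does not point at the gateway")

    routed = []
    for peer in peers:
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if not cidr:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"AllowedIPs {net} is a full-tunnel default route; "
                                "this setup intends a split tunnel to the Azure subnet only")
            routed.append(net)
        endpoint = peer.get("Endpoint")
        if endpoint is None:
            findings.append("[Peer] has no Endpoint, so the client cannot reach the gateway")
        else:
            _host, _, port = endpoint.rpartition(":")  # rpartition also handles [v6]:port
            if not port.isdigit() or int(port) not in ports:
                findings.append(f"Endpoint port {port!r} is outside the UDP range opened in the NSG "
                                f"({ports.start}-{ports.stop - 1})")

    # ip_address in ip_network is False across address families, so no version filter is needed.
    if not any(target in net for net in routed):
        findings.append(f"{target} is not covered by any AllowedIPs entry, "
                        "so traffic to it will not enter the tunnel")
    return findings


if __name__ == "__main__":
    for line in check_client_conf(SAMPLE_CONF) or ["OK: config routes the Azure subnet through the gateway"]:
        print(line)
```

Run it against the real downloaded file by reading the file contents into `check_client_conf` in place of `SAMPLE_CONF`; an empty result means the tunnel will carry 10.0.0.0/24 and nothing else, which is the behaviour this guide relies on.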

RDP over private IP screenshot

You can generate additional clients to provide access for multiple users.

Summary

  1. Configured Azure for a remote access gateway.

  2. Configured an Azure VM instance to act as the remote access gateway.

  3. Generated and ran a WireGuard config file locally to access a private Windows server via the gateway.
