# Create a WireGuard® Peer between a VDC and an on-premises Gateway
## Overview

This tutorial demonstrates configuring the VPN Gateway in IONOS Cloud to create a site-to-site setup between an IONOS Cloud VDC and a simulated on-premises installation. It uses a managed WireGuard® instance to provide secure, encrypted connectivity between an IONOS Cloud VDC and a simulated on-premises setup.

**Trademark notice:** All references to WireGuard in this guide refer to the WireGuard® protocol and software. WireGuard is a registered trademark of Jason A. Donenfeld.

This tutorial demonstrates the use of the following components:

| Component | Description |
| --- | --- |
| Two VDCs | IONOS Cloud TXL acts as IONOS Cloud's VDC. User On-Prem LHR simulates a user-managed on-premises setup. |
| Managed gateways | We use a single managed gateway in IONOS Cloud TXL for the cloud side. For a user-managed gateway, we use an on-premises simulation, install the components, and manually configure WireGuard on a virtual server to complete the setup. |

**Target audience:** This tutorial is intended to help both developers and technical decision-makers.

**What you will learn:** By following this tutorial, you will learn how to:

- Set up a managed WireGuard VPN Gateway in IONOS Cloud.
- Simulate an on-premises WireGuard gateway using a virtual server.
- Generate and manage WireGuard key pairs for secure connectivity.
- Configure VPN peers and endpoints for site-to-site communication.
- Deploy and configure WireGuard on a user-managed gateway.
- Manually add routing rules to enable traffic flow between cloud and on-premises LANs.
- Verify end-to-end connectivity between the two sites.

## Before you begin

**Note:** Sample keys are used as examples in this document. Do not use these keys for real-world scenarios.

The following information is necessary to set up a connection between a WireGuard VDC and an on-premises VDC:

| Component | IONOS Cloud (left): IONOS Cloud TXL | User on-premises (right): User On-Prem LHR |
| --- | --- | --- |
| VDC name | IONOS Cloud TXL | User On-Prem LHR |
| Gateway public address | 203.0.113.10 | 203.0.113.20 |
| LAN ID | 1 | 2 (not applicable in this use case) |
| LAN subnet | 192.168.1.0/24 | 192.168.2.0/24 |
| Gateway LAN address | 192.168.1.5 | 192.168.2.5 |
| LAN host 1 | 192.168.1.11 | 192.168.2.11 |
| LAN host 2 | 192.168.1.12 | 192.168.2.12 |
| WireGuard subnet | 172.16.1.0/30 | 172.16.1.0/30 |
| Gateway WireGuard address | 172.16.1.1/30 | 172.16.1.2/30 |
| Gateway private key | abcdefabc12345= | khkhabcc+67891= |
| Gateway public key | defdefhih/98765= | lmnolmno/89762= |

### Reserve IP addresses

Before proceeding, ensure you have an IP block with at least one free IP address to assign to each gateway. For more information, see [Reserve an IPv4 address](https://docs.ionos.com/cloud/network-services/vdc-networking/how-tos/ip-addresses).

| Component | IONOS Cloud (left): IONOS Cloud TXL | User on-premises (right): User On-Prem LHR |
| --- | --- | --- |
| Gateway public address | 203.0.113.10 | 203.0.113.20 |

### Configure LAN

This tutorial uses 192.168.1.0/24 for the private LAN in IONOS Cloud (left) and 192.168.2.0/24 for user on-premises (right). Assign an IP address from each subnet to its respective gateway. For example, use 192.168.1.5 for the VPN Gateway, as it is not DHCP-aware. The chosen IP address must be outside the DHCP pool and should be in the range from 2 to 9.

User On-Prem LHR simulates a user-managed gateway that uses its LAN host address of 192.168.2.5 instead; hence, the above statement does not apply to this data center.

| Component | IONOS Cloud (left): IONOS Cloud TXL | User on-premises (right): User On-Prem LHR |
| --- | --- | --- |
| LAN ID | 1 | 2 (not applicable here) |
| LAN subnet | 192.168.1.0/24 | 192.168.2.0/24 |
| Gateway LAN address | 192.168.1.5 | 192.168.2.5 |

### WireGuard interface IP address and subnet information

Each participant in a WireGuard VPN setup requires its own WireGuard interface address and subnet, which are unrelated to the networks you use in the cloud. It should be a subnet that does not conflict with anything already in the cloud or on the client side.

| Component | IONOS Cloud (left): IONOS Cloud TXL | User on-premises (right): User On-Prem LHR |
| --- | --- | --- |
| WireGuard subnet | 172.16.1.0/30 | 172.16.1.0/30 |
| Gateway WireGuard address | 172.16.1.1/30 | 172.16.1.2/30 |

### Generate key pairs

WireGuard requires a key pair for the gateway and each connected peer. You can generate them using the WireGuard utilities or the OpenSSL command-line tools. Although we describe both approaches below, we recommend the former because it is a more straightforward procedure.

| Component | IONOS Cloud (left): IONOS Cloud TXL | User on-premises (right): User On-Prem LHR |
| --- | --- | --- |
| Gateway private key | abcdefabc12345= | khkhabcc+67891= |
| Gateway public key | defdefhih/98765= | lmnolmno/89762= |

Use `wg genkey` to create the private key and `wg pubkey` to derive the public key from the private key. You can also perform it via a single command, as shown below. Repeat the process for the gateway and each peer.

```
demo$ wg genkey | tee gateway.private.key | wg pubkey > gateway.public.key
demo$ cat gateway.private.key
abcdefabc12345=
demo$ cat gateway.public.key
defdefhih/98765=
```

Use OpenSSL to generate DER keys and convert them to the format required by WireGuard. We will use this to create the key pair:

```
demo$ openssl genpkey -algorithm x25519 -outform DER -out user.private.der
demo$ openssl pkey -inform DER -in user.private.der -pubout -outform DER -out user.public.der
demo$ cat user.private.der | tail -c 32 | base64 > user.private.key
demo$ cat user.public.der | tail -c 32 | base64 > user.public.key
demo$ rm *.der
demo$ cat user.private.key
khkhabcc+67891=
demo$ cat user.public.key
lmnolmno/89762=
```

With both tools available locally, we can verify the OpenSSL-generated key by using the WireGuard tools to derive the public key from the OpenSSL-generated private key:

```
demo$ wg pubkey < user.private.key
lmnolmno/89762=
```

As we can see, the public key matches the one generated by OpenSSL.

## Process

### Set up IONOS Cloud

Below are some screenshots from the DCD that contain the required VDCs. To begin with, two virtual servers on IONOS Cloud are provisioned and connected to each other via a private LAN. In this instance, LAN 1 uses a custom subnet of 192.168.1.0/24. We designate these two LAN hosts as 192.168.1.11 and 192.168.1.12, respectively.

### Simulate on-premises setup
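The `tail -c 32` trick and the `wg pubkey` cross-check above, reproduced in Python as an added example (not code from the original tutorial): the DER prefixes are the fixed RFC 8410 headers OpenSSL writes before the 32 raw key bytes, the X25519 ladder follows RFC 7748, and `keys_match` is the check to run before pasting a public key into a peer configuration.

```python
import base64

# Pure-Python X25519 (RFC 7748): slow and not constant-time, so use it only to
# sanity-check keys, never to generate production key material.
P = 2**255 - 19
A24 = 121665
BASE_POINT_U = (9).to_bytes(32, "little")
# Fixed DER headers (RFC 8410) that precede the 32 raw key bytes; this is why
# the tutorial's `tail -c 32` on the OpenSSL DER files yields WireGuard keys.
PKCS8_PREFIX = bytes.fromhex("302e020100300506032b656e04220420")
SPKI_PREFIX = bytes.fromhex("302a300506032b656e032100")


def x25519(scalar: bytes, u: bytes) -> bytes:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64  # clamp, exactly as wg genkey / openssl do
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):  # Montgomery ladder
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, e = a * a % P, b * b % P, (a * a - b * b) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    # No final swap needed: clamping forces bit 0 of the scalar to zero.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def raw_key_from_der(der: bytes, prefix: bytes) -> bytes:
    """`tail -c 32`, plus a check that the DER really is an X25519 key."""
    if not (der.startswith(prefix) and len(der) == len(prefix) + 32):
        raise ValueError("unexpected DER shape for an X25519 key")
    return der[-32:]


def wg_pubkey(private_key_b64: str) -> str:
    """Same derivation as `wg pubkey < private.key`."""
    priv = base64.b64decode(private_key_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(x25519(priv, BASE_POINT_U)).decode()


def keys_match(private_key_b64: str, public_key_b64: str) -> bool:
    """Confirm a public key belongs to a private key before configuring a peer."""
    return wg_pubkey(private_key_b64) == public_key_b64
```

The tutorial's sample keys are placeholders and not valid 32-byte keys, so exercise the functions with keys produced by `wg genkey` or with the RFC 7748 test vectors.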
Imagine the User On-Prem LHR VDC as a user-managed site where you provision two virtual servers. Here, we will use the subnet 192.168.2.0/24. Host 1 has been configured with internet access (IP address 203.0.113.20) and will function as the on-premises host acting as a user-managed gateway. We address these two LAN hosts as 192.168.2.11 and 192.168.2.12, respectively, and the user-managed VPN gateway is assigned the following IP address: 192.168.2.5.

### Provision the VPN Gateway

1. In the DCD, go to **Menu > Network Services > VPN Gateway**.
2. Click **Create VPN Gateway** from the **VPN Gateways** window.
3. Enter the following details:

| Component | Description | Example |
| --- | --- | --- |
| Name | Enter a descriptive name for the gateway instance. It is not required to be globally unique but must be limited to 255 characters. | IONOS Cloud TXL |
| Description | Enter a descriptive text for the gateway. It is limited to 1024 characters. | VPN Gateway for creating a WireGuard peer between a VDC and on-premises gateway |
| Location | Select a location from the drop-down list of available locations for VPN Gateway. | de/txl |
| IP address | Select an IP address from the drop-down list of available public IPv4 addresses. | 203.0.113.10 |

The Enhanced VPN tier is selected by default. The number of LANs and peers differs for each tier. You can also enable High Availability for a chosen tier, allowing VMs to operate in an active-passive mode. It minimizes downtime during a failover and ensures an uninterrupted connection.

**Note:** You can only upgrade the tier or switch between High Availability (HA) and non-HA variants during editing.

Select the WireGuard protocol and specify the following:

| Component | Description | Example |
| --- | --- | --- |
| Private key | The gateway private key value generated earlier in this document. | abcdefabc12345= |
| Interface IPv4 | The IPv4 address of the WireGuard interface. | 172.16.1.1/30 |
| Interface IPv6 | The IPv6 address of the WireGuard interface. This demonstration does not contain IPv6 addresses. | Not applicable |
| ListenPort | The UDP port on which WireGuard will listen for encrypted VPN packets. The tutorial uses the default value 51280. | 51280 |

**Attach a VPN Gateway to LANs:** In IONOS Cloud, you can only connect to LANs in the exact location where the VPN Gateway was provisioned. Take a look at the following mandatory parameters:

| Component | Description | Example |
| --- | --- | --- |
| Datacenter | Select a data center from the drop-down that lists VDCs in the same location as the gateway. | IONOS Cloud TXL |
| Connections | After selecting a data center, click **Add LAN Connection** to launch an additional pop-up window to set the properties. See below. | |

Enter the following in the **Edit LAN Connection** pop-up window:

| Component | Description | Example |
| --- | --- | --- |
| LAN | The ID of the LAN to connect to. | 1 |
| IPv4 CIDR | The LAN IPv4 address assigned to the subnet's gateway in CIDR notation. | 192.168.1.5 |
| IPv6 CIDR | The LAN IPv6 address assigned to the subnet's gateway in CIDR notation. | Not applicable |

4. Click **Save** and wait for the gateway to complete provisioning. The process typically takes about 8-10 minutes, but further operations on the gateway will be instantaneous.

### Configure the VPN peer

Now that the VPN Gateway instance is provisioned, the next step is to configure a peer to permit the two sides to talk with each other. We will need to configure a peer on both gateways, but the on-premises one will be configured using WireGuard configuration files.

1. Click **Create Peers** to begin configuring a new peer. Enter the following details to configure a peer:

| Component | Description | Example |
| --- | --- | --- |
| Peer name | Specify a name for the peer. It does not need to be globally unique and can be up to 255 characters long. | Customer site |
| Description | Enter more descriptive text for the peer, not exceeding 1024 characters. | Not applicable |

Configure the endpoint so the gateway knows with which remote address the connection must be established. We will configure this as the public IPv4 address of the gateway to be created in User On-Prem LHR.

| Component | Description | Example |
| --- | --- | --- |
| Endpoint host | The gateway public IPv4 address of the remote on-prem gateway. | 203.0.113.20 |
| Endpoint port | The endpoint port on which WireGuard will listen for incoming encrypted VPN packets. The tutorial uses the default value 51280. | 51280 |

The **Peers** section specifies which networks are permitted across the peer. Here we will specify the WireGuard subnet in CIDR notation, as described earlier.

| Component | Description | Example |
| --- | --- | --- |
| Allowed IPs | Enter a comma-separated list of subnets in CIDR notation that are permitted to send traffic to the given peer. It is the subnet used on the peer side. | 192.168.2.0/24 |
| Public key | The public key of the peer, as we generated earlier in this tutorial. | lmnolmno/89762= |

2. Click **Save** to save the peer configuration. This operation should typically be completed within a minute or two.

### Deploy on-premises WireGuard instance

In this tutorial, the on-premises "user-vpn-gw" host acts as a user-managed gateway. The host has internet access, so SSH can be used instead of the web console. Start by establishing an SSH connection to the on-premises "user-vpn-gw" host's public IPv4 address:

```
demo$ ssh 203.0.113.20 -l root
Linux userlanhost1 6.1.0-26-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 16 09:29:05 2024 from 123.123.123.123
root@userlanhost1:~#
```

1. **Install prerequisite software.** Note: This tutorial performs a basic install and setup of WireGuard. It is neither an in-depth guide nor does it contain detailed information about the configuration files' content. It is an exercise for the reader to determine the correct installation procedure for a secure production environment. Update the package lists and install the required packages:

```
apt-get update
apt-get install wireguard wireguard-tools -y
```

2. **Enable IP forwarding.** The VPN gateway acts as a router and, therefore, is required to forward packets:

```
sysctl -w net.ipv4.ip_forward=1
```

This tutorial does not use an IPv6 address. If you intend to use one, ensure `net.ipv6.conf.all.forwarding=1` exists.

3. **Configure the user-managed gateway.** This tutorial will walk you through specific options for configuring WireGuard, but the rest of the configuration remains an exercise for the reader. This section contains the configuration files and content specific to this installation and peer setup.

### Configure routing on LAN hosts

Currently, it is impossible to automate the addition of routes to LAN hosts to route the required subnets over the VPN Gateway. In this section, we will manually add the required routes. Remember to add them to the LAN hosts in both VDCs.

**Step 1: Configure routing on LAN hosts**

1. Establish a console session to the LAN host(s). We will use the web console to test connectivity for the LAN hosts without internet access. Open a console session and ping the LAN address assigned to the VPN Gateway, 192.168.1.5. Begin by pinging the IP address connected with the IONOS Cloud TXL host `cloudlanhost1` in Berlin:

```
root@cloudlanhost1:~# ping -c 3 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.626 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=0.527 ms
64 bytes from 192.168.1.5: icmp_seq=3 ttl=64 time=0.336 ms

--- 192.168.1.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2035ms
rtt min/avg/max/mdev = 0.336/0.496/0.626/0.120 ms
root@cloudlanhost1:~#
```

2. Configure the VPN route. The LAN host(s) must know where to route the return traffic. To accomplish this, we will add a route for the on-premises LAN subnet 192.168.2.0/24 through the gateway's LAN address 192.168.1.5:

```
ip route add 192.168.2.0/24 via 192.168.1.5
```

Currently, we cannot ping the on-premises LAN hosts because those servers do not yet know how to route the return traffic. Continue with configuring the on-premises route in User On-Prem LHR to resolve this issue.

**Step 2: Configure on-premises route**

1. Establish an SSH session to the LAN hosts. Note: Do not perform this configuration on the host acting as the user-managed gateway, as it already knows how to route based on the WireGuard configuration; apply it to the two LAN hosts. We will use the web console to test connectivity for the LAN hosts without internet access. Open a console session and ping the LAN address assigned to the VPN gateway, 192.168.2.5. Begin by pinging the IP address connected with the User On-Prem LHR host `userlanhost2` in London:

```
root@userlanhost2:~# ping -c 3 192.168.2.5
PING 192.168.2.5 56(84) bytes of data.
64 bytes from 192.168.2.5: icmp_seq=1 ttl=64 time=0.333 ms
64 bytes from 192.168.2.5: icmp_seq=2 ttl=64 time=0.370 ms
64 bytes from 192.168.2.5: icmp_seq=3 ttl=64 time=0.307 ms

--- 192.168.2.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2043ms
rtt min/avg/max/mdev = 0.307/0.336/0.370/0.025 ms
root@userlanhost2:~#
```

2. Configure the VPN route. The LAN host(s) must know where to route return traffic. To accomplish this, we will add a route to the cloud LAN subnet (192.168.1.0/24) through the user-managed gateway's LAN address (192.168.2.5):

```
ip route add 192.168.1.0/24 via 192.168.2.5
```

Repeat this process for all on-premises LAN hosts that need to send or receive traffic over the peer. At this point, we should have full connectivity between the two sites via the VPN Gateway.

### Final result

You should now be able to ping hosts in the simulated on-premises setup in User On-Prem LHR from cloud hosts in IONOS Cloud TXL, and vice versa.

On a cloud LAN host (`cloudlanhost1`), test connectivity to an on-premises LAN host:

```
root@cloudlanhost1:~# ping -c 5 192.168.2.12
PING 192.168.2.12 56(84) bytes of data.
64 bytes from 192.168.2.12: icmp_seq=1 ttl=62 time=18.3 ms
64 bytes from 192.168.2.12: icmp_seq=2 ttl=62 time=18.6 ms
64 bytes from 192.168.2.12: icmp_seq=3 ttl=62 time=18.3 ms
64 bytes from 192.168.2.12: icmp_seq=4 ttl=62 time=18.3 ms
64 bytes from 192.168.2.12: icmp_seq=5 ttl=62 time=18.0 ms

--- 192.168.2.12 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 18.034/18.291/18.562/0.168 ms
```

On an on-premises LAN host (`userlanhost1`), test connectivity to a cloud LAN host:

```
root@userlanhost2:~# ping -c 5 192.168.1.11
PING 192.168.1.11 56(84) bytes of data.
64 bytes from 192.168.1.11: icmp_seq=1 ttl=62 time=19.9 ms
64 bytes from 192.168.1.11: icmp_seq=2 ttl=62 time=18.6 ms
64 bytes from 192.168.1.11: icmp_seq=3 ttl=62 time=18.2 ms
64 bytes from 192.168.1.11: icmp_seq=4 ttl=62 time=18.2 ms
64 bytes from 192.168.1.11: icmp_seq=5 ttl=62 time=18.6 ms

--- 192.168.1.11 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 18.182/18.704/19.938/0.644 ms
```

## Conclusion

You have successfully configured a site-to-site VPN connection between IONOS Cloud and your on-premises setup by utilising a managed VPN Gateway in the cloud and a user-managed on-premises gateway.
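The on-premises `wg0.conf` and the LAN-host return routes that the steps above leave to the reader, as an added example that is not part of the original tutorial: it renders both from the tutorial's parameter table, puts the WireGuard transfer subnet into `AllowedIPs` alongside the remote LAN (an assumption, so the two gateways can reach each other's tunnel addresses), and refuses subnets that overlap the local LAN, since WireGuard's cryptokey routing would otherwise steer local traffic into the tunnel.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str
    public_ip: str    # gateway public address
    lan: str          # LAN subnet behind the gateway
    lan_address: str  # the gateway's own LAN address (next hop for LAN hosts)
    wg_address: str   # WireGuard interface address in CIDR notation
    private_key: str
    public_key: str
    listen_port: int = 51280  # the port the tutorial uses on both sides

# Values from the tutorial's parameter table (the keys are its placeholders).
CLOUD = Gateway("IONOS Cloud TXL", "203.0.113.10", "192.168.1.0/24",
                "192.168.1.5", "172.16.1.1/30", "abcdefabc12345=", "defdefhih/98765=")
ON_PREM = Gateway("User On-Prem LHR", "203.0.113.20", "192.168.2.0/24",
                  "192.168.2.5", "172.16.1.2/30", "khkhabcc+67891=", "lmnolmno/89762=")


def allowed_ips(local: Gateway, remote: Gateway) -> list[str]:
    """AllowedIPs for the [Peer] entry on `local`: transfer subnet + remote LAN.
    AllowedIPs is also the source filter for decrypted packets, so overlaps with
    the local LAN are rejected rather than silently black-holing local traffic."""
    local_lan = ipaddress.ip_network(local.lan)
    remote_lan = ipaddress.ip_network(remote.lan)
    wg_net = ipaddress.ip_interface(local.wg_address).network
    if local_lan.overlaps(remote_lan) or local_lan.overlaps(wg_net):
        raise ValueError(f"{remote.lan} or {wg_net} overlaps local LAN {local.lan}")
    return [str(wg_net), str(remote_lan)]


def wg0_conf(local: Gateway, remote: Gateway, keepalive: int = 25) -> str:
    """Render /etc/wireguard/wg0.conf for the user-managed gateway."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {local.private_key}",
        f"Address = {local.wg_address}",
        f"ListenPort = {local.listen_port}",
        "",
        "[Peer]",
        f"PublicKey = {remote.public_key}",
        f"Endpoint = {remote.public_ip}:{remote.listen_port}",
        f"AllowedIPs = {', '.join(allowed_ips(local, remote))}",
        f"PersistentKeepalive = {keepalive}",  # keeps NAT mappings alive
    ]) + "\n"


def lan_host_route(local: Gateway, remote: Gateway) -> str:
    """The `ip route add` each LAN host behind `local` needs for return traffic."""
    return f"ip route add {remote.lan} via {local.lan_address}"
```

`wg0_conf(ON_PREM, CLOUD)` gives the on-premises gateway file, and `lan_host_route(CLOUD, ON_PREM)` and `lan_host_route(ON_PREM, CLOUD)` reproduce the two route commands from Steps 1 and 2.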
