The quickest way to setup your own modern VPN server.
WireGuard VPN is a rethink of how VPN software are designed and is receiving genuine appreciation from the community. This Azure Bicep template helps you to setup a WireGuard VPN server quickly, taking care of all the configuration steps.
- Create an Azure Resource Group. The name of all resources are generated automatically to avoid any conflicts.
- Create an Ubuntu Server Virtual Machine.
- You will be prompted for a password during the deployment.
- A Network Security Group with firewall rules is attached to the Virtual Machine.
- Port 51820 is enabled for WireGuard
- Port 22 is enabled for SSH. Disable this port once you download the config files and enable it only for maintenance.
- Install WireGuard Server.
- Configure WireGuard Server
- Create Private and Public Keys for Server and Client.
- Create the Server Configuration.
- The WireGuard interface IP address is set to 10.13.13.1.
- Setup NAT on the server to forward client traffic to the internet.
- Start the WireGuard Interface.
- Configure WireGuard to auto start.
- Generate ten client configuration files, which you can download and start using.
- The ten clients are given the IP addresses 10.13.13.101 to 10.13.13.110.
- The Client DNS server is set to 1.1.1.1.
- Enable UFW firewall.
- Install Ubuntu Server Upgrades.
- Schedule a Reboot after 24 hours, to ensure all Ubuntu Server Upgrades are applied.
Some knowledge of how Azure Bicep templates work is really helpful.
Method 1 - From Azure CLI
-
Clone the git repository.
-
Login to your Azure subscription
az login
-
(Optional Step ... In case you have multiple Azure subscriptions) List your Azure subscriptions
az account list --output table
-
(Optional Step ... In case you have multiple Azure subscriptions) Set your default Azure subscription to which this Bicep template will be deployed
az account set --subscription <SubscriptionId>
-
(Optional Step ... In case you want to validate the template) Run a what-if check
az deployment sub create --name wireguard --location eastus --template-file .\AzureWireGuard\AzureWireGuard.bicep --what-if
-
Deploy the Bicep template with defaults. For customization refer to this.
az deployment sub create --name wireguard --location eastus --template-file .\AzureWireGuard\AzureWireGuard.bicep
- There are multiple ways to deploy an Azure Bicep template like Powershell, VS Code and Azure Portal Cloud Shell.
-
While deploying the Bicep template you can pass a parameters file
az deployment sub create --name wireguard --location eastus --template-file .\AzureWireGuard\AzureWireGuard.bicep --parameters "@AzureWireGuard\AzureWireGuard.parameters.json"
-
The template parameters available for customization are
Parameter Description Defaults code A string used in the resource names Random string to avoid resource conflicts. uniqueString
Based on the Subscription Id and LocationadminUsername Admin Username for the Virtual Machine vmadmin adminPassword Password for the Virtual Machine Prompts during deployment location Location to deploy the resources. The location specified in the az deployment
command does not control the location of the resources. It is the location of the Azure Deploymenteastus vmSize Size of the Virtual Machine Standard_DS2_v2 tags Tags that are attached to the resources created DeployedOn
-
The client configuration files are named wg0-client-1.conf, wg0-client-2.conf, ..., wg0-client-9.conf and wg0-client-10.conf.
-
They are located in the administrator users home folder (~/).
-
You can use tools like scp and pscp to download the client configuration files directly from the server.
scp <admin-user>@<server-fqdn>:/home/<admin-user>/wg0-client-1.conf /local/dir/
pscp <admin-user>@<server-fqdn>:/home/<admin-user>/wg0-client-1.conf c:\local\
Example:
scp [email protected]:/home/vmadmin/wg0-client* /local/dir/
- The client configuration files generated have Linux Line Endings (LF) while Windows WireGuard clients would expect DOS Line Endings (CRLF).
- While editing the AzureWireGuard.sh script file on Windows use Linux EOL. Windows EOL will cause script failure.
- Recommended to have a VM with atleast two cores.
- Once the configuration files are downloaded, you can disable the SSH port 22 on the Azure Network Security Group for added security.
- Azure Accelerated Networking is enabled by default for better network performance, this limits the choice of Azure VM sizes.
The earlier version of AzureWireGuard used Azure ARM templates. It is no longer maintained but is available on the branch named arm-retired
- Fork the repo on GitHub
- Clone the project to your own machine
- Commit changes to your own branch
- Push your work back up to your fork
- Submit a Pull Request so that changes can be reviewed and merged
NOTE: Be sure to pull the latest from "upstream" before making a pull request!