Create a WireGuard Peer between a VDC and an on-premises Gateway

Introduction

A VPN Gateway enables secure, encrypted communications between roaming users, on-premises networks, and cloud resources. This tutorial demonstrates configuring the VPN Gateway in IONOS Cloud to create a site-to-site setup between an IONOS Cloud VDC and a simulated on-premises installation. It uses a managed WireGuard instance to provide secure, encrypted connectivity between an IONOS Cloud VDC and a simulated on-premises setup.

Overview

This tutorial demonstrates the use of the following:

Components

Description

Two VDCs

- de/txl as IONOS Cloud's VDC. - gb/ldn simulates a user-managed on-premises setup.

Managed gateways

We use a single managed gateway in de/txl for the cloud side. For a user-managed gateway, we use on-premises simulation, install the components, and manually configure WireGuard on a virtual server to complete the setup.

Before you begin

The following information is necessary to set up a connection between a WireGuard VDC and an on-premises VDC:

Components

IONOS Cloud (Left) (de/txl)

User On-Premises (Right) (gb/ldn)

Gateway Public Address

203.0.113.10

LAN ID

2 (Not applicable in this use case)

LAN Subnet

192.10.1.0/24

192.10.2.0/24

WireGuard Subnet

172.16.1.0/30

Gateway WireGuard Address

172.16.1.1/30

172.16.1.2/30

Gateway LAN Address

192.10.1.5

192.10.2.2

Gateway Private Key

abcdefABC12345=

kHKHABcC+67891=

Pre-Shared Key

defDEFhiH/98765=

lmnoLMNO/89762=

Reserve IP addresses

Before proceeding, ensure you have an IP block with at least one free IP address to assign to each gateway. For more information, see Reserve an IPv4 Address.

IONOS Cloud (Left) (de/txl) Gateway Public Address

User On-Premises (Right) (gb/ldn) Gateway Public Address

203.0.113.10

203.0.113.20

Configure LAN

This tutorial uses 192.10.1.0/24 and 192.10.2.0/24 for private LANs in IONOS Cloud (Left) and User On-Premises (Right), respectively. Remember to assign an IP address from the subnet to each gateway. We will use 192.10.1.5 as the VPN Gateway is not DHCP-aware. Remember to assign an IP address from the subnet to each gateway. The chosen IP address must be outside the DHCP pool and range from .2 to .9.

Note: gb/ldn is a simulating user-managed gateway that uses its LAN host address of 192.10.2.3 instead. Hence, the above statement does not apply to this data center.

Components

IONOS Cloud (Left) (de/txl)

User On-Premises (Right) (gb/ldn)

LAN ID

2 (But not applicable here)

LAN Subnet

192.10.1.0/24

192.10.2.0/24

Gateway LAN Address

192.10.1.5

192.10.2.2

WireGuard interface IP address and subnet information

Each participant in a WireGuard VPN setup requires its own WireGuard interface address and subnet, which are unrelated to the networks you use in the cloud. It should be a subnet that does not conflict with anything already in the cloud or on the client side.

Components

IONOS Cloud (Left) (de/txl)

User On-Premises (Right) (gb/ldn)

WireGuard Subnet

172.16.1.0/30

Gateway Wireguard Address

172.16.1.1/30

172.16.1.2/30

Generate Keypairs

WireGuard requires a key pair for the gateway and each connected peer. You can generate them using the WireGuard utilities or the OpenSSL command-line tools. Although we describe both approaches below, we recommend the former because it is a more straightforward procedure.

Components

IONOS Cloud (Left) (de/txl)

User On-Premises (Right) (gb/ldn)

Gateway Private Key

abcdefABC12345=

kHKHABcC+67891=

Gateway Public Key

defDEFhiH/98765=

lmnoLMNO/89762=

Use wg genkey to create the private key and wg pubkey to derive the public key content from the private key. You can also perform it via a single command, as shown below. Repeat the process for the gateway and each peer.

demo: wg genkey |tee gateway_private_key | wg pubkey > gateway_public_key
demo: cat gateway_private_key
abcdefABC12345=
demo: cat gateway_public_key
defDEFhiH/98765=

Use openssl to generate der keys and convert them to the required format for WireGuard. We will use this to create the roaming users' keypair:

demo: openssl genpkey -algorithm X25519 -outform der -out user_private.der
demo: openssl pkey -inform der -in user_private.der -pubout -outform der -out user_public.der
demo: cat user_private.der |tail -c 32 | base64 > user_private_key
demo: cat user_public.der |tail -c 32 | base64 > user_public_key
demo: rm *.der
demo: cat user_private_key
kHKHABcC+67891=
demo: cat user_public_key
lmnoLMNO/89762=

With both these tools available locally, we can verify the OpenSSL-generated key by using the WireGuard tools to derive the public key from the OpenSSL-generated private key.

demo: wg pubkey < user_private_key
lmnoLMNO/89762=

As we can see, the public key content matches the one generated by OpenSSL.

Execution

The execution process is divided into the following steps:

Set up IONOS Cloud
Simulate on-premises setup
Provision the VPN Gateway
Configure the VPN peer
Deploy on-premises WireGuard instance
Configure routing on LAN hosts

1. Set up IONOS Cloud

Below are some screenshots from the DCD that contains the required VDCs.

To begin with, two virtual servers on the IONOS Cloud are provisioned and connected to each other via a private LAN. In this instance, LAN1 uses a custom subnet of 192.10.1.0/24. We designate these two servers as 192.10.1.10 and 192.10.1.11, respectively.

2. Simulate on-premises setup

Imagine the gb/ldn VDC as a user-managed site where you provision two virtual servers. Here, we will use the subnet 192.10.2.0/24. Host 1 has been configured with internet access (IP address: 203.0.113.20) and will function as the on-premises host acting as a user-managed gateway. We address these two servers as 192.10.2.2 and 192.10.2.3, respectively.

3. Provision the VPN Gateway

In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
Click Create VPN Gateway from the VPN Gateways window.
Enter the following details:

Components

Description

Example

Name

Enter a descriptive name for the gateway instance. It is not required to be globally unique but must be limited to 255 characters.

wg-txl

Description

Enter a descriptive text for the gateway. It is limited to 1024 characters.

VPN Gateway for creating a WireGuard Peer between a VDC and on-premises gateway.

Location

Select a location from the drop-down list of available locations for VPN Gateway.

de/txl

IP Address

Select an IP address from the drop-down list of available public IPv4 addresses.

203.0.113.10

Select WireGuard protocol and specify the following:

Components

Description

Example

Private Key

The gateway_private_key value generated earlier in this document.

abcdefABC12345=

Interface IPv4

The IPv4 address of the WireGuard interface.

172.16.1.1/30

Interface IPv6

The IPv6 address of the WireGuard interface. This demonstration does not contain IPv6 addresses.

Not applicable

ListenPort

The UDP port on which WireGuard will listen for encrypted VPN packets. The tutorial uses the default value 51280.

The default value is 51280.

Click Save and wait for the gateway to complete provisioning. The process typically takes about 8-10 minutes, but further operations on the gateway will be instantaneous.

4. Configure the VPN peer

Now that the VPN Gateway instance is provisioned, next step is to configure a peer to permit the two sides to talk with each other. We will need to configure a peer on both gateways but the on-premises will be configured using WireGuard configuration files.

Click Create Peers to begin configuring a new peer.

Enter the following details to configure a peer:

Components

Description

Example

Peer Name

Specify a name for the peer. It does not need to be globally unique and can be up to 255 characters long.

customer_site

Description

Enter more descriptive text for the peer, not exceeding 1024 characters.

Not applicable

Remote Host

The gateway public IPv4 address of the remote VPN Gateway.

194.10.2.2

Configure the endpoint so the gateway knows with which remote address the connection must be established. We will configure this as the public IPv4 address of the gateway to be created in gb/ldn.

The peers section specifies which networks are permitted across the peer. Here we will specify the WireGuard subnet in CIDR notation as described earlier.

Components

Description

Example

Allowed IPs

Enter a comma separated list of subnets in CIDR notation that are permitted to send traffic to the given peer. It is the subnet used on the peer side.

10.10.2.0/24

Public Key

The public key of the peer as we generated earlier in this tutorial.

lmnoLMNO/89762=

Click Save to save the peer configuration. This operation should typically be completed within a minute or two.

5. Deploy on-premises WireGuard instance

In this tutorial, host 1 in gb/ldn acts as a user-managed gateway. The host has internet access, so SSH can be used instead of the web console. Start by establishing an SSH connection to host 1's public IPv4 address in London.

Install pre-requisite software

Note: This tutorial performs a basic install and setup of WireGuard. It is neither an in-depth guide nor does it contain detailed information about the configuration files' content. It is an exercise for the reader to determine the correct installation procedure for a secure production environment.

Update the package lists and install the required packages:

apt-get update
apt-get install wireguard wireguard-tools -y

Enable IP forwarding

The VPN gateway acts as a router and, therefore, is required to forward packets:

sysctl -w net.ipv4.ip_forward=1

This tutorial does not use an IPv6 address. If you intend to use one, ensure net.ipv6.config.all.forwarding=1 exists.

Configure the user-managed WireGuard server

This tutorial will walk you through specific options for configuring WireGuard, but the rest of the configuration remains an exercise for the reader. This section contains the configuration files and content specific to this installation and peer setup.

1. Set up the roaming users local installation

Let us first examine an empty WireGuard configuration file:


[Interface]
PrivateKey =
Address =
ListenPort =
[Peer]
PublicKey =
AllowedIPs =
Endpoint =

2. Evaluate and configure sections parameters

Let us evaluate each section parameter to understand what they are and what the values should be to configure the client:

Components

Value

Description

Example

Interface

PrivateKey

The user-managed gateway private key. Ensure it matches the public key we used when creating the peer in the DCD.

kHKHABcC+67891=

Interface

Address

The IP address to assign to the WireGuard interface on the user-managed gateway.

172.16.1.2/30

Interface

ListenPort

The UDP Port that was configured on the managed gateway, by default this is 51820.

51820

Peer

PublicKey

The public key of the IONOS managed gateway. Ensure it matches the private key we used when creating the IONOS managed gateway.

defDEFhiH/98765=

Peer

AllowedIPs

IP addresses allowed across the VPN. This should permit the subnet in use at the de/txl location.

192.10.1.0/24

Peer

Endpoint

The public IP address and port of the managed VPN gateway instance.

192.10.1.5:51820

Result: This results in a final configuration file as follows, which must be saved to the /etc/wireguard/wg0.conf file:

[Interface]
PrivateKey = kHKHABcC+67891=
Address = 172.16.1.2/30
ListenPort = 51820
 
[Peer]
PublicKey = defDEFhiH/98765=
AllowedIPs = 192.10.1.0/24
Endpoint = 192.10.1.5:51820

3. Start Wireguard on the user-managed gateway

Let us start WireGuard on the user-managed gateway using wg utilities. It enables the wg0 interface and adds the required routing entries:


root@london-lan-host-1:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.16.1.2/30 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 192.10.1.0/24 dev wg0

Now execute wg show to see the status:


root@london-lan-host-1:~# wg show
interface: wg0
  public key: lmnoLMNO/89762=
  private key: (hidden)
  listening port: 51820
peer: defDEFhiH/98765=
  endpoint: 192.10.1.5:51820
  allowed ips: 192.10.1.0/24

6. Configure routing on LAN hosts

Currently, it is impossible to automate the addition of routes to LAN hosts to route the required subnets over the VPN Gateway. In this section, we will manually add the required routes. Remember to add them to the LAN hosts in both the VDCs.

Configure de/txl Route

1. Establish a console session to the LAN host(s)

Because we did not provide internet access for the LAN hosts, our only route is via the web console. Open up a console session and test connectivity to the LAN Address assigned to the VPN gateway; in our case, it is 192.10.1.5. Hence, let us first test if we can ping this IP address:

2. Configure the VPN route

The LAN host(s) must know where to route the return traffic. To accomplish this, we will add a route for the gb/ldn LAN subnet (192.10.2.0/24) via the de/txl gateway's LAN address (192.10.1.5):

ip route add 192.10.2.0/24 via 192.10.1.5

Currently, we cannot ping hosts in the gb/ldn region because those servers do not yet know how to route the return traffic. Continue adding routes for LAN hosts in gb/ldn to resolve this issue.

Configure on-premises route

1. Establish a console session to the LAN hosts

Note: Perform the configuration on the host acting as the user-managed gateway, as it already knows how to route based on the WireGuard configuration. This section relates only to the other on-premises hosts connected to the same LAN.

Currently, the only way to access the system is through the web console, as we did not provide internet access for the second LAN host in our on-premises setup. First, open a console session and test the connectivity to the LAN address assigned to the VPN Gateway. In this case, the address is 192.10.2.2 (which corresponds to LAN Host 1, the user-managed gateway). Let us begin by attempting to ping this IP address.

2. Configure the VPN route

The LAN host(s) must know where to route return traffic. To accomplish this, we will add a route for the de/txl LAN subnet (192.10.1.0/24) via the gb/ldn gateway's LAN address (192.10.2.2):

ip route add 192.10.1.0/24 via 192.10.2.2

Repeat this process for all on-premises LAN hosts that need to send or receive traffic over the peer. At this point, we should have full connectivity between the two sites via the VPN Gateway.

Verify Connectivity

You should now be able to ping hosts in the simulated on-premises setup in gb/ldn from cloud hosts in de/txl and vice-versa.

Summary

You have successfully configured a site-to-site VPN connection between IONOS Cloud and your on-premises setup by utilising a Managed VPN Gateway in the cloud and a user-managed on-premises gateway.

PreviousCreate an IPSec Tunnel between two VDCs NextFAQs

Last updated 21 days ago

Was this helpful?