Introduction
An AWS account typically consists of multiple VPCs and private subnets. You may wish to provide remote access to private subnets or endpoints on AWS without exposing them publicly.
AWS has its own remote access VPN solution, called “AWS Client VPN”. However, it can be unnecessarily expensive: with several users and endpoints, you can easily spend hundreds of dollars per month.
Luckily, it is pretty easy to build your own solution using WireGuard® and Netmaker for free. Follow these steps, and you should be up and running in about 30 minutes.
By the end of this tutorial, you will have a gateway device running on AWS, on which you can easily attach WireGuard clients to access private AWS resources.
The Problem
In our example scenario, we have Rocket Chat running on AWS, which is only accessible over the VPC address (172.31.95.26). We want a developer to be able to log into Rocket Chat using this address.
For your setup, these can be any private IPs or subnets on AWS, as long as the addresses are reachable from the gateway device (EC2 instance).
Part 1: Deploy the Gateway Instance
Select a device in AWS to act as your VPN gateway. This can be a container or an EC2 instance, but it must be Linux-based. You can use an existing instance, but if deploying a new instance, we recommend using the latest Ubuntu (22.04 as of this writing). You can use t2.micro, as it is not resource intensive.
This device must have access to the target devices or subnets, so make sure it is deployed in the correct availability zone, and that the target devices’ security settings allow traffic from the gateway device.
Lastly, the device must be accessible publicly over the WireGuard port, which by default for Netmaker is 51821, so open 51821/udp to 0.0.0.0/0 in the Security settings, and make sure it has a publicly reachable IP (e.g. Elastic IP address).
Gateway Requirements:
- Device Type: EC2 Instance or Container (EC2 Instance recommended)
- OS: Linux (Ubuntu 22.04 recommended)
- Size: any (t2.micro recommended)
- Network Settings: Must have a public endpoint, and expose 51821/udp publicly
Part 2: Set Up the Gateway with Netmaker
Now that you’ve configured a suitable gateway device, you must add this device to Netmaker. You can self-host Netmaker, but to get started quickly (and for free), simply sign up at https://app.netmaker.io.
By default, your account will have a virtual network named “netmaker” and an access key, also named “netmaker”. You should use these for the remainder of the tutorial, but note that in our example and screenshots these are named “rocket-chat”.
Click on the network, click on “hosts”, and then click the “Add a new host” button:
Follow the steps to add the gateway device to Netmaker, by downloading and installing the netclient, and joining the network.
Once the device is visible in your “hosts” list, you can continue to configure the device as a Gateway.
Part 3: Configure Egress Gateway
Click on “Egress” and then “Create Egress”. We will set the gateway device as an egress to the target IP address in AWS. In our example this is 172.31.95.26/32, but modify this as appropriate, providing multiple ranges if necessary.
The device is now prepared to serve traffic to the target destination.
Part 4: Configure the WireGuard Client Gateway
The last step is to provide remote access via a “Client Gateway”. The Client Gateway simply allows you to generate WireGuard config files whose traffic is routed through the gateway device and into the network. So, once it is configured, a user will be able to reach the Egress range via the Client Gateway.
Our device on AWS will act as both an “Egress Gateway” and a “Client Gateway”, so that it can accept traffic from WireGuard, and forward it to the private subnet.
Click on “Clients” and then “Create Client”. Since you do not have a Client Gateway yet, it will prompt you to select a device to act as the gateway, and will generate your first client (WireGuard config file) on top of this gateway.
You can now download this config file, and run it using any standard WireGuard client.
If everything has gone correctly, the private address should now be accessible from the local device:
Accessing the private Rocket Chat instance in the browser
You can generate additional clients as necessary, so that your gateway provides access for a whole team.
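Before handing a generated config to a developer, it is worth confirming that it routes only the egress range from Part 3 through the gateway on the 51821/udp endpoint opened in Part 1. The following Python check is an added example, not part of the tutorial or of Netmaker; the sample config, the key placeholders and the 203.0.113.10 endpoint are constructed.

```python
import ipaddress

# Constructed sample resembling a Netmaker-generated client config (keys are placeholders).
SAMPLE_CONFIG = """\
[Interface]
Address = 10.101.0.5/32
PrivateKey = <client-private-key-placeholder>

[Peer]
PublicKey = <gateway-public-key-placeholder>
AllowedIPs = 10.101.0.0/24, 172.31.95.26/32
Endpoint = 203.0.113.10:51821
PersistentKeepalive = 20
"""

EGRESS_RANGES = ["172.31.95.26/32"]   # the range configured on the Egress Gateway in Part 3
WG_PORT = 51821                       # Netmaker's default WireGuard port opened in Part 1


def parse_wg_config(text):
    """Parse WireGuard INI-style text into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    sections = {"Interface": {}, "Peer": []}
    current = sections["Interface"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Peer":
                sections["Peer"].append({})
                current = sections["Peer"][-1]
            else:
                current = sections.setdefault(name, {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def check_client_config(text, egress_ranges=EGRESS_RANGES, port=WG_PORT):
    """Return a list of findings; an empty list means the config matches the tutorial's intent."""
    findings = []
    cfg = parse_wg_config(text)
    if len(cfg["Peer"]) != 1:
        findings.append("expected exactly one [Peer] section (the gateway)")
    for peer in cfg["Peer"]:
        allowed = [ipaddress.ip_network(a.strip()) for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if any(n.prefixlen == 0 for n in allowed):   # 0.0.0.0/0 or ::/0 sends all user traffic via the EC2 gateway
            findings.append("AllowedIPs contains a default route; tunnel is not limited to the egress range")
        for rng in egress_ranges:                     # every egress range must be covered or the host is unreachable
            target = ipaddress.ip_network(rng)
            if not any(target.subnet_of(n) for n in allowed if n.version == target.version):
                findings.append(f"egress range {rng} not in AllowedIPs")
        host, _, ep_port = peer.get("Endpoint", "").rpartition(":")
        if not host or ep_port != str(port):
            findings.append(f"Endpoint port should be {port}, the port opened in the security group")
    return findings
```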
Conclusion
In this tutorial, we:
- Configured AWS for a remote access gateway
- Configured an EC2 instance to act as the remote access gateway
- Generated and ran a WireGuard config file locally, to access AWS via the gateway
There is much more you can do with Netmaker and WireGuard, so I hope this was a good first experience. The above steps are also available as a click-through tutorial at the following link: https://www.netmaker.io/tutorials#remote-access-gateway
If you have any questions or feedback, let me know in the comments!
Top comments (2)
great read! Netmaker makes this simple
An awesome write-up!