WireGuard VPN - Secure Remote Access Solution
Secure Remote Access Implementation
A comprehensive lab demonstrating how to securely access a private internal network from a remote location using WireGuard VPN. This project solves the problem of exposing internal resources to the public internet by using an encrypted tunnel through a bastion gateway.
Architecture Diagram
Network Architecture (diagram labels): Remote Client (LAN IP 192.168.1.2, VPN IP 10.200.0.2) -> Encrypted Tunnel (UDP 51820) across the Internet/ISP -> Internet Gateway (18.60.100.177) -> WireGuard Server in the Public Subnet 10.0.0.0/24 (VPC IP 10.0.0.12, VPN IP 10.200.0.1) -> Internal Server in the Private Subnet 10.0.1.0/24 (10.0.1.33), all inside the AWS Cloud VPC (10.0.0.0/16).
The Problem
A remote employee needs to access the company's private network securely from a remote location without exposing the internal network to the internet. No other traffic may reach the company's internal subnet.
The Solution
VPC & Networking Setup
- Created VPC with IP block 10.0.0.0/16 for sufficient address range
- Built public subnet with EC2 VPN Gateway (internet-facing) + IGW route for connectivity
- Built private subnet for company resources/services, accessible only via VPN tunnel
- Added a route for the VPN overlay network (10.200.0.0/24) to the private subnet route table, so return traffic for VPN clients is sent back through the WireGuard gateway instead of being dropped
Security Configurations
- Configured security groups for allowed traffic rules
- Applied NACLs at subnet level for granular control
WireGuard Implementation
- Launched EC2 instance in public subnet as WireGuard VPN server (gateway)
- Generated server/client public/private key pairs using wg genkey
- Created /etc/wireguard/wg0.conf with server private key, VPN subnet, UDP port 51820
- Enabled IP forwarding, started with wg-quick up wg0
- Built client configs: client private key + server public key/EC2 IP + AllowedIPs=10.0.0.0/16 for VPC access
WireGuard Configurations
/etc/wireguard/wg0.conf (Server)
[Interface]
PrivateKey = <private-key>
Address = 10.200.0.1/24
ListenPort = 51820

[Peer]
PublicKey = 0zFzXiF1Zu66gaKXVTOU4pKKGHh9aoxGKbMce5WafmE=
# Client's public key; the client may only send and receive as 10.200.0.2 through this tunnel
AllowedIPs = 10.200.0.2/32
wg0.conf (Client)
[Interface]
PrivateKey = (hidden)
Address = 10.200.0.2/24

[Peer]
PublicKey = HFBtRCBepMCW++VCHoHu9+IU2x1jyuwiP2v06GFn4QQ=
# Only the VPN overlay and the private subnet are routed through the tunnel
AllowedIPs = 10.200.0.0/24, 10.0.1.0/24
Endpoint = 18.60.100.177:51820
Validation Results
- Handshake successful - authentication and encryption working
- Data transfer confirmed - tunnel is active
- Traffic to VPN subnet (10.200.0.0/24) through tunnel verified
- Traffic to internal server (10.0.1.0/24) through tunnel verified
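The following is an added example and not part of the lab: a small Python check that reproduces the validation above offline. It parses a constructed `wg show wg0 dump` sample (the client's NAT endpoint 203.0.113.5:41234, the timestamps and the byte counters are constructed values) and applies the AllowedIPs from the two configs to show which addresses cryptokey routing sends through the tunnel and which it drops.

```python
import ipaddress

# Constructed `wg show wg0 dump` output (tab-separated) as the lab server would
# print it. Line 1 = interface: private key (hidden), server public key from
# the client config, ListenPort, fwmark. Each further line = one peer:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake (unix
# time), transfer-rx, transfer-tx, persistent-keepalive. The endpoint is the
# client's NAT address as seen by the server (constructed value).
NOW = 1_700_000_000  # fixed "current time" so the check is reproducible
SAMPLE_DUMP = (
    "(hidden)\tHFBtRCBepMCW++VCHoHu9+IU2x1jyuwiP2v06GFn4QQ=\t51820\toff\n"
    "0zFzXiF1Zu66gaKXVTOU4pKKGHh9aoxGKbMce5WafmE=\t(none)\t203.0.113.5:41234\t"
    f"10.200.0.2/32\t{NOW - 45}\t18432\t24576\toff\n"
)
CLIENT_ALLOWED_IPS = ["10.200.0.0/24", "10.0.1.0/24"]  # from the client wg0.conf

def parse_peers(dump):
    """Return one dict per peer line of a `wg show <iface> dump`."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        f = line.split("\t")
        peers.append({"public_key": f[0], "endpoint": f[2],
                      "allowed_ips": f[3].split(","),
                      "latest_handshake": int(f[4]),
                      "rx": int(f[5]), "tx": int(f[6])})
    return peers

def peer_healthy(peer, now, max_age=180):
    """The lab's 'handshake successful' and 'data transfer confirmed' checks:
    a handshake no older than max_age seconds (WireGuard re-handshakes at
    least every 120 s while traffic flows) and bytes in both directions."""
    return (peer["latest_handshake"] > 0
            and now - peer["latest_handshake"] <= max_age
            and peer["rx"] > 0 and peer["tx"] > 0)

def routed_via_tunnel(allowed_ips, dst):
    """Cryptokey routing: a packet is sent to (or accepted from) a peer only if
    its inner destination (or source) address lies inside that peer's AllowedIPs."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(n.strip()) for n in allowed_ips)

if __name__ == "__main__":
    for p in parse_peers(SAMPLE_DUMP):
        print(p["public_key"][:8], "healthy" if peer_healthy(p, NOW) else "STALE")
    for dst in ("10.200.0.1", "10.0.1.33", "10.0.0.12"):
        print(dst, "via tunnel" if routed_via_tunnel(CLIENT_ALLOWED_IPS, dst) else "not via tunnel")
    # Server side, AllowedIPs = 10.200.0.2/32: any other inner source is dropped.
    print("spoofed 10.200.0.9 accepted:", routed_via_tunnel(["10.200.0.2/32"], "10.200.0.9"))
```

With the client AllowedIPs exactly as in the config above, the gateway's own VPC address 10.0.0.12 is not routed through the tunnel, which the third destination in the loop makes visible.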