Build your own Remote Access VPN to AWS with WireGuard and Netmaker

July 19, 2023

Introduction

An AWS account typically consists of multiple VPCs and private subnets. You may wish to provide remote access to private subnets or endpoints on AWS without exposing them publicly.

AWS has its own remote access VPN solution called “AWS Client VPN”. However, this can be unnecessarily expensive. With several users and endpoints, you can easily spend hundreds of dollars per month.

Luckily, it is pretty easy to build your own solution using WireGuard® and Netmaker for free. Follow these steps, and you should be up and running in about 30 minutes.

By the end of this tutorial, you will have a gateway device running on AWS, on which you can easily attach WireGuard clients to access private AWS resources.

The Problem

Private Rocket Chat instance on AWS

In our example scenario, we have Rocket Chat running on AWS, which is only accessible over the VPC address (172.31.95.26). We want a developer to be able to log into Rocket Chat using this address.

For your setup, this can be any private IPs or subnets on AWS, as long as the addresses are accessible from the gateway device (EC2 instance).

Part 1: Deploy the Gateway Instance

Select a device in AWS to act as your VPN gateway. This can be a container or an EC2 instance, but it must be Linux-based. You can use an existing instance, but if deploying a new instance, we recommend using the latest Ubuntu (22.04 as of this writing). You can use t2.micro, as the gateway is not resource intensive.

This device must have access to the target devices or subnets, so make sure it is deployed in the correct availability zone, and that the target devices’ security groups allow traffic from the gateway device.

Lastly, the device must be publicly reachable on the WireGuard port, which by default for Netmaker is 51821, so open 51821/udp to 0.0.0.0/0 in the instance’s security group, and make sure it has a publicly reachable IP (e.g. an Elastic IP address).

Gateway Requirements:
- Device Type: EC2 Instance or Container (EC2 Instance recommended)
- OS: Linux (Ubuntu 22.04 recommended)
- Size: any (t2.micro recommended)
- Network Settings: Must have a public endpoint, and expose 51821/udp publicly

Gateway EC2 Instance on AWS

Part 2: Set up the Gateway with Netmaker

Now that you’ve configured a suitable gateway device, you must add this device to Netmaker. You can self-host Netmaker, but to get started quickly (and for free), simply sign up at https://app.netmaker.io.

By default, your account will have a virtual network named “netmaker” and an access key, also named “netmaker”. You should use these for the remainder of the tutorial, but note that in our example and screenshots these are named “rocket-chat”.

Click on the network, click on “hosts”, and then click the “Add a new host” button:

The Netmaker network’s Hosts list
Registration instructions for Netclient

Follow the steps to add the gateway device to Netmaker, by downloading and installing the netclient, and joining the network.

Terminal output from installing the Netclient

Once the device is visible in your “hosts” list, you can continue to configure the device as a gateway.

Part 3: Configure Egress Gateway

The Egress Gateway screen

Click on “Egress” and then “Create Egress”. We will set the gateway device as an egress to the target IP address in AWS. In our example this is 172.31.95.26/32, but modify this as appropriate, providing multiple ranges if necessary.

Configure your Egress Gateway

The device is now prepared to serve traffic to the target destination.

Part 4: Configure the WireGuard Client Gateway

The Client Gateway screen

The last step is to provide remote access via a “Client Gateway”. The Client Gateway simply allows you to generate WireGuard config files, which are routed through the gateway device and into the network. So, after configuring, a user will be able to reach the Egress range via the Client Gateway.

Our device on AWS will act as both an “Egress Gateway” and a “Client Gateway”, so that it can accept traffic from WireGuard, and forward it to the private subnet.

Click on “Clients” and then “Create Client”. Since you do not have a Client Gateway yet, it will prompt you to select a device to act as the gateway, and will generate your first client (WireGuard config file) on top of this gateway.

Configure the Client Gateway and WireGuard Client

You can now download this config file, and run it using any standard WireGuard client.

Download the WireGuard config file
Run the WireGuard config file

If everything has gone correctly, the private address should now be accessible from the local device:

Accessing the private Rocket Chat instance in the browser

You can generate additional clients as necessary, so that your gateway provides access for a whole team.
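Before handing a downloaded client config to a user, it is worth checking that it does what Parts 1 to 4 intended: exactly one peer (the gateway), the egress range from Part 3 inside AllowedIPs, no default route that would turn the split tunnel into a full tunnel, and the Endpoint on the 51821/udp port opened in Part 1. The checker below is an added example, not Netmaker’s code; the sample config, its placeholder keys and the gateway address 203.0.113.10 are constructed, and the 10.101.0.0/24 overlay range is assumed.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in wg-quick format; keys and the gateway address are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.101.0.3/32

[Peer]
PublicKey = <gateway-public-key-placeholder>
AllowedIPs = 10.101.0.0/24, 172.31.95.26/32
Endpoint = 203.0.113.10:51821
PersistentKeepalive = 20
"""

def parse_wg_conf(text: str) -> List[Dict[str, str]]:
    """Split a wg-quick style config into sections; each dict carries its name under '_section'."""
    sections: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append({"_section": line[1:-1]})
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][key.strip()] = value.strip()
    return sections

def check_client_conf(text: str, egress_cidr: str, wg_port: int = 51821) -> List[str]:
    """Return findings for a downloaded client config; an empty list means it matches the tutorial's intent."""
    findings: List[str] = []
    target = ipaddress.ip_network(egress_cidr)
    peers = [s for s in parse_wg_conf(text) if s["_section"] == "Peer"]
    if len(peers) != 1:
        findings.append(f"expected exactly one [Peer] (the gateway), found {len(peers)}")
    for peer in peers:
        allowed = [ipaddress.ip_network(a.strip(), strict=False)
                   for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        # The egress range must be routed into the tunnel, or the private address stays unreachable.
        if not any(a.version == target.version and target.subnet_of(a) for a in allowed):
            findings.append(f"egress range {egress_cidr} is not covered by AllowedIPs")
        # A /0 route sends all client traffic through the gateway, not just AWS-bound traffic.
        if any(a.prefixlen == 0 for a in allowed):
            findings.append("AllowedIPs contains a default route (full tunnel)")
        host, _, port = peer.get("Endpoint", "").rpartition(":")
        if not host or not port.isdigit():
            findings.append("Endpoint is missing or not host:port")
        elif int(port) != wg_port:
            findings.append(f"Endpoint port {port} is not the opened WireGuard port {wg_port}")
    return findings
```

Run `check_client_conf(open("client.conf").read(), "172.31.95.26/32")` against the file you downloaded; any finding means the config should be regenerated or the egress/gateway settings revisited.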

Conclusion

In this tutorial, we:

  1. Configured AWS for a remote access gateway
  2. Configured an EC2 instance to act as the remote access gateway
  3. Generated and ran a WireGuard config file locally, to access AWS via the gateway

There is much more you can do with Netmaker and WireGuard, so I hope this was a good first experience. The above steps are also available as a click-through tutorial at the following link: https://www.netmaker.io/tutorials#remote-access-gateway

If you have any questions or feedback, let me know in the comments!

Enhancing AWS Remote Access with Netmaker

Netmaker offers a cost-effective and efficient solution to securely access private AWS resources without the hefty expenses associated with traditional VPN services like AWS Client VPN. By leveraging WireGuard, Netmaker enables seamless and secure connectivity between remote users and AWS private subnets. Its easy-to-use interface simplifies the setup process, allowing you to establish a VPN gateway on an AWS EC2 instance in minutes. Netmaker's ability to manage and automate WireGuard configurations ensures a smooth and reliable connection, making it an ideal choice for organizations looking to enhance their cloud infrastructure security and access.

In addition to its cost advantages, Netmaker provides robust features such as automatic peer configuration, dynamic DNS, and multi-cloud support, which are crucial for managing complex network environments efficiently. It allows for centralized management of VPN clients, ensuring that all connections are secure and up to date. The flexibility of running Netmaker in containers, such as Docker or Kubernetes, adds to its scalability and ease of deployment across various platforms. For those ready to enhance their AWS remote access with Netmaker's powerful capabilities, you can get started by signing up here.
