Securing Remote Access with WireGuard: A Practical Guide

Published November 27, 2024
Harness the Speed of WireGuard
Sign up for a 2-week free trial and experience seamless remote access for easy setup and full control with Netmaker.

After giving a hands-on workshop at Open Source Summit Europe 2024, I wanted to share some practical insights about using WireGuard for remote access. As someone who's been traveling around Colombia, India, Mexico, and the US while building Netmaker, I've learned a thing or two about secure remote access.

Why WireGuard?

WireGuard is a game-changer for modern VPNs. It's Linux-native (in the mainline kernel since 5.6), blazing fast (throughput close to the raw link speed), and uses a fixed set of modern primitives (Curve25519, ChaCha20-Poly1305, BLAKE2s) with no cipher negotiation to get wrong. Plus, it's now supported on pretty much every major OS and many routers. The best part? It's extremely configurable - you can build peer-to-peer networks, site-to-site connections, or remote access solutions.

Setting Up Basic Remote Access: A Step-by-Step Guide

Let's walk through a common scenario: You have a private network (maybe in a VPC or office) with some internal services, and you want to access them remotely. Here's the detailed setup process:

1. Server Setup

First, install the WireGuard userspace tools on your server (on Debian/Ubuntu the wireguard-tools package provides wg and wg-quick; the kernel module is built in on 5.6 and later):

apt install wireguard-tools

2. Key Generation and Interface Configuration

Navigate to the WireGuard directory and generate your keypair. Set umask 077 first: tee honours the current umask, and with the default 022 the private key file would be world-readable.

cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Create a config file (wg0.conf) with this structure:

[Interface]
PrivateKey = <your-private-key>
Address = 10.191.143.x/32  # Replace x with your server number
ListenPort = 51820

# Enable IP forwarding and NAT (eth1 = the interface facing the private network)
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

Pro tip: If you're using nftables instead of iptables, give the rule its own table so it can be torn down cleanly. A rule can only be added to a chain that already exists, and nft delete rule takes a rule handle rather than a rule spec, so deleting the whole table on PostDown is the reliable way to undo PostUp:

PostUp = nft add table ip wg-nat; nft add chain ip wg-nat postrouting '{ type nat hook postrouting priority 100; }'; nft add rule ip wg-nat postrouting oifname "eth1" masquerade
PostDown = nft delete table ip wg-nat

3. Setting Up Peer Access

Here's where it gets interesting. For each client that needs access:

  1. Generate a client keypair. The private key belongs on the client; if you generate it on the server as below, use a restrictive umask, copy it to the client over a secure channel, and keep one directory per client so you don't overwrite an earlier key:
cd /etc/wireguard/peers
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
  2. Add the peer to your server config. AllowedIPs here is both the route to the client and the only source address the server will accept from that key (WireGuard's cryptokey routing), so keep it a /32:
[Peer]
PublicKey = <peer-public-key>
AllowedIPs = 10.191.143.2/32
PersistentKeepalive = 25  # optional on the server; the side behind NAT is the one that needs it
  3. Create a client config file:
[Interface]
PrivateKey = <peer-private-key>
Address = 10.191.143.2/32
DNS = 10.101.0.6  # Your private DNS server

[Peer]
PublicKey = <server-public-key>
Endpoint = <server-public-address>:51820
# Only traffic for the server's tunnel address and the private network enters
# the tunnel. Use 10.191.143.0/24 instead of x/32 if clients should reach each
# other through the server.
AllowedIPs = 10.191.143.x/32,10.101.0.0/16
PersistentKeepalive = 25

4. Starting the Interface

On the server:

wg-quick up wg0

Check the connection status:

wg

You should see your peer listed with a "latest handshake" no more than a couple of minutes old once it has sent traffic (a handshake is only initiated when there is something to send, or by PersistentKeepalive). No handshake at all usually means the Endpoint or ListenPort is unreachable, or the public keys on the two sides don't match.
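This added example is not code from the original post or from Netmaker; it ties steps 1 to 4 together in a small POSIX shell script. It assumes the file name wg-provision.sh, a public server name vpn.example.com, that the server is 10.191.143.1 and that clients are numbered by their last octet; the tutorial's 10.101.0.0/16 LAN, 10.101.0.6 DNS server and eth1 are kept. The stale-handshake check reads the output of wg show wg0 latest-handshakes, which prints one public-key, tab, unix-timestamp line per peer (0 when there has never been a handshake).

```shell
#!/bin/sh
# Added example (not code from the original post or from Netmaker): render the
# tutorial's server and client configs with one key=value per line, create key
# files readable only by root, load a new peer into the running interface with
# `wg set`, and flag peers whose last handshake is stale. The file name
# wg-provision.sh, vpn.example.com and the client numbering are assumptions.
WG_DIR="${WG_DIR:-/etc/wireguard}"
WG_NET="10.191.143"                        # tunnel /24 from the tutorial
SERVER_NUM=1                               # server is 10.191.143.1 (assumed)
SERVER_ENDPOINT="${SERVER_ENDPOINT:-vpn.example.com}"   # assumed public name
WG_PORT=51820
LAN_NET="10.101.0.0/16"                    # private network behind the server
LAN_DNS="10.101.0.6"
LAN_IF="eth1"                              # server interface facing LAN_NET

# gen_keypair DIR: write DIR/privatekey and DIR/publickey with mode 0600.
# `tee` honours the umask; with the default 022 the key would be 0644.
gen_keypair() {
    umask 077
    mkdir -p "$1"
    wg genkey | tee "$1/privatekey" | wg pubkey > "$1/publickey"
}

# render_server_conf PRIVKEY NUM: the server's [Interface] section.
render_server_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s.%s/32\nListenPort = %s\n' \
        "$1" "$WG_NET" "$2" "$WG_PORT"
    printf 'PostUp = sysctl -w net.ipv4.ip_forward=1\n'
    printf 'PostUp = iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$LAN_IF"
    printf 'PostDown = iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$LAN_IF"
}

# render_server_peer PUBKEY NUM: [Peer] stanza for client NUM. AllowedIPs is
# both the route to the client and the only source address accepted from it.
render_server_peer() {
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s.%s/32\n' "$1" "$WG_NET" "$2"
}

# render_client_conf PRIVKEY NUM SERVER_PUBKEY: the client's full wg0.conf.
# AllowedIPs covers only the server and the private LAN (split tunnel).
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s.%s/32\nDNS = %s\n\n' \
        "$1" "$WG_NET" "$2" "$LAN_DNS"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s:%s\n' "$3" "$SERVER_ENDPOINT" "$WG_PORT"
    printf 'AllowedIPs = %s.%s/32,%s\nPersistentKeepalive = 25\n' \
        "$WG_NET" "$SERVER_NUM" "$LAN_NET"
}

# add_client NUM: key the client, append it to the server config, write the
# client's config, and load the peer live so wg0 does not need a restart.
add_client() {
    dir="$WG_DIR/peers/$1"
    gen_keypair "$dir"
    pub=$(cat "$dir/publickey")
    render_server_peer "$pub" "$1" >> "$WG_DIR/wg0.conf"
    render_client_conf "$(cat "$dir/privatekey")" "$1" "$(cat "$WG_DIR/publickey")" \
        > "$dir/wg0.conf"
    wg set wg0 peer "$pub" allowed-ips "$WG_NET.$1/32"
}

# stale_peers NOW MAX_AGE: read "pubkey<TAB>epoch" lines (the output format
# of `wg show wg0 latest-handshakes`) on stdin and print peers that never
# handshaked (epoch 0) or whose last handshake is older than MAX_AGE seconds.
stale_peers() {
    tab=$(printf '\t')
    while IFS="$tab" read -r pub ts; do
        if [ -z "$pub" ]; then continue; fi
        if [ "$ts" -eq 0 ] || [ $(($1 - ts)) -gt "$2" ]; then
            printf '%s\n' "$pub"
        fi
    done
}

# Usage: wg-provision.sh init-server | add-client 2 | check
case "${1:-}" in
    init-server) gen_keypair "$WG_DIR"
                 render_server_conf "$(cat "$WG_DIR/privatekey")" "$SERVER_NUM" \
                     > "$WG_DIR/wg0.conf" ;;
    add-client)  add_client "$2" ;;
    check)       wg show wg0 latest-handshakes | stale_peers "$(date +%s)" 180 ;;
esac
```

Run init-server once, add-client 2 for each client and hand the client its generated peers/2/wg0.conf; check lists peers with no handshake in the last three minutes, which on a link with keepalives or steady traffic means something is broken (WireGuard rekeys at least every two minutes while traffic flows). Because wg set loads the peer immediately, wg0 never has to be brought down to add a client, and appending to the config file makes the peer survive a restart.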

Building a Peer-to-Peer Network

Here's where WireGuard really shines. You can create a full mesh network where every peer can directly communicate with each other. During our workshop, we had participants exchange public keys and build their own mini mesh networks.

To add another peer to your network:

  1. Get their public key and IP address
  2. Add a new peer section to your config:
[Peer]
PublicKey = <peer-public-key>
Endpoint = <peer-ip-address>:51820
AllowedIPs = <peer-private-address>/32
PersistentKeepalive = 25

Remember: a WireGuard peer relationship is symmetric. Each side must list the other's public key, and packets from a key that isn't configured are silently dropped, so both peers need to add each other for the connection to work.
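The mesh procedure above, as an added example rather than the workshop's own material: one function renders a node's full wg0.conf from a shared node table, so every node gets a [Peer] for every other node and the "both sides must add each other" rule holds by construction. The node table is constructed sample data; the names, addresses, endpoints and *_PUB placeholders are assumptions, and each node fills in its own PrivateKey. It also handles the case the workshop glosses over: a node with no reachable endpoint (behind NAT or CGNAT) gets Endpoint and PersistentKeepalive entries for its public peers, while two such nodes are left out of each other's config with a note, since they can only meet through a relay.

```shell
#!/bin/sh
# Added example, not part of the original workshop material: generate one
# node's full-mesh config from a shared node table. The table below is
# constructed sample data; names, addresses, endpoints and *_PUB values are
# assumptions. Each node keeps its own private key and fills in the
# PrivateKey placeholder itself.
#
# Columns: name  tunnel-address  public-key  endpoint  ("-" = no reachable
# endpoint, i.e. the node sits behind NAT/CGNAT and can only dial out).
NODES='
alice 10.191.143.1 ALICE_PUB 203.0.113.10:51820
bob   10.191.143.2 BOB_PUB   198.51.100.7:51820
carol 10.191.143.3 CAROL_PUB -
dave  10.191.143.4 DAVE_PUB  -
'

# render_mesh_conf NAME TABLE: print NAME's wg0.conf with a [Peer] for every
# other node. A NAT'd node gets Endpoint and PersistentKeepalive for each
# public peer; two NAT'd nodes cannot reach each other directly and are
# left out with a note (that is the case for a relay).
render_mesh_conf() {
    me=$1; table=$2
    set -- $(printf '%s\n' "$table" | grep "^$me ")
    if [ $# -ne 4 ]; then echo "unknown node: $me" >&2; return 1; fi
    my_addr=$2; my_ep=$4
    printf '[Interface]\nPrivateKey = <%s-private-key>\nAddress = %s/32\n' "$me" "$my_addr"
    if [ "$my_ep" != "-" ]; then printf 'ListenPort = %s\n' "${my_ep##*:}"; fi
    printf '%s\n' "$table" | while read -r name addr pub ep; do
        if [ -z "$name" ] || [ "$name" = "$me" ]; then continue; fi
        if [ "$ep" = "-" ] && [ "$my_ep" = "-" ]; then
            printf '\n# %s: both sides are behind NAT, use a relay instead\n' "$name"
            continue
        fi
        printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pub" "$addr"
        if [ "$ep" != "-" ]; then printf 'Endpoint = %s\n' "$ep"; fi
        # Only the side behind NAT needs keepalives, to hold its mapping open.
        if [ "$my_ep" = "-" ]; then printf 'PersistentKeepalive = 25\n'; fi
    done
}

# Usage on carol: render_mesh_conf carol "$NODES" > /etc/wireguard/wg0.conf
```

Distribute the same table to every participant and each one renders its own config; adding a node means adding one row and re-rendering, which is the manual version of the key distribution problem the later section on scaling talks about.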

Fun with Docker: Running a Secret Message Server

Want to test your mesh network? Here's a fun exercise we did in the workshop. Bind the published port to your WireGuard address (the interface has to be up first) rather than 0.0.0.0, so the page is reachable only through the tunnel; Docker's published ports are not filtered by your host's INPUT rules, so the bind address is what keeps it off the public interface:

docker run -d -e MESSAGE="YOUR SECRET MESSAGE HERE" \
  -p <your-wg-private-address>:8080:80 nginx:alpine \
  sh -c "echo \$MESSAGE > /usr/share/nginx/html/index.html && nginx -g 'daemon off;'"

Then have your peers try to access your secret message:

curl <peer-private-ip>:8080

Working Around Network Restrictions

One challenge I've encountered while traveling is dealing with restrictive networks. Maybe you're behind CGNAT, or your corporate firewall is locked down. Here's a neat trick: Set up a cloud relay.

Deploy a WireGuard server in the cloud that both your local network endpoint and remote clients can reach. Your local endpoint reaches out to establish the connection (no port forwarding needed, since it only ever initiates; keep PersistentKeepalive on so the NAT mapping stays open), and remote clients connect through the cloud server to reach your local network. The relay needs IP forwarding enabled, and the local endpoint's AllowedIPs on the relay must include the local LAN prefix so the relay routes that traffic to it.
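The relay topology above, as an added example rather than the post's own configs: three functions render the configs for the VPS relay, the gateway on the home network and the roaming client. It assumes relay.example.com as the VPS hostname, 10.191.143.0/24 as the tunnel range, 192.168.10.0/24 as the home LAN, eth0 as the gateway's LAN interface, and *_PRIV/*_PUB placeholders for keys you generate with wg genkey. The thing to notice is AllowedIPs on each side: on the relay, the gateway's entry carries the home LAN, so the relay routes the client's packets to the gateway and accepts LAN replies from it; on the gateway, the whole tunnel range is listed for the relay, because WireGuard drops any incoming packet whose source address is not in the sending peer's AllowedIPs.

```shell
#!/bin/sh
# Added example, not from the original post: configs for the cloud relay
# pattern. relay.example.com, the 10.191.143.0/24 tunnel range, the
# 192.168.10.0/24 home LAN and eth0 as the gateway's LAN interface are
# assumptions; replace the *_PRIV/*_PUB placeholders with real keys.
RELAY_ENDPOINT="relay.example.com:51820"
WG_NET="10.191.143.0/24"
RELAY_ADDR="10.191.143.1"
GW_ADDR="10.191.143.2"        # home gateway: behind CGNAT, dials out only
CLIENT_ADDR="10.191.143.3"    # roaming laptop
HOME_LAN="192.168.10.0/24"    # network behind the gateway

# render_relay_conf RELAY_PRIV GW_PUB CLIENT_PUB: the VPS. It only forwards
# between its two peers, so no NAT is needed here; the gateway's AllowedIPs
# must include HOME_LAN or replies from LAN hosts are dropped on arrival.
render_relay_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\nListenPort = 51820\n' "$1" "$RELAY_ADDR"
    printf 'PostUp = sysctl -w net.ipv4.ip_forward=1\n'
    printf '\n[Peer]\n# home gateway\nPublicKey = %s\nAllowedIPs = %s/32,%s\n' "$2" "$GW_ADDR" "$HOME_LAN"
    printf '\n[Peer]\n# roaming client\nPublicKey = %s\nAllowedIPs = %s/32\n' "$3" "$CLIENT_ADDR"
}

# render_gateway_conf GW_PRIV RELAY_PUB LAN_IF: the box on the home network.
# No ListenPort and no inbound port forwarding: it initiates to the relay and
# keeps the NAT mapping open with keepalives. It accepts the whole tunnel
# range from the relay so the roaming client's packets are not rejected as
# unexpected sources, and masquerades them onto the LAN.
render_gateway_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\n' "$1" "$GW_ADDR"
    printf 'PostUp = sysctl -w net.ipv4.ip_forward=1\n'
    printf 'PostUp = iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$3"
    printf 'PostDown = iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$3"
    printf '\n[Peer]\n# relay\nPublicKey = %s\nEndpoint = %s\n' "$2" "$RELAY_ENDPOINT"
    printf 'AllowedIPs = %s\nPersistentKeepalive = 25\n' "$WG_NET"
}

# render_roaming_client_conf CLIENT_PRIV RELAY_PUB: the laptop. Traffic for
# the tunnel range and the home LAN goes to the relay, which routes it on.
render_roaming_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\n' "$1" "$CLIENT_ADDR"
    printf '\n[Peer]\n# relay\nPublicKey = %s\nEndpoint = %s\n' "$2" "$RELAY_ENDPOINT"
    printf 'AllowedIPs = %s,%s\nPersistentKeepalive = 25\n' "$WG_NET" "$HOME_LAN"
}

# Usage: write one file per machine, then `wg-quick up wg0` on each.
# render_relay_conf "$RELAY_PRIV" "$GW_PUB" "$CLIENT_PUB" > relay-wg0.conf
# render_gateway_conf "$GW_PRIV" "$RELAY_PUB" eth0 > gateway-wg0.conf
# render_roaming_client_conf "$CLIENT_PRIV" "$RELAY_PUB" > client-wg0.conf
```

The relay's FORWARD chain must allow wg0-to-wg0 traffic (the default policy on a fresh VPS usually does); if you lock it down, permit forwarding between the two peers explicitly rather than opening the LAN prefix to every peer on the relay.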

Scaling Challenges

While WireGuard is amazing, it does have some limitations by design. It's intentionally minimal - no built-in user management, no automatic key distribution, no service discovery. This is where things get interesting at scale.

When you're managing more than a few endpoints, manually distributing keys and updating configs becomes a pain. That's actually why we built Netmaker - to automate all this stuff while keeping WireGuard's security and performance benefits.

Real-World Use Cases

I've seen some creative uses of WireGuard in the wild. One of my favorites was setting up secure bank access for fellow travelers I met on the road - just a simple full-tunnel VPN (AllowedIPs = 0.0.0.0/0 on the client, so all traffic leaves through the VPS) with a cloud server. It's incredible how a few dollars a month for a VPS and some basic WireGuard config can solve real problems.

Looking Ahead

The ecosystem around WireGuard is growing rapidly. From simple helper scripts to full mesh network managers, people are building amazing tools on top of this foundation. The core stays small and secure, while higher-level tools add the features enterprises need.

Want to try this yourself? The complete tutorial is available here, and if you're managing WireGuard at scale, well, that's what we built Netmaker for!

Stay secure, and happy networking!
