
An Azure Bicep template to quickly set up your own WireGuard VPN Server.

AzureWireGuard - Azure Bicep Template

The quickest way to set up your own modern VPN server.

WireGuard VPN is a rethink of how VPN software is designed and is receiving genuine appreciation from the community. This Azure Bicep template helps you set up a WireGuard VPN server quickly, taking care of all the configuration steps.

What does this Azure Bicep template do?

  • Create an Azure Resource Group. The names of all resources are generated automatically to avoid any conflicts.
  • Create an Ubuntu Server Virtual Machine.
    • You will be prompted for a password during the deployment.
  • A Network Security Group with firewall rules is attached to the Virtual Machine.
    • Port 51820 is enabled for WireGuard.
    • Port 22 is enabled for SSH. Disable this port once you download the config files and enable it only for maintenance.
  • Install WireGuard Server.
  • Configure WireGuard Server.
    • Create Private and Public Keys for Server and Client.
    • Create the Server Configuration.
    • The WireGuard interface IP address is set to 10.13.13.1.
  • Set up NAT on the server to forward client traffic to the internet.
  • Start the WireGuard Interface.
  • Configure WireGuard to auto start.
  • Generate ten client configuration files, which you can download and start using.
    • The ten clients are given the IP addresses 10.13.13.101 to 10.13.13.110.
    • The Client DNS server is set to 1.1.1.1.
  • Enable UFW firewall.
  • Install Ubuntu Server Upgrades.
  • Schedule a Reboot after 24 hours, to ensure all Ubuntu Server Upgrades are applied.

How to deploy?

Some knowledge of how Azure Bicep templates work is really helpful.

Method 1 - From Azure CLI

  • Clone the git repository.

  • Login to your Azure subscription

    az login

  • (Optional Step ... In case you have multiple Azure subscriptions) List your Azure subscriptions

    az account list --output table

  • (Optional Step ... In case you have multiple Azure subscriptions) Set your default Azure subscription to which this Bicep template will be deployed

    az account set --subscription <SubscriptionId>

  • (Optional Step ... In case you want to validate the template) Run a what-if check

    az deployment sub create --name wireguard --location eastus --template-file .\AzureWireGuard\AzureWireGuard.bicep --what-if

  • Deploy the Bicep template with defaults. For customization, see the "Customizing the deployment" section below.

    az deployment sub create --name wireguard --location eastus --template-file .\AzureWireGuard\AzureWireGuard.bicep

Other Methods

Customizing the deployment

  • While deploying the Bicep template you can pass a parameters file

    az deployment sub create --name wireguard --location eastus --template-file .\AzureWireGuard\AzureWireGuard.bicep --parameters "@AzureWireGuard\AzureWireGuard.parameters.json"

  • The template parameters available for customization are

    | Parameter | Description | Defaults |
    |---|---|---|
    | code | A string used in the resource names | Random string to avoid resource conflicts. uniqueString Based on the Subscription Id and Location |
    | adminUsername | Admin Username for the Virtual Machine | vmadmin |
    | adminPassword | Password for the Virtual Machine | Prompts during deployment |
    | location | Location to deploy the resources. The location specified in the az deployment command does not control the location of the resources. It is the location of the Azure Deployment | eastus |
    | vmSize | Size of the Virtual Machine | Standard_DS2_v2 |
    | tags | Tags that are attached to the resources created | DeployedOn |

How to download WireGuard Client Configuration files?

  • The client configuration files are named wg0-client-1.conf, wg0-client-2.conf, ..., wg0-client-9.conf and wg0-client-10.conf.

  • They are located in the administrator user's home folder (~/).

  • You can use tools like scp and pscp to download the client configuration files directly from the server.

    scp <admin-user>@<server-fqdn>:/home/<admin-user>/wg0-client-1.conf /local/dir/

    pscp <admin-user>@<server-fqdn>:/home/<admin-user>/wg0-client-1.conf c:\local\

    Example:

    scp vmadmin@pip-wg-j5lzwixbj3ng.westus.cloudapp.azure.com:/home/vmadmin/wg0-client* /local/dir/

Windows Clients

  • The client configuration files generated have Linux Line Endings (LF) while Windows WireGuard clients would expect DOS Line Endings (CRLF).
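
One way to handle the line-ending mismatch described above, as an added example that is not part of the AzureWireGuard project: a POSIX shell function that restricts the downloaded files to their owner (WireGuard client configurations carry the client's private key) and writes CRLF copies for Windows. The function name prepare_wg_configs and the windows/ output subdirectory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of AzureWireGuard.
# Assumption: the wg0-client-*.conf files were already downloaded (for
# instance with the scp command shown earlier) into the directory in $1.

# prepare_wg_configs DIR
#   - limits every wg0-client-*.conf in DIR to owner read/write
#   - writes a CRLF copy of each file to DIR/windows/ for the Windows client
#   - prints the number of files processed
# The body runs in a subshell so the umask change does not leak to the caller.
prepare_wg_configs() (
    dir=$1
    cr=$(printf '\r')              # literal carriage return for sed
    umask 077                      # new files and directories are owner-only
    mkdir -p "$dir/windows" || exit 1
    count=0
    for f in "$dir"/wg0-client-*.conf; do
        [ -f "$f" ] || continue    # the glob matched nothing
        chmod 600 "$f"
        # Drop an existing CR first so already-converted input is not doubled,
        # then terminate every line with CR (the LF is kept by sed).
        sed -e "s/${cr}\$//" -e "s/\$/${cr}/" "$f" \
            > "$dir/windows/$(basename "$f")" || exit 1
        count=$((count + 1))
    done
    echo "$count"
)

# Usage: prepare_wg_configs /local/dir
```

The original LF files stay untouched for Linux and macOS clients; import the copies under windows/ into the Windows client.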

General Recommendations

  • While editing the AzureWireGuard.sh script file on Windows, use Linux EOL. Windows EOL will cause script failure.
  • A VM with at least two cores is recommended.
  • Once the configuration files are downloaded, you can disable the SSH port 22 on the Azure Network Security Group for added security.
  • Azure Accelerated Networking is enabled by default for better network performance. This limits the choice of Azure VM sizes.
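
The SSH recommendation above as an added example (not part of the AzureWireGuard project): a shell function that uses the Azure CLI to find the inbound port 22 rule in the deployment's resource group and set it to Deny, or back to Allow for maintenance. The function name set_ssh_access is hypothetical, the resource group name is whatever the deployment generated, and the lookup assumes the template defines SSH as a single-port rule (destinationPortRange of 22).

```shell
#!/bin/sh
# Added example, not part of AzureWireGuard. Requires a logged-in Azure CLI.

# set_ssh_access RESOURCE_GROUP Allow|Deny
#   Sets the access of every inbound NSG rule for destination port 22 in
#   RESOURCE_GROUP and prints how many rules were changed.
#   Assumption: SSH is a single-port rule (destinationPortRange == '22').
set_ssh_access() {
    rg=$1
    access=$2
    case $access in
        Allow|Deny) ;;
        *) echo "usage: set_ssh_access <resource-group> Allow|Deny" >&2
           return 2 ;;
    esac
    changed=0
    # Resource names are generated by the template, so look them up.
    for nsg in $(az network nsg list --resource-group "$rg" \
            --query "[].name" --output tsv); do
        for rule in $(az network nsg rule list --resource-group "$rg" \
                --nsg-name "$nsg" --output tsv \
                --query "[?direction=='Inbound' && destinationPortRange=='22'].name"); do
            az network nsg rule update --resource-group "$rg" \
                --nsg-name "$nsg" --name "$rule" \
                --access "$access" --output none || return 1
            changed=$((changed + 1))
        done
    done
    # Fail loudly rather than report success when nothing was changed.
    if [ "$changed" -eq 0 ]; then
        echo "no inbound port 22 rule found in $rg" >&2
        return 1
    fi
    echo "$changed"
}

# Usage, after the client configuration files are downloaded:
#   set_ssh_access <resource-group> Deny
# Before maintenance:
#   set_ssh_access <resource-group> Allow
```

Port 51820 is left as it is, so connected WireGuard clients are not affected by the change.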

Azure ARM Version

The earlier version of AzureWireGuard used Azure ARM templates. It is no longer maintained but is available on the branch named arm-retired.

Contributing

  • Fork the repo on GitHub
  • Clone the project to your own machine
  • Commit changes to your own branch
  • Push your work back up to your fork
  • Submit a Pull Request so that changes can be reviewed and merged

NOTE: Be sure to pull the latest from "upstream" before making a pull request!