This Terraform solution deploys a Wireguard VPN instance intended to serve as a secure jump host for your infrastructure. It improves security by minimizing the number of public IPs in your environment and limiting access to the rest of it to VPN clients.
Prerequisites:
- Install the Nebius CLI:
  curl -sSL https://storage.ai.nebius.cloud/nebius/install.sh | bash
- Reload your shell session:
  exec -l $SHELL
  or
  source ~/.bashrc
- Configure the Nebius CLI (using a service account for the configuration is recommended):
  nebius init
- Install jq (example for Debian-based distros):
  sudo apt install jq -y
Follow these steps to deploy the solution:
- Load the environment variables:
  source ./environment.sh
- Initialize Terraform:
  terraform init
- Replace the placeholder content in terraform.tfvars with the actual configuration values for your environment (see the details below).
- Preview the deployment plan:
  terraform plan
- Apply the configuration and wait for the operation to complete:
  terraform apply
Update the following variables in the terraform.tfvars file with your specific values:
- parent_id
- subnet_id
- ssh_user_name
- ssh_public_key
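As an added pre-flight check (example code, not part of the solution's own files), the shell script below verifies that these four variables in terraform.tfvars have been replaced with real values before you run terraform plan. The placeholder forms it rejects (<...>, TODO, changeme), the sample values and the file names it creates are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the solution's own files: a pre-flight check that
# the four required variables in terraform.tfvars have been given real values
# before `terraform plan` is run. The placeholder forms it looks for (<...>,
# TODO, changeme) are an assumption about how the template is written.

# check_tfvars FILE -> returns 0 if every required variable is set to a
# non-placeholder value, 1 otherwise (problems are reported on stderr)
check_tfvars() {
  file="$1"
  rc=0
  for var in parent_id subnet_id ssh_user_name ssh_public_key; do
    # Extract the value of `var = "..."` (quotes optional), first match only
    value=$(sed -n "s/^[[:space:]]*${var}[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$file" | head -n 1)
    case "$value" in
      ""|*"<"*">"*|*TODO*|*changeme*)
        echo "ERROR: $var is missing or still a placeholder in $file" >&2
        rc=1 ;;
    esac
  done
  # ssh_public_key must additionally look like an OpenSSH public key line
  key=$(sed -n 's/^[[:space:]]*ssh_public_key[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$file" | head -n 1)
  case "$key" in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*) ;;
    *) echo "ERROR: ssh_public_key does not look like an OpenSSH public key" >&2; rc=1 ;;
  esac
  return $rc
}

# Constructed sample files (written to a temp directory) used to demonstrate
# the check without touching a real terraform.tfvars; prints the directory.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/placeholders.tfvars" <<'EOF'
parent_id      = "<project-id>"
subnet_id      = "<subnet-id>"
ssh_user_name  = "<username>"
ssh_public_key = "<public-key>"
EOF
  cat > "$dir/filled.tfvars" <<'EOF'
parent_id      = "project-example-0000"
subnet_id      = "vpcsubnet-example-0000"
ssh_user_name  = "wgadmin"
ssh_public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLE wgadmin@example"
EOF
  echo "$dir"
}

# Usage: sh check_tfvars.sh [path/to/terraform.tfvars]
# Without an argument, the check runs against the constructed samples.
if [ -n "${1:-}" ]; then
  check_tfvars "$1" && echo "$1: OK"
else
  samples=$(make_samples)
  check_tfvars "$samples/placeholders.tfvars" || echo "placeholders.tfvars: rejected, as expected"
  check_tfvars "$samples/filled.tfvars" && echo "filled.tfvars: OK"
  rm -rf "$samples"
fi
```

Run it with the path to your terraform.tfvars as the only argument; a non-zero exit means at least one required variable is still a placeholder, which is cheaper to catch here than after a partially applied plan.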
This step lets you retain the public IP address if the VM is deleted; skip this section if you do not need to keep the IP address.
- Create a public IP allocation:
  nebius vpc v1 allocation create --ipv-4-public \
    --parent-id <project-id> --name wireguard_allocation_pub \
    --format json | jq -r '.metadata.id'
- Assign the value from the previous step to the public_ip_allocation_id variable in variables.tf:
  public_ip_allocation_id = <public_ip_allocation_id>
To access the Wireguard UI:
- SSH into the Wireguard instance:
  ssh -i <path_to_private_ssh_key> <ssh_user_name>@<instance_public_ip>
- Retrieve the initial Wireguard UI password:
  sudo cat /var/lib/wireguard-ui/initial_password
- Open the Wireguard UI in your browser:
  http://<instance_public_ip>:5000
- Log in with the following credentials:
  - Username: admin
  - Password: the password retrieved in step 2
- Apply Config: after creating, deleting, or changing Wireguard users, press the "Apply Config" button.
- Allowed IPs: when adding new users, specify the CIDRs of your existing infrastructure in the "Allowed IPs" field.
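The Allowed IPs field is where the jump host's scope is decided: an entry of 0.0.0.0/0 (or ::/0) would route all of a client's traffic through the instance instead of only the infrastructure CIDRs. The shell script below is an added example, not part of the solution or of wireguard-ui; it audits the AllowedIPs lines of exported client configs for a default route and for malformed IPv4 entries. The sample configs, addresses and key placeholders in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the solution's own files: an audit of the
# AllowedIPs in a WireGuard client config, flagging the default route
# (0.0.0.0/0 or ::/0), which would send all of the client's traffic through
# the jump host, and malformed IPv4 entries. The sample configs below are
# constructed, with RFC 5737 / private addresses standing in for real ones.

# valid_ipv4_cidr A.B.C.D/N -> 0 if octets are 0-255 and N is 0-32, else 1
valid_ipv4_cidr() {
  case "$1" in
    *[!0-9./]*|*/*/*|*/) return 1 ;;   # foreign characters, two slashes, or empty prefix
  esac
  ip=${1%/*}; n=${1#*/}
  [ "$ip" != "$1" ] || return 1        # no slash at all
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  [ "$n" -le 32 ]
}

# audit_allowed_ips FILE -> 0 if every AllowedIPs entry is a specific CIDR,
# 1 if a default route or a malformed IPv4 entry is present
audit_allowed_ips() {
  file="$1"
  rc=0
  # Gather all AllowedIPs values, one CIDR per line, whitespace removed
  cidrs=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$file" | tr ',' '\n' | tr -d ' \t')
  [ -n "$cidrs" ] || { echo "WARN: $file: no AllowedIPs found" >&2; return 1; }
  for cidr in $cidrs; do
    case "$cidr" in
      0.0.0.0/0|::/0)
        echo "WARN: $file: $cidr routes all traffic through the jump host; list only infrastructure CIDRs" >&2
        rc=1 ;;
      *:*) ;;   # IPv6 entry: only the default-route check above is applied here
      *)
        valid_ipv4_cidr "$cidr" || { echo "WARN: $file: '$cidr' is not a valid IPv4 CIDR" >&2; rc=1; }
        ;;
    esac
  done
  return $rc
}

# Constructed sample client configs in the shape wireguard-ui exports
# (keys replaced by placeholders); prints the temp directory they live in
make_wg_samples() {
  dir=$(mktemp -d)
  cat > "$dir/full-tunnel.conf" <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.252.1.2/32

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.10:51820
EOF
  cat > "$dir/restricted.conf" <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.252.1.2/32

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.252.1.0/24, 10.0.0.0/16
Endpoint = 198.51.100.10:51820
EOF
  echo "$dir"
}

# Usage: sh audit_allowed_ips.sh [client.conf ...]; with no arguments the
# constructed samples are audited instead.
if [ $# -gt 0 ]; then
  for f in "$@"; do audit_allowed_ips "$f" && echo "$f: OK"; done
else
  samples=$(make_wg_samples)
  audit_allowed_ips "$samples/full-tunnel.conf" || echo "full-tunnel.conf: flagged, as expected"
  audit_allowed_ips "$samples/restricted.conf" && echo "restricted.conf: OK"
  rm -rf "$samples"
fi
```

Point it at the client configs you hand out; restricted.conf shows the intended shape, where AllowedIPs lists the tunnel subnet and the infrastructure CIDRs and nothing broader.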