Wireguard VPN Instance

This Terraform solution deploys a Wireguard VPN instance intended to be used as a secure jump host for your infrastructure. By minimizing the use of Public IPs and limiting access to the rest of your environment, it enhances security.

Prerequisites

  1. Install Nebius CLI:

    curl -sSL https://storage.ai.nebius.cloud/nebius/install.sh | bash
  2. Reload your shell session:

    exec -l $SHELL

    or

    source ~/.bashrc
  3. Configure Nebius CLI (using a service account for configuration is recommended):

    nebius init
  4. Install jq (example for Debian-based distros):

    sudo apt install jq -y

Installation

Follow these steps to deploy the solution:

  1. Load environment variables:
    source ./environment.sh
  2. Initialize Terraform:
    terraform init
  3. Replace the placeholder content in terraform.tfvars with actual configuration values to fit your specific requirements. See the details below.
  4. Preview the deployment plan:
    terraform plan
  5. Apply the configuration:
    terraform apply
    Wait for the operation to complete.

Configuration Variables

Update the following variables in the terraform.tfvars file with your specific values:

  • parent_id
  • subnet_id
  • ssh_user_name
  • ssh_public_key
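
The script below is an added example, not part of this repository: a preflight check to run between editing terraform.tfvars and `terraform plan`. It takes the four variable names from the list above; the validation rules (no `<placeholder>` values left, no private key material in the file, `ssh_public_key` in OpenSSH public key format) and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not part of this repository): preflight check for
# terraform.tfvars. Variable names are the README's; the rules are assumptions.

# Print the quoted string assigned to variable $2 in tfvars file $1.
tfvar_value() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"([^\"]*)\".*\$/\1/p" "$1" | tail -n 1
}

# Return 0 if the file is ready for `terraform plan`, 1 if not, 2 if unreadable.
check_tfvars() {
  tf_file=$1
  tf_rc=0
  [ -r "$tf_file" ] || { echo "cannot read $tf_file" >&2; return 2; }

  for tf_name in parent_id subnet_id ssh_user_name ssh_public_key; do
    tf_value=$(tfvar_value "$tf_file" "$tf_name")
    case $tf_value in
      '')          echo "$tf_name: missing or empty" >&2; tf_rc=1 ;;
      *'<'*|*'>'*) echo "$tf_name: still a <placeholder>" >&2; tf_rc=1 ;;
    esac
  done

  # Private key material must never end up in tfvars (or in Terraform state).
  if grep -q 'PRIVATE KEY-----' "$tf_file"; then
    echo "ssh_public_key: private key material found, use the .pub file" >&2
    tf_rc=1
  fi

  # The public key should be one OpenSSH-format line: "<type> <base64> [comment]".
  case $(tfvar_value "$tf_file" ssh_public_key) in
    ''|ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
    *) echo "ssh_public_key: not an OpenSSH public key line" >&2; tf_rc=1 ;;
  esac
  return "$tf_rc"
}

# Usage: sh check_tfvars.sh terraform.tfvars && terraform plan
if [ -n "${1:-}" ]; then
  check_tfvars "$1"
  exit $?
fi
```
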

Creating and using a public IP allocation

This step lets you retain the IP address if the VM is deleted. You can skip this section if you don't need to keep the IP address.

  1. Create a public IP allocation:
    nebius vpc v1 allocation create  --ipv-4-public \
    --parent-id <project-id> --name wireguard_allocation_pub \
    --format json | jq -r '.metadata.id'
  2. Assign the value from the previous step to the public_ip_allocation_id variable in variables.tf:
    public_ip_allocation_id = <public_ip_allocation_id>

Usage

Logging into Wireguard UI

  1. SSH into the Wireguard instance:

    ssh -i <path_to_private_ssh_key> <ssh_user_name>@<instance_public_ip>
  2. Retrieve the Wireguard UI password:

    sudo cat /var/lib/wireguard-ui/initial_password
  3. Access the Wireguard UI in your browser:

    http://<instance_public_ip>:5000
    
  4. Log in with the following credentials:

    • Username: admin
    • Password: [password retrieved in step 2]

Notes

  • Apply Config: After creating, deleting, or changing Wireguard users, press the "Apply Config" button.
  • Allowed IPs: When adding new users, specify the CIDRs of your existing infrastructure in the "Allowed IPs" field.