This Terraform solution deploys a WireGuard VPN instance that serves as a secure jump host for your infrastructure. It improves security by minimizing the use of public IPs and limiting access to the rest of the environment.
- Install the Nebius CLI:

  ```bash
  curl -sSL https://storage.ai.nebius.cloud/nebius/install.sh | bash
  ```

- Reload your shell session:

  ```bash
  exec -l $SHELL
  ```

  or

  ```bash
  source ~/.bashrc
  ```

- Configure the Nebius CLI (we recommend using a service account):

  ```bash
  nebius init
  ```

- Install jq, the JSON processor used in the commands below (for Debian-based distributions):

  ```bash
  sudo apt install jq -y
  ```
To deploy the solution, follow these steps:

- Load environment variables:

  ```bash
  source ./environment.sh
  ```

- Initialize Terraform:

  ```bash
  terraform init
  ```

- Replace the placeholder content in `terraform.tfvars` with the configuration values that you need. See the details below.

- Preview the deployment plan:

  ```bash
  terraform plan
  ```

- Apply the configuration and wait for the operation to complete:

  ```bash
  terraform apply
  ```
Update the following variables in the `terraform.tfvars` file with your own values:

- `parent_id`
- `subnet_id`
- `ssh_user_name`
- `ssh_public_key`
Optionally, create a public IP allocation. This step allows you to retain the IP address even if the VM is deleted. If you don't need to keep the IP address, skip this section.

- Create a public IP allocation:

  ```bash
  nebius vpc v1 allocation create --ipv-4-public \
    --parent-id <project-id> --name wireguard_allocation_pub \
    --format json | jq -r '.metadata.id'
  ```

- Assign the value from the previous step to the `public_ip_allocation_id` variable in `variables.tf`:

  ```hcl
  public_ip_allocation_id = <public_ip_allocation_id>
  ```
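As an added helper (not part of this Terraform solution), the script below checks that the placeholders for the four required variables have been replaced before you run `terraform plan`, and wraps the allocation command above so that the returned id is written into whichever variables file you pass. It assumes `name = "value"` assignments on single lines, placeholders written as `<...>`, and, for the allocation step only, that `nebius` and `jq` are installed; the usage values in the trailing comment are constructed, not real ids.

```shell
#!/usr/bin/env bash
# Added helper, not part of the Terraform solution: fills and validates a
# Terraform variables file before `terraform plan`.
set -eu

REQUIRED_VARS="parent_id subnet_id ssh_user_name ssh_public_key"

# set_tfvar FILE NAME VALUE: replace the existing assignment for NAME or append one.
set_tfvar() {
  file="$1"; name="$2"; value="$3"
  if grep -Eq "^[[:space:]]*${name}[[:space:]]*=" "$file"; then
    # Rewrite through a temp file; `sed -i` differs between GNU and BSD.
    awk -v n="$name" -v v="$value" '
      $0 ~ ("^[[:space:]]*" n "[[:space:]]*=") { print n " = \"" v "\""; next }
      { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s = "%s"\n' "$name" "$value" >> "$file"
  fi
}

# check_tfvars FILE: return 0 only when every required variable is present and
# no longer holds a <placeholder>; each problem is printed on its own line.
check_tfvars() {
  file="$1"; ok=0
  for name in $REQUIRED_VARS; do
    line="$(grep -E "^[[:space:]]*${name}[[:space:]]*=" "$file" || true)"
    if [ -z "$line" ]; then
      echo "missing: $name"; ok=1
    elif echo "$line" | grep -q '<'; then
      echo "placeholder not replaced: $name"; ok=1
    fi
  done
  return "$ok"
}

# allocate_public_ip PROJECT_ID: the README's allocation command, printing the
# allocation id (needs nebius and jq; not exercised offline).
allocate_public_ip() {
  nebius vpc v1 allocation create --ipv-4-public \
    --parent-id "$1" --name wireguard_allocation_pub \
    --format json | jq -r '.metadata.id'
}

# Usage (constructed values, not real ids):
#   set_tfvar terraform.tfvars parent_id project-e00example
#   set_tfvar terraform.tfvars public_ip_allocation_id "$(allocate_public_ip project-e00example)"
#   check_tfvars terraform.tfvars && terraform plan
```

Running `check_tfvars` as a gate in front of `terraform plan` stops a run that would otherwise fail late, or worse, deploy with a placeholder copied into a resource name.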
After the deployment completes:

- SSH into the WireGuard instance:

  ```bash
  ssh -i <path_to_private_ssh_key> <ssh_user_name>@<instance_public_ip>
  ```

- Retrieve the WireGuard UI password:

  ```bash
  sudo cat /var/lib/wireguard-ui/initial_password
  ```

- Open the WireGuard UI in your browser:

  ```
  http://<instance_public_ip>:5000
  ```

- Log in with the following credentials:
  - Username: `admin`
  - Password: the password retrieved in step 2 (the contents of `initial_password`)

- Apply Config: after creating, deleting or changing WireGuard users, select "Apply Config".
- Allowed IPs: when adding new users, specify the CIDRs of your existing infrastructure in the "Allowed IPs" field.
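As an added check, not part of this Terraform solution or of the WireGuard UI, the script below reads the `AllowedIPs` entries from a client configuration the UI generated and confirms the peer is limited to the infrastructure CIDRs you entered, rejecting a catch-all `0.0.0.0/0` or `::/0` route that would turn the jump host into a full tunnel for that user. The sample client config is constructed (the keys are placeholders), and CIDRs are compared as exact strings, so pass them exactly as you typed them into the "Allowed IPs" field.

```shell
#!/usr/bin/env bash
# Added check, not part of the Terraform solution or of wireguard-ui: verifies
# that a generated client config only routes the approved infrastructure CIDRs.
set -eu

# allowed_ips FILE: print each AllowedIPs entry from the [Peer] section, one per line.
allowed_ips() {
  awk -F'=' '
    /^\[Peer\]/ { inpeer = 1; next }
    /^\[/       { inpeer = 0 }
    inpeer && $1 ~ /^[[:space:]]*AllowedIPs[[:space:]]*$/ {
      n = split($2, parts, ",")
      for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", parts[i]); print parts[i] }
    }' "$1"
}

# check_allowed_ips FILE CIDR...: return 0 when every AllowedIPs entry is one of
# the approved CIDRs and no catch-all route (0.0.0.0/0 or ::/0) is present.
check_allowed_ips() {
  file="$1"; shift
  ok=0
  entries="$(allowed_ips "$file")"
  [ -n "$entries" ] || { echo "no AllowedIPs found in [Peer] section"; return 1; }
  for entry in $entries; do
    case "$entry" in
      0.0.0.0/0|::/0) echo "full-tunnel route present: $entry"; ok=1; continue ;;
    esac
    found=0
    for approved in "$@"; do
      [ "$entry" = "$approved" ] && found=1
    done
    [ "$found" -eq 1 ] || { echo "not in approved list: $entry"; ok=1; }
  done
  return "$ok"
}

# write_sample_config FILE: constructed client config in the format the UI
# exports; the key values are placeholders, not real key material.
write_sample_config() {
  cat > "$1" <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.252.1.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = <instance_public_ip>:51820
AllowedIPs = 10.252.1.0/24, 192.168.10.0/24
EOF
}

# Usage:
#   write_sample_config client.conf
#   check_allowed_ips client.conf 10.252.1.0/24 192.168.10.0/24
```

A non-zero exit with "full-tunnel route present" means the user's entire traffic would be routed through the jump host, which is the opposite of the limited access the solution is meant to provide; fix the user's Allowed IPs in the UI and select "Apply Config" again.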