wordpress meta

title: 'Wireguard VPN between Azure and OCI hosts'
date: '2020-10-28T15:33:46-05:00'
status: publish
permalink: /wireguard-vpn-between-azure-and-oci-hosts
author: admin
excerpt: ''
type: post
id: 1682
category:
    - VPN
    - Wireguard
tag: []
post_format: []
ct_author_last_updated:


Wireguard test between Azure and Oracle OCI hosts

REF: https://www.wireguard.com/

Azure VM setup

Ubuntu 18.04.5 LTS

```bash
root@wireguard-az:~# dig +short myip.opendns.com @resolver1.opendns.com
IPAddress
```

```bash
root@wireguard-az:~# apt install wireguard

root@wireguard-az:~# wg version
wireguard-tools v1.0.20200513 - https://git.zx2c4.com/wireguard-tools/

root@wireguard-az:~# umask 077
root@wireguard-az:~# wg genkey > privatekey
root@wireguard-az:~# wg pubkey < privatekey > publickey
root@wireguard-az:~# ip link add wg0 type wireguard
root@wireguard-az:~# ip addr add 10.0.0.1/24 dev wg0
root@wireguard-az:~# wg set wg0 private-key ./privatekey
root@wireguard-az:~# ip link set wg0 up

root@wireguard-az:~# ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0d:3a:5d:89:a7 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.4/24 brd 10.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:3aff:fe5d:89a7/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

root@wireguard-az:~# wg show
interface: wg0
  public key: redacted
  private key: (hidden)
  listening port: 43971

root@wireguard-az:~# wg set wg0 peer redacted allowed-ips 10.0.0.2/32 endpoint IPAddress:40181

root@wireguard-az:~# wg show
interface: wg0
  public key: redacted
  private key: (hidden)
  listening port: 43971

peer: redacted
  endpoint: IPAddress:40181
  allowed ips: 10.0.0.2/32
  transfer: 0 B received, 3.32 KiB sent
```

NOTE: iptables on this server needs no adjustment; the port is already open.

```bash
root@wireguard-az:~# ping 10.0.0.2 -c 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=10 ttl=64 time=31.7 ms
```

NOTE: open an Azure Security Rule (inbound) for the port we are listening on:
  • Priority 310, name wg, destination port 43971, protocol Any, source IPAddress/32, destination Any

Oracle OCI

Ubuntu 20.04.1 LTS

```bash
root@usph-vmli-do01:~# dig +short myip.opendns.com @resolver1.opendns.com
IPAddress
```

```bash
root@usph-vmli-do01:~# apt install wireguard

root@usph-vmli-do01:~# wg version
wireguard-tools v1.0.20200513 - https://git.zx2c4.com/wireguard-tools/
```

  • open an OCI Security List rule (ingress) for the port we are listening on:
    Stateless No, source IPAddress/32, protocol TCP, source port range All, destination port range 40181, description "TCP traffic for ports: 40181"

```bash
root@usph-vmli-do01:~# umask 077
root@usph-vmli-do01:~# wg genkey > privatekey
root@usph-vmli-do01:~# wg pubkey < privatekey > publickey
root@usph-vmli-do01:~# ip link add wg0 type wireguard
root@usph-vmli-do01:~# ip addr add 10.0.0.2/24 dev wg0
root@usph-vmli-do01:~# wg set wg0 private-key ./privatekey
root@usph-vmli-do01:~# ip link set wg0 up

root@usph-vmli-do01:~# ip addr
2: ens3: mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:00:17:02:8f:09 brd ff:ff:ff:ff:ff:ff
    inet 10.3.1.8/24 brd 10.3.1.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::200:17ff:fe02:8f09/64 scope link
       valid_lft forever preferred_lft forever
...
20: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.2/24 scope global wg0
       valid_lft forever preferred_lft forever

root@usph-vmli-do01:~# wg show
interface: wg0
  public key: redacted
  private key: (hidden)
  listening port: 40181

root@usph-vmli-do01:~# wg set wg0 peer redacted allowed-ips 10.0.0.1/32 endpoint IPAddress:43971

root@usph-vmli-do01:~# wg show
interface: wg0
  public key: redacted
  private key: (hidden)
  listening port: 40181

peer: redacted
  endpoint: IPAddress:43971
  allowed ips: 10.0.0.1/32
```

NOTE: iptables on this server needs adjustment; the port is not open.

```bash
root@usph-vmli-do01:~# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW,ESTABLISHED
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
8    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
9    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
...

root@usph-vmli-do01:~# iptables -I INPUT 5 -p tcp -m tcp --dport 40181 -m state --state NEW,ESTABLISHED -j ACCEPT

root@usph-vmli-do01:~# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:40181 state NEW,ESTABLISHED
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW,ESTABLISHED
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
8    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
9    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
10   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

root@usph-vmli-do01:~# ping 10.0.0.1 -c 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=31.9 ms

ubuntu@usph-vmli-do01:~/.ssh$ ssh ubuntu@10.0.0.1
...
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-1031-azure x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Oct 28 17:35:39 UTC 2020
...
```
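Two things in the session above deserve a closer look before the setup is made permanent. First, WireGuard speaks UDP only, so neither the OCI security-list rule (protocol TCP) nor the `iptables -I INPUT 5 -p tcp ... --dport 40181` rule admits a single WireGuard packet; the tunnel came up anyway because the OCI host dialled the Azure endpoint first, conntrack then classified the Azure replies as ESTABLISHED and rule 1 accepted them (the OCI security list is stateful by default and behaves the same way). Second, both hosts run on whatever random listen port `wg` picked when wg0 was created; the port changes every time the interface is recreated, and the cloud rules that name it stop matching. The script below is an added example, not code from the post: it prints the same bring-up sequence with a pinned `listen-port`, audits an `iptables -L INPUT --line-numbers` listing for a UDP accept on that port, and composes the correct rule positioned ahead of the chain's REJECT. Function and variable names are the example's own, the listing is constructed from the post's output, `IPAddress` is the post's placeholder for the peer's public address, and the peer public key is a placeholder.

```shell
#!/bin/sh
# Added example (not the post's code): WireGuard bring-up with a fixed listen
# port, plus an audit of the INPUT chain for the UDP rule WireGuard needs.
# All names below are this example's own; values are the post's OCI side.

WG_IF=wg0
WG_ADDR=10.0.0.2/24                 # this host's tunnel address
WG_PORT=40181                       # pinned listen port; must match the cloud security rule
PEER_PUBKEY="PEER_PUBLIC_KEY_PLACEHOLDER"   # placeholder: the peer's wg pubkey output
PEER_ALLOWED=10.0.0.1/32            # only the peer's tunnel address is routed into wg0
PEER_ENDPOINT="IPAddress:43971"     # IPAddress = placeholder for the peer's public IP

# Print the bring-up commands (printed, not run, so they can be reviewed first;
# `wg_bringup_cmds | sh` on the host applies them). listen-port pins the port.
wg_bringup_cmds() {
    cat <<EOF
umask 077
[ -f privatekey ] || wg genkey > privatekey
wg pubkey < privatekey > publickey
ip link add $WG_IF type wireguard
ip addr add $WG_ADDR dev $WG_IF
wg set $WG_IF private-key ./privatekey listen-port $WG_PORT
wg set $WG_IF peer $PEER_PUBKEY allowed-ips $PEER_ALLOWED endpoint $PEER_ENDPOINT
ip link set $WG_IF up
EOF
}

# Read an `iptables -L INPUT --line-numbers` listing on stdin and print the
# number of the first REJECT/DROP rule, so an ACCEPT can be inserted ahead of
# it. Prints nothing when the chain has no terminating rule.
first_reject_index() {
    awk '$2 == "REJECT" || $2 == "DROP" { print $1; exit }'
}

# Exit 0 if the listing on stdin already ACCEPTs UDP to the given port.
# A TCP rule on the same port does not count: WireGuard never sends TCP.
listing_has_udp_accept() {
    awk -v port="$1" \
        '$2 == "ACCEPT" && $3 == "udp" && $0 ~ ("dpt:" port "( |$)") { found = 1 }
         END { exit !found }'
}

# Compose the iptables command that opens a UDP port, inserted before the
# first REJECT/DROP of the listing on stdin (appended when there is none).
wg_fw_cmd() {
    port=$1
    idx=$(first_reject_index)
    if [ -n "$idx" ]; then
        printf 'iptables -I INPUT %s -p udp --dport %s -j ACCEPT\n' "$idx" "$port"
    else
        printf 'iptables -A INPUT -p udp --dport %s -j ACCEPT\n' "$port"
    fi
}

# Constructed listing: the OCI host's INPUT chain as the post shows it after
# the post's TCP rule was inserted (rule numbers and names as in the post).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:40181 state NEW,ESTABLISHED
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW,ESTABLISHED
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
8    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
9    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
10   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited'

# Audit the sample: the TCP rule is not enough, so the UDP rule is reported.
if printf '%s\n' "$SAMPLE_LISTING" | listing_has_udp_accept "$WG_PORT"; then
    echo "UDP $WG_PORT already accepted"
else
    echo "no UDP accept for $WG_PORT; run:"
    printf '%s\n' "$SAMPLE_LISTING" | wg_fw_cmd "$WG_PORT"
fi
```

On a live host, `iptables -nL INPUT --line-numbers | wg_fw_cmd 40181` produces the rule for the real chain; `-n` keeps ports numeric so a port that happens to have an /etc/services name is still matched. The same UDP-only point applies to the cloud side: the Azure rule's protocol "Any" covers it, while the OCI rule should be created for UDP rather than TCP.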

Permanent steps

For routing/NAT of hosts behind these peers, creating /etc/wireguard/ config files, starting the interface with systemd, etc., read more here: https://linuxize.com/post/how-to-set-up-wireguard-vpn-on-ubuntu-20-04/