Getting Started
This is a guide on how to set up a VPN server on an Azure instance and connect to it via WireGuard. One server is enough for 5-7 people comfortably, so once set up, feel free to share your configs :). You will need Azure credits to use VPN services through the Azure WireGuard setup. For this, you need to create an Azure account (with a student Microsoft account you get $100 worth of free credits), which enables you to create a virtual machine server.
Information on how to set up your azure students account
Virtual Machine
Once you’ve created an Azure account, access the portal, select “Create a resource” in the menu and create a VM by searching for “virtual machine”.
- Basics tab
  - Under the heading “Project Details,” choose your subscription pack (Azure For Students) and provide your resource group name (any name will suffice).
  - Under the heading “Instance Details,” provide the name of your virtual machine, the server region for the virtual machine, and the size, preferably according to your usage and subscription plan. You get one B1s instance free with your student account, and it is more than enough for hosting 5 clients. Make sure to select B1s; the rest of the instances are costly and will eat up your subscription pack. If B1s is unavailable, consider getting a server that runs under Rs.500 per month. Anything above that is considered costly.
  - Under the heading “Administrator Account,” select SSH public key as your authentication type, type in your username, and leave the rest at the defaults.
- Disks tab
  - Under the heading “OS Disk Type,” select the “Standard SSD (locally-redundant storage)” option from the dropdown box, and tick the “Delete with VM” checkbox.
- Review + create tab
  - Here you can review the pricing of your VM based on the package and subscription you selected in the Basics tab. You can review and change it here. Once you pass this stage, you cannot undo your pricing choices, so be careful while reviewing this tab.
  - Fill in your credentials (name, phone number and email ID) for creating the virtual machine, which can be used in creating the VPN. Anything that does not have a red star on top of it can be left blank.
It is advisable to leave everything not mentioned here, such as the Management, Networking and Advanced tabs, at the defaults. Given below is how the summary for the tabs will look (inclusive of the tabs not mentioned before):
Wg-Easy
After reviewing the VM attributes, click Create and wait till your VM is deployed. Download the .pem file (which should be visible right after you create the server); this will be used to ssh into your server. After the VM is deployed, copy the Public IP Address (this is a number that looks similar to this: 21.196.33.5) in the right column under the heading Essentials.
In case you did not copy the Public IP, you can always go back to Home - Microsoft Azure and click on the Virtual Machine Resource (see highlighted option).
Once you have the .pem file, change its permissions. Right-click on the file and go to Properties. In Properties, go to the Security tab and click on Advanced. Click on Disable Inheritance, and choose Remove all inherited permissions from this object in the pop-up. Click on Add, then Select a Principal. Type in your username (to get your username, open the terminal and type in whoami; your username will be displayed in the format computer-name/user-name) and press OK. The final screenshot is below
Click on Apply to save, and then OK.
Once the .pem file is created, we can ssh into our server. To ssh into the server, open your terminal (Windows PowerShell; search in the Start menu or use Win + R followed by powershell) and use the command:
ssh -i .\<path to .pem file> <azure username>@<server-ip-address>
Deploying Wg-Easy on the server
After successfully ssh-ing into your server, you will be greeted with a terminal interface similar to this:
The wg-easy link takes you to a GitHub repository, which has a set of commands. Copy those commands and run them in the terminal after SSHing in. In case you haven’t installed Docker yet, install it first:
sudo snap install docker
# Lets your user run docker without sudo. Mode 666 makes the Docker socket
# writable by every local user, and access to the socket is equivalent to root on the server.
sudo chmod 666 /var/run/docker.sock
# Start wg-easy: WireGuard on 51820/udp, WebUI on 51821/tcp.
docker run -d \
  --name=wg-easy \
  -e WG_HOST=🚨YOUR_SERVER_IP \
  -e PASSWORD=🚨YOUR_ADMIN_PASSWORD \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  weejewel/wg-easy
Make sure that you replace 🚨YOUR_SERVER_IP with your server IP and 🚨YOUR_ADMIN_PASSWORD with a password. This will later be used to log in to the WebUI and create configuration files for the VPN.
For the initial connection, we will be opening all our ports so that the configuration menu (WebUI) of wg-easy is visible. Go to Home - Microsoft Azure and open the virtual machine (see image). Open Network Settings to check the inbound and outbound ports.
Create 2 inbound port rules with the following destination port ranges: 1) 51820 (for wg-easy) and 2) 51821 (for the WebUI of wg-easy). Select UDP as the protocol for port 51820 and Any for port 51821. Create 1 outbound port rule, leaving everything at the defaults and preferably naming it “AllowAll”. See the two inbound rules below that you have to create.
Copy the Public IP address of the virtual machine and in a new tab type <publicIPAddress>:51821. It should open the wg-easy UI (if it doesn’t open, switch to mobile data and try again). Type in the admin password to access the UI and create .config files for clients. Once you have config files, use them to add a tunnel to WireGuard for it to work. This is how the WebUI will look:
Enter your password and log in. Once logged in, create a new client by pressing the new button.
Once created, download the config file using the download icon. This config will be used for our VPN for Wireguard.
Follow this guide to set up WireGuard using a config file (ignore expanding the configuration and setting up client keys; wg-easy automatically takes care of all that): How to configure a WireGuard Windows 10 VPN client - Server Side Up. One server is enough for 5-7 people comfortably, so once set up, feel free to share your configs :).
Congratulations, you now have your own private VPN!! Do note that all traffic is monitored through Azure and you will be charged according to usage. 100 dollars of credit should comfortably last you through the year, but do keep occasionally checking on how much you are spending, and make sure you don’t have it running in the background unknowingly.
For security reasons, ensure that you change the source IP for port 51821 (in the network security rules of your server) from Any to 10.0.0.0/24 (once you have at least one config file downloaded). Now, to access the WebUI, activate the WireGuard tunnel and go to 10.0.0.4:51821. See below for the final inbound and outbound rules. This is very important.
[P.S.: If the WG-EASY UI webpage doesn’t open with IITH wi-fi, try opening it with mobile data or an added VPN to the IITH wi-fi.]
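The lock-down of port 51821 described above can be checked from the rule list instead of by eye. The following is an added example, not part of the original guide or of wg-easy: it reads rules in the JSON shape printed by the Azure CLI and reports which inbound Allow rules still let any source reach the WebUI port. The sample rules, their names and their priorities are constructed for illustration.

```python
import json

WEBUI_PORT = 51821                             # wg-easy WebUI port (TCP) in this guide
OPEN_SOURCES = {"*", "0.0.0.0/0", "internet"}  # NSG spellings of "any source"

# Constructed sample shaped like `az network nsg rule list -g <resource-group>
# --nsg-name <nsg-name> -o json`; rule names and priorities are made up.
SAMPLE_RULES = json.loads("""[
 {"name": "wireguard", "direction": "Inbound", "access": "Allow", "priority": 310,
  "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRange": "51820"},
 {"name": "webui", "direction": "Inbound", "access": "Allow", "priority": 320,
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "51821"},
 {"name": "AllowAll", "direction": "Outbound", "access": "Allow", "priority": 100,
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

def merged(rule, single, plural):
    """Azure fills either the singular or the plural field; return both as one list."""
    return [v for v in [rule.get(single)] + list(rule.get(plural) or []) if v]

def port_in_spec(port, spec):
    """True if port matches an NSG port spec: '*', '51821' or '51000-52000'."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def exposed_rules(rules, port=WEBUI_PORT):
    """Names of inbound Allow rules that let any source reach TCP `port`.
    Simplification: higher-priority Deny rules are not taken into account."""
    hits = []
    for rule in rules:
        if (rule.get("direction"), rule.get("access")) != ("Inbound", "Allow"):
            continue
        if rule.get("protocol", "*").lower() not in ("*", "tcp"):
            continue
        ports = merged(rule, "destinationPortRange", "destinationPortRanges")
        sources = merged(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if any(port_in_spec(port, p) for p in ports) and any(s.lower() in OPEN_SOURCES for s in sources):
            hits.append(rule["name"])
    return hits

def with_source(rules, name, prefix):
    """Copy of rules with rule `name` limited to `prefix`, as the portal edit leaves it."""
    return [dict(r, sourceAddressPrefix=prefix) if r["name"] == name else r for r in rules]

if __name__ == "__main__":
    print("before lock-down:", exposed_rules(SAMPLE_RULES))
    print("after lock-down: ", exposed_rules(with_source(SAMPLE_RULES, "webui", "10.0.0.0/24")))
```

An empty list after the change means no inbound rule leaves the WebUI reachable from arbitrary addresses; the UDP rule for 51820 is intentionally not reported, since it has to stay open for the tunnel.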
Frequently Asked Questions
Q) How do I claim my student credits for my Azure Account?
A) Follow this link for more information: Creating Azure for Students Account (c-sharpcorner.com)
Q) What is a terminal? How do we ssh using a terminal?
A) How to Connect to a Remote Server Over SSH on Windows | Linode. This tells you how to ssh into a server using PowerShell or Windows Command Prompt. Note that we use a .pem file instead of a password, so the command to be used will be
ssh -i <path-to-pem-file> <azure-username>@<server-ip-address>
Make sure to replace path-to-pem-file, azure-username and server-ip-address.
Q) How do I install Wireguard?
A) Follow this guide to set up WireGuard using a config file (ignore expanding the configuration and setting up client keys; wg-easy automatically takes care of all that): How to configure a WireGuard Windows 10 VPN client - Server Side Up
Q) Unable to connect to the server
A) Ensure all the network rules are correctly configured. Otherwise, try connecting via mobile data.
Q) Unable to ssh into the server
A) Double-check the permissions section of the document
Q) After downloading docker and running the docker commands, it says permission denied
A) Type in this command sudo chmod 666 /var/run/docker.sock and re-run the commands or press the up arrow twice.