Use a GUI to Set Up WireGuard Point-to-Site

This article will show you how to set up a Point to Site WireGuard VPN (Virtual Private Network) with the Pro Custodibus GUI (Graphical User Interface). In our example scenario, we’ll use the GUI to configure WireGuard on a VPN server; this VPN server will provide remote access to some internal applications at a cloud site from my laptop and phone.

The diagram below illustrates this scenario:

WireGuard Point-to-Site Diagram

The VPN Server, running in the cloud site and listening at the public IP address of 18.237.177.185 on UDP port 51820, will accept WireGuard connections from My Laptop and My Phone, and forward the packets tunneled through WireGuard from My Laptop and My Phone to hosts at the cloud site that otherwise aren’t publicly accessible.

The other hosts in the cloud site have IP addresses in the 10.90.0.0/16 block, like the “Internal App” shown in the above diagram with an IP address of 10.90.1.89. Within the WireGuard VPN, we’ll use an IP address of 10.0.0.1 for the VPN server, an IP address of 10.0.0.2 for My Laptop, and an IP address of 10.0.0.3 for My Phone.

When I access the Internal App on My Laptop or My Phone, I’ll use its internal IP address of 10.90.1.89 to connect to it — like by entering http://10.90.1.89/ into the address bar of a browser on My Laptop or My Phone. The VPN Server will masquerade packets from the WireGuard VPN when it forwards them into the cloud site; so from the perspective of the Internal App, those packets will appear to originate from the VPN Server itself, which has an IP address of 10.90.2.67 within the cloud site.

If you compare this to the Manual Point to Site Configuration Guide, My Laptop would be Endpoint A in that guide, the VPN Server would by Host β, and the Internal App would be Endpoint B.

These are the steps we’ll follow to set this up:

Prep the VPN Server

Pretty much any old Linux server will work fine as a VPN server for WireGuard. You can set up one specifically as a VPN server, or you can use an existing server that’s also being used for other purposes (like one also being used as an outbound NAT gateway). Follow these steps to set it up:

Provision the Server

Whether you set up a new server or use an existing one, make sure you provision the server with the following attributes:

  1. The server needs a publicly-accessible UDP port on which it can accept new connections.

  2. The server needs network access to the your internal apps (like the Internal App host in our scenario).

  3. You need root access on the server.

See the Point to Cloud WireGuard with AWS Private Subnets and Point to Cloud WireGuard With an Azure Hub VNet articles for detailed guides about how to launch and set up the cloud networking components for a server like this in AWS or Azure.

Install WireGuard

Install WireGuard on the VPN server. The VPN server in our example will run Ubuntu 20.04, so for it you just need to SSH into it as an sudoer user and run the following command:

$ sudo apt install wireguard

Sign Up to Pro Custodibus

Sign Up for a Pro Custodibus account if you haven’t done so yet; see the Getting Started With Pro Custodibus guide if you need detailed instructions (but it’s just a simple one-page form, so you probably won’t need instructions).

Deploy the Pro Custodibus Agent

In the Pro Custodibus UI, register a host for the VPN server, and deploy the Pro Custodibus agent to the VPN server. Follow the Register a WireGuard Host and Deploy the Pro Custodibus Agent sections of the Getting Started guide for this; or refer to the docs for Adding a Host, Downloading the Agent, and Installing the Agent.

Add a WireGuard Interface for the VPN Server

Now you should have a host page for the VPN Server in the Pro Custodibus web UI that looks like this:

Host Page With No Interfaces
Figure 1. Host Page for VPN Server

(You can navigate to the list of hosts in Pro Custodibus by clicking the Hosts link in the navigation bar at the top of the page — click VPN Server in that list to navigate to the above page.)

Click the Add icon in the Interfaces panel to add a new WireGuard interface to the host:

Host Page With Add-Interface Icon Highlighted
Figure 2. Add Interface Icon

On the “Add Interface” page, enter a basic interface name like “wg0” into the Name field; and optionally enter a description like “access to internal cloud” into the Description field.

Important

The WireGuard interface name is used internally by the host’s operating system as an identifier for the interface, so it should be short and sweet (and usually you don’t ever want to rename it). The description is just for your own use, however, so it can be long and meandering, and you can change it as often as you like.

If we had already created a peer identity for the VPN Server, we’d select that identity in the Peer field. We haven’t, so click the New button adjoining the Peer field:

First Part of Add Interface Form
Figure 3. Add Interface Page

This peer is for the identity of the interface itself. The X25519 public-key pair associated with the peer identifies it globally and uniquely.

So enter “VPN Server” (or some other descriptive name) into the Name field of the “Add Peer” dialog. Then click the Generate button adjoining the Private Key field to generate a new random public-key pair:

Add Peer Form With Generate Button Highlighted
Figure 4. Add Peer Dialog
Note

The Private Key field is optional. However, Pro Custodibus will not be able to create the interface for you if you do not supply the private key — you’ll have to first create the interface on the host manually (and then, once created, you can use Pro Custodibus to manage it).

See the docs for the Private Key Field of the Add Peer form for more information.

Then click the Add button at the bottom of the dialog:

Add Peer Form With Add Button Highlighted
Figure 5. Add Peer Dialog pt 2

Next, enter the UDP port number on which the interface will listen, like “51820”, into the Port field.

Important

The port you select must be publicly accessible from the Internet. You’ll probably need to adjust some firewall rules at the site to allow access to this port.

Enter the private IP address or addresses that the interface will use within the WireGuard network, like “10.0.0.1”, into the Addresses field:

Middle Part of Add Interface Form
Figure 6. Add Interface Page pt 2
Note

The other fields in this form are only necessary for advanced use — we can skip them in this scenario.

Finally, enter the following Pre Up Script content:

sysctl -w net.ipv4.ip_forward=1
iptables -t mangle -A PREROUTING -i %i -j MARK --set-mark 0x10
iptables -t nat -A POSTROUTING ! -o %i -m mark --mark 0x10 -j MASQUERADE

The first line will make sure packet forwarding is enabled on the VPN server. The next two lines will apply masquerading (aka SNAT, Source Network Address Translation) to any packets that are forwarded from this WireGuard interface out any other network interface. Masquerading will make those forwarded packets appear to have come from the VPN server itself (which means the hosts which receive those packets will just send any packets in reply back to the VPN server — so you don’t have to configure any special routing rules at the site to get replies back to the VPN server).

Then enter the following Post Down Script content to remove these firewall rules when the interface is shut down:

iptables -t mangle -D PREROUTING -i %i -j MARK --set-mark 0x10
iptables -t nat -D POSTROUTING ! -o %i -m mark --mark 0x10 -j MASQUERADE

And then click the Add button at the bottom of the form:

Last Part of Add Interface Form
Figure 7. Add Interface Page pt 3

This will queue the new WireGuard interface for creation. In a minute or two, the Pro Custodibus agent running on the VPN Server will pull this queued update and apply it to the VPN server, creating the interface.

For more details about the “Add Interface” form, see the Add an Interface docs.

Add an Endpoint to My Laptop on the VPN Server

The new WireGuard interface on the VPN Server won’t have any peers able to connect to it yet, however. To allow My Laptop to connect to the VPN Server, we can use the Pro Custodibus UI to add an endpoint to My Laptop on the VPN Server.

On the main page for the interface, click the Add icon in the Endpoints panel:

Interface Page With Add-Endpoint Icon Highlighted
Figure 8. Add Endpoint Icon

If we had already created a peer identity for My Laptop, we’d select it in the Peer field. We haven’t, so click the New button adjoining the Peer field:

First Part of Add Endpoint Form
Figure 9. Add Endpoint Page

Enter “My Laptop” (or some other descriptive name) into the Name field of the “Add Peer” dialog. Then click the Generate button adjoining the Private Key field to generate a new random public-key pair:

Add Peer Form With Generate Button Highlighted
Figure 10. Add Peer Dialog

Then click the Add button at the bottom of the dialog:

Add Peer Form With Add Button Highlighted
Figure 11. Add Peer Dialog pt 2

Optionally, click the Generate button adjoining the Preshared Key field to generate a new random preshared key to use for the connection:

Middle Part of Add Endpoint Form
Figure 12. Add Endpoint Page pt 2
Note

You don’t need to use preshared keys with WireGuard (but Pro Custodibus makes them easy to use and manage). See the Preshared Keys docs for a discussion about why you would want to use them.

Next, enter the IP address or addresses that the host should route to the endpoint into the Allowed IPs field. For the endpoint from the “site” to a “point” in a point-to-site scenario, this will just be the internal WireGuard IP address (or addresses) we’ve chosen for the point; for My Laptop, it’s 10.0.0.2.

Finally, click the Add button at the bottom of the form:

Last Part of Add Endpoint Form
Figure 13. Add Endpoint Page pt 3

This will queue the endpoint to be added to the interface on the VPN Server. In a minute or two, the Pro Custodibus agent running on the VPN Server will pull this queued update and apply it.

For more details about the “Add Endpoint” form, see the Add an Endpoint docs.

Add an Endpoint to My Phone on the VPN Server

Now that we’ve configured the VPN server to allow My Laptop to connect to it, we’ll do the same thing for My Phone.

To get back to the main page for the “wg0” interface of the VPN Server, click the wg0 link in the breadcrumbs of the page for the endpoint we just created (the My Laptop endpoint):

Endpoint Page for Connection Between VPN Server and My Laptop
Figure 14. wg0 Link in Breadcrumbs

Back on the main page for the interface, click the Add icon in the Endpoints panel:

Interface Page With Add-Endpoint Icon Highlighted
Figure 15. Add Endpoint Icon

If we had already created a peer identity for My Phone, we’d select it in the Peer field. We haven’t, so click the New button adjoining the Peer field:

First Part of Add Endpoint Form
Figure 16. Add Endpoint Page

Next, enter “My Phone” (or some other descriptive name) into the Name field of the “Add Peer” dialog. Then click the Generate button adjoining the Private Key field:

Add Peer Form With Generate Button Highlighted
Figure 17. Add Peer Dialog

Then click the Add button at the bottom of the dialog:

Add Peer Form With Add Button Highlighted
Figure 18. Add Peer Dialog pt 2

Optionally, click the Generate button adjoining the Preshared Key field to generate a new random preshared key to use for the connection:

Middle Part of Add Endpoint Form
Figure 19. Add Endpoint Page pt 2

Next, enter the IP address or addresses that the host should route to the endpoint into the Allowed IPs field. For the endpoint from the “site” to a “point” in a point-to-site scenario, this will just be the internal WireGuard IP address (or addresses) we’ve chosen for the point; for My Phone, it’s 10.0.0.3.

Finally, click the Add button at the bottom of the form:

Last Part of Add Endpoint Form
Figure 20. Add Endpoint Page pt 3

This will queue the endpoint to be added to the interface on the VPN Server. In a minute or two, the Pro Custodibus agent running on the VPN Server will pull this queued update and apply it.

For more details about the “Add Endpoint” form, see the Add an Endpoint docs.

Add a WireGuard Interface for My Laptop

Now that the VPN Server is configured and ready to go, we’ll configure My Laptop. We first need to create a host entry for it in Pro Custodibus; then we can add a WireGuard interface to it.

Click the Hosts link in the navigation bar at the top of the page to navigate to the main hosts list:

Endpoint Page for Connection Between VPN Server and My Laptop
Figure 21. Hosts Link

Then click the Add icon in the Hosts panel:

Hosts List
Figure 22. Add Host Icon

Then enter a name for the host, like “My Laptop”, in the Name field; and click the Add button:

Hosts List
Figure 23. Add Host Page

We’ll do the agent setup later; so click the My Laptop link in the breadcrumbs of the “Set Up” page to get to the main page for the new host:

Host Page With No Interfaces
Figure 24. Set Up Page for My Laptop

Click the Add icon in the Interfaces panel to add a new WireGuard interface to the host:

Host Page With Add-Interface Icon Highlighted
Figure 25. Add Interface Icon

On the “Add Interface” page, enter a basic interface name like “wg0” into the Name field; and optionally enter a description like “connection to our internal cloud” into the Description field.

Then for the Peer field, select the “My Laptop” peer we created when we set up the endpoint to My Laptop on the VPN Server:

First Part of Add Interface Form
Figure 26. Add Interface Page

Next, enter the private IP address or addresses that the interface will use within the WireGuard network, like “10.0.0.2”, into the Addresses field:

Middle Part of Add Interface Form
Figure 27. Add Interface Page pt 2

Finally, scroll down to the bottom of the page and click the Add button:

Last Part of Add Interface Form
Figure 28. Add Interface Page pt 3

This will queue the new WireGuard interface for creation. It will be applied when we install the Pro Custodibus agent on My Laptop.

For more details about the “Add Interface” form, see the Add an Interface docs.

Add an Endpoint to the VPN Server on My Laptop

To complete the connection between My Laptop the VPN Server, we need to add an endpoint to the VPN Server on My Laptop.

On the main page of the new interface for My Laptop, click the Add icon in the Endpoints panel:

Interface Page With Add-Endpoint Icon Highlighted
Figure 29. Add Endpoint Icon

Then for the Peer field, select the “VPN Server” peer we created when we set up the WireGuard interface on the VPN Server:

First Part of Add Endpoint Form
Figure 30. Add Endpoint Page

Next, enter the public IP address (or DNS name, if you’ve set up a DNS entry for it) of the VPN server, like “18.237.177.185”, into the Hostname field. This is the address at which My Laptop will connect to the VPN server over the Internet (specifically, it’s the public-facing IP address of the publicly-accessible UDP port you set up when you provisioned the VPN Server).

Then enter “51820” into the Port field (or whatever publicly-accessible UDP port you set up when you provisioned the VPN Server — Pro Custodibus will fill in this field automatically based on the VPN Server’s interface settings when you select the VPN Server peer).

Then enter the private IP blocks of the cloud site to which the VPN Server will provide My Laptop access into the Allowed IPs field. For this example scenario, it’s 10.90.0.0/16 (a range which includes the private 10.90.1.89 IP address of our example Internal App host).

Then click the Add button at the bottom of the form:

Last Part of Add Endpoint Form
Figure 31. Add Endpoint Page pt 2

This will queue the endpoint to be added to the interface on My Laptop. It will be applied when we install the Pro Custodibus agent on My Laptop.

For more details about the “Add Endpoint” form, see the Add an Endpoint docs.

Deploy the Agent to My Laptop

Now the pending WireGuard interface on My Laptop is fully configured in Pro Custodibus — we just need to install the Pro Custodibus agent on My Laptop, and the agent will apply the configuration automatically.

First, make sure WireGuard is installed on My Laptop. In our example, My Laptop is running Fedora 34, so you just need to log into it and run the following:

$ sudo dnf install wireguard-tools

Next, go back to the main page for My Laptop in Pro Custodibus, by clicking the My Laptop link in the breadcrumbs of page for the endpoint we just created (My Laptop’s VPN Server endpoint):

Endpoint Page for Connection Between My Laptop and VPN Server
Figure 32. My Laptop Link

Then click the Set Up Agent link in the Agent panel:

My Laptop Host Page
Figure 33. Set Up Agent Link

And download the procustodibus.conf and procustodibus-setup.conf files from the “Set Up” page:

My Laptop Set Up Page
Figure 34. Agent Setup Files

Then follow the Deploy the Pro Custodibus Agent section of the Getting Started guide to download and install the agent onto My Laptop (or just follow the instructions in the Download the Agent and Install the Agent docs).

Once the agent is installed, we can access internal apps, like our example Internal App, through the VPN Server from My Laptop. For example, you can run the following curl command on My Laptop to access our example Internal App:

$ curl -I 10.90.1.89
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.8.5
Date: Wed, 11 Aug 2021 02:15:42 GMT
Content-type: text/html; charset=utf-8
Content-Length: 338

If you go back to the main page for My Laptop in Pro Custodibus, you’ll see some recent activity for the new WireGuard interface we just set up:

My Laptop Host Page After First Activity
Figure 35. My Laptop Page

As you will if you navigate to the Pro Custodibus dashboard:

Pro Custodibus Dashboard After First Activity
Figure 36. Dashboard Page

Add a WireGuard Interface for My Phone

Now we’ll configure My Phone just like we did My Laptop. We first need to create a host entry for it in Pro Custodibus; then we can add a WireGuard interface to it.

Click the Hosts link in the navigation bar at the top of the page to navigate to the main hosts list:

Pro Custodibus Dashboard
Figure 37. Hosts Link

Then click the Add icon in the Hosts panel:

Hosts List
Figure 38. Add Host Icon

Then enter a name for the host, like “My Phone”, in the Name field; and click the Add button:

Hosts List
Figure 39. Add Host Page

We aren’t going to set up the Pro Custodibus agent on My Phone, however, so just click the My Phone link in the breadcrumbs of the “Set Up” page to navigate to the main page for the new host:

Host Page With No Interfaces
Figure 40. Setup Page for My Phone

Click the Add icon in the Interfaces panel to add a new WireGuard interface to the host:

Host Page With Add-Interface Icon Highlighted
Figure 41. Add Interface Icon

On the “Add Interface” page, enter a basic interface name like “wg0” into the Name field; and optionally enter a description like “connection to our internal cloud” into the Description field.

Then for the Peer field, select the “My Phone” peer we created when we set up the endpoint to My Phone on the VPN Server:

First Part of Add Interface Form
Figure 42. Add Interface Page

Next, enter the private IP address or addresses that the interface will use within the WireGuard network, like “10.0.0.3”, into the Addresses field:

Middle Part of Add Interface Form
Figure 43. Add Interface Page pt 2

Finally, scroll down to the bottom of the page and click the Add button:

Last Part of Add Interface Form
Figure 44. Add Interface Page pt 3

This will queue the new WireGuard interface for creation.

For more details about the “Add Interface” form, see the Add an Interface docs.

Add an Endpoint to the VPN Server on My Phone

To complete the connection between My Phone the VPN Server, we need to add an endpoint to the VPN Server on My Phone.

On the main page of the new interface for My Phone, click the Add icon in the Endpoints panel:

Interface Page With Add-Endpoint Icon Highlighted
Figure 45. Add Endpoint Icon

Then for the Peer field, select the “VPN Server” peer we created when we set up the WireGuard interface on the VPN Server:

First Part of Add Endpoint Form
Figure 46. Add Endpoint Page

Pro Custodibus will automatically fill in the Hostname, Port, and Allowed IPs fields using the settings from the last endpoint created for the same peer (which was the endpoint we added to the VPN Server on My Laptop). All these settings are exactly what we want for My Phone, so we don’t need to adjust any of the pre-filled settings.

Just click the Add button at the bottom of the form:

Last Part of Add Endpoint Form
Figure 47. Add Endpoint Page pt 2

This will queue the endpoint to be added to the interface for My Phone.

For more details about the “Add Endpoint” form, see the Add an Endpoint docs.

Scan the Configuration QR Code on My Phone

Now since we aren’t going to run the Pro Custodibus agent on My Phone, we need to manually copy over the configuration we’ve set up in the Pro Custodibus UI to My Phone. The easiest way to do that is scan the configuration QR code that Pro Custodibus generates for the interface with the WireGuard app on My Phone.

So go back to the main page for “wg0” interface of My Phone, by clicking the wg0 link in the breadcrumbs of the page for the endpoint we just created (the VPN Server endpoint):

Endpoint Page for Connection Between My Phone and VPN Server
Figure 48. wg0 Link in Breadcrumbs

Then click the Download Configuration icon in the Interface panel:

My Phone wg0 Interface Page
Figure 49. Download Configuration Icon

This will present you with a page containing a QR code you can scan, as well as a WireGuard configuration file you can copy or download:

My Phone wg0 Interface QR Code
Figure 50. QR Code Page

You can also right-click the QR code to save it as a GIF file, to scan it later.

Caution

The configuration file and QR code both contain the private key for the interface (as well as the preshared key for any endpoints that have been configured with a preshared key) — so if you download one or both as a file, make sure you keep the file secret. If you send the file via email or other messaging service, make sure you encrypt the file first, or send it over a secure channel.

Now if you open the WireGuard app on My Phone, tap its Add Interface button, select the Scan From QR Code option, and point its camera at the QR code generated by Pro Custodibus, the WireGuard app will create a new interface on My Phone with the configuration from Pro Custodibus.

Then if you start up that interface on My Phone, open up a browser, and access an internal app at the cloud site — like for our example, enter http://10.90.1.89/ into the browser URL bar to access our example Internal App — you’ll be able to connect to that web app.

And if you go back to the Pro Custodibus dashboard, you’ll see some recent activity for My Phone:

Pro Custodibus Dashboard After First Phone Activity
Figure 51. Dashboard

Monitoring My Phone

Because we haven’t installed the Pro Custodibus agent on My Phone, we won’t be able to monitor activity for My Phone directly — we’ll only see its activity through the other hosts we’re monitoring. For example, you can see its activity on the main page for the VPN Server’s WireGuard interface:

VPN Server Interface Page After First Phone Activity
Figure 52. VPN Server Interface Page

But if you navigate to the top-level hosts list, you’ll see no activity listed for My Phone:

Hosts Page Showing No Activity for My Phone
Figure 53. Hosts List

And the same thing on My Phone’s main host page:

My Phone Host Page Showing No Activity
Figure 54. My Phone Host Page

And same for the interface we set up for My Phone:

My Phone Interface Page Showing No Activity
Figure 55. My Phone Interface Page

Additionally, the changes we’ve made in the Pro Custodibus UI for My Phone will be listed as “Pending”, rather than “Executed”:

My Phone Interface Page Showing Pending Changes
Figure 56. My Phone Interface Change Queue

This is because we applied the changes manually when we scanned the QR code on My Phone — not through the Pro Custodibus agent. And since My Phone is not monitored by the agent, Pro Custodibus can’t tell if the changes queued for My Phone have been applied or not.

To tell Pro Custodibus that we applied the changes manually, click the link in the “Queued” column for each row:

My Phone Interface Page Highlighting Link to Queued Change
Figure 57. Link to Queued Change

Then click the Applied Manually icon in the Queued Change panel:

Queued Change Page With Applied Manually Highlighted
Figure 58. Applied Manually Icon

And click the OK button in the resulting confirmation dialog:

Queued Change Page With Applied Manually Dialog
Figure 59. Applied Manually Dialog

Do this for all the queued changes for My Phone, so that the UI shows all the changes you made as “Executed”:

Queued Change Page With Applied Manually Dialog
Figure 60. Applied Manually Dialog

You can continue to make new changes to My Phone’s WireGuard interface through the Pro Custodibus GUI — you’ll just have to continue to apply them manually (like by generating a new QR code for the interface and scanning it with My Phone).

Bonus: WireGuard Network Map

To check out a nice visual representation of the WireGuard VPN we’ve just set up, navigate to the main host page for one of the hosts:

Hosts Page With VPN Server Highlighted
Figure 61. Hosts List

Then click the Network Map icon in the Host panel of that page:

VPN Server Host Page
Figure 62. Network Map Icon

This will display a network map with all the direct connections from the selected node. To load the entire network map, click the Load All icon in the Network Map panel:

VPN Server Network Map
Figure 63. Load All Icon

This will display the full network map of your WireGuard VPN:

Network Map of Full WireGuard VPN
Figure 64. Full Network Map
Tip

Hover your mouse pointer over a node in the network map to view a tooltip with the name and details for the node; or click a node to load its details in the left-side panel.

Video

Here’s a video version of the content from this article: