Bastion Host Setup

This documentation describes how to fully configure a WireGuard VPN Bastion Host on Ubuntu and allow macOS or Windows clients to connect using their own keys and access the bastion server over SSH only. The VPN is configured to allow only SSH access to the bastion host (192.168.1.100) via the tunnel. All other traffic (e.g. web browsing or general internet access) uses the client's normal internet connection.

Server: Ubuntu Bastion Host (192.168.1.100)

Install WireGuard

sudo apt update
sudo apt install wireguard -y

Generate Server Keys

WireGuard uses Curve25519 public-key cryptography for authentication. The server needs a private key (kept secret) and a public key (shared with clients).

umask 077
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key

Save These for Later

SERVER_PRIVATE_KEY=$(cat /etc/wireguard/server_private.key)
SERVER_PUBLIC_KEY=$(cat /etc/wireguard/server_public.key)
echo "Server Public Key: $SERVER_PUBLIC_KEY"

Identify Network Interface

Find your main network interface:

Common interfaces: eth0, ens3, enp0s3, etc. Note this for later use.

Configure WireGuard Interface

Example WireGuard Configuration for Bastion Server

Configuration Breakdown:

  • Address: VPN IP of the bastion server (10.10.0.1/24)

  • ListenPort: WireGuard listening port (51820/udp)

  • PrivateKey: Server's private key (replace with actual key)

  • SaveConfig = false: Prevents automatic config changes

  • PostUp/PostDown: Firewall rules for SSH-only access

  • PublicKey: Client's public key (replace with actual key)

  • AllowedIPs: Client's VPN IP range (10.10.0.2/32)

Replace YOUR_SERVER_PRIVATE_KEY_HERE with the content of /etc/wireguard/server_private.key. Replace YOUR_CLIENT_PUBLIC_KEY_HERE with the client's public key (will be provided by Alan).
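The following script is an added example, not the page's own wg0.conf: it renders the server configuration described in the breakdown above, with iptables PostUp/PostDown rules that admit only TCP/22 from the tunnel, and runs a small check before the file is installed. The LAN interface (eth0), SSH on port 22 and the check_conf helper are assumptions, and the two keys are constructed sample values, not real keys.

```shell
#!/usr/bin/env bash
# Added example (not the page's own config). Assumptions, adjust to your host:
# LAN interface eth0, SSH on TCP/22, iptables-based PostUp/PostDown rules.
# The two keys below are constructed sample values, not real keys.
set -eu

SAMPLE_SERVER_PRIV='8oZvQ2xW1dN5cT7yB4mK9rL3pH6sF0aE2gJ1uC8wV4k='   # constructed
SAMPLE_CLIENT_PUB='Kx3pL9mT2vR7bN4cH8qW1yZ6dF0sG5jA3eU2iO7nM4Y='    # constructed

render_server_conf() {  # $1 server private key, $2 client public key, $3 LAN if
  local priv="$1" client_pub="$2" lan_if="$3"
  cat <<EOF
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = $priv
SaveConfig = false
# Only TCP/22 may enter the bastion or be forwarded to the LAN from the tunnel.
PostUp = iptables -A INPUT -i %i -p tcp --dport 22 -j ACCEPT
PostUp = iptables -A INPUT -i %i -j DROP
PostUp = iptables -A FORWARD -i %i -o $lan_if -p tcp --dport 22 -j ACCEPT
PostUp = iptables -A FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i %i -j DROP
PostUp = iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o $lan_if -j MASQUERADE
PostDown = iptables -D INPUT -i %i -p tcp --dport 22 -j ACCEPT
PostDown = iptables -D INPUT -i %i -j DROP
PostDown = iptables -D FORWARD -i %i -o $lan_if -p tcp --dport 22 -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP
PostDown = iptables -t nat -D POSTROUTING -s 10.10.0.0/24 -o $lan_if -j MASQUERADE

[Peer]
PublicKey = $client_pub
AllowedIPs = 10.10.0.2/32
EOF
}

check_conf() {  # hypothetical helper: reject placeholders, odd keys, unpaired rules
  local conf="$1"
  if printf '%s\n' "$conf" | grep -q '_HERE'; then
    echo "check_conf: tutorial placeholder still present" >&2; return 1
  fi
  printf '%s\n' "$conf" | awk -F' = ' '
    /^(PrivateKey|PublicKey) = / && length($2) != 44 { bad = 1 }
    /^PostUp = /   { up++ }
    /^PostDown = / { down++ }
    END { exit (bad || up != down) }'
}

check_conf "$(render_server_conf "$SAMPLE_SERVER_PRIV" "$SAMPLE_CLIENT_PUB" eth0)" && echo "config OK"
```

Because the FORWARD rules MASQUERADE tunnel traffic behind the bastion's LAN address, the target servers only ever see 192.168.1.100, which is what the firewall step for target servers later on this page relies on.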

Enable Forwarding (Required for Routing)

This must remain enabled for the bastion to allow SSH forwarding.

To verify forwarding status at any time:

Expected output:

Configure Firewall (UFW)

Allow WireGuard port:

Reload UFW

Start WireGuard

Setup WireGuard Client

Install WireGuard Client

Download and install WireGuard from the official website:

Visit https://www.wireguard.com/install/ and download the appropriate version for your platform:

  • Windows: Download the Windows installer

  • macOS: Download from the App Store and install the WireGuard tools via Homebrew: brew install wireguard-tools

  • Linux: Use your distribution's package manager

Generate Client Keys

For Mac:

For Windows:

For Linux:

Share the public key with the system administrator:

macOS/Linux:

Windows:

Create Client Configuration

Create a new file named bastion-tunnel.conf with the following content:

Replace YOUR_CLIENT_PRIVATE_KEY_HERE with the content of your private key file. Replace YOUR_SERVER_PUBLIC_KEY_HERE with the server's public key (provided by the admin). AllowedIPs: replace 192.168.1.200/32 with your target server's IP (e.g. the testnet server or the mainnet server).

Import and Activate Tunnel

Once you have installed the WireGuard client and created the configuration file, you need to import this configuration into the WireGuard application.

For macOS:

  1. Open WireGuard application

  2. Click Import tunnel from file

  3. Select your configuration file

  4. Click Activate

For Windows:

  1. Open WireGuard application

  2. Click Import tunnel(s) from file

  3. Select your configuration file

  4. Click Activate

Firewall Configuration for Target Servers

To restrict SSH access to only the bastion host, configure the firewall on your target servers:

Troubleshooting

Server-side checks:
