This documentation describes how to fully configure a WireGuard VPN Bastion Host on Ubuntu and allow macOS or Windows clients to connect using their own keys and access the bastion server over SSH only. The VPN is configured to allow only SSH access to the bastion host (192.168.1.100) via the tunnel. All other traffic (e.g. web browsing or general internet access) uses the client's normal internet connection.
Server Setup
Requirements
The bastion host has very low hardware requirements:
One virtual CPU (vCPU) or more
2GB of RAM or more
10GB disk or more
A static IP address
Ubuntu 24.04 or higher
A user account with sudo privileges to run the setup and configuration.
Install WireGuard
First, install WireGuard on the Bastion Host server:
sudo apt update
sudo apt install wireguard -y
Generate Server Keys
WireGuard uses Curve25519 public-key cryptography for authentication. The server needs a private key (kept secret) and a public key (shared with clients).
The private key must remain secret and secure. The public key will be shared with clients to establish the VPN connection.
Configure environment variables for these keys. We'll use these later:
Find your main network interface
Common interfaces: eth0, ens3, enp0s3, etc. Note this for later use.
Configure WireGuard
Create the WireGuard configuration file for the wg0 interface and apply the necessary settings.
Add this config to the newly created config file:
Where does the workstation's WireGuard public key come from?
Each peer block in the configuration is the "allow list" of who may connect through the WireGuard tunnel. Every workstation must be configured here and must provide its own WireGuard public key (which is different from the workstation's SSH key).
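The server side of this design, as an added example that is not part of the original guide: a POSIX shell script that generates the bastion's key pair with wg genkey/wg pubkey, renders the wg0 [Interface] section, and appends one [Peer] block per workstation from a "name public_key tunnel_ip" list. It assumes a tunnel address of 10.10.0.1/24 and listen port 51820 for the bastion (consistent with the workstation config's Address 10.10.0.2/24 and Endpoint port), that the main interface found above is passed in for the NAT rule, and that iptables is installed; the function names and the peer list format are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide. Builds the bastion's
# /etc/wireguard/wg0.conf from a few inputs. Assumptions (not stated on the page):
#   - the bastion's tunnel address is 10.10.0.1/24 and it listens on UDP 51820,
#     matching the workstation's Address 10.10.0.2/24 and Endpoint port;
#   - $2 of render_server_interface is the main interface found with
#     `ip route show default`, used for the NAT rule;
#   - iptables is installed on the bastion.

# Generate the server key pair under DIR (default /etc/wireguard).
# Files are created mode 0600 via umask in a subshell; only the public key is printed.
generate_server_keys() {
    dir=${1:-/etc/wireguard}
    (
        umask 077
        wg genkey > "$dir/server_private.key"
        wg pubkey < "$dir/server_private.key" > "$dir/server_public.key"
    ) || return 1
    cat "$dir/server_public.key"
}

# Print the [Interface] section.
#   $1 = path to the server private key file, $2 = main network interface,
#   $3 = listen port (default 51820). %i is expanded by wg-quick to "wg0".
render_server_interface() {
    keyfile=$1; iface=$2; port=${3:-51820}
    cat <<EOF
[Interface]
Address = 10.10.0.1/24
ListenPort = $port
PrivateKey = $(cat "$keyfile")
# Forward tunnel traffic toward the target servers and NAT it to the bastion's
# own address, so the targets only need to allow the bastion host.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $iface -j MASQUERADE
EOF
}

# Print one [Peer] block, i.e. one entry of the allow list.
#   $1 = workstation name (comment only), $2 = its WireGuard public key,
#   $3 = its tunnel IP without prefix. AllowedIPs is a /32: the server only
#   accepts packets from this key whose source is that one address.
render_peer() {
    name=$1; pubkey=$2; tunnel_ip=$3
    # A Curve25519 public key is 32 bytes, i.e. 44 base64 characters ending in "=".
    if [ "${#pubkey}" -ne 44 ] || [ "${pubkey%=}" = "$pubkey" ]; then
        echo "render_peer: workstation '$name' has a malformed public key" >&2
        return 1
    fi
    cat <<EOF

# $name
[Peer]
PublicKey = $pubkey
AllowedIPs = $tunnel_ip/32
EOF
}

# Assemble the whole file: interface section, then one [Peer] per stdin line
# of the form "name public_key tunnel_ip". Fails on the first bad key.
render_wg0_conf() {
    render_server_interface "$1" "$2" "$3"
    while read -r name pubkey ip; do
        [ -z "$name" ] && continue
        render_peer "$name" "$pubkey" "$ip" || return 1
    done
    return 0
}

# Usage on the bastion (as root; the peer line is a constructed example):
#   PUB=$(generate_server_keys)   # hand $PUB to the workstation owners
#   printf 'alice WORKSTATION_PUBLIC_KEY 10.10.0.2\n' \
#     | render_wg0_conf /etc/wireguard/server_private.key "$WG_IFACE" 51820 \
#     > /etc/wireguard/wg0.conf
#   chmod 600 /etc/wireguard/wg0.conf
#   systemctl enable --now wg-quick@wg0
```

Each workstation gets a /32 AllowedIPs entry on the server, so a peer can only send packets with its assigned tunnel address, and the MASQUERADE rule means the target servers see connections from the bastion's own address, which is exactly what the UFW rule in the last section allows. Keep wg0.conf mode 0600 because it embeds the private key.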
Share the public key content with the system administrator:
macOS/Linux:
Windows:
Workstation Configuration
On the workstation, the configuration must specify which traffic is routed through WireGuard: not all traffic, only traffic destined for the servers protected by the bastion host.
First, create a new file named bastion-tunnel.conf and paste in the following content:
Activate Tunnel on Workstation
Once you have installed the WireGuard client and created the configuration file, you need to import this configuration into the WireGuard app.
For macOS:
Open WireGuard application
Click Import tunnel from file
Select your configuration file
Click Activate
For Windows:
Open WireGuard application
Click Import tunnel(s) from file
Select your configuration file
Click Activate
Protecting Target Servers
To restrict SSH access to only the bastion host, configure the firewall on your target servers:
## Create an empty bastion-tunnel config file
nano bastion-tunnel.conf
[Interface]
## Replace with the content of your private key file
PrivateKey = YOUR_CLIENT_PRIVATE_KEY_HERE
## Replace with the tunnel IP assigned to this workstation in the server's peer config
Address = 10.10.0.2/24
## Leave as is, or use your custom DNS
DNS = 1.1.1.1
[Peer]
## Replace with the server's public key (provided by the admin)
PublicKey = YOUR_SERVER_PUBLIC_KEY_HERE
## Replace with the server's public IP; leave the port unchanged
Endpoint = XXX.XXX.XXX.XXX:51820
## Replace with your target server IPs or subnets (e.g., testnet server, mainnet server, etc.); no trailing comma
AllowedIPs = XXX.XXX.XXX.XXX/32,XXX.XXX.XXX.XXX/32
## Leave as is
PersistentKeepalive = 25
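A pre-import check for the workstation file above, as an added example that is not part of the original guide: it reads the values with sed and refuses unfilled placeholders, a catch-all 0.0.0.0/0 or ::/0 route (which would defeat the split tunnel this guide wants), entries without a prefix length, and the empty entry a stray comma leaves in AllowedIPs. The function names are this example's own, and the sample files in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check a workstation's
# bastion-tunnel.conf before importing it into the WireGuard app. The guide
# wants a split tunnel that carries only traffic for the target servers, so a
# catch-all route is treated as an error, as are leftover template placeholders
# and the empty entry a stray comma leaves in AllowedIPs.
# Function names are this example's own.

# Print the value of key $2 from config file $1 (first match, trailing space trimmed).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Check one AllowedIPs entry. Returns 0 if acceptable, 1 with a message otherwise.
check_allowed_entry() {
    entry=$1
    case "$entry" in
        "")             echo "AllowedIPs: empty entry (stray comma?)" >&2; return 1 ;;
        0.0.0.0/0|::/0) echo "AllowedIPs: '$entry' would route all traffic through the tunnel" >&2; return 1 ;;
        *XXX*)          echo "AllowedIPs: '$entry' is an unfilled placeholder" >&2; return 1 ;;
        */*)            return 0 ;;   # address with a prefix length
        *)              echo "AllowedIPs: '$entry' lacks a /prefix length" >&2; return 1 ;;
    esac
}

# Check the whole file. Returns 0 when it is safe to import, 1 otherwise.
check_client_conf() {
    conf=$1; status=0
    for key in PrivateKey Address PublicKey Endpoint AllowedIPs; do
        v=$(conf_value "$conf" "$key")
        case "$v" in
            ""|*YOUR_*|*XXX.XXX*) echo "$key: missing or still a placeholder" >&2; status=1 ;;
        esac
    done
    allowed=$(conf_value "$conf" AllowedIPs)
    # Field splitting drops a trailing comma silently, so catch it explicitly.
    case "$allowed" in
        ,*|*,|*,,*) echo "AllowedIPs: empty entry (stray comma)" >&2; status=1 ;;
    esac
    old_ifs=$IFS; IFS=', '
    for entry in $allowed; do
        check_allowed_entry "$entry" || status=1
    done
    IFS=$old_ifs
    return $status
}

# Usage (constructed files): a filled-in config passes, the untouched template
# with "YOUR_..." placeholders or "AllowedIPs = 0.0.0.0/0," fails.
#   check_client_conf bastion-tunnel.conf && echo "ok to import"
```

Run it on the workstation before clicking Import; every rejected value is reported on stderr so the file can be corrected in one pass.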
# Allow SSH only from the bastion host IP
sudo ufw allow from XXX.XXX.XXX.XXX to any port 2522 proto tcp comment "bastion host"
# Deny SSH from all other sources
sudo ufw deny 2522/tcp
# Reload UFW
sudo ufw reload
# Check WireGuard status
sudo wg show
# Check if tunnel is up
ip addr show wg0
# Check firewall rules
sudo ufw status numbered
# Check forwarding
sysctl net.ipv4.ip_forward
# Check WireGuard service
sudo systemctl status wg-quick@wg0