A step-by-step guide on how to implement a Private Endpoint (only) OpenShift cluster on a VPC using WireGuard VPN on IBM Cloud!

Red Hat OpenShift

1-Create a VPC, subnet, OpenShift Cluster …

We assume that you have already created the following resources:

  • a VPC
  • one subnet
  • one VM inside the VPC
  • one security group
  • one OpenShift cluster inside the VPC
  • all resources running in one zone, Frankfurt for this example

2-Create a VM as a Jumpbox for WireGuard

Create a dedicated VM (2 vCPU x 8 GB) for WireGuard in the VPC:

  • 2 vCPU, 8 GB RAM, 25 GB storage (or the smallest profile IBM Cloud proposes)
  • Ubuntu 20 minimal
  • Add a floating IP to this VM; it is the public IP the laptop will connect to

Connect over SSH using the floating IP, update the system and reboot if required:

ssh -i <sshkey-filename> root@161.156.171.206
apt update
apt upgrade
cat /var/run/reboot-required

reboot
ssh -i <sshkey-filename> root@161.156.171.206

3-Install and Configure WireGuard

Install WireGuard with apt and generate the key pair of the VM:

apt install wireguard
mkdir -p /etc/wireguard/keys
wg genkey | tee /etc/wireguard/keys/server.key | wg pubkey | tee /etc/wireguard/keys/server.key.pub
cat /etc/wireguard/keys/server.key
cat /etc/wireguard/keys/server.key.pub

server.key is the VM's private key and server.key.pub the public key you will paste into the client config. The output below is the author's sample; generate your own pair and never reuse keys that appear in a tutorial:

root@nice-wg:~# cat /etc/wireguard/keys/server.key
gCgg2VPH8QbzoUb3IwMtrp2/+d/iRb9y9YaTcGn+J1s=
root@nice-wg:~# cat /etc/wireguard/keys/server.key.pub
8efZqWpWNYWE8dV3bYnuYWstyDXHBTg/9SDR7mECvzs=

Find the name of the interface that carries the default route; it is the outgoing interface in the NAT rule of the config (ens3 on this VM):

ip -o -4 route show to default | awk '{print $5}'
ens3
Create the WireGuard config. PrivateKey is the content of server.key, %i is expanded by wg-quick to the tunnel interface name (wg0), and ens3 is the default-route interface found above; the MASQUERADE rule makes traffic coming from the tunnel leave the VM with its VPC address. The [Peer] section describes the laptop and is completed in step 5 once the laptop has its key pair; its AllowedIPs is the address the laptop uses inside the tunnel (172.16.0.2 in this example, taken from the 172.16.0.0/24 tunnel range), not the laptop's public IP:

nano /etc/wireguard/wg0.conf
[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = <contents-of-server-privatekey>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 172.16.0.2/32
Restrict the permissions of the config and the private key, bring the tunnel up and enable it at boot:

chmod 600 /etc/wireguard/wg0.conf /etc/wireguard/keys/server.key
wg-quick up wg0
wg
systemctl enable wg-quick@wg0

Enable IP forwarding so the VM routes traffic from the tunnel into the VPC:

nano /etc/sysctl.conf
uncomment the line net.ipv4.ip_forward=1
sysctl -p

If ufw is used, allow WireGuard (UDP 51820) and SSH (TCP 22) before enabling it, otherwise the SSH session is locked out:

ufw allow 51820/udp
ufw allow 22/tcp
ufw enable
ufw status verbose

4-Create a Security Group for WireGuard

Create a security group (nice-sec-vpn in this example, use your own name) and attach it to the WireGuard VM, with inbound rules for UDP 51820 (WireGuard) and TCP 22 (SSH), the same two ports opened in ufw; restrict the SSH rule to your own source address where possible.

5-Install WireGuard Client on your laptop

Install the WireGuard client on your laptop and generate its key pair the same way as on the VM (wg genkey and wg pubkey). The client config needs an [Interface] with the laptop's private key and its tunnel address, taken from the VM's 172.16.0.0/24 range (172.16.0.2 here; not the laptop's LAN or public address), and a [Peer] with the VM's public key and the VM's floating IP as Endpoint. AllowedIPs on the client is what gets routed through the tunnel: the tunnel range itself, the VPC subnets of the cluster (10.241.x.x and 10.243.x.x here) and the 166.8.0.0/14 range used by IBM Cloud private service endpoints (it already contains 166.9.0.0). Every entry must be a network address with its host bits clear, so 10.243.64.0/24 rather than 10.243.64.13/24:

[Interface]
PrivateKey = <contents-of-client-privatekey>
Address = 172.16.0.2/32

[Peer]
PublicKey = 8efZqWpWNYWE8dV3bYnuYWstyDXHBTg/9SDR7mECvzs=
AllowedIPs = 166.8.0.0/14, 172.16.0.0/24, 10.241.0.0/24, 10.241.64.0/24, 10.241.128.0/24, 10.243.64.0/24
Endpoint = 161.156.171.206:51820

Back on the WireGuard VM, complete the [Peer] section of /etc/wireguard/wg0.conf with the laptop's public key and, as AllowedIPs, the laptop's tunnel address only (172.16.0.2/32): WireGuard drops packets from a peer whose inner source address is not in that peer's AllowedIPs, so the laptop's public IP does not belong here. Then restart the tunnel and check that the peer is listed:

nano /etc/wireguard/wg0.conf
[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = <contents-of-server-privatekey>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = O3OJ8zmIlHmQGn8GF7QbYCLuR8t2CjWZoTKZ5ia69EA=
AllowedIPs = 172.16.0.2/32

wg-quick down wg0
wg-quick up wg0
wg show wg0
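
As an added example (not code from the original post), the following Python script cross-checks a server wg0.conf against a client config for the two mistakes that silently break this kind of setup: an AllowedIPs entry with host bits set, and a server-side [Peer] AllowedIPs that does not cover the client's tunnel Address, which makes WireGuard's cryptokey routing drop every packet the laptop sends. The sample configs are constructed (key lines left out) and the check assumes a single-client setup.

```python
import ipaddress

# Constructed sample configs mirroring the page's first attempt (key lines omitted).
SERVER_CONF = """[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
[Peer]
AllowedIPs = 9.134.182.146/32
"""
CLIENT_CONF = """[Interface]
Address = 192.168.3.217/32
[Peer]
AllowedIPs = 172.16.0.0/24, 10.241.0.0/24, 10.243.64.13/24
Endpoint = 161.156.171.206:51820
"""

def parse(conf):
    """Parse a wg-quick config into [(section, {key: value}), ...] in file order."""
    sections = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif line:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def allowed_ips(sections):
    """All AllowedIPs entries of every [Peer] section, as stripped strings."""
    return [c.strip() for name, kv in sections if name == "Peer"
            for c in kv.get("AllowedIPs", "").split(",") if c.strip()]

def check(server_conf, client_conf):
    """Return a list of problems; an empty list means the two configs agree."""
    srv, cli = parse(server_conf), parse(client_conf)
    cli_addr = ipaddress.ip_interface(dict(cli)["Interface"]["Address"]).ip
    problems = []
    # 1. AllowedIPs entries must be network addresses (host bits clear).
    for side, secs in (("server", srv), ("client", cli)):
        for cidr in allowed_ips(secs):
            try:
                ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                problems.append(f"{side}: AllowedIPs entry {cidr} has host bits set")
    # 2. Cryptokey routing: some server peer's AllowedIPs must cover the client's tunnel address.
    if not any(cli_addr in ipaddress.ip_network(c, strict=False) for c in allowed_ips(srv)):
        problems.append(f"server: no [Peer] AllowedIPs covers client Address {cli_addr}")
    return problems
```

Run it against the two files before wg-quick up; the corrected configs above produce an empty list.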

6-Check the VPN

With the tunnel up on the laptop, wg show wg0 should report a recent handshake with the VM. Then, from the Virtual server instances for VPC page, note the private IP address of the WireGuard VM and ping it through the tunnel, and finally ping the private API hostname of the OpenShift cluster, which is only reachable from inside the VPC or through the VPN:

ping nice-openshift-ba36b2ed0b6b09dbc627b56ceec2f2a4-i000.eu-de.containers.appdomain.cloud

Congrats :p) all done!

Alain Airom (Ayrom)

IT guy for a long time, looking for technical challenges everyday!