A step-by-step guide on how to implement a Private Endpoint (only) OpenShift cluster on a VPC using WireGuard VPN on IBM Cloud!

Red Hat OpenShift

1-Create a VPC, subnet, OpenShift Cluster …

2-Create a VM as a Jumpbox for WireGuard

ssh -i <sshkey-filename> root@161.156.171.206
apt update 
apt upgrade
cat /var/run/reboot-required

reboot
ssh -i <sshkey-filename> root@161.156.171.206

3-Install and Configure WireGuard

apt install wireguard
mkdir -p /etc/wireguard/keys
wg genkey | tee /etc/wireguard/keys/server.key | wg pubkey | tee /etc/wireguard/keys/server.key.pub
cat /etc/wireguard/keys/server.key
cat /etc/wireguard/keys/server.key.pub
root@nice-wg:~# cat /etc/wireguard/keys/server.key
gCgg2VPH8QbzoUb3IwMtrp2/+d/iRb9y9YaTcGn+J1s=
root@nice-wg:~# cat /etc/wireguard/keys/server.key.pub
8efZqWpWNYWE8dV3bYnuYWstyDXHBTg/9SDR7mECvzs=
ip -o -4 route show to default | awk '{print $5}'
ens3
nano /etc/wireguard/wg0.conf

Template (replace the placeholders, and note that the template uses eth0 while the default-route interface found above is ens3):
[Interface]
PrivateKey = <contents-of-server-privatekey>
Address = 172.16.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.0.0.2/32
Resulting wg0.conf on the server:
[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = 4JYiMcICcJLbD1YKsAcn0SUczSgp60B8U3bfaLda4lE=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = O3OJ8zmIlHmQGn8GF7QbYCLuR8t2CjWZoTKZ5ia69EA=
AllowedIPs = 9.134.182.146/32
chmod 600 /etc/wireguard/wg0.conf /etc/wireguard/keys/server.key
wg-quick up wg0
wg

You should see both the interface and the peer, even though the peer (client) has not been set up yet.

systemctl enable wg-quick@wg0
nano /etc/sysctl.conf
uncomment: net.ipv4.ip_forward=1
sysctl -p
ufw allow 51820/udp
ufw allow 22/tcp
ufw enable
ufw status verbose

3-Create a Security Group for WireGuard

IMPORTANT: check that the WG VM is associated only with the security group created here (nice-sec-vpn)!

4-Install WireGuard Client on your laptop

[Interface]
PrivateKey = <contents-of-client-privatekey>
Address = 192.168.3.217/32

[Peer]
PublicKey = 8efZqWpWNYWE8dV3bYnuYWstyDXHBTg/9SDR7mECvzs=
AllowedIPs = 166.8.0.0/14, 166.9.0.0/14, 172.16.0.0/24, 10.241.0.0/24, 10.241.64.0/24, 10.241.128.0/24, 10.243.64.13/24
Endpoint = 161.156.171.206:51820

Attention: the Endpoint IP and port must match your WG server's public IP and ListenPort.

Important: after about 10 seconds you should see Data received, Data sent and Latest Handshake. If the handshake never appears, check that the PrivateKey in the server's wg0.conf is the one that produced the PublicKey pasted into the client config; if the handshake appears but no data flows, check that the server-side [Peer] AllowedIPs contains the client's tunnel Address.

nano /etc/wireguard/wg0.conf
[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = gA25aKDY2f0Je7vSKLKopLD/sVUytlxBkbkPyKACwEE=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = O3OJ8zmIlHmQGn8GF7QbYCLuR8t2CjWZoTKZ5ia69EA=
AllowedIPs = 9.134.182.146/32
wg-quick down wg0
wg-quick up wg0
wg show wg0
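A consistency check for the two config files above, added here as an example and not part of the original post: it parses a server wg0.conf and a client config and flags the mistakes that leave the tunnel dead, namely a client Address missing from the server's [Peer] AllowedIPs, an Endpoint port that differs from ListenPort, and a MASQUERADE rule on the wrong interface (the template's eth0 versus the ens3 found with ip route). The sample configs are constructed, and the function names and the default-interface argument are assumptions of this example.

```python
import ipaddress
import re

def parse_wg_conf(text):
    # INI-style: one [Interface] plus any number of [Peer] sections; '#' comments stripped.
    sections, current = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            current = sections["Interface"]
        elif line == "[Peer]":
            current = {}
            sections["Peer"].append(current)
        elif line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def check_pair(server_conf, client_conf, default_iface):
    # Returns a list of problems; an empty list means the two configs agree.
    server, client = parse_wg_conf(server_conf), parse_wg_conf(client_conf)
    s_if, problems = server["Interface"], []
    # Cryptokey routing: the server drops tunnel packets whose source is not in some [Peer] AllowedIPs.
    client_ip = ipaddress.ip_interface(client["Interface"]["Address"]).ip
    nets = [n.strip() for p in server["Peer"] for n in p.get("AllowedIPs", "").split(",") if n.strip()]
    if not any(client_ip in ipaddress.ip_network(n, strict=False) for n in nets):
        problems.append(f"client Address {client_ip} is not in any server-side AllowedIPs")
    # The client's Endpoint port must equal the server's ListenPort (and the ufw rule).
    port = client["Peer"][0].get("Endpoint", "").rpartition(":")[2]
    if port != s_if.get("ListenPort"):
        problems.append(f"Endpoint port {port!r} does not match ListenPort {s_if.get('ListenPort')!r}")
    # MASQUERADE must leave via the host's real default-route interface (ens3 here, not eth0).
    for hook in ("PostUp", "PostDown"):
        m = re.search(r"-o\s+(\S+)", s_if.get(hook, ""))
        if m and m.group(1) != default_iface:
            problems.append(f"{hook} masquerades via {m.group(1)}, but the default route uses {default_iface}")
    return problems
# Constructed sample pair: the server still carries the eth0 template and a stale AllowedIPs entry.
SERVER_CONF = """[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[Peer]
AllowedIPs = 172.16.0.2/32
"""
CLIENT_CONF = """[Interface]
Address = 172.16.0.3/32
[Peer]
Endpoint = 161.156.171.206:51820
"""
```

Running check_pair(SERVER_CONF, CLIENT_CONF, "ens3") reports the AllowedIPs gap and the eth0 MASQUERADE; after correcting both in the server file the list is empty.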

5-Check the VPN

ping nice-openshift-ba36b2ed0b6b09dbc627b56ceec2f2a4-i000.eu-de.containers.appdomain.cloud

Congrats :p) all done!
