A step-by-step guide on how to implement a Private Endpoint (only) OpenShift cluster on a VPC using WireGuard VPN on IBM Cloud!

Red Hat OpenShift

1-Create a VPC, subnet, OpenShift Cluster …

  • a VPC
  • one subnet
  • one VM inside the VPC (the jump box for WireGuard, created next)
  • one security group (attached to the jump box, see the security-group step below)
  • one OpenShift cluster inside the VPC, created with the private service endpoint only, so its API and ingress answer on VPC addresses and are not reachable from the internet; that is the reason the jump box and the VPN are needed at all
  • all resources are running in one zone — Frankfurt for this example

2-Create a VM as a jump box for WireGuard

  • 2 vCPU, 8 GB RAM, 25 GB storage (or the least storage and configuration proposed by IBM Cloud)
  • Ubuntu 20 minimal
  • Add a floating IP to this VM for the public IP
ssh -i <sshkey-filename> root@161.156.171.206
apt update 
apt upgrade
cat /var/run/reboot-required

reboot
ssh -i <sshkey-filename> root@161.156.171.206

3-Install and Configure WireGuard

apt install wireguard
mkdir -p /etc/wireguard/keys
wg genkey | tee /etc/wireguard/keys/server.key | wg pubkey | tee /etc/wireguard/keys/server.key.pub
cat /etc/wireguard/keys/server.key
cat /etc/wireguard/keys/server.key.pub
root@nice-wg:~# cat /etc/wireguard/keys/server.key
gCgg2VPH8QbzoUb3IwMtrp2/+d/iRb9y9YaTcGn+J1s=
root@nice-wg:~# cat /etc/wireguard/keys/server.key.pub
8efZqWpWNYWE8dV3bYnuYWstyDXHBTg/9SDR7mECvzs=
Only server.key.pub is ever copied to the laptop; server.key stays on this VM. The private key printed above is the author's throwaway key and, having been published, must not be reused.
Find the name of the VM's uplink interface; the MASQUERADE rule in the config below has to use it (ens3 on this VM, not eth0):
ip -o -4 route show to default | awk '{print $5}'
ens3
nano /etc/wireguard/wg0.conf
[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = <contents-of-server.key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 172.16.0.2/32
Notes on this file. PrivateKey is the exact contents of the server.key generated above (the filled-in drafts in the original post showed other values from earlier runs). %i expands to the interface name, wg0. The -o interface of the NAT rule is the uplink found above, ens3; a rule naming eth0 never matches on this VM and nothing is forwarded. AllowedIPs under [Peer] is WireGuard's crypto-key routing table, not a firewall allow-list: a packet decrypted from this peer is accepted only if its source address lies inside AllowedIPs, and a packet is sent to this peer only if its destination does. It therefore has to be the laptop's tunnel address, 172.16.0.2/32 (the Address the client config below uses), and not the laptop's public IP (9.134.182.146/32) or an address outside the tunnel subnet (10.0.0.2/32), which is what the original drafts had. The client's public key is generated on the laptop in the client step; the one the author used gives this [Peer] section:
[Peer]
PublicKey = O3OJ8zmIlHmQGn8GF7QbYCLuR8t2CjWZoTKZ5ia69EA=
AllowedIPs = 172.16.0.2/32
chmod 600 /etc/wireguard/wg0.conf /etc/wireguard/keys/server.key
wg-quick up wg0
wg
systemctl enable wg-quick@wg0
nano /etc/sysctl.conf
uncomment : net.ipv4.ip_forward=1
sysctl -p
ufw allow 51820/udp
ufw allow 22/tcp
ufw enable
ufw status verbose
wg-quick down wg0 && wg-quick up wg0
The config file holds the private key, hence the chmod 600. IP forwarding has to be on before the jump box can relay anything into the VPC; until sysctl -p runs, the tunnel comes up but nothing behind it is reachable. ufw's default forward policy is deny, and the PostUp FORWARD rule is what admits traffic arriving on wg0, so after ufw enable bring the tunnel down and up once more so that those rules are applied on top of the ufw ruleset. Port 22 is only needed for administering the VM; if your own address is static, tighten the rule to ufw allow from <your-ip> to any port 22 proto tcp.

4-Create a Security Group for WireGuard

The VPC security group is evaluated before a packet ever reaches ufw, so the jump box needs inbound rules that mirror the ufw ones: UDP 51820 for WireGuard (from anywhere, or only from your own IP if it is static) and TCP 22 for SSH from your own IP; outbound can stay open. Attach the group to the jump box's network interface. Without the UDP rule the handshake never arrives and wg show stays silent.

5-Install WireGuard Client on your laptop

Generate a key pair on the laptop the same way as on the server (wg genkey | tee client.key | wg pubkey > client.key.pub); the private key stays in the laptop's config and the public key goes into the server's [Peer] section. The client config (wg0.conf on Linux, or a tunnel imported into the WireGuard app elsewhere):
[Interface]
PrivateKey = <contents-of-client.key>
Address = 172.16.0.2/32

[Peer]
PublicKey = 8efZqWpWNYWE8dV3bYnuYWstyDXHBTg/9SDR7mECvzs=
AllowedIPs = 166.8.0.0/14, 166.9.0.0/14, 172.16.0.0/24, 10.241.0.0/24, 10.241.64.0/24, 10.241.128.0/24, 10.243.64.0/24
Endpoint = 161.156.171.206:51820
Address is the laptop's tunnel address and must be the one listed in the server's [Peer] AllowedIPs (172.16.0.2/32); the original draft used the laptop's LAN address, 192.168.3.217/32, which the server's crypto-key routing would drop. PublicKey is the server.key.pub printed earlier and Endpoint is the jump box's floating IP plus its ListenPort. AllowedIPs here is the split-tunnel route list: only the IBM Cloud service endpoint block (166.8.0.0/14; 166.9.0.0/14 lies inside it), the tunnel subnet and the VPC subnets the cluster uses are sent into wg0, and everything else keeps the laptop's normal route. The last entry was written 10.243.64.13/24 in the original; a route wants the network address, 10.243.64.0/24.
Back on the jump box, put the laptop's public key into the [Peer] section of /etc/wireguard/wg0.conf (the value below is the one the author generated) and restart the tunnel so that wg-quick picks up the change:
nano /etc/wireguard/wg0.conf
[Peer]
PublicKey = O3OJ8zmIlHmQGn8GF7QbYCLuR8t2CjWZoTKZ5ia69EA=
AllowedIPs = 172.16.0.2/32

wg-quick down wg0
wg-quick up wg0
wg show wg0
Once the laptop activates its tunnel, wg show wg0 lists the peer with a "latest handshake" time and non-zero transfer counters. No handshake at all means the packet never arrived (security group, ufw, wrong Endpoint or wrong key); a handshake with no traffic coming back usually means AllowedIPs on one side does not cover the addresses actually in use.
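The server config from the WireGuard step and the client config from the laptop step have to agree with each other, and wg-quick does not check that for you. The script below is an added example, not code from the original post: it parses both wg-quick files offline, flags the inconsistencies the first drafts above had (client address outside the tunnel subnet and outside the server's AllowedIPs, host bits in a route, a NAT rule naming eth0 on a VM whose uplink is ens3), and answers whether a given cluster address would be routed into wg0. The sample configs are constructed from the post's values; the private keys are placeholders and the public keys are the ones the post prints.

```python
"""Added example, not from the original post: check a wg-quick server/client config pair
offline, before `wg-quick up`. Addressing follows the post (172.16.0.0/24, UDP 51820, ens3)."""
import ipaddress


def parse_wg_conf(text):
    """Parse wg-quick INI text into {"Interface": {...}, "Peers": [{...}, ...]}."""
    conf = {"Interface": {}, "Peers": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = {} if line == "[Peer]" else conf["Interface"]   # a file may hold many peers
            if line == "[Peer]":
                conf["Peers"].append(section)
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")          # base64 keys end in '=': split once only
        section[key.strip()] = value.strip()
    return conf


def cidrs(value):
    """'a/24, b/32' -> [ip_network, ...]; strict=False masks host bits the way wg does."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in value.split(",") if c.strip()]


def check_pair(server_text, client_text, server_pubkey, uplink):
    """Return a list of problems; an empty list means the pair should handshake and route."""
    srv, cli = parse_wg_conf(server_text), parse_wg_conf(client_text)
    srv_addr = ipaddress.ip_interface(srv["Interface"]["Address"])
    cli_addr = ipaddress.ip_interface(cli["Interface"]["Address"])
    problems = []
    # Both ends must sit in one tunnel subnet, or the client cannot even reach wg0 on the server.
    if cli_addr.ip not in srv_addr.network:
        problems.append(f"client Address {cli_addr.ip} is outside the server tunnel subnet {srv_addr.network}")
    # Crypto-key routing: the server drops decrypted packets whose source is outside that peer's AllowedIPs.
    if not any(cli_addr.ip in n for p in srv["Peers"] for n in cidrs(p.get("AllowedIPs", ""))):
        problems.append(f"no server [Peer] has AllowedIPs covering the client Address {cli_addr.ip}")
    for peer in cli["Peers"]:
        if peer.get("PublicKey") != server_pubkey:
            problems.append("client [Peer] PublicKey is not the server public key")
        port = peer.get("Endpoint", "").rpartition(":")[2]
        if port != srv["Interface"].get("ListenPort", "51820"):
            problems.append(f"client Endpoint port {port!r} does not match the server ListenPort")
        for c in (c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()):
            fixed = ipaddress.ip_network(c, strict=False).with_prefixlen
            if fixed != c:                           # 10.243.64.13/24 is a typo for 10.243.64.0/24
                problems.append(f"client AllowedIPs entry {c} has host bits set; did you mean {fixed}?")
        if not any(srv_addr.ip in n for n in cidrs(peer.get("AllowedIPs", ""))):
            problems.append(f"client AllowedIPs does not route the server tunnel address {srv_addr.ip}")
    # MASQUERADE must name the real uplink; a guessed name such as eth0 makes the NAT rule match nothing.
    if f"-o {uplink}" not in srv["Interface"].get("PostUp", ""):
        problems.append(f"server PostUp does not MASQUERADE out of the uplink {uplink}")
    return problems


def routed_via_tunnel(client_text, ip):
    """True if the client's AllowedIPs send traffic for `ip` into wg0 (split tunnel)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for p in parse_wg_conf(client_text)["Peers"] for n in cidrs(p.get("AllowedIPs", "")))


SERVER_PUB = "8efZqWpWNYWE8dV3bYnuYWstyDXHBTg/9SDR7mECvzs="  # server.key.pub shown in the post
CLIENT_PUB = "O3OJ8zmIlHmQGn8GF7QbYCLuR8t2CjWZoTKZ5ia69EA="  # laptop public key shown in the post

# Constructed sample configs; the private keys are placeholders, never real key material.
SERVER_CONF = f"""[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = <contents-of-server.key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = {CLIENT_PUB}
AllowedIPs = 172.16.0.2/32
"""

CLIENT_CONF = f"""[Interface]
PrivateKey = <contents-of-client.key>
Address = 172.16.0.2/32

[Peer]
PublicKey = {SERVER_PUB}
AllowedIPs = 166.8.0.0/14, 172.16.0.0/24, 10.241.0.0/24, 10.241.64.0/24, 10.241.128.0/24, 10.243.64.0/24
Endpoint = 161.156.171.206:51820
"""

# What the post's first drafts had: the laptop's public IP as the server AllowedIPs, its LAN
# address as tunnel Address, host bits in a /24, and eth0 on a VM whose uplink is ens3.
BROKEN_SERVER_CONF = (SERVER_CONF.replace("AllowedIPs = 172.16.0.2/32", "AllowedIPs = 9.134.182.146/32")
                      .replace("-o ens3", "-o eth0"))
BROKEN_CLIENT_CONF = (CLIENT_CONF.replace("Address = 172.16.0.2/32", "Address = 192.168.3.217/32")
                      .replace("10.243.64.0/24", "10.243.64.13/24"))

if __name__ == "__main__":
    for name, s, c in (("corrected pair", SERVER_CONF, CLIENT_CONF), ("first-draft values", BROKEN_SERVER_CONF, BROKEN_CLIENT_CONF)):
        print(name, check_pair(s, c, SERVER_PUB, "ens3") or "OK")
    print("10.241.0.5 via wg0:", routed_via_tunnel(CLIENT_CONF, "10.241.0.5"))
```

To check real files, feed check_pair the contents of /etc/wireguard/wg0.conf from the jump box, the laptop's config, the server.key.pub value and the uplink name from ip route; routed_via_tunnel with the address the cluster hostname resolves to tells you whether the ping in the next step can possibly go through the tunnel.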

6-Check the VPN

ping nice-openshift-ba36b2ed0b6b09dbc627b56ceec2f2a4-i000.eu-de.containers.appdomain.cloud
That hostname is the cluster's ingress; for a private-endpoint cluster it resolves to addresses inside the VPC, which is why it only answers with the tunnel up. If it does not resolve from the laptop, resolve it from the jump box (which sits in the VPC) and confirm the address falls in one of the client's AllowedIPs ranges. ICMP can be filtered, so finish the check with the real service: curl -k the ingress URL, or oc login against the cluster's private API endpoint.

Congrats :p) all done!

Alain Airom (Ayrom)
IT guy for a long time, looking for technical challenges everyday!