Setup Wireguard WAG VPN with MFA enable on AWS EC2

Dhrumil GohilDhrumil Gohil
5 min read

Table of contents

What is a VPN?

A VPN, or Virtual Private Network, is a secure technology that allows you to create a private and encrypted connection over the internet. It enables you to protect your online privacy, hide your location, and securely access websites and services as if you were in a different location.It hides your online activities by routing your data through a remote server, encrypting it along the way. This makes your connection private and secure, protecting you from prying eyes, whether you're at home or using public Wi-Fi. VPNs are often used to access region-restricted content, maintain online privacy, and enhance online security.

What is a Wireguard?

WireGuard is a modern and secure open-source VPN (Virtual Private Network) protocol that offers fast and efficient encrypted connections. It's designed for simplicity and ease of use, providing a lightweight yet robust solution for secure data transmission over the internet. WireGuard's simplicity makes it an attractive choice for individuals and organizations looking to establish a secure and private network connection.

What is WAG?

Wag is an opensource tool. Wag adds 2fa and device enrolment to wireguard.It allows you to restrict routes based on 2fa while allowing other routes to remain public if a client has a valid public key.

Let's setup the VPN server on ec2

Launch Ec2

  • Go to the EC2 page and click on Launch Instance.

  • Give the EC2 name at your convenience.

  • Select Ubuntu image(22.04).

  • Select the Instance type at your convenience. (Recommended: t2.micro)

  • Create an SSH key pair if you don't have one.

It will download the SSH private key. Keep it with you. It will be useful when you want to ssh into ec2.

  • Keep all settings as their default values as we are focusing on deployment.

  • Click on Launch instance.

  • Connect with EC2.

  • Install iptables , libpam and jq .
apt update
apt install iptables
apt install libpam0g
apt install jq
  • Check If it is installed or not.
iptables -L

๐Ÿ’ก
Wag must be run as root, to manage iptables and the wireguard device.
  • Forwarding must be enabled in sysctl.
sysctl -w net.ipv4.ip_forward=1
๐Ÿ’ก
Create another ec2 for the testing purpose and install apache on it - apt install apche2.

Setup WAG

  • Create directory to install WAG.
mkdir -p /opt/wag
cd /opt/wag
  • Download WAG(Binary release (requires glibc 2.31+)).
curl -L $(curl -s https://api.github.com/repos/NHAS/wag/releases/latest | jq -M -r '.assets[0].browser_download_url') -o wag
chmod 700 wag
  • Generate configuration file.
sudo ./wag gen-config

๐Ÿ’ก
external IP address(VPN server IP): public_ip_of_ec2
  • Change the config file name.
mv config.json.* config.json
  • Change the wireguard port to 51820 and add ACL in the config file.
"Wireguard": {
        "DevName": "wg0",
        "ListenPort": 51820,
        "PrivateKey": "W/q3O0qATduQAau81GjkmA7Z71CuGPBguW36gZl2Vtk=",
        "Address": "10.1.2.1/24",
        "MTU": 1420,
        "PersistentKeepAlive": 25,
        "DNS": ["8.8.8.8"]
    }
  • Add ACL's rule.

Here, a group named "admin" is being created and the user "dhrumil" is being added to it. The user will be permitted to access the Internet without the need for 2-factor authentication, but will be required to authenticate to access the host 172.31.16.255.

"Acls":{
      "Groups":{
         "group:admin":[
            "dhrumil"
         ]
      },
      "Policies":{
         "group:admin":{
            "Mfa":[
               "172.31.16.255/20"
            ],
            "Allow":[
             "0.0.0.0/0"
            ]
         }
      }
   }
  • Your configuration file should look like this.
{
    "Proxied": false,
    "NAT": null,
    "HelpMail": "dhrumil@gmail.com",
    "Lockout": 5,
    "ExternalAddress": "54.224.191.174",
    "MaxSessionLifetimeMinutes": 1440,
    "SessionInactivityTimeoutMinutes": 60,
    "ManagementUI": {
        "ListenAddress": "",
        "Enabled": false
    },
    "Webserver": {
        "Public": {
            "ListenAddress": ":8080"
        },
        "Tunnel": {
            "Port": "80"
        }
    },
    "Authenticators": {
        "Issuer": "dhrumil-org",
        "Methods": [
            "totp"
        ],
        "DomainURL": "",
        "OIDC": {
            "IssuerURL": "",
            "ClientSecret": "",
            "ClientID": ""
        },
        "PAM": {
            "ServiceName": ""
        }
    },
    "Wireguard": {
        "DevName": "wg0",
        "ListenPort": 51820,
        "PrivateKey": "W/q3O0qATduQAau81GjkmA7Z71CuGPBguW36gZl2Vtk=",
        "Address": "10.1.2.1/24",
        "MTU": 1420,
        "PersistentKeepAlive": 25,
        "DNS": ["8.8.8.8"]
    },
    "DatabaseLocation": "devices.db",
    "Acls": {
            "Groups":{
         "group:admin":[
            "dhrumil"
         ]
      },
      "Policies":{
         "group:admin":{
            "Mfa":[
               "172.31.16.255/20"
            ],
            "Allow":[
             "0.0.0.0/0"
            ]
         }
    }
}
}
  • Start WAG.
./wag start -config config.json

wag will create a database "devices.db" where it will store all users and their respective keys.

Create service for the wag.

  • Go to system folder.
cd /etc/systemd/system
vi wag.service
  • Create wag.service.
[Unit]
Description=Wireguard configuration

[Service]

User= root

WorkingDirectory=/opt/wag
ExecStart=/opt/wag/wag start

ExecStopPost=/opt/wag/wag cleanup

Restart=on-failure
RestartSee=10

KillingSignal=SIGINT


[Install]
WantedBy=multi-user.target
  • Enable and start service.
systemctl enable wag
systemctl start wag
  • Check the status of service.
systemctl status wag

  • Create user dhrumil, which we mentioned in the admin group.
./wag registration -add -username dhrumil
  • It will give you token to generate client configuration file.

  • Add the rules below to the security group of ec2.

  • Download client configuration.
curl http://ec2_public_ip:8080/register_device?key=<generated token>

  • Restart the WAG service.
systemctl restart wag

Great!!! Your VPN server is ready.

Setup the Wireguard client on Windows.

๐Ÿ’ก
I am showing the setup on windows. You can set up your wireguard client on Ubuntu, windows, mobile phone etc..
  • Download wireguard client for Windows.

https://www.wireguard.com/install/

You can see this type of screen for wireguard.

  • Now, Add client configuration to connect with our VPN server.

Click on Add tunnel -> Add Empty tunnel

Add client configuration, which we have generated.

  • Activate VPN connection.

  • Now, We can access the second ec2 from the VPN.

Opps.. It's not working. Why????

As we mentioned in the configuration, to access this host we need 2fa. Let's setup 2fa with google authenticator.

 "Policies":{
         "group:admin":{
            "Mfa":[
               "172.31.16.255/20"
            ],
            "Allow":[
             "0.0.0.0/0"
            ]
         }
    }

Setup 2fa with Google authenticator.

  • Download Google authenticator on your mobile phone.

Go to the VPN server(10.1.2.1).

๐Ÿ’ก
10.1.2.1 is the private ip of our VPN server. You can see in the configuration of Wireguard.

Scan this QR code from the Google authenticator.

You have connected the Google authenticator with VPN server.

Enter the Number(OTP), Which You can see on your app.

After Entering the OTP, You can see the authorization page.

  • Now, You can see the Apache default page.

Reference

https://github.com/NHAS/wag

Setting up a VPN with Wireguard Server on AWS EC2. - DEV Community

0
Subscribe to my newsletter

Read articles from Dhrumil Gohil directly inside your inbox. Subscribe to the newsletter, and don't miss out.

wireguardvpnAWSwag

Written by

Dhrumil Gohil
Dhrumil Gohil