WireGuard on Windows Server
Today I have some spare time in weekend holiday. Therefore, I decided to test WireGuard VPN on windows server. WireGuard is a free opensource and light weight VPN application.
I will skip how WireGuard is working and what is different from OpenVPN. You can find from google, there are ton of articles describe about WireGuard VPN. Example WireGuard supports UDP protocol instead of TCP. In here I want to share about my experience how to deploy WireGuard on Windows Server.
Here is my use case requirement. I have to deploy robot POC at my customer’s plant. Robot supports WiFi 2.4 GHz only. That robot will be controlled by a cloud web application. Therefore, I decided to use 4G LTE WiFi router to get internet access to robot. But 4G SIM card cannot provide public static IP by service provider. For the security reason as well, we need to use VPN enable router and create a virtual private network with robot and cloud server.
I planned to use windows server and WireGuard VPN application. I used two VMs on Azure Cloud (You can use any cloud platform such as AWS or Digital Ocean.) and 4G LTE router with WireGuard client application. I used GL.iNET XE300 router. But in the article I will focus on the WireGuard server deployment on the Windows Server.
Here are task list to deploy WireGuard on windows Server.
- Define VPN network IPs and port
- Open firewall port at cloud VM level and windows OS level
- Download and install WireGuard
- Change default windows network SharedAccess to WireGuard VPN server IP
- Create a windows registration name “EnableRebootPersistConnection” with value 1 for SharedAccess
- Set Internet Connection Sharing windows Service start up type to Automatics and make run the service
- Configuration and deploy WireGuard tunnel
- Set WireGuard tunnel adaptor as a private network
- Share internet from VM Ethernet adaptor to WireGuard tunnel adaptor
1. Define VPN network IPs and port
I defined VPN network IPs as 10.8.0.1 and VPN port as 34567.
2. Open firewall port at cloud VM level and windows OS level
I used Azure Cloud VM for WireGuard VPN server. Therefore, go to https://portal.azure.com and add inbound security rule for port 34567.
I also added inbound rule for UDP port 34567 at windows firewall
3. Download and install WireGuard
Go to https://www.wireguard.com/install/ and download WireGuard windows installer and install it. WireGuard support windows 7 to windows server 2022. Installation is too fast.
After installed WireGuard, click on the “Add emty tunnel” menu from button-left “Add Tunnel” drop-down list. The “Create new tunnel” popup windows will be opened to configure a tunnel for VPN clients and server.
WireGuard UI generated Public Key and Private Key for you. Copy Public Key and Private Key in Notepad which have to use in next step.
Click on the “Cancel” button and close the WireGuard application.
From step 4 to 9, we can do with PowerShell commands. I created PowerShell scripts and windows batch file. You can download from my GitHub.
4. Step 4 to 9
After download all files from GitHub, put inside C:\wireguard folder.
Open wgserver.conf file from Notepad and update Server PrivateKey and Peer information such as PublicKey and AllowedIPs.
You can get VPN client’s PublicKey from each clients. There is a WireGuard application for Android as well.
If your WireGuard server name is different from this lesson, please change inside PreConfigureWindowsSettings.ps1.
After that run 1.setup_prequisite_configuration.bat, 2.start.wgserver.bat as an administrator. Or, you can run PreConfigureWindowsSettings.ps1 and InstallWireGuardAdaptor.ps1 from Microsoft PowerShell with administrator right.
Now your WireGuard VPN server is ready.
If you want to uninstall WireGuard Tunnel, please run 3.stop_wgserver.bat or UninstallWireGuardAdaptor.ph1.
If any questions are clarification, please drop in comment or feel free to send email to me. But you need to take your own risk! Never try on production environment before you understanding clearly.