AWS VPC Access with Wireguard VPN - AWS Hands on

Captions
Welcome back to another video, guys. In this video we're going to use WireGuard VPN to access the servers hosted on AWS. Now, a big disclaimer: um, if you have lots and lots of servers, or if you're an enterprise customer for AWS, then this is not the method that you want to use. You would have, you know, far better, different methods that you can use to access your servers. But all the indie hackers out there, or individual or, you know, early-phase startups: if you have a handful of servers, or even one or two servers on AWS, I'm going to show you a best and secure way to access your servers using WireGuard.

Now, you'd be thinking: why do you want to use WireGuard? I mean, I can just use my public IP address and directly SSH or RDP into the server. But that's where the problem is. Usually there are three ways that users take to access their servers. One is using the public IP address: they directly RDP or SSH into the server, and this is the most unsecure way, because you're keeping your server open for attacks. Like, um, there are hackers on the internet that are scanning ports all the time, and if they find that your server is open for SSH or RDP access, then they're going to try and access it. You know, it's just until the time they get the right password, uh, to connect to it.

The second method that users use usually is the jump server method, where all of their infrastructure, like this here, is secured in, in a virtual private network, and there is one particular server that's open to the internet, and users connect to it, and then from that jump server they connect to rest of the servers. This method is good, but again, you know, there are still, uh, issues with it, because you still have one server that's open, you know, for attackers to attack.

And the third method is the VPN, where, you know, you put a VPN connection just like this into your infrastructure and let users connect through the VPN. And let me tell you, this is how the enterprise or big companies manage the access to their servers, uh, for the users.

Now you'd be thinking, like, if big companies or enterprises do it, then it must be costly, right? Yes and no. I mean, there are VPN solutions that are costly. If you have lots and lots of users that are connecting through VPN, then it becomes costly. But if you are someone like me, you know, who have handful of servers, you can use WireGuard to, you know, connect to a secure network, and that's, that's the beauty of WireGuard. It's lightweight; um, you can practically run it on a Raspberry Pi. It is as secure as other VPN connections out there; um, you know, you can compare it with OpenVPN or any other VPN appliances there, and WireGuard is as much secure as them. And third option is, even though it will be on your, you know, public IP address, if somebody runs a port scan they wouldn't know that there is a WireGuard server listening for VPN connections, so it's completely secure. Uh, the only thing that you would need to worry about is the access keys. Um, I'll show you when we set up that, and you probably need to keep your access keys secure. Um, if those are gone, then that's a problem. So let's get started.

All right, the first thing that you need to do is be logged into AWS Management Console. So I already have a web server running on this, um, AWS. Let me, um, go ahead and show it to you guys. So this is a instance, and let me open the website using the public DNS name. So this is a demo website. I have this server running, and currently, uh, the security group that it's attached to has open RDP access. I mean, you know, we can RDP into the server using public IP address, and that's, that's what we want to avoid. So we're going to create a new instance, install WireGuard on it, and then remove this from the security group so that public RDP access is disabled, and then we're going to access the server through WireGuard VPN.

In order to do that, let's go to EC2 dashboard. Let's launch a new instance here. I'm going to select Ubuntu with, um, 64-bit Arm processor and then click on Select. Uh, we're probably okay with t4g.nano; this is the, um, you know, cheapest virtual machine, with half a gig RAM, two vCPUs, and it's, it's sufficient if you are just, like, one or, you know, less than five users that wants to connect. Let's go ahead and configure instance details. I'm going to keep everything else to default right now. Let's go to Add Storage; again, leave everything to default. Again default.

Now we need to create a new security group. So we have, you know, we already have SSH open over here right now. Uh, we will need SSH port open, or like port 22 open, so we can, you know, install the WireGuard on the server, new instance, and later on we will go ahead and disable this. Apart from this, there are a couple of more rules that we need to add. So let me first add a port, uh, you know, open a port that's for WireGuard, that is UDP port 51820. If I can find UDP... Custom UDP rule, okay. All right, so 51820, and I'm going to open it from anywhere, and then click on Review and Launch. Let's go ahead and launch. I'm going to use the key pair that I already have; if you don't have one, then you need to create one. And then click on Launch Instance.

All right, so I'll give it a few minutes, let the instance be ready, and then I'll show you how to install WireGuard on it. Now, before we install WireGuard, what we need to do is basically assign a static, you know, public IP address to this server so that on the reboot IPs don't change. So let's do that first. And in order to do that, let's go to Elastic IPs and let's allocate an Elastic IP from the pool. Click on Allocate, and now we're going to associate the IP address with the instance. And, uh, I don't remember what the instance name was, so let's go back to Instances, and it is ending with a6 d8. So back to Elastic IPs, and there we go, let's associate it here. Okay, so we should have that IP address for this instance now. There it is.

All right, so it, it still shows initializing, but I'm pretty sure it's up, so we should be able to connect to it now. I'm going to click on Connect here and then go to SSH, copy the example from here, and then I'm going to open the PowerShell in the same folder where we have the key. So let me do that. Paste the command here and hit Enter, and then we're gonna do yes, and boom, we're connected to our new instance.

Now let's go ahead and install WireGuard VPN. So there are multiple ways to install WireGuard VPN, and I'm going to show you the most easiest way to do it, using, you know, PiVPN. So go to the PiVPN website, uh, if I can spell it, and there we go. Let me copy this command here and paste it in the PowerShell, hit Enter. It's gonna take few seconds before it actually, you know, prompts for a user input, so you gotta be patient with it.

All right, so it looks like it has moved ahead and the installation has started. PiVPN was basically designed for Raspberry Pi, but we can definitely use it for AWS as well, and PiVPN makes it easy to install WireGuard and add or remove user accounts or clients into it. So let's go ahead and hit Enter here. We already have a static IP address, so hit Enter, and it detects that we are not on Raspbian, so it's not gonna give us the option to set a static IP. That's okay, because we don't need one right now. Hit Enter, Enter. All right, so the user that's gonna hold all the config files for new, you know, VPN clients, that's gonna be default ubuntu user, so let's hit Enter. All right, so over here you have an option to choose whether you want to use WireGuard or OpenVPN, and I'm going to stick to WireGuard and then hit Enter here. It's doing its magic.

All right, so here you can specify the port for VPN. Uh, we're going to keep it to default, 51820; this is the one that we opened in our security group for access. So let's go ahead and hit OK, yes. Um, you can choose any DNS server you want; I'm really fine with Quad9, so I'm going to hit Enter. This is the public IP address that was assigned, uh, to it, I mean the Elastic IP address that we assigned to it, so I'm gonna hit OK here and then hit Enter. Okay, yes, I want to automatically do upgrades, and then hit OK, and yes, let's go ahead and reboot our instance. So it's going to reboot the instance. It's gonna take few seconds, so I'm gonna go ahead and get my coffee.

Okay, so it's been a minute; I'm back with my coffee. So let's go ahead and try to connect to it again. I'm just gonna hit up arrow and hit Enter. See, it's up, so we are logged back into our instance. So I'm going to create a user account for myself in WireGuard. So to do that you need to type in pivpn and then space and then add, hit Enter. Let's give it a name; I'm gonna type in shree and then Enter, and it has created, it has created a config file for me. So we can view that config file by doing cat, then go to home, ubuntu, configs, and then there should be an config file for each user, so it's shree.conf. Hit Enter, and we have our configuration that we are going to use to connect to now VPN. So let me copy this from here and save it in a Notepad. All right, so let me paste it here and save this file as a key, so I'm going to do as key.conf.

Now remember, this key is extremely important. You need to secure it, um, you know, in the best way possible, because if someone gets hand on this key, they're going to be able to connect to your VPN and they're, you're gonna be able to access the network. So, uh, it's really up to you how you handle these keys. Uh, there are, you know, you can improvise and keep the keys safe or, um, hand over to the users in a safe manner.

So, all right, so we have the key now. Next thing that we need to do is go back to the AWS console. Let me go back here and take care of a couple of rules so that, you know, our servers can talk to each other on the private network. So we have two instances, like two servers, one for WireGuard and one for web server, and what I want is, um, modify the security group so they can talk to each other properly without any restrictions. So let's first go ahead and go into the security group for our web server. So let me go to Networking... should be in Security, and let's go to this group. So we have RDP open from the internet, so I'm going to edit the inbound rules and remove the RDP access, so we will no longer be able to connect it using public IP. So let's delete this, and then we're going to add another rule for all traffic without any restrictions, but from the security group of the WireGuard VPN. So that was launch-wizard-1; we didn't actually name it anything different. We should have, but anyway. So let's go ahead and save it here.

Okay, now let's go back to our EC2 instances. Let's go to the security group for the WireGuard VPN, the one that we created, and let's edit inbound rules here. I'm going to add a new rule for all traffic; again, we're going to choose the security group for the web server, and then click on Save here. And of course we can remove the SSH now, so let me delete that. Let me disconnect from the SSH here. All right, and then click on Save. Okay, so our security groups are properly configured now.

The next thing that you want to do is install the WireGuard client. So let's go ahead and go to the WireGuard website, and that's wireguard.com. So from there you can just go ahead and download the Windows client. Where is it... go to Installation and download the Windows installer from here, then save it. I already have it installed, so I'm not gonna install it; just next, next, next and install. So I'm just gonna go ahead and open up the client here and import the key that we had saved. So let me select the key, open it here. Okay, so we have the key now. I'm going to go ahead and activate the VPN, so let's do that, and bingo, we're connected to VPN right now.

So let's go back to our EC2 console, let's go to EC2 instances, and I'm going to go ahead and try to RDP into my web server. So let me... and I'm going to use the private IP address, not the public one. So, private IP address copied. Let me go to Remote Desktop and connect to it, and it gave a prompt, so that's a good sign. So let me type in the credentials. Okay, I'm gonna paste my password, hit Enter, and bingo, we're connected to the instance using a private IP address, and it's not accessible from the public IP. So we can try that as well. So let me try public DNS, go to mstsc again and try to connect to it, and it won't connect. So that is good; that's, that's what we wanted.

Now let me show you that you, even if you have just one server and if it's Linux, you can use the WireGuard the same way I did and then connect to it using the, uh, private IP address. So right now we disable the rule to, you know, SSH into the server using public IP, but we can use WireGuard and SSH into it using private IP. So let me copy the private IP here, go back to my terminal, and instead of, um, the public name I'm going to try with this IP, and it did prompt me for confirmation. Yes, and there we go, we're connected. And if you, uh, you know, if I want to show you that we can't connect to it on public IP anymore, so we do exit and just go to up, and we won't be able to connect using the public IP address. See, it's probably just going to time out.

All right, so this is how you use the WireGuard to, you know, securely access your infrastructure on AWS. I hope this video was informative. Um, if you liked it, you know, if you liked the video, if you learned something new, please do give me a like on YouTube, subscribe to the channel for more exciting content. I'll see you guys in the next video. Take care.
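
Added example, not from the video: a small Python check that the security-group changes made in the walkthrough took effect, run over rules in the shape `aws ec2 describe-security-groups` returns. The group IDs `sg-web` and `sg-vpn` and both rule sets are constructed for illustration.

```python
# Added example: audit ingress rules shaped like `aws ec2 describe-security-groups` output.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WG_PORT = 51820  # WireGuard UDP port used in the walkthrough

def rule(proto, port=None, cidr=None, group=None):
    """Build one constructed IpPermissions entry."""
    perm = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": group}] if group else []}
    if port is not None:
        perm["FromPort"] = perm["ToPort"] = port
    return perm

def world_open(perm):
    """True if the rule admits any IPv4 or IPv6 source address."""
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))

def covers(perm, proto, port):
    """True if the rule matches proto/port; IpProtocol "-1" means all traffic."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == proto
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def audit(groups, vpn_group_id):
    """List admin ports exposed to the internet and check the VPN port is open."""
    findings, vpn_reachable = [], False
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not world_open(perm):
                continue  # source is a security group or a specific CIDR
            for port, name in ADMIN_PORTS.items():
                if covers(perm, "tcp", port):
                    findings.append(f"{g['GroupId']}: {name} open to the internet")
            if g["GroupId"] == vpn_group_id and covers(perm, "udp", WG_PORT):
                vpn_reachable = True
    if not vpn_reachable:
        findings.append(f"{vpn_group_id}: UDP {WG_PORT} closed, clients cannot connect")
    return findings

# Constructed state during setup: RDP and SSH still public.
BEFORE = [{"GroupId": "sg-web", "IpPermissions": [rule("tcp", 3389, cidr="0.0.0.0/0")]},
          {"GroupId": "sg-vpn", "IpPermissions": [rule("tcp", 22, cidr="0.0.0.0/0"),
                                                  rule("udp", 51820, cidr="0.0.0.0/0")]}]
# Constructed state at the end: only UDP 51820 public, the rest group-to-group.
AFTER = [{"GroupId": "sg-web", "IpPermissions": [rule("-1", group="sg-vpn")]},
         {"GroupId": "sg-vpn", "IpPermissions": [rule("udp", 51820, cidr="0.0.0.0/0"),
                                                 rule("-1", group="sg-web")]}]
```

`audit(BEFORE, "sg-vpn")` reports the public RDP and SSH rules, and `audit(AFTER, "sg-vpn")` returns an empty list.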
Info
Channel: Shrikrishna Kulkarni
Views: 144
Id: GL5rphZ7wUQ
Length: 20min 7sec (1207 seconds)
Published: Wed Sep 22 2021