
VPN Infrastructure Setup Guide

Overview

This setup provides a secure VPN-based infrastructure using WireGuard that:

  • Exposes only essential public services to the internet
  • Requires a VPN connection for administrative and monitoring services
  • Provides enterprise-grade security with minimal performance overhead

Architecture

Internet
    ↓
[Public Services] ← Traefik Reverse Proxy
    ↓
[WireGuard VPN] ← VPN Required
    ↓
[Private Services] ← Internal Network

Public Services (Internet Accessible)

These services remain accessible without VPN:

  1. Status Page: status.olanna.ai (Uptime Kuma)
  2. Assets: assets.olanna.ai (Static files)

Administrative Services (Basic Auth Required)

These services have their own authentication but are publicly accessible:

  1. VPN Admin: vpn-admin.olanna.ai (WG-Easy - with basic auth)

Private Services (VPN Required)

These services require VPN connection:

  1. Authentication: auth.olanna.ai (Keycloak)
  2. Monitoring: monitoring.olanna.ai (Grafana)
  3. Search: search.olanna.ai (OpenSearch Dashboards)
  4. Tracing: tracing.olanna.ai (Jaeger)
  5. Database: database.olanna.ai (pgAdmin)
  6. CI/CD: jenkins.olanna.ai (Jenkins)
  7. Service Discovery: consul.olanna.ai (Consul)
  8. Secrets: vault.olanna.ai (Vault)
  9. Artifacts: nexus.olanna.ai (Nexus)
  10. Proxy Admin: traefik.olanna.ai (Traefik Dashboard)
  11. Message Queue: rabbitmq.olanna.ai (RabbitMQ)
  12. DNS Admin: dns.olanna.ai (Pi-hole)
  13. Telemetry: telemetry.olanna.ai (OpenTelemetry)

Quick Start

1. Run the Setup Script

./scripts/setup-vpn.sh

This script will:

  • Check WireGuard support
  • Generate cryptographic keys
  • Create client configurations
  • Set up Docker networks
  • Generate firewall rules
  • Create documentation

2. Start VPN Infrastructure

# Start VPN services first
docker-compose -f docker-compose-vpn.yml up -d

# Start main services with VPN protection
docker-compose up -d

3. Configure DNS

Add these DNS records to your domain:

# VPN Infrastructure
vpn.olanna.ai        A    YOUR_SERVER_IP
vpn-admin.olanna.ai  A    YOUR_SERVER_IP

# Public Services
status.olanna.ai     A    YOUR_SERVER_IP
assets.olanna.ai     A    YOUR_SERVER_IP

# Private Services (VPN Required)
auth.olanna.ai       A    YOUR_SERVER_IP
monitoring.olanna.ai A    YOUR_SERVER_IP
search.olanna.ai     A    YOUR_SERVER_IP
tracing.olanna.ai    A    YOUR_SERVER_IP
jenkins.olanna.ai    A    YOUR_SERVER_IP
database.olanna.ai   A    YOUR_SERVER_IP
consul.olanna.ai     A    YOUR_SERVER_IP
vault.olanna.ai      A    YOUR_SERVER_IP
nexus.olanna.ai      A    YOUR_SERVER_IP
traefik.olanna.ai    A    YOUR_SERVER_IP
rabbitmq.olanna.ai   A    YOUR_SERVER_IP
dns.olanna.ai        A    YOUR_SERVER_IP
telemetry.olanna.ai  A    YOUR_SERVER_IP

4. Apply Firewall Rules

sudo ./firewall-rules.sh

5. Configure VPN Clients

  • Client configurations are in ./wireguard-clients/
  • Import client1.conf into your WireGuard client
  • Connect and test access to private services

Security Features

Network Isolation

  • VPN Subnet: 10.8.0.0/24
  • Docker Network: 172.18.0.0/16
  • IP Filtering: Services check source IP ranges

Access Control

  • Public: Rate-limited, security headers
  • Private: VPN-only, additional authentication
  • Admin: Basic auth + VPN required

Encryption

  • WireGuard: ChaCha20-Poly1305 encryption
  • TLS: Let's Encrypt certificates
  • Headers: Security headers on all services

Configuration Files

WireGuard Server Config (Auto-generated)

[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.8.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.8.0.2/32

Client Config Example

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.8.0.2/24
DNS = 172.18.0.10, 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = vpn.olanna.ai:51820
AllowedIPs = 10.8.0.0/24, 172.18.0.0/16
PersistentKeepalive = 25

Management

WG-Easy Web Interface

  • URL: https://vpn-admin.olanna.ai
  • Features:
      • QR codes for mobile clients
      • Client management
      • Usage statistics
      • Connection monitoring

Pi-hole DNS Management

  • URL: https://dns.olanna.ai
  • Features:
      • Internal DNS resolution
      • Ad blocking for VPN clients
      • Query logging
      • Whitelist/blacklist management

Monitoring & Troubleshooting

Connection Testing

# Test VPN connection
ping 10.8.0.1

# Test internal service access
curl -I https://monitoring.olanna.ai

# Check WireGuard status
sudo wg show
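
The status commands above tell you whether the tunnel is up right now; for ongoing monitoring it is more useful to parse the machine-readable form, `wg show wg0 dump`, and flag peers whose last handshake is old. The following script is an added example, not part of the original guide or its setup script: it parses the real tab-separated `dump` layout (the interface name `wg0` comes from the server config on this page), and the sample dump embedded in it is constructed with placeholder keys and documentation addresses. The 180-second threshold is an assumption based on WireGuard re-handshaking roughly every two minutes while a session is active.

```python
"""Parse `wg show wg0 dump` output and flag peers with no recent handshake."""
from __future__ import annotations

import sys
import time
from dataclasses import dataclass

# An active session re-handshakes roughly every two minutes, so a peer whose
# last handshake is older than this is idle or cannot reach the server (assumption).
STALE_AFTER_SECONDS = 180


@dataclass
class Peer:
    public_key: str
    endpoint: str          # "(none)" until the peer has connected once
    allowed_ips: str
    latest_handshake: int  # Unix time; 0 means never
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(dump: str) -> list[Peer]:
    """Parse `wg show <iface> dump`: line 1 is the interface (private-key,
    public-key, listen-port, fwmark); each further line is one peer with
    tab-separated public-key, preshared-key, endpoint, allowed-ips,
    latest-handshake, transfer-rx, transfer-tx, persistent-keepalive."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    peers: list[Peer] = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, handshake, rx, tx, _keepalive = fields
        peers.append(Peer(pub, endpoint, allowed, int(handshake), int(rx), int(tx)))
    return peers


def stale_peers(peers: list[Peer], now: float | None = None,
                stale_after: int = STALE_AFTER_SECONDS) -> list[Peer]:
    """Peers that never completed a handshake or whose last one is too old."""
    now = time.time() if now is None else now
    return [p for p in peers
            if p.latest_handshake == 0 or now - p.latest_handshake > stale_after]


def report(peers: list[Peer], now: float | None = None) -> list[str]:
    """One human-readable line per peer, marking stale ones."""
    now = time.time() if now is None else now
    stale = {p.public_key for p in stale_peers(peers, now)}
    lines = []
    for p in peers:
        age = "never" if p.latest_handshake == 0 else f"{int(now - p.latest_handshake)}s ago"
        state = "STALE" if p.public_key in stale else "ok"
        lines.append(f"{state:5} {p.allowed_ips:14} handshake {age:>10} "
                     f"endpoint {p.endpoint} rx {p.rx_bytes} tx {p.tx_bytes}")
    return lines


# Constructed sample in the exact dump layout (placeholder keys, documentation IPs).
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVATE_KEY", "SERVER_PUBLIC_KEY", "51820", "off"]),
    "\t".join(["CLIENT1_PUBLIC_KEY", "(none)", "203.0.113.7:41820", "10.8.0.2/32",
               "1700000000", "123456", "654321", "off"]),
    "\t".join(["CLIENT2_PUBLIC_KEY", "(none)", "(none)", "10.8.0.3/32",
               "0", "0", "0", "off"]),
    "\t".join(["CLIENT3_PUBLIC_KEY", "(none)", "198.51.100.9:5000", "10.8.0.4/32",
               "1699999000", "10", "10", "25"]),
])

if __name__ == "__main__":
    # Pipe real data in with: sudo wg show wg0 dump | python3 wg_handshakes.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    now = time.time() if not sys.stdin.isatty() else 1700000060
    print("\n".join(report(parse_wg_dump(dump), now)))
```

A peer that shows rx bytes but a stale handshake usually means its endpoint can no longer reach UDP 51820 (the first item under Common Issues below); a peer with handshake "never" has a config that was issued but never used, which is worth reconciling against the WG-Easy client list.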

Log Locations

  • WireGuard: Container logs via docker logs wireguard
  • Traefik: /var/log/traefik/
  • Access Logs: Traefik access logs show VPN vs public access

Common Issues

  1. Can't connect to VPN
      • Check that the firewall allows UDP 51820
      • Verify DNS resolution for vpn.olanna.ai
      • Check server logs: docker logs wg-easy

  2. Can access VPN but not services
      • Verify the IP range in the VPN config includes 172.18.0.0/16
      • Check that the Traefik dynamic config loaded
      • Test with: curl -H "Host: monitoring.olanna.ai" http://172.18.0.X:3000

  3. Services accessible from the internet (security issue)
      • Check that firewall rules are applied
      • Verify the Traefik middleware is active
      • Check that service labels include vpn-only@file
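
The third issue above is the one that matters most, and the Traefik access logs (see Log Locations) are where it shows up: a request to a private hostname that came from a non-VPN address and still got a 2xx/3xx means the vpn-only middleware was not in front of that service. The script below is an added example, not part of the original guide or of Traefik: it reads Traefik's JSON access-log format (the `ClientHost`, `RequestHost`, `RequestPath` and `DownstreamStatus` field names are Traefik's own), classifies each entry by source subnet using the ranges from the Network Isolation section, and reports exposures. The log lines embedded in it are constructed with documentation IP addresses; the private hostnames are the ones listed on this page.

```python
"""Classify Traefik JSON access-log entries as VPN, internal or public by
source address, and flag private hosts served to clients outside the VPN."""
from __future__ import annotations

import ipaddress
import json

VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")       # VPN clients
DOCKER_SUBNET = ipaddress.ip_network("172.18.0.0/16")  # containers (health checks etc.)
# Hostnames from the "Private Services (VPN Required)" list.
PRIVATE_HOSTS = {
    "auth.olanna.ai", "monitoring.olanna.ai", "search.olanna.ai", "tracing.olanna.ai",
    "database.olanna.ai", "jenkins.olanna.ai", "consul.olanna.ai", "vault.olanna.ai",
    "nexus.olanna.ai", "traefik.olanna.ai", "rabbitmq.olanna.ai", "dns.olanna.ai",
    "telemetry.olanna.ai",
}


def classify_source(client_host: str) -> str:
    """'vpn' for 10.8.0.0/24, 'internal' for the Docker network, else 'public'."""
    try:
        addr = ipaddress.ip_address(client_host)
    except ValueError:
        return "unknown"
    if addr in VPN_SUBNET:
        return "vpn"
    if addr in DOCKER_SUBNET:
        return "internal"
    return "public"


def audit(log_text: str) -> dict:
    """Count requests per origin class and list private hosts reached from outside."""
    summary = {"vpn": 0, "internal": 0, "public": 0, "unknown": 0}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        # Traefik's JSON access log stores the peer IP without port in ClientHost.
        origin = classify_source(entry.get("ClientHost", ""))
        summary[origin] += 1
        host = entry.get("RequestHost", "").split(":")[0].lower()
        status = int(entry.get("DownstreamStatus", 0))
        # A working vpn-only middleware answers non-VPN clients with 403 before the
        # request reaches the service, so a 2xx/3xx here means it was bypassed.
        if host in PRIVATE_HOSTS and origin in ("public", "unknown") and status < 400:
            findings.append({"time": entry.get("time"), "client": entry.get("ClientHost"),
                             "host": host, "path": entry.get("RequestPath"), "status": status})
    return {"summary": summary, "findings": findings}


# Constructed sample log (documentation IPs, invented paths), one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2024-01-01T10:00:00Z", "ClientHost": "10.8.0.2", "RequestHost": "monitoring.olanna.ai",
     "RequestMethod": "GET", "RequestPath": "/login", "DownstreamStatus": 200},
    {"time": "2024-01-01T10:00:01Z", "ClientHost": "203.0.113.7", "RequestHost": "status.olanna.ai",
     "RequestMethod": "GET", "RequestPath": "/", "DownstreamStatus": 200},
    {"time": "2024-01-01T10:00:02Z", "ClientHost": "203.0.113.7", "RequestHost": "monitoring.olanna.ai",
     "RequestMethod": "GET", "RequestPath": "/", "DownstreamStatus": 403},
    {"time": "2024-01-01T10:00:03Z", "ClientHost": "172.18.0.20", "RequestHost": "monitoring.olanna.ai",
     "RequestMethod": "GET", "RequestPath": "/api/health", "DownstreamStatus": 200},
    {"time": "2024-01-01T10:00:04Z", "ClientHost": "198.51.100.9", "RequestHost": "vault.olanna.ai",
     "RequestMethod": "GET", "RequestPath": "/v1/sys/health", "DownstreamStatus": 200},
])

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print("requests by origin:", result["summary"])
    for f in result["findings"]:
        print("EXPOSED:", f)
```

Two caveats when running this against real logs. Traefik only sees 10.8.0.x source addresses if the WireGuard container forwards VPN traffic without masquerading it onto the Docker network; the server config on this page adds only FORWARD rules, so the source address survives, but if a MASQUERADE rule is ever added, every VPN request would arrive from the container's 172.18.x address and the classification (and an IP-based middleware) would silently stop distinguishing VPN from public. Second, the `internal` class covers container-to-container traffic such as health checks; it is not flagged here, but a private host receiving unexpected internal traffic is still worth a look.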

Performance Considerations

WireGuard Performance

  • Throughput: Near-native network speed
  • Latency: <1ms additional overhead
  • CPU Usage: Minimal (optimized cryptography)

Resource Allocation

  • WireGuard: 128MB RAM limit
  • WG-Easy: 128MB RAM limit
  • Pi-hole: 256MB RAM limit

Scaling

Multiple VPN Servers

For high availability:

  1. Deploy multiple WireGuard instances
  2. Use DNS round-robin or a load balancer
  3. Sync client configurations

Client Management

  • WG-Easy supports unlimited clients
  • Each client gets unique IP (10.8.0.2-254)
  • Revoke access by removing peer configuration
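
The three points above are what the setup script and WG-Easy automate, and they are easy to get subtly wrong by hand: each client must get its own address, the server's [Peer] stanza must carry that address as a /32 (WireGuard's cryptokey routing then accepts packets from that key only with that source IP), and revocation means deleting the peer stanza rather than just the client file. The registry below is an added example, not the project's setup script or WG-Easy's code: it allocates from 10.8.0.2-254, renders server and client configs in the shape shown under Configuration Files, and retires revoked addresses before reusing them. Key values are placeholders; key generation is left to `wg genkey`/`wg pubkey` as in the original setup.

```python
"""Allocate WireGuard client addresses from 10.8.0.2-254 and render matched
server and client configs; revoking a client drops its [Peer] stanza."""
from __future__ import annotations

import ipaddress

VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")
SERVER_ADDR = ipaddress.ip_address("10.8.0.1")
LISTEN_PORT = 51820
ENDPOINT = "vpn.olanna.ai:51820"
CLIENT_ROUTES = "10.8.0.0/24, 172.18.0.0/16"  # traffic clients send through the tunnel
CLIENT_DNS = "172.18.0.10, 1.1.1.1"


class PeerRegistry:
    """Tracks clients by name; a client's key, not its address, is its identity."""

    def __init__(self, server_private_key: str, server_public_key: str):
        self.server_private_key = server_private_key
        self.server_public_key = server_public_key
        self.peers: dict[str, tuple[str, ipaddress.IPv4Address]] = {}
        self.retired: set[ipaddress.IPv4Address] = set()  # addresses of revoked clients

    def _free_address(self) -> ipaddress.IPv4Address:
        used = {ip for _, ip in self.peers.values()}
        # Prefer never-used addresses so old access-log entries stay attributable;
        # fall back to retired ones only when the pool is otherwise exhausted.
        for avoid in (used | self.retired | {SERVER_ADDR}, used | {SERVER_ADDR}):
            for host in VPN_SUBNET.hosts():  # 10.8.0.1 .. 10.8.0.254
                if host not in avoid:
                    return host
        raise RuntimeError("VPN subnet exhausted: 253 client addresses in use")

    def add(self, name: str, client_public_key: str) -> ipaddress.IPv4Address:
        if name in self.peers:
            raise ValueError(f"client {name!r} already exists")
        if any(pub == client_public_key for pub, _ in self.peers.values()):
            raise ValueError("public key already registered to another client")
        ip = self._free_address()
        self.peers[name] = (client_public_key, ip)
        return ip

    def revoke(self, name: str) -> None:
        """Remove the peer; re-rendering the server config is what cuts access."""
        _, ip = self.peers.pop(name)
        self.retired.add(ip)

    def server_config(self) -> str:
        parts = [
            "[Interface]",
            f"PrivateKey = {self.server_private_key}",
            f"Address = {SERVER_ADDR}/{VPN_SUBNET.prefixlen}",
            f"ListenPort = {LISTEN_PORT}",
            "PostUp = iptables -A FORWARD -i wg0 -j ACCEPT",
            "PostDown = iptables -D FORWARD -i wg0 -j ACCEPT",
        ]
        for name, (pub, ip) in self.peers.items():
            # /32: the server accepts packets from this key only with this source IP.
            parts += ["", "[Peer]", f"# {name}", f"PublicKey = {pub}", f"AllowedIPs = {ip}/32"]
        return "\n".join(parts) + "\n"

    def client_config(self, name: str, client_private_key: str) -> str:
        """Client side: its own address plus the routes it sends into the tunnel."""
        _, ip = self.peers[name]
        return "\n".join([
            "[Interface]",
            f"PrivateKey = {client_private_key}",
            f"Address = {ip}/{VPN_SUBNET.prefixlen}",
            f"DNS = {CLIENT_DNS}",
            "",
            "[Peer]",
            f"PublicKey = {self.server_public_key}",
            f"Endpoint = {ENDPOINT}",
            f"AllowedIPs = {CLIENT_ROUTES}",
            "PersistentKeepalive = 25",
        ]) + "\n"


if __name__ == "__main__":
    # Placeholder keys; real ones come from `wg genkey | tee private | wg pubkey`.
    reg = PeerRegistry("SERVER_PRIVATE_KEY", "SERVER_PUBLIC_KEY")
    reg.add("client1", "CLIENT1_PUBLIC_KEY")
    reg.add("client2", "CLIENT2_PUBLIC_KEY")
    reg.revoke("client1")
    print(reg.server_config())
    print(reg.client_config("client2", "CLIENT2_PRIVATE_KEY"))
```

The client's private key is passed in only at render time and never stored in the registry; whichever tool generates client configs (this script or WG-Easy) ends up holding that key, which is why the ./wireguard-clients/ directory is listed under Critical Data and deserves the same handling as the server key.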

Security Best Practices

  1. Change Default Passwords

    # Update passwords in docker-compose files
    # Generate strong passwords with:
    openssl rand -base64 32

  2. Certificate Management
      • Let's Encrypt auto-renewal configured
      • Monitor certificate expiration

  3. Access Monitoring
      • Review Traefik access logs
      • Monitor VPN connection logs
      • Set up alerts for unusual access patterns

  4. Regular Updates

    # Update containers
    docker-compose pull
    docker-compose up -d

    # Update WireGuard
    docker pull lscr.io/linuxserver/wireguard:latest

Backup & Recovery

Critical Data

  • WireGuard keys: ./wireguard-keys/
  • Client configs: ./wireguard-clients/
  • Traefik certificates: ./letsencrypt/
  • Service data: Docker volumes

Backup Script

#!/bin/bash
# Archive the items listed under "Critical Data"; run from the project directory.
# The archive contains private keys, so store it encrypted with restricted permissions.
set -euo pipefail
tar -czf "vpn-backup-$(date +%Y%m%d).tar.gz" \
  wireguard-keys/ \
  wireguard-clients/ \
  letsencrypt/ \
  *.yml \
  *.conf

Cost Analysis

Advantages of This Setup vs Commercial VPN

  • Cost: $0 vs $50-200/month for enterprise VPN
  • Performance: Better (no shared infrastructure)
  • Control: Complete control over configuration
  • Integration: Native Docker/container integration

Estimated Resource Usage

  • Bandwidth: <5% overhead for VPN encryption
  • Storage: <1GB for configurations and logs
  • CPU: <1% additional load for encryption

This setup provides enterprise-grade VPN security at minimal cost and complexity while maintaining high performance and full control over your infrastructure.