How-To run Portainer behind a Wireguard VPN

In this blog post you will learn how to Portainer behind a Wireguard VPN. This will be based on a point-to-point connection between two machines. You can also watch this how-to as a video below.

Pre-reqs

• A server machine that will either have a fixed IP or a DDNS hostname where Portainer is running
• If the machine running Portainer is running on a cloud-base virtual, access to the network security console in order to be able to open UDP port 51820
• If the machine running Portainer is on-prem, admin access to the operating system in order to be able to open UDP port 51820
• Wireguard installed on the host running Portainer and a second host that will connect via the VPN. Please refer to https://www.wireguard.com/install/ on how to install Wireguard.

Prepare the Portainer machine

1. The first step is to generate the wireguard keys for both the main host and the client host that will connect to Portainer via the VPN by running the following:
   1. wg genkey | tee srv.privatekey | wg pubkey > srv.publickey
      We will use these on the Portainer host
   2. wg genkey | tee clt.privatekey | wg pubkey > clt.publickey
      We will use these on the client host
2. After running the key generation commands above you can continue by running the following commands on the host running Portainer. Please make sure to copy&paste the entire code block below:

server_priv=`cat srv.privatekey`
server_publ=`cat srv.publickey`
client_priv=`cat clt.privatekey`
client_publ=`cat clt.publickey`

cat <<EOF> server.conf
[Interface]
# Name: server
Address = 192.168.10.10/24
PrivateKey = $server_priv
ListenPort = 51820

[Peer]
# Name: client
PublicKey = $client_publ
AllowedIPs = 192.168.10.11/32
EOF

cat <<EOF> client.conf
[Interface]
# Name: client
PrivateKey = $client_priv 
Address = 192.168.10.11/24

[Peer]
# Name: server
PublicKey = $server_publ
EndPoint  = [SERVER IP]:51820
AllowedIPs = 192.168.10.10/32, 192.168.10.0/24
PersistentKeepalive = 25
EOF

rm *.privatekey
rm *.publickey

This script will generate two wiregaurd configuration the base files that will be used by the wireguard clients to connect to each other:

• server.conf - make sure to replace [SERVER IP] with the hostname or IP of the host that is running Portainer
• client.conf - there is no need to change anything on this file

The VPN subnet chosen for this example is 192.168.10.0

Wireguard configuration

1. On the Portainer host install wireguard according to the linux version you are running. Please following the instructions on the Wireguard documentation page: https://www.wireguard.com/install/
2. Move/Copy the server.conf file to the /etc/wireguard folder.
3. On the client host move/copy the client.conf file to the same /etc/wireguard folder if it is a linux machine or use the Import option if you are running Wireguard on MacOS or Windows.

Start Wireguard and access Portainer

1. On the Portainer host you can start wireguard by running:
   wg-quick up server
2. On the client host you can start wireguard by running:
   wg-quick up client if it is a linux machine or use the corresponding Activate option on MacOS/Windows clients.
   You should be able to ping from the client host the Portainer machine by running ping 192.168.10.10
3. Finally you can open your browser on the client machine using the following address:
   1. https://192.168.10.10:9000 - if you deployed Portainer on Docker or
   2. https://192.168.10.10:30777 - if you deployed Portainer on Kubernetes

See for yourself, with a demo or free trial
Let us introduce you to a world of fast and easy app deployment, governance, and management in Docker/Swarm and Kubernetes. Join a group demo to see how Portainer Business helps to make Engineering and DevOps teams more accurate and efficient in container management.