✓ Solved

VPC with wireguard and vlans

Hello community,

I'm looking to set up a Virtual Private Cloud (VPC) with three VLANs (Dev, Test, Prod) and a WireGuard virtual machine (VM) that enables clients from outside (from the internet) to connect and access the appropriate VLAN's machines based on their configurations.

I have a few questions:

1) Do I need to set up a dedicated WireGuard instance for each VLAN?
2) Since the WireGuard server is inside the VPC, which firewall rules should I apply in addition to allowing traffic on the WireGuard UDP ports?
3) Is there a similar use case or tutorial that could help me understand how to achieve what I want? (I want to grant developers access to dev machines, ops to all stages, and testers to test.)

Thanks for your help!

1 Reply

✓ Best Answer

Ultimately, your VPC VLAN configuration and VPN setup will depend on the following considerations:

  • What is the degree of inter-VLAN connectivity? Are all VLANs able to communicate between each other or are any fully/partially isolated from each other?
  • Do you intend for any/all of the VLANs to have internet access or will the WireGuard VPN be the only VM connected to the internet?

We currently do not have a "gateway" tool to directly bridge VPC subnets. If you were to create individual Subnets for each desired environment (Testing, Production, & Development), I believe that, yes, you would currently need to create one VPN entry point per individual Subnet.

Alternatively, until a gateway solution is implemented, I think you would deploy all three "subnets" as a single /22 subnet, administer subnet IPs based on an imagined /24 scheme, and create firewall rules so that each backend Node can only communicate with Nodes within the same IP range. For example:

  • Production: 192.168.1.0/22 << Nodes assigned 192.168.1.1-255
  • Development: 192.168.2.0/22 << Nodes assigned 192.168.2.1-255
  • Testing: 192.168.3.0/22 << Nodes assigned 192.168.3.1-255

Then, you deploy a single WireGuard VPN Node into the subnet and assign it a Public IP. It will be able to be reached on the internet and will be able to interact with all Nodes within the VPC.
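The following is an added worked example, not code from the answer above or from the hosting provider. It models the single-entry-point layout the answer describes: one WireGuard VM in a /22 VPC subnet, hosts grouped into per-environment /24 ranges, and firewall rules that keep each range separate. Assumptions of mine: the three ranges are the /24 blocks 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 inside 192.168.0.0/22; the tunnel uses 10.100.0.0/24; the VPN VM's VPC address is 192.168.0.2 and it masquerades tunnel traffic; peer names and public keys are placeholders. The point it shows is that the server-side `AllowedIPs` only binds a peer to its tunnel address (cryptokey routing) and does not limit what that peer can reach; the per-role restriction from the question (developers to dev, testers to test, ops to everything) has to be enforced in the forward chain on the WireGuard VM, while each backend node only needs to accept its own /24 plus the VPN VM.

```python
"""Access model for a single WireGuard entry point in front of a /22 VPC subnet
whose hosts are grouped into per-environment /24 ranges.
Constructed example; addresses, peer names and keys are placeholders."""
import ipaddress
from ipaddress import IPv4Network

# Assumption: the environment ranges are /24 blocks inside one /22.
VPC_SUBNET = IPv4Network("192.168.0.0/22")
ENVIRONMENTS = {
    "production":  IPv4Network("192.168.1.0/24"),
    "development": IPv4Network("192.168.2.0/24"),
    "testing":     IPv4Network("192.168.3.0/24"),
}

# Role -> environments that role may reach (the access model from the question).
ROLE_ACCESS = {
    "developer": ("development",),
    "tester":    ("testing",),
    "ops":       ("development", "testing", "production"),
}

# Assumed tunnel addressing and VPN VM address; keys are placeholders.
WG_IFACE = "wg0"
WG_NODE_VPC_IP = "192.168.0.2"
PEERS = [  # (name, role, tunnel address, public key placeholder)
    ("alice", "developer", "10.100.0.2", "<ALICE_PUBLIC_KEY>"),
    ("bob",   "tester",    "10.100.0.3", "<BOB_PUBLIC_KEY>"),
    ("carol", "ops",       "10.100.0.4", "<CAROL_PUBLIC_KEY>"),
]


def validate_scheme() -> bool:
    """Every environment range must sit inside the VPC /22 and not overlap."""
    nets = list(ENVIRONMENTS.values())
    inside = all(n.subnet_of(VPC_SUBNET) for n in nets)
    disjoint = all(not a.overlaps(b)
                   for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


def allowed(role: str, dest_ip: str) -> bool:
    """Policy decision: may a peer holding `role` reach `dest_ip`?"""
    dest = ipaddress.ip_address(dest_ip)
    return any(dest in ENVIRONMENTS[env] for env in ROLE_ACCESS.get(role, ()))


def wg_server_peers() -> str:
    """[Peer] sections for the server's wg0.conf. AllowedIPs here is the peer's
    own tunnel /32 (cryptokey routing); it does not restrict what the peer reaches."""
    sections = []
    for name, role, tun, key in PEERS:
        sections.append(f"# {name} ({role})\n[Peer]\n"
                        f"PublicKey = {key}\nAllowedIPs = {tun}/32\n")
    return "\n".join(sections)


def nft_ruleset_for_wg_node() -> str:
    """nftables forward chain on the WireGuard VM: default drop, then one accept
    per (peer, permitted /24). This is where the role policy is enforced."""
    rules = ["    ct state established,related accept"]
    for name, role, tun, _ in PEERS:
        for env in ROLE_ACCESS[role]:
            rules.append(f'    iifname "{WG_IFACE}" ip saddr {tun} '
                         f"ip daddr {ENVIRONMENTS[env]} accept  # {name}")
    body = "\n".join(rules)
    return ("table inet wg_filter {\n"
            "  chain forward {\n"
            "    type filter hook forward priority 0; policy drop;\n"
            f"{body}\n"
            "  }\n"
            "}\n")


def nft_ruleset_for_backend(env: str) -> str:
    """Input chain for a backend node in `env`: accept its own /24 and the VPN
    VM (assumed to masquerade tunnel traffic); everything else is dropped."""
    own = ENVIRONMENTS[env]
    return ("table inet env_filter {\n"
            "  chain input {\n"
            "    type filter hook input priority 0; policy drop;\n"
            '    iifname "lo" accept\n'
            "    ct state established,related accept\n"
            f"    ip saddr {own} accept\n"
            f"    ip saddr {WG_NODE_VPC_IP} accept\n"
            "  }\n"
            "}\n")


if __name__ == "__main__":
    assert validate_scheme()
    print(wg_server_peers())
    print(nft_ruleset_for_wg_node())
    print(nft_ruleset_for_backend("development"))
```

Running the script prints the `[Peer]` sections for the VPN VM's wg0.conf, the forward-chain ruleset to load on that VM with `nft -f`, and the input-chain ruleset for a development node. Adding a new engineer means adding one line to `PEERS` and regenerating; changing what a role may reach means editing `ROLE_ACCESS`, so the policy lives in one place rather than being hand-edited across nodes.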

