A simple VPN setup to access private resources in AWS

Giuseppe Crinò
2 min read · Jan 31, 2024

If you need to run some tests against private AWS resources (e.g. experimenting with an EKS cluster or a private RDS instance) and still want to reach them from your own machine, it's very cost effective and surprisingly simple (compared to OpenVPN) to run WireGuard on the smallest instance possible.

  • Choose a network space 10.42.0.0/16 and create a VPC
  • Choose three /20 ranges: pri1 (10.42.128.0/20) and pub1 (10.42.0.0/20) as subnets on AWS, and rw1 (10.42.32.0/20) for the VPN clients (carved out of the VPC range, but not an AWS subnet)
  • Computers in pri1 will have no public IP and will route the 0.0.0.0/0 traffic to a NAT Gateway
  • Those in pub1 will have an auto-assigned public IP and will route the 0.0.0.0/0 traffic to an Internet Gateway
  • Those in rw1 will have a TUN interface forwarding packets for anything destined to 10.42.0.0/16
  • Power on an EC2 instance in pub1, ssh to it, and set up WireGuard with something along the lines of this configuration file
[Interface]
Address = 10.42.32.1/20
ListenPort = 51820
PrivateKey = ...

[Peer]
PublicKey = ...
AllowedIPs = 10.42.32.0/20
  • Set up WireGuard on your MacBook using a configuration file like this
[Interface]
Address = 10.42.32.5/20
PrivateKey = ...

[Peer]
PublicKey = ...
AllowedIPs = 10.42.0.0/16
Endpoint = ...:51820
PersistentKeepalive = 25
  • Use sysctl to enable IP forwarding, and make eth0 rewrite the source addresses of IP packets coming from the VPN (otherwise hosts unaware of the VPN won't know how to route the replies): iptables -t nat -A POSTROUTING -s 10.42.32.0/20 -o eth0 -j MASQUERADE
  • Make sure to allow inbound UDP on port 51820 from the Internet. Have fun firewalling whatever is not needed using the related Security Groups
  • Now any packet from your MacBook destined to a private IP in the 10.42.0.0/16 range will be tunnelled through the TUN interface, forwarded by the WireGuard router and finally reach its destination.
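The steps above fit in a small script that checks the address plan for consistency and renders both WireGuard configs plus the two router commands. This is an added example, not code from the post: the network values mirror the ones above, the key strings and the router's public IP are placeholders, and the server-side AllowedIPs defaults to the client's /32 (the post uses the whole 10.42.32.0/20, which also works with a single peer) because WireGuard's cryptokey routing then only accepts packets from that peer carrying that source address.

```python
"""Address-plan checker and WireGuard config renderer for a WireGuard router in an AWS VPC."""
from ipaddress import IPv4Address, IPv4Network

# Constructed constants copied from the post's address plan.
VPC = IPv4Network("10.42.0.0/16")
PRI1 = IPv4Network("10.42.128.0/20")   # private subnet: no public IPs, egress via NAT Gateway
PUB1 = IPv4Network("10.42.0.0/20")     # public subnet: hosts the WireGuard router
RW1 = IPv4Network("10.42.32.0/20")     # VPN client range: inside the VPC CIDR, not an AWS subnet
SERVER_ADDR = IPv4Address("10.42.32.1")
CLIENT_ADDR = IPv4Address("10.42.32.5")
LISTEN_PORT = 51820


def validate_plan(vpc, aws_subnets, vpn_net, server_addr, client_addr):
    """Return a list of problems with the address plan; an empty list means it is consistent."""
    problems = []
    nets = list(aws_subnets) + [vpn_net]
    for net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside the VPC {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    for name, addr in (("server", server_addr), ("client", client_addr)):
        if addr not in vpn_net:
            problems.append(f"{name} address {addr} is outside the VPN range {vpn_net}")
    if server_addr == client_addr:
        problems.append("server and client share an address")
    return problems


def render_server_conf(server_addr, vpn_net, port, server_privkey,
                       client_addr, client_pubkey, client_allowed=None):
    """Config for the EC2 router. The peer's AllowedIPs defaults to its own /32, so packets
    arriving from that peer are dropped unless they carry that source address."""
    if client_allowed is None:
        client_allowed = IPv4Network(f"{client_addr}/32")
    return "\n".join([
        "[Interface]",
        f"Address = {server_addr}/{vpn_net.prefixlen}",
        f"ListenPort = {port}",
        f"PrivateKey = {server_privkey}",
        "",
        "[Peer]",
        f"PublicKey = {client_pubkey}",
        f"AllowedIPs = {client_allowed}",
        "",
    ])


def render_client_conf(client_addr, vpn_net, client_privkey, server_pubkey,
                       endpoint_host, port, routed):
    """Config for the laptop. `routed` lists the prefixes the client sends into the tunnel."""
    return "\n".join([
        "[Interface]",
        f"Address = {client_addr}/{vpn_net.prefixlen}",
        f"PrivateKey = {client_privkey}",
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        "AllowedIPs = " + ", ".join(str(n) for n in routed),
        f"Endpoint = {endpoint_host}:{port}",
        "PersistentKeepalive = 25",   # keeps the NAT mapping open for a laptop behind NAT
        "",
    ])


def render_router_commands(vpn_net, iface="eth0"):
    """Commands for the router: enable forwarding and masquerade VPN sources on the VPC
    interface, so VPC hosts reply to the router's own address and need no route to the VPN range."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A POSTROUTING -s {vpn_net} -o {iface} -j MASQUERADE",
    ]


def goes_through_tunnel(dst, routed):
    """True if the client's cryptokey routing sends a packet for dst into the tunnel."""
    dst = IPv4Address(str(dst))
    return any(dst in net for net in routed)


if __name__ == "__main__":
    problems = validate_plan(VPC, [PRI1, PUB1], RW1, SERVER_ADDR, CLIENT_ADDR)
    print("plan problems:", problems or "none")
    print(render_server_conf(SERVER_ADDR, RW1, LISTEN_PORT, "<SERVER_PRIVATE_KEY>",
                             CLIENT_ADDR, "<CLIENT_PUBLIC_KEY>"))
    print(render_client_conf(CLIENT_ADDR, RW1, "<CLIENT_PRIVATE_KEY>", "<SERVER_PUBLIC_KEY>",
                             "<ROUTER_PUBLIC_IP>", LISTEN_PORT, [VPC]))
    print("\n".join(render_router_commands(RW1)))
```

Run it as-is to print the two configs and the router commands; the checker is the part worth keeping around, since an rw1 range that overlaps a real subnet, or a client address outside rw1, fails silently in practice as traffic that simply never comes back. Generate the real keys with `wg genkey` and `wg pubkey` on each machine and never copy a private key off the host that uses it.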
