How-To run Portainer behind a Wireguard VPN
In this blog post you will learn how to Portainer behind a Wireguard VPN. This will be based on a point-to-point connection between two machines. You can also watch this how-to as a video below.
- A server machine that will either have a fixed IP or a DDNS hostname where Portainer is running
- If the machine running Portainer is running on a cloud-base virtual, access to the network security console in order to be able to open UDP port 51820
- If the machine running Portainer is on-prem, admin access to the operating system in order to be able to open UDP port 51820
- Wireguard installed on the host running Portainer and a second host that will connect via the VPN. Please refer to https://www.wireguard.com/install/ on how to install Wireguard.
Prepare the Portainer machine
- The first step is to generate the wireguard keys for both the main host and the client host that will connect to Portainer via the VPN by running the following:
wg genkey | tee srv.privatekey | wg pubkey > srv.publickey
We will use these on the Portainer host
wg genkey | tee clt.privatekey | wg pubkey > clt.publickey
We will use these on the client host
- After running the key generation commands above you can continue by running the following commands on the host running Portainer. Please make sure to copy&paste the entire code block below:
cat <<EOF> server.conf
# Name: server
Address = 192.168.10.10/24
PrivateKey = $server_priv
ListenPort = 51820
# Name: client
PublicKey = $client_publ
AllowedIPs = 192.168.10.11/32
cat <<EOF> client.conf
# Name: client
PrivateKey = $client_priv
Address = 192.168.10.11/24
# Name: server
PublicKey = $server_publ
EndPoint = [SERVER IP]:51820
AllowedIPs = 192.168.10.10/32, 192.168.10.0/24
PersistentKeepalive = 25
This script will generate two wiregaurd configuration the base files that will be used by the wireguard clients to connect to each other:
- server.conf - make sure to replace [SERVER IP] with the hostname or IP of the host that is running Portainer
- client.conf - there is no need to change anything on this file
The VPN subnet chosen for this example is 192.168.10.0
- On the Portainer host install wireguard according to the linux version you are running. Please following the instructions on the Wireguard documentation page: https://www.wireguard.com/install/
- Move/Copy the server.conf file to the /etc/wireguard folder.
- On the client host move/copy the client.conf file to the same /etc/wireguard folder if it is a linux machine or use the Import option if you are running Wireguard on MacOS or Windows.
Start Wireguard and access Portainer
- On the Portainer host you can start wireguard by running:
wg-quick up server
- On the client host you can start wireguard by running:
wg-quick up clientif it is a linux machine or use the corresponding Activate option on MacOS/Windows clients.
You should be able to ping from the client host the Portainer machine by running
- Finally you can open your browser on the client machine using the following address:
See for yourself, with a demo or free trial
Let us introduce you to a world of fast and easy app deployment, governance, and management in Docker/Swarm and Kubernetes. Join a group demo to see how Portainer Business helps to make Engineering and DevOps teams more accurate and efficient in container management.