| Setting | Value |
|---|---|
| VM | 301 (crc-cdw-vpn-01) |
| IP | 192.168.50.11 |
| VPN Interface | wg0 |
| VPN Address | 10.50.10.1/24 |
| Listen Port | 51820/UDP |
| Public Key | D3TUkyiq/jiY62vNqotmEXQjzju4sjCk5bA7dSueNxw= |
| Config File | /etc/wireguard/wg0.conf |
Server config (/etc/wireguard/wg0.conf):

```ini
[Interface]
Address = 10.50.10.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
```

Two things to keep in mind with these rules: eth0 must be the interface that actually carries 192.168.50.11, and as written the FORWARD rules accept every packet arriving on wg0, so the "no internal lab access" rule further down is not enforced by this file. Add explicit DROP rules for the training VLAN and management network ahead of the wg0 ACCEPT (or restrict the ACCEPT to the engagement subnet), then confirm the order with `iptables -L FORWARD -v -n` after `wg-quick up wg0`.
Client config template (one per peer):

```ini
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = CLIENT_VPN_IP/32
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = D3TUkyiq/jiY62vNqotmEXQjzju4sjCk5bA7dSueNxw=
Endpoint = vpn.cdw.tcecure.com:51820
AllowedIPs = 10.50.10.0/24, CLIENT_SUBNET
PersistentKeepalive = 25
```

The DNS line is optional in this split-tunnel setup: 8.8.8.8 and 1.1.1.1 are outside AllowedIPs, so queries to them leave through the client's normal interface, not the tunnel. Only keep it (pointing at a resolver inside AllowedIPs) if lab-internal names must resolve over the VPN.
| Variable | Description | Example |
|---|---|---|
| CLIENT_PRIVATE_KEY | Client's WireGuard private key (generated per client, never reused) | (generated per client) |
| CLIENT_VPN_IP | VPN address assigned to this client; must match the /32 set on the server peer | 10.50.10.2 |
| CLIENT_SUBNET | Lab-side subnet routed into the tunnel for this client (reached via the VPN server; keep it to the engagement scope only) | 192.168.1.0/24 |
```bash
# On any machine: generate the client keypair (the private key stays with the client)
wg genkey | tee client_private.key | wg pubkey > client_public.key
cat client_private.key # CLIENT_PRIVATE_KEY
cat client_public.key # Needed for server peer config

# On the VPN server: register the peer and persist it to /etc/wireguard/wg0.conf
ssh crc-adm@192.168.50.11
sudo wg set wg0 peer <CLIENT_PUBLIC_KEY> allowed-ips 10.50.10.X/32
sudo wg-quick save wg0
```
Replace template variables and save as cdw.conf:
```ini
[Interface]
PrivateKey = <actual client private key>
Address = 10.50.10.2/32
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = D3TUkyiq/jiY62vNqotmEXQjzju4sjCk5bA7dSueNxw=
Endpoint = vpn.cdw.tcecure.com:51820
AllowedIPs = 10.50.10.0/24, 192.168.X.0/24
PersistentKeepalive = 25
```
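Putting the onboarding steps above into one script for the VPN server, added here as an example and not part of the runbook. It assumes root on crc-cdw-vpn-01 with wg and wg-quick installed, wg0.conf at the path in the table, and the server public key and endpoint from this page; the peer name, CLIENT_SUBNET and the output file name are arguments and hypothetical. It allocates the next free 10.50.10.X address from the existing wg0.conf, registers the peer, persists it, and renders the client's cdw.conf.

```shell
#!/usr/bin/env bash
# Added example (not from the runbook): onboard one WireGuard peer on crc-cdw-vpn-01.
# Assumes root on the VPN VM with wg/wg-quick installed and wg0.conf at WG_CONF.
set -eu

WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
VPN_NET_PREFIX="10.50.10"
SERVER_PUB="D3TUkyiq/jiY62vNqotmEXQjzju4sjCk5bA7dSueNxw="   # from the runbook
ENDPOINT="vpn.cdw.tcecure.com:51820"                        # from the runbook

# Shape check for a.b.c.d/n (prefix 0-32); enough to catch a missing /24 or a typo.
validate_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*) return 1 ;;
        *.*.*.*/[0-9]|*.*.*.*/[12][0-9]|*.*.*.*/3[0-2]) return 0 ;;
        *) return 1 ;;
    esac
}

# Lowest unused host in 10.50.10.0/24: .1 is the server, every /32 already listed
# under a [Peer] AllowedIPs line in the server config is taken.
next_free_ip() {
    conf="$1"
    used=$(grep -E '^[[:space:]]*AllowedIPs' "$conf" | tr ',= \t' '\n\n\n\n' || true)
    n=2
    while [ "$n" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qxF "${VPN_NET_PREFIX}.${n}/32"; then
            echo "${VPN_NET_PREFIX}.${n}"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free host address left in ${VPN_NET_PREFIX}.0/24" >&2
    return 1
}

# Render the client's cdw.conf from the runbook template.
render_client_conf() {
    client_priv="$1"; client_ip="$2"; client_subnet="$3"
    validate_cidr "$client_subnet" || { echo "bad CLIENT_SUBNET: $client_subnet" >&2; return 1; }
    cat <<EOF
[Interface]
PrivateKey = ${client_priv}
Address = ${client_ip}/32
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = ${SERVER_PUB}
Endpoint = ${ENDPOINT}
AllowedIPs = ${VPN_NET_PREFIX}.0/24, ${client_subnet}
PersistentKeepalive = 25
EOF
}

# Live steps: keypair, address, wg set, wg-quick save, client file, verification.
onboard_peer() {
    name="$1"; client_subnet="$2"
    validate_cidr "$client_subnet" || { echo "bad CLIENT_SUBNET: $client_subnet" >&2; return 1; }
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    ip=$(next_free_ip "$WG_CONF")
    # Register on the running interface, then persist: wg-quick save rewrites wg0.conf
    # from the live state and keeps the existing PostUp/PostDown lines.
    wg set wg0 peer "$pub" allowed-ips "${ip}/32"
    wg-quick save wg0
    # The client file holds the private key: owner-only, hand it over out of band,
    # then delete it from the server.
    ( umask 077; render_client_conf "$priv" "$ip" "$client_subnet" > "${name}.conf" )
    wg show wg0 peers | grep -qxF "$pub" || { echo "peer $pub missing after add" >&2; return 1; }
    echo "peer ${name}: ${ip}/32 -> ${pub}, client file ${name}.conf"
}

if [ $# -eq 2 ]; then
    onboard_peer "$1" "$2"
else
    echo "usage: $0 <client-name> <client-subnet-cidr>" >&2
fi
```

Run it as `sudo ./onboard-peer.sh cdw 192.168.1.0/24`; the printed public key and address are what the server now has for that peer, and the generated cdw.conf is what goes to the client.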
Either:
PowerShell script for automated WireGuard deployment via NinjaOne (NinjaOne substitutes CLIENT_PRIVATE_KEY, CLIENT_VPN_IP and CLIENT_SUBNET per device before the script runs):

```powershell
$ErrorActionPreference = 'Stop'

# Download WireGuard
$wgUrl = "https://download.wireguard.com/windows-client/wireguard-installer.exe"
$installer = "$env:TEMP\wireguard-installer.exe"
Invoke-WebRequest -Uri $wgUrl -OutFile $installer

# Refuse to run an installer whose Authenticode signature does not verify
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') { throw "WireGuard installer signature check failed: $($sig.Status)" }

# Install silently
Start-Process -FilePath $installer -ArgumentList "/S" -Wait

# Write config as a plain cdw.conf. The .dpapi suffix is reserved for configs the WireGuard
# GUI has already DPAPI-encrypted; a plaintext file under that name will not load.
# The tunnel service is named after the file, so this tunnel is "cdw".
$configDir = "$env:ProgramFiles\WireGuard\Data\Configurations"
$configPath = "$configDir\cdw.conf"
New-Item -ItemType Directory -Path $configDir -Force | Out-Null
$configContent = @"
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = CLIENT_VPN_IP/32
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = D3TUkyiq/jiY62vNqotmEXQjzju4sjCk5bA7dSueNxw=
Endpoint = vpn.cdw.tcecure.com:51820
AllowedIPs = 10.50.10.0/24, CLIENT_SUBNET
PersistentKeepalive = 25
"@
# UTF-8 without BOM: Out-File -Encoding UTF8 under Windows PowerShell 5.1 prepends a BOM
[System.IO.File]::WriteAllText($configPath, $configContent, [System.Text.UTF8Encoding]::new($false))

# Install and start tunnel service
& "$env:ProgramFiles\WireGuard\wireguard.exe" /installtunnelservice $configPath
Remove-Item -Path $installer -Force
```
| Rule | Description |
|---|---|
| Split tunnel ONLY | Only route CDW/client traffic — never full tunnel |
| Log all activity | Wazuh monitors all CDW network activity |
| No internal lab access | CDW cannot reach training VLAN or management network |
| Disable after engagement | Remove client peer and tunnel immediately post-engagement |
| Never leave tunnels active | All VPN peers must be removed after engagement ends |
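An end-of-engagement audit and teardown script for the VPN VM that backs the last two rules, added here as an example and not part of the runbook. It assumes root on crc-cdw-vpn-01 with wg and wg-quick installed; the `wg show wg0 dump` sample it is checked against is constructed, not captured from the server. The report shows every peer with the age of its last handshake, the active check lists peers that handshook recently, and the teardown removes every peer, persists the change and fails loudly if any peer remains.

```shell
#!/usr/bin/env bash
# Added example (not from the runbook): audit and revoke WireGuard peers on crc-cdw-vpn-01.
# Assumes root on the VPN VM with wg/wg-quick installed.
set -eu

# `wg show wg0 dump` prints the interface line first, then one tab-separated line per peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is a Unix timestamp, 0 if the peer never completed a handshake.
# Both parsers take the current time as an argument so they can be run against saved dumps.

# Every peer with its allowed-ips and handshake age in seconds ("never" if none).
peer_report() {
    awk -v now="$1" -F'\t' 'NR > 1 {
        age = ($5 == 0) ? "never" : now - $5
        print $1, $4, age
    }'
}

# Peers whose last handshake is within max_age seconds. WireGuard re-handshakes about
# every two minutes while traffic flows, so an older handshake means idle, not gone.
active_peers() {
    awk -v now="$1" -v max="$2" -F'\t' 'NR > 1 && $5 != 0 && now - $5 <= max { print $1 }'
}

# Remove one peer from the live interface and from wg0.conf; log it to syslog.
revoke_peer() {
    key="$1"
    wg set wg0 peer "$key" remove
    wg-quick save wg0
    logger -t cdw-vpn "revoked wg0 peer $key"
}

# Post-engagement teardown: no peer may survive, so verify after saving.
revoke_all_peers() {
    for key in $(wg show wg0 peers); do
        wg set wg0 peer "$key" remove
        logger -t cdw-vpn "revoked wg0 peer $key"
    done
    wg-quick save wg0
    if [ -n "$(wg show wg0 peers)" ]; then
        echo "peers still present on wg0 after teardown" >&2
        return 1
    fi
    echo "wg0 has no peers; engagement tunnel closed"
}

case "${1:-}" in
    report)   wg show wg0 dump | peer_report "$(date +%s)" ;;
    active)   wg show wg0 dump | active_peers "$(date +%s)" 180 ;;
    revoke)   revoke_peer "${2:?public key required}" ;;
    teardown) revoke_all_peers ;;
    *)        echo "usage: $0 report|active|revoke <pubkey>|teardown" >&2 ;;
esac
```

Run `sudo ./vpn-peers.sh active` before `teardown` so a peer that is still pushing traffic is noticed (and its Wazuh trail reviewed) rather than silently dropped, and keep the `report` output with the engagement records as evidence that the tunnel was closed.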
| Hostname | Target | Purpose |
|---|---|---|
| vpn.cdw.tcecure.com | Public IP of Dreamwall (108.31.169.90) | WireGuard endpoint |
| crc.guac.02.tcecure.com | 108.31.169.90 | CDW Guacamole UI |
Note: Port 51820/UDP must be forwarded on Dreamwall to VM 301 (192.168.50.11) for VPN to work externally.