Recipe: Office VPN + bastion design

A hardened remote-access architecture using WireGuard, a single bastion host, and zero inbound exposure for internal services.

Topology

[Remote Worker]
    │ WireGuard (UDP 51820)
    ▼
[Bastion Host] ──── [Office LAN]
    │                 ├── 10.0.1.10 (fileserver)
    │                 ├── 10.0.1.20 (build CI)
    │                 └── 10.0.1.30 (monitoring)
    │
    └── No inbound ports except WireGuard

Ingredients

  • WireGuard kernel module on bastion and all office hosts
  • iptables/nftables forwarding rules (bastion → LAN)
  • SSH key-only auth, password auth disabled
  • fail2ban on bastion for SSH brute-force mitigation
  • Unbound DNS resolver on bastion for split-horizon internal zones

Bastion iptables rules

# Enable routing between wg0 and the LAN (persist this in /etc/sysctl.d/ on a real host)
sysctl -w net.ipv4.ip_forward=1

# Default-deny on the forwarding path; only the rules below open it
iptables -P FORWARD DROP

# Forward WireGuard traffic to office LAN, and only replies back into the tunnel
iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -m conntrack \
  --ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT outbound from WG clients (LAN hosts see the bastion's address as source)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Inbound on WAN: WireGuard, replies to the bastion's own outbound connections
# (package updates, Unbound upstream queries), and nothing else
iptables -A INPUT -i eth0 -p udp --dport 51820 -j ACCEPT
iptables -A INPUT -i eth0 -m conntrack \
  --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
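The recipe shows the bastion firewall but not the WireGuard configs that ride on it. The script below is an added example (not part of the original recipe) that renders the two sides; it assumes 10.10.0.0/24 as the tunnel subnet, vpn.example.com as the bastion's public endpoint, and /etc/wireguard/fw.sh as a wrapper that applies and removes the iptables rules above. Key material is left as placeholders. The point it shows is the split tunnel: the client's AllowedIPs covers only the office LAN and the bastion's tunnel address, so a compromised or misconfigured bastion never becomes the worker's default gateway, and the bastion's AllowedIPs pins each peer to a single /32 so one worker cannot spoof another's tunnel address.

```shell
#!/bin/sh
# Added example, not from the original recipe: render the bastion and client
# WireGuard configs for the topology above. Tunnel subnet, endpoint name and
# the fw.sh hook path are assumptions of this example; keys are placeholders.

WG_NET_PREFIX=24
BASTION_WG_IP=10.10.0.1     # bastion's address inside the tunnel (assumed)
OFFICE_LAN=10.0.1.0/24      # office LAN from the topology diagram
WG_PORT=51820               # the only inbound port on the WAN

# Bastion side: listens on the WAN; each peer is pinned to exactly one /32 so
# a worker cannot send traffic with another worker's tunnel address.
# $1 = worker public key, $2 = worker tunnel IP (e.g. 10.10.0.2)
render_bastion_conf() {
    cat <<EOF
[Interface]
Address = ${BASTION_WG_IP}/${WG_NET_PREFIX}
ListenPort = ${WG_PORT}
PrivateKey = <BASTION_PRIVATE_KEY>
# fw.sh (assumed) applies / removes the forwarding, NAT and INPUT rules
PostUp = /etc/wireguard/fw.sh up
PostDown = /etc/wireguard/fw.sh down

[Peer]
# remote worker
PublicKey = $1
AllowedIPs = $2/32
EOF
}

# Client side: split tunnel. Only the office LAN and the bastion's own tunnel
# address are routed through wg0; everything else leaves the worker's machine
# normally. DNS points at the bastion so Unbound serves the internal zones.
# $1 = worker tunnel IP, $2 = bastion public endpoint (hostname or IP)
render_client_conf() {
    cat <<EOF
[Interface]
Address = $1/${WG_NET_PREFIX}
PrivateKey = <CLIENT_PRIVATE_KEY>
DNS = ${BASTION_WG_IP}

[Peer]
PublicKey = <BASTION_PUBLIC_KEY>
Endpoint = $2:${WG_PORT}
AllowedIPs = ${OFFICE_LAN}, ${BASTION_WG_IP}/32
PersistentKeepalive = 25
EOF
}

# Stand-alone run: print the client side for a worker at 10.10.0.2.
render_client_conf 10.10.0.2 vpn.example.com
```

Generate real keys with `wg genkey | tee privatekey | wg pubkey > publickey` on each side and substitute them for the placeholders. Save the client output as /etc/wireguard/office.conf so that `wg-quick up office` in the Verification section picks it up. If a worker's config instead carried `AllowedIPs = 0.0.0.0/0`, all of that worker's traffic would transit the bastion and be NATed out of eth0, which is exactly the exposure this design avoids.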

Verification

  1. Connect from remote worker: wg-quick up office
  2. Ping internal host: ping 10.0.1.10
  3. SSH to bastion: ssh bastion.internal
  4. From bastion, SSH to any LAN host using internal IPs
  5. Run nmap -sS -sU bastion_public_ip: only UDP 51820 open
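Step 5 above is the one check worth repeating after every firewall change, and the last rule in the bastion ruleset is the one most often widened by a later "temporary" SSH exception. The script below is an added example (not part of the recipe) that turns step 5 and the "no inbound ports except WireGuard" claim into two offline checks over captured output: the grepable form of the scan (`nmap -sS -sU -oG - bastion_public_ip`) and the bastion's `iptables-save`. It assumes eth0 is the WAN interface and that 51820/udp is the only permitted listener; the sample scan and ruleset text at the bottom are constructed. One caveat it handles: WireGuard never answers a packet it cannot authenticate, so nmap reports 51820/udp as `open|filtered` rather than `open`, and the check treats either as "exposed".

```shell
#!/bin/sh
# Added example, not part of the original recipe. Two checks over captured
# command output, so they run offline against a saved scan or ruleset.
# Assumptions: eth0 is the WAN interface, the scan was captured with
# `nmap -sS -sU -oG -`, and the only permitted WAN listener is 51820/udp.

# open_ports: print "port/proto" for every port nmap reported as open or
# open|filtered, sorted, one per line. WireGuard is silent to unauthenticated
# packets, so nmap cannot tell it from a filtered port; both states count.
open_ports() {
    printf '%s\n' "$1" | awk '
        /\tPorts: / {
            sub(/^.*\tPorts: /, "")          # keep only the port list ...
            sub(/\t.*$/, "")                 # ... up to the next tab-separated field
            n = split($0, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")      # port/state/proto/owner/service/...
                if (f[2] ~ /^open/) print f[1] "/" f[3]
            }
        }' | sort
}

# exposure_ok: succeed only when the exposed set is exactly the permitted set.
# $1 = grepable nmap output, $2 = permitted list, one "port/proto" per line
exposure_ok() {
    [ "$(open_ports "$1")" = "$2" ]
}

# wan_input_accepts: every INPUT rule in `iptables-save` output that admits
# traffic arriving on the WAN interface.
wan_input_accepts() {
    printf '%s\n' "$1" | grep -E '^-A INPUT -i eth0 .*-j ACCEPT$' || true
}

# wan_accepts_ok: succeed only if each WAN accept is the WireGuard port or the
# conntrack return-traffic rule. Any other accept on eth0 widens the exposure.
wan_accepts_ok() {
    extra=$(wan_input_accepts "$1" \
        | grep -Ev -- '--dport 51820 -j ACCEPT$|--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' \
        || true)
    [ -z "$extra" ]
}

# Constructed sample outputs (not from a real scan or host). 203.0.113.5 is a
# documentation address standing in for bastion_public_ip.
GOOD_SCAN=$(printf 'Host: 203.0.113.5 ()\tStatus: Up\nHost: 203.0.113.5 ()\tPorts: 22/filtered/tcp//ssh///, 51820/open|filtered/udp//wireguard///\tIgnored State: closed (1998)\n')
BAD_SCAN=$(printf 'Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, 51820/open|filtered/udp//wireguard///\tIgnored State: closed (1998)\n')
GOOD_FW=$(printf '%s\n' \
    '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i eth0 -p udp -m udp --dport 51820 -j ACCEPT' \
    '-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
    '-A INPUT -i eth0 -j DROP' 'COMMIT')
# Same ruleset with a "temporary" SSH exception on the WAN, the classic drift.
BAD_FW=$(printf '%s\n' \
    '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i eth0 -p udp -m udp --dport 51820 -j ACCEPT' \
    '-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' \
    '-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
    '-A INPUT -i eth0 -j DROP' 'COMMIT')

main() {
    if exposure_ok "$GOOD_SCAN" "51820/udp"; then echo "scan: only 51820/udp exposed"; else echo "scan: unexpected exposure"; fi
    if wan_accepts_ok "$BAD_FW"; then echo "firewall: WAN accepts as designed"; else echo "firewall: extra WAN accept found"; fi
}
main
```

In practice, replace the constructed samples with `nmap -sS -sU -oG - bastion_public_ip` run from outside the VPN and with `iptables-save` run on the bastion, and wire both checks into whatever runs after a firewall change. The scan check is the external view (what an attacker's scanner sees); the ruleset check is the internal view and catches an extra accept even before anything listens behind it.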