Security - VPN Tunnel Non AWS Environment

Create a bastion server. Requirements:

  1. Currently, this script assumes the host is running the "Ubuntu" distribution of Linux.
  2. Publicly accessible IP
  3. Firewall configured to allow incoming connections from ELT&CDC IPs on ports 51820 and 22.
  4. The private database must be reachable from the bastion server
  5. The database must have a DNS name (we don’t support connections via IP address when using tunneling)
  6. nslookup must be installed
  7. iptables must be installed - it is required to create local port forwarding
  8. ubuntu system user with SSH enabled (key authentication). Please create the ubuntu user if it doesn't exist.
  9. ubuntu user must be allowed to run sudo iptables and sudo wg
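A preflight script for checking the requirements above before running the installation script, as an added example that is not part of the vendor's tooling. It assumes it is run as root on the bastion host, that the DNS name of the database is passed as the first argument, and that iptables and wg live at /usr/sbin/iptables and /usr/bin/wg (adjust if your sudoers rule uses other paths).

```bash
#!/usr/bin/env bash
# Bastion preflight: verifies the requirements list before the tunnel script runs.
# Usage: DB_HOST=db.internal.example.com bash preflight.sh

# Requirement 5: the database target must be a DNS name, not an IPv4/IPv6 literal.
# Returns 0 when the argument looks like an IP literal (i.e. is NOT acceptable).
is_ip_literal() {
  case "$1" in
    *:*) return 0 ;;             # contains ':' -> treat as an IPv6 literal
    *[!0-9.]*) return 1 ;;       # letters or other characters -> a hostname
  esac
  local IFS=.
  set -- $1                      # split on '.' into octets
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Requirement 9: given the output of `sudo -l -U ubuntu`, report whether the
# exact command path appears in a rule (whole-word match, so /usr/bin/w does not
# satisfy a check for /usr/bin/wg).
sudo_rule_allows() {  # $1 = sudo -l output, $2 = command path
  printf '%s\n' "$1" | grep -Fqw -- "$2"
}

preflight() {  # $1 = database DNS name
  local db="$1" rc=0 rules c
  grep -q '^ID=ubuntu' /etc/os-release 2>/dev/null || { echo "FAIL: host is not Ubuntu"; rc=1; }
  for c in nslookup iptables; do   # requirements 6 and 7
    command -v "$c" >/dev/null || { echo "FAIL: $c is not installed"; rc=1; }
  done
  id ubuntu >/dev/null 2>&1 || { echo "FAIL: ubuntu user does not exist"; rc=1; }   # requirement 8
  rules=$(sudo -ln -U ubuntu 2>/dev/null || true)
  for c in /usr/sbin/iptables /usr/bin/wg; do   # assumed paths, see lead-in
    sudo_rule_allows "$rules" "$c" || { echo "FAIL: ubuntu may not run sudo $c"; rc=1; }
  done
  if is_ip_literal "$db"; then
    echo "FAIL: database must be given as a DNS name, not the address $db"; rc=1
  elif ! nslookup "$db" >/dev/null 2>&1; then
    echo "FAIL: $db does not resolve from this host"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: bastion meets the listed requirements"
  return "$rc"
}

# Only run the live checks when a database name was supplied.
if [ -n "${DB_HOST:-}" ]; then preflight "$DB_HOST"; fi
```

The firewall rule for ports 51820 and 22 (requirement 3) and reachability of the database (requirement 4) depend on your network and are not checked here; nslookup succeeding only proves the name resolves.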

Setup tunneling:

  1. Transfer the downloaded installation script .sh file to the tunnel host. We recommend using the scp command.
  2. Change the file permissions to executable, for example, using chmod +x
  3. Execute the script:
    • The script will save an SSH key provided by to complete the setup of the tunnel on our side.
    • It will install the Wireguard library on the host and create a new directory at /etc/wireguard/ to save the tunnel configuration.
    • It will enable port forwarding on the host.
    • It will send an update to with the host's public IP address.
    • It will create and enable a cron job that keeps the tunnel connection open.