When creating the VPN server, prefix the host name with vpn- so the Salt states pick up the correct defaults.

Client (Linux)

Run the salt-minion-setup script to add the server to the KB VPN (it should be in the ~/Private/scripts/src folder):

  • The salt-minion-setup script creates the private and public keys on the client and displays the public key on the screen.

  • These need to be added to the sites/vpn-my.sls pillar file on the Salt master.

  • Apply the states.

  • Restart the interface (wg-quick down wg0 && wg-quick up wg0).


Don’t forget to set up the Wireguard configuration.

Client (Windows)

Download and install Wireguard from https://www.wireguard.com/install/

Log in as an administrator and create a new connection (Add empty tunnel). This will create an ini file with a public and private key.

Copy the public key to your Salt master and configure the pillar for your VPN server, e.g.:

cd /srv/pillar
vim sites/vpn-my.sls

Add the IP address to the dns, zones and vpn sections, e.g.:

      - name: db.my.vpn
          - { name: '',              type: A,    value: }
          - { name: my-test-laptop,  type: A,    value: }

        PublicKey: <public key of your windows workstation>

Apply the salt state…

Back to the Wireguard Windows client…

Add the following to the connection (adjusting to match your network):

[Interface]
Address = 10.10.3.<Free node number>/32

[Peer]
PublicKey = <public key of your VPN server>
AllowedIPs =
Endpoint = vpn-my.hatherleigh.info:51820
PersistentKeepalive = 25

Save and Activate



Connection issues

The PublicKey in the Peer section of the configuration is the public key of the server, not the workstation:

PublicKey = abc123...
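
This mix-up can be checked mechanically: derive the workstation's public key from the [Interface] PrivateKey and compare it with the [Peer] PublicKey. The following is an added example, not part of the original notes; the function names, node number 7 and the RFC 7748 test keys used as sample data are assumptions made for illustration.

```python
import base64
import configparser

P = 2**255 - 19  # Curve25519 field prime

def x25519_public(private: bytes) -> bytes:
    """Public key for a 32-byte private key (RFC 7748 ladder, base point 9).
    Plain integers, not constant time: acceptable for a lint, not a VPN."""
    k = (int.from_bytes(private, "little") & ((1 << 254) - 8)) | (1 << 254)
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:  # conditional swap of the two ladder points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def check_client_config(text: str) -> list[str]:
    """Report a [Peer] PublicKey that is really the workstation's own key."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    own = x25519_public(base64.b64decode(cfg["Interface"]["PrivateKey"]))
    peer = base64.b64decode(cfg["Peer"]["PublicKey"])
    if peer == own:
        return ["[Peer] PublicKey is this workstation's key, not the server's"]
    return []

# Constructed sample: RFC 7748 test keys stand in for workstation and server.
WORKSTATION_PRIV = bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SERVER_PUB = bytes.fromhex(
    "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")

def sample_config(peer_public: bytes) -> str:
    """Build a client config shaped like the one above (node 7 is made up)."""
    b64 = lambda raw: base64.b64encode(raw).decode()
    return (f"[Interface]\nPrivateKey = {b64(WORKSTATION_PRIV)}\n"
            "Address = 10.10.3.7/32\n\n"
            f"[Peer]\nPublicKey = {b64(peer_public)}\n"
            "Endpoint = vpn-my.hatherleigh.info:51820\nPersistentKeepalive = 25\n")

if __name__ == "__main__":
    print(check_client_config(sample_config(SERVER_PUB)))
    print(check_client_config(sample_config(x25519_public(WORKSTATION_PRIV))))
```

Run it against a copy of the client configuration on the workstation itself, since the file contains the private key.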

Unstable connection

Check to make sure you are not using the configuration in two (or more) places!

Malcolm says:

Yes, the VPN configuration file specifies the IP address - so two VPN connections using the same config will constantly break each other.