Building a Lightweight Point-to-Site VPN on OCI Using PiVPN (WireGuard)

 Overview

Remote administrative access to cloud environments is a common requirement. While IPSec VPN and Client VPN services are robust, there are scenarios where teams need a lightweight, quick-to-deploy, and cost-effective Point-to-Site (P2S) VPN solution. OCI currently offers no native client-access VPN service.

In this post, I demonstrate how to build a WireGuard-based P2S VPN on Oracle Cloud Infrastructure (OCI) using PiVPN, an automation-friendly installer that simplifies WireGuard deployment. 

⚠️ This demonstration is implemented in a personal OCI tenancy using test resources.
No customer environments or confidential information are used.

Oracle Products Used

  • Oracle Cloud Infrastructure

  • OCI Compute

  • Virtual Cloud Network (VCN)

  • Subnets

  • Security Lists / Network Security Groups

  • Linux OS (Ubuntu Linux)

 

Why WireGuard + PiVPN?

WireGuard Advantages

  • Modern cryptography

  • High performance, low overhead

  • Simple configuration model

  • Widely adopted in cloud-native environments

Why PiVPN?

  • Automates WireGuard installation

  • Simplifies client profile management

  • Minimal attack surface

  • Ideal for quick P2S setups

This combination is well suited for:

  • Bastion-style admin access

  • Temporary remote access

  • Lab and PoC environments

  • Lightweight enterprise tooling

    High-Level Architecture

    Remote User (Laptop)
            |
            |  WireGuard Tunnel (UDP)
            |
    OCI Compute (WireGuard Server)
            |
            |  Private IP Routing
            |
    OCI VCN Private Subnet

    Prerequisites

    OCI Resources

    • OCI tenancy (Free Tier is sufficient)
    • One VCN with:
      • Public subnet
      • Internet Gateway

    • One Compute instance:
      • Ubuntu Linux
      • Public IP assigned

    Local Machine

    • WireGuard client (Windows / Linux / macOS)
    • VCN already created with public and private subnets


      Internet gateway and NAT gateway created


      I have one VM running in Private Subnet (note that there is no public IP)


      Created new NSG rule for the PiVPN instance (restricted source IP for SSH)

      Created new instance with Ubuntu OS for PiVPN

      Assigned the NSG to the instance vNIC

      Logged into the instance using public IP

      Update the OS and reboot the instance once:
      sudo apt update && sudo apt upgrade -y

      After reconnecting to the instance following the reboot, run the PiVPN installer:
      sudo -s
      curl -L https://install.pivpn.io | bash
      Then follow the on-screen prompts.








      Select the "ubuntu" user





      You can use a custom port for the connection; if you do, update the NSG rule to allow the same port.



      The installer will detect the assigned public IP.








      After the reboot, connect to the instance again and create the first user.



      Now download the configuration file from /home/ubuntu/configs

      Now download the WireGuard client installer from https://www.wireguard.com/install/

      Then import the configuration file, user-1.conf


      Click Activate to establish the connection.

      Once connected to the PiVPN, your laptop's public IP and location will show as those of the PiVPN instance.

      At this point we can connect to the other instance, located in the private subnet, at IP 10.0.20.114.



      Performance & Security Notes

      • WireGuard uses UDP → low latency
      • Minimal CPU overhead
      • Use restricted source CIDRs in security rules
      • Rotate client keys periodically
      • Disable password based SSH login

      Common Issues & Troubleshooting

      Issue                        Resolution
      No handshake                 Check UDP 51820 rule
      No routing                   Verify IP forwarding
      Client connects, no access   Check OCI route tables
      Slow performance             Reduce MTU
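
The checks behind the security notes and the troubleshooting table above, written out as an added example that is not part of the original post. The interface name wg0, the 7-day staleness threshold and the sample peer names are assumptions; each function takes the text it inspects as an argument so it can also be run on captured output.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks for the
# PiVPN host. Interface name wg0 is an assumption.

# "No routing": the kernel must forward packets between the tunnel and the VCN.
# $1 = contents of /proc/sys/net/ipv4/ip_forward
forwarding_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# "No handshake" and key hygiene: print peers that never completed a handshake,
# or whose last handshake is older than max_age seconds.
# $1 = output of `wg show wg0 latest-handshakes`, $2 = now (epoch), $3 = max_age
stale_peers() {
  printf '%s\n' "$1" | awk -v now="$2" -v max="$3" '
    NF == 2 && $2 == 0           { print $1, "never"; next }
    NF == 2 && (now - $2) > max  { printf "%s %ds\n", $1, now - $2 }'
}

# "Disable password based SSH login": inspect the effective sshd settings.
# $1 = output of `sshd -T` (lower-case "keyword value" lines)
ssh_password_login_disabled() {
  printf '%s\n' "$1" | awk '
    $1 == "passwordauthentication"       { pw = $2 }
    $1 == "kbdinteractiveauthentication" { kbd = $2 }
    END { exit !(pw == "no" && kbd != "yes") }'
}

# Constructed sample: three peers with placeholder keys (tab-separated).
SAMPLE_HANDSHAKES=$(printf '%s\t%s\n' \
  peerA-constructed-key= 1700000000 \
  peerB-constructed-key= 0 \
  peerC-constructed-key= 1699000000)

# Run against the live host only when asked (needs root): sudo sh check.sh --live
# The 604800 s (7 days) threshold is an assumption; pick one that fits your users.
if [ "${1:-}" = "--live" ]; then
  forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)" \
    || echo "FAIL: net.ipv4.ip_forward is not 1"
  stale_peers "$(wg show wg0 latest-handshakes)" "$(date +%s)" 604800
  ssh_password_login_disabled "$(sshd -T)" \
    || echo "FAIL: SSH password login is still enabled"
fi
```

Peers reported as "never" or long stale are candidates for removal, which fits the temporary-access use case and the advice to rotate client keys.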


      Lessons Learned

      • PiVPN significantly reduces setup complexity
      • WireGuard is ideal for lightweight P2S use cases
      • OCI networking integrates cleanly with open-source tools
      • Personal tenancy demos are effective and compliant
      • This approach complements, not replaces, IPSec VPN

      Use Cases

      • Secure admin access
      • Temporary contractor VPN
      • Lab environments
      • Emergency access path
      • Low-cost P2S alternative

      Conclusion

      This demonstration shows how Oracle Cloud Infrastructure
      Compute and VCN services can be used to deploy a secure, lightweight P2S
      VPN using WireGuard and PiVPN.

      The solution is fast to deploy, easy to manage, and suitable
      for real-world cloud operations where simplicity and security are equally
      important.



      🔗 About the Author

      Debapriya Biswas
      Oracle ACE Apprentice | Sr. Consultant – Cloud Technologies
      Focused on OCI Networking, Automation, and Hybrid Cloud Architectures
