Network and DNS · Remote Networking · Intermediate · 2-3 hours · Lab build

Creating a WireGuard Jump Host with MFA-Friendly Access Patterns

Create a WireGuard jump host for remote access that keeps internal services private and leaves room for MFA-friendly access patterns.

Last reviewed: 4/30/2026
Topics: WireGuard access patterns; travel gateways and remote entry points
Tags: WireGuard, PAM, SSH, Linux

Expected Outcome

A working WireGuard jump host that provides secure, MFA-enabled access to internal services.

Assumptions

  • Basic knowledge of Linux command line
  • A server with a public IP address
  • Domain name for the server (optional)
  • A second device for MFA (e.g., smartphone with an authenticator app)

Bill of Materials

  • A server running Ubuntu 20.04 or later
  • WireGuard installed on the server
  • PAM (Pluggable Authentication Modules) for MFA
  • An authenticator app (like Google Authenticator or Authy)

Build Steps

  1. Install WireGuard

    Install WireGuard on your server to handle secure VPN connections.

    Changes system state: review before running

    sudo apt update
    sudo apt install wireguard
  2. Configure WireGuard

    Set up the WireGuard configuration file to define the VPN settings.

    Changes system state: review before running

    sudo nano /etc/wireguard/wg0.conf
  3. Enable IP Forwarding

    Allow the server to forward packets between interfaces.

    Changes system state: review before running

    echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p
  4. Set Up Multi-Factor Authentication

    Install the PAM module, then run google-authenticator as the user who will log in over SSH (not as root) to enrol that user's TOTP secret.

    Changes system state: review before running

    sudo apt install libpam-google-authenticator
    google-authenticator
  5. Configure SSH to Use MFA

    Modify the SSH configuration to require MFA for login.

    Changes system state: review before running

    sudo nano /etc/ssh/sshd_config
  6. Restart SSH Service

    Apply the changes made to the SSH configuration.

    Changes system state: review before running

    sudo systemctl restart sshd
  7. Start WireGuard

    Bring up the WireGuard interface to start accepting connections.

    Changes system state: review before running

    sudo wg-quick up wg0
  8. Test the Connection

    Connect to the WireGuard VPN from a client to ensure everything is working.

    Example pattern only. Adjust for your environment before running.

    wg-quick up wg0
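The steps above open wg0.conf and sshd_config without showing what goes into them. The script below is an added example, not part of this guide: it renders a server wg0.conf for step 2 and a matching split-tunnel client config for step 8, and applies the step 5 SSH and PAM changes to whatever file paths you pass it, so you can dry-run the edits on copies before touching /etc. Every concrete value is an assumption: the tunnel subnet 10.8.0.0/24, the internal network 10.10.0.0/24, the LAN-facing interface eth1, the endpoint vpn.example.com:51820, and the *_PLACEHOLDER keys, which you replace with output from wg genkey.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide. Renders the WireGuard configs
# for steps 2 and 8 and applies the step 5 SSH/PAM changes to files given as
# arguments, so everything can be dry-run on copies before touching /etc.
# Real keys:  wg genkey | tee server.key | wg pubkey > server.pub
set -eu

# Step 2: server-side /etc/wireguard/wg0.conf.
# args: server private key, server tunnel address (CIDR), listen port,
#       interface facing the internal network, client public key, client tunnel IP
render_wg_server_conf() {
  cat <<EOF
[Interface]
Address = $2
ListenPort = $3
PrivateKey = $1
# Forward only what arrives over the tunnel towards the internal interface,
# and let replies come back; nothing else is routed.
PostUp = iptables -A FORWARD -i %i -o $4 -j ACCEPT; iptables -A FORWARD -i $4 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o $4 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o $4 -j ACCEPT; iptables -D FORWARD -i $4 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o $4 -j MASQUERADE

[Peer]
# One [Peer] per device. AllowedIPs pins the source address accepted for this
# key, so a compromised laptop cannot impersonate another peer's address.
PublicKey = $5
AllowedIPs = $6/32
EOF
}

# Step 8: client config. args: client private key, client tunnel IP,
#         server public key, server endpoint host:port, internal network (CIDR)
render_wg_client_conf() {
  cat <<EOF
[Interface]
Address = $2/32
PrivateKey = $1

[Peer]
PublicKey = $3
Endpoint = $4
# Split tunnel: only the internal network is routed through the jump host.
AllowedIPs = $5
PersistentKeepalive = 25
EOF
}

# Replace any active or commented definition of an sshd_config keyword.
# args: file, keyword, value
set_sshd_option() {
  tmp=$(mktemp)
  grep -Eiv "^[[:space:]]*#?[[:space:]]*$2[[:space:]]" "$1" > "$tmp" || true
  printf '%s %s\n' "$2" "$3" >> "$tmp"
  cat "$tmp" > "$1" && rm -f "$tmp"   # cat keeps the target's owner and mode
}

# Step 5: require key AND TOTP, never a password.
# args: sshd_config path, /etc/pam.d/sshd path
harden_sshd_for_mfa() {
  set_sshd_option "$1" UsePAM yes
  # Spelled KbdInteractiveAuthentication on OpenSSH 8.7+; the old name stays an alias.
  set_sshd_option "$1" ChallengeResponseAuthentication yes
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" AuthenticationMethods publickey,keyboard-interactive
  # Without this, PAM also prompts for the Unix password after the key.
  sed -i 's/^@include common-auth/#&/' "$2"
  # No nullok: a user without an enrolled TOTP secret is denied, not waved through.
  grep -q '^auth required pam_google_authenticator.so' "$2" \
    || printf 'auth required pam_google_authenticator.so\n' >> "$2"
}

# Validation helper: returns 0 only if both files still say what step 5 requires.
sshd_requires_mfa() {
  if grep -Eqi '^AuthenticationMethods[[:space:]]+publickey,keyboard-interactive' "$1" \
     && grep -Eqi '^PasswordAuthentication[[:space:]]+no' "$1" \
     && grep -q '^auth required pam_google_authenticator.so' "$2" \
     && ! grep -q '^@include common-auth' "$2"; then
    return 0
  fi
  return 1
}
```

Run harden_sshd_for_mfa against copies first, then against /etc/ssh/sshd_config and /etc/pam.d/sshd, and check the result with `sudo sshd -t` before the restart in step 6. Keep your current SSH session open until a second session has proven that key plus TOTP works: with no nullok, any user who has not run google-authenticator is locked out, which is the intended behaviour for a jump host but painful if that user is you.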

Validation

  • Verify that you can connect to the WireGuard VPN.
  • Ensure that SSH connections require MFA.
  • Check that internal services are only accessible through the jump host.
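"Verify that you can connect" is easiest to check from the server side: a peer that is really connected has a recent handshake in `wg show wg0 dump`. The script below is an added example, not from the guide; it reads that dump format and flags peers that have never completed a handshake or whose last one is older than a threshold. The sample dump and its PEER_* keys are constructed for the test; on a live host, pipe the real command into it.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: find configured peers that
# are not actually talking to the jump host, from `wg show wg0 dump` output.
set -eu

# Constructed sample of `wg show wg0 dump` (tab-separated; keys are placeholders).
# Line 1 describes the interface; each following line is one peer:
#   pubkey  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
sample_dump() {
  printf 'SRV_PRIV_PLACEHOLDER\tSRV_PUB_PLACEHOLDER\t51820\toff\n'
  printf 'PEER_A_PUB\t(none)\t203.0.113.10:41234\t10.8.0.2/32\t1700000100\t1234\t5678\t25\n'
  printf 'PEER_B_PUB\t(none)\t(none)\t10.8.0.3/32\t0\t0\t0\toff\n'
}

# Read a dump on stdin; print one line per peer whose latest handshake is
# missing or older than $1 seconds as of epoch time $2. WireGuard re-handshakes
# roughly every two minutes while traffic flows, so 180 s is a sensible limit.
stale_peers() {
  awk -F '\t' -v max="$1" -v now="$2" 'NR > 1 {
    if ($5 == 0) print $1 " never-handshaked (allowed " $4 ")"
    else if (now - $5 > max) print $1 " stale " (now - $5) "s (allowed " $4 ")"
  }'
}

# Live use on the jump host (prints nothing when every peer is healthy):
#   sudo wg show wg0 dump | stale_peers 180 "$(date +%s)"
```

A peer listed as never-handshaked after the client ran `wg-quick up` usually means a key mismatch, a wrong Endpoint, or UDP port 51820 blocked on the way in; a stale peer that was recently active points at a client that went to sleep or lost its connection, which is worth knowing before you start chasing the server configuration.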

Troubleshooting

  • Check service logs before changing the design.
  • Confirm ports, paths, credentials, DNS names, and container names match the guide assumptions.

Cleanup or Rollback

  • Stop test services you no longer need and keep a copy of working configuration before deleting volumes or data directories.

Next Improvements

  • Consider setting up a firewall to restrict access to the jump host.
  • Explore logging and monitoring solutions for your jump host.
  • Look into automating the WireGuard configuration and deployment.