Important Notes for VPN

This section contains important technical notes that must be considered when configuring and using a WireGuard Client VPN, especially for accessing internal networks, scanning applications, and handling multi-VPN scenarios.

1. VPN Deployment and Workspace Limitation

  • The VPN can be configured directly on the application server or on the scanning device, depending on the deployment architecture.
  • Each workspace can use only one VPN configuration at a time.
  • Ensure the WireGuard configuration file is properly managed to avoid conflicts between multiple VPN profiles.

2. Allow IP Address and WireGuard Port

Ensure that the WireGuard Client is allowed to access:

  • The WireGuard Server IP address
  • The WireGuard UDP port (default: 51820, unless customized)

Firewall rules on the client, server, and network perimeter must allow this traffic so that the VPN handshake and tunnel establishment succeed.

3. DNS Configuration Considerations

If you experience issues such as loss of internet connectivity after enabling the VPN, adjust the WireGuard configuration file as follows:

  • Comment out the DNS line so it becomes:
    #DNS = 8.8.8.8, 8.8.4.4
  • Or change the DNS settings to values permitted by your organization

Incorrect DNS settings may cause traffic misrouting or prevent internet and internal network access.

4. Firewall and Antivirus Requirements

Ensure that antivirus and firewall software on your device allow VPN connections.

5. Firewall Access to Internal Subnets

  • Ensure the firewall allows the WireGuard Server IP (e.g., 10.250.0.1) to access all required internal subnets.
  • This is necessary for:
    • Internal application access
    • Cross-subnet communication
    • Network scanning and testing activities

6. Internal VPN and Dual-VPN Scenarios (Scanning Use Case)

If the application you want to scan is accessible only through your organization's internal VPN (for example, a staging or private environment), the following conditions apply:

  • You must connect to the internal VPN to access the application.
  • To perform scanning, you must also enable the scanning VPN (e.g., Helium VPN or WireGuard VPN) on your device.
  • As a result, your device will use two VPN connections simultaneously:
    • Internal VPN: Provides access to the application.
    • Scanning VPN: Creates a secure communication path that allows the scanning platform to perform scans through your device.

As long as both VPN connections are active and do not block each other, the scanning process will function correctly through the VPN tunnel.
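
The DNS adjustment in section 3 and the "do not block each other" condition in section 6 can both be checked on the client file before the tunnel is brought up. The script below is an added example, not part of the original documentation or of any product tooling. It assumes a wg-quick style client file and treats overlapping routes as one way two tunnels can block each other; the sample config, the permitted DNS list (10.0.0.53), and the internal VPN route (172.20.0.0/16) are constructed values.

```python
import ipaddress

# Constructed sample client file; keys and addresses are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.250.0.2/32
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = <server-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.250.0.0/24, 172.16.0.0/12
"""

def parse_conf(text):
    """Return {section: {key: [values]}}; '#' comments are ignored.
    Assumes a single [Peer], as in a typical client file."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            items = [v.strip() for v in value.split(",") if v.strip()]
            section.setdefault(key.strip().lower(), []).extend(items)
    return conf

def check_conf(text, permitted_dns, internal_vpn_routes):
    """Report unpermitted DNS servers, the endpoint to allow through the
    firewall, and AllowedIPs that overlap the internal VPN's routes."""
    conf = parse_conf(text)
    peer = conf.get("peer", {})
    dns = [s for s in conf.get("interface", {}).get("dns", [])
           if s not in permitted_dns]
    host, _, port = peer.get("endpoint", [":0"])[0].rpartition(":")
    routes = [ipaddress.ip_network(r) for r in internal_vpn_routes]
    overlap = [(a, str(r)) for a in peer.get("allowedips", [])
               for r in routes
               if ipaddress.ip_network(a, strict=False).overlaps(r)]
    return {"dns": dns, "endpoint": (host, int(port)), "overlap": overlap}

if __name__ == "__main__":
    report = check_conf(SAMPLE_CONF, {"10.0.0.53"}, ["172.20.0.0/16"])
    for name, value in report.items():
        print(f"{name}: {value}")
```

An empty `dns` list and an empty `overlap` list mean the file passes both checks; the `endpoint` value is the address and UDP port that section 2 says the firewall must allow.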

7. Notes for Scanning and Security Testing

Before performing any scanning or security testing through the WireGuard VPN:

  • Ensure firewall rules on the target system allow traffic from the WireGuard subnet
  • Temporarily disable or adjust antivirus and endpoint protection on the target if required
  • This is especially important for:
    • Port scanning
    • Vulnerability assessment
    • Service enumeration

8. Role and Access Control

Each team member with Full Access permissions is authorized to:

  • Create VPN configurations
  • Connect or disconnect VPNs
  • Stop VPN sessions
  • Modify VPN configuration files

Proper access control helps prevent misconfiguration and unauthorized VPN changes.