Back to DocsBack to Profile

VPN Connection Guide

Connect to the private lab network over WireGuard before opening hosted lab services.

Why VPN

Labs run on private worker networks and are not exposed publicly. The VPN tunnel gives your device a routed path into that isolated environment.

Get Your Config

  1. Open the platform UI.
  2. Open your active lab panel.
  3. Click Download VPN config.
  4. Import that file into your WireGuard client.

Redacted Config Example

ini
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.13.xx.xx/32
DNS = 10.13.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.13.0.0/16
PersistentKeepalive = 25

Operating System Setup

Install WireGuard

  • Download WireGuard for Windows from the official website.
  • Run the installer with admin rights and finish setup.

Import config

  • In WireGuard, click Import tunnel(s) from file.
  • Select the config downloaded from the lab panel (Download VPN config).

Activate tunnel

  • Select your tunnel and click Activate.
  • Keep the client running while accessing labs.

Verify connection

  • Open PowerShell and ping the VPN gateway.
  • If ping works but labs fail, validate AllowedIPs and DNS settings in your tunnel.
bash
ping 10.13.0.1

Troubleshooting tips

  • If handshake never starts, allow outbound/ingress UDP 51820 on local firewall.
  • Sync your Windows clock (time drift can break handshakes).

Verify Connection

After tunnel activation, verify route and transport before opening lab services.

bash
ping 10.13.0.1
  • AllowedIPs decides what traffic is routed inside VPN.
  • DNS controls resolver behavior while tunnel is active.
  • If ping works but app traffic fails, check firewall forwarding rules on the worker.

Troubleshooting

Handshake timeout / no latest handshake

Confirm server endpoint, allow UDP/51820 on both client and server firewalls, and test from another network.

UDP blocked on restricted network

Switch to another network (mobile hotspot/corporate VPN off) and retry tunnel activation.

DNS names do not resolve

Set DNS in tunnel to 10.13.0.1 and verify resolver update tools (for Linux, install resolvconf).

Wrong system clock

Enable NTP/automatic time on client and server; WireGuard handshakes are sensitive to time drift.

Overlapping routes with local VPN/LAN

Inspect route table and disable conflicting VPN adapters; ensure AllowedIPs includes only required ranges.

Linux tunnel up but no DNS

Install resolvconf and bring tunnel down/up again so DNS hooks apply.

Config not saved correctly

Re-download from the lab panel (Download VPN config) and re-import without manual edits.

Permission denied when bringing tunnel up

Run wg-quick with sudo and enforce proper file permissions on /etc/wireguard/*.conf.

Connected to VPN but cannot reach labs

Check that AllowedIPs includes lab ranges and that server allows forwarding from wg0 to Docker networks.

Intermittent disconnects

Keep PersistentKeepalive = 25 and avoid aggressive power-saving policies on network adapters.

FAQ

From the lab panel using Download VPN config.