Back to DocsBack to Profile

VPN Connection Guide

Connect to the private lab and challenge network over WireGuard before opening hosted services.

Why VPN

Labs and instance-backed challenges run on private worker networks and are not exposed publicly. The VPN tunnel gives your device a routed path into that isolated environment.

Get Your Config

  1. Open the platform UI.
  2. Open your active lab or instance-backed challenge panel.
  3. Click Download .conf or Copy to get your WireGuard config.
  4. Import that file into your WireGuard client.

Each started instance generates a unique config. If you start a new lab or challenge, download its config separately.

Redacted Config Example

ini
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.13.xx.xx/32
DNS = 10.13.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.13.0.0/16
PersistentKeepalive = 25

Operating System Setup

Install WireGuard

  • Download WireGuard for Windows from the official website.
  • Run the installer with admin rights and finish setup.

Import config

  • In WireGuard, click Import tunnel(s) from file.
  • Select the config downloaded from the lab or challenge panel (Download .conf).

Activate tunnel

  • Select your tunnel and click Activate.
  • Keep the client running while accessing labs.

Verify connection

  • Open PowerShell and ping the VPN gateway.
  • If ping works but labs fail, validate AllowedIPs and DNS settings in your tunnel.
bash
ping 10.13.0.1

Troubleshooting tips

  • If handshake never starts, allow outbound/ingress UDP 51820 on local firewall.
  • Sync your Windows clock (time drift can break handshakes).

Verify Connection

After tunnel activation, verify route and transport before opening lab services.

bash
ping 10.13.0.1
  • AllowedIPs decides what traffic is routed inside VPN.
  • DNS controls resolver behavior while tunnel is active.
  • If ping works but app traffic fails, check firewall forwarding rules on the worker.

Troubleshooting

Handshake timeout / no latest handshake

Confirm server endpoint, allow UDP/51820 on both client and server firewalls, and test from another network.

UDP blocked on restricted network

Switch to another network (mobile hotspot/corporate VPN off) and retry tunnel activation.

DNS names do not resolve

Set DNS in tunnel to 10.13.0.1 and verify resolver update tools (for Linux, install resolvconf).

Wrong system clock

Enable NTP/automatic time on client and server; WireGuard handshakes are sensitive to time drift.

Overlapping routes with local VPN/LAN

Inspect route table and disable conflicting VPN adapters; ensure AllowedIPs includes only required ranges.

Linux tunnel up but no DNS

Install resolvconf and bring tunnel down/up again so DNS hooks apply.

Config not saved correctly

Re-download from the lab or challenge panel (Download .conf) and re-import without manual edits.

Permission denied when bringing tunnel up

Run wg-quick with sudo and enforce proper file permissions on /etc/wireguard/*.conf.

Connected to VPN but cannot reach labs

Check that AllowedIPs includes lab ranges and that server allows forwarding from wg0 to Docker networks.

Intermittent disconnects

Keep PersistentKeepalive = 25 and avoid aggressive power-saving policies on network adapters.

FAQ

From the active instance panel on any lab or instance-backed challenge page — click Download .conf.