WireGuard: fast, modern, secure VPN tunnel

Install on Ubuntu 18.04:

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard

Create keys

Create the key pair for the server in /etc/wireguard:

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Forward traffic

To use this box as a jumpbox to the LAN, enable IP forwarding:

sysctl -w net.ipv4.ip_forward=1

To survive reboots, create /etc/sysctl.d/50-forward.conf:

net.ipv4.ip_forward = 1

Create the configuration file /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = contents_of_private_key

When using the box to forward traffic to LAN, add to the [Interface] section in wg0.conf:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Make sure to replace eth0 with the appropriate network adapter.

Add “peers” (clients)

Have each client generate its own key pair and share only its public key with you.

Assign an IP to each client within the range you defined for the server (e.g. 10.0.0.1/24 in this example), and add a [Peer] section per client to wg0.conf:

[Peer]
PublicKey = public_key_generated_on_client
AllowedIPs = 10.0.0.2/32
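A small server-side config linter, added here as an example (it is not part of the original post or of the WireGuard project), that checks the points above: it reads wg0.conf itself, because [Peer] repeats and configparser cannot handle that, and flags AllowedIPs entries that overlap another peer, cover the server's own address, or reach outside the tunnel subnet. The sample config and its placeholder keys are constructed.

```python
"""Lint a wg-quick server config: every AllowedIPs entry is both a route and an ACL."""
import ipaddress

# Constructed sample wg0.conf (keys are placeholders) with deliberate mistakes in peer 2:
# it reuses peer 1's address, claims the server's own IP, and adds a LAN prefix.
SAMPLE_CONF = """[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <contents of /etc/wireguard/privatekey>

[Peer]
PublicKey = <client 1 public key>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <client 2 public key>
AllowedIPs = 10.0.0.2/32, 10.0.0.1/32, 192.168.1.0/24
"""


def parse_wg_conf(text):
    """Minimal INI reader: [Peer] repeats, so configparser cannot be used as-is."""
    interface, peers, section = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            section = interface
        elif line.lower() == "[peer]":
            peers.append(section := {})
        elif "=" in line:
            key, _, value = line.partition("=")
            section[key.strip().lower()] = value.strip()
    return interface, peers


def check_wg_conf(text):
    """Return (severity, message) findings for a server-side wg0.conf."""
    iface, peers = parse_wg_conf(text)
    server = ipaddress.ip_interface(iface["address"])
    findings, claimed = [], {}
    for n, peer in enumerate(peers, 1):
        for cidr in filter(None, peer.get("allowedips", "").replace(" ", "").split(",")):
            net = ipaddress.ip_network(cidr)
            if server.ip in net:
                findings.append(("error", f"peer {n}: {net} includes the server's own address"))
            elif not net.subnet_of(server.network):
                findings.append(("warn", f"peer {n}: {net} routes non-tunnel traffic to this peer"))
            for other, owner in claimed.items():  # wg gives each IP to one peer; a later overlap silently takes it
                if owner != n and net.overlaps(other):
                    findings.append(("error", f"peer {n}: {net} overlaps peer {owner}'s {other}"))
            claimed[net] = n
    return findings
```

Run `check_wg_conf(SAMPLE_CONF)` to see the three findings for peer 2; an empty list means the config passes these checks.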

Enable service

systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0

DNS

When you use WireGuard as a jumpbox to reach resources that are not public (e.g. inside an AWS VPC), you may need the DNS resolver of the private network, for example to reach resources in an AWS VPC by their DNS names.

Install the unbound DNS server on the WireGuard jumpbox:

sudo apt-get install unbound

Configure unbound to forward resolution of amazonaws.com names to the VPC DNS resolver. Create a file amazonaws.conf in /etc/unbound/unbound.conf.d:

server:
    interface: 10.0.0.1
    access-control: 0.0.0.0/0 allow

forward-zone:
    name: amazonaws.com
    forward-addr: 169.254.169.253

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 4.4.4.4

With this configuration unbound listens only on the wg0 address (10.0.0.1), so only VPN clients can query it, and it forwards everything except *.amazonaws.com to the upstream resolvers listed (8.8.8.8 and 4.4.4.4).

Now, in the WireGuard configuration on your local machine, add the following to the [Interface] section so the client uses unbound as its DNS resolver while connected to the VPN:

[Interface]
DNS = 10.0.0.1
