From f88be1322257c9f8a670063b5ee3dc1ad89f12a3 Mon Sep 17 00:00:00 2001
From: gar
Date: Wed, 24 Nov 2021 11:11:17 -0800
Subject: [PATCH] Adding wireguard docs

---
 docs/wireguard/README.md | 153 +++++++++++++++++++++++++++
 docs/wireguard/client-wg-config.conf | 18 ++++
 docs/wireguard/server-wg-config.conf | 10 ++
 3 files changed, 181 insertions(+)
 create mode 100644 docs/wireguard/README.md
 create mode 100644 docs/wireguard/client-wg-config.conf
 create mode 100644 docs/wireguard/server-wg-config.conf

diff --git a/docs/wireguard/README.md b/docs/wireguard/README.md
new file mode 100644
index 000000000..afd279e6d
--- /dev/null
+++ b/docs/wireguard/README.md
@@ -0,0 +1,153 @@
+# Wireguard VPN
+
+Main setup guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
+
+**ToC**
+- [Wireguard VPN](#wireguard-vpn)
+ * [New user setup](#new-user-setup)
+ + [Install the wireguard client](#install-the-wireguard-client)
+ + [Generate your private and public keys](#generate-your-private-and-public-keys)
+ - [Linux](#linux)
+ - [OSX](#osx)
+ + [Give the public key to your VPN administrator](#give-the-public-key-to-your-vpn-administrator)
+ + [Linux](#linux-1)
+ - [Connect to the tunnel](#connect-to-the-tunnel)
+ + [OSX](#osx-1)
+ * [VPN Administrator](#vpn-administrator)
+ + [What to do when someone gives you a public key](#what-to-do-when-someone-gives-you-a-public-key)
+ * [WireGuard Server info](#wireguard-server-info)
+ * [Adding a peer on the Wireguard VPN server](#adding-a-peer-on-the-wireguard-vpn-server)
+ * [Removing a peer](#removing-a-peer)
+ * [User table](#user-table)
+
+Table of contents generated with markdown-toc
+
+
+## New user setup
+
+### Install the wireguard client
+
+https://www.wireguard.com/install/
+
+### Generate your private and public keys
+
+#### Linux
+
+Private keys:
+```
+wg genkey | sudo tee /etc/wireguard/private.key
+```
+
+Public keys:
+```
+sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
+```
+
+#### OSX
+https://serversideup.net/how-to-configure-a-wireguard-macos-client/
+
+The `Add an empty tunnel` step will help you to generate your public and private keys
+
+
+### Give the public key to your VPN administrator
+The public key string is not a secret and can be passed around freely via Slack or email.
+
+Give this public key to your VPN administrator.
+
+You should never pass around your private key.
+
+
+### Linux
+Use the file in the same directory as this `README.md` named `client-wg-config.conf`.
+
+Put the content of that config file into your local computer at: `/etc/wireguard/wg0.conf`
+
+Replace the `` with your own private key.
+
+#### Connect to the tunnel
+
+```
+sudo wg-quick up wg0
+```
+
+Check your local routes:
+```
+ip route
+```
+
+Check the wireguard status:
+```
+sudo wg
+```
+
+Turn off the VPN:
+```
+sudo wg-quick down wg0
+```
+
+### OSX
+
+Follow the directions in this guide: https://serversideup.net/how-to-configure-a-wireguard-macos-client/
+
+Use the file in the same directory as this `README.md` named `client-wg-config.conf`. This will be your
+config.
+
+Replace the `` with your own private key.
+
+
+
+## VPN Administrator
+
+### What to do when someone gives you a public key
+This means someones wants to connect to this Wireguard VPN.
+
+The following steps will get them setup.
+
+## WireGuard Server info
+
+* Location: 641669687490 (production AWS account)
+* AWS Region: us-east-1
+
+How to access it:
+* The ssh port is not enabled on the machine
+* You have to use AWS SSM to access the machine
+* GUI
+ * Log into the AWS production account via the web gui
+ * Navigate to: AWS System Manager -> Node Management -> Session Manager
+ * Click on "Start Session"
+ * Click on the radio button for node `i-02bb2da37071c6c04`
+ * Click on "Start Session"
+ * A new tab will open up with a web terminal
+
+
+VPN CIDR: 10.2.200.0/24
+
+## Adding a peer on the Wireguard VPN server
+Run on the Wireguard server.
+
+You will use that public key to add the user in:
+```
+sudo wg set wg0 peer allowed-ips 10.2.200.1
+```
+
+Check the status:
+```
+sudo wg
+```
+
+## Removing a peer
+
+```
+sudo wg set wg0 peer remove
+```
+
+## User table
+| User | Assigned IP | Add command |
+|----------------|----------------|----------------------------------------------------------------------------------------------|
+| garland | 10.2.200.1/24 | sudo wg set wg0 peer OnA5n39plVMsap8MkADWgr0RPL0LCbzVFb4gLwSnGTQ= allowed-ips 10.2.200.1 |
+| | | |
+| | | |
+
+* Each user **MUST** have a unique "Assigned IP". The easiest way is to increment the last octet by 1.
+* Then run the "Add command" on the Wireguard server
+* Add each user to this table for record keeping and also used to decommision a user
diff --git a/docs/wireguard/client-wg-config.conf b/docs/wireguard/client-wg-config.conf
new file mode 100644
index 000000000..833c5bb6b
--- /dev/null
+++ b/docs/wireguard/client-wg-config.conf
@@ -0,0 +1,18 @@
+[Interface]
+PrivateKey =
+Address = 10.2.200.1/24
+DNS = 10.2.0.2
+
+# The wireguard server
+[Peer]
+# The wireguards server's public key
+PublicKey = 5kK5yQBhcbzwPWmbPXLAChO5h3jvlVsA0QSNPS5XLzA=
+
+# Send only traffic destined for the network
+#AllowedIPs = 10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16
+
+# Send all local traffic through the VPN
+AllowedIPs = 0.0.0.0/0
+
+# The wireguard endpoint
+Endpoint = 3.237.75.177:51820
diff --git a/docs/wireguard/server-wg-config.conf b/docs/wireguard/server-wg-config.conf
new file mode 100644
index 000000000..4c0bfd003
--- /dev/null
+++ b/docs/wireguard/server-wg-config.conf
@@ -0,0 +1,10 @@
+[Interface]
+PrivateKey =
+Address = 10.2.200.0/24
+ListenPort = 51820
+SaveConfig = true
+
+PostUp = ufw route allow in on wg0 out on eth0
+PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+PreDown = ufw route delete allow in on wg0 out on eth0
+PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
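Review bot: `Address = 10.2.200.1/24` in this client template is the exact address the README's user table already assigns to `garland`, and the README insists every user has a unique assigned IP, so anyone who copies the template verbatim collides with that peer. Turn it into a labelled placeholder, e.g. `# Use the Assigned IP from the README user table; 10.2.200.1 is already taken` followed by `Address = <ASSIGNED_IP>/24`. `PrivateKey =` is left blank with no marker that it must be filled in (the README's "Replace the … with your own private key" step appears to have lost its placeholder text in rendering), so a comment such as `# Paste the output of 'wg genkey' here; never share this value` above it would make the intent explicit. Also note that `AllowedIPs = 0.0.0.0/0` captures IPv4 only; if "send all local traffic through the VPN" is meant literally, IPv6 traffic on a dual-stack host bypasses the tunnel unless `::/0` is added (which in turn needs IPv6 addressing on the tunnel), so either add it or reword the comment to say IPv4.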
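Review bot: `Address = 10.2.200.0/24` gives the server the network address of its own /24 while the README hands `10.2.200.1` to the first client; the linked DigitalOcean guide and most WireGuard deployments put the server at `.1` and start clients at `.2`, and some client stacks will not route to a `.0` host, so confirm this is deliberate or change it to `Address = 10.2.200.1/24` and renumber the user table. `SaveConfig = true` means the `wg set wg0 peer …` commands in the README are only written back to this file when the interface is brought down cleanly (`wg-quick down wg0`) or saved explicitly (`wg-quick save wg0`); a reboot or crash before that drops every peer added since the last save, and the rewrite also discards the comments in this file. A comment above that line, e.g. `# Runtime 'wg set' changes persist only via wg-quick down/save; run 'wg-quick save wg0' after each peer change`, would keep the admin procedure in the README safe. The interface name `eth0` is hard-coded in all four PostUp/PreDown lines; check it against `ip route show default` on the instance, because a mismatched name does not error but leaves the MASQUERADE rule matching nothing, so full-tunnel clients lose Internet access with no obvious cause.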