Commit f9b5b5df authored by JackV's avatar JackV

Add wireguard section

parent 79f8583e
Pipeline #557 passed with stage
in 1 minute and 23 seconds
......@@ -201,7 +201,7 @@ body {
.reveal pre {
display: block;
position: relative;
width: 90%;
//width: 90%;
min-width: 40em;
margin: 20px auto;
text-align: left;
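Review bot: `//width: 90%;` in the `.reveal pre` block is not a valid CSS comment; CSS only has `/* ... */`. A browser treats the line as a malformed declaration and drops it up to the next `;`, so the old width disappears by accident rather than by intent, and a CSS linter or preprocessor will flag it. Either delete the line outright or write `/* width: 90%; */` if the previous value is meant to stay as a reminder.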
......@@ -410,4 +410,4 @@ body {
.reveal code.input.root::before, .reveal pre.input.root > code::before {
content: "#";
}
\ No newline at end of file
}
......@@ -48,6 +48,94 @@ all these topics can come together
---
### What is a VPN?
A VPN is a piece of software that allows us to access a **Network**
that is not publicly available (**Private**) and which we have
no physical connection to (**Virtual**)
---
### Wireguard
Project started in 2016 to replace OpenVPN, in terms
of security and ease of configuration
Strong Points:
* Minimal codebase, ~40000 loc (originally 4000) vs 600000 for OpenVPN
* Minimal configuration
* Fail-open behavior, if misconfigured no packets are routed
---
### Step 1: Generating a key pair
```bash
wg genkey > privatekey
cat privatekey | wg pubkey > publickey
```
This needs to be done for every __host__ that wants to join the vpn
---
### Write server configuration
```
[Interface]
Address = 192.168.10.1/24
ListenPort = 51820
PrivateKey = kIbuAUUbNZeC18onuKDtUui2Oa+l4/RrsU/sjcVKgmU=
PostUp = nft add rule ip filter FORWARD iifname %i counter accept
PostUp = nft add rule ip nat POSTROUTING oifname eth0 counter masquerade
PostDown = nft del rule ip filter FORWARD iifname %i counter accept
PostDown = nft del rule ip nat POSTROUTING oifname eth0 counter masquerade
[Peer]
PublicKey = yL4ajtwU9a2zP9vyVa5hdB5cSl/deLXv0Ldck1Y/FSU=
AllowedIPs = 192.168.10.2/32
```
---
### Write client configuration
```
[Interface]
Address = 192.168.10.2/24
PrivateKey = CCSq5ngQcIGjKS3qu5woC7tYVQM2zJhJVR4jQ9xrXUY=
DNS = 192.168.10.1
[Peer]
PublicKey = xopK6ZfGT0CAS8g8SXmEZf4Ppp3al5XkDJPCYl5Z8So=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server public ip>:51820
```
---
```
wg-quick server.conf
```
```
wg-quick client.conf
```
---
# Done!
---
## Well not so fast
Due to the fail-open nature, it is sometimes difficult to debug
Some debugging techniques are shown in the previous sections.
The linked slides offer a more in-depth explaination of the
configuration that might help to debug problems.
----
# Ansible
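Review bot: `wg-quick server.conf` and `wg-quick client.conf` on the two run slides are missing the subcommand; wg-quick needs `up` or `down`, so they should read `wg-quick up server.conf` and `wg-quick up client.conf`. In the server configuration the two `PostDown = nft del rule ...` lines will not work as written, because nft deletes a rule only by its handle (`nft delete rule ip filter FORWARD handle <n>`), not by repeating the rule expression; the `PostUp` lines also assume an `ip filter` table with a `FORWARD` chain that nothing in this hunk creates, and nothing here enables IPv4 forwarding (`net.ipv4.ip_forward=1`), without which the masquerade rule has no traffic to match. The `PrivateKey` values in both configurations look like real keys committed to the repository; the client slide already uses `<server public ip>` as a placeholder, so use `<server private key>` and `<client private key>` the same way, and regenerate the keys if they were ever used on a live host. Lastly, "Fail-open behavior, if misconfigured no packets are routed" describes fail-closed behaviour in the usual sense of the term; "fails closed" or "fails silently" would match the description that follows it.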