Add wireguard section

f9b5b5df · JackV · 79f8583e · f9b5b5df · f9b5b5df
Commit f9b5b5df authored Apr 21, 2020 by JackV
--- a/poul/css/poul.css
+++ b/poul/css/poul.css
@@ -201,7 +201,7 @@ body {
 .reveal pre {
    display: block;
    position: relative;
-    width: 90%;
+    //width: 90%;
    min-width: 40em;
    margin: 20px auto;
    text-align: left;
@@ -410,4 +410,4 @@ body {

 .reveal code.input.root::before, .reveal pre.input.root > code::before {
    content: "#";
-}
\ No newline at end of file
+}
--- a/slides/content.md
+++ b/slides/content.md
@@ -48,6 +48,94 @@ all these topics can come together

 ---

+### What is a VPN?
+
+A VPN is a piece of software that allows us to access a **Network**
+that is not publicly available (**Private**) and which we have
+no physical connection to (**Virtual**)
+
+---
+
+### Wireguard
+
+Project started in 2016 to replace OpenVPN, in terms
+of security and ease of configuration
+
+Strong Points:
+* Minimal codebase, ~40000 loc (originally 4000) vs 600000 for OpenVPN
+* Minimal configuration
+* Fail-open behavior, if misconfigured no packets are routed
+
+---
+
+### Step 1: Generating a key pair
+
+```bash
+wg genkey > privatekey
+cat privatekey | wg pubkey > publickey
+```
+
+This needs to be done for every __host__ that wants to join the vpn
+
+---
+
+### Write server configuration
+
+```
+[Interface]
+Address = 192.168.10.1/24
+ListenPort = 51820
+PrivateKey = kIbuAUUbNZeC18onuKDtUui2Oa+l4/RrsU/sjcVKgmU=
+
+PostUp = nft add rule ip filter FORWARD iifname %i counter accept
+PostUp = nft add rule ip nat POSTROUTING oifname eth0 counter masquerade
+PostDown = nft del rule ip filter FORWARD iifname %i counter accept
+PostDown = nft del rule ip nat POSTROUTING oifname eth0 counter masquerade
+
+[Peer]
+PublicKey = yL4ajtwU9a2zP9vyVa5hdB5cSl/deLXv0Ldck1Y/FSU=
+AllowedIPs = 192.168.10.2/32
+```
+
+---
+
+### Write client configuration
+
+```
+[Interface]
+Address = 192.168.10.2/24
+PrivateKey = CCSq5ngQcIGjKS3qu5woC7tYVQM2zJhJVR4jQ9xrXUY=
+DNS = 192.168.10.1
+
+[Peer]
+PublicKey = xopK6ZfGT0CAS8g8SXmEZf4Ppp3al5XkDJPCYl5Z8So=
+AllowedIPs = 0.0.0.0/0, ::/0
+Endpoint = <server public ip>:51820
+```
+
+---
+
+```
+wg-quick server.conf
+```
+
+```
+wg-quick client.conf
+```
+
+---
+
+# Done!
+
+---
+
+## Well not so fast
+
+Due to the fail-open nature, it is sometimes difficult to debug
+Some debugging techniques are shown in the previous sections.
+The linked slides offer a more in-depth explaination of the
+configuration that might help to debug problems.
+
 ----

 # Ansible