From fcd2565b47a41aa04d223e1cc3fc32221f12d595 Mon Sep 17 00:00:00 2001
From: Ubuntu
Date: Sun, 13 Nov 2022 18:58:46 +0000
Subject: [PATCH] wireguard: instructions for setting up proxy

---
 wireguard/README.md | 29 +++++++++++++++++++++++++++++
 wireguard/wg0-proxy.conf | 33 +++++++++++++++++++++++++++++++++
 wireguard/wg0-server.conf | 28 ++++++++++++++++++++++++++++
 3 files changed, 90 insertions(+)
 create mode 100644 wireguard/README.md
 create mode 100644 wireguard/wg0-proxy.conf
 create mode 100644 wireguard/wg0-server.conf

diff --git a/wireguard/README.md b/wireguard/README.md
new file mode 100644
index 0000000..cdabf97
--- /dev/null
+++ b/wireguard/README.md
@@ -0,0 +1,29 @@
+# Wireguard proxy setup
+
+This is for a server that is inside of a firewall or behind a NAT gateway
+that doesn't have a static IP address. A cheap $6/month DigitalOcean droplet
+can be created that will route *all* internet traffic to the server, allowing
+it to change IP.
+
+* On both proxy and the server:
+
+```
+sudo apt install wireguard-tools net-tools
+wg genkey \
+| sudo tee /etc/wireguard/wg0.key \
+| wg pubkey \
+| sudo tee /etc/wireguard/wg0.pub
+sudo chmod -R go-rwx /etc/wireguard
+```
+
+* Copy `wireguard/wg0-proxy.conf` to `/etc/wireguard/wg0.conf` on the proxy
+* On the **proxy** edit `/etc/wireguard/wg0.conf`:
+ * Change `${SERVER_PUBKEY}` to the public key that was output on the server
+
+* Copy `wireguard/wg0-server.conf` to `/etc/wireguard/wg0.conf` on the server.
+* On the **server** edit `/etc/wireguard/wg0.conf`:
+ * Change `${PROXY_IP}` to the public IP address of the proxy (two places)
+ * Change `${PROXY_PUBKEY}` to the public key output on the proxy (two places)
+ * Change `${SERVER_GW}` to the gateway address used to reach the internet from the server
+
+* On both machines run `sudo wg-quick up /etc/wireguard/wg0.conf`
diff --git a/wireguard/wg0-proxy.conf b/wireguard/wg0-proxy.conf
new file mode 100644
index 0000000..e7bdbc5
--- /dev/null
+++ b/wireguard/wg0-proxy.conf
@@ -0,0 +1,33 @@
+[Interface]
+Address = 192.168.4.1/24
+ListenPort = 51820
+
+PostUp = wg set %i private-key /etc/wireguard/%i.key
+
+# Enable IP masquerading for the remote host
+PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
+PostUp = iptables -A FORWARD -i %i -j ACCEPT
+PostUp = iptables -A FORWARD -o %i -j ACCEPT
+PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+# accept the wireguard connection
+PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp --dport 51820 -j ACCEPT
+
+# redirect ssh to port 23
+PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 23 -j REDIRECT --to-port 22
+
+# redirect *all* traffic to the wg tunnel
+PostUp = iptables -t nat -A PREROUTING -i eth0 -p all -j DNAT --to-destination 192.168.4.2
+
+# Tear down the proxy
+PostDown = iptables -D FORWARD -i %i -j ACCEPT
+PostDown = iptables -D FORWARD -o %i -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp --dport 51820 -j ACCEPT
+PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 23 -j REDIRECT -to-port 22
+PostDown = iptables -t nat -D PREROUTING -i eth0 -p all -j DNAT --to-destination 192.168.4.2
+
+[Peer]
+PublicKey = ${SERVER_PUBKEY}
+AllowedIPs = 192.168.4.2/32
diff --git a/wireguard/wg0-server.conf b/wireguard/wg0-server.conf
new file mode 100644
index 0000000..9e65fba
--- /dev/null
+++ b/wireguard/wg0-server.conf
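Review bot: The PostDown for the ssh redirect uses `-to-port 22` (single dash) while the matching PostUp uses `--to-port 22`, so the delete does not describe the rule that was added and the REDIRECT stays in the nat PREROUTING chain after `wg-quick down`; it should read `PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 23 -j REDIRECT --to-port 22`. In the same spirit, `echo 1 > /proc/sys/net/ipv4/ip_forward` in PostUp has no PostDown counterpart, so teardown leaves forwarding enabled on the droplet; `PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward` would make it symmetric if nothing else on the host depends on forwarding. Because the `-p all` DNAT together with the unconditional FORWARD accepts hands every inbound port on eth0 (other than 51820 and 23) to 192.168.4.2, a comment above the DNAT line such as `# NOTE: the server behind the tunnel is reachable on every port; it must run its own host firewall` would tell the next reader where filtering is expected to happen.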
@@ -0,0 +1,28 @@
+# wg0-server.conf
+#
+# This is the configuration for the server hidden behind the wireguard proxy.
+# It routes all internet traffic via the proxy, with the exception of traffic
+# to the proxy itself. It is still accessible on the local network.
+#
+# When moving this to a new machine:
+# * Update the PostUp route so that the proxy address has an explicit route via the local gateway
+# * Update the PownDown to delete the explicit route and restore the default gw
+# * Update the Peer PublicKey and Endpoint with the proxy key and address
+#
+[Interface]
+PostUp = wg set %i private-key /etc/wireguard/%i.key
+Address = 192.168.4.2/24
+
+# Delete the default gateway and add an explicit route for the wireguard tunnel
+PostUp = route add ${PROXY_IP} gw ${SERVER_GW} || echo "wrong route"
+PostUp = route del default || echo "no default"
+PostUp = route add default gw 192.168.4.1
+
+PostDown = route del ${PROXY_IP}
+PostDown = route add default gw ${SERVER_GW}
+
+[Peer]
+PublicKey = ${PROXY_PUBKEY}
+Endpoint = ${PROXY_IP}:51820
+AllowedIPs = 0.0.0.0/0
+PersistentKeepalive = 25
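Review bot: The manual default-route swap in PostUp (`route del default` followed by `route add default gw 192.168.4.1`) overlaps with what wg-quick already does for a peer whose `AllowedIPs = 0.0.0.0/0`: with the default `Table = auto` it installs its own catch-all route in a separate table plus a policy rule keyed on the tunnel's fwmark, which is also what keeps the encapsulated packets to ${PROXY_IP} out of the tunnel. Either drop the three route PostUp lines and the two PostDown lines and let wg-quick own routing, or add `Table = off` under `[Interface]` so only the hand-written routes apply; running both mechanisms at once makes the effective route table hard to reason about on a new machine. If the manual route stays, the `|| echo "wrong route"` fallback deserves a second look, since with `Table = off` a failed proxy route is precisely the case where proxy-bound packets would be sent into the tunnel and the config would still report success. The header comment also has a typo, `PownDown` should read `PostDown`.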