wireguard: instructions for setting up proxy

wireguard/README.md

@@ -0,0 +1,29 @@
+# Wireguard proxy setup
+
+This is for a server that is inside of a firewall or behind a NAT gateway
+that doesn't have a static IP address.  A cheap $6/month DigitalOcean droplet
+can be created that will route *all* internet traffic to the server, allowing
+it to change IP.
+
+* On both proxy and the server:
+
+```
+sudo apt install wireguard-tools net-tools
+wg genkey \
+| sudo tee /etc/wireguard/wg0.key \
+| wg pubkey \
+| sudo tee /etc/wireguard/wg0.pub
+sudo chmod -R go-rwx /etc/wireguard
+```
+
+* Copy `wireguard/wg0-proxy.conf` to `/etc/wireguard/wg0.conf` on the proxy
+* On the **proxy** edit `/etc/wireguard/wg0.conf`:
+  * Change `${SERVER_PUBKEY}` to the public key that was output on the server
+
+* Copy `wireguard/wg0-server.conf` to `/etc/wireguard/wg0.conf` on the server.
+* On the **server** edit `/etc/wireguard/wg0.conf`:
+  * Change `${PROXY_IP}` to the public IP address of the proxy (two places)
+  * Change `${PROXY_PUBKEY}` to the public key output on the proxy (two places)
+  * Change `${SERVER_GW}` to the gateway address used to reach the internet from the server
+
+* On both machines run `sudo wg-quick up /etc/wireguard/wg0.conf`

wireguard/wg0-proxy.conf

@@ -0,0 +1,33 @@
+[Interface]
+Address = 192.168.4.1/24
+ListenPort = 51820
+
+PostUp = wg set %i private-key /etc/wireguard/%i.key
+
+# Enable IP masquerading for the remote host
+PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
+PostUp = iptables -A FORWARD -i %i -j ACCEPT
+PostUp = iptables -A FORWARD -o %i -j ACCEPT
+PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+# accept the wireguard connection
+PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp --dport 51820 -j ACCEPT
+
+# redirect ssh to port 23
+PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 23 -j REDIRECT --to-port 22
+
+# redirect *all* traffic to the wg tunnel
+PostUp = iptables -t nat -A PREROUTING -i eth0 -p all -j DNAT --to-destination 192.168.4.2
+
+# Tear down the proxy
+PostDown = iptables -D FORWARD -i %i -j ACCEPT
+PostDown = iptables -D FORWARD -o %i -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp --dport 51820 -j ACCEPT
+PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 23 -j REDIRECT -to-port 22
+PostDown = iptables -t nat -D PREROUTING -i eth0 -p all -j DNAT --to-destination 192.168.4.2
+
+[Peer]
+PublicKey = ${SERVER_PUBKEY}
+AllowedIPs = 192.168.4.2/32

wireguard/wg0-server.conf

@@ -0,0 +1,28 @@
+# wg0-server.conf
+#
+# This is the configuration for the server hidden behind the wireguard proxy.
+# It routes all internet traffic via the proxy, with the exception of traffic
+# to the proxy itself.  It is still accessible on the local network.
+#
+# When moving this to a new machine:
+# * Update the PostUp route so that the proxy address has an explicit route via the local gateway
+# * Update the PownDown to delete the explicit route and restore the default gw
+# * Update the Peer PublicKey and Endpoint with the proxy key and address
+#
+[Interface]
+PostUp = wg set %i private-key /etc/wireguard/%i.key
+Address = 192.168.4.2/24
+
+# Delete the default gateway and add an explicit route for the wireguard tunnel
+PostUp = route add ${PROXY_IP} gw ${SERVER_GW} || echo "wrong route"
+PostUp = route del default || echo "no default"
+PostUp = route add default gw 192.168.4.1
+
+PostDown = route del ${PROXY_IP}
+PostDown = route add default gw ${SERVER_GW}
+
+[Peer]
+PublicKey = ${PROXY_PUBKEY}
+Endpoint = ${PROXY_IP}:51820
+AllowedIPs = 0.0.0.0/0
+PersistentKeepalive = 25