VPNserver
Introduction
The only host on the VPNNet is Vanilla; it has an IP address of VPNnet.5. OpenVPN was tried first but it had problems with routing, so WireGuard was tried instead and it now works. It is possible that the OpenVPN routing problems were the same ones seen on WireGuard and could have been overcome in the same way, but as there is now a working WireGuard solution on Vanilla there is only limited reason to try OpenVPN again.
The Solution required
The general idea of the VPN is to allow RDP access to the desktop hosts on the terminals network from a remote location. There may be some gain in having a Samba share to Satsuma as well, as the VPN will secure the connection. There does not need to be an Internet connection through the VPN at this time, so we will not add the VPN IP as the default route for Internet traffic for now; if that changes it should be fairly straightforward to add it to the client connection. There may be other requirements at a later date.
Installation of Wireguard
The installation will be in three parts, four if debugging is counted as a part. The first part is to install and configure the server, Vanilla: install the software, generate the keys and write the config file. The second part is the client install, which is much the same as the server: the software needs to be installed, the keys must be generated and the config file needs to be written. The third part is the iptables config and the final part is testing and debugging.
Server Install on Vanilla
To install WireGuard on Vanilla do
sudo apt update
sudo apt install wireguard wireguard-tools -y
wireguard-tools is a package containing additional utilities for managing WireGuard, such as wg and wg-quick; more details can be found on the Ubuntu website. Once the two packages are installed we need to generate the public and private keys. First we generate the private key with the command
sudo wg genkey | sudo tee /etc/wireguard/server-privatekey
What this does is use wg with genkey to generate a new WireGuard private key, which is displayed on the screen; the pipe into tee also copies it to the file /etc/wireguard/server-privatekey. We can use this private key to generate the matching public key with the command
sudo cat /etc/wireguard/server-privatekey | wg pubkey | sudo tee /etc/wireguard/server-publickey
This pipes the private key from the file we just made into wg pubkey; tee displays the result on screen and then copies it to the file /etc/wireguard/server-publickey. It would probably be best to check that both key files can be accessed before clearing the screen, so do
sudo nano /etc/wireguard/server-publickey
and
sudo nano /etc/wireguard/server-privatekey
just to be sure that both can be accessed. The private key must be kept private, so do a chmod to make it accessible to root only
sudo chmod 600 /etc/wireguard/server-privatekey
Now, to view the file or even get a directory listing, you have to use sudo. The public key will need to be exchanged with clients, so there is no need to keep it private. Using our newly created keys we can create a wg0.conf file in the wireguard directory.
sudo nano /etc/wireguard/wg0.conf
In this file we will need the following information
[Interface]
PrivateKey = <your_server_private_key_just_generated>
Address = 192.168.130.4/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp6s18 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp6s18 -j MASQUERADE

[Peer]
PublicKey = <client_public_key_1_not_yet_created>
AllowedIPs = 192.168.130.6/32

[Peer]
PublicKey = <client_public_key_2_also_not_yet_created>
AllowedIPs = 192.168.130.7/32
In the [Interface] section we need to paste in the private key from /etc/wireguard/server-privatekey, and we will need sudo just to read it. The IP address for the interface needs to be different from Vanilla's own interface, so as Vanilla is on 192.168.130.5 we give the wg0 interface 192.168.130.4/24. If qemu-guest-agent is installed, the wg0 interface should be visible in the Proxmox GUI summary once WireGuard is up and running. In a production environment we would possibly put this interface on a different IP subnet with more hosts and a DHCP server running, but as we will only have a few clients we will use static IPs on the same subnet: we will never have enough clients to make static IPs unmanageable, and we will probably never need scripts to configure clients. The ListenPort is the port that Vanilla listens on for connections. The PostUp and PostDown iptables lines allow forwarding and NAT; they are mostly boilerplate. The PostUp line is two commands separated by a semicolon
iptables -A FORWARD -i %i -j ACCEPT
- iptables is the command line tool for managing the Linux kernel firewall
- -A FORWARD: Appends a rule to the FORWARD chain. The FORWARD chain handles traffic that is passing through the server, not traffic destined for the server itself.
- -i %i: Specifies the input interface. %i is a placeholder that wg-quick replaces with the name of the WireGuard interface (in your case, wg0). So, this part of the rule says: "For any traffic coming into the server on the wg0 interface..."
- -j ACCEPT: Specifies the action to take if a packet matches the rule. ACCEPT means to allow the packet to continue to its destination.
- In essence, this part of the PostUp rule allows traffic originating from your WireGuard clients (coming in on the wg0 interface) to be forwarded out of other interfaces on your server (like enp6s18 to reach your LAN or the internet).
After the semicolon the second part of the command is
iptables -t nat -A POSTROUTING -o enp6s18 -j MASQUERADE
- iptables -t nat: Specifies that we are working with the nat table, which is used for Network Address Translation.
- -A POSTROUTING: Appends a rule to the POSTROUTING chain. This chain is processed for packets that are about to leave the server.
- -o enp6s18: Specifies the output interface. enp6s18 is the main interface for Vanilla. This part of the rule says: "For any traffic going out of the server on the enp6s18 interface..."
- -j MASQUERADE: This is a form of NAT that dynamically rewrites the source IP address of packets leaving through enp6s18 to the IP address of enp6s18. This is crucial for allowing VPN clients (on the 192.168.130.0/24 subnet in your setup) to reach networks beyond the server, such as your LAN or the internet.
The PostDown line does the opposite of PostUp. It uses -D instead of -A to delete the iptables rules that were added when the wg0 interface was brought up. This ensures that when the WireGuard interface is shut down, the forwarding and NAT rules are also removed, which is good practice to avoid unintended routing or NAT behavior when the VPN is not active.
The two [Peer] sections will need the public keys from the clients added in once they have been generated, and AllowedIPs sets the IP address of each client (as a single host, /32).
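As an added example (not part of the original page), here is a small Python linter for a wg-quick config that catches the slips this walkthrough can produce: a placeholder left in PrivateKey, a PostDown that does not delete with -D what PostUp appended with -A, and a peer AllowedIPs that is not a single /32 host inside the wg0 subnet or that collides with Vanilla's own addresses. The embedded config is a constructed sample with those mistakes planted, not the real wg0.conf; only the 192.168.130.5 LAN address and the enp6s18 interface name come from the page.

```python
import ipaddress
import re

KEY_RE = re.compile(r"[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=")  # 32 bytes, base64

# Constructed sample, not Vanilla's file: PostDown re-adds the NAT rule, the key placeholder is still in, and the peer has Vanilla's own IP.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <your_server_private_key_just_generated>
Address = 192.168.130.4/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp6s18 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp6s18 -j MASQUERADE
[Peer]
PublicKey = <client_public_key_1_not_yet_created>
AllowedIPs = 192.168.130.5/32
"""

def parse(text):
    """Return (interface_dict, [peer_dict, ...]) from wg-quick INI text."""
    iface, peers, cur = {}, [], None
    for line in (ln.split("#", 1)[0].strip() for ln in text.splitlines()):
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            peers.append(cur := {})
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers

def lint(text, server_lan_ip="192.168.130.5"):
    iface, peers = parse(text)
    problems = []  # empty list means every check passed
    if not KEY_RE.fullmatch(iface.get("PrivateKey", "")):
        problems.append("Interface: PrivateKey is not a 44-char base64 key (placeholder?)")
    # Each rule PostUp appends with -A must be deleted by PostDown with -D.
    up = [r.strip() for r in iface.get("PostUp", "").split(";") if r.strip()]
    down = [r.strip() for r in iface.get("PostDown", "").split(";") if r.strip()]
    if down != [r.replace(" -A ", " -D ", 1) for r in up]:
        problems.append("Interface: PostDown does not mirror PostUp with -D for each -A")
    net = ipaddress.ip_interface(iface["Address"])
    taken = {net.ip, ipaddress.ip_address(server_lan_ip)}  # wg0 address and LAN address
    for n, peer in enumerate(peers, 1):
        host = ipaddress.ip_network(peer["AllowedIPs"])
        if host.prefixlen != 32 or host.network_address not in net.network:
            problems.append(f"Peer {n}: AllowedIPs {host} is not one host inside {net.network}")
        elif host.network_address in taken:
            problems.append(f"Peer {n}: {host.network_address} collides with an existing host")
        taken.add(host.network_address)
    return problems
```

Running lint(SAMPLE_CONF) reports all three planted mistakes; once they are corrected it returns an empty list.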