VPNserver

From Sea of Fate
Jump to navigationJump to search

Introduction

The only host on the VPNNet is Vanilla it has an IP Address of VPNnet.5. OpenVPN was tried but it had problems with routing so Wireguard has been tried and it now works. It is possible that the routing problems were the same as was on wireguard and maybe they could have been overcome but as there is now a working Wireguard solution on Vanilla there is only a limited reason to try OpenVPN again.

The Solution required

The general idea of the VPN was to allow RDP access to the desktop hosts on the terminals network from a remote location . There may be some gain in having a Samba share to Satsuma as well as the VPN will secure the connection. There does not need to be a Internet connection through the VPN at this time so we will not add the Ip as the default route for Internet at this time, If that changes it should be fairly straight forward to add it on to the client connection. There may be other requirements at a later date.

Installation of Wireguard

the installation will be in three parts, four if debug is taken as a part. The first Part is to install the and configure the server, Vanilla. This will be install the software, generate the keys and write the config file. The second part will be the client install and is much the same as the server, as the software needs to be installed, the keys must be generated and the config file need to be written. The third part is the iptables config and the final part is the testing and debugging.

Server Install on Vanilla

To install Wireguard on Vanilla do 

sudo apt update
sudo apt install wireguard wireguard-tools -y

wireguard-tools is a package containing additional utilities for managing WireGuard, such as wg and wg-quick. More details can be found on the Ubuntu website. Once the two packages are installed we need to generate the public and private keys. First we do the private key with the command 

sudo wg genkey | sudo tee /etc/wireguard/server-privatekey

What this does is to use wg with genkey to generate a new Wireguard private key that will be displayed on the screen. The pipe tee will copy it to the file /etc/wireguard/server-privatekey. We can use this private key to generate the public key to match using the command 

sudo cat /etc/wireguard/server-privatekey | wg pubkey | sudo tee /etc/wireguard/server-publickey

This will pipe the private key from the file we just made to wg pubkey to be displayed on screen by the pipe tee and ten copies it to the file /etc/wireguard/server-publickey. It would probably be best to check that these two key files can be accessed before clearing the screen so do 

sudo nano  /etc/wireguard/server-publickey

and a 

sudo nano  /etc/wireguard/server-privatekey

Just to be sure that both can be accessed. The private key must be kept private so do a chmod to make it accessible to root only 

sudo chmod 600 /etc/wireguard/server-privatekey

Now to view the file or even get a listing you have to do sudo. the public key will need to be exchanged with clients so no need to keep it private. Using our newly created keys we can create a wg0.conf file in the wireguard directory. 

sudo nano /etc/wireguard/wg0.conf

In this file we will need the following information 

 [Interface]
PrivateKey = <your_server_private_key_just_generated >
Address = 192.168.130.4/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp6s18 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp6s18 -j MASQUERADE

[Peer]
PublicKey = <client_public_key_1_not yet created>
AllowedIPs = 192.168.130.6/32

[Peer]
PublicKey = <client_public_key_2 also not yet created>
AllowedIPs = 192.168.130.7/32

In the interface section we will need to paste in the private key from /etc/wireguard/server-privatekey and we will need to sudo just to access it. the IP address for the interface needs to be different from the Vanilla interface so as vanilla is on 192.168.130.5 we add the wg0 interface as 192.168.130.4/24, if qemu-guest-agent is installed when Wireguard is up and running, it should be seen in the Proxmox GUI summary. If this was to be on a production environment we would possibly have this interface on a different IP domain with more hosts and with a DHCP server running but as we will only have a few clients we will use static IPs and use the same domain because we will never have enough clients to make static IPs unmanageable and we will probably never need to use scripts to configure clients. The listen port is the port that vanilla will be listening on for connections. The postup and postdown iptables are to allow forwarding and NAT, they are mostly boilerplate code. The first line, PostUp, is two commands separated by the semicolon 

iptables -A FORWARD -i %i -j ACCEPT
  • iptables is the command line tool for managing the Linux kernel firewall
  • -A FORWARD: Appends a rule to the FORWARD chain. The FORWARD chain handles traffic that is passing through the server, not traffic destined for the server itself.
  • -i %i: Specifies the input interface. %i is a placeholder that wg-quick replaces with the name of the WireGuard interface (in your case, wg0). So, this part of the rule says: "For any traffic coming into the server on the wg0 interface..."
  • -j ACCEPT: Specifies the action to take if a packet matches the rule. ACCEPT means to allow the packet to continue to its destination.
  • In essence, this part of the PostUp rule allows traffic originating from your WireGuard clients (coming in on the wg0 interface) to be forwarded to other interfaces on your server (like eth0 to reach your LAN or the internet).

After the semicolon the second part of the command is 

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • iptables -t nat: Specifies that we are working with the nat table, which is used for Network Address Translation.
  • -A POSTROUTING: Appends a rule to the POSTROUTING chain. This chain is processed for packets that are about to leave the server.
  • -o enp6s18: Specifies the output interface. enp6s18 is the main interface for Vanilla. This part of the rule says: "For any traffic going out of the server on the enp6s18 interface..."
  • -j MASQUERADE: This is a form of NAT that dynamically translates the source IP address of packets leaving through enp6s18 to the IP address of enp6s18 . This is crucial for allowing VPN clients (on the 192.168.130.0/24 subnet in your setup) to access networks beyond the server, such as your LAN or the internet.

The PostDown line does the opposite of PostUp. It uses -D instead of -A to delete the iptables rules that were added when the wg0 interface was brought up. This ensures that when the WireGuard interface is shut down, the forwarding and NAT rules are also removed, which is good practice to avoid unintended routing or NAT behavior when the VPN is not active.


The two peer sections will need to have the public key from the clients to be added in when they have been done and the AllowedIPs will set the iP addresses of the clients (as in /32).

Next we have to enable ip forwarding on vanilla 

sudo nano /etc/sysctl.conf

search for the line 

net.ipv4.ip_forward=1

and add it or uncomment it, then save and exit. Next we can move on to the client install

Client Install on Grape

We install on Grape, the desktop PC to begin with and then repeat the step with the laptop Dragonfruit. First we need to download the client software

After installing Wireguard a key pair must be generated, as it is on a Windows 11 client open a powershell window as administrator and enter the two commands 

wg genkey | Out-File -Encoding ASCII client-privatekey.txt
(Get-Content -Path client-privatekey.txt -Raw) | wg pubkey | Out-File -Encoding ASCII client-publickey.txt

The first command uses wg with the genkey option to create a private key and pipe it to the file client-privatekey.txt. The second command gets the private key from the file and pipes it to wg and wg uses the option pubkey to generate a public key and the it is piped to the file client-publickey.txt. There should now be two files in the current directory (probably c:\windows\system32) the private key must be kept private as this is used to auth the public key that will be copied to vanilla. We now create a file called Grape-Vanilla.conf so we can import the config into the client. The file should have the following details. 

[Interface]
PrivateKey = <your_client_private_key>
Address = 192.168.131.6/32
DNS = 192.168.110.11

[Peer]
PublicKey = <your_server_public_key>
Endpoint = <ip or dns to the server>:<portnumer>
AllowedIPs = 192.168.111.0/24, 192.168.130.0/24, 192.168.110.11/32, 192.168.100.0/24
PersistentKeepalive = 25

The <your_client_private_key> will be from the private key just generated on grape. The address is the Ip address that will be issued to grape when the tunnel is active and the DNS is the address of ns1 on Proxmox that will be used for this connection. In the Peer section the <your_server_public_key> will be the public key from Vanilla. The endpoint will be the route and port to the server, this could be a DNS name or IP address of Pfsense as long as it will be a route to Vanilla. The allowed IPs are the addresses that the VPN client will have access to and be sure to include the DNS server (in this case the /32 will only give access to ns1).

We also need to copy the public key from Grape to the Peer entry on the wg0.conf on vanilla, copy the public key from grape and open the wg0.conf on vanilla 

sudo /etc/wireguard/wg0.conf

Then save and close. One of the Wireguard tools that was installed on Vanilla was wg-quick and it can bring up and close down wireguard, on Vanilla bring up the wireguard interface with: 

 sudo wg-quick up wg0

There should now be an interface appear in the Proxmox GUI summary page for vanilla. we can also activate the client on grape but unless the forwarding rule on Pfsense has been created if the client the latest handshake will never be filled in. So we need to login to Pfsense web GUI and go to Firewall-NAT and create a forwarding rule to forward UDP on the port number from the [Peer] section above to vanilla for all sources with a destination of "This Firewall (self)". When saved check in the Firewall->rules->wan that the pass rule has been added above the default deny any any because by default when a NAT forwarding rule is made the accompanying firewall rule is created at the bottom of the list. When the Pfsense forwarding rule is active the wireguard application on Grape should start showing numbers in the Transfer line and it should start showing a time in the Latest Handshake line, if these are not updating check the Pfsense NAT rule and see why the UDP packets are being blocked. Assuming the connection is made there should be a new interface called whatever the .conf was called (probably Grape-Vanilla) to easily check open a cmd window on grape and do an ipconfig /all and there should be another adapter listed with some comment about WireGuard tunnel, there should also be a new IP address 192.168.131.6 as listed on the interface section of the wireguard app on grape.

Other Configs and testing

Now that the interface is up on Grape and also on Vanilla we should be able to see latest handshake update, this shows that the connection is successfully made to Vanilla, if not check the Pfsense rules as that is the most likely block. We should be able to see the interface in the cmd window of Grape as a result of ipconfig /all. We should also see the interface is made on vanilla by the Proxmox summary page for Vanilla (it will probably be hidden by the more button). Alternatively, the command is 

ip link

There should be at least three interfaces shown, the loopback, the main NIC(enp6s18) for vanilla and the VPN interface (probably wg0 as it takes the filename and uses that as the interface name) . both interfaces must be up and there must be updates in the client to go any further.

We should be able to ping Vanilla's IP but not the DNS name and we will not be able to ping anything outside 192.168.130.0/24 because we need to add a static route to Pfsense to reach 192.168.131.0/24. The route to the other IP domains is effectively taken care of by Wireguard because routes in to Proxmox are specified in the Allowed IPs in the [peer] section of the client config and the routes will be set by vanilla. For example, the route from Grape to 192.168.100.10 will be from 192.168.131.6 to 192.168.131.1(vanilla on wg0) to 192.168.130.5 (Vanilla on enp6s18, it's main NIC) then as Vanilla has already got it's own default route set to Pfsense on 192.168.130.1 the route continues to Pfsense and on to the Pfsense NIC on 192.168.100.0/24 then to the final destination. Grape is able to use Vanilla's routes because the Mascarade directive in the wg0.conf hides all of the VPN clients' IPs so Pfsense will never see them, like a NAT, from pfsense viewpoint anything coming out of the VPN is originating from Vanilla.

Retrieved from "https://wiki.seaoffate.net/index.php?title=VPNserver&oldid=309"