# util_server_wireguard

The cake function `util_server_wireguard` executes the Ansible role `role-wireguard-server`, which installs and configures wireguard to be used as the employee VPN.

Simplified, the role-wireguard-server works as follows:

- Install the wireguard apt packages
- Generate a private and public key
- Download the public key from all other servers
- Template `/etc/wireguard/mesh.conf`, which contains the public IP and public key of all other servers
## Information

| Key | Value |
|---|---|
| Playbook path | plays/baseline/wireguard-server.yml |
| Role | https://git.blunix.com/ansible-roles/role-wireguard-server |
| Tags | https://git.blunix.com/ansible-roles/role-wireguard-server/-/tags |
| Defaults | https://git.blunix.com/ansible-roles/role-wireguard-server/-/blob/master/defaults/main.yml |

| Config file | Description |
|---|---|
| /etc/wireguard/mesh.conf | Wireguard configuration file for the server-to-server mesh network |
| /etc/wireguard/mesh.key | Wireguard mesh private key |
| /etc/wireguard/mesh.pub | Wireguard mesh public key |
## Example

Define a subnet for the wireguard mesh in `inventory/group_vars/all.yml`:

```yaml
wireguard_server_subnet: "172.16.0.0/24"
```

Define individual wireguard mesh IPs for each server in `inventory/hosts`:

```ini
cus-www-prod-db-1 nic_wg_mesh_ip=172.16.0.21 nic_pub_ip=3.4.5.6
```
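To make the templating step concrete, here is an added example (written for this page, not the role's own Jinja2 template) that renders a `mesh.conf` from the inventory variables above. It assumes the role's collected data can be represented as a list of hosts with `nic_wg_mesh_ip`, `nic_pub_ip` and the downloaded `mesh.pub` contents; the host names, public IPs and keys in the sample inventory are constructed placeholders. Before rendering, it checks what a broken inventory would otherwise turn into a silently broken mesh: every mesh IP inside `wireguard_server_subnet`, and no IP or public key used twice.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Listen port as shown in the `wg show` output on this page.
LISTEN_PORT = 51819


@dataclass(frozen=True)
class MeshHost:
    """One server as the role sees it (field names follow the inventory variables on this page)."""
    name: str
    nic_wg_mesh_ip: str  # inventory variable: this host's address inside the mesh
    nic_pub_ip: str      # inventory variable: public IP used as the peer Endpoint
    public_key: str      # what the role downloads from /etc/wireguard/mesh.pub on that host


def validate_hosts(hosts: List[MeshHost], subnet: str) -> None:
    """Reject inventories that would produce an unroutable or ambiguous mesh."""
    net = ipaddress.ip_network(subnet)
    seen_ips, seen_keys = set(), set()
    for h in hosts:
        ip = ipaddress.ip_address(h.nic_wg_mesh_ip)
        if ip not in net:
            raise ValueError(f"{h.name}: mesh IP {ip} is outside {net}")
        if ip in seen_ips:
            raise ValueError(f"{h.name}: mesh IP {ip} is used twice")
        if h.public_key in seen_keys:
            raise ValueError(f"{h.name}: public key is used twice")
        seen_ips.add(ip)
        seen_keys.add(h.public_key)


def render_mesh_conf(self_name: str, hosts: List[MeshHost], subnet: str, private_key: str) -> str:
    """Render /etc/wireguard/mesh.conf for `self_name`: one [Peer] block per other server."""
    validate_hosts(hosts, subnet)
    prefixlen = ipaddress.ip_network(subnet).prefixlen
    me = next(h for h in hosts if h.name == self_name)
    lines = [
        "[Interface]",
        f"Address = {me.nic_wg_mesh_ip}/{prefixlen}",
        f"ListenPort = {LISTEN_PORT}",
        f"PrivateKey = {private_key}",  # contents of /etc/wireguard/mesh.key
        "",
    ]
    for peer in hosts:
        if peer.name == self_name:
            continue  # a host is never its own peer
        lines += [
            "[Peer]",
            f"# {peer.name}",
            f"PublicKey = {peer.public_key}",
            f"Endpoint = {peer.nic_pub_ip}:{LISTEN_PORT}",
            # Exactly one /32 per peer, as in the `wg show` output on this page: the mesh
            # never routes other traffic via a server, and no peer can claim another's address.
            f"AllowedIPs = {peer.nic_wg_mesh_ip}/32",
            "",
        ]
    return "\n".join(lines)


# Constructed sample inventory; the keys are placeholders, not real wireguard keys.
SAMPLE_SUBNET = "172.16.0.0/24"
SAMPLE_HOSTS = [
    MeshHost("cus-www-prod-db-1", "172.16.0.21", "3.4.5.6", "PLACEHOLDER_PUBKEY_DB1="),
    MeshHost("cus-util-prod-log-1", "172.16.0.9", "1.2.3.4", "PLACEHOLDER_PUBKEY_LOG1="),
    MeshHost("cus-util-prod-gateway-1", "172.16.0.24", "2.3.4.5", "PLACEHOLDER_PUBKEY_GW1="),
]

if __name__ == "__main__":
    print(render_mesh_conf("cus-www-prod-db-1", SAMPLE_HOSTS, SAMPLE_SUBNET, "PLACEHOLDER_PRIVATE_KEY="))
```

The validation runs before anything is written because a duplicate mesh IP or public key does not fail loudly at `wg-quick` time; it just makes one of the two peers unreachable.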
## Adding new servers

Simply define the new servers in `inventory/hosts` and execute `cake -f util_server_wireguard -i pub`. Make sure to use `--inventory pub`, as the wireguard mesh will restart during that play.
## Usage

### Common commands

Show wireguard status:

```
root@any-server ~ # wg show
interface: mesh
  public key: wireguard-public-key=
  private key: (hidden)
  listening port: 51819

peer: wireguard-public-key=
  endpoint: 1.2.3.4:51819
  allowed ips: 172.16.0.24/32
  latest handshake: 2 seconds ago
  transfer: 1.60 GiB received, 160.15 MiB sent

peer: wireguard-public-key=
  endpoint: 2.3.4.5:51819
  allowed ips: 172.16.0.34/32
  latest handshake: 11 seconds ago
  transfer: 1.50 GiB received, 122.50 MiB sent
[...]
```

Start / Stop wireguard:

```
systemctl stop wg-quick@mesh.service
systemctl start wg-quick@mesh.service
systemctl status wg-quick@mesh.service
```
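The `wg show` output above is meant for humans; for a check that can run from monitoring, `wg show mesh dump` prints the same data tab-separated (first line: private key, public key, listen port, fwmark; then one line per peer: public key, preshared key, endpoint, allowed IPs, latest handshake as unix time, received bytes, sent bytes, keepalive). Here is an added example (not part of this page or the role) that parses such a dump and flags what a healthy mesh should never show: a peer whose allowed IPs are anything but a single address inside the mesh subnet, or a peer with no or a stale handshake. The dump text is constructed, the keys are placeholders, and the 180 second staleness threshold is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Peer:
    public_key: str
    endpoint: str           # "(none)" until the peer has been seen
    allowed_ips: List[str]  # comma-separated in the dump
    latest_handshake: int   # unix seconds; 0 means no handshake yet
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(dump: str) -> Tuple[int, List[Peer]]:
    """Parse `wg show <iface> dump` output (tab-separated, see wg(8))."""
    lines = [line for line in dump.splitlines() if line.strip()]
    listen_port = int(lines[0].split("\t")[2])
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append(Peer(f[0], f[2], f[3].split(","), int(f[4]), int(f[5]), int(f[6])))
    return listen_port, peers


def audit_mesh_peers(peers: List[Peer], mesh_subnet: str, now: int,
                     max_handshake_age: int = 180) -> List[Tuple[str, str]]:
    """Return (public_key, finding) pairs for peers that deviate from the mesh layout."""
    net = ipaddress.ip_network(mesh_subnet)
    findings = []
    for p in peers:
        for cidr in p.allowed_ips:
            n = ipaddress.ip_network(cidr)
            # A mesh peer owns exactly one address in the mesh subnet (the /32 seen in `wg show`);
            # anything wider would let that peer source or receive traffic for other addresses.
            if n.version != net.version or n.prefixlen != n.max_prefixlen or not n.subnet_of(net):
                findings.append((p.public_key, f"allowed-ips {cidr} is not a single address inside {net}"))
        if p.latest_handshake == 0:
            findings.append((p.public_key, "no handshake yet"))
        elif now - p.latest_handshake > max_handshake_age:
            findings.append((p.public_key, f"last handshake {now - p.latest_handshake}s ago"))
    return findings


# Constructed sample in `wg show mesh dump` layout. A real dump prints the interface's
# private key in the first field, so treat that output as a secret; here it is a placeholder.
SAMPLE_DUMP = "\n".join([
    "\t".join(["PLACEHOLDER_PRIVATE_KEY=", "PLACEHOLDER_SELF_PUB=", "51819", "off"]),
    "\t".join(["PLACEHOLDER_PEER_A=", "(none)", "1.2.3.4:51819", "172.16.0.24/32",
               "1700000000", "1718000000", "168000000", "off"]),
    "\t".join(["PLACEHOLDER_PEER_B=", "(none)", "2.3.4.5:51819", "172.16.0.34/32,10.0.0.0/8",
               "1699999000", "100", "200", "off"]),
    "\t".join(["PLACEHOLDER_PEER_C=", "(none)", "(none)", "172.16.0.40/32",
               "0", "0", "0", "off"]),
])
SAMPLE_NOW = 1700000010  # constructed "current time" for the sample


def run_sample() -> List[Tuple[str, str]]:
    _, peers = parse_wg_dump(SAMPLE_DUMP)
    return audit_mesh_peers(peers, "172.16.0.0/24", SAMPLE_NOW)


if __name__ == "__main__":
    for key, finding in run_sample():
        print(f"{key}: {finding}")
```

On a live gateway the dump would come from `subprocess.run(["wg", "show", "mesh", "dump"], ...)` and `now` from `time.time()`; the sample keeps both inline so it runs offline.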
### Debugging

Ping all servers via VPN. The ping packets will be routed from your workstation via the employee VPN to gateway-1 or -2, then over the server-to-server mesh VPN from gateway-1 or -2 to the destination server:

```
CAKE master * cake -f debug_ping -i vpn
[...]
TASK [ping] ******************
ok: [cus-util-prod-log-1]
ok: [cus-util-prod-monitoring-1]
ok: [cus-util-prod-gitci-1]
ok: [cus-util-prod-deploy-1]
ok: [cus-www-prod-web-1]
ok: [cus-www-prod-myapp-1]
[...]
```

Ping server A from server B:

```
root@cus-util-prod-monitoring-1 ~ # host log
log has address 172.16.0.9
root@cus-util-prod-monitoring-1 ~ # ping 172.16.0.9
PING 172.16.0.9 (172.16.0.9) 56(84) bytes of data.
64 bytes from 172.16.0.9: icmp_seq=1 ttl=64 time=1.01 ms
```

Source of the following commands

Debug wireguard logs live:

```
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
dmesg -wT | grep wireguard
echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control
```

Debug wireguard packets:

```
tcpdump -i any port 51819 udp
```
## Gateways

The two redundant gateways provide the following functionality:

- Wireguard VPN for the employees to reach the servers (called employee wireguard VPN)
- Wireguard VPN clients for the server-to-server VPN (called wireguard mesh)
- Firewall for granting specific employees access to specific servers
- dnscrypt-proxy DNS resolvers for the employee VPN as well as all servers

### How to add a new employee to the wireguard VPN

TODO

### How to configure the firewall to allow a specific employee access to specific servers

TODO
## Security considerations

The wireguard servers (gateway-1 and -2) can not reach the employees via wireguard.

With shorewall, packets are rejected and logged:

```
root@cus-util-prod-gateway-1 ~ # ping 172.30.205.9
PING 172.30.205.9 (172.30.205.9) 56(84) bytes of data.
From 172.30.205.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Operation not permitted
```

Without shorewall, packets are dropped by wireguard:

```
root@cus-util-prod-gateway-1 ~ # shorewall clear
Clearing Shorewall....
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
IPv4 Forwarding Enabled
done.
root@cus-util-prod-gateway-1 ~ # ping 172.30.205.9
PING 172.30.205.9 (172.30.205.9) 56(84) bytes of data.
```

Wireguard clients (employees) can not reach each other.

Wireguard mesh servers (server-to-server wireguard, also called "mesh") can not reach employees.

The only possible connections are:

- employees can reach their gateway (to establish a wireguard connection, or whatever is allowed by shorewall)
- employees can reach servers in the wireguard mesh via the gateway (if allowed by shorewall)
- servers can reach each other over the wireguard mesh (if allowed by shorewall)