freie-netze wireguard access server

wg-access-server w/ suricata

requirements

apt install wireguard wireguard-tools
# sqlite3 sqlite3-tools
# wireguard-dkms

wg --version
sqlite3 --version

modprobe ip_tables
#modprobe ip6_tables
modprobe wireguard

setup

password=`tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1`
privkey=`wg genkey`
domain=md.nethence.com

mkdir -p /data/wg-access-server-data/
cat > /data/wg-access-server-data/config.yaml <<EOF

externalHost: $domain
adminUsername: wgas-admin

# https://www.freie-netze.org/wg-access-server/2-configuration/
loglevel: info
adminPassword: "$password"
storage: sqlite3:///data/db.sqlite3

# single wireguard block (the key must not be repeated in YAML)
wireguard:
  port: 51821
  privateKey: "$privkey"

# the forwarders to proxy (possibly internal)
# defaults to embedded nameserver
#dns:
#  upstream:
#    - "INTERNAL-DNS-HERE"
#    - "208.67.222.222"
#    - "208.67.220.220"

vpn:

  # routing we are offering
  allowedIPs:
    - "10.7.7.0/24" # e.g. some internal network
    #- "0.0.0.0/0"  # exit node

  # so that large corporation end-users won't attack each other
  clientIsolation: true

# delete after 6 months unused
enableInactiveDeviceDeletion: true
inactiveDeviceGracePeriod: 4380h

EOF
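A quick lint to run on the generated config.yaml before starting the container, as an added example that is not part of the guide or of wg-access-server itself: it flags a top-level key given twice (YAML loaders either reject the file or silently keep one copy, so port or privateKey can get lost), checks that clientIsolation is on, and warns when allowedIPs advertises 0.0.0.0/0 (exit node). The two sample configs are constructed inline with placeholder values.

```shell
# added example, not from the guide: lint the generated config.yaml
# returns 0 when clean, 1 when something is off (reasons go to stderr)
lint_wgas_config() {
    cfg="$1"; rc=0
    # (1) a top-level key given twice, e.g. two "wireguard:" blocks
    dups=$(grep -E '^[A-Za-z0-9_]+:' "$cfg" | cut -d: -f1 | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate top-level key(s): $dups" >&2; rc=1; }
    # (2) peers must not be able to reach each other
    grep -Eq '^[[:space:]]*clientIsolation:[[:space:]]*true' "$cfg" \
        || { echo "clientIsolation is not enabled" >&2; rc=1; }
    # (3) an uncommented 0.0.0.0/0 in allowedIPs turns this into an exit node
    ! grep -Eq '^[[:space:]]*-[[:space:]]*"?0\.0\.0\.0/0' "$cfg" \
        || { echo "allowedIPs advertises 0.0.0.0/0 (exit node)" >&2; rc=1; }
    return $rc
}

# constructed samples with placeholder values (not real keys or passwords):
# the first repeats the wireguard block the way a hand-edited config easily ends up
WGAS_BAD_CFG=$(mktemp)
cat > "$WGAS_BAD_CFG" <<'EOF'
externalHost: vpn.example.invalid
wireguard:
  port: 51821
adminPassword: "PLACEHOLDER"
wireguard:
  privateKey: "PLACEHOLDER"
vpn:
  allowedIPs:
    - "0.0.0.0/0"
  clientIsolation: false
EOF
WGAS_GOOD_CFG=$(mktemp)
cat > "$WGAS_GOOD_CFG" <<'EOF'
externalHost: vpn.example.invalid
adminPassword: "PLACEHOLDER"
wireguard:
  port: 51821
  privateKey: "PLACEHOLDER"
vpn:
  allowedIPs:
    - "10.7.7.0/24"
    #- "0.0.0.0/0"
  clientIsolation: true
EOF

for f in "$WGAS_BAD_CFG" "$WGAS_GOOD_CFG"; do
    if lint_wgas_config "$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
```

Point it at /data/wg-access-server-data/config.yaml once the heredoc above has been written; the container is only worth starting when it returns 0.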

choose either latest (latest release) or master (some snapshot?)

tag=latest

docker image pull ghcr.io/freifunkmuc/wg-access-server:$tag
docker rm -f wg-access-server

make sure you’ve got the docker0 interface up and running as well as the default netfilter chain for it

ifconfig docker0
iptables -nvL | grep DOCKER
nft list ruleset | grep DOCKER
#systemctl restart docker

docker rm -f wg-access-server
docker run -d --name wg-access-server \
    --cap-add NET_ADMIN --device /dev/net/tun:/dev/net/tun \
    -v /data/wg-access-server-data:/data \
    -e "WG_HTTPS_ENABLED=false" \
    -e "WG_VPN_CIDRV6=0" -e "WG_CONFIG=/data/config.yaml" \
    -p 127.0.0.1:8000:8000 \
    -p 0.0.0.0:51821:51821/udp \
    ghcr.io/freifunkmuc/wg-access-server:$tag

docker logs wg-access-server -f

and if you wanted to ssl-terminate yourself

draft: :8443 doesn't show up as listening, so we go for the reverse-proxy anyhow

    -v /etc/dehydrated/certs/md.nethence.com:/data/ssl \
    -e "WG_HTTPS_CERT_FILE=/data/ssl/fullchain.pem" \
    -e "WG_HTTPS_KEY_FILE=/data/ssl/privkey.pem" \
    -e "WG_HTTPS_HOST=md.nethence.com" \

make sure the UI is reachable

curl -I http://localhost:8000/signin

#curl -I https://localhost:8443/signin

reverse-proxy ssl termination

ls -lkF /etc/dehydrated/certs/md.nethence.com/

vi /etc/nginx/conf.d/wireguard.conf

...
location / {
    # without trailing-slash
    proxy_pass http://127.0.0.1:8000;
}
...

nginx -t
nginx -s reload

ready to go

reach the UI remotely

domain=md.nethence.com

nmap -p 443 $domain
sudo nmap -sU -p 51821 $domain

curl -I https://$domain/signin

register some vpn peer devices

https://md.nethence.com/signin

grep ^adminPassword: /data/wg-access-server-data/config.yaml

wgas-admin / <admin password>

(add device)

linux workstation client

add the config file system-wide

as root

mv -i ~USER/Downloads/WireGuard.conf /etc/wireguard/EXAMPLE.conf
vi /etc/wireguard/EXAMPLE.conf

(check AllowedIPs points to internal CIDR)

now reach the insider network

wg-quick up EXAMPLE
ifconfig EXAMPLE
ping -c3 10.44.0.1

and make sure your access to the public network doesn't go through the newly configured vpn

traceroute opendns.com

smartphone

QR code...

debugging

docker exec -ti wg-access-server bash

check you’re up and listening

ps
netstat -lntup

show peers

watch wg show

make sure the container reaches external network

ping -c1 opendns.com

sniff the front-facing interface and, if needed, the tunnel

# host
tcpdump -ni eth0 udp port 51821 -vvv

# container
apk update && apk add tcpdump
tcpdump -ni eth0 udp port 51821 -vvv
tcpdump -ni wg0 -vvv

troubleshooting

http: proxy error: dial tcp 127.0.0.1:3000: connect: connection refused

==> looks like it’s calling the dev website internally

==> do NOT set WORKDIR

resources

https://www.freie-netze.org/wg-access-server/

https://www.freie-netze.org/wg-access-server/2-configuration/

https://www.freie-netze.org/wg-access-server/3-storage/

https://www.freie-netze.org/wg-access-server/deployment/1-docker/

https://github.com/freifunkMUC/wgkex/blob/main/docker-compose.yml

https://github.com/freifunkMUC/wg-access-server-chart/tags

https://github.com/freifunkMUC/wg-access-server-chart

https://pascal-bergeron.com/en/posts/docker-expose-ports-local-network/

https://stackoverflow.com/questions/29957143/make-docker-use-ipv4-for-port-binding ==> ipv4 only

https://denbeke.be/blog/software/configuring-wireguard-vpn-with-wg-access-server/ ==> cool guide


Licensed under MIT