Unverified Commit 8426a642 authored by Jake Howard's avatar Jake Howard
Browse files

WireGuard is meant to be correctly cased

parent 3366679f
......@@ -88,12 +88,12 @@ graph LR
subgraph You
A[Browser]
B[Wireguard Client]
B[WireGuard Client]
end
subgraph Home Network
C[Router]
D[Wireguard Client]
D[WireGuard Client]
subgraph Home Server
E[Reverse Proxy]
F[Service 1]
......@@ -130,11 +130,11 @@ graph LR
A[End Users]
subgraph VPS
B[HAProxy]
C[Wireguard Server]
C[WireGuard Server]
end
subgraph Home Network
D[Wireguard Client]
D[WireGuard Client]
subgraph Home Server
E[Reverse Proxy]
F[Service 1]
......@@ -158,7 +158,7 @@ This method, however good it sounds, comes with a number of drawbacks. It's a lo
With that said, these extra complexities aren't huge, nor especially complicated, and you'll learn a lot whilst doing it!
If you're interested in setting up something like this, I've written articles for both [Wireguard]({{< relref "wireguard-haproxy-gateway" >}}) and [OpenVPN]({{< relref "vpn-gateway" >}}).
If you're interested in setting up something like this, I've written articles for both [WireGuard]({{< relref "wireguard-haproxy-gateway" >}}) and [OpenVPN]({{< relref "vpn-gateway" >}}).
## Reverse Proxies
......
......@@ -6,14 +6,14 @@ image: unsplash:ln5drpv_ImI
tags: [linux, security]
---
[Wireguard]({{<relref "whyreguard">}}) has been the "hot new thing" when it comes to VPNs, but it's not always the best suited for every workload. [Nebula](https://github.com/slackhq/nebula) is a mesh network originally created by Slack, but now owned by a [separate company](https://www.defined.net/).
[WireGuard]({{<relref "whyreguard">}}) has been the "hot new thing" when it comes to VPNs, but it's not always the best suited for every workload. [Nebula](https://github.com/slackhq/nebula) is a mesh network originally created by Slack, but now owned by a [separate company](https://www.defined.net/).
- [TechSNAP 419 - Nebulous Networking](https://techsnap.systems/419)
- [Linux Unplugged 329 - Flat Network Truthers](https://linuxunplugged.com/329)
## What's a mesh network?
A conventional VPN, such as Wireguard and OpenVPN works in a hub-spoke pattern, such that all traffic flows through the central "hub", regardless of where the other devices are.
A conventional VPN, such as WireGuard and OpenVPN works in a hub-spoke pattern, such that all traffic flows through the central "hub", regardless of where the other devices are.
![Traditional VPN](./hub-spoke.svg "50")
......@@ -30,11 +30,11 @@ Nebula is constantly polling and updating the IPs usable for communications to a
{{< youtube QfcwiSkV_AU >}}
### What about wireguard
### What about WireGuard
Everyone loves Wireguard, and for good reason! It's relatively simple, fast and built-in to the Linux kernel. Unfortunately however, it doesn't natively support meshing. It's possible to make wireguard pretend it's a mesh, but it's not really designed for it. [`wg-dynamic`](https://git.zx2c4.com/wg-dynamic) is planning on changing that, but it's still under development (however inactive it may be).
Everyone loves WireGuard, and for good reason! It's relatively simple, fast and built-in to the Linux kernel. Unfortunately however, it doesn't natively support meshing. It's possible to make WireGuard pretend it's a mesh, but it's not really designed for it. [`wg-dynamic`](https://git.zx2c4.com/wg-dynamic) is planning on changing that, but it's still under development (however inactive it may be).
There is [tailscale](https://tailscale.com/), which is a mesh VPN which uses wireguard under the hood. If you really want to use wireguard, that's the closest you're going to get. However, it's missing the firewalling features of Nebula, not to mention that the server component (introducer) isn't open-source.
There is [tailscale](https://tailscale.com/), which is a mesh VPN which uses WireGuard under the hood. If you really want to use WireGuard, that's the closest you're going to get. However, it's missing the firewalling features of Nebula, not to mention that the server component (introducer) isn't open-source.
## Getting started with nebula
......@@ -192,7 +192,7 @@ PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
rtt min/avg/max/mdev = 9.692/10.139/10.565/0.356 ms
```
But that's the same as if this were using Wireguard. Where's the Nebula magic?
But that's the same as if this were using WireGuard. Where's the Nebula magic?
When doing pings, check the ping times. Pings to the lighthouse should be about what you'd expect for pings to a cloud server, but pings between the 2 clients should be significantly lower, because traffic is staying on the LAN.
......@@ -212,7 +212,7 @@ When doing the first connection between nodes, you may notice some latency befor
### Performance
Nebula is still pretty fast, and for regular use you'll be hard pushed to notice any issues. However, the default settings aren't tuned perfectly for performance. In my testing, I topped out at around 700MB symmetrical over a gigabit link. Now that's nothing to turn your nose up at, but there's definitely room for improvement. Wireguard sets the bar for what performance can be like for a VPN.
Nebula is still pretty fast, and for regular use you'll be hard pushed to notice any issues. However, the default settings aren't tuned perfectly for performance. In my testing, I topped out at around 700MB symmetrical over a gigabit link. Now that's nothing to turn your nose up at, but there's definitely room for improvement. WireGuard sets the bar for what performance can be like for a VPN.
This performance issue **isn't** an issue with Nebula. Speaking with one of the original developers of Nebula, Slack have seen Nebula networks fully saturate 5 / 10 gigabit links without sweat. I was given some suggestions for how to boost the performance:
......@@ -224,20 +224,20 @@ With these applied, I was topping out much nearer to 900MB. The default are rath
## Application
It's all well and good singing the praises of Nebula, and it's a great tool to know for solving certain situations, but it's not globally useful everywhere. As far as more user-facing VPN servers, don't expect companies like Mullvad and PIA to start offering Nebula-based VPNs. Nebula isn't just a non-optimal technology for this, it's the wrong technology. In these cases meshing isn't useful, and may actually be a hindrance, so sticking to technologies like OpenVPN and Wireguard is a much better decision.
It's all well and good singing the praises of Nebula, and it's a great tool to know for solving certain situations, but it's not globally useful everywhere. As far as more user-facing VPN servers, don't expect companies like Mullvad and PIA to start offering Nebula-based VPNs. Nebula isn't just a non-optimal technology for this, it's the wrong technology. In these cases meshing isn't useful, and may actually be a hindrance, so sticking to technologies like OpenVPN and WireGuard is a much better decision.
So, when should you use Nebula? Or more specifically, when am I going to use Nebula? Currently, I have a wireguard VPN deployed to a Vultr VPS which serves 2 functions:
So, when should you use Nebula? Or more specifically, when am I going to use Nebula? Currently, I have a WireGuard VPN deployed to a Vultr VPS which serves 2 functions:
1. Access to non-public ports / devices
2. [Tunnel traffic between the VPS and my home server to route traffic to internally hosted applications]({{<relref "wireguard-haproxy-gateway">}})
For the latter use, I won't be changing from Wireguard. Whilst I could use Nebula, I don't have any benefits in that use for a mesh, as there will only ever be 2 nodes. Wireguard has been working great for this use, and I don't really see a reason or a need to switch.
For the latter use, I won't be changing from WireGuard. Whilst I could use Nebula, I don't have any benefits in that use for a mesh, as there will only ever be 2 nodes. WireGuard has been working great for this use, and I don't really see a reason or a need to switch.
For the former, however, Nebula fits really well. In the interest of security, I have some services only listening on a VPN interface. For remote servers, this means I have to be on the VPN network to SSH in. For home devices, I can just use the local IP address, unless I'm out the house that is. Currently, I have to use a different IP or SSH alias to access home services depending on whether I'm at home or not, which is quite a hack. The alternative is that traffic flows from my desktop to my server via a VPS in London, even though the 2 devices are on a gigabit LAN - what a waste!
The meshing nature of Nebula means that when I'm at home, traffic flows purely on my LAN, and when I'm not, it flows direct, rather than via the server. That means I can still connect to services hosted in my house easily, but when I'm at home they run superfast! In an ideal world I'd route everything via Traefik, and just use IP whitelists to restrict access to certain web services, rather than use ports on VPN IPs. Unfortunately, whilst Wireguard supports overriding DNS, Nebula [does not](https://github.com/slackhq/nebula/issues/318).
The meshing nature of Nebula means that when I'm at home, traffic flows purely on my LAN, and when I'm not, it flows direct, rather than via the server. That means I can still connect to services hosted in my house easily, but when I'm at home they run superfast! In an ideal world I'd route everything via Traefik, and just use IP whitelists to restrict access to certain web services, rather than use ports on VPN IPs. Unfortunately, whilst WireGuard supports overriding DNS, Nebula [does not](https://github.com/slackhq/nebula/issues/318).
{{<mermaid caption="Intended network setup (solid lines being Nebula, thick lines being Wireguard)">}}
{{<mermaid caption="Intended network setup (solid lines being Nebula, thick lines being WireGuard)">}}
graph TD
N[Nebula Lighthouse]
......@@ -270,4 +270,4 @@ D---L
S2===H
{{</mermaid>}}
Once deployed, I'll just have a single 2-peer wireguard tunnel, and everything else going over Nebula!
Once deployed, I'll just have a single 2-peer WireGuard tunnel, and everything else going over Nebula!
......@@ -6,7 +6,7 @@ subtitle: Routing traffic to devices outside Nebula
tags: [linux, security]
---
[Nebula](https://github.com/slackhq/nebula) is a great mesh network I [recently deployed]({{< relref "nebula-intro" >}}) into my stack. For connecting nodes spread between networks, it's great, much better than my previous [wireguard]({{< relref "wireguard-haproxy-gateway" >}}) installation.
[Nebula](https://github.com/slackhq/nebula) is a great mesh network I [recently deployed]({{< relref "nebula-intro" >}}) into my stack. For connecting nodes spread between networks, it's great, much better than my previous [WireGuard]({{< relref "wireguard-haproxy-gateway" >}}) installation.
An additional feature of nebula is `unsafe_routes`. Unsafe routes allow nodes which don't have Nebula installed to be accessible to other Nebula nodes. Traffic for those nodes is sent via an intermediary node which has access to the devices on its own network. This means you can use a node as a form of gateway to bride to another network, all through Nebula.
......
......@@ -25,7 +25,7 @@ To get a sense of your open ports, you can use `nmap` or [shodan.io](https://www
#### VPN
Sometimes, you want to access things from outside your network, but not expose it to the internet fully. For example, you may want web traffic accessible to anyone, but only you to access SSH. The simplest way to do that is with a VPN, tunnelling traffic through a single port opened on the firewall. Both [wireguard]({{< relref "wireguard-haproxy-gateway" >}}) and [nebula]({{< relref "nebula-intro" >}}) are great options for something like this. Alongside SSH, this may also be useful for web applications, if you only allow access to VPN IPs.
Sometimes, you want to access things from outside your network, but not expose it to the internet fully. For example, you may want web traffic accessible to anyone, but only you to access SSH. The simplest way to do that is with a VPN, tunnelling traffic through a single port opened on the firewall. Both [WireGuard]({{< relref "wireguard-haproxy-gateway" >}}) and [nebula]({{< relref "nebula-intro" >}}) are great options for something like this. Alongside SSH, this may also be useful for web applications, if you only allow access to VPN IPs.
This is far from an all-or-nothing type deal. If you just want to give access to your Jellyfin server from outside the house, that's fine (and probably doesn't need a VPN). By mixing firewalls and IP restrictions, it's simple to achieve this opt-in publicity.
......
......@@ -65,7 +65,7 @@ I've seen many people talking about how they really like [bitwarden](https://bit
The primary reasons I had a VPN was for untrusted networks and downloading **Linux ISOs**. Given I've spent the majority of this year at home, the former hasn't come up very often.
I'm currently still using my previous [PIA](https://www.privateinternetaccess.com/) subscription, and the drama with the buyout has definitely gone down, but it's still there in the background. I think once the subscription runs out I'll be switching back to [mullvad](https://mullvad.net/en/) indefinitely. Their clients are pretty good, entirely open source, and the fact you can just download the wireguard configuration direct is also handy for when I can't be bothered to mess with clients.
I'm currently still using my previous [PIA](https://www.privateinternetaccess.com/) subscription, and the drama with the buyout has definitely gone down, but it's still there in the background. I think once the subscription runs out I'll be switching back to [mullvad](https://mullvad.net/en/) indefinitely. Their clients are pretty good, entirely open source, and the fact you can just download the WireGuard configuration direct is also handy for when I can't be bothered to mess with clients.
### Email
......
---
title: Why Wireguard
title: Why WireGuard
subtitle: ~~whyreguard~~
date: 2020-03-06
tags: [self-hosting, security]
---
## What is Wireguard?
## What is WireGuard?
The website defines it as "... extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.". Which basically means it's a VPN, but sane. The point of a VPN is to allow two machines to talk to eachother, no matter how the network inbetween is set up.
## Modern Features
Wireguard has a lot of nice, modern features.
WireGuard has a lot of nice, modern features.
Roaming, If I shut my laptop, go home, and open it again, the tunnel will be in the same state: just fine! None of this weird messed up state issues where you have to disconnect and reconnect.
Configuration is also incredibly simple. There's just one file of configuration, none of this multiple file fun like OpenVPN. Just a single ini file for the server, and a single, very similar, ini file for the client.
Wireguard's authentication model is incredibly simple. The client and server share public keys, and add them to their config files. If you've ever provisioned SSH keys, you'll feel right at home!
WireGuard's authentication model is incredibly simple. The client and server share public keys, and add them to their config files. If you've ever provisioned SSH keys, you'll feel right at home!
Having a simple command-line interface is also really handy to quickly iterate on configuration if something doesn't go right. `wg-quick` has a single command to start/stop a Wireguard connection, whether you're the server or client.
Having a simple command-line interface is also really handy to quickly iterate on configuration if something doesn't go right. `wg-quick` has a single command to start/stop a WireGuard connection, whether you're the server or client.
## No customization
Whilst I've said it's got a lot of features, most of them are an inherent part of the system. Wireguard in itself actually doesn't let you customize much, which sounds like a drawback, but it's really not. There's no complex configuration around authentication, authorization, or any auth backends, nor is there configuration for different encryption standards. You use what's provided, or you use something else.
Whilst I've said it's got a lot of features, most of them are an inherent part of the system. WireGuard in itself actually doesn't let you customize much, which sounds like a drawback, but it's really not. There's no complex configuration around authentication, authorization, or any auth backends, nor is there configuration for different encryption standards. You use what's provided, or you use something else.
In this way, Wireguard is very unix-y. If you need to do something Wireguard doesn't, there's a different tool you can use, which will probably do a better job than Wireguard ever could, or should. Most of the time, the tool you want is `iptables`, something I wouldn't wish on my worst enemy.
In this way, WireGuard is very unix-y. If you need to do something WireGuard doesn't, there's a different tool you can use, which will probably do a better job than WireGuard ever could, or should. Most of the time, the tool you want is `iptables`, something I wouldn't wish on my worst enemy.
## Built in, almost
Not that installing Wireguard is especially difficult, but soon it'll be built in, to Linux anyway. As of kernel 5.6, it's right there, ready to use, no installation required. In theory, it'll also be backported into Ubuntu 20.04 ready for its release, so people using LTS versions can be reliably using it for years to come.
Not that installing WireGuard is especially difficult, but soon it'll be built in, to Linux anyway. As of kernel 5.6, it's right there, ready to use, no installation required. In theory, it'll also be backported into Ubuntu 20.04 ready for its release, so people using LTS versions can be reliably using it for years to come.
Linus Torvalds, the creator of Linux, has a great quote about Wireguard: "Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art."
Linus Torvalds, the creator of Linux, has a great quote about WireGuard: "Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art."
## Not _chatty_
Wireguard is a very clean protocol, it'll only send packets when there's something to talk about. There's no handshake needed to set up a tunnel. There's a small handshake needed to keep the tunnel alive if you're behind NAT, but that's about it. If there's no data to send, there's no data transmitted. On top of this, Wireguard will only respond to authenticated and authorized packets, any other rubbish is just dropped. This makes it impossible to scan the internet and discover Wireguard servers, which is nice.
WireGuard is a very clean protocol, it'll only send packets when there's something to talk about. There's no handshake needed to set up a tunnel. There's a small handshake needed to keep the tunnel alive if you're behind NAT, but that's about it. If there's no data to send, there's no data transmitted. On top of this, WireGuard will only respond to authenticated and authorized packets, any other rubbish is just dropped. This makes it impossible to scan the internet and discover WireGuard servers, which is nice.
## Small
The Wireguard codebase is nice and small. Compared to OpenVPN it's practically microscopic. There's an obvious reason for this, it does a lot less. A smaller codebase makes it significantly easier to audit, and less code means there's _theoretically_ less to go wrong.
The WireGuard codebase is nice and small. Compared to OpenVPN it's practically microscopic. There's an obvious reason for this, it does a lot less. A smaller codebase makes it significantly easier to audit, and less code means there's _theoretically_ less to go wrong.
## Performance
Wireguard is incredibly fast. Take these benchmarks from the Wireguard website, captured over a gigabit network.
WireGuard is incredibly fast. Take these benchmarks from the WireGuard website, captured over a gigabit network.
![Wireguard benchmarks. [src](https://www.Wireguard.com/performance/#results)](charts.png)
![WireGuard benchmarks. [src](https://www.wireguard.com/performance/#results)](charts.png)
Not only is Wireguard significantly faster than OpenVPN, and slightly faster still than IPSec, there's an important extra bit of detail. The Wireguard version was the only one not maxing out the CPU, meaning whatever's limiting Wireguard's score, it's not Wireguard itself, it's likely something far more fundamental like networking overhead, seeing as 1011mb is pretty close to one gigabit.
Not only is WireGuard significantly faster than OpenVPN, and slightly faster still than IPSec, there's an important extra bit of detail. The WireGuard version was the only one not maxing out the CPU, meaning whatever's limiting WireGuard's score, it's not WireGuard itself, it's likely something far more fundamental like networking overhead, seeing as 1011mb is pretty close to one gigabit.
What's yet more scary impressive is this [quote](https://www.Wireguard.com/performance/#performance-roadmap):
What's yet more scary impressive is this [quote](https://www.wireguard.com/performance/#performance-roadmap):
> Right now, however, WireGuard is completely unoptimized.
## More
If you're thinking to yourself "This sounds great, where can I get started?", then you're in luck! Not only is the [Wireguard website](https://www.Wireguard.com/) a pretty good resource, but I've got a pretty good [getting started guide]({{< relref "posts/wireguard-getting-started" >}}), if I do say so myself.
If you're thinking to yourself "This sounds great, where can I get started?", then you're in luck! Not only is the [WireGuard website](https://www.wireguard.com/) a pretty good resource, but I've got a pretty good [getting started guide]({{< relref "posts/wireguard-getting-started" >}}), if I do say so myself.
---
title: Getting started with Wireguard
title: Getting started with WireGuard
date: 2019-09-15
tags: [security]
---
Wireguard is taking the VPN world by storm, coming very close to the current champion OpenVPN in simple, small-scale deployments. It's just unfortunate few people know about it, and quite how incredible it is!
WireGuard is taking the VPN world by storm, coming very close to the current champion OpenVPN in simple, small-scale deployments. It's just unfortunate few people know about it, and quite how incredible it is!
## What is wireguard?
## What is WireGuard?
> WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
https://www.wireguard.com/
Wireguard is not only lighter weight than OpenVPN, it's simpler, smaller, and most importantly does less. The final point may to some seem like a bad thing, but is actually great! The Unix Philosophy defines that tools should do one thing, and do it well. Wireguard simply creates networks and tunnels, no funky networking, no custom authentication, no complexity.
WireGuard is not only lighter weight than OpenVPN, it's simpler, smaller, and most importantly does less. The final point may to some seem like a bad thing, but is actually great! The Unix Philosophy defines that tools should do one thing, and do it well. WireGuard simply creates networks and tunnels, no funky networking, no custom authentication, no complexity.
## Getting started with Wireguard
## Getting started with WireGuard
There is an [official quick start guide](https://www.wireguard.com/quickstart/), however as someone just getting started with wireguard, and with little experience in the Linux network stack, it was a lot to understand at once. There is however a much simpler way of getting started: `wg-quick`.
There is an [official quick start guide](https://www.wireguard.com/quickstart/), however as someone just getting started with WireGuard, and with little experience in the Linux network stack, it was a lot to understand at once. There is however a much simpler way of getting started: `wg-quick`.
`wg-quick` creates standard wireguard tunnels, but generates the underlying commands for you, even printing them as it goes, so you can see how it's working.
`wg-quick` creates standard WireGuard tunnels, but generates the underlying commands for you, even printing them as it goes, so you can see how it's working.
### Installation
With wireguard, the server and client are the same, and so installing either side is just as simple. Wireguard maintain a list of [how to install on various platforms](https://www.wireguard.com/install/), read that! No point duplicating good documentation!
With WireGuard, the server and client are the same, and so installing either side is just as simple. WireGuard maintain a list of [how to install on various platforms](https://www.wireguard.com/install/), read that! No point duplicating good documentation!
As this creates a new type of network interface, it's highly likely you'll need to reboot.
......@@ -31,9 +31,9 @@ As this creates a new type of network interface, it's highly likely you'll need
### Authentication
Unlike OpenVPN, which (by default) uses a username/password based authentication system, Wireguard works using a public/private key. Keys are used to both verify the client is connecting to the correct server, and that the client is authorized to connect to the server.
Unlike OpenVPN, which (by default) uses a username/password based authentication system, WireGuard works using a public/private key. Keys are used to both verify the client is connecting to the correct server, and that the client is authorized to connect to the server.
Wireguard comes with commands to generate the key-pairs securely:
WireGuard comes with commands to generate the key-pairs securely:
```bash
wg genkey | tee privatekey | wg pubkey > publickey
......@@ -43,7 +43,7 @@ This creates two files, `publickey` and `privatekey` which contain, well, the pu
### Configuration
Wireguard's configuration lives in `ini` files in `/etc/wireguard/*.conf`, where `*` is the name of the wireguard interface (that'll be useful later).
WireGuard's configuration lives in `ini` files in `/etc/wireguard/*.conf`, where `*` is the name of the WireGuard interface (that'll be useful later).
Be sure to take care when specifying keys. Be sure to specify the correct keys for the correct device, else you'll receive configuration error.
......@@ -51,9 +51,9 @@ Be sure to take care when specifying keys. Be sure to specify the correct keys f
```ini
[Interface]
Address = 10.1.10.1 # IP of this device on this wireguard network
Address = 10.1.10.1 # IP of this device on this WireGuard network
PrivateKey = <server privatekey> # The servers private key
ListenPort = 51820 # The port for wireguard to listen on (51820 is the standard)
ListenPort = 51820 # The port for WireGuard to listen on (51820 is the standard)
# Specify one "Peer" block for each connecting device
......@@ -62,7 +62,7 @@ PublicKey = <client publickey> # The clients public key
AllowedIPs = 10.1.10.2/32 # The IP and mask the client should be assigned
```
Yes, that's really it! This isn't just a simple config, Wireguard just has a super simple configuration!
Yes, that's really it! This isn't just a simple config, WireGuard just has a super simple configuration!
#### Client configuration
......@@ -73,7 +73,7 @@ PrivateKey = <client privatekey> # The clients private key
[Peer]
PublicKey = <servers publickey> # The servers public key
Endpoint = <servers ip>:51820 # The IP (or hostname) of the server, along with the port wireguard is listening on
Endpoint = <servers ip>:51820 # The IP (or hostname) of the server, along with the port WireGuard is listening on
AllowedIPs = 10.1.10.2/24 # The IPs and masks the client should route through the tunnel
PersistentKeepalive = 25 # Ensure connections remain active, especially useful over NAT
......@@ -94,7 +94,7 @@ Assuming this didn't output any errors, you should see a new interface in `ifcon
#### Connecting the client
To connect a client, you can also run `wg-quick up <interface>`, and again, you'll see a wireguard interface with the specified IP allocated. `ip route` will also contain some entries for routing the required IP ranges through this new interface.
To connect a client, you can also run `wg-quick up <interface>`, and again, you'll see a WireGuard interface with the specified IP allocated. `ip route` will also contain some entries for routing the required IP ranges through this new interface.
### _Profit_?
......@@ -102,4 +102,4 @@ That's it!
There's now an encrypted tunnel set up between your two machines, which can be used to send any kind of traffic over, whether it be web traffic, media streaming, or email (if you're reading this guide and thinking about using the tunnel for email, please don't!).
If your needs are simply to forward traffic via another computer / network, or connect devices to the network of another, look past OpenVPN and give Wireguard a shot!
If your needs are simply to forward traffic via another computer / network, or connect devices to the network of another, look past OpenVPN and give WireGuard a shot!
---
title: Wireguard HAProxy Gateway
title: WireGuard HAProxy Gateway
subtitle: Tunnelling traffic
date: 2020-03-21
tags: [self-hosting, security]
......@@ -24,19 +24,19 @@ Don't get me wrong, none of these issues are actually that bad - I'm just a perf
The requirements are pretty similar to last time. There's a VPS, and an internal device.
This is where things diverge slightly: [Wireguard](https://www.wireguard.com/)! Since writing the original post, I've had a change to play with Wireguard, and fallen in love with its simplicity.
This is where things diverge slightly: [WireGuard](https://www.wireguard.com/)! Since writing the original post, I've had a change to play with WireGuard, and fallen in love with its simplicity.
The VPS will act as the VPN server, as before. This time, I'm using debian, because it's the far superior distribution for this kind of deployment. Realistically any distribution which supports Wireguard will do.
The VPS will act as the VPN server, as before. This time, I'm using debian, because it's the far superior distribution for this kind of deployment. Realistically any distribution which supports WireGuard will do.
The internal device now simply needs to run the Wireguard client. In this setup, it's also the device which serves the hosted applications, but could easily be used in the same setup as before, proxying to external servers.
The internal device now simply needs to run the WireGuard client. In this setup, it's also the device which serves the hosted applications, but could easily be used in the same setup as before, proxying to external servers.
The external device now simply forwards incoming traffic downstream, with little to no modification. This is done in a way which doesn't require modifying the packages, and so can be done without access to the TLS private keys, which is important.
# Installation
## Configure Wireguard
## Configure WireGuard
Configuring a wireguard tunnel is an incredibly straightforward process. I suggest you read [my getting started guide]({{< relref "wireguard-getting-started" >}}) to find out how to do it.
Configuring a WireGuard tunnel is an incredibly straightforward process. I suggest you read [my getting started guide]({{< relref "wireguard-getting-started" >}}) to find out how to do it.
## Install HAProxy
......@@ -48,7 +48,7 @@ HAProxy is generally used as a load balancer, but it works perfectly fine with a
## Enable automatic connections
When building a tunnel like this, it's important for each end of the tunnel to reconnect in the event of issues. This was an incredibly annoying caveat with OpenVPN, but wireguard deals with this very well.
When building a tunnel like this, it's important for each end of the tunnel to reconnect in the event of issues. This was an incredibly annoying caveat with OpenVPN, but WireGuard deals with this very well.
To do this, we simply enable a systemd service, based on the name of the config file. If the config is at `/etc/wireguard/my-tun.conf`, then enable `wg-quick@my-tun.service`.
......@@ -79,7 +79,7 @@ If you're using docker, [Traefik](https://docs.traefik.io/) accepts both proxy p
## Wrapping up
Web traffic comes in to your VPS, is received by HAProxy, has proxy protocol details added, forwarded down a wireguard tunnel, and to your internal applications, all with almost no overhead.
Web traffic comes in to your VPS, is received by HAProxy, has proxy protocol details added, forwarded down a WireGuard tunnel, and to your internal applications, all with almost no overhead.
{{<mermaid caption="Network layout">}}
graph LR
......@@ -87,11 +87,11 @@ graph LR
A[End Users]
subgraph VPS
B[HAProxy]
C[Wireguard Server]
C[WireGuard Server]
end
subgraph Home Server
D[Wireguard Client]
D[WireGuard Client]
E[Traefik]
F[Service 1]
G[Service 2]
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment