alexkarle.com

009-wireguard.txt

# 009-wireguard

_Tues Sep 28, 2021_

WireGuard is probably one of the coolest technologies I've encountered
in a long time. The simplicity of public key auth (ssh-style, where the
protocol doesn't care how you get the public key onto the server), all
in the kernel? Sign me up!

On our tilde, we want to set up WireGuard so that we can provide VPN-only
services: a service that only listens on the tunnel address isn't
reachable from the public internet at all, so (for example) nobody can
brute-force passwords against it.

The very first of these services is IRC. We want people to be able to
connect from mobile devices and personal computers, but our network is
currently not password protected and has no services like NickServ, etc.

The solution? Have it listen on a WireGuard IP and distribute wg keys
to trusted tilde members :)

I'll start with the obligatory RTFM -- wg(4) and ifconfig(8) are both
really well documented. However, there was a bit of fun hackery that went
down on our Tuesday pair-admining call that's worth documenting!

~anthony and I needed a simple tool to manage WireGuard keys and IPs.
When a new device is to be given access we want to:

1. Generate a private key, public key, and wg-quick(8) config file
   to distribute to the user
2. Obtain the next numerical hostname
3. Add the peer to our wg endpoint on the server

To do this, we used a small sh(1) script that has a catalog of names in
a flat file like so:

	host1	10.6.6.1
	host2	10.6.6.2
	...

And then each host has a directory:

	host1/
	     private.key
	     public.key
	     client.conf

The tool is called [wggen(1)](https://git.alexkarle.com/garbash-config/file/usr/local/bin/wggen.html),
and what it does boils down to:

1. Creating a directory for NAME
2. Generating a wg(4) private key with openssl(1)
3. Creating a temporary wg endpoint to read the public key back, using
   the grep/cut hack from wg(4)'s EXAMPLES
4. tail(1)-ing the host file to get the next available IP
5. Using all of the above to generate the client.conf
6. Adding the wgpeer line to /etc/hostname.wg0 and restarting the
   prod endpoint with sh /etc/netstart
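
Here is the same six-step flow as a runnable sh(1) script. This is an added
example written for this page, not the wggen(1) from the garbash-config repo.
It assumes (none of this is stated in the post) that the catalog is a
tab-separated file named `hosts` in the current directory, that the VPN
subnet is 10.6.6.0/24 with the server on .254, that the server's public key
and endpoint are supplied in the `SERVER_PUBKEY` and `SERVER_ENDPOINT`
variables, and that `wg(8)` from wireguard-tools may or may not be installed
(if it isn't, the script falls back to the throwaway-interface trick from
wg(4)'s EXAMPLES, which needs root on OpenBSD).

```shell
#!/bin/sh
# Added example in the spirit of wggen(1); not the script from garbash-config.
# Assumptions: catalog "hosts" of "NAME<TAB>IP" lines, VPN subnet 10.6.6.0/24,
# server on .254, server pubkey/endpoint given below, OpenBSD hostname.if(5).
set -eu

WG_SUBNET=10.6.6                                              # assumption
SERVER_PUBKEY=${SERVER_PUBKEY:-REPLACE_WITH_SERVER_PUBKEY}    # assumption
SERVER_ENDPOINT=${SERVER_ENDPOINT:-vpn.example.org:51820}     # assumption
HOSTNAME_IF=${HOSTNAME_IF:-/etc/hostname.wg0}

# Step 4: tail the catalog and allocate the next number. Prints
# "hostN<TAB>10.6.6.N"; an empty or missing catalog yields host1.
# Note this never reuses a revoked host's slot, which is fine for a /24.
next_host() {
	last=$(tail -n 1 "$1" 2>/dev/null | cut -f 1)
	if [ -z "$last" ]; then
		n=0
	else
		n=${last#host}
		case $n in
			''|*[!0-9]*) echo "next_host: bad catalog line '$last'" >&2; return 1 ;;
		esac
	fi
	n=$((n + 1))
	# .0 is the network, .254 the server (assumption), .255 broadcast.
	[ "$n" -le 253 ] || { echo "next_host: subnet exhausted" >&2; return 1; }
	printf 'host%d\t%s.%d\n' "$n" "$WG_SUBNET" "$n"
}

# Step 2: 32 random bytes, base64, exactly as wg(4)'s EXAMPLES do. WireGuard
# clamps the Curve25519 scalar when it loads the key, so this is a valid key.
gen_privkey() {
	openssl rand -base64 32
}

# Step 3: derive the public key. wg(8) does it without touching the network
# stack; otherwise create a throwaway interface and read wgpubkey back
# (the grep/cut hack from wg(4)'s EXAMPLES; wg9 assumed unused; needs root).
derive_pubkey() {
	if command -v wg >/dev/null 2>&1; then
		printf '%s\n' "$1" | wg pubkey
	else
		ifconfig wg9 create wgkey "$1"
		ifconfig wg9 | grep wgpubkey | cut -d ' ' -f 2
		ifconfig wg9 destroy
	fi
}

# Step 5: the wg-quick(8) config handed to the user. The client gets a /32
# and only routes the VPN subnet through the tunnel.
client_conf() {
	privkey=$1 ip=$2
	printf '%s\n' \
		'[Interface]' \
		"PrivateKey = $privkey" \
		"Address = $ip/32" \
		'' \
		'[Peer]' \
		"PublicKey = $SERVER_PUBKEY" \
		"AllowedIPs = $WG_SUBNET.0/24" \
		"Endpoint = $SERVER_ENDPOINT" \
		'PersistentKeepalive = 25'
}

# Step 6: the hostname.wg0 line for the server. wgaip pins the peer to its
# own /32, so one member's key cannot send traffic as another member's IP.
peer_line() {
	printf 'wgpeer %s wgaip %s/32\n' "$1" "$2"
}

# Steps 1-6 tied together. Usage: sh wggen.sh [catalog]
main() {
	catalog=${1:-hosts}
	entry=$(next_host "$catalog")
	set -- $entry                       # split "hostN<TAB>IP" on IFS
	name=$1 ip=$2
	umask 077                           # private.key must not be world-readable
	mkdir "$name"
	privkey=$(gen_privkey)
	pubkey=$(derive_pubkey "$privkey")
	printf '%s\n' "$privkey" >"$name/private.key"
	printf '%s\n' "$pubkey" >"$name/public.key"
	client_conf "$privkey" "$ip" >"$name/client.conf"
	printf '%s\n' "$entry" >>"$catalog"
	peer_line "$pubkey" "$ip" >>"$HOSTNAME_IF"
	sh /etc/netstart wg0                # re-apply only wg0, not every interface
	echo "added $name ($ip); hand $name/client.conf to the user"
}

if [ $# -gt 0 ]; then
	main "$@"
fi
```

Two details worth keeping even if you write your own version: `umask 077`
before creating the host directory, so `private.key` is never readable by
other tilde users, and `wgaip IP/32` on the server side, which is what stops
a member (or whoever ends up with their key) from using another member's
tunnel address. Passing `wg0` to `/etc/netstart` restarts just that
interface instead of every one in `/etc/hostname.*`.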

I'll leave the exact details as an exercise for the reader: go look
at the git repo :)

Needless to say, this was a lot of fun to write!