garbash-www

archive of ~alex garbash.com page
git clone git://git.alexkarle.com.com/garbash-www
Log | Files | Refs | README | LICENSE
commit e917f26955a70793166c7b3cc7a65309d2bf669d (patch)
parent a67c31b1e3405da41165467ab8c6179d22a8aa58
Author: alex <alex@garbash.com>
Date:   Wed, 29 Sep 2021 23:24:47 -0400

notes: Add wireguard writeup

I wonder how many of these writeups will become "check out the
source over on git"

It does feel a bit redundant to copy it all into the notes..
but OTOH, the source may change over time. hm

Diffstat:

Mindex.html | 2+-


Anotes/009-wireguard.txt | 64++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


2 files changed, 65 insertions(+), 1 deletion(-)

diff --git a/index.html b/index.html
@@ -21,7 +21,6 @@ this site along with my field notes on how I set each thing up!
 
 <h3>TODO:</h3>
 <ul>
-<li>Set up wireguard</li>
 <li>Set up IRC bouncer</li>
 <li>Set up IRC services (NickServ)</li>
 <li>Basic backup solution</li>
@@ -43,6 +42,7 @@ this site along with my field notes on how I set each thing up!
 <li><a href="notes/006-use-the-src.txt">Obtained the source code for the system</a></li>
 <li><a href="notes/007-git-coding.txt">Set up git hosting via stagit(1)</a></li>
 <li><a href="notes/008-local-irc.txt">Set up IRC for tilde members</a></li>
+<li><a href="notes/009-wireguard.txt">Set up wireguard</a></li>
 </ul>
 </body>
 </html>
diff --git a/notes/009-wireguard.txt b/notes/009-wireguard.txt
@@ -0,0 +1,64 @@
+009-wireguard -- Tues Sep 28, 2021
+
+Wireguard is probably one of the coolest technologies I've encountered
+in a long time. The simplicity of public key auth (ssh-style where the
+protocol doesn't care how you get the public key on the server) all
+in the kernel? Sign me up!
+
+On our tilde, we want to set up wireguard so that we can provide vpn-only
+services (for security reasons such as not allowing brute-force password
+attempts).
+
+The very first of these services is IRC--we want people to be able to
+connect from mobile devices and personal computers, but our network is
+currently not password protected and has no services like NickServ, etc.
+
+The solution? Have it listen on a wireguard IP and distribute wg keys
+to trusted tilde members :)
+
+I'll start with the obligatory RTFM -- wg(8) and ifconfig(8) are both
+really well documented. However, there was a bit of fun hackery that went
+down on our tuesday pair-admining call that's worth documenting!
+
+~anthony and I needed a simple tool to manage wireguard keys and IPs.
+When a new device is to be given access we want to:
+
+  1) Generate a private key, public key, and wg-quick(1) config file
+     to distribute to the user
+  2) Obtain the next numerical hostname
+  3) Add the peer to our wg endpoint on the server
+
+To do this, we used a small sh(1) script that has a catalog of names in
+a flat file like so:
+
+	host1	10.6.6.1
+	host2	10.6.6.2
+	...
+
+And then each host has a directory:
+
+	host1/
+	     private.key
+	     public.key
+	     client.conf
+
+The tool is called wggen(1) [1], and it ends up effectively:
+
+	1) Creating a directory for NAME
+	2) Generating a wg(8) key using openssl(1):
+		
+		openssl rand -base64 32 > private.key
+
+	3) Creating a temporary wg endpoint to get the public key using
+	   the grep/cut hack in wg(8)'s EXAMPLES
+	4) tail(1)-ing the host file to get the next available IP
+	5) Using all the above to generate the client.conf
+	6) Adding the wgpeer line to /etc/hostname.wg0 and restarting the
+	   prod endpoint with sh /etc/netstart
+
+I'll leave the exact details as an exercise for the reader to go look
+at the git repo :)
+
+Needless to say, this was a lot of fun to write!
+
+[1]: https://git.garbash.com/alex/config/file/usr/local/bin/wggen.html