garbash-www

archive of ~alex garbash.com page
git clone git://git.alexkarle.com.com/garbash-www

009-wireguard.md (2256B)


---
title: 009-wireguard
---

# 009-wireguard

Tues Sep 28, 2021

Wireguard is probably one of the coolest technologies I've encountered
in a long time. The simplicity of public key auth (ssh-style where the
protocol doesn't care how you get the public key on the server) all
in the kernel? Sign me up!

On our tilde, we want to set up wireguard so that we can provide vpn-only
services (for security reasons such as not allowing brute-force password
attempts).

The very first of these services is IRC--we want people to be able to
connect from mobile devices and personal computers, but our network is
currently not password protected and has no services like NickServ, etc.

The solution? Have it listen on a wireguard IP and distribute wg keys
to trusted tilde members :)

I'll start with the obligatory RTFM -- wg(8) and ifconfig(8) are both
really well documented. However, there was a bit of fun hackery that went
down on our Tuesday pair-admining call that's worth documenting!

~anthony and I needed a simple tool to manage wireguard keys and IPs.
When a new device is to be given access we want to:

  1) Generate a private key, public key, and wg-quick(1) config file
     to distribute to the user
  2) Obtain the next numerical hostname
  3) Add the peer to our wg endpoint on the server

To do this, we used a small sh(1) script that has a catalog of names in
a flat file like so:

	host1	10.6.6.1
	host2	10.6.6.2
	...

And then each host has a directory:

	host1/
	     private.key
	     public.key
	     client.conf

The tool is called wggen(1) [1], and it ends up effectively:

1. Creating a directory for NAME
2. Generating a wg(8) key using openssl(1):
```
# 32 random bytes, base64-encoded: the key format wg(8) reads
openssl rand -base64 32 > private.key
```
3. Creating a temporary wg endpoint to get the public key using
   the grep/cut hack in wg(8)'s EXAMPLES
4. tail(1)-ing the host file to get the next available IP
5. Using all the above to generate the client.conf
6. Adding the wgpeer line to /etc/hostname.wg0 and restarting the
   prod endpoint with sh /etc/netstart

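The userland part of that procedure (steps 1, 2, 4 and 5), written up here as an added sh example rather than the tilde's own wggen script. Steps 3 and 6 are left out because they need root and a live wg interface. It assumes the flat catalog shown above (`hostN<TAB>10.6.6.N`), a 10.6.6.0/24 VPN, and the function names `gen_privkey`, `next_host`, `client_conf` and `enroll` plus the `server_pubkey`/`endpoint` inputs, none of which come from the post.

```sh
#!/bin/sh
# Added example, not the tilde's wggen. Assumes the "hostN<TAB>10.6.6.N"
# catalog and a 10.6.6.0/24 VPN; steps 3 and 6 (wg interface, hostname.wg0)
# need root and are not included.
set -eu

# Step 2: 32 random bytes, base64-encoded, the key format wg(8) reads.
gen_privkey() {
    openssl rand -base64 32
}

# Step 4: read the last catalog line and print "hostN+1 10.6.6.N+1".
# An empty catalog starts at host1; .255 is refused (broadcast on the /24).
next_host() {
    hosts=$1
    if [ ! -s "$hosts" ]; then
        printf 'host1 10.6.6.1\n'
        return 0
    fi
    last=$(tail -n 1 "$hosts" | cut -f1)
    n=${last#host}
    case $n in
        ''|*[!0-9]*) echo "bad catalog line: $last" >&2; return 1 ;;
    esac
    n=$((n + 1))
    [ "$n" -lt 255 ] || { echo "address pool exhausted" >&2; return 1; }
    printf 'host%s 10.6.6.%s\n' "$n" "$n"
}

# Step 5: the wg-quick(1) client.conf. server_pubkey and endpoint are
# assumed inputs; the real script takes them from the server side.
client_conf() {
    privkey=$1 ip=$2 server_pubkey=$3 endpoint=$4
    cat <<EOF
[Interface]
PrivateKey = $privkey
Address = $ip/24

[Peer]
PublicKey = $server_pubkey
AllowedIPs = 10.6.6.0/24
Endpoint = $endpoint
PersistentKeepalive = 25
EOF
}

# Steps 1, 4 and 5 together: allocate a name, make its directory, write
# private.key and client.conf, and record it in the catalog. Prints NAME.
enroll() {
    hosts=$1 server_pubkey=$2 endpoint=$3
    line=$(next_host "$hosts")
    name=${line%% *} ip=${line#* }
    mkdir "$name"                      # fails rather than clobbering a host
    gen_privkey > "$name/private.key"
    client_conf "$(cat "$name/private.key")" "$ip" "$server_pubkey" \
        "$endpoint" > "$name/client.conf"
    printf '%s\t%s\n' "$name" "$ip" >> "$hosts"
    echo "$name"
}
```

Run as `enroll hosts.txt "$(cat server.pub)" vpn.example.org:51820` from the directory that holds the per-host folders; the public key for the server-side wgpeer line still comes from step 3.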
I'll leave the exact details as an exercise for the reader to go look
at the git repo :)

Needless to say, this was a lot of fun to write!

[1]: https://git.alexkarle.com/garbash-config/file/usr/local/bin/wggen.html