Wireguard - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki
Intro
For this first lab, plan to research WireGuard VPN and install it on peer systems. The goal is to secure and hide both ssh and http session traffic between EC2 and a LAN host. This lab will illustrate how WireGuard can be used to secure traffic across an untrusted network.
Part One: AWS Ubuntu Peer
Download your private key from AWS Lab
chmod 400 privatekey.txt # Yes it can be a .txt file
Access the AWS Academy Learner Lab Console
Launch a Ubuntu 22.04 Free-Tier Instance
Create a new instance with the default parameters
Record the Parameters:
- security group: launch-wizard-1
- vpc: vpc-0e6c4199ed8dbdbe2
- subnet: subnet-053df813ec9eaeaff
- ipv4 DNS: ec2-3-83-89-84.compute-1.amazonaws.com
I changed the name of the file from notakey.pem to nothing.txt as the previous name was giving me errors.
Part Two: Wireguard VPN Installation and Configuration
Install wireguard on both aws ubuntu-peer and xubunutu-lan
sudo apt-get update
sudo apt-get install wireguard
I used [this](https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04) guide to set up wireguard on ubuntu and AWS
Tips:
- Do as sudo user
- Create everything in /etc/wireguard for convenience
On AWS Ubuntu
- Add wg0 interface using ip link with type “wireguard”
- Set the wg0 ip address to 10.0.101.1/24 (ip addr command)
- Use “wg set” to specify the private key file
- Use “wg set” to specify the listening port as 51900
- “ip link” can be used to bring up wg0
On Xubuntu-LAN
- Almost identical config except set ip to 10.0.101.2/24
sudo -i # become root; everything below runs as root
cd /etc/wireguard
wg genkey | tee private.key # generate the private key
chmod go= private.key # private key readable by root only
cat private.key | wg pubkey | tee public.key # derive the public key
ip link add dev wg0 type wireguard # create the wg0 interface
ip address add dev wg0 10.0.101.1/24 # use 10.0.101.2/24 on xubuntu-lan
wg set wg0 private-key private.key
wg set wg0 listen-port 51900
ip link set wg0 up
wg # show the interface, its public key and listen port
ip a # confirm the wg0 address
Configure xubuntu-lan as a peer on aws-ubuntu-peer
Copy the text of the xubuntu-lan public key (example pubkey below).
On aws, paste the key in:
wg set wg0 peer CHOgWp7S4aBVvdk/8pYac9nfTYqvjWTVJLnupOHaulM= allowed-ips 10.0.101.2/32 endpoint 10.0.5.6:51900
Configure aws-ubuntu-peer as a peer on xubuntu-lan
Copy the text of the aws WireGuard public key.
On xubuntu-lan, do the same (example pubkey below):
wg set wg0 peer tBsGnPUqj7LaB9xZBrJ4905I6Rj0qioINpUagBW0418= allowed-ips 10.0.101.1/32 endpoint ec2-3-88-197-168.compute-1.amazonaws.com:51900
Inbound Rules on AWS
Edit the security group you assigned to your ubuntu instance
- Add Custom Inbound UDP rule to allow port 51900
- Add an inbound ICMP rule (if one doesn’t exist already)
Save Configurations on aws and xubuntu-lan
wg showconf wg0 | tee /etc/wireguard/wg0.conf
This takes the current WireGuard configuration of wg0 and saves it as a config file.
NOTE: the Address is not saved by showconf. Edit both wg0.conf files to add Address so that wg0.conf looks like this:
aws:
xubuntu-lan:
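As an added example (not the journal's own files), this is what the two wg0.conf files look like once Address has been added, assembled from the addresses, port, endpoints and public keys recorded above. Each PrivateKey value is a placeholder for the contents of that host's private.key, which wg showconf fills in for you.

```ini
# aws-ubuntu-peer: /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.101.1/24
ListenPort = 51900
PrivateKey = <contents of the aws private.key>

[Peer]
PublicKey = CHOgWp7S4aBVvdk/8pYac9nfTYqvjWTVJLnupOHaulM=
AllowedIPs = 10.0.101.2/32
Endpoint = 10.0.5.6:51900

# xubuntu-lan: /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.101.2/24
ListenPort = 51900
PrivateKey = <contents of the xubuntu-lan private.key>

[Peer]
PublicKey = tBsGnPUqj7LaB9xZBrJ4905I6Rj0qioINpUagBW0418=
AllowedIPs = 10.0.101.1/32
# wg showconf writes the resolved IP here; the EC2 DNS name used in the wg set command also works
Endpoint = ec2-3-88-197-168.compute-1.amazonaws.com:51900
```

Because showconf writes the private key into this file, keep wg0.conf readable by root only (chmod 600), exactly as private.key is. With Address present, wg-quick up wg0 and wg-quick down wg0 rebuild the interface from this file, which is what the PostUp/PostDown rules in Part Four rely on.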
Part Three: Configure Apache on AWS-Ubuntu
Install and configure apache on AWS-Ubuntu and have it listen on port 8080
- Install service (called apache2)
- Once installed, create a new /var/www/html/index.html file. It can just be a text file that includes your name and SEC-440 Wireguard Lab. Make sure the file is readable by everyone
- Update apache config to listen on port 8080 instead of 80 (tip /etc/apache2/ports.conf)
- Start the apache2 service and make sure you can access the page locally (e.g. with curl)
DELIVERABLE:
Screenshot showing successful connectivity via wireguard address from AWS to xubuntu-lan:
Part Four:
On AWS, edit wg0.conf to include another (don’t remove the 10.0.101.2/32) allowed IP network (either 10.0.6.0/24 or 10.0.5.0/24 - depending on where the SEC-440 net web server is located). In this case, we will be allowing 10.0.6.0/24.
On xubuntu-lan and aws-ubuntu you need to create “post up” and “post down” rules in your wg0.conf.
These are iptables rules that allow the server to forward packets and apply POSTROUTING NAT (basically NAT’ing for the internal network).
Something like the following should go into the wg0.conf file in the Interface section, but make sure that the correct interface is named as the POSTROUTING outbound interface (-o in the POSTROUTING command).
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0/ens160 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0/ens160 -j MASQUERADE
Afterwards, type
sysctl -w net.ipv4.ip_forward=1
sysctl -p
Make sure that all the network adapters are correct and everything is spelled correctly.
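A sanity check for the finished wg0.conf, as an added example written for this page (not the lab's or WireGuard's own code). It parses the file and reports the slips this lab warns about: Address missing after wg showconf, the eth0/ens160 placeholder left in the POSTROUTING rule, a PostDown that does not mirror PostUp, malformed keys, and an AllowedIPs prefix claimed by more than one peer. The sample configs inside it are constructed: the peer public keys are the ones shown above, the private key is a dummy value, and eth0 is an assumed uplink name that stands in for whatever ip a shows on the real host.

```python
"""Sanity check for a wg-quick style wg0.conf (added example, not the lab's code)."""
import base64
import ipaddress
import re

def parse_wg_conf(text):
    """[(section, {key: value}), ...]; configparser is avoided because [Peer] repeats."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif not sections or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:  # split on the first '=' only: base64 keys themselves end in '='
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def is_wg_key(value):
    """A WireGuard key is 32 bytes in base64: 44 characters ending in '='."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def check_wg_conf(text, uplink):
    """Return a list of problems (empty == looks sane); 'uplink' is the real outbound NIC."""
    problems = []
    sections = parse_wg_conf(text)
    interfaces = [body for name, body in sections if name == "Interface"]
    peers = [body for name, body in sections if name == "Peer"]
    if len(interfaces) != 1:
        return [f"expected one [Interface] section, found {len(interfaces)}"]
    iface = interfaces[0]
    if "Address" not in iface:
        problems.append("Interface has no Address (wg showconf does not save it)")
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("PrivateKey missing or not a 44-char base64 key")
    post_up, post_down = iface.get("PostUp"), iface.get("PostDown")
    if (post_up is None) != (post_down is None):
        problems.append("PostUp and PostDown must both be set, else rules linger after wg-quick down")
    if post_up and post_down:
        if post_up.replace(" -A ", " -D ") != post_down:
            problems.append("PostDown does not mirror PostUp (every -A should become -D)")
        for cmd in post_up.split(";"):  # only the NAT rule should name the uplink
            if "POSTROUTING" in cmd:
                m = re.search(r"-o\s+(\S+)", cmd)
                if not m or m.group(1) != uplink:
                    problems.append(f"POSTROUTING must name '-o {uplink}', found: {cmd.strip()}")
    claimed = []  # (network, peer number): WireGuard routes a prefix to exactly one peer
    for n, peer in enumerate(peers, 1):
        if not is_wg_key(peer.get("PublicKey", "")):
            problems.append(f"peer {n}: PublicKey missing or malformed")
        for cidr in (c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"peer {n}: bad AllowedIPs entry {cidr}")
                continue
            for other, other_n in claimed:
                if net.overlaps(other):
                    problems.append(f"peer {n}: AllowedIPs {net} overlaps peer {other_n}'s {other}")
            claimed.append((net, n))
    return problems

# Constructed samples: peer public keys are the ones from the lab, the private key is a
# dummy 32-byte value (not a real key), and 'eth0' is an assumed uplink name.
DUMMY_PRIVATE = base64.b64encode(b"\x01" * 32).decode()
AWS_CONF_OK = f"""
[Interface]
Address = 10.0.101.1/24
ListenPort = 51900
PrivateKey = {DUMMY_PRIVATE}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = CHOgWp7S4aBVvdk/8pYac9nfTYqvjWTVJLnupOHaulM=
AllowedIPs = 10.0.101.2/32, 10.0.6.0/24
Endpoint = 10.0.5.6:51900
"""
# Same file with the classic slips: no Address, placeholder uplink, PostDown still using -A,
# and a second peer with a bad key that also claims part of 10.0.6.0/24.
AWS_CONF_BAD = f"""
[Interface]
PrivateKey = {DUMMY_PRIVATE}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0/ens160 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0/ens160 -j MASQUERADE
[Peer]
PublicKey = CHOgWp7S4aBVvdk/8pYac9nfTYqvjWTVJLnupOHaulM=
AllowedIPs = 10.0.101.2/32, 10.0.6.0/24
[Peer]
PublicKey = not-a-key
AllowedIPs = 10.0.6.50/32
"""

if __name__ == "__main__":  # prints [] for the good file and five findings for the bad one
    print(check_wg_conf(AWS_CONF_OK, "eth0"), check_wg_conf(AWS_CONF_BAD, "eth0"), sep="\n")
```

To run it against the real file, call check_wg_conf(open("/etc/wireguard/wg0.conf").read(), "<uplink from ip a>") as root on each host. It cannot check the kernel side: sysctl -w net.ipv4.ip_forward=1 only lasts until reboot, and sysctl -p only reloads /etc/sysctl.conf, so the setting has to be written there as well to persist. The FORWARD rules from the lab accept everything in both directions through wg0; outside a lab you would narrow them to the 10.0.101.0/24 and 10.0.6.0/24 pair.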
DELIVERABLE:
Successful curl from aws to internal webserver: