Wireguard - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki

Intro

For this first lab, plan to research Wireguard VPN and install it on peer systems. The goal is to secure and hide both SSH and HTTP session traffic between EC2 and a LAN host. This lab will illustrate how Wireguard can be used to secure traffic across an untrusted network.

Part One: AWS Ubuntu Peer

Download your private key from AWS Lab

chmod 400 privatekey.txt # Yes it can be a .txt file



Access the AWS Academy Learner Lab Console

Launch a Ubuntu 22.04 Free-Tier Instance


Create a new instance with the default parameters

Record the Parameters:

  • security group: launch-wizard-1
  • vpc: vpc-0e6c4199ed8dbdbe2
  • subnet: subnet-053df813ec9eaeaff
  • ipv4 DNS: ec2-3-83-89-84.compute-1.amazonaws.com


I changed the name of the file from notakey.pem to nothing.txt as the previous name was giving me errors.


Part Two: Wireguard VPN Installation and Configuration

Install wireguard on both aws ubuntu-peer and xubunutu-lan

sudo apt-get update
sudo apt-get install wireguard

I used [this](https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04) guide to set up wireguard on ubuntu and AWS

Tips:

  • Do as sudo user
  • Create everything in /etc/wireguard for convenience

On AWS Ubuntu

  • Add wg0 interface using ip link with type “wireguard”
  • Set the wg0 ip address to 10.0.101.1/24 (ip addr command)
  • Use “wg set” to specify the private key file
  • Use “wg set” to specify the listening port as 51900
  • “ip link” can be used to bring up wg0

On Xubuntu-LAN

  • Almost identical config except set ip to 10.0.101.2/24

sudo -i                                        # root shell, so no further sudo is needed
cd /etc/wireguard
wg genkey | tee private.key                    # generate the private key (tee also echoes it to the terminal)
chmod go= private.key                          # private key readable by root only
cat private.key | wg pubkey | tee public.key   # derive the public key to hand to the other peer
ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.101.1/24           # on xubuntu-lan use 10.0.101.2/24 instead
wg set wg0 private-key private.key
wg set wg0 listen-port 51900
ip link set wg0 up
wg                                             # show interface state and peers
ip a

Configure xubuntu-lan as a peer on aws-ubuntu-peer

copy the text of the xubuntu-lan public key (example pubkey below)

on aws, paste the key into the wg set command:

wg set wg0 peer CHOgWp7S4aBVvdk/8pYac9nfTYqvjWTVJLnupOHaulM= allowed-ips 10.0.101.2/32 endpoint 10.0.5.6:51900

Configure aws-ubuntu-peer as a peer on xubuntu-lan

copy text of aws wireguard public key

on xubuntu-lan do the same (example pubkey below)

wg set wg0 peer tBsGnPUqj7LaB9xZBrJ4905I6Rj0qioINpUagBW0418= allowed-ips 10.0.101.1/32 endpoint ec2-3-88-197-168.compute-1.amazonaws.com:51900

Inbound Rules on AWS

Edit the security group you assigned to your ubuntu instance

  • Add Custom Inbound UDP rule to allow port 51900
  • Add ICMP Inbound Rule to allow (if it doesn’t exist already)

Save Configurations on aws and xubuntu-lan

wg showconf wg0 | tee /etc/wireguard/wg0.conf

This takes the current wireguard config for wg0 and saves it as a config file. Because showconf prints the interface's private key, keep the saved file readable by root only.

NOTE: Address is not saved by showconf. Edit both wg0.conf files to add an Address line under [Interface] so that each wg0.conf looks like this:

aws: [screenshot of wg0.conf on aws-ubuntu-peer]

xubuntu-lan: [screenshot of wg0.conf on xubuntu-lan]


Part Three: Configure Apache on AWS-Ubuntu

Install and configure apache on AWS-Ubuntu and have it listen on port 8080

  1. Install service (called apache2)
  2. Once installed, create a new /var/www/html/index.html file. Can just be a text file that includes your name and SEC-440 Wireguard Lab. Make sure file is readable by everyone
  3. Update apache config to listen on port 8080 instead of 80 (tip /etc/apache2/ports.conf)
  4. Start the apache2 service and make sure you can access the page locally (e.g. with curl)

DELIVERABLE:

Screenshot showing successful connectivity via wireguard address from AWS to xubuntu-lan:



Part Four:

On AWS, edit wg0.conf to include another (don’t remove the 10.0.101.2/32) allowed IP network (either 10.0.6.0/24 or 10.0.5.0/24 - depending on where the SEC-440 net web server is located). In this case, we will be allowing 10.0.6.0/24.

On xubuntu-lan and aws-ubuntu you need to create PostUp and PostDown rules in your wg0.conf.

These are iptables rules that allow the host to forward packets and to masquerade them with POSTROUTING NAT (basically NAT'ing for the internal network).

Something like the following should go into the wg0.conf file in the Interface section - but make sure that the correct interface is named as the postrouting outbound interface (-o in the POSTROUTING command)

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0/ens160 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0/ens160 -j MASQUERADE

Afterwards, type

sysctl -w net.ipv4.ip_forward=1   # enable IPv4 forwarding immediately (not persistent on its own)
sysctl -p                         # reloads /etc/sysctl.conf; add net.ipv4.ip_forward=1 there to survive a reboot

Make sure that all the network adapters are correct and everything is spelled correctly.
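To see why the extra allowed-ips entry in Part Four matters on both directions of the tunnel, here is an added example (not from the lab page) that models Wireguard's cryptokey routing in Python with the lab's addresses and the xubuntu-lan public key shown above; the aws_peers() helper and the 10.0.6.20 web server address are constructed for the demonstration.

```python
# Added example (not from the lab page): a minimal model of WireGuard's
# cryptokey routing, using the lab's addresses.  AllowedIPs does two jobs:
#  - outbound: the destination IP is matched (longest prefix) against every
#    peer's AllowedIPs to pick the peer whose key encrypts the packet;
#  - inbound: after decryption the packet's source IP is looked up the same
#    way, and the packet is dropped unless the lookup returns the peer that
#    sent it.  So Part Four's extra allowed-ips entry is needed both to send
#    10.0.6.0/24 traffic down the tunnel and to accept the replies.
import ipaddress
from typing import Dict, List, Optional

XUBUNTU_LAN = "CHOgWp7S4aBVvdk/8pYac9nfTYqvjWTVJLnupOHaulM="  # key shown on the page


def aws_peers(with_lan_net: bool) -> Dict[str, List[str]]:
    """Peer table on aws-ubuntu-peer before/after the Part Four change (constructed helper)."""
    allowed = ["10.0.101.2/32"]
    if with_lan_net:
        allowed.append("10.0.6.0/24")
    return {XUBUNTU_LAN: allowed}


def select_peer(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Outbound lookup: longest-prefix match of dst over all peers' AllowedIPs."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for pubkey, nets in peers.items():
        for net in map(ipaddress.ip_network, nets):
            if ip in net and net.prefixlen > best_len:
                best, best_len = pubkey, net.prefixlen
    return best


def accept_inbound(peers: Dict[str, List[str]], sender: str, src: str) -> bool:
    """Inbound check: the source IP must route back to the peer that sent the packet."""
    return select_peer(peers, src) == sender


if __name__ == "__main__":
    web = "10.0.6.20"  # constructed address for the SEC-440 internal web server
    for label, peers in (("before Part Four", aws_peers(False)),
                         ("after Part Four", aws_peers(True))):
        out = select_peer(peers, web)
        back = accept_inbound(peers, XUBUNTU_LAN, web)
        print(f"{label}: curl {web} -> peer {out}; reply from {web} accepted: {back}")
```

Note that wg-quick also installs a kernel route for each AllowedIPs network via wg0, which is what makes the curl from AWS leave through the tunnel in the first place.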

DELIVERABLE:

Successful curl from aws to internal webserver:
