WireGuard Remote Access (SEC 350) - Chromosom3/TechNotes GitHub Wiki
Introduction
For this week's lab we will be configuring WireGuard to allow the Windows 10 traveler system remote access into the network. This configuration can be replicated in a production network to allow an admin to have remote access to a management system while traveling or working from home. In addition to the traveler system, the two firewalls, edge01 and fw-mgmt, were updated to allow the connection.
Edge Firewall
The first machine we will configure is the edge router. This system is running VyOS, which supports WireGuard. For more information on configuring WireGuard on VyOS, view this entry in the VyOS documentation.
Section 1: Configuring WireGuard
The first thing we will want to do is set up the WireGuard interface on the system. To do this, enter configuration mode and run the following command:
set interfaces wireguard wg0 address '10.0.99.1/24'
This creates a new network attached to the VyOS system where VPN clients will be placed. Now we will set the listening port for WireGuard by running:
set interfaces wireguard wg0 port '51820'
Now we just need to generate the WireGuard server's key pair for authentication. To do this, run the following (the leading run executes an operational-mode command from inside configuration mode):
run generate pki wireguard key-pair install interface wg0
Make sure to save the public key; you will need it for your clients.
Next we will configure the settings for the first peer (in this case there is only one). To do this we will run:
set interfaces wireguard wg0 peer traveler-dylan allowed-ips '10.0.99.100/32'
This command adds the peer with the name "traveler-dylan" and allows that client to use the 10.0.99.100 IPv4 address. Note that the CIDR notation has /32 for the subnet mask. This means the client is only able to talk with the gateway (the WireGuard interface, 10.0.99.1). Now that we have added the peer, let's import the peer's public key for authentication. To do this, run the command:
set interfaces wireguard wg0 peer traveler-dylan public-key CLIENT_PUB_KEY
where CLIENT_PUB_KEY is the key you copied from the client.
Full list of commands for section 1
# Section 1
set interfaces wireguard wg0 address '10.0.99.1/24'
set interfaces wireguard wg0 port '51820'
run generate pki wireguard key-pair install interface wg0
# Save the firewall's public key.
set interfaces wireguard wg0 peer traveler-dylan allowed-ips '10.0.99.100/32'
#set interfaces wireguard wg0 peer traveler-dylan public-key CLIENT_PUB_KEY
set interfaces wireguard wg0 peer traveler-dylan public-key 95ejY9dd5WlA3rriZOaNXnvC8UYzH5sTLXjN+YTS8W4=
Section 2: New Firewall Rules
Since we created a new subnet for WireGuard, we will need to implement new firewall rules. This has been covered in previous labs, so this section will be brief: I will just summarize what actions were taken and provide the commands below. The first thing you need to do is create a new zone for the wg0 interface. From there you need to create two new firewall rule sets, WG-to-LAN and LAN-to-WG. These will be used to apply rules to traffic going between the WireGuard and LAN networks. Once the rule sets are made, we will attach each one to its respective zone-policy direction. After that we will configure a new rule that allows the traveler machine (10.0.99.100) access to the management box via RDP (3389/tcp).
Note 1: This will not give the traveler machine access to the management box yet. Additional configuration must be done on the fw-mgmt system.
Note 2: We are not doing anything with the DMZ network, as this is intended to give an admin access to the MGMT machine only. From there they can connect to their desired systems for management.
Full list of commands for section 2
# Section 2
# Updating Firewalls
set zone-policy zone WG interface wg0
set firewall name WG-to-LAN default-action drop
set firewall name WG-to-LAN enable-default-log
set firewall name LAN-to-WG default-action drop
set firewall name LAN-to-WG enable-default-log
set zone-policy zone WG from LAN firewall name LAN-to-WG
set zone-policy zone LAN from WG firewall name WG-to-LAN
set firewall name WG-to-LAN rule 10 action accept
set firewall name WG-to-LAN rule 10 source address 10.0.99.100
set firewall name WG-to-LAN rule 10 destination address 172.16.200.11
set firewall name WG-to-LAN rule 10 destination port 3389
set firewall name WG-to-LAN rule 10 protocol tcp
set firewall name WG-to-LAN rule 10 description "Allow Traveler RDP Access to MGMT01 from VPN"
set firewall name LAN-to-WG rule 1 action accept
set firewall name LAN-to-WG rule 1 state established enable
# Need to update FW-MGMT too
FW-MGMT
Now that the first firewall is fully configured, let's configure the second one to allow remote access to the MGMT system. Luckily this is relatively simple: we will just be duplicating the WG-to-LAN rule 10 from the edge firewall on the LAN-to-MGMT rule set. We will also be changing the rule number to 50 so we don't interfere with any of our existing rules. See the changes below.
set firewall name LAN-to-MGMT rule 50 action accept
set firewall name LAN-to-MGMT rule 50 source address 10.0.99.100
set firewall name LAN-to-MGMT rule 50 destination address 172.16.200.11
set firewall name LAN-to-MGMT rule 50 destination port 3389
set firewall name LAN-to-MGMT rule 50 protocol tcp
set firewall name LAN-to-MGMT rule 50 description "Allow Traveler RDP Access to MGMT01 from VPN"
Traveler
The final system we need to configure for this lab is the traveler system. This system will have the VPN client on it and will simulate an admin’s laptop that they have with them on the road.
The first thing we will need to do is download WireGuard from the WireGuard website. The download page can be found here. Download and install the current version. Once that is done you will want to select "Add Tunnel" and create a new tunnel in WireGuard. For this lab the tunnel was called "mgmt-vpn".
You will now need to configure the tunnel. Select the tunnel then click edit. You should fill out the configuration similar to the one below depending on your setup.
Copy-Paste
[Interface]
# Client private key; the WireGuard app generates this when the tunnel is created.
PrivateKey=THIS_WILL_BE_AUTO_GENERATED_WHEN_YOU_MAKE_THE_TUNNEL
# Must match the allowed-ips set for this peer on the edge firewall.
Address=10.0.99.100/32
[Peer]
# Public key produced by "generate pki wireguard key-pair" on the edge firewall.
PublicKey=THIS_IS_FROM_THE_WG_SERVER
# Route the WireGuard gateway and the MGMT subnet (172.16.200.11 lives here) through the tunnel.
AllowedIPs=10.0.99.1/32,172.16.200.0/28
# Reachable address of the edge firewall and its wg0 listening port.
Endpoint=10.0.17.137:51820
Note: The address is the same as the one set for the peer on the edge firewall. Additionally, the endpoint is the destination VPN server. In this case our edge firewall is behind another firewall and is on the same subnet as the traveler system.
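A small cross-check of the client tunnel file against the section 1 VyOS commands, added here as an example (not code from the wiki): it parses both, confirms the client address is permitted by a server peer, that the endpoint port matches the wg0 port, and that the gateway and the MGMT host are covered by the client's AllowedIPs. The constructed client config deliberately mistypes the LAN prefix as 172.160.200.0/28 to show what the check reports.

```python
import ipaddress
# Constructed sample input (keys omitted) using this page's lab values; example code, not the wiki's.
VYOS_COMMANDS = """set interfaces wireguard wg0 address '10.0.99.1/24'
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 peer traveler-dylan allowed-ips '10.0.99.100/32'"""
CLIENT_CONF = """[Interface]
Address=10.0.99.100/32
[Peer]
AllowedIPs=10.0.99.1/32,172.160.200.0/28
Endpoint=10.0.17.137:51820"""

def parse_vyos(text):
    """Collect wg0 address, listen port and each peer's allowed-ips from 'set' lines."""
    cfg = {"peers": {}}
    for parts in (line.split() for line in text.splitlines()):
        if parts[:4] != ["set", "interfaces", "wireguard", "wg0"]:
            continue
        value = parts[-1].strip("'")
        if parts[4] == "peer":
            cfg["peers"].setdefault(parts[5], {})[parts[6]] = value
        else:
            cfg[parts[4]] = value
    return cfg

def parse_client(text):
    """Minimal INI parser for the WireGuard client tunnel file."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
            conf[section] = {}
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()
    return conf

def check(vyos, client, must_reach=("172.16.200.11",)):
    """Return mismatches between the two configs; an empty list means they agree."""
    gw = ipaddress.ip_interface(vyos["address"])
    addr = ipaddress.ip_interface(client["Interface"]["Address"])
    routes = [ipaddress.ip_network(r.strip()) for r in client["Peer"]["AllowedIPs"].split(",")]
    port = client["Peer"]["Endpoint"].rsplit(":", 1)[1]
    problems = []
    if not any(addr.ip in ipaddress.ip_network(p["allowed-ips"]) for p in vyos["peers"].values()):
        problems.append(f"no server peer permits client source {addr.ip}")
    if port != vyos["port"]:
        problems.append(f"endpoint port {port} differs from server port {vyos['port']}")
    for host in (str(gw.ip), *must_reach):  # gateway plus every host the admin must reach
        if not any(ipaddress.ip_address(host) in r for r in routes):
            problems.append(f"{host} is not covered by client AllowedIPs")
    return problems
```

Running check(parse_vyos(VYOS_COMMANDS), parse_client(CLIENT_CONF)) reports that 172.16.200.11 is not covered; correcting the prefix to 172.16.200.0/28 makes the check return an empty list.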
Once the tunnel is configured you can activate the connection. The tunnel should change to active and you should see a screen similar to the one below. To confirm the tunnel is working ping the WireGuard gateway (10.0.99.1).
Firewall Configurations
These are the firewall configurations after all the above changes have been implemented. Note that the private key for the edge firewall has been removed and will need to be regenerated.