SEC‐440 Wireguard LAB 7‐1 - FlameSpyro/Tech-Journal GitHub Wiki

SEC-440 Wireguard LAB


Objectives

  • Access AWS wireguard peer (xubuntu-lan) behind a nat network via ssh and icmp
  • Access your LAN web server (or pool) via HTTP
  • The LAN system xubuntu-lan can access HTTP on port 8080 on the AWS ubuntu peer through the Wireguard tunnel

AWS Ubuntu Peer

  • Launch AWS instance
  • Choose Ubuntu 22.04 Free tier
  • Select and Save keypair to google drive
  • Copy network settings (saved on personal google lab doc)
  • Before connecting over SSH, restrict the downloaded key file so that only you can read it (ssh refuses a key that is readable by others), then connect with it:
chmod 400 Desktop/*.pem
ssh -i Desktop/*.pem ubuntu@*.amazonaws.com

Step 2: Wireguard VPN

  • On both devices:
sudo apt-get update 
sudo apt-get install wireguard 
  • A key pair needs to be made on BOTH devices (each private key stays on its own host; only public.key is ever given to the other peer):
cd /etc/wireguard
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key   # strip group/other permissions: the private key must be readable by root only
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
  • To configure the wg0 interface on AWS (run as root; 10.0.101.0/24 is the tunnel network):
ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.101.1/24
wg set wg0 private-key /etc/wireguard/private.key
wg set wg0 listen-port 51900
ip link set wg0 up
wg   # with no arguments, shows the interface, its public key, its listen port and its peers
  • On Ubuntu-LAN, the same with the other tunnel address:
ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.101.2/24
wg set wg0 private-key /etc/wireguard/private.key
wg set wg0 listen-port 51900
ip link set wg0 up
wg
  • To add the other device as a peer, enter the following (**KEY** is the other device's public key from its /etc/wireguard/public.key; allowed-ips is the peer's tunnel address, and endpoint is the address:port at which this device reaches the peer):
# On AWS (peer = Ubuntu-LAN, tunnel address 10.0.101.2)
wg set wg0 peer **KEY** allowed-ips 10.0.101.2/32 endpoint 10.0.5.6:51900

# On Ubuntu-LAN (peer = AWS, tunnel address 10.0.101.1); 10.0.5.6:51900 is the endpoint value recorded for this lab
wg set wg0 peer **KEY** allowed-ips 10.0.101.1/32 endpoint 10.0.5.6:51900
  • Inbound rules will need to be configured on the instance's existing security group. SSH and HTTP will need to be added as well so the existing connection is kept; the WireGuard listen port itself is UDP:
  • UDP, port 51900, Anywhere IPv4
  • ICMP IPv4, Anywhere IPv4
  • SSH, Anywhere IPv4
  • HTTP, Anywhere IPv4
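Once both peers are set and the security group lets UDP 51900 in, `wg` shows whether a handshake has happened. The following added script (mine, not part of the lab page) does the same check from the machine-readable `wg show wg0 dump` output, so it can run from cron or a monitoring job; the dump text inside it is a constructed sample, and the public-key strings are placeholders, not keys from the lab hosts.

```shell
#!/bin/sh
# Added example (not from the lab page): check tunnel health from
# `wg show wg0 dump` instead of eyeballing `wg`.
# SAMPLE_DUMP is constructed sample output, not a capture from the lab hosts.

# `wg show <iface> dump` prints one tab-separated interface line
# (private-key public-key listen-port fwmark) followed by one line per peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake(epoch, 0 = never)  rx  tx  keepalive
SAMPLE_DUMP=$(
  printf 'IFACE_PRIVKEY\tIFACE_PUBKEY\t51900\toff\n'
  printf 'PEER_LAN_PUBKEY\t(none)\t10.0.5.6:51900\t10.0.101.2/32,10.0.5.0/24\t1700000000\t4096\t8192\t25\n'
  printf 'PEER_OLD_PUBKEY\t(none)\t(none)\t10.0.101.3/32\t0\t0\t0\toff\n'
)

# stale_peers NOW_EPOCH [MAX_AGE_SECONDS]
# Reads a dump on stdin and prints "<public-key> <age|never>" for every peer whose
# latest handshake is older than MAX_AGE (default 180 s). With a 25 s keepalive a
# healthy peer re-handshakes every couple of minutes, so anything older means the
# peer is not exchanging traffic (wrong endpoint, UDP 51900 blocked, key mismatch).
# Exit status: 0 when every peer is fresh, 1 when at least one is stale.
stale_peers() {
    now=$1; max=${2:-180}
    awk -F '\t' -v now="$now" -v max="$max" '
        NR == 1 { next }                         # interface line, not a peer
        {
            hs = $5 + 0
            if (hs == 0)             { print $1, "never";   stale++ }
            else if (now - hs > max) { print $1, now - hs;  stale++ }
        }
        END { exit stale ? 1 : 0 }'
}

# Demo on the constructed dump, 100 s after the LAN peer last handshaked:
# only PEER_OLD_PUBKEY is reported, so the demo prints the warning.
printf '%s\n' "$SAMPLE_DUMP" | stale_peers 1700000100 || echo "tunnel needs attention"
```

On a real host run it as `wg show wg0 dump | stale_peers "$(date +%s)"` (as root, since the dump includes the private key); a non-zero exit is what a monitoring job keys on.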


Saving configuration:

wg showconf wg0 | tee /etc/wireguard/wg0.conf   # dumps the running interface and its peers in wg-quick format; run as root, the file contains the private key
  • wg showconf does not record the interface address, so on AWS add the following below PrivateKey in the [Interface] section:
Address = 10.0.101.1
  • Do the same for Ubuntu LAN except:
Address = 10.0.101.2

# Below Endpoint in the [Peer] section (Ubuntu LAN sits behind NAT; the keepalive keeps the NAT mapping open)
PersistentKeepalive = 25

Apache2 on AWS

apt-get install apache2
cd /var/www/html/
mv index.html index.txt   # set the default page aside
chmod 644 index.html      # applies to the page put in its place (the lab does not record its contents)
  • In /etc/apache2/ports.conf change port 80 to 8080 (the Listen line), so Apache serves on the port the LAN peer will reach through the tunnel

AWS-Ubuntu to web via forwarding

  • You will need to append , 10.0.5.0/24 to the AllowedIPs line of the peer section in the AWS wg0.conf, so that traffic for the LAN subnet (where the web server lives) is routed into the tunnel
  • Add to the [Interface] section of wg0.conf (%i expands to the interface name; the FORWARD rules let tunnel traffic pass through the host, and MASQUERADE rewrites it to the host's own address on its outside interface):
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
  • For Xubuntu, the same with its outside interface name (ens162):
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens162 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens162 -j MASQUERADE
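Putting the saved-configuration and forwarding steps together: this added script (mine, not the lab's own wg0.conf) renders a wg0.conf for each side from the addresses, port and iptables rules above, then checks the result before it is handed to wg-quick. The key strings, the AWS_PUBLIC_IP placeholder and the file names are assumptions; 10.0.5.6 is the endpoint value the lab records.

```shell
#!/bin/sh
# Added example (not from the lab page): render wg0.conf for both peers from the
# lab's values and sanity-check the result before `wg-quick up wg0`.
# Assumptions: the key strings are passed in by the caller; AWS_PUBLIC_IP is a
# placeholder for the EC2 instance's public address, which the page does not record.
set -eu

AWS_WG_ADDR=10.0.101.1
LAN_WG_ADDR=10.0.101.2
LAN_SUBNET=10.0.5.0/24                                       # LAN behind xubuntu-lan (web server lives here)
WG_PORT=51900
AWS_PUBLIC_IP="${AWS_PUBLIC_IP:-AWS_PUBLIC_IP_PLACEHOLDER}"   # assumption: export the real address before use
LAN_NAT_IP="${LAN_NAT_IP:-10.0.5.6}"                         # endpoint value as recorded in the lab

# render_conf aws|lan PRIVATE_KEY PEER_PUBLIC_KEY  -> wg0.conf text on stdout
render_conf() {
    side=$1; privkey=$2; peer_pub=$3
    case "$side" in
    aws)
        addr=$AWS_WG_ADDR; out_if=eth0
        peer_allowed="$LAN_WG_ADDR/32, $LAN_SUBNET"   # peer's tunnel address plus its LAN
        endpoint="$LAN_NAT_IP:$WG_PORT"
        keepalive=""                                  # AWS is directly reachable: no keepalive needed
        ;;
    lan)
        addr=$LAN_WG_ADDR; out_if=ens162
        peer_allowed="$AWS_WG_ADDR/32"
        endpoint="$AWS_PUBLIC_IP:$WG_PORT"
        keepalive="PersistentKeepalive = 25"          # behind NAT: keep the mapping open
        ;;
    *) echo "render_conf: unknown side '$side'" >&2; return 1 ;;
    esac
    cat <<EOF
[Interface]
PrivateKey = $privkey
Address = $addr/24
ListenPort = $WG_PORT
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $out_if -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $out_if -j MASQUERADE

[Peer]
PublicKey = $peer_pub
AllowedIPs = $peer_allowed
Endpoint = $endpoint
$keepalive
EOF
}

# check_conf FILE -> 0 if the file is usable, 1 (with the reason on stderr) otherwise
check_conf() {
    f=$1
    grep -q '^PrivateKey = [^ ]' "$f" || { echo "$f: PrivateKey missing" >&2; return 1; }
    grep -q '^Address = '        "$f" || { echo "$f: Address missing (wg showconf never writes it)" >&2; return 1; }
    grep -q 'PLACEHOLDER'        "$f" && { echo "$f: placeholder still present" >&2; return 1; }
    perms=$(ls -l "$f" | cut -c1-10)   # the file holds a private key: owner-only access
    [ "$perms" = "-rw-------" ] || { echo "$f: mode $perms, expected -rw-------" >&2; return 1; }
    return 0
}

# Demo: write both files into a scratch directory with a restrictive umask and check them
# (the LAN file fails until AWS_PUBLIC_IP is set to the real address).
TMP=$(mktemp -d)
( umask 077
  render_conf aws AWS_PRIVATE_KEY LAN_PUBLIC_KEY > "$TMP/aws-wg0.conf"
  render_conf lan LAN_PRIVATE_KEY AWS_PUBLIC_KEY > "$TMP/lan-wg0.conf" )
for f in "$TMP"/aws-wg0.conf "$TMP"/lan-wg0.conf; do
    if check_conf "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```

The PostUp rules only let packets through once the kernel is willing to forward at all: the peer that relays between wg0 and its outside interface (xubuntu-lan for the LAN web server, AWS for anything reached via eth0) also needs net.ipv4.ip_forward set to 1 with sysctl, which the lab steps do not mention.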