Wireguard Lab - LouisNajdek/sec440 GitHub Wiki

DEMONSTRATION VIDEO

Click the link above or this text to watch the demonstration video

Prerequisites

Set up an Ubuntu 20.04 server in the AWS console. Note the name and public IPv4 address of the server, then download the keypair to your Xubuntu-LAN server. Restrict the downloaded keypair file to owner read-only (ssh refuses to use a private key that other users can read) with sudo chmod 400 Desktop/aws-sec440-f21.pem

This lets you SSH into the AWS-hosted Ubuntu system using the keypair for authentication. Substitute your server's public IPv4 address (and its login user) in place of the placeholders:

ssh -i Desktop/aws-sec440-f21.pem <user>@<public-ipv4-address>

WireGuard installation

On both aws-ubuntu-peer and Xubuntu-LAN, install WireGuard:

sudo apt-get update && sudo apt-get install wireguard

Create a keypair on both systems in the WireGuard folder. /etc/wireguard is owned by root, so run these as root (or via sudo); the umask makes sure the private key file is not readable by other users:

cd /etc/wireguard

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

aws-ubuntu-peer Configuration

From the terminal, create a WireGuard interface named wg0 with its own address of 10.0.101.1 and the private key created earlier. The WireGuard connection uses UDP port 51900. Then add the peer, identified by the public key created on the other system, and save the resulting configuration to wg0.conf.

ip link add wg0 type wireguard

ip addr add 10.0.101.1/24 dev wg0

wg set wg0 private-key privatekey

wg set wg0 listen-port 51900

ip link set wg0 up


wg set wg0 peer Qgym9SXYMleaS9J6I7jtg1m5e16OSLPCKlTCIe9S4xg= allowed-ips 10.0.101.2/32 endpoint 10.0.5.6:51900

wg showconf wg0 | tee /etc/wireguard/wg0.conf

You'll need to edit wg0.conf and change some things manually so that it looks like the file below. Then bring the interface up from that file with wg-quick up wg0 (wg-quick refuses to start while the hand-built wg0 link still exists, so remove it first with ip link del wg0).

[Interface]
ListenPort = 51900
PrivateKey = QOA04LNiQ3IpRHF9liQlub7wVkGgXV6wxLRCKL7YT0s=
Address = 10.0.101.1
[Peer]
PublicKey = Qgym9SXYMleaS9J6I7jtg1m5e16OSLPCKlTCIe9S4xg=
AllowedIPs = 10.0.101.2/32, 10.0.5.0/24
Endpoint = 10.0.5.6:51900

Xubuntu-LAN Configuration

From the terminal, create a WireGuard interface named wg0 with its own address of 10.0.101.2 and the private key created earlier. The WireGuard connection uses UDP port 51900. Then add the peer, identified by the public key created on the other system, and save the resulting configuration to wg0.conf.

ip link add wg0 type wireguard

ip addr add 10.0.101.2/24 dev wg0

wg set wg0 private-key privatekey

wg set wg0 listen-port 51900

ip link set wg0 up

wg set wg0 peer SB+tlsBFZDXeYJopWFMbSfvjo5YZOREw08PyF6sWAhM= allowed-ips 10.0.101.1/32 endpoint 54.175.20.238:51900

wg showconf wg0 | tee /etc/wireguard/wg0.conf

You'll need to edit wg0.conf manually to add some things, namely PostUp and PostDown iptables rules so that traffic arriving through the tunnel is forwarded and NATed out of the LAN interface (ens160 here; use your own interface name) while the tunnel is up, and the rules are removed again when it goes down. It should look like this.

[Interface]
ListenPort = 51900
PrivateKey = sPFj60HNxfMWKz2XRPK3vVICXtRdW5WfjwtXutlJLUU=
Address = 10.0.101.2
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE
[Peer]
PublicKey = SB+tlsBFZDXeYJopWFMbSfvjo5YZOREw08PyF6sWAhM=
AllowedIPs = 10.0.101.1/32
Endpoint = 54.175.20.238:51900
PersistentKeepalive = 25
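As an added check that is not part of the lab, this Python script parses a wg-quick style wg0.conf like the two above and flags the mistakes a hand-edited file invites: a malformed PublicKey (an empty publickey file, for instance), AllowedIPs ranges that overlap between peers (longest prefix wins, and an identical prefix silently moves to the last peer loaded, so overlaps deserve a look), and a peer with an Endpoint but no PersistentKeepalive. The sample configuration and its keys are constructed, not the lab's real values.

```python
import base64
import ipaddress
# Constructed sample modelled on the Xubuntu-LAN wg0.conf above; dummy 32-byte keys, not the lab's.
SAMPLE_CONF = """\
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 10.0.101.1/32
Endpoint = 54.175.20.238:51900
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """[Interface] dict plus a list of [Peer] dicts; keys lower-cased, as wg(8) is case-insensitive."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if line == "[Interface]":
            section = interface
        elif line == "[Peer]":
            peers.append(section := {})
        elif "=" in line and section is not None:  # split once: base64 keeps its '=' pad
            key, value = (s.strip() for s in line.split("=", 1))
            section[key.lower()] = value
    return interface, peers

def is_wg_key(value):
    """A WireGuard key is 32 bytes of base64: exactly 44 characters with one '=' pad."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:                             # bad characters or bad padding
        return False

def lint_wg_conf(text):
    """Findings for the cryptokey-routing mistakes a hand-edited wg0.conf like this lab's invites."""
    _, peers = parse_wg_conf(text)
    findings, seen = [], []                        # seen: (network, peer index)
    for i, peer in enumerate(peers, 1):
        if not is_wg_key(peer.get("publickey", "")):
            findings.append(f"peer {i}: PublicKey missing or malformed (e.g. an empty publickey file)")
        for cidr in filter(None, map(str.strip, peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            for other, j in seen:
                if j != i and net.overlaps(other):  # longest prefix wins; an identical one moves peers
                    findings.append(f"peer {i}: AllowedIPs {net} overlaps {other} of peer {j}")
            seen.append((net, i))
        if "endpoint" in peer and "persistentkeepalive" not in peer:
            findings.append(f"peer {i}: Endpoint set but no PersistentKeepalive (needed behind NAT)")
    return findings
```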

Enable IP forwarding

sysctl -w net.ipv4.ip_forward=1

sysctl -p

sysctl -w applies the setting immediately, while sysctl -p only reloads /etc/sysctl.conf; add net.ipv4.ip_forward=1 to that file so forwarding survives a reboot.