Lab 7 1 Wireguard VPN - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

This page journals content related to SEC-440 lab 7. Used my AWS reference during the lab.

Setting up AWS Ubuntu instance

First I booted up AWS through the learner lab.

Went to EC2:

Went to instances:

Pressed "Launch instances" > created an instance with the following configuration:

(NOTE: Created a new key; the first picture below shows the button to make a new key and the second shows the settings.)

(NOTE: Created a new security group. Used the upper right-hand corner's "Edit" button, which is not visible in the screenshot below BUT was needed to add the rule for 51900.)

(NOTE: Nothing was changed about the storage or advanced details!)

Pressed "Launch instance":

(NOTE: Would later need to add an ICMP inbound rule by going to the security group I made (sidebar > "Security Groups" > "aws-wireguardlab-ubuntu-security" > "Edit inbound rules" > "Add rule"), adding the following rule, then saving it with "Save rules":)

Completed security group:

Then on xubuntulan I sent over my key; afterwards I located the key, set the correct permissions on it, and SSHed into my AWS instance (the user@host part was lost from the original page, so placeholders are shown here):

chmod 400 aws-wireguardlab-ubuntu.pem
ssh -i aws-wireguardlab-ubuntu.pem {AWS USERNAME}@{AWS PUBLIC IP}

Initial Wireguard setup

I installed wireguard on both my aws instance and xubuntulan with:

sudo apt-get update -y
sudo apt-get install wireguard -y

On xubuntulan I used the following to set up my keys (RUN AS ROOT):

wg genkey | tee /etc/wireguard/server_private_key | wg pubkey > /etc/wireguard/server_public_key

Then on the aws instance I set up my keys (RUN AS ROOT):

wg genkey | tee /etc/wireguard/aws_private_key | wg pubkey > /etc/wireguard/aws_public_key

After that I made the following configuration for xubuntulan in /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.101.2/24
SaveConfig = true
ListenPort = 51900
PrivateKey = {CONTENTS OF '/etc/wireguard/server_private_key'}

[Peer]
PublicKey = {CONTENTS OF '/etc/wireguard/aws_public_key'}
AllowedIPs = 10.0.101.1/32
Endpoint = 54.242.212.179:51900

Then I made the following wireguard configuration for my aws instance in /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = {CONTENTS OF '/etc/wireguard/aws_private_key'}
Address = 10.0.101.1/24
ListenPort = 51900

[Peer]
PublicKey = {CONTENTS OF '/etc/wireguard/server_public_key'}
AllowedIPs = 10.0.101.2/32
Endpoint = 10.0.5.6:51900
PersistentKeepalive = 25

(NOTE: Recommended to run wg-quick down wg0 before changing configurations after the initial setup!)
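The key generation above pipes wg genkey through tee, which creates the private key file with whatever umask the shell has (a default umask of 022 gives 0644, readable by every local user). The script below is an added example, not part of the original lab: it generates a key pair the same way but under umask 077, and audits a WireGuard directory for private keys or wg*.conf files that are not owner-only. The function names gen_wg_keys, audit_wg_dir and fix_wg_perms are chosen here; wg-quick itself only warns about a world-accessible config and knows nothing about the separate *_private_key files used in this lab.

```shell
#!/bin/sh
# Added example (not from the lab page). Generate WireGuard keys with a
# restrictive umask and audit /etc/wireguard for loose permissions.

# gen_wg_keys NAME [DIR]: same pipeline as the lab, run under umask 077 so
# tee creates NAME_private_key as 0600 instead of 0644. Needs wg installed.
gen_wg_keys() {
  dir=${2:-/etc/wireguard}
  ( umask 077
    wg genkey | tee "$dir/${1}_private_key" | wg pubkey > "$dir/${1}_public_key" )
}

# file_mode FILE: octal permission bits (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_is_private FILE: 0 if only the owner can read the file (0600 or 0400).
key_is_private() {
  case "$(file_mode "$1")" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# audit_wg_dir DIR: print every private key or wg*.conf with loose
# permissions. Returns 0 when nothing is flagged.
audit_wg_dir() {
  bad=0
  for f in "$1"/*_private_key "$1"/wg*.conf; do
    [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
    if ! key_is_private "$f"; then
      echo "LOOSE: $f is mode $(file_mode "$f"), expected 600"
      bad=1
    fi
  done
  return $bad
}

# fix_wg_perms DIR: tighten everything audit_wg_dir would flag.
fix_wg_perms() {
  for f in "$1"/*_private_key "$1"/wg*.conf; do
    [ -e "$f" ] || continue
    chmod 600 "$f"
  done
}

# Usage (as root): . ./wg-keys.sh; gen_wg_keys server; audit_wg_dir /etc/wireguard
```

Run the audit after the initial setup on both machines; a world-readable private key means any local account, or any process that gets file read through an unrelated bug, can impersonate that peer.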

Connectivity test 1

Web Server test

Then I installed apache2 and configured an index.html page on the aws instance AS ROOT:

sudo apt install apache2 -y
echo "oliver mustoe | SEC-440 Wireguard Lab" > /var/www/html/index.html

After that I updated /etc/apache2/ports.conf on the aws instance to use port 8080 instead of 80:

Finally, on the aws instance, I restarted apache2:

sudo systemctl restart apache2

Connectivity Test 2

AWS forwarding into LAN

I updated the aws instance's /etc/wireguard/wg0.conf with the following:

[Interface]
PrivateKey = {CONTENTS OF '/etc/wireguard/aws_private_key'}
Address = 10.0.101.1/24
ListenPort = 51900
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = sysctl -p
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = {CONTENTS OF '/etc/wireguard/server_public_key'}
AllowedIPs = 10.0.101.2/32,10.0.6.0/24
Endpoint = 10.0.5.6:51900
PersistentKeepalive = 25

(NOTE: I did run sysctl -p separately once, but I did not run it on xubuntulan.)

I also updated xubuntulan's /etc/wireguard/wg0.conf with the following:

[Interface]
Address = 10.0.101.2/24
SaveConfig = true
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = sysctl -p
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE
ListenPort = 51900
PrivateKey = {CONTENTS OF '/etc/wireguard/server_private_key'}

[Peer]
PublicKey = {CONTENTS OF '/etc/wireguard/aws_public_key'}
AllowedIPs = 10.0.101.1/32
Endpoint = 54.242.212.179:51900

After I restarted wireguard on both, I could curl the 10.0.6.0/24 subnet from my AWS box!
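The forwarding configs above depend on three things lining up: ip_forward being enabled in PreUp/PostUp, every iptables rule added in PostUp having a matching delete in PostDown (otherwise wg-quick down leaves FORWARD and MASQUERADE rules behind), and the LAN subnet being listed in the peer's AllowedIPs, which is also the cryptokey routing check that decides what a peer may send into the tunnel. The script below is an added example, not part of the lab, that lints a wg0.conf for those three points; lint_wg_conf and the other function names are chosen here, and write_sample_conf writes a constructed copy of the AWS-side config so the check can run offline.

```shell
#!/bin/sh
# Added example (not from the lab page): lint a forwarding wg0.conf.

# rules_of FILE PostUp|PostDown: the iptables rules on that line, one per
# line, with -A/-D rewritten to -X so the add and delete sets compare equal.
rules_of() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | tr ';' '\n' \
    | sed -n 's/^[[:space:]]*iptables /iptables /p' \
    | sed -e 's/ -[AD] / -X /' -e 's/[[:space:]]*$//' \
    | sort
}

# check_symmetry FILE: 0 when PostUp adds exactly what PostDown deletes.
check_symmetry() {
  up=$(rules_of "$1" PostUp)
  down=$(rules_of "$1" PostDown)
  [ -n "$up" ] && [ "$up" = "$down" ]
}

# check_forwarding FILE: 0 when ip_forward=1 is set in a PreUp or PostUp line.
check_forwarding() {
  grep -Eq '^[[:space:]]*(PreUp|PostUp)[[:space:]]*=.*net\.ipv4\.ip_forward=1' "$1"
}

# check_allowed_ips FILE SUBNET: 0 when some peer lists SUBNET in AllowedIPs.
check_allowed_ips() {
  sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ',' '\n' | tr -d ' ' | grep -Fqx "$2"
}

# lint_wg_conf FILE SUBNET: print each failed check, return 0 if all pass.
lint_wg_conf() {
  rc=0
  check_symmetry "$1"        || { echo "PostUp/PostDown iptables rules differ"; rc=1; }
  check_forwarding "$1"      || { echo "net.ipv4.ip_forward=1 not set in PreUp/PostUp"; rc=1; }
  check_allowed_ips "$1" "$2" || { echo "no peer lists $2 in AllowedIPs"; rc=1; }
  return $rc
}

# write_sample_conf FILE: constructed sample mirroring the AWS-side config.
write_sample_conf() {
  cat > "$1" <<'EOF'
[Interface]
PrivateKey = {CONTENTS OF '/etc/wireguard/aws_private_key'}
Address = 10.0.101.1/24
ListenPort = 51900
PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = {CONTENTS OF '/etc/wireguard/server_public_key'}
AllowedIPs = 10.0.101.2/32,10.0.6.0/24
Endpoint = 10.0.5.6:51900
PersistentKeepalive = 25
EOF
}

# Usage on a real box: lint_wg_conf /etc/wireguard/wg0.conf 10.0.6.0/24
```

Note what the FORWARD rules do not do: `-A FORWARD -i %i -j ACCEPT` forwards anything that arrives over the tunnel, so the only thing limiting what xubuntulan can inject toward the AWS side is the peer's AllowedIPs list. Keep that list as narrow as the lab needs rather than widening it to 0.0.0.0/0.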

Connectivity test 3

NOTE: As a security measure, all keys were changed at the end of the lab, BUT all of the connectivity tests were confirmed to be working!