SPICE | Admin VPN Profile Setup - UMCST/SPICE-user-info GitHub Wiki

For the duration of this guide, you will need to replace <InitName#> with your first initial, last name, and a zero-indexed count based on how many configurations you have. Seek assistance if you share someone else's first initial and last name.

Don’t configure any wireguard VPN while using a connection facilitated by wireguard.


  1. Document the new user in the "Conf. info" sheet of the Admin VPN Configuration Tracker spreadsheet in the SPICE shared drive.

  2. Add a peer on Wasabi (the wireguard host) using wireguard-manager. At the time of writing, Wasabi is located at wasabi.mapa.spicelab.org, herein referred to as <vpnhost>, and is accessible through the jumpbox. The utilities used to maintain our wireguard connections are part of the wireguard-manager suite. Use /usr/local/bin/wireguard-server.sh to manage peer configurations. To quickly add a peer, run the script with --add (sudo /usr/local/bin/wireguard-server.sh --add). Otherwise, simply running the script is enough, as there is a wizard to aid the process.

  3. Once you have added the new peer, verify that the configuration is similar to others before it by checking the wasabi directory /etc/wireguard/clients. Expect to see differences in the name, the address, the listenport, the private key, and the preshared key lines. Do not compare to the tester configs. Compare to one of the test configs. Use the following command:

sudo diff /etc/wireguard/clients/mapa-tester0-wg0.conf /etc/wireguard/clients/mapa-<InitName#>-wg0.conf

  4. If you have verified the presence and correctness of your configuration, verify that there are no users connected (look for a “latest handshake” within the last 30 seconds) using sudo wg show (note that the config names must be under 15 characters long). If no users are connected, you may restart the wireguard interface by running sudo wg-quick down wg0 followed by sudo wg-quick up wg0

  5. Using sudo wg show, verify that the new peer's configuration shows up. This indicates that the addition of the new peer was successful. Match the IP address to the peer using the spreadsheet.

  6. In order to share the configuration with an end-user, you should encrypt it before sending it off. Generate a passphrase to encrypt the file with the Bitwarden Password Generator, and store it securely on Bitwarden Send.

  7. Encrypt the file in the GPG format using the passphrase which was generated. A command which will perform this encryption is sudo gpg -c /etc/wireguard/clients/<InitName#>.conf, which will output a file of the same name with ".gpg" appended to the filename.

  8. Copy the encrypted configuration file from /etc/wireguard/clients/<InitName#>.conf.gpg to /tmp. Feel free to use the following command: sudo cp /etc/wireguard/clients/mapa-<InitName#>-wg0.conf.gpg /tmp

  9. SCP the encrypted configuration file to so that you or someone else can retrieve the configuration. The following command may work for you, running from the jumpbox: scp <user>@<vpnhost>:/tmp/mapa-<InitName#>-wg0.conf.gpg /tmp/ (Don’t miss the period at the end.)

  10. Clean up /tmp
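The "no users connected" check before the wg0 restart can be scripted instead of read by eye from sudo wg show. The following is an added example, not part of the SPICE tooling or of wireguard-manager; the function names, the WINDOW variable and the sample peer keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate the wg0 restart on "no peer handshook within 30 s".
# Input is the output format of `wg show <iface> latest-handshakes`:
#   <peer public key><TAB><unix time of last handshake, 0 = never>

WINDOW=30   # seconds; the threshold used in this guide

# active_peers NOW: read latest-handshakes lines on stdin and print
# "<pubkey> <age>s" for each peer whose handshake is at most WINDOW old.
# A timestamp slightly in the future (clock skew) also counts as active.
active_peers() {
    awk -v now="$1" -v win="$WINDOW" '
        NF == 2 && $2 ~ /^[0-9]+$/ && $2 > 0 {
            age = now - $2
            if (age <= win) printf "%s %ds\n", $1, age
        }'
}

# safe_to_restart NOW: exit 0 only when no peer is active; otherwise list
# the active peers on stderr and exit 1 so the restart is skipped.
safe_to_restart() {
    busy=$(active_peers "$1")
    if [ -n "$busy" ]; then
        printf 'active peers, do not restart:\n%s\n' "$busy" >&2
        return 1
    fi
    return 0
}

# Constructed sample input (placeholder keys, not real peers).
# With NOW=1700000100: peer A is 10 s old, peer B is hours old,
# peer C has never completed a handshake.
SAMPLE=$(printf 'PEER_A_KEY_PLACEHOLDER=\t1700000090\nPEER_B_KEY_PLACEHOLDER=\t1699990000\nPEER_C_KEY_PLACEHOLDER=\t0')

# Live use on the VPN host (assumes the interface is wg0, as in this guide):
#   sudo wg show wg0 latest-handshakes | safe_to_restart "$(date +%s)" \
#       && sudo wg-quick down wg0 && sudo wg-quick up wg0
```

WINDOW is set to the guide's 30 seconds; WireGuard renews an active session's handshake roughly every two minutes, so a larger WINDOW is the more conservative choice.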

User guide: WireGuard Application Setup
