Assignment 7.1 Wireguard Lab - Zacham17/my-tech-journal GitHub Wiki

In this lab, two systems (xubuntu-lan and an AWS Ubuntu instance) were set up to communicate using WireGuard. WireGuard is also used in this lab to secure traffic over the network.

Creating an AWS Ubuntu Peer

In AWS Academy in the EC2 Dashboard > Instances, an instance was launched with the following information:

  • OS: Ubuntu 22.04 (Free-Tier)
  • Instance type: t2.micro
  • Default instance details
    • Default network information
    • Default security group (it was assigned the "launch-wizard-1" security group with SSH traffic allowed)
  • Default storage settings

Testing SSH Connectivity

  • For this lab, the key from my AWS setup was used. It was generated in AWS, and the key was copied over to the xubuntu-lan system.
  • From the ubuntu-lan system, an SSH connection can be made to the AWS instance. The SSH command uses the key from the AWS server to do this. The command syntax is below.

ssh -i KEYFILE.pem ubuntu@AWS_PUBLIC_IP

Wireguard Installation and Configuration

  • On BOTH the AWS Ubuntu system and ubuntu-lan, run the following commands to install WireGuard.
sudo apt-get update
sudo apt-get install wireguard

Creating Key Pairs

  • On BOTH the AWS Ubuntu system and ubuntu-lan, run the following commands to create key pairs. The private key file is created by root (via sudo tee), so chmod and cat also need sudo.
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

These commands output the private key and then the public key, and store them in private.key and public.key respectively. The chmod go= step removes all group and other permissions from the private key so that only root can read it.

Wireguard Configuration

  • On each system, create a file called wg0.conf (wg-quick looks for it in /etc/wireguard/). The configurations for each system are shown below.

On the AWS Ubuntu system:

[Interface]
PrivateKey = AWS SERVER PRIVATE KEY GOES HERE
Address = 10.0.101.1
ListenPort = 51900
SaveConfig = true

[Peer]
PublicKey = UBUNTU-LAN PUBLIC KEY GOES HERE
AllowedIPs = 10.0.101.2/32
Endpoint = 10.0.5.6:51900
PersistentKeepalive = 25

On the Ubuntu-LAN system:

[Interface]
PrivateKey = UBUNTU-LAN PRIVATE KEY GOES HERE
Address = 10.0.101.2
ListenPort = 51900
SaveConfig = true

[Peer]
PublicKey = AWS SERVER PUBLIC KEY GOES HERE
AllowedIPs = 10.0.101.1/32
Endpoint = 54.204.188.80:51900
PersistentKeepalive = 25

These files configure the local wg0 interface ([Interface]) and the remote peer ([Peer]). The [Peer] section identifies, by public key, the one system that is allowed to connect over wg0, and its AllowedIPs entry limits which addresses are accepted from that peer and routed to it through the tunnel.
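As an added example (not from the lab page or the WireGuard project), the following POSIX shell script renders a wg0.conf of the shape shown above for one side of the pair from its parameters, and checks the result before it is handed to wg-quick. The function names and the checks applied are this example's own assumptions; the keys are passed in as arguments (generated with wg genkey / wg pubkey as the lab does), so the script runs without wg installed. It writes the canonical key spellings AllowedIPs and PersistentKeepalive; wg's config parser matches key names case-insensitively, so these are equivalent to the spellings in the lab's files.

```shell
#!/bin/sh
# Added example, not part of the lab page: render and sanity-check a wg0.conf
# for one side of the two-peer setup. Keys are passed in (generate them with
# `wg genkey` / `wg pubkey` as the lab does); nothing here needs wg installed.
# Function names and the checks applied are this example's own assumptions.

# render_wg_conf PRIVKEY ADDRESS PORT PEER_PUBKEY PEER_ALLOWEDIPS PEER_ENDPOINT
# Prints a wg0.conf in the same shape as the lab's files, using the canonical
# key spellings AllowedIPs and PersistentKeepalive.
render_wg_conf() {
cat <<EOF
[Interface]
PrivateKey = $1
Address = $2
ListenPort = $3
SaveConfig = true

[Peer]
PublicKey = $4
AllowedIPs = $5
Endpoint = $6
PersistentKeepalive = 25
EOF
}

# check_wg_conf FILE
# Returns 0 when the file has the fields wg-quick needs and every AllowedIPs
# entry carries an explicit /prefix (each entry becomes a route, so the
# intended scope should be visible); otherwise prints what is wrong, returns 1.
check_wg_conf() {
    f=$1; rc=0
    for key in PrivateKey Address ListenPort PublicKey AllowedIPs; do
        grep -qi "^$key *=" "$f" || { echo "$f: missing $key"; rc=1; }
    done
    grep -q '^\[Peer\]' "$f" || { echo "$f: no [Peer] section"; rc=1; }
    bad=$(grep -i '^AllowedIPs *=' "$f" | sed 's/^[^=]*= *//' | tr ',' '\n' \
          | tr -d ' ' | grep -vE '^[0-9]+(\.[0-9]+){3}/[0-9]+$' | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ] || { echo "$f: $bad AllowedIPs entries lack a /prefix"; rc=1; }
    return $rc
}

# check_key_mode FILE
# The lab's `chmod go=` leaves the private key at mode 600; anything readable
# by group or others (for example a key copied with default permissions) fails.
check_key_mode() {
    mode=$(stat -c %a "$1")
    case $mode in
        600|400) return 0 ;;
        *) echo "$1: mode $mode is readable by others"; return 1 ;;
    esac
}

# Usage on the AWS side, with the real keys substituted (paths are the lab's;
# PEER_PUBLIC_KEY_FILE is wherever the other side's public.key was copied to):
#   render_wg_conf "$(sudo cat /etc/wireguard/private.key)" 10.0.101.1 51900 \
#       "$(cat PEER_PUBLIC_KEY_FILE)" 10.0.101.2/32 10.0.5.6:51900 \
#       | sudo tee /etc/wireguard/wg0.conf
#   check_wg_conf /etc/wireguard/wg0.conf && check_key_mode /etc/wireguard/private.key
case "${1:-}" in
    demo) render_wg_conf AWS_PRIVATE_KEY 10.0.101.1 51900 UBUNTU_LAN_PUBLIC_KEY \
              10.0.101.2/32 10.0.5.6:51900 ;;
esac
```

Run it with sh wgconf.sh demo to see the AWS-side file with placeholder keys; the check functions read a file path so they can be pointed at a configuration before it goes live.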

AWS Inbound Rules

In the AWS EC2 dashboard -> Security Groups, rules were added to the launch-wizard-1 security group to allow inbound connections to UDP port 51900 for WireGuard, as well as all ICMP requests.

Starting and Stopping Wireguard

  • To start WireGuard, on each system use the command sudo wg-quick up wg0
  • To show WireGuard status, on each system use the command sudo wg show
  • To stop WireGuard, on each system use the command sudo wg-quick down wg0

If any changes must be made to the wg0.conf files, stop WireGuard first. With SaveConfig = true, wg-quick down writes the running configuration back into wg0.conf, so edits made while the interface is up would be overwritten.
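wg show tells you whether the interface is up, but the check a practitioner wants after wg-quick up is whether the peer has actually completed a handshake recently. The following is an added example, not code from the lab page: a POSIX shell function that reads the machine-readable form wg show wg0 latest-handshakes (one "peer-public-key TAB unix-time" line per peer) from stdin and reports peers that never handshook or whose last handshake is older than a threshold. The function name, the default threshold of 180 seconds and the sample lines in the test are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the lab page: report peers on a WireGuard
# interface whose handshake is missing or stale. Input is the output of
# `wg show <iface> latest-handshakes`: "<peer public key>\t<unix timestamp>"
# per peer, with timestamp 0 meaning no handshake has ever completed.
# Assumption: a handshake older than MAX_AGE seconds (default 180, well past
# the lab's 25 s PersistentKeepalive plus WireGuard's ~2 min rekey interval)
# means the tunnel is not currently working.

# stale_peers NOW [MAX_AGE]  < handshake-lines
# Prints one line per stale peer; returns 0 only when every peer is fresh.
stale_peers() {
    now=$1; max=${2:-180}; n=0
    while IFS="$(printf '\t')" read -r peer ts; do
        # skip blank or malformed lines rather than tripping the arithmetic
        if [ -z "$peer" ] || [ -z "$ts" ]; then continue; fi
        if [ "$ts" -eq 0 ]; then
            echo "$peer: no handshake yet"; n=$((n + 1))
        elif [ $((now - ts)) -gt "$max" ]; then
            echo "$peer: last handshake $((now - ts))s ago"; n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Usage on a live system (wg needs root to read the interface state):
#   sudo wg show wg0 latest-handshakes | stale_peers "$(date +%s)"
case "${1:-}" in
    check) sudo wg show "${2:-wg0}" latest-handshakes | stale_peers "$(date +%s)" ;;
esac
```

sh wgcheck.sh check wg0 exits non-zero and names the peer when the tunnel is configured but not actually exchanging packets, which is the state you get when, for example, the UDP port is blocked by the security group.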

Test 1: SSH from AWS Server to Ubuntu-LAN

From the AWS server, SSH to the ubuntu-LAN system using ssh [email protected]. This command uses the WireGuard IP address.

Configure Apache on AWS-Ubuntu

  • Install apache2 on the AWS server using sudo apt install apache2
  • Create a simple index.html file in the /var/www/html/ directory.
  • In the /etc/apache2/ports.conf file, change the listen port from 80 to 8080.
  • Start the Apache service using sudo systemctl start apache2

Test 2: Connect to AWS Server Web Server from Ubuntu-LAN

To test connectivity to the web server on the AWS server, the command curl http://10.0.101.1:8080 can be used. The command should show the contents of the index.html page. Additionally, it should be reachable from a browser.

Forwarding via Ubuntu-LAN

Using WireGuard, connections can be forwarded through the WireGuard interface. To do this, configuration must be added to the wg0.conf file on each system.

On the AWS system only, add 10.0.6.0/24 and 10.0.5.0/24 to the AllowedIPs entry for the peer, so that traffic for those LAN networks is routed into the tunnel towards ubuntu-LAN.

On ubuntu-LAN, add the following to the [Interface] section of wg0.conf:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE

On the AWS server, add the following to the [Interface] section of wg0.conf:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

On both systems, turn on IP forwarding using the following commands (they need root):

sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -p
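The two things that most often go wrong in this step are a PostDown line that does not exactly mirror its PostUp (leaving FORWARD and MASQUERADE rules behind after wg-quick down) and a forwarding flag that is lost at reboot because sysctl -w is not persistent. As an added example (not from the lab page or the WireGuard project), the following POSIX shell helpers derive the matching PostDown from a PostUp line, verify a pair, and read or persist the ip_forward flag. The function names and the sysctl.d drop-in path are this example's own assumptions; the uplink interface names ens160 and eth0 are the ones used in the lab.

```shell
#!/bin/sh
# Added example, not part of the lab page: helpers for the forwarding step.
# Assumptions: the uplink interface name is passed in (ens160 on ubuntu-LAN,
# eth0 on the AWS instance, as in the lab); file paths are parameters so the
# functions can be exercised without root.

# expected_postdown "POSTUP_LINE"
# Derives the PostDown that undoes a PostUp: every rule appended with -A is
# deleted with -D, in the same table and with the same match and target.
expected_postdown() {
    printf '%s\n' "$1" | sed -e 's/^PostUp *=/PostDown =/' -e 's/ -A / -D /g' -e 's/ *$//'
}

# check_postdown POSTUP_LINE POSTDOWN_LINE
# Returns 0 when PostDown removes exactly the rules PostUp adds; otherwise
# prints the line that was expected and returns 1. A mismatch leaves stale
# FORWARD / MASQUERADE rules in place after `wg-quick down`.
check_postdown() {
    want=$(expected_postdown "$1")
    got=$(printf '%s\n' "$2" | sed 's/ *$//')
    [ "$want" = "$got" ] && return 0
    echo "PostDown does not mirror PostUp; expected:"; echo "  $want"; return 1
}

# forward_rules UPLINK
# Prints the PostUp/PostDown pair used in the lab for a given uplink interface.
forward_rules() {
    up="PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE"
    printf '%s\n' "$up"
    expected_postdown "$up"
}

# ip_forward_enabled [PROCFILE]
# Reads the kernel flag (default /proc/sys/net/ipv4/ip_forward); the path is a
# parameter so the function can be tested on a copied value.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$f" 2>/dev/null)" = 1 ]
}

# persist_ip_forward FILE
# `sysctl -w` lasts until reboot only; a sysctl.d drop-in makes `sysctl -p FILE`
# and the next boot re-apply it. Suggested path (an assumption, not the lab's):
# /etc/sysctl.d/99-wireguard-forward.conf
persist_ip_forward() {
    printf 'net.ipv4.ip_forward = 1\n' > "$1"
}

# Usage: print the pair for the AWS side, or check the live forwarding flag.
case "${1:-}" in
    rules) forward_rules "${2:-eth0}" ;;
    status) ip_forward_enabled && echo "ip_forward=1" || echo "ip_forward=0" ;;
esac
```

sh fwd.sh rules ens160 prints the ubuntu-LAN pair exactly as it appears above, and the same function with eth0 gives the AWS pair; sh fwd.sh status reports the current kernel flag without needing root.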

Test 3: Curling An Internal Web Server from AWS Server

To test forwarding, a connection can be made to an internal web server from the AWS server. To do this, the command curl 10.0.6.10:8080 was used.

Reflection

In this lab, I learned about using wireguard to connect two systems and also how to configure wireguard to secure the traffic over the network, allowing for connections to be forwarded using wireguard. This lab was fairly simple and built upon skills using wireguard as well as AWS.