Lab 7‐1 Wireguard VPN - benjigifford/SEC-440 GitHub Wiki
Objectives
The AWS system will be able to:
- access its WireGuard peer (xubuntu-lan), which sits behind a NAT network, via SSH and ICMP
- access your LAN web server (or pool) via HTTP
In addition, the LAN system xubuntu-lan can reach HTTP on port 8080 on the AWS Ubuntu peer through the WireGuard tunnel.
Step 1: AWS Ubuntu Peer
- Go to AWS Learner Lab EC2 console
- Launch instance
- Amazon Machine Image, Ubuntu Free Tier eligible
- t2.micro instance type
- Select the SEC440 key pair
- Default network settings
- Review and launch
On xubuntu-lan:
- Connect to the instance with the key pair over SSH (ssh refuses a private key that other users can read, hence the chmod):
sudo chmod 400 Documents/SEC440.pem
ssh -i Documents/SEC440.pem [email protected]
Step 2: Wireguard VPN Installation and Configuration
Install WireGuard on both the AWS Ubuntu peer and xubuntu-lan:
sudo apt-get update
sudo apt-get install wireguard
Create Key Pairs
Create a WireGuard key pair on both the AWS Ubuntu peer and xubuntu-lan.
Tips:
- Use sudo -i to work as root
- Create them in the /etc/wireguard folder
- Use the wg genkey and wg pubkey commands
On both boxes (once you are root via sudo -i, the extra sudo on each command is unnecessary; umask 077 makes the private key file mode 0600 from the moment it is created rather than only after the chmod, and tee also echoes the private key to the terminal, so do this where nobody is looking over your shoulder):
sudo -i
cd /etc/wireguard
umask 077
wg genkey | tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key
wg pubkey < /etc/wireguard/private.key | tee /etc/wireguard/public.key
Wireguard - Create wg0 Interface
On the AWS Ubuntu box (still as root from the sudo -i above; the same applies to the xubuntu-lan block below):
ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.101.1/24
wg set wg0 private-key /etc/wireguard/private.key
wg set wg0 listen-port 51900
ip link set wg0 up
wg
ip a
hostname -I
On xubuntu LAN:
ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.101.2/24
wg set wg0 private-key /etc/wireguard/private.key
wg set wg0 listen-port 51900
ip link set wg0 up
wg
ip a
hostname -I
Configure xubuntu-lan as a peer on aws-ubuntu-peer
- Copy the text of xubuntu-lan's public key (/etc/wireguard/public.key on xubuntu-lan)
- On AWS Ubuntu:
wg set wg0 peer (insert key here) allowed-ips 10.0.101.2/32 endpoint 10.0.5.6:51900
wg
Note that 10.0.5.6 is xubuntu-lan's private address behind the NAT, so AWS cannot initiate a handshake to it. The tunnel comes up when xubuntu-lan sends the first packet; WireGuard then replaces this endpoint with the public address and port the NAT used, which is what wg show reports under endpoint afterwards.
Configure aws-ubuntu-peer as a peer on xubuntu-lan
- Add AWS Ubuntu's public key to xubuntu-lan
- On xubuntu-lan:
wg set wg0 peer (insert key here) allowed-ips 10.0.101.1/32 endpoint ec2-34-204-5-52.compute-1.amazonaws.com:51900
wg
Inbound Rules on AWS
Edit the security group you assigned to your Ubuntu instance:
- Add a custom inbound UDP rule allowing port 51900 (WireGuard never answers a packet that does not authenticate, so leaving the source open is tolerable; restricting it to your NAT's public IP is tighter if you know it)
- Add an inbound ICMP rule (if it does not exist already)
No rule for TCP 8080 is needed: the web traffic in Step 3 arrives inside the tunnel, not on the public interface.
Save Configurations on AWS and xubuntu-lan
As root, on both systems:
wg showconf wg0 | tee /etc/wireguard/wg0.conf
This takes the current WireGuard state of wg0 and saves it as a wg-quick config file. Because tee runs under root's default umask, the file comes out mode 0644 while containing the private key; make it 0600 (chmod 600 /etc/wireguard/wg0.conf), otherwise wg warns that the file is world accessible every time it loads it. wg showconf records the peer's Endpoint as the IP it resolved rather than the DNS name, and it records neither the interface address nor any PostUp/PostDown hooks, so those have to be added by hand.
On AWS Ubuntu:
nano /etc/wireguard/wg0.conf
- Add, below the PrivateKey line in the [Interface] section:
Address = 10.0.101.1/24
On xubuntu-lan:
nano /etc/wireguard/wg0.conf
- Add, below the PrivateKey line in the [Interface] section:
Address = 10.0.101.2/24
- Add, below the Endpoint line in the [Peer] section:
PersistentKeepalive = 25
The /24 prefix matches what was assigned with ip address add earlier. The keepalive is what keeps the NAT's UDP mapping alive so packets from AWS can still reach xubuntu-lan after the tunnel has gone quiet; without it, AWS-initiated traffic (objective 1) is dropped by the NAT once the mapping expires.
Starting/stopping wireguard and showing status
- Start WireGuard with wg-quick up wg0
- Stop WireGuard with wg-quick down wg0
- Show WireGuard status with wg show
The wg0 interface created by hand above must be removed before the first wg-quick up (wg-quick down wg0, or ip link delete wg0), because wg-quick refuses to create an interface that already exists.
NOTE: If you stop working on the lab and come back to it later, your AWS Ubuntu server may have a new public IP address and DNS name.
- Updating the Endpoint in the [Peer] section of wg0.conf on xubuntu-lan is enough; the AWS side learns xubuntu-lan's endpoint from the next handshake
- wg-quick down wg0 followed by wg-quick up wg0 on both systems re-establishes the tunnel
Connectivity Test #1
From AWS Ubuntu, over the tunnel, to xubuntu-lan (objective 1); ping 10.0.101.2 first to confirm ICMP, then:
ssh [email protected]
Step 3: Configure Apache on AWS-Ubuntu
Install and configure Apache on AWS-Ubuntu and have it listen on port 8080
- Install the service (the package is called apache2)
- Once installed, create a new /var/www/html/index.html file. It can just be a text file that includes your name and "SEC-440 Wireguard Lab". Make sure the file is readable by everyone
- Update the Apache config to listen on port 8080 instead of 80 (tip: /etc/apache2/ports.conf)
- Start the apache2 service and make sure you can access the page locally (e.g. with curl)
On AWS Ubuntu:
sudo apt-get install apache2
cd /var/www/html/
sudo mv index.html index.txt
sudo nano index.html
sudo chmod 644 index.html
ls -l
cd /etc/apache2
sudo nano ports.conf
Change Listen 80 to Listen 8080
sudo systemctl restart apache2
sudo systemctl status apache2
Listen 8080 binds on every interface, so Apache is also listening on the instance's public address; the only thing keeping it off the internet is that the security group has no rule for TCP 8080. If you want that to be explicit rather than incidental, use Listen 10.0.101.1:8080 instead, bearing in mind that wg0 must then be up before apache2 starts.
On xubuntu-lan (over the tunnel):
curl http://10.0.101.1:8080
Connectivity Test #2
xubuntu-lan to aws-peer over an arbitrary port: TCP 8080 is not open in the security group, so this works only because the request arrives through wg0.
Step 4: AWS-Ubuntu to web via xubuntu-lan forwarding
On AWS Ubuntu:
sudo -i
cd /etc/wireguard
nano wg0.conf
- Add 10.0.5.0/24 to the end of the AllowedIPs line in the [Peer] section (AllowedIPs = 10.0.101.2/32, 10.0.5.0/24). AllowedIPs is both the routing table and the packet filter: wg-quick installs a route for 10.0.5.0/24 via wg0, and the kernel only accepts decrypted packets from this peer whose source address is in the list, so every LAN subnet you want to reach from AWS has to be listed here.
- Add this to the [Interface] section (eth0 is the instance's internet-facing interface; confirm with ip route show default, since newer Ubuntu AMIs name it ens5):
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
On xubuntu-lan (ens160 is its LAN-facing interface; confirm with ip route show default):
sudo nano /etc/wireguard/wg0.conf
- Add this to the [Interface] section:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE
On both boxes, enable IP forwarding and restart the tunnel so the hooks run:
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -p
wg-quick down wg0
wg-quick up wg0
wg show
sysctl -w only lasts until the next reboot, and sysctl -p merely reloads /etc/sysctl.conf, so to make forwarding persistent add net.ipv4.ip_forward=1 to that file (or to a file under /etc/sysctl.d/) before running sysctl -p. The MASQUERADE on xubuntu-lan is what lets the LAN web server reply: it sees the request coming from 10.0.5.6 rather than from 10.0.101.1, for which it has no route. Note also that the FORWARD rules accept everything in both directions, so xubuntu-lan now forwards anything the AWS peer sends it to the whole LAN; on a real gateway you would limit the -i %i rule to the hosts and ports you actually intend to expose.
Connectivity Test #3
- From AWS-Ubuntu, curl to a web server inside the SEC-440 network. The target must be covered by the AllowedIPs you added: 10.0.5.100 is, whereas a host such as 10.0.6.10 (which should be HAProxy pointing to your web servers) is only routed through the tunnel once 10.0.6.0/24 is added to AllowedIPs on the AWS side as well.
curl http://10.0.5.100
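When Connectivity Test #3 fails, the two things to establish are whether the peer has handshaked recently at all and whether the destination is covered by any peer's AllowedIPs, which is what decides if the kernel will send the packet into the tunnel or drop it. The script below is an added example for this lab, not code from the page or the WireGuard project: it parses the tab-separated output of wg show wg0 dump and answers both questions. The embedded dump is constructed to look like the AWS peer after Step 4 (placeholder keys, and a TEST-NET address standing in for the NAT's public endpoint); wg_check_live runs the same check against the real interface.

```shell
#!/bin/sh
# wg-check.sh: read the peer table from `wg show IFACE dump` and answer the two
# questions behind most "tunnel is up but curl hangs" reports:
#   1. has each peer completed a handshake recently (is the tunnel really up)?
#   2. which peer's AllowedIPs carry a destination (WireGuard's cryptokey routing)?
# Added example for this lab; not code from the page or from the WireGuard project.
# Dump format (tab separated): line 1 is the interface (private-key public-key
# listen-port fwmark); each further line is a peer (public-key preshared-key endpoint
# allowed-ips latest-handshake transfer-rx transfer-tx persistent-keepalive).
set -eu
TAB=$(printf '\t')

# ip2int A.B.C.D -> 32-bit integer (IPv4 only, which is all this lab uses).
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR -> 0 if ADDR lies inside CIDR (a bare address counts as /32).
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# wg_peer_for DUMP ADDR -> prints the public key of the peer whose AllowedIPs cover
# ADDR; returns 1 if none does, which is exactly when the kernel drops the packet
# instead of encrypting it (the same list also rejects inbound packets from a peer
# whose source address is not listed).
wg_peer_for() {
  dump=$1; dst=$2
  printf '%s\n' "$dump" | tail -n +2 | {
    while IFS=$TAB read -r pub psk ep allowed rest; do
      [ "$allowed" = "(none)" ] && continue
      old_ifs=$IFS; IFS=,; set -- $allowed; IFS=$old_ifs
      for cidr in "$@"; do
        case $cidr in *:*) continue ;; esac          # skip IPv6 entries
        if in_cidr "$dst" "$cidr"; then printf '%s\n' "$pub"; exit 0; fi
      done
    done
    exit 1
  }
}

# wg_handshake_state DUMP NOW MAXAGE -> one line per peer: "<pubkey> <age|never> <up|down>".
# With traffic or a PersistentKeepalive flowing, WireGuard re-handshakes every couple of
# minutes, so a latest-handshake older than MAXAGE (180 s is a safe threshold) means the
# peer is unreachable even though `ip link` still shows wg0 UP.
wg_handshake_state() {
  printf '%s\n' "$1" | tail -n +2 | while IFS=$TAB read -r pub psk ep allowed hs rest; do
    if [ "$hs" -eq 0 ]; then
      printf '%s never down\n' "$pub"
    else
      age=$(( $2 - hs )); state=down
      [ "$age" -le "$3" ] && state=up
      printf '%s %d %s\n' "$pub" "$age" "$state"
    fi
  done
}

# wg_check_live [IFACE] [MAXAGE]: the same check against the real interface (needs root).
# The dump includes the interface's private key, so never paste it into a ticket or chat.
wg_check_live() {
  live_dump=$(wg show "${1:-wg0}" dump)
  wg_handshake_state "$live_dump" "$(date +%s)" "${2:-180}"
}

# Constructed sample standing in for `wg show wg0 dump` on the AWS peer after Step 4.
# Keys are placeholders, not real WireGuard keys. 203.0.113.7:41234 is the NAT's public
# address/port that WireGuard learned from xubuntu-lan's first handshake (not 10.0.5.6).
LAN_PUB='xubuntuLanPublicKeyPLACEHOLDER00000000000000='
OTHER_PUB='neverConnectedPeerPLACEHOLDER000000000000000='
SAMPLE_DUMP=$(
  printf '(private key redacted)\tawsPublicKeyPLACEHOLDER000000000000000000000=\t51900\toff\n'
  printf '%s\t(none)\t203.0.113.7:41234\t10.0.101.2/32,10.0.5.0/24\t1700000100\t4096\t8192\toff\n' "$LAN_PUB"
  printf '%s\t(none)\t(none)\t10.0.101.3/32\t0\t0\t0\toff\n' "$OTHER_PUB"
)

# Demo on the sample: liveness 30 s after the last handshake, then two routing decisions.
wg_handshake_state "$SAMPLE_DUMP" 1700000130 180
wg_peer_for "$SAMPLE_DUMP" 10.0.5.100
wg_peer_for "$SAMPLE_DUMP" 10.0.6.10 || echo 'no peer carries 10.0.6.10: add 10.0.6.0/24 to AllowedIPs'
```

On the real box, source the script and run wg_check_live wg0 as root; a peer reported as down with a recent Endpoint usually means the keepalive is missing on the NATed side, while "never" means the keys or the security group rule are wrong. wg_peer_for is the check to run before blaming the network when a curl to a new LAN address hangs.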