Securing Wireguard VPN Authentication using a Jumpbox - cfloquetprojects/homelab GitHub Wiki
So far we have successfully installed WireGuard VPN onto a CentOS 7 host and configured routing that allows basically any connection. In today's lab we are going to better secure this remote connection by using a jump box.
A jump server is commonly used to access and manage networks, funnelling all access to a particular location through a single hardened system.
While there are many steps involved in hardening CentOS 7, the only ones we will take in today's lab are the following:
- Creating a new, uniquely named local user and disabling root login via `/etc/ssh/sshd_config`
- Enabling and configuring the firewall with `firewalld`
- Joining our jump server to an existing AD domain for user authentication
- Enabling MFA on our domain accounts for the jump server
We will also apply further access controls to our existing setup with `iptables`, which configures the local kernel firewall of our WireGuard VPN server.
- Ensure that you have WireGuard VPN installed on a separate VM (perhaps using my previous guide) within the same subnet as the one we will be using for our jump server, likely both on a DMZ network.
- You can also use another guide I've previously made on joining both Fedora and Debian hosts to Windows AD domains.
- Make sure you have a Windows 10 host that we can RDP into for accessing other systems on the network from a controlled environment.
The first thing we need to do is restrict which hosts our WireGuard VPN server can talk to, since right now it can reach any host on the network. Our `iptables` rules are already applied by bash scripts in the `/etc/wireguard` folder, called from the `PostUp` and `PostDown` lines of the interface configuration, so we can make some simple changes to the rules in those scripts so that VPN clients can only reach the jump server:
💡 `iptables` works well for access control, but a chain is evaluated top to bottom and the first matching rule wins, so the specific ACCEPT for the jump box must sit above the blanket REJECT for the subnets that contain it; in the reverse order the allow is never reached. Note also that a comma-separated `-d` list is expanded by `iptables` into one rule per network, all inserted at the position given, so the chain ends up with more rules than the script has lines.
```bash
cfloquet@wireguard01:/etc/wireguard/helper# vi addRules.bash
<...>
## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
# Jump box -> VPN clients, then VPN clients -> jump box only. The ACCEPT for
# 10.0.2.4 must come before the REJECT that covers its subnet (10.0.2.0/29).
$IPT -I FORWARD 1 -s 10.0.2.4/32 -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 2 -i $WG_FACE -d 10.0.2.4/32 -j ACCEPT
$IPT -I FORWARD 3 -i $WG_FACE -d 10.0.1.0/24,10.0.2.0/29,10.0.3.0/28,192.168.1.0/24 -j REJECT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
<...>
```
Now that we have our `addRules.bash` file in place, we need to create a mirror copy of it with the `-I` flags switched to `-D` and each rule identified by its full specification, so that the NAT and forwarding rules are removed whenever the interface is brought down, as a best practice.
💡 `iptables -D` accepts either a rule number or the full rule specification. Deleting by number looks convenient but is fragile: every deletion renumbers the rules below it, so `-D FORWARD 1`, `-D FORWARD 2`, `-D FORWARD 3` run in sequence removes the original rules 1, 3 and 5, not 1, 2 and 3, and the comma-separated `-d` list in `addRules.bash` was expanded into several rules, so the numbers in that file do not map one-to-one onto chain positions anyway. Deleting by specification removes exactly the rule you added, wherever it ended up; if you must delete by number, go from the highest number down.
```bash
cfloquet@wireguard:/etc/wireguard/helper# vi delRules.bash
<...>
# IPv4 rules #
$IPT -t nat -D POSTROUTING -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -D INPUT -i $WG_FACE -j ACCEPT
# Delete the FORWARD rules by specification, not by number: each deletion
# renumbers the rules below it, so numbered deletes would remove the wrong
# rules and leave REJECT entries behind across restarts.
$IPT -D FORWARD -s 10.0.2.4/32 -o $WG_FACE -j ACCEPT
$IPT -D FORWARD -i $WG_FACE -d 10.0.2.4/32 -j ACCEPT
$IPT -D FORWARD -i $WG_FACE -d 10.0.1.0/24,10.0.2.0/29,10.0.3.0/28,192.168.1.0/24 -j REJECT
$IPT -D INPUT -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
<...>
```
cfloquet@wireguard:/etc/wireguard/helper# systemctl restart [email protected]
Upon restarting the WireGuard interface service (so that `PostDown` and then `PostUp` run again), VPN clients should only be able to communicate with the jump host. Test this with `ping` from a connected client: the jump box should answer, and hosts on the other subnets should not. `iptables -L FORWARD -n --line-numbers` on the VPN server shows the effective rule order.
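As an added check that is not part of the original page or the homelab repo, the following Python models the FORWARD chain with the three behaviours that matter for the `addRules.bash` and `delRules.bash` scripts above: first-match evaluation, the expansion of a comma-separated `-d` list into one rule per network (each inserted at the same position), and the renumbering that happens when rules are deleted by number. `wg0` for `$WG_FACE`, the jump box 10.0.2.4 and a VPN client at 10.10.0.2 are assumed values. It shows that, as originally written, the client ACCEPT lands at position 3 only because of that expansion, and that the three numbered deletes leave three REJECT rules behind; the reordered rules with deletion by specification tear down cleanly, and a single blanket deny written literally above the allow rejects the jump box.

```python
"""First-match simulator for the guide's FORWARD rules (added example)."""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One rule, limited to the matchers the guide's FORWARD rules use."""
    in_if: str | None
    out_if: str | None
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str

    def matches(self, pkt: dict) -> bool:
        return ((self.in_if is None or pkt.get("in") == self.in_if)
                and (self.out_if is None or pkt.get("out") == self.out_if)
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst)


def parse_spec(args: list[str]) -> list[Rule]:
    """Expand a rule spec the way iptables does: one rule per -s/-d network."""
    opt = {"-i": None, "-o": None, "-s": "0.0.0.0/0", "-d": "0.0.0.0/0", "-j": None}
    for flag, value in zip(args[::2], args[1::2]):
        opt[flag] = value
    return [Rule(opt["-i"], opt["-o"], ipaddress.ip_network(s),
                 ipaddress.ip_network(d), opt["-j"])
            for s in opt["-s"].split(",") for d in opt["-d"].split(",")]


class Chain:
    """A single chain evaluated top to bottom; the first matching rule wins."""

    def __init__(self, policy: str = "ACCEPT"):
        self.rules: list[Rule] = []
        self.policy = policy

    def run(self, cmdline: str) -> None:
        """Apply one `<op> CHAIN [rulenum] <spec>` command (-I, -A or -D)."""
        op, _chain, *args = shlex.split(cmdline)
        rulenum = int(args.pop(0)) if args and args[0].isdigit() else None
        if op == "-D" and rulenum is not None:
            del self.rules[rulenum - 1]        # by number: rules below it shift up
        elif op == "-D":
            for rule in parse_spec(args):
                self.rules.remove(rule)        # by spec: that exact rule, wherever it is
        elif op == "-I":
            for rule in parse_spec(args):      # every expanded rule lands in the same
                self.rules.insert((rulenum or 1) - 1, rule)   # slot, so their order flips
        elif op == "-A":
            self.rules.extend(parse_spec(args))
        else:
            raise ValueError(f"unsupported operation {op}")

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


# Assumed values: wg0 for $WG_FACE, 10.0.2.4 for the jump box, 10.10.0.2 for a client.
WG, JUMP, CLIENT = "wg0", "10.0.2.4", "10.10.0.2"
LAN = "10.0.1.0/24,10.0.2.0/29,10.0.3.0/28,192.168.1.0/24"
FROM_JUMP = f"-I FORWARD 1 -s {JUMP}/32 -o {WG} -j ACCEPT"
ALLOW = f"-i {WG} -d {JUMP}/32 -j ACCEPT"
DENY = f"-i {WG} -d {LAN} -j REJECT"

# The FORWARD lines as the guide's addRules.bash / delRules.bash originally wrote them.
ORIGINAL_UP = [FROM_JUMP, f"-I FORWARD 2 {DENY}", f"-I FORWARD 3 {ALLOW}"]
ORIGINAL_DOWN = ["-D FORWARD 1", "-D FORWARD 2", "-D FORWARD 3"]
# Allow above deny, and teardown by specification instead of by number.
FIXED_UP = [FROM_JUMP, f"-I FORWARD 2 {ALLOW}", f"-I FORWARD 3 {DENY}"]
FIXED_DOWN = ["-D FORWARD " + cmd.split(" ", 3)[3] for cmd in FIXED_UP]
# A single blanket deny written literally above the allow: the allow is never reached.
SHADOWED_UP = [f"-I FORWARD 1 -i {WG} -d 10.0.2.0/29 -j REJECT", f"-I FORWARD 2 {ALLOW}"]


def simulate(up: list[str], down: list[str]) -> dict:
    """Bring the chain up, test three client destinations, then bring it down."""
    chain = Chain()
    for cmd in up:
        chain.run(cmd)
    verdicts = {dst: chain.verdict({"in": WG, "src": CLIENT, "dst": dst})
                for dst in (JUMP, "10.0.2.5", "10.0.1.5")}
    accept_at = next(n for n, r in enumerate(chain.rules, 1)
                     if r.target == "ACCEPT" and r.in_if == WG)
    for cmd in down:
        chain.run(cmd)
    return {"verdicts": verdicts, "accept_at": accept_at, "leftover": len(chain.rules)}


if __name__ == "__main__":
    for name, up, down in (("original", ORIGINAL_UP, ORIGINAL_DOWN),
                           ("fixed", FIXED_UP, FIXED_DOWN),
                           ("shadowed", SHADOWED_UP, [])):
        print(name, simulate(up, down))
```

The simulator only covers `-i`, `-o`, `-s`, `-d` and `-j`, which is all the FORWARD rules on this page use; it is a reasoning aid, not a replacement for checking the live chain with `iptables -L FORWARD -n --line-numbers` after bringing the interface up and again after bringing it down, where a clean `PostDown` should leave no rules from the script behind.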
The next step in securing our workstations is to prevent RDP logins from any host other than the jump box, by restricting the remote-address scope of the RDP rule in the workstation's firewall to the jump box's static IP.
Navigate to Windows Defender Firewall with Advanced Security by going to Control Panel > System and Security > Windows Defender Firewall > Advanced Settings, go to Inbound Rules, and open the properties of the Remote Desktop - User Mode (TCP-In) rule (repeat the same change for the matching UDP-In rule if it is enabled).
Switch to the Scope tab within the rule properties and add a new entry under Remote IP Addresses that matches the IP of your jump box, as that is the host that will actually be connecting. Any RDP attempt from another address, including directly from a VPN client, is then dropped by the workstation itself.
Finally, we can apply a further control on the system by restricting which users are allowed to log on over RDP, under the Remote Desktop settings on the local system (System Properties > Remote > Select Users).
💡 This concludes our initial setup for securing WireGuard VPN authentication a bit further, through the use of MFA and a jump box to access a virtualized host on a remote network. Future guides will go into more detail on specific GPOs, logging policies, and other steps to take as I learn more in my own projects.