Remote Access Research Project - devinziegler/Devin-Tech-Journal GitHub Wiki

πŸ›³οΈ Outline

  • Allow traveler to rdp into mgmt01
  • Use a secure VPN with server on jump and traveler acting as client

Wireguard introduction

🔑 Install on traveler & jump

Windows Installation (Client)

  1. Download the GUI installer from wireguard.com
  2. Open the installer and create a new tunnel (Ctrl + N)
  3. Use the following config; the server public key will be added later:
[Interface]
PrivateKey = <Client_PrivateKey>
ListenPort = 51820
Address = 10.0.18.2/24
DNS = 10.0.18.1

[Peer]
PublicKey = <Server_Publickey>
# 10.0.18.1/32 is listed so the DNS server above is reachable through the tunnel:
# WireGuard only routes destinations that appear in AllowedIPs
AllowedIPs = 10.0.18.1/32, 172.16.200.11/32
# Endpoint must carry the UDP port that edge01 forwards to jump
Endpoint = <edge01_WAN_interface_IP>:51820

This is mostly it for the client configuration; the server's PublicKey will need to be added after WireGuard is installed on jump.

Linux Installation (Server)

  1. Install WireGuard with the following command:
sudo apt install wireguard
  2. Create a public and private key (courtesy of the WireGuard quickstart). /etc/wireguard is root-owned, so run the pipeline as root, and set umask 077 first so the private key file is not world-readable:
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey'
  3. Create the server config in /etc/wireguard/wg0.conf:
[Interface]
Address = 10.0.18.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <Server_PrivateKey>

[Peer]
PublicKey = <Client_PublicKey>
AllowedIPs = 10.0.18.2/32
Endpoint = 10.0.17.47:51820

The final step in configuring the VPN is to add the server public key into the client config.

  1. On traveler, right-click the new client tunnel and click Edit
  2. Fill in the following with the server public key:
[Peer]
PublicKey = <Server_Publickey>

That concludes everything needed for the WireGuard configuration.
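Because a WireGuard tunnel with a typo in it simply never handshakes, it is worth checking the .conf files before bringing them up. The following is an added example, not code from this wiki or from the WireGuard project: a small Python checker that parses the [Interface]/[Peer] format used above and flags unfilled placeholders, malformed keys, a Peer Endpoint with no port, and a DNS server that no AllowedIPs entry covers. The sample config is constructed in the shape of the client config above (203.0.113.10 is a documentation address standing in for edge01, and the "fixed" variant uses a dummy all-zero key rather than real wg genkey output).

```python
"""Added example, not part of the wiki: a checker for WireGuard .conf files.

It parses the [Interface]/[Peer] format shown above and flags the mistakes
that most often leave a tunnel silently dead:
  * placeholders such as <Client_PrivateKey> left unfilled
  * PrivateKey/PublicKey values that are not 32-byte base64 keys
  * a Peer Endpoint without a :port
  * an Interface DNS server that no peer's AllowedIPs covers (WireGuard only
    routes destinations listed in AllowedIPs into the tunnel)
"""
import base64
import ipaddress
import re

PLACEHOLDER = re.compile(r"<[^>]*>")
ENDPOINT_WITH_PORT = re.compile(r".+:\d{1,5}")
KEY_FIELDS = {"PrivateKey", "PublicKey", "PresharedKey"}


def parse_wg_conf(text):
    """Return [(section_name, {key: value}), ...] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # wg-quick treats '#' as a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def valid_key(value):
    """A WireGuard key is 32 bytes, base64 encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def check_wg_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    dns_servers = []
    allowed = []
    for name, kv in parse_wg_conf(text):
        for key, value in kv.items():
            if PLACEHOLDER.fullmatch(value):
                findings.append(f"{name}.{key}: placeholder {value} not filled in")
            elif key in KEY_FIELDS and not valid_key(value):
                findings.append(f"{name}.{key}: not a valid 32-byte base64 key")
        if name == "Interface":
            dns_servers += [d.strip() for d in kv.get("DNS", "").split(",") if d.strip()]
        elif name == "Peer":
            allowed += [ipaddress.ip_network(n.strip(), strict=False)
                        for n in kv.get("AllowedIPs", "").split(",") if n.strip()]
            endpoint = kv.get("Endpoint")
            if endpoint and not PLACEHOLDER.fullmatch(endpoint) \
                    and not ENDPOINT_WITH_PORT.fullmatch(endpoint):
                findings.append(f"Peer.Endpoint: {endpoint!r} has no :port")
    for dns in dns_servers:
        try:
            addr = ipaddress.ip_address(dns)
        except ValueError:
            continue            # non-IP entries in DNS= are search domains
        if not any(addr in net for net in allowed):
            findings.append(f"Interface.DNS: {dns} is not covered by any AllowedIPs, "
                            "so DNS queries will not go through the tunnel")
    return findings


# Constructed sample in the shape of the wiki's client config, with the
# placeholders unfilled and an Endpoint missing its port (203.0.113.10 is a
# documentation address, not a real edge01).
CLIENT_CONF_DRAFT = """\
[Interface]
PrivateKey = <Client_PrivateKey>
ListenPort = 51820
Address = 10.0.18.2/24
DNS = 10.0.18.1

[Peer]
PublicKey = <Server_Publickey>
AllowedIPs = 172.16.200.11/32
Endpoint = 203.0.113.10
"""

# Syntactically valid dummy key (32 zero bytes) standing in for wg genkey output.
DUMMY_KEY = base64.b64encode(bytes(32)).decode()

CLIENT_CONF_FIXED = f"""\
[Interface]
PrivateKey = {DUMMY_KEY}
Address = 10.0.18.2/24
DNS = 10.0.18.1

[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 10.0.18.1/32, 172.16.200.11/32
Endpoint = 203.0.113.10:51820
"""

if __name__ == "__main__":
    for label, conf in (("draft", CLIENT_CONF_DRAFT), ("fixed", CLIENT_CONF_FIXED)):
        print(f"{label}: {check_wg_conf(conf) or ['ok']}")
```

Run it against the real client and server files before `wg-quick up`; the draft sample produces four findings (two placeholders, the port-less Endpoint, and the DNS server outside AllowedIPs) while the fixed sample produces none.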

🔥 Firewall Additions

Overview

  • Create a rule to allow RDP from DMZ to MGMT
  • Create a rule to allow wireguard from WAN to DMZ
  • Create a destination NAT rule for jump

Forward Jump

set firewall name DMZ-to-LAN rule 50 action 'accept'
set firewall name DMZ-to-LAN rule 50 description 'RDP forward'
set firewall name DMZ-to-LAN rule 50 destination port '3389'
set firewall name DMZ-to-LAN rule 50 protocol 'tcp'
set firewall name DMZ-to-LAN rule 50 source address '172.16.50.4'

WAN-to-DMZ wireguard rule

set firewall name WAN-to-DMZ rule 50 action 'accept'
set firewall name WAN-to-DMZ rule 50 destination address '172.16.50.4'
set firewall name WAN-to-DMZ rule 50 destination port '51820'
set firewall name WAN-to-DMZ rule 50 protocol 'udp'

This rule is essential: it allows WireGuard connections from traveler to jump.

DMZ to LAN RDP rule

set firewall name DMZ-to-LAN rule 50 action 'accept'
set firewall name DMZ-to-LAN rule 50 description 'RDP to LAN/MGMT'
set firewall name DMZ-to-LAN rule 50 destination port '3389'
set firewall name DMZ-to-LAN rule 50 protocol 'tcp'
set firewall name DMZ-to-LAN rule 50 source address '172.16.50.4'

This rule is essential for allowing RDP from DMZ to LAN.
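The overview lists a destination NAT rule for jump, which the page does not show. The following is an added example in the VyOS/EdgeOS `set` syntax the rules above use, written here rather than taken from the wiki: it forwards WireGuard (UDP 51820) arriving on the WAN interface to jump, and then narrows the DMZ-to-LAN RDP rule so jump can only reach mgmt01 rather than every host on the LAN. Assumptions: the WAN interface is `eth0`, the syntax is VyOS 1.3 style (1.4 writes `inbound-interface name 'eth0'`), jump's DMZ address is the 172.16.50.4 used in the rules above, and mgmt01 is the 172.16.200.11 the client config routes into the tunnel.

```text
set nat destination rule 10 description 'WireGuard to jump'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'udp'
set nat destination rule 10 destination port '51820'
set nat destination rule 10 translation address '172.16.50.4'

set firewall name DMZ-to-LAN rule 50 destination address '172.16.200.11'
```

Without the destination address line, rule 50 lets anything on jump open port 3389 on any LAN host; with it, a compromised jump gives an attacker one RDP target instead of the whole network.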

🔌 Test Connectivity

Now that firewall rules are in place, enable the interface on jump with the following:

wg-quick up wg0

If the config is named something else, use that name instead, for example: wg-quick up wg1
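Before trying RDP, it helps to confirm that traveler has actually completed a handshake with jump, since a wrong key or a blocked UDP port fails silently. The following is an added example, not a script from the wiki: a POSIX sh snippet that interprets the output of `wg show wg0 latest-handshakes` (one line per peer: public key, a tab, and the unix time of the last handshake, or 0 if none). The sample lines are constructed with a dummy peer key; the real invocation on jump is shown in the trailing comment and assumes the interface is named wg0 as above.

```shell
#!/bin/sh
# Added example, not part of the wiki: confirm that traveler has actually
# completed a WireGuard handshake with jump before testing RDP.
# `wg show wg0 latest-handshakes` prints one line per peer:
#   <peer public key><TAB><unix time of last handshake>   (0 = never)
# An active session re-handshakes at least every few minutes, so a timestamp
# older than MAX_AGE seconds means the tunnel is not carrying traffic.

MAX_AGE=180

# handshake_age LINE NOW -> prints seconds since the last handshake, -1 if never
handshake_age() {
    epoch=$(printf '%s\n' "$1" | cut -f2)
    if [ "$epoch" -eq 0 ]; then
        echo -1
    else
        echo $(( $2 - epoch ))
    fi
}

# tunnel_status LINE NOW -> prints "up", "stale" or "down"
tunnel_status() {
    age=$(handshake_age "$1" "$2")
    if [ "$age" -lt 0 ]; then
        echo down
    elif [ "$age" -le "$MAX_AGE" ]; then
        echo up
    else
        echo stale
    fi
}

# Constructed sample lines standing in for real `wg show` output; the peer
# key field is a dummy string, not a real public key.
SAMPLE_UP="$(printf 'dummyPeerKey=\t1700000100')"
SAMPLE_DOWN="$(printf 'dummyPeerKey=\t0')"
NOW=1700000160

for sample in "$SAMPLE_UP" "$SAMPLE_DOWN"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$sample" | cut -f1)" "$(tunnel_status "$sample" "$NOW")"
done

# Real use on jump, assuming the interface is wg0 as in the wiki:
#   wg show wg0 latest-handshakes | while IFS= read -r line; do
#       tunnel_status "$line" "$(date +%s)"
#   done
```

A "down" result before any traffic is normal (WireGuard only handshakes when a packet needs sending), so generate some traffic from traveler, for instance pinging 10.0.18.1, and re-check; "stale" after traffic means the handshake was lost, which usually points at a blocked UDP 51820 or a mismatched key.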

Test the connection by connecting to mgmt01 via RDP:

(screenshot: deliverable_complete)

🧾 Sources Used