Project 2 Remote Access Research and Integration - max-gallagher/SEC-350 GitHub Wiki

Project 2 Remote Access Research and Integration

Video: https://drive.google.com/file/d/1lTtL6IRoDflSOgDftErRxShmRunX4e8C/view

VPN: WireGuard

Sources

https://www.wireguard.com/

https://docs.vyos.io/en/equuleus/configuration/interfaces/ethernet.html

https://docs.vyos.io/en/equuleus/configuration/interfaces/wireguard.html

https://bootstrap-it.com/wireguard-vpn/

https://jasonschaefer.com/wireguard-vpn-on-vyos/

https://mullvad.net/en/help/wireguard-app-windows/

Initial Downloads (Traveler and Edge01)

Traveler WireGuard Install

  1. Go to the website: https://www.wireguard.com/install/

  2. Install the build for whatever OS is in use; in this project the Traveler box runs Windows, so the Windows installer is used

  3. Once it is installed, an empty WireGuard window will open

image

Edge01 WireGuard Install

  1. Run sudo apt update so the package lists are current and WireGuard can be installed

  2. Then run sudo apt install wireguard to install WireGuard

Setting up the tunnel (Traveler)

  1. Right click in the tunnel section of the interface and click "add empty tunnel"

image

  2. You will be prompted to name the tunnel, and the tunnel's public key and private key will be shown

image

  3. Click save

Create a keypair for edge01

  1. Create the private and public keys (source: https://bootstrap-it.com/wireguard-vpn/):

wg genkey | sudo tee /etc/wireguard/private.key

sudo chmod go= /etc/wireguard/private.key (the file is owned by root, so chmod needs sudo too)

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee xxxxxxxx (path to save the public key to; sudo is needed to read the now root-only private key)

Configure WireGuard tunnel

  1. Right click the tunnel you made earlier and click edit tunnel

  2. Set up the tunnel as shown below

  • Address = the address the client will use inside the VPN

  • Public Key = the public key of edge01

  • Allowed IPs = the VPN subnet (its network address and prefix) and the mgmt network's subnet

  • Endpoint = your WAN IP with port 51820 (the default WireGuard port)

image

Setting up the WireGuard interface on edge01

  1. Go into config mode and create/configure the new interface:

  • set interfaces wireguard wg0 address xxx.xxx.xxx.xxx/xx (in this case I used 10.0.45.1/24)

  • set interfaces wireguard wg0 peer x allowed-ips xxx.xxx.xxx.xxx/xx (x is the peer name, in this case traveler-max; allowed-ips is the IP the VPN client uses, in this case 10.0.45.20/32)

  • set interfaces wireguard wg0 peer x public-key xxxxxxxx (insert the public key of the peer, in this case traveler-max; VyOS 1.3/equuleus, which the linked docs cover, spells this keyword pubkey)

  • set interfaces wireguard wg0 port 51820 (this is the default WireGuard port)

  • set interfaces wireguard wg0 private-key xxxxxxxx (insert the private key of the firewall, in this case edge01)

image
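The two sides of the tunnel have to mirror each other: the client's Address is the peer's allowed-ips on edge01, each side carries the other's public key, and the client's AllowedIPs must cover mgmt02 or RDP never enters the tunnel. The following is an added example, not code from the wiki or from WireGuard/VyOS, that renders both ends from one set of parameters and cross-checks them. The keys are constructed 32-byte values (not the project's keys), the mgmt subnet 172.16.200.0/24 and the WAN address 203.0.113.10 are assumptions (the page only gives mgmt02 = 172.16.200.11), and the public-key keyword follows the page.

```python
import base64
import ipaddress

# Constructed sample keys (NOT the project's keys): 32 fixed bytes each,
# base64-encoded the same way `wg genkey` / `wg pubkey` print real keys.
TRAVELER_PUBLIC_KEY = base64.b64encode(bytes(range(1, 33))).decode()
EDGE01_PUBLIC_KEY = base64.b64encode(bytes(range(33, 65))).decode()
EDGE01_PRIVATE_KEY = base64.b64encode(bytes(range(65, 97))).decode()

# Addresses from the wiki page.  The mgmt subnet is an assumption (the page
# only names mgmt02 = 172.16.200.11); the WAN address is a documentation
# placeholder (RFC 5737 TEST-NET-3), not the real endpoint.
VPN_SUBNET = "10.0.45.0/24"
EDGE01_VPN_ADDRESS = "10.0.45.1/24"
TRAVELER_VPN_ADDRESS = "10.0.45.20/32"
MGMT_SUBNET = "172.16.200.0/24"   # assumed
MGMT02 = "172.16.200.11"
EDGE01_WAN = "203.0.113.10"       # placeholder
WG_PORT = 51820
PEER_NAME = "traveler-max"


def check_key(key: str) -> bool:
    """WireGuard keys are 32 bytes of Curve25519 material, base64-encoded:
    exactly 44 characters.  wg rejects anything else, and a pasted key that
    lost a character is a common reason a tunnel never completes a handshake."""
    if len(key) != 44:
        return False
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(raw) == 32


def traveler_config() -> str:
    """Render the tunnel the Windows client imports ('Configure WireGuard
    tunnel' above).  The client's private key never leaves the app, so it is
    only a placeholder in this rendering."""
    lines = [
        "[Interface]",
        "PrivateKey = <traveler private key, kept in the WireGuard app>",
        f"Address = {TRAVELER_VPN_ADDRESS}",
        "",
        "[Peer]",
        f"PublicKey = {EDGE01_PUBLIC_KEY}",
        f"AllowedIPs = {VPN_SUBNET}, {MGMT_SUBNET}",
        f"Endpoint = {EDGE01_WAN}:{WG_PORT}",
    ]
    return "\n".join(lines) + "\n"


def edge01_commands() -> list[str]:
    """Render the matching VyOS configuration for wg0.  allowed-ips and the
    peer's public key hang off the 'peer <name>' node; 'public-key' is the
    keyword used on the page (VyOS 1.3 spells it 'pubkey')."""
    wg = "set interfaces wireguard wg0"
    return [
        f"{wg} address {EDGE01_VPN_ADDRESS}",
        f"{wg} port {WG_PORT}",
        f"{wg} private-key {EDGE01_PRIVATE_KEY}",
        f"{wg} peer {PEER_NAME} allowed-ips {TRAVELER_VPN_ADDRESS}",
        f"{wg} peer {PEER_NAME} public-key {TRAVELER_PUBLIC_KEY}",
    ]


def cross_check() -> list[str]:
    """Compare the two ends.  Each check corresponds to a mismatch that leaves
    the client showing 'active' while RDP to mgmt02 silently fails."""
    problems = []
    for label, key in (("traveler public", TRAVELER_PUBLIC_KEY),
                       ("edge01 public", EDGE01_PUBLIC_KEY),
                       ("edge01 private", EDGE01_PRIVATE_KEY)):
        if not check_key(key):
            problems.append(f"{label} key is not a valid 32-byte WireGuard key")
    client = ipaddress.ip_interface(TRAVELER_VPN_ADDRESS)
    server = ipaddress.ip_interface(EDGE01_VPN_ADDRESS)
    if client.ip not in server.network:
        problems.append("traveler Address is outside edge01's wg0 subnet")
    # edge01 drops decrypted packets whose inner source is not in allowed-ips;
    # a /32 keeps that to the one client address.
    if client.network.prefixlen != 32:
        problems.append("peer allowed-ips should be the single client address (/32)")
    # The client only routes into the tunnel what AllowedIPs covers.
    if ipaddress.ip_address(MGMT02) not in ipaddress.ip_network(MGMT_SUBNET):
        problems.append("mgmt02 is not covered by the client's AllowedIPs")
    return problems


if __name__ == "__main__":
    print(traveler_config())
    print("\n".join(edge01_commands()))
    print("cross-check:", cross_check() or "OK")
```

Running the script prints the client file, the VyOS commands and an empty problem list; change TRAVELER_VPN_ADDRESS to a /24 or shorten one key by a character and cross_check() names the mismatch that would otherwise only show up as a silent failure in the test section below.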

Configuring Required Firewall Rules (Edge01 & FW-MGMT)

BOTH FIREWALLS

Set both a basic rule 10 and a rule 1

set firewall name VPN-to-LAN default-action drop

set firewall name VPN-to-LAN enable-default-log

set firewall name VPN-to-LAN rule 10 action accept

set firewall name VPN-to-LAN rule 10 destination address 172.16.200.11 (mgmt02 address)

set firewall name VPN-to-LAN rule 10 destination port 3389 (rdp port)

set firewall name VPN-to-LAN rule 10 protocol tcp

set firewall name VPN-to-LAN rule 10 source address 10.0.45.20 (VPN IP)

Set zone policies

set zone-policy zone LAN from VPN firewall name VPN-to-LAN

set zone-policy zone VPN from LAN firewall name LAN-to-VPN

set zone-policy zone VPN interface wg0

JUST FW-MGMT

set firewall name LAN-to-MGMT rule 30 action accept

set firewall name LAN-to-MGMT rule 30 destination address 172.16.200.11 (mgmt02 address)

set firewall name LAN-to-MGMT rule 30 destination port 3389 (rdp port)

set firewall name LAN-to-MGMT rule 30 protocol tcp
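The VPN-to-LAN ruleset above is a default-drop policy with one accept rule, so the only traffic the tunnel can deliver into the LAN is TCP/3389 from 10.0.45.20 to mgmt02. The following is an added example, not part of the wiki or of VyOS, that models that evaluation (lowest-numbered matching rule wins, unmatched traffic takes the default) and runs it over a few constructed flows; it also includes a looser variant, not on the page, with the whole 10.0.45.0/24 subnet as the source, to show why the single-host source matters.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One 'set firewall name <set> rule N ...' entry.  None means the match
    criterion is not set and therefore matches anything, as in VyOS."""
    number: int
    action: str
    protocol: Optional[str] = None
    source: Optional[str] = None        # host or CIDR
    destination: Optional[str] = None   # host or CIDR
    dest_port: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    protocol: str
    src: str
    dst: str
    dport: int


# VPN-to-LAN as configured on the page: default-action drop, one accept rule.
VPN_TO_LAN = [Rule(10, "accept", protocol="tcp", source="10.0.45.20",
                   destination="172.16.200.11", dest_port=3389)]

# Looser variant for comparison (NOT on the page): same rule with the whole
# VPN subnet as the source.
LOOSE_VPN_TO_LAN = [Rule(10, "accept", protocol="tcp", source="10.0.45.0/24",
                         destination="172.16.200.11", dest_port=3389)]
DEFAULT_ACTION = "drop"


def _addr_matches(addr: str, spec: Optional[str]) -> bool:
    if spec is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return ((rule.protocol is None or rule.protocol == flow.protocol)
            and _addr_matches(flow.src, rule.source)
            and _addr_matches(flow.dst, rule.destination)
            and (rule.dest_port is None or rule.dest_port == flow.dport))


def evaluate(ruleset: List[Rule], flow: Flow,
             default: str = DEFAULT_ACTION) -> Tuple[str, Optional[int]]:
    """Lowest-numbered matching rule wins; with no match the default applies
    (and, with enable-default-log set, that drop is what shows up in the log)."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if rule_matches(rule, flow):
            return rule.action, rule.number
    return default, None


# Constructed sample flows crossing from the VPN zone into LAN.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "rdp from traveler (10.0.45.20) to mgmt02": Flow("tcp", "10.0.45.20", "172.16.200.11", 3389),
    "rdp from another VPN peer (10.0.45.21)": Flow("tcp", "10.0.45.21", "172.16.200.11", 3389),
    "ssh from traveler to mgmt02": Flow("tcp", "10.0.45.20", "172.16.200.11", 22),
    "rdp from traveler to a different LAN host": Flow("tcp", "10.0.45.20", "172.16.200.12", 3389),
    "udp/3389 from traveler to mgmt02": Flow("udp", "10.0.45.20", "172.16.200.11", 3389),
}


def verdicts(ruleset: List[Rule] = VPN_TO_LAN) -> Dict[str, str]:
    """Verdict per sample flow for the given ruleset."""
    return {name: evaluate(ruleset, flow)[0] for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:<7}{name}")
```

With the page's ruleset only the first flow is accepted; with the looser /24 source, RDP from any other address handed out on the VPN would also reach mgmt02, which is the difference between "the traveler can RDP to mgmt02" and "anyone on the VPN can".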

Now it's time to test

  1. On Traveler, activate the tunnel; the status should show the tunnel as active, with a green shield and a check mark

image

  2. Open RDP on Traveler and enter the IP of mgmt02 (172.16.200.11)

image

  3. Click connect and you should be prompted to log in

image

  4. If everything is set up right, RDP should work!

image

  5. If it is not working, this is the prompt you would get

image