Project 4: Wireguard - squatchulator/Tech-Journal GitHub Wiki

Project 4: Wireguard

NOTE: See items marked as Deliverable for deliverables.

  • First, get into AWS and create a new instance. Create it with these specs:
    • t2 micro
    • Default instance details
  • Make note of the:
    • Security Group
    • VPC
    • Subnet
    • IPv4 DNS
    • Keypair (Make a new one and upload it to xubuntu-lan)
  • Launch the new instance and connect via SSH using the key you saved. Once the key is downloaded, run chmod 400 <key> and then ssh -i <key> ec2-user@<public ip>
  • Once in your instance, run these commands on both AWS and xubuntu-lan:
sudo apt-get update (yum update on ec2)
sudo apt-get install wireguard (replace with yum on ec2)
(both below to be run as root)
wg genkey | tee /etc/wireguard/privkey_aws | wg pubkey > /etc/wireguard/pubkey_aws
wg genkey | tee /etc/wireguard/privkey_xu | wg pubkey > /etc/wireguard/pubkey_xu
  • Then, run ip link add wg0 type wireguard on both endpoints. On AWS, run ip addr add 10.0.101.1/24 dev wg0, and run the same on xubuntu-lan replacing the address with 10.0.101.2/24. Then, run wg set wg0 listen-port 51900 on both endpoints, and specify the private key location with wg set wg0 private-key /etc/wireguard/<privkey>. Now the interfaces can be brought up using ip link set wg0 up.
  • Now to configure peering, copy the xubuntu-lan public key and enter the following on AWS:
wg set wg0 peer <xubuntu pub key> allowed-ips 10.0.101.2/32 endpoint 10.0.5.6:51900
  • Now copy the AWS public key and enter the following on xubuntu-lan:
wg set wg0 peer <aws pub key> allowed-ips 10.0.101.1/32 endpoint ec2-<public ip>.compute-1.amazonaws.com:51900
  • Go into AWS on the web and add a custom inbound UDP rule to allow 51900 through. Also add an ICMP inbound rule if it's not already there. Should look like this: (screenshot)

  • Save your configs on both machines with wg showconf wg0 | tee /etc/wireguard/wg0.conf

  • Go into these conf files and add the Address field. On AWS, set the address to 10.0.101.1, and on xubuntu-lan set it to 10.0.101.2 and add PersistentKeepalive = 25 to the bottom.

  • To start wg, run wg-quick up wg0 and to stop it, replace with down. You can see status with wg show. If it tells you it already exists, just run ip link delete wg0.

  • At this point, you should be able to SSH like the following:

Deliverable 1: Successful VPN SSH (screenshot)

  • Now we will set up a webserver to test. Install apache2 on AWS, and create a new index.html file in the /var/www/html directory. Update the file /etc/apache2/ports.conf to listen on port 8080 rather than port 80 (change 80 to 8080 in /etc/apache2/sites-enabled/000-default.conf as well), and then start the apache2 service. Try to curl the webpage to ensure it works. (NOTE: don't need to include the 8080 port in curl.)
  • On xubuntu-lan, you should now be able to curl the web server via the 10.0.101.1:8080 address.

Deliverable 2: Screenshot of HTTP Curl over VPN on port 8080 (screenshot)

  • Now add these commands at the bottom of the Interface section on AWS's wg0.conf:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE 
(ALSO add 10.0.6.0/24 as an additional AllowedIPs!!)
  • Add the following to xubuntu-lan's conf:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE
  • On both boxes, run:
sysctl -w net.ipv4.ip_forward=1
sysctl -p
  • You should be able to curl your VRRP for the OPT network to see your internal web servers and their load balancing!
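As an added check (not part of the original journal), a small Python linter that reads a wg0.conf the way wg-quick does and flags the two gotchas in the steps above: the Address line that wg showconf drops, and a peer whose AllowedIPs does not include the LAN you intend to reach through it (10.0.6.0/24 here). It also reports AllowedIPs that overlap between peers. The configs and keys inside are constructed placeholders, not the real ones.

```python
import ipaddress

# Constructed sample with placeholder keys: the AWS wg0.conf as `wg showconf` saves it, before the manual edits above.
RAW_AWS_CONF = """\
[Interface]
ListenPort = 51900
PrivateKey = <aws private key placeholder>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <xubuntu public key placeholder>
AllowedIPs = 10.0.101.2/32
Endpoint = 10.0.5.6:51900
"""
# The two manual edits: give wg0 its Address, and route the OPT LAN (10.0.6.0/24) to the peer.
FIXED_AWS_CONF = (RAW_AWS_CONF.replace("[Interface]", "[Interface]\nAddress = 10.0.101.1/24")
                  .replace("10.0.101.2/32", "10.0.101.2/32, 10.0.6.0/24"))

def parse_wg_conf(text):
    """Return ({interface keys}, [peer dicts]); keys lowercased, values kept as lists."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = interface if line.lower() == "[interface]" else {}
            if current is not interface:
                peers.append(current)
            continue
        key, _, value = line.partition("=")  # split on the first '=' only; PostUp may contain '='
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return interface, peers

def lint_wg_conf(text, lan=None):
    """Return findings for one wg0.conf (empty list = passes). lan is a CIDR that must be
    routed through some peer, e.g. the OPT network once forwarding is enabled."""
    iface, peers = parse_wg_conf(text)
    findings, allowed = [], []
    if "address" not in iface:  # showconf never emits Address, so wg0 would come up with no IP
        findings.append("Interface: missing Address (wg showconf does not save it)")
    for n, peer in enumerate(peers, 1):
        nets = [ipaddress.ip_network(c.strip(), strict=False)
                for v in peer.get("allowedips", []) for c in v.split(",")]
        # WireGuard moves an overlapping AllowedIPs route to whichever peer was configured last
        findings += [f"Peer {n}: AllowedIPs {a} overlaps {b}" for a in nets for b in allowed if a.overlaps(b)]
        allowed += nets
    if lan and not any(ipaddress.ip_network(lan).subnet_of(a) for a in allowed):
        findings.append(f"no peer lists {lan} in AllowedIPs; packets to or from that LAN never enter the tunnel")
    return findings
```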

Deliverable 3: Curl on Internal LAN HAProxy Load Balanced Web Servers over VPN (screenshot)
