creating automated wireguard mesh

2025-05-26 04:11:24 +03:00 · 2025-05-26 04:11:24 +03:00 · 020261d431
commit 020261d431
parent ae3999d4f7
9 changed files with 171 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -3,5 +3,6 @@
 This repository has various deployment examples of real world software to the DeTEE network. The examples currently include:
 - [Gitea on DeTEE](https://gitea.detee.cloud/general/examples/src/branch/master/gitea/deploy_gitea.sh) - A small bash script that deploys a Gitea server (just like this one) to a VM on DeTEE
 - [Ansible Postgres](https://gitea.detee.cloud/general/examples/src/branch/master/ansible-postgres) - Deploy a Postgres DB and a read replica via Ansible to two DeTEE VMs.
- [Wireguard Overlay](https://gitea.detee.cloud/general/examples/src/branch/master/wireguard-bastion) - Hide resources behind VPN, by leveraging VM deployments on DeTEE.
+- [Wireguard DMZ](https://gitea.detee.cloud/general/examples/src/branch/master/wireguard-bastion) - Hide resources behind WireGuard VPN, by leveraging VM deployments on DeTEE.
+- [Overlay Network](https://gitea.detee.cloud/general/examples/src/branch/master/overlay-network) - Automated deployment of an encrypted network overlay (full-mesh between VMs).
 - [Kubernetes (k3s)](https://gitea.detee.cloud/general/examples/src/branch/master/kubernetes) - Use k3s to deploy 5 Kubernetes nodes to DeTEE VMs, forming a small cluster.
--- a/overlay-network/README.md
+++ b/overlay-network/README.md
@ -0,0 +1,15 @@
+# Overlay Network
+
+These scripts allow you to create an overlay network on top of DeTEE VMs. These
+VMs do not need a public IP, however they require an extra port to be
+forwarded. Every VM in the network will get an IP in the subnet `10.254.254.0/24`.
+
+The VMs will be connected in a full-mesh topology, meaning each VM can
+communicate with each other VM directly. Here is a graphical representation of a
+full mesh from wikipedia: https://en.wikipedia.org/wiki/File:FullMeshNetwork.svg
+
+To create the VMs, run `./create_vms.sh`.
+
+To deploy the network overlay, run `./setup_wg_mesh.sh`. This will create an
+overlay on top of all the VMs created previously using the `./create_vms.sh`
+script, assigning IPs in alphabetical order.
--- a/overlay-network/create_vms.sh
+++ b/overlay-network/create_vms.sh
@ -0,0 +1,14 @@
+#!/bin/bash
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $script_dir
+set -e
+export FORMAT=YAML
+mkdir -p tmp/vms
+
+for vm_config in vm_configs/*; do
+  vm_name=$(echo $vm_config | cut -d '/' -f2 | cut -d '.' -f1)
+  detee-cli vm deploy --from-yaml $vm_config > tmp/vms/${vm_name}_install.yaml &&
+    echo "The VM $vm_name got created." &
+done
+
+wait
--- a/overlay-network/setup_wg_mesh.sh
+++ b/overlay-network/setup_wg_mesh.sh
@ -0,0 +1,90 @@
+#!/bin/bash
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $script_dir
+set -e
+export FORMAT=YAML
+mkdir -p tmp/wg
+mkdir -p tmp/logs
+vms=()
+
+# inspect VMs
+for vm_config in $(grep -r uuid: tmp/vms/ | awk '{ print $2}'); do
+  vm_id=$(echo $vm_config | cut -d '/' -f2 | cut -d '.' -f1)
+  detee-cli vm inspect $vm_id > tmp/vms/${vm_id}_inspect.yaml
+  vm_name=$(grep 'hostname: ' tmp/vms/${vm_id}_inspect.yaml |
+    awk '{ print $2 }')
+  mv tmp/vms/${vm_id}_inspect.yaml tmp/vms/${vm_name}_inspect.yaml
+done
+
+# define VM object
+vm_count=0
+new_vm() {
+  (( vm_count++ )) || true
+  local vm_name="$1"
+  local vm_id="vm$vm_count"
+
+  local vm_install_data="tmp/vms/${vm_name}_install.yaml"
+  local vm_inspect_data="tmp/vms/${vm_name}_inspect.yaml"
+
+  vm_node_ip=$(grep 'ip: ' $vm_install_data | awk '{ print $2 }')
+  vm_ssh_port=$(grep exposed_ports -A 1 $vm_inspect_data | tail -1 | grep -oE "[0-9]*")
+  vm_wg_port=$(grep exposed_ports -A 2 $vm_inspect_data | tail -1 | grep -oE "[0-9]*")
+  wg_privkey=$(wg genkey)
+  wg_pubkey=$(echo $wg_privkey | wg pubkey)
+
+  declare -gA "$vm_id"
+  eval "$vm_id[id]=$vm_count"
+  eval "$vm_id[name]=$vm_name"
+  eval "$vm_id[ssh_port]=$vm_ssh_port"
+  eval "$vm_id[wg_port]=$vm_wg_port"
+  eval "$vm_id[node_ip]=$vm_node_ip"
+  eval "$vm_id[private_ip]=10.254.254.$vm_count"
+  eval "$vm_id[wg_priv]=$wg_privkey"
+  eval "$vm_id[wg_pub]=$wg_pubkey"
+
+  vms+=("$vm_id")
+}
+
+# loops over all VMs
+for vm_install_file in tmp/vms/*_install.yaml; do
+  vm_name=$(echo $vm_install_file | cut -d '/' -f3 | cut -d '_' -f1)
+  new_vm $vm_name
+done
+
+# loops over all VMs in array
+for main_vm_loop in "${vms[@]}"; do
+  declare -n main_vm_ref="$main_vm_loop"
+  wg_file="tmp/wg/${main_vm_ref[name]}.ini"
+  {
+    echo "[Interface]"
+    echo "Address = "${main_vm_ref[private_ip]}" "
+    echo "PrivateKey = "${main_vm_ref[wg_priv]}" "
+    echo "ListenPort = 1337"
+  } > ${wg_file}
+
+  for inner_vm_loop in "${vms[@]}"; do
+    declare -n inner_vm_ref="$inner_vm_loop"
+    [[ "${inner_vm_ref[id]}" == "${main_vm_ref[id]}" ]] && continue
+    {
+      echo
+      echo "[Peer]"
+      echo "PublicKey = ${inner_vm_ref[wg_pub]}"
+      echo "Endpoint = ${inner_vm_ref[node_ip]}:${inner_vm_ref[wg_port]}"
+      echo "AllowedIPs = ${inner_vm_ref[private_ip]}"
+      echo "PersistentKeepalive = 25"
+    } >> ${wg_file}
+  done
+  echo WireGuard config written to ${wg_file}
+
+  ssh="ssh -p ${main_vm_ref[ssh_port]} root@${main_vm_ref[node_ip]}"
+  $ssh pacman -Syu --noconfirm > tmp/logs/${main_vm_ref[name]}.log 2>&1
+  $ssh pacman -S wireguard-tools --needed --noconfirm >> tmp/logs/${main_vm_ref[name]}.log 2>&1
+  echo Packages installed for ${main_vm_ref[name]}
+
+  # TODO: make this reboot persistant
+  $ssh sysctl -w net.ipv4.conf.all.forwarding=1 > /dev/null
+  cat ${wg_file} | $ssh tee /etc/wireguard/brain.conf > /dev/null
+  $ssh wg-quick down brain >> tmp/logs/${main_vm_ref[name]}.log 2>&1 || true
+  $ssh wg-quick up brain >> tmp/logs/${main_vm_ref[name]}.log 2>&1 || true
+  echo WireGuard started on ${main_vm_ref[name]}
+done
--- a/overlay-network/vm_configs/template-1.yaml
+++ b/overlay-network/vm_configs/template-1.yaml
@ -0,0 +1,10 @@
+hostname: template-1
+hours: 2
+price: 20000
+location:
+  country: "FR"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
--- a/overlay-network/vm_configs/template-2.yaml
+++ b/overlay-network/vm_configs/template-2.yaml
@ -0,0 +1,10 @@
+hostname: template-2
+hours: 2
+price: 20000
+location:
+  country: "GB"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
--- a/overlay-network/vm_configs/template-3.yaml
+++ b/overlay-network/vm_configs/template-3.yaml
@ -0,0 +1,10 @@
+hostname: template-3
+hours: 2
+price: 20000
+location:
+  country: "US"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
--- a/overlay-network/vm_configs/template-n.yaml
+++ b/overlay-network/vm_configs/template-n.yaml
@ -0,0 +1,10 @@
+hostname: template-n
+hours: 2
+price: 20000
+location:
+  country: "US"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
--- a/overlay-network/vm_configs/template-x.yaml
+++ b/overlay-network/vm_configs/template-x.yaml
@ -0,0 +1,10 @@
+hostname: template-x
+hours: 2
+price: 20000
+location:
+  country: "FR"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60