adding wireguard example

ghe0 2025-03-09 00:39:19 +02:00
parent 862d2c335c
commit 2799d7f90e
Signed by: ghe0
GPG Key ID: 451028EE56A0FBB4
18 changed files with 347 additions and 0 deletions

1
.gitignore vendored

@ -1 +1,2 @@
*.tmp *.tmp
tmp
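Review bot: `tmp` without a trailing slash also matches any file named `tmp` elsewhere in the tree; `tmp/` limits the rule to the directory. The rule matters here because deploy.sh writes all five WireGuard private keys and the rendered configs into tmp/, so this line is what keeps them out of the repository.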

@ -0,0 +1,52 @@
# DeTEE WireGuard Example
This examples shows how WireGuard can be used to create network overlays on top of DeTEE.
Please keep in mind that real world scenarios will require deployments of a higher complexity.
This architecture contains 4 nodes, in a redundant setup:
- two bastion nodes, that serve as VPN servers
- two protected nodes, that connect as clients
The Laptop (the device used by the admin to deploy) also creates VPN tunnels to the two bastion nodes.
A nginx server is started on both protected nodes, in order to demonstrate how protected services can run behind VPN.
## Network Diagram
```mermaid
graph TD
Laptop(Laptop<br/>local-cali: 10.100.10.10/24<br/>local-vanc: 10.200.20.10/24)
CaliBastion(Cali Bastion<br/>Server: 10.100.10.1/24<br/>Client: 10.200.20.21/24)
VancBastion(Vanc Bastion<br/>Server: 10.200.20.1/24<br/>Client: 10.100.10.21/24)
CaliProtected(Cali Protected<br/>cali: 10.100.10.101/24<br/>vanc: 10.200.20.101/24)
VancProtected(Vanc Protected<br/>cali: 10.100.10.201/24<br/>vanc: 10.200.20.201/24)
Laptop -- "WireGuard" --> CaliBastion
Laptop -- "WireGuard" --> VancBastion
CaliBastion -- "WireGuard" --> CaliProtected
CaliBastion -- "WireGuard" --> VancProtected
VancBastion -- "WireGuard" --> CaliProtected
VancBastion -- "WireGuard" --> VancProtected
```
## Commands
To create the VMs, run `./create_vms.sh`.
To deploy WireGuard, run `./deploy.sh`.
To test the connections, try to access services running on the protected nodes:
```
curl http://10.200.20.101
curl http://10.100.10.101
curl http://10.100.10.201
curl http://10.200.20.201
```
## Possible improvements
The following improvements would be cool for this setup:
- create failover routing that triggers if one of the bastions goes down
- hide SSH from the public IP and allow SSH only via private network
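Review bot: two typos in the intro: "This examples shows" should read "This example shows", and "A nginx server" should read "An nginx server". The more important documentation gap is that the README does not say `./deploy.sh` also changes the admin's own machine: it copies local-cali.conf and local-vanc.conf into /etc/wireguard/ and brings both tunnels up with sudo, and it leaves every private key in plain text under tmp/. Both deserve a sentence in the Commands section, along with the prerequisite that wireguard-tools is installed locally, since the script runs `wg genkey` on the laptop.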

@ -0,0 +1,10 @@
hostname: cali-bastion
hours: 5
price: 20000
location:
region: "California"
ipv4: !PublishPorts [ 1337 ]
public_ipv6: false
vcpus: 2
memory_mb: 2000
disk_size_gb: 20
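Review bot: the published port `1337` is coupled to the hard-coded `ListenPort = 1337` in the bastion server configs. deploy.sh only reads the mapped external port from `exposed_ports`, so changing this value without also changing ListenPort silently breaks the tunnel. A comment here, or templating ListenPort the same way the endpoint port is templated, would keep the two in sync.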

@ -0,0 +1,10 @@
hostname: cali-protected
hours: 5
price: 20000
location:
region: "California"
ipv4: !PublishPorts [ ]
public_ipv6: false
vcpus: 2
memory_mb: 2000
disk_size_gb: 20

14
wireguard-bastion/create_vms.sh Executable file

@ -0,0 +1,14 @@
#!/bin/bash
set -e
export FORMAT=YAML
detee-cli vm deploy --from-yaml cali-bastion.yaml > tmp/cali-bastion-install.yaml &&
echo "Bastion created in California." &
detee-cli vm deploy --from-yaml vanc-bastion.yaml > tmp/vanc-bastion-install.yaml &&
echo "Bastion created in Vancouver." &
detee-cli vm deploy --from-yaml cali-protected.yaml > tmp/cali-protected-install.yaml &&
echo "Protected node created in California." &
detee-cli vm deploy --from-yaml vanc-protected.yaml > tmp/vanc-protected-install.yaml &&
echo "Protected node created in Vancouver." &
wait
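Review bot: failures of the four background deploys are not detected. `set -e` does not apply to jobs started with `&`, and a bare `wait` returns 0 whatever their exit codes, so a failed `detee-cli vm deploy` leaves an empty tmp/*-install.yaml and deploy.sh then continues with empty UUIDs and an `ssh` to `root@`. tmp/ is also never created, and the `> tmp/...` redirection fails when it is missing. Suggest `mkdir -p tmp` at the top, collecting the job PIDs, and `for pid in "${pids[@]}"; do wait "$pid" || exit 1; done` instead of the bare `wait`.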

132
wireguard-bastion/deploy.sh Executable file

@ -0,0 +1,132 @@
#!/bin/bash
set -e
export FORMAT=YAML
echo GETTING UUIDs
cali_bastion_uuid=$(grep uuid tmp/cali-bastion-install.yaml)
cali_bastion_uuid=${cali_bastion_uuid#uuid: }
vanc_bastion_uuid=$(grep uuid tmp/vanc-bastion-install.yaml)
vanc_bastion_uuid=${vanc_bastion_uuid#uuid: }
cali_protected_uuid=$(grep uuid tmp/cali-protected-install.yaml)
cali_protected_uuid=${cali_protected_uuid#uuid: }
vanc_protected_uuid=$(grep uuid tmp/vanc-protected-install.yaml)
vanc_protected_uuid=${vanc_protected_uuid#uuid: }
echo BUILDING SSH COMMANDS
key_path=$(grep 'key_path:' tmp/cali-bastion-install.yaml | awk '{ print $2 }')
ssh_cali_bastion="ssh -i ${key_path} \
-p $(grep port tmp/cali-bastion-install.yaml | cut -d "'" -f2) \
root@$(grep ip tmp/cali-bastion-install.yaml | awk '{ print $2 }')"
ssh_vanc_bastion="ssh -i ${key_path} \
-p $(grep port tmp/vanc-bastion-install.yaml | cut -d "'" -f2) \
root@$(grep ip tmp/vanc-bastion-install.yaml | awk '{ print $2 }')"
ssh_cali_protected="ssh -i ${key_path} \
-p $(grep port tmp/cali-protected-install.yaml | cut -d "'" -f2) \
root@$(grep ip tmp/cali-protected-install.yaml | awk '{ print $2 }')"
ssh_vanc_protected="ssh -i ${key_path} \
-p $(grep port tmp/vanc-protected-install.yaml | cut -d "'" -f2) \
root@$(grep ip tmp/vanc-protected-install.yaml | awk '{ print $2 }')"
echo INSPECTING VMs
detee-cli vm inspect $cali_bastion_uuid > tmp/cali-bastion-inspect.yaml
detee-cli vm inspect $vanc_bastion_uuid > tmp/vanc-bastion-inspect.yaml
detee-cli vm inspect $cali_protected_uuid > tmp/cali-protected-inspect.yaml
detee-cli vm inspect $vanc_protected_uuid > tmp/vanc-protected-inspect.yaml
echo GETTING WIREGUARD IP AND PORTS
cali_wg_ip=$(grep 'ip: ' tmp/cali-bastion-install.yaml)
cali_wg_ip=${cali_wg_ip#ip: }
vanc_wg_ip=$(grep 'ip: ' tmp/vanc-bastion-install.yaml)
vanc_wg_ip=${vanc_wg_ip#ip: }
cali_wg_port=$(grep exposed_ports -A 2 tmp/cali-bastion-inspect.yaml | tail -1)
cali_wg_port=${cali_wg_port#- }
vanc_wg_port=$(grep exposed_ports -A 2 tmp/vanc-bastion-inspect.yaml | tail -1)
vanc_wg_port=${vanc_wg_port#- }
echo GENERATING WIREGUARD KEYS
wg genkey > tmp/cali_bastion_private.key
cat tmp/cali_bastion_private.key | wg pubkey > tmp/cali_bastion_public.key
wg genkey > tmp/vanc_bastion_private.key
cat tmp/vanc_bastion_private.key | wg pubkey > tmp/vanc_bastion_public.key
wg genkey > tmp/cali_protected_private.key
cat tmp/cali_protected_private.key | wg pubkey > tmp/cali_protected_public.key
wg genkey > tmp/vanc_protected_private.key
cat tmp/vanc_protected_private.key | wg pubkey > tmp/vanc_protected_public.key
wg genkey > tmp/local_private.key
cat tmp/local_private.key | wg pubkey > tmp/local_public.key
echo PREPARING WIREGUARD CONFIGS
cp -r wg_configs tmp/
sed -i "s,CALI_BASTION_PRIVATE,$(cat tmp/cali_bastion_private.key)," tmp/wg_configs/*
sed -i "s,CALI_BASTION_PUBLIC,$(cat tmp/cali_bastion_public.key)," tmp/wg_configs/*
sed -i "s,VANC_BASTION_PRIVATE,$(cat tmp/vanc_bastion_private.key)," tmp/wg_configs/*
sed -i "s,VANC_BASTION_PUBLIC,$(cat tmp/vanc_bastion_public.key)," tmp/wg_configs/*
sed -i "s,CALI_PROTECTED_PRIVATE,$(cat tmp/cali_protected_private.key)," tmp/wg_configs/*
sed -i "s,CALI_PROTECTED_PUBLIC,$(cat tmp/cali_protected_public.key)," tmp/wg_configs/*
sed -i "s,VANC_PROTECTED_PRIVATE,$(cat tmp/vanc_protected_private.key)," tmp/wg_configs/*
sed -i "s,VANC_PROTECTED_PUBLIC,$(cat tmp/vanc_protected_public.key)," tmp/wg_configs/*
sed -i "s,LOCAL_PRIVATE,$(cat tmp/local_private.key)," tmp/wg_configs/*
sed -i "s,LOCAL_PUBLIC,$(cat tmp/local_public.key)," tmp/wg_configs/*
sed -i "s,VANC_BASTION_IP,${vanc_wg_ip}," tmp/wg_configs/*
sed -i "s,CALI_BASTION_IP,${cali_wg_ip}," tmp/wg_configs/*
sed -i "s,VANC_BASTION_PORT,${vanc_wg_port}," tmp/wg_configs/*
sed -i "s,CALI_BASTION_PORT,${cali_wg_port}," tmp/wg_configs/*
echo INSTALLING SOFTWARE
$ssh_cali_bastion pacman -Syu --noconfirm > tmp/cali_bastion.log 2>&1
$ssh_vanc_bastion pacman -Syu --noconfirm > tmp/vanc_bastion.log 2>&1
$ssh_cali_bastion pacman -S wireguard-tools --needed --noconfirm > tmp/cali_bastion.log 2>&1
$ssh_vanc_bastion pacman -S wireguard-tools --needed --noconfirm > tmp/vanc_bastion.log 2>&1
$ssh_cali_bastion sysctl -w net.ipv4.conf.all.forwarding=1
$ssh_vanc_bastion sysctl -w net.ipv4.conf.all.forwarding=1
$ssh_cali_protected pacman -Syu --noconfirm > tmp/vanc_protected.log 2>&1
$ssh_vanc_protected pacman -Syu --noconfirm > tmp/vanc_protected.log 2>&1
$ssh_cali_protected pacman -S wireguard-tools nginx \
--needed --noconfirm > tmp/vanc_protected.log 2>&1
$ssh_vanc_protected pacman -S wireguard-tools nginx \
--needed --noconfirm > tmp/vanc_protected.log 2>&1
$ssh_cali_protected systemctl start nginx
$ssh_vanc_protected systemctl start nginx
echo UPLOADING WIREGUARD CONFIG
{
cat tmp/wg_configs/cali-bastion-server.conf | $ssh_cali_bastion tee /etc/wireguard/server.conf
cat tmp/wg_configs/cali-bastion-client.conf | $ssh_cali_bastion tee /etc/wireguard/vanc.conf
cat tmp/wg_configs/vanc-bastion-server.conf | $ssh_vanc_bastion tee /etc/wireguard/server.conf
cat tmp/wg_configs/vanc-bastion-client.conf | $ssh_vanc_bastion tee /etc/wireguard/cali.conf
cat tmp/wg_configs/cali-protected-cali.conf | $ssh_cali_protected tee /etc/wireguard/cali.conf
cat tmp/wg_configs/cali-protected-vanc.conf | $ssh_cali_protected tee /etc/wireguard/vanc.conf
cat tmp/wg_configs/vanc-protected-cali.conf | $ssh_vanc_protected tee /etc/wireguard/cali.conf
cat tmp/wg_configs/vanc-protected-vanc.conf | $ssh_vanc_protected tee /etc/wireguard/vanc.conf
} > /dev/null
echo STARTING WIREGUARD
$ssh_cali_bastion wg-quick up server
$ssh_vanc_bastion wg-quick up server
$ssh_vanc_bastion wg-quick up cali
$ssh_cali_protected wg-quick up cali
$ssh_vanc_protected wg-quick up cali
$ssh_cali_bastion wg-quick up vanc
$ssh_cali_protected wg-quick up vanc
$ssh_vanc_protected wg-quick up vanc
# SETTING UP LOCAL CLIENT
if [[ $(whoami) == "root" ]]; then
sudo=""
else
sudo="sudo"
fi
$sudo cp tmp/wg_configs/local-cali.conf /etc/wireguard/
$sudo cp tmp/wg_configs/local-vanc.conf /etc/wireguard/
$sudo wg-quick up local-cali
$sudo wg-quick up local-vanc
echo To check if VPN works to the protected nodes, try to access a protected service:
echo curl http://10.200.20.101
echo curl http://10.100.10.101
echo curl http://10.100.10.201
echo curl http://10.200.20.201
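Review bot: private keys are written without restricting file permissions. `wg genkey > tmp/..._private.key` creates the file under the caller's default umask (wg genkey itself warns about world-accessible output), and `... | $ssh_x tee /etc/wireguard/server.conf` does the same on the VMs, so wg-quick will warn that the config is world accessible. An `umask 077` near the top of the script covers both; `install -m 600` is the alternative for the remote copies. Further points: `net.ipv4.conf.all.forwarding=1` is enabled on the bastions with no nftables or iptables rule limiting forwarding to the wg interfaces, which makes each bastion a general router for whatever reaches it; a PostUp rule in server.conf that only forwards between the wg interfaces would scope it. The two `$ssh_cali_protected pacman ...` commands redirect to tmp/vanc_protected.log instead of tmp/cali_protected.log, so the Cali and Vanc runs overwrite each other's log. `grep ip tmp/...-install.yaml` for the ssh target matches any line containing "ip" and should use the same `grep 'ip: '` pattern used later for the endpoint. Finally, `sysctl -w` and `wg-quick up` do not survive a reboot; a file in /etc/sysctl.d and `systemctl enable --now wg-quick@server` would.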

@ -0,0 +1,10 @@
hostname: vanc-bastion
hours: 5
price: 20000
location:
city: "Vancouver"
ipv4: !PublishPorts [ 1337 ]
public_ipv6: false
vcpus: 2
memory_mb: 2000
disk_size_gb: 20
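Review bot: `location:` uses `city: "Vancouver"` here but `region: "California"` in cali-bastion.yaml. If both selectors are honoured this is fine, but a one-line comment on why the two bastions are placed by different keys would help; if only one of them is honoured by `detee-cli`, one VM is not being pinned where the README says it is.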

@ -0,0 +1,10 @@
hostname: vanc-protected
hours: 5
price: 20000
location:
city: "Vancouver"
ipv4: !PublishPorts [ ]
public_ipv6: false
vcpus: 2
memory_mb: 2000
disk_size_gb: 20

@ -0,0 +1,8 @@
[Interface]
Address = 10.200.20.21/24
PrivateKey = CALI_BASTION_PRIVATE
[Peer]
PublicKey = CALI_BASTION_PUBLIC
AllowedIPs = 10.200.20.0/24
Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
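Review bot: the peer public key is wrong. This is the Cali bastion's client tunnel to Vancouver (deploy.sh installs it as vanc.conf on the Cali bastion, and the Endpoint is VANC_BASTION_IP), so `[Peer] PublicKey` must be `VANC_BASTION_PUBLIC`, not `CALI_BASTION_PUBLIC`, which is this host's own key. As written the handshake can never complete, the Vancouver server's 10.200.20.21/32 peer stays unreachable, and the redundancy the README describes does not hold for the Cali-to-Vanc leg. The sibling vanc-bastion-client.conf has the keys the right way round.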

@ -0,0 +1,20 @@
[Interface]
Address = 10.100.10.1/24
PrivateKey = CALI_BASTION_PRIVATE
ListenPort = 1337
[Peer]
PublicKey = CALI_PROTECTED_PUBLIC
AllowedIPs = 10.100.10.101/32
[Peer]
PublicKey = VANC_PROTECTED_PUBLIC
AllowedIPs = 10.100.10.201/32
[Peer]
PublicKey = VANC_BASTION_PUBLIC
AllowedIPs = 10.100.10.21/32
[Peer]
PublicKey = LOCAL_PUBLIC
AllowedIPs = 10.100.10.10/32

@ -0,0 +1,9 @@
[Interface]
Address = 10.100.10.101/24
PrivateKey = CALI_PROTECTED_PRIVATE
[Peer]
PublicKey = CALI_BASTION_PUBLIC
AllowedIPs = 10.100.10.0/24
Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
PersistentKeepalive = 25

@ -0,0 +1,9 @@
[Interface]
Address = 10.200.20.101/24
PrivateKey = CALI_PROTECTED_PRIVATE
[Peer]
PublicKey = VANC_BASTION_PUBLIC
AllowedIPs = 10.200.20.0/24
Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
PersistentKeepalive = 25

@ -0,0 +1,8 @@
[Interface]
Address = 10.100.10.10/24
PrivateKey = LOCAL_PRIVATE
[Peer]
PublicKey = CALI_BASTION_PUBLIC
AllowedIPs = 10.100.10.0/24
Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT

@ -0,0 +1,8 @@
[Interface]
Address = 10.200.20.10/24
PrivateKey = LOCAL_PRIVATE
[Peer]
PublicKey = VANC_BASTION_PUBLIC
AllowedIPs = 10.200.20.0/24
Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT

@ -0,0 +1,8 @@
[Interface]
Address = 10.100.10.21/24
PrivateKey = VANC_BASTION_PRIVATE
[Peer]
PublicKey = CALI_BASTION_PUBLIC
AllowedIPs = 10.100.10.0/24
Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
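Review bot: no `PersistentKeepalive` on the bastion-to-bastion client tunnels, unlike the protected-node configs. This interface has no ListenPort and the VM's only published inbound port is 1337, so the Cali server can reach 10.100.10.21 only through the NAT mapping created by this side's last outbound packet; once it expires, traffic initiated from the Cali side towards this peer is dropped until this host sends something. Adding `PersistentKeepalive = 25` here, and in cali-bastion-client.conf, keeps the mapping alive.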

@ -0,0 +1,20 @@
[Interface]
Address = 10.200.20.1/24
PrivateKey = VANC_BASTION_PRIVATE
ListenPort = 1337
[Peer]
PublicKey = CALI_PROTECTED_PUBLIC
AllowedIPs = 10.200.20.101/32
[Peer]
PublicKey = VANC_PROTECTED_PUBLIC
AllowedIPs = 10.200.20.201/32
[Peer]
PublicKey = CALI_BASTION_PUBLIC
AllowedIPs = 10.200.20.21/32
[Peer]
PublicKey = LOCAL_PUBLIC
AllowedIPs = 10.200.20.10/32

@ -0,0 +1,9 @@
[Interface]
Address = 10.100.10.201/24
PrivateKey = VANC_PROTECTED_PRIVATE
[Peer]
PublicKey = CALI_BASTION_PUBLIC
AllowedIPs = 10.100.10.0/24
Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
PersistentKeepalive = 25

@ -0,0 +1,9 @@
[Interface]
Address = 10.200.20.201/24
PrivateKey = VANC_PROTECTED_PRIVATE
[Peer]
PublicKey = VANC_BASTION_PUBLIC
AllowedIPs = 10.200.20.0/24
Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
PersistentKeepalive = 25