From 3db953ff395d65b97e9faa3d01e27be380eae368 Mon Sep 17 00:00:00 2001
From: ghe0
Date: Mon, 26 May 2025 04:11:24 +0300
Subject: [PATCH] creating automated wireguard mesh
---
 README.md | 3 +-
 overlay-network/README.md | 16 +++++
 overlay-network/create_vms.sh | 24 +++++++
 overlay-network/setup_wg_mesh.sh | 82 ++++++++++++++++++++++
 overlay-network/vm_configs/template-1.yaml | 10 +++
 overlay-network/vm_configs/template-2.yaml | 10 +++
 overlay-network/vm_configs/template-3.yaml | 10 +++
 overlay-network/vm_configs/template-n.yaml | 10 +++
 overlay-network/vm_configs/template-x.yaml | 10 +++
 9 files changed, 174 insertions(+), 1 deletion(-)
 create mode 100644 overlay-network/README.md
 create mode 100755 overlay-network/create_vms.sh
 create mode 100755 overlay-network/setup_wg_mesh.sh
 create mode 100644 overlay-network/vm_configs/template-1.yaml
 create mode 100644 overlay-network/vm_configs/template-2.yaml
 create mode 100644 overlay-network/vm_configs/template-3.yaml
 create mode 100644 overlay-network/vm_configs/template-n.yaml
 create mode 100644 overlay-network/vm_configs/template-x.yaml
diff --git a/README.md b/README.md
index 05dfdea..b392199 100644
--- a/README.md
+++ b/README.md
@@ -3,5 +3,6 @@ This repository has various deployment examples of real world software to the DeTEE network. The examples currently include:
 - [Gitea on DeTEE](https://gitea.detee.cloud/general/examples/src/branch/master/gitea/deploy_gitea.sh) - A small bash script that deploys a Gitea server (just like this one) to a VM on DeTEE
 - [Ansible Postgres](https://gitea.detee.cloud/general/examples/src/branch/master/ansible-postgres) - Deploy a Postgres DB and a read replica via Ansible to two DeTEE VMs.
-- [Wireguard Overlay](https://gitea.detee.cloud/general/examples/src/branch/master/wireguard-bastion) - Hide resources behind VPN, by leveraging VM deployments on DeTEE.
+- [Wireguard DMZ](https://gitea.detee.cloud/general/examples/src/branch/master/wireguard-bastion) - Hide resources behind WireGuard VPN, by leveraging VM deployments on DeTEE.
+- [Overlay Network](https://gitea.detee.cloud/general/examples/src/branch/master/overlay-network) - Automated deployment of an encrypted network overlay (full-mesh between VMs).
 - [Kubernetes (k3s)](https://gitea.detee.cloud/general/examples/src/branch/master/kubernetes) - Use k3s to deploy 5 Kubernetes nodes to DeTEE VMs, forming a small cluster.
diff --git a/overlay-network/README.md b/overlay-network/README.md
new file mode 100644
index 0000000..e0b9ea3
--- /dev/null
+++ b/overlay-network/README.md
@@ -0,0 +1,16 @@
+# Overlay Network
+
+These scripts allow you to create an overlay network on top of DeTEE VMs. These
+VMs do not need a public IP, however they require an extra port to be
+forwarded. Every VM in the network will get an IP in the subnet `10.254.254.0/24`.
+
+The VMs will be connected in a full-mesh topology, meaning each VM can
+communicate with each other VM directly. Here is a graphical representation of a
+full mesh from wikipedia: https://en.wikipedia.org/wiki/File:FullMeshNetwork.svg
+
+To create the VMs, run `./create_vms.sh`. This allows you to also specify a
+different folder as the first argument.
+
+To deploy the network overlay, run `./setup_wg_mesh.sh`. This will create an
+overlay on top of all the VMs created previously using the `./create_vms.sh`
+script, assigning IPs in alphabetical order.
diff --git a/overlay-network/create_vms.sh b/overlay-network/create_vms.sh
new file mode 100755
index 0000000..df3c260
--- /dev/null
+++ b/overlay-network/create_vms.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $script_dir
+set -e
+export FORMAT=YAML
+mkdir -p tmp/vms
+vm_dir="$1"
+: "${vm_dir:=vm_configs}"
+
+for vm_config in "${vm_dir}"/*; do
+ vm_name=$(echo $vm_config | cut -d '/' -f2 | cut -d '.' -f1)
+ detee-cli vm deploy --from-yaml $vm_config > tmp/vms/${vm_name}_install.yaml &&
+ echo "The VM $vm_name got created." &
+done
+
+wait
+
+for vm_config in $(grep -r uuid: tmp/vms/ | awk '{ print $2}'); do
+ vm_id=$(echo $vm_config | cut -d '/' -f2 | cut -d '.' -f1)
+ detee-cli vm inspect $vm_id > tmp/vms/${vm_id}_inspect.yaml
+ vm_name=$(grep 'hostname: ' tmp/vms/${vm_id}_inspect.yaml |
+ awk '{ print $2 }')
+ mv tmp/vms/${vm_id}_inspect.yaml tmp/vms/${vm_name}_inspect.yaml
+done
diff --git a/overlay-network/setup_wg_mesh.sh b/overlay-network/setup_wg_mesh.sh
new file mode 100755
index 0000000..20aaba7
--- /dev/null
+++ b/overlay-network/setup_wg_mesh.sh
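Review bot: The name derivation `vm_name=$(echo $vm_config | cut -d '/' -f2 | cut -d '.' -f1)` in the first loop only works while `$vm_dir` is a single path component, yet the README added in this commit says a different folder can be passed as the first argument; for `../configs/a.yaml` or `/srv/configs/a.yaml` field 2 is a directory name, so every config collapses onto the same misnamed install file and the `_inspect.yaml` lookup by that name in setup_wg_mesh.sh cannot match. Take the basename instead: `vm_name=${vm_config##*/}` followed by `vm_name=${vm_name%%.*}`. The deploys run in the background and the result of `wait` is never examined, so `set -e` does not see a failed `detee-cli vm deploy` and the script continues with an empty or partial `tmp/vms/<name>_install.yaml`; recording each job's `$!` and checking `wait "$pid"` per VM would surface that. `tmp/vms` is also created with `mkdir -p` and never emptied, so `grep -r uuid: tmp/vms/` will pick up VMs left over from earlier runs, including their `_inspect.yaml` files, and inspect them again.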
@@ -0,0 +1,82 @@
+#!/bin/bash
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $script_dir
+set -e
+export FORMAT=YAML
+mkdir -p tmp/wg
+mkdir -p tmp/logs
+
+vms=()
+
+# define VM object
+vm_count=0
+new_vm() {
+ (( vm_count++ )) || true
+ local vm_name="$1"
+ local vm_id="vm$vm_count"
+
+ local vm_install_data="tmp/vms/${vm_name}_install.yaml"
+ local vm_inspect_data="tmp/vms/${vm_name}_inspect.yaml"
+
+ vm_node_ip=$(grep 'ip: ' $vm_install_data | awk '{ print $2 }')
+ vm_ssh_port=$(grep exposed_ports -A 1 $vm_inspect_data | tail -1 | grep -oE "[0-9]*")
+ vm_wg_port=$(grep exposed_ports -A 2 $vm_inspect_data | tail -1 | grep -oE "[0-9]*")
+ wg_privkey=$(wg genkey)
+ wg_pubkey=$(echo $wg_privkey | wg pubkey)
+
+ declare -gA "$vm_id"
+ eval "$vm_id[id]=$vm_count"
+ eval "$vm_id[name]=$vm_name"
+ eval "$vm_id[ssh_port]=$vm_ssh_port"
+ eval "$vm_id[wg_port]=$vm_wg_port"
+ eval "$vm_id[node_ip]=$vm_node_ip"
+ eval "$vm_id[private_ip]=10.254.254.$vm_count"
+ eval "$vm_id[wg_priv]=$wg_privkey"
+ eval "$vm_id[wg_pub]=$wg_pubkey"
+
+ vms+=("$vm_id")
+}
+
+# loops over all VMs
+for vm_install_file in tmp/vms/*_install.yaml; do
+ vm_name=$(echo $vm_install_file | cut -d '/' -f3 | cut -d '_' -f1)
+ new_vm $vm_name
+done
+
+# loops over all VMs in array
+for main_vm_loop in "${vms[@]}"; do
+ declare -n main_vm_ref="$main_vm_loop"
+ wg_file="tmp/wg/${main_vm_ref[name]}.ini"
+ {
+ echo "[Interface]"
+ echo "Address = "${main_vm_ref[private_ip]}" "
+ echo "PrivateKey = "${main_vm_ref[wg_priv]}" "
+ echo "ListenPort = 1337"
+ } > ${wg_file}
+
+ for inner_vm_loop in "${vms[@]}"; do
+ declare -n inner_vm_ref="$inner_vm_loop"
+ [[ "${inner_vm_ref[id]}" == "${main_vm_ref[id]}" ]] && continue
+ {
+ echo
+ echo "[Peer]"
+ echo "PublicKey = ${inner_vm_ref[wg_pub]}"
+ echo "Endpoint = ${inner_vm_ref[node_ip]}:${inner_vm_ref[wg_port]}"
+ echo "AllowedIPs = ${inner_vm_ref[private_ip]}"
+ echo "PersistentKeepalive = 25"
+ } >> ${wg_file}
+ done
+ echo WireGuard config written to ${wg_file}
+
+ ssh="ssh -p ${main_vm_ref[ssh_port]} root@${main_vm_ref[node_ip]}"
+ $ssh pacman -Syu --noconfirm > tmp/logs/${main_vm_ref[name]}.log 2>&1
+ $ssh pacman -S wireguard-tools --needed --noconfirm >> tmp/logs/${main_vm_ref[name]}.log 2>&1
+ echo Packages installed for ${main_vm_ref[name]}
+
+ # TODO: make this reboot persistant
+ $ssh sysctl -w net.ipv4.conf.all.forwarding=1 > /dev/null
+ cat ${wg_file} | $ssh tee /etc/wireguard/brain.conf > /dev/null
+ $ssh wg-quick down brain >> tmp/logs/${main_vm_ref[name]}.log 2>&1 || true
+ $ssh wg-quick up brain >> tmp/logs/${main_vm_ref[name]}.log 2>&1 || true
+ echo WireGuard started on ${main_vm_ref[name]}
+done
diff --git a/overlay-network/vm_configs/template-1.yaml b/overlay-network/vm_configs/template-1.yaml
new file mode 100644
index 0000000..853e18b
--- /dev/null
+++ b/overlay-network/vm_configs/template-1.yaml
@@ -0,0 +1,10 @@
+hostname: template-1
+hours: 2
+price: 20000
+location:
+ country: "FR"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
diff --git a/overlay-network/vm_configs/template-2.yaml b/overlay-network/vm_configs/template-2.yaml
new file mode 100644
index 0000000..b177d74
--- /dev/null
+++ b/overlay-network/vm_configs/template-2.yaml
@@ -0,0 +1,10 @@
+hostname: template-2
+hours: 2
+price: 20000
+location:
+ country: "GB"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
diff --git a/overlay-network/vm_configs/template-3.yaml b/overlay-network/vm_configs/template-3.yaml
new file mode 100644
index 0000000..6cd7a0a
--- /dev/null
+++ b/overlay-network/vm_configs/template-3.yaml
@@ -0,0 +1,10 @@
+hostname: template-3
+hours: 2
+price: 20000
+location:
+ country: "US"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
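Review bot: The config written to `tmp/wg/${main_vm_ref[name]}.ini` holds the interface's `PrivateKey`, yet it is created under the caller's default umask, and the copy installed with `cat ${wg_file} | $ssh tee /etc/wireguard/brain.conf` inherits the remote shell's umask as well, so with the usual 022 both files end up readable by every local user. Add `umask 077` right after `set -e` for the local file and install the remote one as `cat ${wg_file} | $ssh "umask 077; cat > /etc/wireguard/brain.conf"`. The `|| true` on `$ssh wg-quick up brain` hides a failed interface start while `echo WireGuard started on ...` is printed anyway; only the preceding `wg-quick down` needs to tolerate failure. In `new_vm`, the `eval "$vm_id[...]=..."` assignments splice values taken from file names in `tmp/vms` and from the grep'd install/inspect output straight into shell code, so a name containing spaces or metacharacters breaks the assignment or runs as a command; since the script already relies on `declare -n`, `local -n ref="$vm_id"` followed by `ref[name]=$vm_name` and the like drops the eval entirely.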
diff --git a/overlay-network/vm_configs/template-n.yaml b/overlay-network/vm_configs/template-n.yaml
new file mode 100644
index 0000000..292de1a
--- /dev/null
+++ b/overlay-network/vm_configs/template-n.yaml
@@ -0,0 +1,10 @@
+hostname: template-n
+hours: 2
+price: 20000
+location:
+ country: "US"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60
diff --git a/overlay-network/vm_configs/template-x.yaml b/overlay-network/vm_configs/template-x.yaml
new file mode 100644
index 0000000..630959c
--- /dev/null
+++ b/overlay-network/vm_configs/template-x.yaml
@@ -0,0 +1,10 @@
+hostname: template-x
+hours: 2
+price: 20000
+location:
+ country: "FR"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 4
+memory_mb: 8000
+disk_size_gb: 60