adding wireguard example

2025-03-09 00:39:19 +02:00 · 2025-03-09 00:39:19 +02:00 · 4f1c751de3
commit 4f1c751de3
parent 862d2c335c
18 changed files with 333 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 *.tmp
 tmp
--- a/wireguard-bastion/README.md
+++ b/wireguard-bastion/README.md
@ -0,0 +1,44 @@
 # DeTEE WireGuard Example
 This examples shows how WireGuard can be used to create network overlays on top of DeTEE.
 The example is academic and real world scenarios will require improved setups.
 ## Network Diagram
 ```mermaid
 graph TD
    Laptop(Laptop<br/>local-cali: 10.100.10.10/24<br/>local-vanc: 10.200.20.10/24)
    CaliBastion(Cali Bastion<br/>Server: 10.100.10.1/24<br/>Client: 10.200.20.21/24)
    VancBastion(Vanc Bastion<br/>Server: 10.200.20.1/24<br/>Client: 10.100.10.21/24)
    CaliProtected(Cali Protected<br/>cali: 10.100.10.101/24<br/>vanc: 10.200.20.101/24)
    VancProtected(Vanc Protected<br/>cali: 10.100.10.201/24<br/>vanc: 10.200.20.201/24)
    Laptop -- "WireGuard" --> CaliBastion
    Laptop -- "WireGuard" --> VancBastion
    CaliBastion -- "WireGuard" --> CaliProtected
    CaliBastion -- "WireGuard" --> VancProtected
    VancBastion -- "WireGuard" --> CaliProtected
    VancBastion -- "WireGuard" --> VancProtected
 ```
 ## Commands
 To create the VMs, run `./create_vms.sh`.
 To deploy WireGuard, run `./deploy.sh`.
 To test the connections, try to access services running on the protected nodes:
 ```
 curl http://10.200.20.101
 curl http://10.100.10.101
 curl http://10.100.10.201
 curl http://10.200.20.201
 ```
 ## Possible improvements
 The following improvements would be cool for this setup:
 - create failover routing that triggers if one of the bastions goes down
 - hide SSH from the public IP and allow SSH only via private network
--- a/wireguard-bastion/cali-bastion.yaml
+++ b/wireguard-bastion/cali-bastion.yaml
@ -0,0 +1,10 @@
 hostname: cali-bastion
 hours: 5
 price: 20000
 location:
  region: "California"
 ipv4: !PublishPorts [ 1337 ]
 public_ipv6: false
 vcpus: 2
 memory_mb: 2000
 disk_size_gb: 20
--- a/wireguard-bastion/cali-protected.yaml
+++ b/wireguard-bastion/cali-protected.yaml
@ -0,0 +1,10 @@
 hostname: cali-protected
 hours: 5
 price: 20000
 location:
  region: "California"
 ipv4: !PublishPorts [ ]
 public_ipv6: false
 vcpus: 2
 memory_mb: 2000
 disk_size_gb: 20
--- a/wireguard-bastion/create_vms.sh
+++ b/wireguard-bastion/create_vms.sh
@ -0,0 +1,8 @@
 #!/bin/bash
 set -e
 export FORMAT=YAML
 detee-cli vm deploy --from-yaml cali-bastion.yaml > tmp/cali-bastion-install.yaml
 detee-cli vm deploy --from-yaml vanc-bastion.yaml > tmp/vanc-bastion-install.yaml
 detee-cli vm deploy --from-yaml cali-protected.yaml > tmp/cali-protected-install.yaml
 detee-cli vm deploy --from-yaml vanc-protected.yaml > tmp/vanc-protected-install.yaml
--- a/wireguard-bastion/deploy.sh
+++ b/wireguard-bastion/deploy.sh
@ -0,0 +1,132 @@
 #!/bin/bash
 set -e
 export FORMAT=YAML
 echo GETTING UUIDs
 cali_bastion_uuid=$(grep uuid tmp/cali-bastion-install.yaml)
 cali_bastion_uuid=${cali_bastion_uuid#uuid: }
 vanc_bastion_uuid=$(grep uuid tmp/vanc-bastion-install.yaml)
 vanc_bastion_uuid=${vanc_bastion_uuid#uuid: }
 cali_protected_uuid=$(grep uuid tmp/cali-protected-install.yaml)
 cali_protected_uuid=${cali_protected_uuid#uuid: }
 vanc_protected_uuid=$(grep uuid tmp/vanc-protected-install.yaml)
 vanc_protected_uuid=${vanc_protected_uuid#uuid: }
 echo BUILDING SSH COMMANDS
 key_path=$(grep 'key_path:' tmp/cali-bastion-install.yaml | awk '{ print $2 }')
 ssh_cali_bastion="ssh -i ${key_path} \
  -p $(grep port tmp/cali-bastion-install.yaml | cut -d "'" -f2) \
  root@$(grep ip tmp/cali-bastion-install.yaml | awk '{ print $2 }')"
 ssh_vanc_bastion="ssh -i ${key_path} \
  -p $(grep port tmp/vanc-bastion-install.yaml | cut -d "'" -f2) \
  root@$(grep ip tmp/vanc-bastion-install.yaml | awk '{ print $2 }')"
 ssh_cali_protected="ssh -i ${key_path} \
  -p $(grep port tmp/cali-protected-install.yaml | cut -d "'" -f2) \
  root@$(grep ip tmp/cali-protected-install.yaml | awk '{ print $2 }')"
 ssh_vanc_protected="ssh -i ${key_path} \
  -p $(grep port tmp/vanc-protected-install.yaml | cut -d "'" -f2) \
  root@$(grep ip tmp/vanc-protected-install.yaml | awk '{ print $2 }')"
 echo INSPECTING VMs
 detee-cli vm inspect $cali_bastion_uuid > tmp/cali-bastion-inspect.yaml
 detee-cli vm inspect $vanc_bastion_uuid > tmp/vanc-bastion-inspect.yaml
 detee-cli vm inspect $cali_protected_uuid > tmp/cali-protected-inspect.yaml
 detee-cli vm inspect $vanc_protected_uuid > tmp/vanc-protected-inspect.yaml
 echo GETTING WIREGUARD IP AND PORTS
 cali_wg_ip=$(grep 'ip: ' tmp/cali-bastion-install.yaml)
 cali_wg_ip=${cali_wg_ip#ip: }
 vanc_wg_ip=$(grep 'ip: ' tmp/vanc-bastion-install.yaml)
 vanc_wg_ip=${vanc_wg_ip#ip: }
 cali_wg_port=$(grep exposed_ports -A 2 tmp/cali-bastion-inspect.yaml | tail -1)
 cali_wg_port=${cali_wg_port#- }
 vanc_wg_port=$(grep exposed_ports -A 2 tmp/vanc-bastion-inspect.yaml | tail -1)
 vanc_wg_port=${vanc_wg_port#- }
 echo GENERATING WIREGUARD KEYS
 wg genkey > tmp/cali_bastion_private.key
 cat tmp/cali_bastion_private.key | wg pubkey > tmp/cali_bastion_public.key
 wg genkey > tmp/vanc_bastion_private.key
 cat tmp/vanc_bastion_private.key | wg pubkey > tmp/vanc_bastion_public.key
 wg genkey > tmp/cali_protected_private.key
 cat tmp/cali_protected_private.key | wg pubkey > tmp/cali_protected_public.key
 wg genkey > tmp/vanc_protected_private.key
 cat tmp/vanc_protected_private.key | wg pubkey > tmp/vanc_protected_public.key
 wg genkey > tmp/local_private.key
 cat tmp/local_private.key | wg pubkey > tmp/local_public.key
 echo PREPARING WIREGUARD CONFIGS
 cp -r wg_configs tmp/
 sed -i "s,CALI_BASTION_PRIVATE,$(cat tmp/cali_bastion_private.key)," tmp/wg_configs/*
 sed -i "s,CALI_BASTION_PUBLIC,$(cat tmp/cali_bastion_public.key)," tmp/wg_configs/*
 sed -i "s,VANC_BASTION_PRIVATE,$(cat tmp/vanc_bastion_private.key)," tmp/wg_configs/*
 sed -i "s,VANC_BASTION_PUBLIC,$(cat tmp/vanc_bastion_public.key)," tmp/wg_configs/*
 sed -i "s,CALI_PROTECTED_PRIVATE,$(cat tmp/cali_protected_private.key)," tmp/wg_configs/*
 sed -i "s,CALI_PROTECTED_PUBLIC,$(cat tmp/cali_protected_public.key)," tmp/wg_configs/*
 sed -i "s,VANC_PROTECTED_PRIVATE,$(cat tmp/vanc_protected_private.key)," tmp/wg_configs/*
 sed -i "s,VANC_PROTECTED_PUBLIC,$(cat tmp/vanc_protected_public.key)," tmp/wg_configs/*
 sed -i "s,LOCAL_PRIVATE,$(cat tmp/local_private.key)," tmp/wg_configs/*
 sed -i "s,LOCAL_PUBLIC,$(cat tmp/local_public.key)," tmp/wg_configs/*
 sed -i "s,VANC_BASTION_IP,${vanc_wg_ip}," tmp/wg_configs/*
 sed -i "s,CALI_BASTION_IP,${cali_wg_ip}," tmp/wg_configs/*
 sed -i "s,VANC_BASTION_PORT,${vanc_wg_port}," tmp/wg_configs/*
 sed -i "s,CALI_BASTION_PORT,${cali_wg_port}," tmp/wg_configs/*
 echo INSTALLING SOFTWARE
 $ssh_cali_bastion pacman -Syu --noconfirm > tmp/cali_bastion.log 2>&1
 $ssh_vanc_bastion pacman -Syu --noconfirm > tmp/vanc_bastion.log 2>&1
 $ssh_cali_bastion pacman -S wireguard-tools --needed --noconfirm > tmp/cali_bastion.log 2>&1
 $ssh_vanc_bastion pacman -S wireguard-tools --needed --noconfirm > tmp/vanc_bastion.log 2>&1
 $ssh_cali_bastion sysctl -w net.ipv4.conf.all.forwarding=1
 $ssh_vanc_bastion sysctl -w net.ipv4.conf.all.forwarding=1
 $ssh_cali_protected pacman -Syu --noconfirm > tmp/vanc_protected.log 2>&1
 $ssh_vanc_protected pacman -Syu --noconfirm > tmp/vanc_protected.log 2>&1
 $ssh_cali_protected pacman -S wireguard-tools nginx \
  --needed --noconfirm > tmp/vanc_protected.log 2>&1
 $ssh_vanc_protected pacman -S wireguard-tools nginx \
  --needed --noconfirm > tmp/vanc_protected.log 2>&1
 $ssh_cali_protected systemctl start nginx
 $ssh_vanc_protected systemctl start nginx
 echo UPLOADING WIREGUARD CONFIG
 {
 cat tmp/wg_configs/cali-bastion-server.conf | $ssh_cali_bastion tee /etc/wireguard/server.conf
 cat tmp/wg_configs/cali-bastion-client.conf | $ssh_cali_bastion tee /etc/wireguard/vanc.conf
 cat tmp/wg_configs/vanc-bastion-server.conf | $ssh_vanc_bastion tee /etc/wireguard/server.conf
 cat tmp/wg_configs/vanc-bastion-client.conf | $ssh_vanc_bastion tee /etc/wireguard/cali.conf
 cat tmp/wg_configs/cali-protected-cali.conf | $ssh_cali_protected tee /etc/wireguard/cali.conf
 cat tmp/wg_configs/cali-protected-vanc.conf | $ssh_cali_protected tee /etc/wireguard/vanc.conf
 cat tmp/wg_configs/vanc-protected-cali.conf | $ssh_vanc_protected tee /etc/wireguard/cali.conf
 cat tmp/wg_configs/vanc-protected-vanc.conf | $ssh_vanc_protected tee /etc/wireguard/vanc.conf
 } > /dev/null
 echo STARTING WIREGUARD
 $ssh_cali_bastion wg-quick up server
 $ssh_vanc_bastion wg-quick up server
 $ssh_vanc_bastion wg-quick up cali
 $ssh_cali_protected wg-quick up cali
 $ssh_vanc_protected wg-quick up cali
 $ssh_cali_bastion wg-quick up vanc
 $ssh_cali_protected wg-quick up vanc
 $ssh_vanc_protected wg-quick up vanc
 # SETTING UP LOCAL CLIENT
 if [[ $(whoami) == "root" ]]; then
    sudo=""
 else
    sudo="sudo"
 fi
 $sudo cp tmp/wg_configs/local-cali.conf /etc/wireguard/
 $sudo cp tmp/wg_configs/local-vanc.conf /etc/wireguard/
 $sudo wg-quick up local-cali
 $sudo wg-quick up local-vanc
 echo To check if VPN works to the protected nodes, try to access a protected service:
 echo     curl http://10.200.20.101
 echo     curl http://10.100.10.101
 echo     curl http://10.100.10.201
 echo     curl http://10.200.20.201
--- a/wireguard-bastion/vanc-bastion.yaml
+++ b/wireguard-bastion/vanc-bastion.yaml
@ -0,0 +1,10 @@
 hostname: vanc-bastion
 hours: 5
 price: 20000
 location:
  city: "Vancouver"
 ipv4: !PublishPorts [ 1337 ]
 public_ipv6: false
 vcpus: 2
 memory_mb: 2000
 disk_size_gb: 20
--- a/wireguard-bastion/vanc-protected.yaml
+++ b/wireguard-bastion/vanc-protected.yaml
@ -0,0 +1,10 @@
 hostname: vanc-protected
 hours: 5
 price: 20000
 location:
  city: "Vancouver"
 ipv4: !PublishPorts [ ]
 public_ipv6: false
 vcpus: 2
 memory_mb: 2000
 disk_size_gb: 20
--- a/wireguard-bastion/wg_configs/cali-bastion-client.conf
+++ b/wireguard-bastion/wg_configs/cali-bastion-client.conf
@ -0,0 +1,8 @@
 [Interface]
 Address = 10.200.20.21/24
 PrivateKey = CALI_BASTION_PRIVATE
 [Peer]
 PublicKey = CALI_BASTION_PUBLIC
 AllowedIPs = 10.200.20.0/24
 Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
--- a/wireguard-bastion/wg_configs/cali-bastion-server.conf
+++ b/wireguard-bastion/wg_configs/cali-bastion-server.conf
@ -0,0 +1,20 @@
 [Interface]
 Address = 10.100.10.1/24
 PrivateKey = CALI_BASTION_PRIVATE
 ListenPort = 1337
 [Peer]
 PublicKey = CALI_PROTECTED_PUBLIC
 AllowedIPs = 10.100.10.101/32
 [Peer]
 PublicKey = VANC_PROTECTED_PUBLIC
 AllowedIPs = 10.100.10.201/32
 [Peer]
 PublicKey = VANC_BASTION_PUBLIC
 AllowedIPs = 10.100.10.21/32
 [Peer]
 PublicKey = LOCAL_PUBLIC
 AllowedIPs = 10.100.10.10/32
--- a/wireguard-bastion/wg_configs/cali-protected-cali.conf
+++ b/wireguard-bastion/wg_configs/cali-protected-cali.conf
@ -0,0 +1,9 @@
 [Interface]
 Address = 10.100.10.101/24
 PrivateKey = CALI_PROTECTED_PRIVATE
 [Peer]
 PublicKey = CALI_BASTION_PUBLIC
 AllowedIPs = 10.100.10.0/24
 Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
 PersistentKeepalive = 25
--- a/wireguard-bastion/wg_configs/cali-protected-vanc.conf
+++ b/wireguard-bastion/wg_configs/cali-protected-vanc.conf
@ -0,0 +1,9 @@
 [Interface]
 Address = 10.200.20.101/24
 PrivateKey = CALI_PROTECTED_PRIVATE
 [Peer]
 PublicKey = VANC_BASTION_PUBLIC
 AllowedIPs = 10.200.20.0/24
 Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
 PersistentKeepalive = 25
--- a/wireguard-bastion/wg_configs/local-cali.conf
+++ b/wireguard-bastion/wg_configs/local-cali.conf
@ -0,0 +1,8 @@
 [Interface]
 Address = 10.100.10.10/24
 PrivateKey = LOCAL_PRIVATE
 [Peer]
 PublicKey = CALI_BASTION_PUBLIC
 AllowedIPs = 10.100.10.0/24
 Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
--- a/wireguard-bastion/wg_configs/local-vanc.conf
+++ b/wireguard-bastion/wg_configs/local-vanc.conf
@ -0,0 +1,8 @@
 [Interface]
 Address = 10.200.20.10/24
 PrivateKey = LOCAL_PRIVATE
 [Peer]
 PublicKey = VANC_BASTION_PUBLIC
 AllowedIPs = 10.200.20.0/24
 Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
--- a/wireguard-bastion/wg_configs/vanc-bastion-client.conf
+++ b/wireguard-bastion/wg_configs/vanc-bastion-client.conf
@ -0,0 +1,8 @@
 [Interface]
 Address = 10.100.10.21/24
 PrivateKey = VANC_BASTION_PRIVATE
 [Peer]
 PublicKey = CALI_BASTION_PUBLIC
 AllowedIPs = 10.100.10.0/24
 Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
--- a/wireguard-bastion/wg_configs/vanc-bastion-server.conf
+++ b/wireguard-bastion/wg_configs/vanc-bastion-server.conf
@ -0,0 +1,20 @@
 [Interface]
 Address = 10.200.20.1/24
 PrivateKey = VANC_BASTION_PRIVATE
 ListenPort = 1337
 [Peer]
 PublicKey = CALI_PROTECTED_PUBLIC
 AllowedIPs = 10.200.20.101/32
 [Peer]
 PublicKey = VANC_PROTECTED_PUBLIC
 AllowedIPs = 10.200.20.201/32
 [Peer]
 PublicKey = CALI_BASTION_PUBLIC
 AllowedIPs = 10.200.20.21/32
 [Peer]
 PublicKey = LOCAL_PUBLIC
 AllowedIPs = 10.200.20.10/32
--- a/wireguard-bastion/wg_configs/vanc-protected-cali.conf
+++ b/wireguard-bastion/wg_configs/vanc-protected-cali.conf
@ -0,0 +1,9 @@
 [Interface]
 Address = 10.100.10.201/24
 PrivateKey = VANC_PROTECTED_PRIVATE
 [Peer]
 PublicKey = CALI_BASTION_PUBLIC
 AllowedIPs = 10.100.10.0/24
 Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
 PersistentKeepalive = 25
--- a/wireguard-bastion/wg_configs/vanc-protected-vanc.conf
+++ b/wireguard-bastion/wg_configs/vanc-protected-vanc.conf
@ -0,0 +1,9 @@
 [Interface]
 Address = 10.200.20.201/24
 PrivateKey = VANC_PROTECTED_PRIVATE
 [Peer]
 PublicKey = VANC_BASTION_PUBLIC
 AllowedIPs = 10.200.20.0/24
 Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
 PersistentKeepalive = 25