adding wireguard example

2025-03-09 00:39:19 +02:00 · 2025-03-09 00:39:19 +02:00 · 4f1c751de3
commit 4f1c751de3
parent 862d2c335c
18 changed files with 333 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 *.tmp
+tmp
--- a/wireguard-bastion/README.md
+++ b/wireguard-bastion/README.md
@ -0,0 +1,44 @@
+# DeTEE WireGuard Example
+
+This examples shows how WireGuard can be used to create network overlays on top of DeTEE.
+The example is academic and real world scenarios will require improved setups.
+
+## Network Diagram
+
+```mermaid
+graph TD
+    Laptop(Laptop<br/>local-cali: 10.100.10.10/24<br/>local-vanc: 10.200.20.10/24)
+    CaliBastion(Cali Bastion<br/>Server: 10.100.10.1/24<br/>Client: 10.200.20.21/24)
+    VancBastion(Vanc Bastion<br/>Server: 10.200.20.1/24<br/>Client: 10.100.10.21/24)
+    CaliProtected(Cali Protected<br/>cali: 10.100.10.101/24<br/>vanc: 10.200.20.101/24)
+    VancProtected(Vanc Protected<br/>cali: 10.100.10.201/24<br/>vanc: 10.200.20.201/24)
+
+    Laptop -- "WireGuard" --> CaliBastion
+    Laptop -- "WireGuard" --> VancBastion
+
+    CaliBastion -- "WireGuard" --> CaliProtected
+    CaliBastion -- "WireGuard" --> VancProtected
+    VancBastion -- "WireGuard" --> CaliProtected
+    VancBastion -- "WireGuard" --> VancProtected
+```
+
+## Commands
+
+To create the VMs, run `./create_vms.sh`.
+
+To deploy WireGuard, run `./deploy.sh`.
+
+To test the connections, try to access services running on the protected nodes:
+```
+curl http://10.200.20.101
+curl http://10.100.10.101
+curl http://10.100.10.201
+curl http://10.200.20.201
+```
+
+## Possible improvements
+
+The following improvements would be cool for this setup:
+- create failover routing that triggers if one of the bastions goes down
+- hide SSH from the public IP and allow SSH only via private network
+
--- a/wireguard-bastion/cali-bastion.yaml
+++ b/wireguard-bastion/cali-bastion.yaml
@ -0,0 +1,10 @@
+hostname: cali-bastion
+hours: 5
+price: 20000
+location:
+  region: "California"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
--- a/wireguard-bastion/cali-protected.yaml
+++ b/wireguard-bastion/cali-protected.yaml
@ -0,0 +1,10 @@
+hostname: cali-protected
+hours: 5
+price: 20000
+location:
+  region: "California"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
--- a/wireguard-bastion/create_vms.sh
+++ b/wireguard-bastion/create_vms.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+export FORMAT=YAML
+
+detee-cli vm deploy --from-yaml cali-bastion.yaml > tmp/cali-bastion-install.yaml
+detee-cli vm deploy --from-yaml vanc-bastion.yaml > tmp/vanc-bastion-install.yaml
+detee-cli vm deploy --from-yaml cali-protected.yaml > tmp/cali-protected-install.yaml
+detee-cli vm deploy --from-yaml vanc-protected.yaml > tmp/vanc-protected-install.yaml
--- a/wireguard-bastion/deploy.sh
+++ b/wireguard-bastion/deploy.sh
@ -0,0 +1,132 @@
+#!/bin/bash
+set -e
+export FORMAT=YAML
+
+echo GETTING UUIDs
+cali_bastion_uuid=$(grep uuid tmp/cali-bastion-install.yaml)
+cali_bastion_uuid=${cali_bastion_uuid#uuid: }
+vanc_bastion_uuid=$(grep uuid tmp/vanc-bastion-install.yaml)
+vanc_bastion_uuid=${vanc_bastion_uuid#uuid: }
+cali_protected_uuid=$(grep uuid tmp/cali-protected-install.yaml)
+cali_protected_uuid=${cali_protected_uuid#uuid: }
+vanc_protected_uuid=$(grep uuid tmp/vanc-protected-install.yaml)
+vanc_protected_uuid=${vanc_protected_uuid#uuid: }
+
+echo BUILDING SSH COMMANDS
+key_path=$(grep 'key_path:' tmp/cali-bastion-install.yaml | awk '{ print $2 }')
+ssh_cali_bastion="ssh -i ${key_path} \
+  -p $(grep port tmp/cali-bastion-install.yaml | cut -d "'" -f2) \
+  root@$(grep ip tmp/cali-bastion-install.yaml | awk '{ print $2 }')"
+ssh_vanc_bastion="ssh -i ${key_path} \
+  -p $(grep port tmp/vanc-bastion-install.yaml | cut -d "'" -f2) \
+  root@$(grep ip tmp/vanc-bastion-install.yaml | awk '{ print $2 }')"
+ssh_cali_protected="ssh -i ${key_path} \
+  -p $(grep port tmp/cali-protected-install.yaml | cut -d "'" -f2) \
+  root@$(grep ip tmp/cali-protected-install.yaml | awk '{ print $2 }')"
+ssh_vanc_protected="ssh -i ${key_path} \
+  -p $(grep port tmp/vanc-protected-install.yaml | cut -d "'" -f2) \
+  root@$(grep ip tmp/vanc-protected-install.yaml | awk '{ print $2 }')"
+
+echo INSPECTING VMs
+detee-cli vm inspect $cali_bastion_uuid > tmp/cali-bastion-inspect.yaml
+detee-cli vm inspect $vanc_bastion_uuid > tmp/vanc-bastion-inspect.yaml
+detee-cli vm inspect $cali_protected_uuid > tmp/cali-protected-inspect.yaml
+detee-cli vm inspect $vanc_protected_uuid > tmp/vanc-protected-inspect.yaml
+
+echo GETTING WIREGUARD IP AND PORTS
+cali_wg_ip=$(grep 'ip: ' tmp/cali-bastion-install.yaml)
+cali_wg_ip=${cali_wg_ip#ip: }
+vanc_wg_ip=$(grep 'ip: ' tmp/vanc-bastion-install.yaml)
+vanc_wg_ip=${vanc_wg_ip#ip: }
+cali_wg_port=$(grep exposed_ports -A 2 tmp/cali-bastion-inspect.yaml | tail -1)
+cali_wg_port=${cali_wg_port#- }
+vanc_wg_port=$(grep exposed_ports -A 2 tmp/vanc-bastion-inspect.yaml | tail -1)
+vanc_wg_port=${vanc_wg_port#- }
+
+echo GENERATING WIREGUARD KEYS
+wg genkey > tmp/cali_bastion_private.key
+cat tmp/cali_bastion_private.key | wg pubkey > tmp/cali_bastion_public.key
+wg genkey > tmp/vanc_bastion_private.key
+cat tmp/vanc_bastion_private.key | wg pubkey > tmp/vanc_bastion_public.key
+wg genkey > tmp/cali_protected_private.key
+cat tmp/cali_protected_private.key | wg pubkey > tmp/cali_protected_public.key
+wg genkey > tmp/vanc_protected_private.key
+cat tmp/vanc_protected_private.key | wg pubkey > tmp/vanc_protected_public.key
+wg genkey > tmp/local_private.key
+cat tmp/local_private.key | wg pubkey > tmp/local_public.key
+
+echo PREPARING WIREGUARD CONFIGS
+cp -r wg_configs tmp/
+sed -i "s,CALI_BASTION_PRIVATE,$(cat tmp/cali_bastion_private.key)," tmp/wg_configs/*
+sed -i "s,CALI_BASTION_PUBLIC,$(cat tmp/cali_bastion_public.key)," tmp/wg_configs/*
+sed -i "s,VANC_BASTION_PRIVATE,$(cat tmp/vanc_bastion_private.key)," tmp/wg_configs/*
+sed -i "s,VANC_BASTION_PUBLIC,$(cat tmp/vanc_bastion_public.key)," tmp/wg_configs/*
+sed -i "s,CALI_PROTECTED_PRIVATE,$(cat tmp/cali_protected_private.key)," tmp/wg_configs/*
+sed -i "s,CALI_PROTECTED_PUBLIC,$(cat tmp/cali_protected_public.key)," tmp/wg_configs/*
+sed -i "s,VANC_PROTECTED_PRIVATE,$(cat tmp/vanc_protected_private.key)," tmp/wg_configs/*
+sed -i "s,VANC_PROTECTED_PUBLIC,$(cat tmp/vanc_protected_public.key)," tmp/wg_configs/*
+
+sed -i "s,LOCAL_PRIVATE,$(cat tmp/local_private.key)," tmp/wg_configs/*
+sed -i "s,LOCAL_PUBLIC,$(cat tmp/local_public.key)," tmp/wg_configs/*
+
+sed -i "s,VANC_BASTION_IP,${vanc_wg_ip}," tmp/wg_configs/*
+sed -i "s,CALI_BASTION_IP,${cali_wg_ip}," tmp/wg_configs/*
+sed -i "s,VANC_BASTION_PORT,${vanc_wg_port}," tmp/wg_configs/*
+sed -i "s,CALI_BASTION_PORT,${cali_wg_port}," tmp/wg_configs/*
+
+echo INSTALLING SOFTWARE
+$ssh_cali_bastion pacman -Syu --noconfirm > tmp/cali_bastion.log 2>&1
+$ssh_vanc_bastion pacman -Syu --noconfirm > tmp/vanc_bastion.log 2>&1
+$ssh_cali_bastion pacman -S wireguard-tools --needed --noconfirm > tmp/cali_bastion.log 2>&1
+$ssh_vanc_bastion pacman -S wireguard-tools --needed --noconfirm > tmp/vanc_bastion.log 2>&1
+$ssh_cali_bastion sysctl -w net.ipv4.conf.all.forwarding=1
+$ssh_vanc_bastion sysctl -w net.ipv4.conf.all.forwarding=1
+
+$ssh_cali_protected pacman -Syu --noconfirm > tmp/vanc_protected.log 2>&1
+$ssh_vanc_protected pacman -Syu --noconfirm > tmp/vanc_protected.log 2>&1
+$ssh_cali_protected pacman -S wireguard-tools nginx \
+  --needed --noconfirm > tmp/vanc_protected.log 2>&1
+$ssh_vanc_protected pacman -S wireguard-tools nginx \
+  --needed --noconfirm > tmp/vanc_protected.log 2>&1
+$ssh_cali_protected systemctl start nginx
+$ssh_vanc_protected systemctl start nginx
+
+echo UPLOADING WIREGUARD CONFIG
+{
+ cat tmp/wg_configs/cali-bastion-server.conf | $ssh_cali_bastion tee /etc/wireguard/server.conf
+ cat tmp/wg_configs/cali-bastion-client.conf | $ssh_cali_bastion tee /etc/wireguard/vanc.conf
+ cat tmp/wg_configs/vanc-bastion-server.conf | $ssh_vanc_bastion tee /etc/wireguard/server.conf
+ cat tmp/wg_configs/vanc-bastion-client.conf | $ssh_vanc_bastion tee /etc/wireguard/cali.conf
+ cat tmp/wg_configs/cali-protected-cali.conf | $ssh_cali_protected tee /etc/wireguard/cali.conf
+ cat tmp/wg_configs/cali-protected-vanc.conf | $ssh_cali_protected tee /etc/wireguard/vanc.conf
+ cat tmp/wg_configs/vanc-protected-cali.conf | $ssh_vanc_protected tee /etc/wireguard/cali.conf
+ cat tmp/wg_configs/vanc-protected-vanc.conf | $ssh_vanc_protected tee /etc/wireguard/vanc.conf
+} > /dev/null
+
+echo STARTING WIREGUARD
+$ssh_cali_bastion wg-quick up server
+$ssh_vanc_bastion wg-quick up server
+$ssh_vanc_bastion wg-quick up cali
+$ssh_cali_protected wg-quick up cali
+$ssh_vanc_protected wg-quick up cali
+$ssh_cali_bastion wg-quick up vanc
+$ssh_cali_protected wg-quick up vanc
+$ssh_vanc_protected wg-quick up vanc
+
+# SETTING UP LOCAL CLIENT
+if [[ $(whoami) == "root" ]]; then
+    sudo=""
+else
+    sudo="sudo"
+fi
+$sudo cp tmp/wg_configs/local-cali.conf /etc/wireguard/
+$sudo cp tmp/wg_configs/local-vanc.conf /etc/wireguard/
+$sudo wg-quick up local-cali
+$sudo wg-quick up local-vanc
+
+
+echo To check if VPN works to the protected nodes, try to access a protected service:
+echo     curl http://10.200.20.101
+echo     curl http://10.100.10.101
+echo     curl http://10.100.10.201
+echo     curl http://10.200.20.201
--- a/wireguard-bastion/vanc-bastion.yaml
+++ b/wireguard-bastion/vanc-bastion.yaml
@ -0,0 +1,10 @@
+hostname: vanc-bastion
+hours: 5
+price: 20000
+location:
+  city: "Vancouver"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
--- a/wireguard-bastion/vanc-protected.yaml
+++ b/wireguard-bastion/vanc-protected.yaml
@ -0,0 +1,10 @@
+hostname: vanc-protected
+hours: 5
+price: 20000
+location:
+  city: "Vancouver"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
--- a/wireguard-bastion/wg_configs/cali-bastion-client.conf
+++ b/wireguard-bastion/wg_configs/cali-bastion-client.conf
@ -0,0 +1,8 @@
+[Interface]
+Address = 10.200.20.21/24
+PrivateKey = CALI_BASTION_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.200.20.0/24
+Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
--- a/wireguard-bastion/wg_configs/cali-bastion-server.conf
+++ b/wireguard-bastion/wg_configs/cali-bastion-server.conf
@ -0,0 +1,20 @@
+[Interface]
+Address = 10.100.10.1/24
+PrivateKey = CALI_BASTION_PRIVATE
+ListenPort = 1337
+
+[Peer]
+PublicKey = CALI_PROTECTED_PUBLIC
+AllowedIPs = 10.100.10.101/32
+
+[Peer]
+PublicKey = VANC_PROTECTED_PUBLIC
+AllowedIPs = 10.100.10.201/32
+
+[Peer]
+PublicKey = VANC_BASTION_PUBLIC
+AllowedIPs = 10.100.10.21/32
+
+[Peer]
+PublicKey = LOCAL_PUBLIC
+AllowedIPs = 10.100.10.10/32
--- a/wireguard-bastion/wg_configs/cali-protected-cali.conf
+++ b/wireguard-bastion/wg_configs/cali-protected-cali.conf
@ -0,0 +1,9 @@
+[Interface]
+Address = 10.100.10.101/24
+PrivateKey = CALI_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.100.10.0/24
+Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
+PersistentKeepalive = 25
--- a/wireguard-bastion/wg_configs/cali-protected-vanc.conf
+++ b/wireguard-bastion/wg_configs/cali-protected-vanc.conf
@ -0,0 +1,9 @@
+[Interface]
+Address = 10.200.20.101/24
+PrivateKey = CALI_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = VANC_BASTION_PUBLIC
+AllowedIPs = 10.200.20.0/24
+Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
+PersistentKeepalive = 25
--- a/wireguard-bastion/wg_configs/local-cali.conf
+++ b/wireguard-bastion/wg_configs/local-cali.conf
@ -0,0 +1,8 @@
+[Interface]
+Address = 10.100.10.10/24
+PrivateKey = LOCAL_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.100.10.0/24
+Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
--- a/wireguard-bastion/wg_configs/local-vanc.conf
+++ b/wireguard-bastion/wg_configs/local-vanc.conf
@ -0,0 +1,8 @@
+[Interface]
+Address = 10.200.20.10/24
+PrivateKey = LOCAL_PRIVATE
+
+[Peer]
+PublicKey = VANC_BASTION_PUBLIC
+AllowedIPs = 10.200.20.0/24
+Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
--- a/wireguard-bastion/wg_configs/vanc-bastion-client.conf
+++ b/wireguard-bastion/wg_configs/vanc-bastion-client.conf
@ -0,0 +1,8 @@
+[Interface]
+Address = 10.100.10.21/24
+PrivateKey = VANC_BASTION_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.100.10.0/24
+Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
--- a/wireguard-bastion/wg_configs/vanc-bastion-server.conf
+++ b/wireguard-bastion/wg_configs/vanc-bastion-server.conf
@ -0,0 +1,20 @@
+[Interface]
+Address = 10.200.20.1/24
+PrivateKey = VANC_BASTION_PRIVATE
+ListenPort = 1337
+
+[Peer]
+PublicKey = CALI_PROTECTED_PUBLIC
+AllowedIPs = 10.200.20.101/32
+
+[Peer]
+PublicKey = VANC_PROTECTED_PUBLIC
+AllowedIPs = 10.200.20.201/32
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.200.20.21/32
+
+[Peer]
+PublicKey = LOCAL_PUBLIC
+AllowedIPs = 10.200.20.10/32
--- a/wireguard-bastion/wg_configs/vanc-protected-cali.conf
+++ b/wireguard-bastion/wg_configs/vanc-protected-cali.conf
@ -0,0 +1,9 @@
+[Interface]
+Address = 10.100.10.201/24
+PrivateKey = VANC_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.100.10.0/24
+Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
+PersistentKeepalive = 25
--- a/wireguard-bastion/wg_configs/vanc-protected-vanc.conf
+++ b/wireguard-bastion/wg_configs/vanc-protected-vanc.conf
@ -0,0 +1,9 @@
+[Interface]
+Address = 10.200.20.201/24
+PrivateKey = VANC_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = VANC_BASTION_PUBLIC
+AllowedIPs = 10.200.20.0/24
+Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
+PersistentKeepalive = 25