From 72d2b97463a99215fab4ba595684c0db938ce5e6 Mon Sep 17 00:00:00 2001 
From: ghe0 Date: Sun, 9 Mar 2025 00:39:19 +0200 Subject: [PATCH] adding wireguard example --- .gitignore | 1 + wireguard-bastion/README.md | 29 ++++ wireguard-bastion/cali-bastion.yaml | 10 ++ wireguard-bastion/cali-protected.yaml | 10 ++ wireguard-bastion/create_vms.sh | 8 ++ wireguard-bastion/deploy.sh | 132 ++++++++++++++++++ wireguard-bastion/vanc-bastion.yaml | 10 ++ wireguard-bastion/vanc-protected.yaml | 10 ++ .../wg_configs/cali-bastion-client.conf | 8 ++ .../wg_configs/cali-bastion-server.conf | 20 +++ .../wg_configs/cali-protected-cali.conf | 9 ++ .../wg_configs/cali-protected-vanc.conf | 9 ++ wireguard-bastion/wg_configs/local-cali.conf | 8 ++ wireguard-bastion/wg_configs/local-vanc.conf | 8 ++ .../wg_configs/vanc-bastion-client.conf | 8 ++ .../wg_configs/vanc-bastion-server.conf | 20 +++ .../wg_configs/vanc-protected-cali.conf | 9 ++ .../wg_configs/vanc-protected-vanc.conf | 9 ++ 18 files changed, 318 insertions(+) create mode 100644 wireguard-bastion/README.md create mode 100644 wireguard-bastion/cali-bastion.yaml create mode 100644 wireguard-bastion/cali-protected.yaml create mode 100755 wireguard-bastion/create_vms.sh create mode 100755 wireguard-bastion/deploy.sh create mode 100644 wireguard-bastion/vanc-bastion.yaml create mode 100644 wireguard-bastion/vanc-protected.yaml create mode 100644 wireguard-bastion/wg_configs/cali-bastion-client.conf create mode 100644 wireguard-bastion/wg_configs/cali-bastion-server.conf create mode 100644 wireguard-bastion/wg_configs/cali-protected-cali.conf create mode 100644 wireguard-bastion/wg_configs/cali-protected-vanc.conf create mode 100644 wireguard-bastion/wg_configs/local-cali.conf create mode 100644 wireguard-bastion/wg_configs/local-vanc.conf create mode 100644 wireguard-bastion/wg_configs/vanc-bastion-client.conf create mode 100644 wireguard-bastion/wg_configs/vanc-bastion-server.conf create mode 100644 wireguard-bastion/wg_configs/vanc-protected-cali.conf create mode 100644 
wireguard-bastion/wg_configs/vanc-protected-vanc.conf
diff --git a/.gitignore b/.gitignore
index 1944fd6..c5445da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.tmp
+tmp
diff --git a/wireguard-bastion/README.md b/wireguard-bastion/README.md
new file mode 100644
index 0000000..f441b0b
--- /dev/null
+++ b/wireguard-bastion/README.md
@@ -0,0 +1,29 @@
+# DeTEE WireGuard Example
+
+This examples shows how WireGuard can be used to create network overlays on top of DeTEE.
+The example is academic and real world scenarios will require improved setups.
+
+## Network Diagram
+
+```mermaid
+graph LR
+ Laptop[Laptop
local-cali: 10.100.10.10/24
local-vanc: 10.200.20.10/24] + CaliBastion[Cali Bastion
Server: 10.100.10.1/24
Client: 10.200.20.21/24] + VancBastion[Vanc Bastion
Server: 10.200.20.1/24
Client: 10.100.10.21/24] + CaliProtected[Cali Protected
cali: 10.100.10.101/24
vanc: 10.200.20.101/24] + VancProtected[Vanc Protected
cali: 10.100.10.201/24
vanc: 10.200.20.201/24]
+
+ Laptop -- "WireGuard" --> CaliBastion
+ Laptop -- "WireGuard" --> VancBastion
+
+ CaliBastion -- "WireGuard" --> CaliProtected
+ CaliBastion -- "WireGuard" --> VancProtected
+ VancBastion -- "WireGuard" --> CaliProtected
+ VancBastion -- "WireGuard" --> VancProtected
+```
+
+## Commands
+
+To create the VMs, run `./create_vms.sh`.
+
+To deploy WireGuard, run `./deploy.sh`.
diff --git a/wireguard-bastion/cali-bastion.yaml b/wireguard-bastion/cali-bastion.yaml
new file mode 100644
index 0000000..ae601cb
--- /dev/null
+++ b/wireguard-bastion/cali-bastion.yaml
@@ -0,0 +1,10 @@
+hostname: cali-bastion
+hours: 5
+price: 20000
+location:
+ region: "California"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
diff --git a/wireguard-bastion/cali-protected.yaml b/wireguard-bastion/cali-protected.yaml
new file mode 100644
index 0000000..998be32
--- /dev/null
+++ b/wireguard-bastion/cali-protected.yaml
@@ -0,0 +1,10 @@
+hostname: cali-protected
+hours: 5
+price: 20000
+location:
+ region: "California"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
diff --git a/wireguard-bastion/create_vms.sh b/wireguard-bastion/create_vms.sh
new file mode 100755
index 0000000..ae76937
--- /dev/null
+++ b/wireguard-bastion/create_vms.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+export FORMAT=YAML
+
+detee-cli vm deploy --from-yaml cali-bastion.yaml > tmp/cali-bastion-install.yaml
+detee-cli vm deploy --from-yaml vanc-bastion.yaml > tmp/vanc-bastion-install.yaml
+detee-cli vm deploy --from-yaml cali-protected.yaml > tmp/cali-protected-install.yaml
+detee-cli vm deploy --from-yaml vanc-protected.yaml > tmp/vanc-protected-install.yaml
diff --git a/wireguard-bastion/deploy.sh b/wireguard-bastion/deploy.sh
new file mode 100755
index 0000000..2d5debf
--- /dev/null
+++ b/wireguard-bastion/deploy.sh
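Review bot: Every `detee-cli vm deploy` line in create_vms.sh redirects into `tmp/`, but nothing creates that directory, and the `tmp` entry added to .gitignore means git will never carry it, so on a fresh clone the first redirection fails and `set -e` aborts before any VM is deployed. Adding `mkdir -p tmp` after `export FORMAT=YAML` is enough. Keeping those install files out of the repository is right, since deploy.sh later reads the ssh `key_path`, port and ip for each VM out of them.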
@@ -0,0 +1,132 @@
+#!/bin/bash
+set -e
+export FORMAT=YAML
+
+echo GETTING UUIDs
+cali_bastion_uuid=$(grep uuid tmp/cali-bastion-install.yaml)
+cali_bastion_uuid=${cali_bastion_uuid#uuid: }
+vanc_bastion_uuid=$(grep uuid tmp/vanc-bastion-install.yaml)
+vanc_bastion_uuid=${vanc_bastion_uuid#uuid: }
+cali_protected_uuid=$(grep uuid tmp/cali-protected-install.yaml)
+cali_protected_uuid=${cali_protected_uuid#uuid: }
+vanc_protected_uuid=$(grep uuid tmp/vanc-protected-install.yaml)
+vanc_protected_uuid=${vanc_protected_uuid#uuid: }
+
+echo BUILDING SSH COMMANDS
+key_path=$(grep 'key_path:' tmp/cali-bastion-install.yaml | awk '{ print $2 }')
+ssh_cali_bastion="ssh -i ${key_path} \
+ -p $(grep port tmp/cali-bastion-install.yaml | cut -d "'" -f2) \
+ root@$(grep ip tmp/cali-bastion-install.yaml | awk '{ print $2 }')"
+ssh_vanc_bastion="ssh -i ${key_path} \
+ -p $(grep port tmp/vanc-bastion-install.yaml | cut -d "'" -f2) \
+ root@$(grep ip tmp/vanc-bastion-install.yaml | awk '{ print $2 }')"
+ssh_cali_protected="ssh -i ${key_path} \
+ -p $(grep port tmp/cali-protected-install.yaml | cut -d "'" -f2) \
+ root@$(grep ip tmp/cali-protected-install.yaml | awk '{ print $2 }')"
+ssh_vanc_protected="ssh -i ${key_path} \
+ -p $(grep port tmp/vanc-protected-install.yaml | cut -d "'" -f2) \
+ root@$(grep ip tmp/vanc-protected-install.yaml | awk '{ print $2 }')"
+
+echo INSPECTING VMs
+detee-cli vm inspect $cali_bastion_uuid > tmp/cali-bastion-inspect.yaml
+detee-cli vm inspect $vanc_bastion_uuid > tmp/vanc-bastion-inspect.yaml
+detee-cli vm inspect $cali_protected_uuid > tmp/cali-protected-inspect.yaml
+detee-cli vm inspect $vanc_protected_uuid > tmp/vanc-protected-inspect.yaml
+
+echo GETTING WIREGUARD IP AND PORTS
+cali_wg_ip=$(grep 'ip: ' tmp/cali-bastion-install.yaml)
+cali_wg_ip=${cali_wg_ip#ip: }
+vanc_wg_ip=$(grep 'ip: ' tmp/vanc-bastion-install.yaml)
+vanc_wg_ip=${vanc_wg_ip#ip: }
+cali_wg_port=$(grep exposed_ports -A 2 tmp/cali-bastion-inspect.yaml | tail -1)
+cali_wg_port=${cali_wg_port#- }
+vanc_wg_port=$(grep exposed_ports -A 2 tmp/vanc-bastion-inspect.yaml | tail -1)
+vanc_wg_port=${vanc_wg_port#- }
+
+echo GENERATING WIREGUARD KEYS
+wg genkey > tmp/cali_bastion_private.key
+cat tmp/cali_bastion_private.key | wg pubkey > tmp/cali_bastion_public.key
+wg genkey > tmp/vanc_bastion_private.key
+cat tmp/vanc_bastion_private.key | wg pubkey > tmp/vanc_bastion_public.key
+wg genkey > tmp/cali_protected_private.key
+cat tmp/cali_protected_private.key | wg pubkey > tmp/cali_protected_public.key
+wg genkey > tmp/vanc_protected_private.key
+cat tmp/vanc_protected_private.key | wg pubkey > tmp/vanc_protected_public.key
+wg genkey > tmp/local_private.key
+cat tmp/local_private.key | wg pubkey > tmp/local_public.key
+
+echo PREPARING WIREGUARD CONFIGS
+cp -r wg_configs tmp/
+sed -i "s,CALI_BASTION_PRIVATE,$(cat tmp/cali_bastion_private.key)," tmp/wg_configs/*
+sed -i "s,CALI_BASTION_PUBLIC,$(cat tmp/cali_bastion_public.key)," tmp/wg_configs/*
+sed -i "s,VANC_BASTION_PRIVATE,$(cat tmp/vanc_bastion_private.key)," tmp/wg_configs/*
+sed -i "s,VANC_BASTION_PUBLIC,$(cat tmp/vanc_bastion_public.key)," tmp/wg_configs/*
+sed -i "s,CALI_PROTECTED_PRIVATE,$(cat tmp/cali_protected_private.key)," tmp/wg_configs/*
+sed -i "s,CALI_PROTECTED_PUBLIC,$(cat tmp/cali_protected_public.key)," tmp/wg_configs/*
+sed -i "s,VANC_PROTECTED_PRIVATE,$(cat tmp/vanc_protected_private.key)," tmp/wg_configs/*
+sed -i "s,VANC_PROTECTED_PUBLIC,$(cat tmp/vanc_protected_public.key)," tmp/wg_configs/*
+
+sed -i "s,LOCAL_PRIVATE,$(cat tmp/local_private.key)," tmp/wg_configs/*
+sed -i "s,LOCAL_PUBLIC,$(cat tmp/local_public.key)," tmp/wg_configs/*
+
+sed -i "s,VANC_BASTION_IP,${vanc_wg_ip}," tmp/wg_configs/*
+sed -i "s,CALI_BASTION_IP,${cali_wg_ip}," tmp/wg_configs/*
+sed -i "s,VANC_BASTION_PORT,${vanc_wg_port}," tmp/wg_configs/*
+sed -i "s,CALI_BASTION_PORT,${cali_wg_port}," tmp/wg_configs/*
+
+echo INSTALLING SOFTWARE
+$ssh_cali_bastion pacman -Syu --noconfirm > tmp/cali_bastion.log 2>&1
+$ssh_vanc_bastion pacman -Syu --noconfirm > tmp/vanc_bastion.log 2>&1
+$ssh_cali_bastion pacman -S wireguard-tools --needed --noconfirm > tmp/cali_bastion.log 2>&1
+$ssh_vanc_bastion pacman -S wireguard-tools --needed --noconfirm > tmp/vanc_bastion.log 2>&1
+$ssh_cali_bastion sysctl -w net.ipv4.conf.all.forwarding=1
+$ssh_vanc_bastion sysctl -w net.ipv4.conf.all.forwarding=1
+
+$ssh_cali_protected pacman -Syu --noconfirm > tmp/vanc_protected.log 2>&1
+$ssh_vanc_protected pacman -Syu --noconfirm > tmp/vanc_protected.log 2>&1
+$ssh_cali_protected pacman -S wireguard-tools nginx \
+ --needed --noconfirm > tmp/vanc_protected.log 2>&1
+$ssh_vanc_protected pacman -S wireguard-tools nginx \
+ --needed --noconfirm > tmp/vanc_protected.log 2>&1
+$ssh_cali_protected systemctl start nginx
+$ssh_vanc_protected systemctl start nginx
+
+echo UPLOADING WIREGUARD CONFIG
+{
+ cat tmp/wg_configs/cali-bastion-server.conf | $ssh_cali_bastion tee /etc/wireguard/server.conf
+ cat tmp/wg_configs/cali-bastion-client.conf | $ssh_cali_bastion tee /etc/wireguard/vanc.conf
+ cat tmp/wg_configs/vanc-bastion-server.conf | $ssh_vanc_bastion tee /etc/wireguard/server.conf
+ cat tmp/wg_configs/vanc-bastion-client.conf | $ssh_vanc_bastion tee /etc/wireguard/cali.conf
+ cat tmp/wg_configs/cali-protected-cali.conf | $ssh_cali_protected tee /etc/wireguard/cali.conf
+ cat tmp/wg_configs/cali-protected-vanc.conf | $ssh_cali_protected tee /etc/wireguard/vanc.conf
+ cat tmp/wg_configs/vanc-protected-cali.conf | $ssh_vanc_protected tee /etc/wireguard/cali.conf
+ cat tmp/wg_configs/vanc-protected-vanc.conf | $ssh_vanc_protected tee /etc/wireguard/vanc.conf
+} > /dev/null
+
+echo STARTING WIREGUARD
+$ssh_cali_bastion wg-quick up server
+$ssh_vanc_bastion wg-quick up server
+$ssh_vanc_bastion wg-quick up cali
+$ssh_cali_protected wg-quick up cali
+$ssh_vanc_protected wg-quick up cali
+$ssh_cali_bastion wg-quick up vanc
+$ssh_cali_protected wg-quick up vanc
+$ssh_vanc_protected wg-quick up vanc
+
+# SETTING UP LOCAL CLIENT
+if [[ $(whoami) == "root" ]]; then
+ sudo=""
+else
+ sudo="sudo"
+fi
+$sudo cp tmp/wg_configs/local-cali.conf /etc/wireguard/
+$sudo cp tmp/wg_configs/local-vanc.conf /etc/wireguard/
+$sudo wg-quick up local-cali
+$sudo wg-quick up local-vanc
+
+
+echo To check if VPN works to the protected nodes, try to access a protected service:
+echo curl http://10.200.20.101
+echo curl http://10.100.10.101
+echo curl http://10.100.10.201
+echo curl http://10.200.20.201
diff --git a/wireguard-bastion/vanc-bastion.yaml b/wireguard-bastion/vanc-bastion.yaml
new file mode 100644
index 0000000..f603bf0
--- /dev/null
+++ b/wireguard-bastion/vanc-bastion.yaml
@@ -0,0 +1,10 @@
+hostname: vanc-bastion
+hours: 5
+price: 20000
+location:
+ city: "Vancouver"
+ipv4: !PublishPorts [ 1337 ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
diff --git a/wireguard-bastion/vanc-protected.yaml b/wireguard-bastion/vanc-protected.yaml
new file mode 100644
index 0000000..8d06ba1
--- /dev/null
+++ b/wireguard-bastion/vanc-protected.yaml
@@ -0,0 +1,10 @@
+hostname: vanc-protected
+hours: 5
+price: 20000
+location:
+ city: "Vancouver"
+ipv4: !PublishPorts [ ]
+public_ipv6: false
+vcpus: 2
+memory_mb: 2000
+disk_size_gb: 20
diff --git a/wireguard-bastion/wg_configs/cali-bastion-client.conf b/wireguard-bastion/wg_configs/cali-bastion-client.conf
new file mode 100644
index 0000000..a5341aa
--- /dev/null
+++ b/wireguard-bastion/wg_configs/cali-bastion-client.conf
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.200.20.21/24
+PrivateKey = CALI_BASTION_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.200.20.0/24
+Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
diff --git a/wireguard-bastion/wg_configs/cali-bastion-server.conf b/wireguard-bastion/wg_configs/cali-bastion-server.conf
new file mode 100644
index 0000000..6e5b7fb
--- /dev/null
+++ b/wireguard-bastion/wg_configs/cali-bastion-server.conf
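Review bot: The WireGuard private keys end up in world-readable files on both ends of the pipeline: `wg genkey > tmp/cali_bastion_private.key` and its four siblings, `cp -r wg_configs tmp/` and the later `sed -i` substitutions all run under the operator's default umask, and on the VMs `cat tmp/wg_configs/cali-bastion-server.conf | $ssh_cali_bastion tee /etc/wireguard/server.conf` (and the seven lines after it) creates the config with root's umask, typically 0644, which wg-quick flags as world accessible. A `umask 077` line right after `set -e` covers the local side including the two `$sudo cp` lines, and since a umask is not inherited over ssh the upload lines should set it remotely, e.g. `$ssh_cali_bastion "umask 077; cat > /etc/wireguard/server.conf"` in place of `tee`. Separately, `$ssh_cali_protected pacman -Syu --noconfirm > tmp/vanc_protected.log 2>&1` and the following `pacman -S` call for cali-protected write to vanc's log instead of `tmp/cali_protected.log`, and on every host the second `pacman` call truncates the first one's log with `>` where `>>` would keep both. Finally, `grep ip tmp/cali-bastion-install.yaml` matches any line containing `ip`; the install YAML is not part of this patch so this may be harmless today, but anchoring with `grep '^ip: '` would make the host extraction robust.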
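Review bot: The `[Peer]` section of cali-bastion-client.conf carries the wrong public key: its endpoint is the Vancouver bastion (`Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT`) but `PublicKey = CALI_BASTION_PUBLIC` is this host's own key, so the handshake started by `wg-quick up vanc` on cali-bastion cannot complete and the 10.200.20.0/24 route through that interface never comes up. The mirror file vanc-bastion-client.conf pairs `CALI_BASTION_PUBLIC` with the Cali endpoint, and vanc-bastion-server.conf already lists `CALI_BASTION_PUBLIC` for its 10.200.20.21/32 peer, so the one-line fix is `PublicKey = VANC_BASTION_PUBLIC`. Note also that `PrivateKey = CALI_BASTION_PRIVATE` is the same key this host's server.conf uses (vanc-bastion-client.conf mirrors this); WireGuard accepts one key pair on two interfaces, but a dedicated client key pair per bastion would keep the two tunnels independently revocable.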
@@ -0,0 +1,20 @@
+[Interface]
+Address = 10.100.10.1/24
+PrivateKey = CALI_BASTION_PRIVATE
+ListenPort = 1337
+
+[Peer]
+PublicKey = CALI_PROTECTED_PUBLIC
+AllowedIPs = 10.100.10.101/32
+
+[Peer]
+PublicKey = VANC_PROTECTED_PUBLIC
+AllowedIPs = 10.100.10.201/32
+
+[Peer]
+PublicKey = VANC_BASTION_PUBLIC
+AllowedIPs = 10.100.10.21/32
+
+[Peer]
+PublicKey = LOCAL_PUBLIC
+AllowedIPs = 10.100.10.10/32
diff --git a/wireguard-bastion/wg_configs/cali-protected-cali.conf b/wireguard-bastion/wg_configs/cali-protected-cali.conf
new file mode 100644
index 0000000..e4f70b5
--- /dev/null
+++ b/wireguard-bastion/wg_configs/cali-protected-cali.conf
@@ -0,0 +1,9 @@
+[Interface]
+Address = 10.100.10.101/24
+PrivateKey = CALI_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.100.10.0/24
+Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
+PersistentKeepalive = 25
diff --git a/wireguard-bastion/wg_configs/cali-protected-vanc.conf b/wireguard-bastion/wg_configs/cali-protected-vanc.conf
new file mode 100644
index 0000000..c1e3953
--- /dev/null
+++ b/wireguard-bastion/wg_configs/cali-protected-vanc.conf
@@ -0,0 +1,9 @@
+[Interface]
+Address = 10.200.20.101/24
+PrivateKey = CALI_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = VANC_BASTION_PUBLIC
+AllowedIPs = 10.200.20.0/24
+Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
+PersistentKeepalive = 25
diff --git a/wireguard-bastion/wg_configs/local-cali.conf b/wireguard-bastion/wg_configs/local-cali.conf
new file mode 100644
index 0000000..afaaf51
--- /dev/null
+++ b/wireguard-bastion/wg_configs/local-cali.conf
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.100.10.10/24
+PrivateKey = LOCAL_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.100.10.0/24
+Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
diff --git a/wireguard-bastion/wg_configs/local-vanc.conf b/wireguard-bastion/wg_configs/local-vanc.conf
new file mode 100644
index 0000000..f12d50c
--- /dev/null
+++ b/wireguard-bastion/wg_configs/local-vanc.conf
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.200.20.10/24
+PrivateKey = LOCAL_PRIVATE
+
+[Peer]
+PublicKey = VANC_BASTION_PUBLIC
+AllowedIPs = 10.200.20.0/24
+Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
diff --git a/wireguard-bastion/wg_configs/vanc-bastion-client.conf b/wireguard-bastion/wg_configs/vanc-bastion-client.conf
new file mode 100644
index 0000000..20161a6
--- /dev/null
+++ b/wireguard-bastion/wg_configs/vanc-bastion-client.conf
@@ -0,0 +1,8 @@
+[Interface]
+Address = 10.100.10.21/24
+PrivateKey = VANC_BASTION_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.100.10.0/24
+Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
diff --git a/wireguard-bastion/wg_configs/vanc-bastion-server.conf b/wireguard-bastion/wg_configs/vanc-bastion-server.conf
new file mode 100644
index 0000000..525abc4
--- /dev/null
+++ b/wireguard-bastion/wg_configs/vanc-bastion-server.conf
@@ -0,0 +1,20 @@
+[Interface]
+Address = 10.200.20.1/24
+PrivateKey = VANC_BASTION_PRIVATE
+ListenPort = 1337
+
+[Peer]
+PublicKey = CALI_PROTECTED_PUBLIC
+AllowedIPs = 10.200.20.101/32
+
+[Peer]
+PublicKey = VANC_PROTECTED_PUBLIC
+AllowedIPs = 10.200.20.201/32
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.200.20.21/32
+
+[Peer]
+PublicKey = LOCAL_PUBLIC
+AllowedIPs = 10.200.20.10/32
diff --git a/wireguard-bastion/wg_configs/vanc-protected-cali.conf b/wireguard-bastion/wg_configs/vanc-protected-cali.conf
new file mode 100644
index 0000000..5eb3d3d
--- /dev/null
+++ b/wireguard-bastion/wg_configs/vanc-protected-cali.conf
@@ -0,0 +1,9 @@
+[Interface]
+Address = 10.100.10.201/24
+PrivateKey = VANC_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = CALI_BASTION_PUBLIC
+AllowedIPs = 10.100.10.0/24
+Endpoint = CALI_BASTION_IP:CALI_BASTION_PORT
+PersistentKeepalive = 25
diff --git a/wireguard-bastion/wg_configs/vanc-protected-vanc.conf b/wireguard-bastion/wg_configs/vanc-protected-vanc.conf
new file mode 100644
index 0000000..82aab48
--- /dev/null
+++ b/wireguard-bastion/wg_configs/vanc-protected-vanc.conf
@@ -0,0 +1,9 @@
+[Interface]
+Address = 10.200.20.201/24
+PrivateKey = VANC_PROTECTED_PRIVATE
+
+[Peer]
+PublicKey = VANC_BASTION_PUBLIC
+AllowedIPs = 10.200.20.0/24
+Endpoint = VANC_BASTION_IP:VANC_BASTION_PORT
+PersistentKeepalive = 25