DeTEE WireGuard Example

This example shows how WireGuard can be used to create network overlays on top of DeTEE. Please keep in mind that real-world scenarios will require deployments of higher complexity.

This architecture contains 4 nodes, in a redundant setup:

  • two bastion nodes that serve as VPN servers
  • two protected nodes that connect as clients

The Laptop (the device used by the admin to deploy) also creates VPN tunnels to the two bastion nodes.

An nginx server is started on both protected nodes, in order to demonstrate how protected services can run behind the VPN.

Network Diagram

graph TD
    Laptop(Laptop<br/>local-cali: 10.100.10.10/24<br/>local-vanc: 10.200.20.10/24)
    CaliBastion(Cali Bastion<br/>Server: 10.100.10.1/24<br/>Client: 10.200.20.21/24)
    VancBastion(Vanc Bastion<br/>Server: 10.200.20.1/24<br/>Client: 10.100.10.21/24)
    CaliProtected(Cali Protected<br/>cali: 10.100.10.101/24<br/>vanc: 10.200.20.101/24)
    VancProtected(Vanc Protected<br/>cali: 10.100.10.201/24<br/>vanc: 10.200.20.201/24)

    Laptop -- "WireGuard" --> CaliBastion
    Laptop -- "WireGuard" --> VancBastion

    CaliBastion -- "WireGuard" --> CaliProtected
    CaliBastion -- "WireGuard" --> VancProtected
    VancBastion -- "WireGuard" --> CaliProtected
    VancBastion -- "WireGuard" --> VancProtected
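The address plan in the diagram can be turned into per-node WireGuard configs mechanically. The script below is an added example, not the repository's own wg_configs or deploy.sh: it renders a wg-quick config for any node on either overlay, pins each peer on a bastion to a /32 AllowedIPs (so a compromised client cannot claim another node's overlay address), and sanity-checks the plan. Key names, public IPs and the listen port are placeholders.

```python
"""Render WireGuard configs for the dual-bastion overlay (added example)."""
from ipaddress import ip_interface, ip_network

# Address plan taken from the network diagram: overlay "cali" is served by
# Cali Bastion, overlay "vanc" by Vanc Bastion. Port 51820 is an assumption.
OVERLAYS = {
    "cali": {"server": "cali-bastion", "subnet": "10.100.10.0/24", "port": 51820},
    "vanc": {"server": "vanc-bastion", "subnet": "10.200.20.0/24", "port": 51820},
}
NODES = {
    "laptop":         {"cali": "10.100.10.10",  "vanc": "10.200.20.10"},
    "cali-bastion":   {"cali": "10.100.10.1",   "vanc": "10.200.20.21"},
    "vanc-bastion":   {"cali": "10.100.10.21",  "vanc": "10.200.20.1"},
    "cali-protected": {"cali": "10.100.10.101", "vanc": "10.200.20.101"},
    "vanc-protected": {"cali": "10.100.10.201", "vanc": "10.200.20.201"},
}

def render(node, overlay):
    """Return a wg-quick config for `node`'s interface on `overlay`."""
    ov = OVERLAYS[overlay]
    server = ov["server"]
    lines = ["[Interface]", f"Address = {NODES[node][overlay]}/24",
             f"PrivateKey = <{node}-private-key>"]  # placeholder, not a real key
    if node == server:
        lines.append(f"ListenPort = {ov['port']}")
        # Bastion side: one [Peer] per client, AllowedIPs pinned to that
        # client's single overlay address (least privilege on the overlay).
        for peer, addrs in NODES.items():
            if peer == server:
                continue
            lines += ["", "[Peer]", f"PublicKey = <{peer}-public-key>",
                      f"AllowedIPs = {addrs[overlay]}/32"]
    else:
        # Client side: the bastion is the only peer; route just this overlay's
        # subnet through it, never 0.0.0.0/0.
        lines += ["", "[Peer]", f"PublicKey = <{server}-public-key>",
                  f"Endpoint = <{server}-public-ip>:{ov['port']}",
                  f"AllowedIPs = {ov['subnet']}", "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"

def allowed_ips(config):
    """Extract AllowedIPs values from a rendered config (for auditing)."""
    return [l.split("=", 1)[1].strip() for l in config.splitlines()
            if l.startswith("AllowedIPs")]

def check_plan():
    """Return problems found: address outside its overlay subnet, or duplicated."""
    problems, seen = [], set()
    for node, addrs in NODES.items():
        for overlay, addr in addrs.items():
            if ip_interface(f"{addr}/24").network != ip_network(OVERLAYS[overlay]["subnet"]):
                problems.append(f"{node}: {addr} not in {overlay} subnet")
            if addr in seen:
                problems.append(f"duplicate address {addr}")
            seen.add(addr)
    return problems
```

Run `python3 -c 'import gen; print(gen.render("cali-bastion", "cali"))'` (assuming the file is saved as gen.py) to see the bastion config with its four pinned peers.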

Commands

To create the VMs, run ./create_vms.sh.

To deploy WireGuard, run ./deploy.sh.

To test the connections, try to access services running on the protected nodes:

curl http://10.200.20.101
curl http://10.100.10.101
curl http://10.100.10.201
curl http://10.200.20.201

Possible improvements

The following improvements would be cool for this setup:

  • create failover routing that triggers if one of the bastions goes down
  • hide SSH from the public IP and allow SSH only via private network