examples/wireguard-bastion/README.md

# DeTEE WireGuard Example

This examples shows how WireGuard can be used to create network overlays on top of DeTEE.
Please keep in mind that real world scenarios will require deployments of a higher complexity.

This architecture contains 4 nodes, in a redundant setup:
- two bastion nodes, that serve as VPN servers
- two protected nodes, that connect as clients

The Laptop (the device used by the admin to deploy) also creates VPN tunnels to the two bastion nodes.

A nginx server is started on both protected nodes, in order to demonstrate how protected services can run behind VPN.

## Network Diagram

```mermaid
graph TD
    Laptop(Laptop<br/>local-cali: 10.100.10.10/24<br/>local-vanc: 10.200.20.10/24)
    CaliBastion(Cali Bastion<br/>Server: 10.100.10.1/24<br/>Client: 10.200.20.21/24)
    VancBastion(Vanc Bastion<br/>Server: 10.200.20.1/24<br/>Client: 10.100.10.21/24)
    CaliProtected(Cali Protected<br/>cali: 10.100.10.101/24<br/>vanc: 10.200.20.101/24)
    VancProtected(Vanc Protected<br/>cali: 10.100.10.201/24<br/>vanc: 10.200.20.201/24)

    Laptop -- "WireGuard" --> CaliBastion
    Laptop -- "WireGuard" --> VancBastion

    CaliBastion -- "WireGuard" --> CaliProtected
    CaliBastion -- "WireGuard" --> VancProtected
    VancBastion -- "WireGuard" --> CaliProtected
    VancBastion -- "WireGuard" --> VancProtected
```

## Commands

To create the VMs, run `./create_vms.sh`.

To deploy WireGuard, run `./deploy.sh`.

To test the connections, try to access services running on the protected nodes:
```
curl http://10.200.20.101
curl http://10.100.10.101
curl http://10.100.10.201
curl http://10.200.20.201
```

## Possible improvements

The following improvements would be cool for this setup:
- create failover routing that triggers if one of the bastions goes down
- hide SSH from the public IP and allow SSH only via private network