git clone git://git.garbash.com/alex/www
Log | Files | Refs | README | LICENSE

commit e917f26955a70793166c7b3cc7a65309d2bf669d
parent a67c31b1e3405da41165467ab8c6179d22a8aa58
Author: alex <alex@garbash.com>
Date:   Wed, 29 Sep 2021 23:24:47 -0400

notes: Add wireguard writeup

I wonder how many of these writeups will become "check out the
source over on git"

It does feel a bit redundant to copy it all into the notes..
but OTOH, the source may change over time. hm

Mindex.html | 2+-
Anotes/009-wireguard.txt | 64++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 65 insertions(+), 1 deletion(-)

diff --git a/index.html b/index.html @@ -21,7 +21,6 @@ this site along with my field notes on how I set each thing up! <h3>TODO:</h3> <ul> -<li>Set up wireguard</li> <li>Set up IRC bouncer</li> <li>Set up IRC services (NickServ)</li> <li>Basic backup solution</li> @@ -43,6 +42,7 @@ this site along with my field notes on how I set each thing up! <li><a href="notes/006-use-the-src.txt">Obtained the source code for the system</a></li> <li><a href="notes/007-git-coding.txt">Set up git hosting via stagit(1)</a></li> <li><a href="notes/008-local-irc.txt">Set up IRC for tilde members</a></li> +<li><a href="notes/009-wireguard.txt">Set up wireguard</a></li> </ul> </body> </html> diff --git a/notes/009-wireguard.txt b/notes/009-wireguard.txt @@ -0,0 +1,64 @@ +009-wireguard -- Tues Sep 28, 2021 + +Wireguard is probably one of the coolest technologies I've encountered +in a long time. The simplicity of public key auth (ssh-style where the +protocol doesn't care how you get the public key on the server) all +in the kernel? Sign me up! + +On our tilde, we want to set up wireguard so that we can provide vpn-only +services (for security reasons such as not allowing brute-force password +attempts). + +The very first of these services is IRC--we want people to be able to +connect from mobile devices and personal computers, but our network is +currently not password protected and has no services like NickServ, etc. + +The solution? Have it listen on a wireguard IP and distribute wg keys +to trusted tilde members :) + +I'll start with the obligatory RTFM -- wg(8) and ifconfig(8) are both +really well documented. However, there was a bit of fun hackery that went +down on our tuesday pair-admining call that's worth documenting! + +~anthony and I needed a simple tool to manage wireguard keys and IPs. +When a new device is to be given access we want to: + + 1) Generate a private key, public key, and wg-quick(1) config file + to distribute to the user + 2) Obtain the next numerical hostname + 3) Add the peer to our wg endpoint on the server + +To do this, we used a small sh(1) script that has a catalog of names in +a flat file like so: + + host1 + host2 + ... + +And then each host has a directory: + + host1/ + private.key + public.key + client.conf + +The tool is called wggen(1) [1], and it ends up effectively: + + 1) Creating a directory for NAME + 2) Generating a wg(8) key using openssl(1): + + openssl rand -base64 32 > private.key + + 3) Creating a temporary wg endpoint to get the public key using + the grep/cut hack in wg(8)'s EXAMPLES + 4) tail(1)-ing the host file to get the next available IP + 5) Using all the above to generate the client.conf + 6) Adding the wgpeer line to /etc/hostname.wg0 and restarting the + prod endpoint with sh /etc/netstart + +I'll leave the exact details as an exercise for the reader to go look +at the git repo :) + +Needless to say, this was a lot of fun to write! + +[1]: https://git.garbash.com/alex/config/file/usr/local/bin/wggen.html