switching public/private

2024-11-15 08:33:57 -07:00 · 2024-11-15 08:33:57 -07:00 · 27be196d17
commit 27be196d17
parent 09c1f39a62
10 changed files with 1 additions and 1 deletions
--- a/diy-tunnel/private/README.md
+++ b/diy-tunnel/private/README.md
@ -1 +0,0 @@
-`wg0.conf` should be deployed to `/etc/wireguard/wg0.conf` on the public facing (VPS) server.
--- a/diy-tunnel/private/docker-container/README.md
+++ b/diy-tunnel/private/docker-container/README.md
@ -0,0 +1 @@
+Another nice option is instead of installing wireguard on the bare machine, we can fire it up within our existing `docker-compose.yml` and easily expose services from a set of docker containers.
--- a/diy-tunnel/private/docker-container/docker-compose.yml
+++ b/diy-tunnel/private/docker-container/docker-compose.yml
@ -0,0 +1,27 @@
+services:
+
+  wireguard:
+    image: lscr.io/linuxserver/wireguard:latest
+    hostname: THEPRIVATESERVER
+    cap_add:
+      - NET_ADMIN
+    environment:
+      - TZ=America/Edmonton
+    volumes:
+      - ./wg0.conf:/config/wg_confs/wg0.conf
+    restart: always
+    sysctls:
+      - net.ipv4.ip_forward=1
+
+  caddy:
+    image: caddy:latest
+    restart: always
+    # this is the special sauce.  This attaches this container to the
+    # network context of the wireguard container.  Essentially this means
+    # that Caddy is listening on 10.0.0.2 now.
+    # If you have other containers exposing additional ports, do the same to them.
+    network_mode: service:wireguard
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile    # Mount Caddyfile for configuration
+      - ./webroot:/srv/www                  # Mount local www directory to container
+      - ./data/caddy:/data/caddy            # Persistent storage for certificates
--- a/diy-tunnel/private/docker-container/wg0.conf
+++ b/diy-tunnel/private/docker-container/wg0.conf
@ -0,0 +1,13 @@
+[Interface]
+Address = 10.0.0.2/24         # Private IP for the home server in the VPN network
+PrivateKey = #### PRIVATE KEY OF PRIVATE SERVER ####
+Table = 123
+
+PreUp = ip rule add from 10.0.0.2 table 123 priority 1
+PostDown = ip rule del from 10.0.0.2 table 123 priority 1
+
+[Peer]
+PublicKey = #### PUBLIC KEY OF PUBLIC SERVER ####
+AllowedIPs = 0.0.0.0/0
+Endpoint = 999.999.999.999:51820
+PersistentKeepalive = 25 
--- a/diy-tunnel/private/docker-on-host/README.md
+++ b/diy-tunnel/private/docker-on-host/README.md
@ -0,0 +1,3 @@
+Copy `wg0.conf` to `/etc/wireguard/wg0.config`
+
+This example is for wireguard running on the private server and forwarding traffic to local services AND docker services. 
--- a/diy-tunnel/private/docker-on-host/wg0.conf
+++ b/diy-tunnel/private/docker-on-host/wg0.conf
@ -0,0 +1,46 @@
+[Interface]
+Address = 10.0.0.2/24         # Private IP for the home server in the VPN network
+PrivateKey = #### PRIVATE KEY OF PRIVATE SERVER #####
+Table = 123
+
+# Enable IP forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+
+# loose reverse path forwarding validation
+PostUp = sysctl -w net.ipv4.conf.wg0.rp_filter=2
+
+# Mark new connections coming in through wg0
+PreUp = iptables -t mangle -A PREROUTING -i wg0 -m state --state NEW -j CONNMARK --set-mark 1
+PostDown = iptables -t mangle -D PREROUTING -i wg0 -m state --state NEW -j CONNMARK --set-mark 1
+
+# Mark return packets to go out through WireGuard via policy routing
+PreUp = iptables -t mangle -A PREROUTING ! -i wg0 -m connmark --mark 1 -j MARK --set-mark 1
+PostDown = iptables -t mangle -D PREROUTING ! -i wg0 -m connmark --mark 1 -j MARK --set-mark 1
+
+# Push marked connections back through wg0
+PreUp = ip rule add fwmark 1 table 123 priority 456
+PostDown = ip rule del fwmark 1 table 123 priority 456
+
+# Route traffic to public IP to self to avoid it hitting the network
+PreUp = iptables -t nat -A OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1
+PostDown = iptables -t nat -D OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1
+
+# ==== Firewall ===============================
+
+# Allow our expected traffic
+PreUp = iptables -A INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
+PostDown = iptables -D INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
+
+# And pings
+PreUp = iptables -A INPUT -i wg0 -p icmp --icmp-type echo-request -j ACCEPT
+PostDown = iptables -D INPUT -i wg0 -p icmp --icmp-type echo-request -j ACCEPT
+
+# Block the rest
+PreUp = iptables -A INPUT -i wg0 -j DROP
+PostDown = iptables -D INPUT -i wg0 -j DROP
+
+[Peer]
+PublicKey = #### PUBLIC KEY OF PUBLIC SERVER #####
+AllowedIPs = 0.0.0.0/0
+Endpoint = 999.999.999.999:51820
+PersistentKeepalive = 25 
--- a/diy-tunnel/private/simple/README.md
+++ b/diy-tunnel/private/simple/README.md
@ -0,0 +1,3 @@
+Copy `wg0.conf` to `/etc/wireguard/wg0.config`
+
+This example works well for forwarding traffic to services running directly on the private server.  If your services are running in Docker things get much more complicated because of how Docker handle networking.  For that, see the `/public/docker-on-host` example.
--- a/diy-tunnel/private/simple/wg0.conf
+++ b/diy-tunnel/private/simple/wg0.conf
@ -0,0 +1,35 @@
+[Interface]
+Address = 10.0.0.2/24         # Private IP for the home server in the VPN network
+PrivateKey = #### PRIVATE KEY OF PRIVATE SERVER #####
+Table = 123
+
+# Enable IP forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+
+# Return traffic through wireguard
+PreUp = ip rule add from 10.0.0.2 table 123 priority 1
+PostDown = ip rule del from 10.0.0.2 table 123 priority 1
+
+# Route traffic to public IP to self to avoid it hitting the network
+PreUp = iptables -t nat -A OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1
+PostDown = iptables -t nat -D OUTPUT -d 999.999.999.999 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1
+
+# ==== Firewall ===============================
+
+# Allow our expected traffic
+PreUp = iptables -A INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
+PostDown = iptables -D INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
+
+# And pings
+PreUp = iptables -A INPUT -i wg0 -p icmp --icmp-type echo-request -j ACCEPT
+PostDown = iptables -D INPUT -i wg0 -p icmp --icmp-type echo-request -j ACCEPT
+
+# Block the rest
+PreUp = iptables -A INPUT -i wg0 -j DROP
+PostDown = iptables -D INPUT -i wg0 -j DROP
+
+[Peer]
+PublicKey = #### PUBLIC KEY OF PUBLIC SERVER #####
+AllowedIPs = 0.0.0.0/0
+Endpoint = 999.999.999.999:51820
+PersistentKeepalive = 25 
--- a/diy-tunnel/private/wg0.conf
+++ b/diy-tunnel/private/wg0.conf
@ -1,15 +0,0 @@
-[Interface]
-Address = 10.0.0.1/24         # Private IP for the VPS in the VPN network
-ListenPort = 51820            # Default WireGuard port
-PrivateKey = ###PRIVATE KEY FOR PUBLIC SERVER####
-
-# packet forwarding
-PreUp = sysctl -w net.ipv4.ip_forward=1
-
-# port forwarding (HTTP, HTTPS) - update port list as required 
-PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.0.0.2
-PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.0.0.2
-
-[Peer]
-PublicKey = ###PUBLIC KEY FOR PRIVATE SERVER####
-AllowedIPs = 10.0.0.2/32      # IP of the home server in VPN
				`@ -1 +0,0 @@`
				`wg0.conf` should be deployed to `/etc/wireguard/wg0.conf` on the public facing (VPS) server.
				`@ -0,0 +1 @@`
				Another nice option is instead of installing wireguard on the bare machine, we can fire it up within our existing `docker-compose.yml` and easily expose services from a set of docker containers.