This shows you the differences between two versions of the page.
isc:labs:10 [2024/12/08 20:19] florin.stancu |
isc:labs:10 [2024/12/11 10:20] (current) radu.mantu [[20p] 0. Setup & EasyRSA certificate generation] |
|---|---|---|---|
| Line 44: | Line 44: | ||
| <solution -hidden> | <solution -hidden> | ||
| + | <code bash> | ||
| ./easyrsa gen-req Server | ./easyrsa gen-req Server | ||
| ./easyrsa sign-req server Server | ./easyrsa sign-req server Server | ||
| ./easyrsa gen-req Client | ./easyrsa gen-req Client | ||
| ./easyrsa sign-req client Client | ./easyrsa sign-req client Client | ||
| + | </code> | ||
| </solution> | </solution> | ||
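Review bot: the `./easyrsa gen-req Server` line in this hunk prompts for a private-key passphrase, so an OpenVPN server started unattended from that key would block on the prompt; suggest `./easyrsa gen-req Server nopass` for the server request (and the same for the client if it is meant to connect without interaction), or state in the solution that the passphrase prompt is expected. It is also worth one sentence that the two `sign-req` commands only succeed after the CA from the setup step (`./easyrsa build-ca`) exists and that `sign-req` asks you to confirm the request details before signing.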
| Line 108: | Line 110: | ||
| ==== [40p] 2. WireGuard ==== | ==== [40p] 2. WireGuard ==== | ||
| - | TODO | + | Wireguard is one of the latest open-source VPN technology, increasingly popular for its low complexity, straight-forward , security and performance due to its use of some modern cryptographic primitives (ChaCha20+Poly1305 for symmetric encryption, Curve25519 for ECDH, BLAKE2s for hashing). |
| + | |||
| + | Authentication is done by simply exchanging public keys. Let's go! | ||
| + | |||
| + | 1. Both pairs should generate a private and public key pair and share the public counterpart. This is best done using the ''wg'' CLI utility: <code bash> | ||
| + | wg genkey | tee wg-priv.key | wg pubkey | tee wg-pub.key | ||
| + | # Q: what does `tee` do? (`man` it!) | ||
| + | </code> | ||
| + | |||
| + | Only the public key is displayed on console (both are stored as files for backup!). Share it with your colleague! | ||
| + | |||
| + | 2. Time to create our configuration file. Create a ''.conf'' file inside ''/etc/wireguard/'' (your choice of naming, though ''wg-isc'' sounds quite okay). | ||
| + | |||
| + | Use the following code template and fill the variables (also remove/replace the ''<..>'' placeholders!): <code> | ||
| + | [Interface] | ||
| + | PrivateKey = <paste-your-private-key> | ||
| + | ListenPort = 55820 | ||
| + | |||
| + | [Peer] | ||
| + | PublicKey = <paste-your-colleagues's-pub-key> | ||
| + | Endpoint = <colleague-VM-IP>:55820 | ||
| + | AllowedIPs = <your-tunnel-subnet>/<mask> | ||
| + | </code> | ||
| + | |||
| + | Use a private space as the tunnel subnet address, e.g., ''10.12.34.252/30''. | ||
| + | |||
| + | 3. We'll create the wireguard interfaces the ''iproute2'' way (i.e., using the ''ip'' Linux utility): <code> | ||
| + | ip link add wg-isc type wireguard | ||
| + | wg setconf wg-isc /etc/wireguard/wg-isc.conf # or whatever you named your config | ||
| + | ip address add <your-address>/<mask> dev wg-isc | ||
| + | </code> | ||
| + | |||
| + | 4. Connectivity test! <code> | ||
| + | ping <colleague-private-tunnel-ip> | ||
| + | sudo wg # show wireguard statistics | ||
| + | </code> | ||
| + | |||
| + | <note tip> | ||
| + | **Note:** there are even simpler ways of configuring Wireguard, like [[https://www.man7.org/linux/man-pages/man8/wg-quick.8.html|wg-quick]] (automates interface creation & IP address/routes configuration using a similar .conf file) and [[https://github.com/wg-easy/wg-easy|wg-easy]] (Web GUI for Wireguard) -- but we wanted to demonstrate its purest form (: | ||
| + | </note> | ||
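Review bot: step 3 of this hunk never brings the interface up, so the ping in step 4 will fail as written: `ip link add wg-isc type wireguard` creates the interface in the down state, and neither `wg setconf` nor `ip address add` changes that. Add `ip link set up dev wg-isc` after the `ip address add <your-address>/<mask> dev wg-isc` line, and prefix the step-3 commands with `sudo` the way step 4 does, since all three need root. Two smaller points: the key-generation line `wg genkey | tee wg-priv.key | wg pubkey | tee wg-pub.key` writes the private key to disk with the default umask, so it should be preceded by `umask 077` (or followed by `chmod 600 wg-priv.key`) so that other users on the VM cannot read it; and in the intro, "one of the latest open-source VPN technology, increasingly popular for its low complexity, straight-forward ," has a dangling comma where a noun is missing (e.g. "straightforward configuration"), while "Both pairs should generate" in step 1 should read "Both peers". Finally, since `AllowedIPs` acts both as the route for outbound traffic and as the source filter for inbound packets from that peer, a short remark next to the template would help readers understand why the colleague's tunnel address (or the shared /30) goes there.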