From 71f740777b7ccaf4221090eb22f64d5ce5769401 Mon Sep 17 00:00:00 2001
From: Jamil Bou Kheir
Date: Sun, 3 May 2020 16:10:53 -0700
Subject: [PATCH] sample configs

---
 Vagrantfile | 27 +++++++++++++++++++++------
 provision_deps.sh | 18 ++++++++++++++++--
 sample_conf/wg-client.conf | 21 +++++++++++++++++++++
 sample_conf/wg-server.conf | 21 +++++++++++++++++++++
 4 files changed, 79 insertions(+), 8 deletions(-)
 create mode 100644 sample_conf/wg-client.conf
 create mode 100644 sample_conf/wg-server.conf

diff --git a/Vagrantfile b/Vagrantfile
index 63b65de04..dd99c0ef3 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -1,12 +1,27 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
-Vagrant.configure("2") do |config|
- config.vm.box = "hashicorp/bionic64"
+Vagrant.configure('2') do |config|
+ config.vm.box = 'ubuntu/bionic64'
- config.vm.provider "virtualbox" do |vb|
- vb.memory = "1024"
+ config.vm.provider 'virtualbox' do |vb|
+ vb.cpus = 4
+ vb.memory = '2048'
 end
- config.vm.provision "shell", path: "provision_deps.sh", privileged: true
- config.vm.provision "shell", path: "provision_runtimes.sh", privileged: false
+ # WireGuard
+ config.vm.network 'forwarded_port', guest: 51820, host: 51820, protocol: 'udp'
+
+ # App
+ config.vm.network 'forwarded_port', guest: 4000, host: 4000, protocol: 'tcp'
+
+ # Postgres, by default, this listens to 127.0.0.1 within the VM only. If you'd
+ # like to be able to access Postgres from the host, uncomment this line and configure
+ # it to listen to 0.0.0.0 within the VM.
+ # config.vm.network 'forwarded_port', guest: 5432, host: 5432, protocol: 'tcp'
+
+ config.vm.provision 'shell', path: 'provision_deps.sh', privileged: true
+ config.vm.provision 'shell', path: 'provision_configs.sh', privileged: true
+
+ # Copy WireGuard config into place
+ config.vm.provision 'file', source: 'sample_conf/wg-server.conf', destination: '/etc/wireguard/wgdev.conf'
 end
diff --git a/provision_deps.sh b/provision_deps.sh
index d4669ea87..1fb292e4b 100644
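Review bot: The two `forwarded_port` lines for 51820/udp and 4000/tcp do not set `host_ip`, and when it is omitted Vagrant binds the forwarded port on every host interface, so the development WireGuard endpoint and the app become reachable from the host's LAN rather than only from the host; since wg-client.conf already points at 127.0.0.1, add `host_ip: '127.0.0.1'` to both lines. The `file` provisioner at the end uploads as the SSH user, so writing straight to `/etc/wireguard/wgdev.conf` will presumably fail on permissions; Vagrant's own guidance is to upload to a user-writable path and move it into place with a privileged `shell` provisioner. `provision_configs.sh` is referenced by the new provisioner line but is not part of this commit (the diffstat lists four files), so either it needs to be added or the line dropped.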
--- a/provision_deps.sh
+++ b/provision_deps.sh
@@ -57,7 +57,21 @@ apt-get install -y --no-install-recommends \
 unzip \
 xz-utils \
 zlib1g-dev \
+ linux-image-generic-hwe-18.04-edge \
+ linux-headers-generic-hwe-18.04-edge \
 git \
 libwxgtk3.0-dev \
- wireguard wireguard-tools wireguard-dkms \
- nftables
+ nftables \
+ curl \
+ ca-certificates \
+ gnupg
+
+# Install WireGuard
+apt install wireguard wireguard-tools wireguard-dkms
+
+# Install Postgres
+curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
+apt-get update
+apt-get install -y --no-install-recommends \
+ postgresql-12
diff --git a/sample_conf/wg-client.conf b/sample_conf/wg-client.conf
new file mode 100644
index 000000000..57ff4a0c1
--- /dev/null
+++ b/sample_conf/wg-client.conf
@@ -0,0 +1,21 @@
+# CLIENT, place this in the client's config
+[Interface]
+# Generate with "wg genkey"
+PrivateKey = UBwwUjHGJzFM6dt4d20ADvTNHlIcZgFfiBgSxtTpmnI=
+
+# Same network as server above
+Address = 192.168.10.2/32
+
+# Set this to a reachable DNS server through the tunnel
+# Important: Set this properly to avoid leaking
+DNS = 1.1.1.1
+
+[Peer]
+# Server's public key
+PublicKey = MW7uvigH6bTAZf6UuuJ5wttYGU4R04RP5K/sLCJN2F8=
+
+# The IPs you want to route through the tunnel
+AllowedIPs = 0.0.0.0/0, ::/0
+
+# IP address and port of the server -- localhost if using Vagrant
+Endpoint = 127.0.0.1:51820
diff --git a/sample_conf/wg-server.conf b/sample_conf/wg-server.conf
new file mode 100644
index 000000000..b5ce2716b
--- /dev/null
+++ b/sample_conf/wg-server.conf
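Review bot: `apt install wireguard wireguard-tools wireguard-dkms` has no `-y`, so it prompts for confirmation and, run non-interactively from the Vagrant shell provisioner, would presumably abort or hang before the WireGuard packages are installed; the surrounding script uses `apt-get install -y --no-install-recommends`, and this line should match it. In the Postgres key step, `curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -` runs curl without `-fsSL`, so an HTTP error body would be piped into apt-key instead of failing the step, and `apt-key add` places the key in the globally trusted keyring where it can sign any configured repository; saving it under `/usr/share/keyrings/` and referencing it with `signed-by=` in the pgdg.list entry limits that trust to the Postgres repository. Whether a failed curl stops the script depends on a `set -e` in the file header, which is outside this hunk.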
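Review bot: The `PrivateKey` value under `[Interface]` is a real-looking key committed to the repository, and its matching public key is what wg-server.conf authorises, so the client identity in this sample is shared with everyone who can read the repo; the `PrivateKey` in wg-server.conf has the same problem. Replace both with an obviously invalid placeholder so wg-quick refuses to start until a fresh key is generated, e.g. `PrivateKey = REPLACE_WITH_OUTPUT_OF_wg_genkey`, and treat the committed values as burned. `AllowedIPs = 0.0.0.0/0, ::/0` with no IPv6 `Address` pulls IPv6 traffic into a tunnel that has no v6 source address, which is reasonable as a leak guard but is worth stating, e.g. `# ::/0 is listed only so IPv6 cannot bypass the tunnel; no v6 address is assigned`. The comment `# Same network as server above` refers to wg-server.conf, not to anything in this file, so naming the file would save the reader a search.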
@@ -0,0 +1,21 @@
+# SERVER -- place this in /etc/wireguard/wg0.conf or similar
+[Interface]
+# Generate with "wg genkey"
+PrivateKey = 8N/cWwL0awtz/fhjexGKFXMvweAdQohTG6rWCJfh9Ek=
+
+# This should be an unused address / network
+Address = 192.168.10.1/24
+
+# UDP port to listen on
+ListenPort = 51820
+
+# These are for NAT'ing the traffic in and out of the server properly
+PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+# PubKey of client you want to allow to connect
+PublicKey = oflqThjCEPOP/mpkfn+T+hLpKmMdmcMF2PkJmD9ILxk=
+
+# Private IP the client has configured (same network as the Address above)
+AllowedIPs = 192.168.10.2/32
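Review bot: `PostUp` and `PostDown` hard-code `-i wg0`, but the Vagrantfile in this commit installs the file as `/etc/wireguard/wgdev.conf`, so wg-quick names the interface `wgdev` and the FORWARD rules match nothing; wg-quick substitutes the interface name for `%i`, so `-i %i` keeps the rules correct whatever the file is called. `-o eth0` is likewise a guess at the uplink, and on the `ubuntu/bionic64` box the first adapter presumably has a predictable name rather than `eth0`, so it is worth confirming on the guest or deriving the interface from the default route. Forwarding also requires `net.ipv4.ip_forward=1` (and the v6 sysctl if the ip6tables rules are kept), which nothing in this commit sets; if `provision_configs.sh` does it, a comment here saying so would help. The MASQUERADE rules have no `-s 192.168.10.0/24`, so they NAT anything forwarded out of the uplink rather than only tunnel traffic; scoping them to the tunnel subnet is the tighter rule.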