
Virtual Private LAN

We have seen WireGuard before, but now we will use it in some specific cases.

1. Install WireGuard

ds pull wireguard
ds init wireguard @wg1
cd /var/ds/wg1/
nano settings.sh

Before running ds make, let's make sure that we have these settings:

ROUTED_NETWORKS="10.100.100.1,192.168.100.0/24"
#DNS_SERVERS="94.140.14.14 94.140.15.15"
ALLOW_INTERNET_ACCESS=no
CLIENT_TO_CLIENT=yes
KEEPALIVE_PERIOD=25

We want to build a virtual LAN for the network 192.168.100.0/24, which is why we comment out DNS_SERVERS and don't allow internet access through the WireGuard connection. On the other hand, we allow CLIENT_TO_CLIENT communication and set a KEEPALIVE_PERIOD so that the WireGuard connections of the clients don't expire.

2. Secure access to the server

In this use case we want to use the VPN to access the server securely from our local computer (laptop).

  1. Let's create first two WireGuard client configurations, one for the server and one for the laptop:

    cd /var/ds/wg1/
    ds client
    ds client add server 192.168.100.1
    ds client add laptop 192.168.100.2

    ds client ls
    ls clients/
    nano clients/server.conf
    nano clients/laptop.conf
  2. The server configuration will be installed on the VPS itself:

    # install wireguard on the server
    apt install wireguard

    # get the configuration file
    ls /etc/wireguard/
    cp clients/server.conf /etc/wireguard/
    cd /etc/wireguard/
    mv server.conf wg1.conf

    # test it
    wg-quick up ./wg1.conf
    ip addr
    ping 10.100.100.1
    wg-quick down ./wg1.conf

    # make the VPN connection permanent
    systemctl enable wg-quick@wg1
    systemctl start wg-quick@wg1
    systemctl status wg-quick@wg1

    ip addr
    ping 10.100.100.1
  3. Let's copy the configuration clients/laptop.conf to the local machine, to the path /etc/wireguard/wg1.conf, and setup the VPN connection:

    ### ==> These commands are executed on the local machine

    apt install wireguard
    nano /etc/wireguard/wg1.conf

    wg-quick up /etc/wireguard/wg1.conf
    ip addr
    ping 10.100.100.1
  4. If this VPN really works, we should be able to ping the IP 192.168.100.1 from the laptop, and we should be able to ping the IP 192.168.100.2 from the VPS. However, there is a firewall on the VPS, and we should make sure that connections from the interface wg1 are accepted:

    ### ==> These commands are executed on the VPS

    firewall-cmd --zone=trusted --list-all
    firewall-cmd --zone=trusted --add-interface=wg1 --permanent
    firewall-cmd --reload
    firewall-cmd --zone=trusted --list-all

    Because we are adding the interface wg1 to the zone trusted, the connections coming from this interface will be handled by the rules of the zone trusted, which is a permissive zone and accepts everything.

    Now we can try to ping from the laptop to the IP 192.168.100.1, and it should work.

  5. After testing that the VPN connection works, we can try to ssh to the IP 192.168.100.1:

    ### ==> Run these commands on the laptop

    cat << EOF >> ~/.ssh/config
    Host mycloud-vpn
    HostName 192.168.100.1
    User root
    Port 21234
    IdentityFile ~/.ssh/mycloud.key
    EOF

    This SSH configuration is very similar to the configuration that we use to access the VPS, except that instead of the public IP of the VPS we are using the IP 192.168.100.1. The User, Port, and IdentityFile are the same.

  6. After testing that we can login through the VPN connection, we can close the SSH port 21234 on the firewall of the server:

    firewall-cmd --zone=public --list-all
    firewall-cmd --zone=public --remove-port=21234/tcp
    firewall-cmd --zone=public --list-all

    We should still be able to ssh to the server through the VPN connection, because the interface wg1 is in the zone trusted and all the connections coming from it will be accepted.
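As an added example (not part of this page or of docker-scripts), the following POSIX shell script checks the end state that sections 1 and 2 aim for: the client config routes only the LAN ranges (ALLOW_INTERNET_ACCESS=no) and has a keepalive, wg1 sits in the trusted zone, and 21234/tcp is gone from the public zone. The firewall-cmd output and the laptop.conf below are constructed samples (the key values are placeholders); on the VPS you would pass the live output of firewall-cmd --zone=... --list-all and the real config file instead.

```shell
#!/bin/sh
# Added example, not part of the docker-scripts page: verify the VPN lockdown.
# All inputs are constructed samples in the shape of firewall-cmd --list-all
# output and of a client config generated by `ds client add`.

# Constructed sample: `firewall-cmd --zone=public --list-all` after step 6
PUBLIC_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https
  ports: 80/tcp 443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample: `firewall-cmd --zone=trusted --list-all` after step 4
TRUSTED_ZONE='trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: wg1
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample: clients/laptop.conf (keys are placeholders, endpoint assumed)
LAPTOP_CONF='[Interface]
Address = 192.168.100.2/32
PrivateKey = <laptop-private-key-placeholder>

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.org:51820
AllowedIPs = 10.100.100.1/32, 192.168.100.0/24
PersistentKeepalive = 25'

# zone_field ZONE_OUTPUT FIELD -> prints the value after "FIELD:" in the zone listing
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ /, ""); print }'
}

# zone_has_word ZONE_OUTPUT FIELD WORD -> 0 if WORD is listed under FIELD
zone_has_word() {
    for w in $(zone_field "$1" "$2"); do
        [ "$w" = "$3" ] && return 0
    done
    return 1
}

# ssh_only_via_vpn PUBLIC_OUTPUT TRUSTED_OUTPUT -> 0 when wg1 is trusted and the
# SSH port 21234/tcp is no longer open in the public zone (end state of step 6)
ssh_only_via_vpn() {
    zone_has_word "$2" interfaces wg1 || return 1
    if zone_has_word "$1" ports 21234/tcp; then return 1; fi
    return 0
}

# wg_client_lan_only CONF -> 0 when AllowedIPs contains no default route
# (matches ALLOW_INTERNET_ACCESS=no) and a positive PersistentKeepalive is set
wg_client_lan_only() {
    allowed=$(printf '%s\n' "$1" | awk -F' *= *' '$1 == "AllowedIPs" { print $2 }')
    [ -n "$allowed" ] || return 1
    case "$allowed" in
        *0.0.0.0/0*|*::/0*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -q '^PersistentKeepalive *= *[1-9]' || return 1
    return 0
}

# Stand-alone run: report on the constructed samples
if ssh_only_via_vpn "$PUBLIC_ZONE" "$TRUSTED_ZONE" && wg_client_lan_only "$LAPTOP_CONF"; then
    echo "OK: SSH reachable only through wg1, client config is LAN-only with keepalive"
else
    echo "WARNING: VPN lockdown incomplete, check firewall zones and client config" >&2
fi
```

The two parsers deliberately work on the plain text that firewall-cmd and wg-quick consume, so the same functions can be fed the real command output on the VPS before deciding to remove the public SSH port. A client whose AllowedIPs includes 0.0.0.0/0 would silently turn the LAN-only setup into a full tunnel, which is the case the AllowedIPs check rejects.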

3. Access a local machine from Guacamole

In this use case we want to access, from https://vclab.user1.fs.al, a RaspberryPi at home which does not have a public IP. In the same way we could access any other computer that does not have a public IP.

  1. Let's create first a WireGuard configuration for the RaspberryPi:

    ds client add raspi 192.168.100.3
    ls clients/
    nano clients/raspi.conf
  2. Install WireGuard on the RaspberryPi:

    apt install wireguard
    note

    For a RaspberryPi, we should also install raspberrypi-kernel-headers and reboot:

    apt install raspberrypi-kernel-headers
    reboot
  3. Copy the WG config file to the RPi and setup the WG connection:

    ### ==> These commands should be executed on the local machine (RPi)

    ### copy/paste the content of the WG config file
    cd /etc/wireguard/
    nano wg1.conf

    ### test it
    wg-quick up wg1
    ip addr
    ping 10.100.100.1
    ping 192.168.100.2

    ### make this WG connection permanent, by starting it automatically
    wg-quick down wg1
    ip addr
    systemctl enable wg-quick@wg1
    systemctl start wg-quick@wg1
    systemctl status wg-quick@wg1
    ip addr
  4. Let us check that we can access RPi from the Guacamole container:

    ### ==> Run these commands on the server

    cd /var/ds/vclab.user1.fs.al/

    ds shell
    apt install iputils-ping traceroute
    ping 192.168.100.3
    traceroute 192.168.100.3
    exit
  5. Now let's add an SSH connection to RPi:

    ds guac conn add 192.168.100.3 ssh
    ds guac conn ls

    Let's also test it from the Guacamole web interface.

    note

    It is also possible to add an RDP connection like this:

    ds guac conn add 192.168.100.3 rdp

    However, it works only with the X11 display server. In this case we need to install xrdp and xorgxrdp on the RaspberryPi:

    apt install xrdp xorgxrdp

    The problem is that recent RPi OS (as well as recent Linux desktops) use Wayland instead of X11.

4. Publish a local website through revproxy

In this scenario we will install a website on a local machine (for example on a RPi without a public IP), and we will access it through the revproxy container that is installed on our server.

  1. Let's make sure that we have a basic website on our RPi:

    apt install apache2
    echo "Hi from RasPi!" > /var/www/html/index.html
    lynx http://localhost
  2. Let's check that we can access the RPi from the revproxy container:

    cd /var/ds/revproxy/

    ds shell
    apt install iputils-ping traceroute
    ping 192.168.100.3
    traceroute 192.168.100.3
    exit
  3. Let's setup a domain configuration for accessing the RPi website:

    ls domains/
    ds domains-add raspi.user1.fs.al
    ds get-ssl-cert raspi.user1.fs.al
    ls domains/
    # point proxy_pass at the RPi over the VPN; keep the trailing ';' so nginx can parse the directive
    sed -i domains/raspi.user1.fs.al.conf \
    -e 's#proxy_pass .*#proxy_pass http://192.168.100.3;#'
    nano domains/raspi.user1.fs.al.conf
    ds reload
  4. Try to open in browser: https://raspi.user1.fs.al
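As an added example (not part of this page or of the docker-scripts revproxy), the following POSIX shell script does the proxy_pass edit from step 3 on a config text and then checks, before any ds reload, that the upstream it points to is an address inside the WireGuard LAN 192.168.100.0/24 and that the directive still ends with its semicolon. The server block below is a constructed sample, not the real file generated by ds domains-add; on the server you would feed it the contents of domains/raspi.user1.fs.al.conf.

```shell
#!/bin/sh
# Added example, not part of the docker-scripts page: rewrite proxy_pass and
# verify the upstream is a VPN-LAN address before reloading the reverse proxy.

# Constructed sample of a domain config; the real ds template may differ.
SAMPLE_CONF='server {
    listen 443 ssl;
    server_name raspi.user1.fs.al;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}'

# set_proxy_target CONF HOST -> CONF with proxy_pass pointed at http://HOST;
# same substitution as the sed step above, keeping the trailing semicolon
set_proxy_target() {
    printf '%s\n' "$1" | sed "s#proxy_pass .*#proxy_pass http://$2;#"
}

# proxy_target CONF -> host part of the first proxy_pass directive (no scheme/port)
proxy_target() {
    printf '%s\n' "$1" \
      | sed -n 's#^[[:space:]]*proxy_pass[[:space:]]*[a-z]*://\([^/;:[:space:]]*\).*#\1#p' \
      | head -n 1
}

# in_vpn_lan HOST -> 0 if HOST is an IPv4 host address in 192.168.100.0/24
in_vpn_lan() {
    case "$1" in
        192.168.100.*) ;;
        *) return 1 ;;
    esac
    last=${1##*.}
    case "$last" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# proxy_goes_through_vpn CONF -> 0 when the upstream is reached over the VPN LAN
proxy_goes_through_vpn() {
    host=$(proxy_target "$1")
    [ -n "$host" ] && in_vpn_lan "$host"
}

# Stand-alone run on the constructed sample
NEW_CONF=$(set_proxy_target "$SAMPLE_CONF" 192.168.100.3)
if proxy_goes_through_vpn "$NEW_CONF"; then
    echo "upstream $(proxy_target "$NEW_CONF") is inside the VPN LAN; safe to ds reload"
else
    echo "upstream is not a VPN-LAN address, check the domain config" >&2
fi
```

The upstream check matters because the revproxy container terminates TLS for raspi.user1.fs.al and then forwards plain HTTP; restricting proxy_pass to the 192.168.100.0/24 range keeps that unencrypted hop inside the WireGuard tunnel instead of letting a typo send it across the public network.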

note

In the same way we can also install on a local machine (without a public IP) a WordPress site, a NextCloud site, etc. and publish it to the internet with the help of our VPS, the revproxy container and the WireGuard VPN. It might be useful sometimes.