Using WireGuard, show how VPS hardware can be used as an extension to your homelab. I am not interested in exposing services to the internet from the VPS, and it is not intended as a way for a user to VPN into the homelab from the internet.
- Refer to the diagram at: https://i.imgur.com/n5elXC4.png
- Server = a host inside your homelab (assume it is NOT a router already).
- VPS = external cloud host.
- Assume Ubuntu 18.04 LTS for all hosts involved.
- Should be able to scale this easily. So if I had numerous VPSs, I could link them (mesh?)
- I don't know much about OpenVPN, but that may be more suited to the goal. You tell me.
- I'm not responsible for trashing your network. I'm a noob.
- May be sections missing and the order might not flow. Did this as I went along.
For both Server and VPS:
sudo apt-get install software-properties-common # to make add-apt-repository work
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard
For VPS:
sudo apt-get install ufw resolvconf # resolvconf as wg-quick uses that; couldn't make it work with openresolv
Next, the WG config. Read the WG documentation on how to generate the private/public key pair for each host (wg genkey, then wg pubkey on the private key); the private key never leaves the host it was generated on.
ens18 = Server's network interface, yours may be different
A.B.C.D = VPS public IP or hostname
10.10.0.0/24 = tunnel peer-to-peer address scheme
# Server
[Interface]
Address = 10.10.0.2/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
PrivateKey = <private key>
[Peer]
PublicKey = <public key>
Endpoint = A.B.C.D:51820
AllowedIPs = 10.10.0.0/24 # the tunnel network, written as the network address rather than 10.10.0.1/24
PersistentKeepalive = 25
# VPS
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
DNS = 192.168.0.100
PrivateKey = <private key>
[Peer]
PublicKey = <public key>
AllowedIPs = 10.10.0.0/24, 192.168.0.0/24
PersistentKeepalive = 25
Firewall to harden VPS: read UFW documentation on how to operate/start it. Be careful not to lock yourself out of port 22 (ssh).
I don't have any firewall (like ufw) on the Server as it's behind the router firewall already on the intranet, although maybe I should?
# VPS
sudo ufw allow ssh
sudo ufw allow 51820/udp
# I couldn't get VPS to serve 8080 traffic without this
sudo ufw allow in on wg0 to any port 8080
Routing: the Server needs IP forwarding enabled, otherwise the kernel will not pass packets between ens18 and wg0 and the FORWARD, MASQUERADE and DNAT rules have nothing to act on.
# Server
# edit /etc/sysctl.conf and make sure this line is present, then apply it with: sudo sysctl -p
net.ipv4.ip_forward=1
# For forwarding traffic Server :80 -> VPS :8080
# (these two rules are not persistent across reboots; put them in the
#  PostUp/PostDown lines of the Server config above, or use iptables-persistent)
iptables -t nat -A PREROUTING -i ens18 -p tcp --dport 80 -j DNAT --to-destination 10.10.0.1:8080
iptables -A FORWARD -p tcp -d 10.10.0.1 --dport 8080 -j ACCEPT
Assuming you've started WG on both Server and VPS, you should be able to at least ping each other.
# "ip addr" should show the wg0 interface present on both Server and VPS
$ ping 10.10.0.1 or ping 10.10.0.2 # refer to diagram
DNS resolution should work from both VPS and Server.
$ ping www.google.com # I think the VPS uses the vendor's gateway maybe
$ ping 192.168.0.1 or ping 192.168.0.100 # from the VPS especially
$ ping myrouter or ping mydnsserver # by hostname also works
On the VPS we can open a simple HTTP server using Python. We'll use port 8080. The idea being that I can run services on the VPS but have them appear to be localised.
# VPS
$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
From the Server you should be able to do this
# Server
$ curl http://10.10.0.1:8080 # works
From, say, the desktop machine (on DHCP) I can do this:
# some other machine in the intranet
$ curl http://192.168.0.3 # works
That only works because of the iptables rules above: the DNAT rule rewrites Server :80 to 10.10.0.1:8080 (port forwarding rather than masquerading), and the reply can come back through the tunnel because the VPS lists 192.168.0.0/24 in its AllowedIPs.
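An added check, not from the original post, written for the shell these steps are typed into: it verifies that the AllowedIPs on each side cover the addresses the two flows above push through the tunnel (the Server reaching 10.10.0.1:8080, and a LAN client being DNATed to it and needing its reply routed back through wg0). The configs inside it are constructed copies of the two above with placeholder keys, 203.0.113.10 standing in for A.B.C.D and 192.168.0.50 for a LAN client.

```shell
#!/bin/sh
# Added example, not part of the original post. WireGuard's AllowedIPs is both
# an ACL (packets from a peer whose source is not listed are dropped) and the
# route table (wg-quick routes those prefixes via wg0), so gaps break flows.

# Constructed copies of the two configs above; keys are placeholders.
SERVER_CONF='[Interface]
Address = 10.10.0.2/24
[Peer]
PublicKey = <placeholder>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.10.0.0/24'
VPS_CONF='[Interface]
Address = 10.10.0.1/24
[Peer]
PublicKey = <placeholder>
AllowedIPs = 10.10.0.0/24, 192.168.0.0/24'

# ip_to_int 10.10.0.1 -> 168427521
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains 192.168.0.0/24 192.168.0.42 -> exit 0 if inside, 1 if not
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32            # bare address means /32
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# allowed_ips_cover "$CONF" IP -> exit 0 if some AllowedIPs entry covers IP
allowed_ips_cover() {
    for cidr in $(printf '%s\n' "$1" | sed -n 's/^AllowedIPs *= *//p' | tr ',' ' '); do
        cidr_contains "$cidr" "$2" && return 0
    done
    return 1
}

# The two flows the post relies on: Server reaching VPS:8080 over the tunnel,
# and a LAN client (192.168.0.50, constructed) DNATed by the Server to VPS:8080,
# whose reply the VPS must be allowed to route back through wg0.
check_flows() {
    allowed_ips_cover "$SERVER_CONF" 10.10.0.1 &&
    allowed_ips_cover "$VPS_CONF" 192.168.0.50
}
check_flows && echo "AllowedIPs cover both flows" || echo "a flow is missing"
```

Dropping 192.168.0.0/24 from the VPS peer makes the second check fail, which is exactly the case where curl from a LAN machine hangs even though the Server itself can reach 10.10.0.1:8080.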
Conclusion: learnt a lot, still don't know a lot, probably an easier way.