setup wireguard vpn

.gitignore

@@ -0,0 +1 @@
+.terraform/

bin/add-peers

@@ -0,0 +1,8 @@
+#!/bin/bash
+# https://lists.zx2c4.com/pipermail/wireguard/2018-December/003703.html
+
+set -eo pipefail
+
+server=$(terraform output --json | jq -r '."server_ip".value' )
+rsync -vr --rsync-path="sudo rsync" peers.conf leorog@${server}:/etc/wireguard/peers.conf
+ssh leorog@${server} -t "sudo wg addconf wg0 /etc/wireguard/peers.conf; sudo wg"

bin/genkeys

@@ -0,0 +1,5 @@
+#!/bin/bash
+private=`wg genkey`
+public=`wg pubkey <<< $private`
+echo "PublicKey: $public"
+echo "PrivateKey: $private"

bin/remove-peer

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -eo pipefail
+
+server=$(terraform output --json | jq -r '."server_ip".value' )
+ssh leorog@${server} -t "sudo wg set wg0 peer $1 remove"

ec2.tf

@@ -0,0 +1,69 @@
+provider "aws" {
+  version = "~> 2.9"
+}
+
+terraform {
+  backend "s3" {
+    bucket = "myvpn-tfstate"
+    key    = "terraform.tfstate"
+    region = "us-east-1"
+  }
+}
+
+resource "aws_instance" "wg_server" {
+  ami                     = "ami-07ebfd5b3428b6f4d"
+  instance_type           = "t2.nano"
+  user_data               = file("wg-server.yml")
+  vpc_security_group_ids  = [aws_security_group.wg_server.id]
+
+  tags                    = {
+    Name                  = "VPN"
+  }
+}
+
+resource "aws_security_group" "wg_server" {
+  name          = "wg-server sg"
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 53
+    to_port     = 53
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 53
+    to_port     = 53
+    protocol    = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 5555
+    to_port     = 5555
+    protocol    = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+output server_ip {
+  value = aws_instance.wg_server.public_ip
+}
+
+output server_dns {
+  value = aws_instance.wg_server.public_dns
+}

peers.conf

@@ -0,0 +1,3 @@
+[Peer]
+PublicKey = <client public key>
+AllowedIPs = 10.2.0.2/32

readme.md

@@ -0,0 +1,8 @@
+- run terraform
+- gen client keypair `bin/genkeys`
+- get server public-key `ssh leorog@<ip> -t "sudo wg"`
+- update client config with server ip, public key and client private key [wg0-client.conf](wg0-client.conf)
+- add client public-key to server peer list [peers.conf](peers.conf#L2)
+- update server peer list `bin/add-peers`
+- connect `sudo wg-quick up wg0-client.conf` 
+- check if its working `curl https://ifconfig.me/`

wg-server.yml

@@ -0,0 +1,71 @@
+#cloud-config
+
+disable_root: true
+package_update: true
+
+apt:
+  sources:
+    wireguard-ppa:
+      source: "ppa:wireguard/wireguard"
+
+users:
+  - name: leorog
+    shell: /bin/bash
+    sudo: "ALL=(ALL) NOPASSWD:ALL"
+    ssh_authorized_keys:
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbSkzTyWtwpKBYExQ5Bdx+3kHWusJWcoHLbSfxnjCA8Z2+kmES2Mg0UpLNJZIzy0hb2vlbfbbAHHDfhXW+JT61RIhNWa1gL06+rBCK+jsiQyQcZGL7oEiFpsiaCjoXUN+ZvDGd3mrMHgokzgN/b5ddlXqwKXw10XbFfjItUwb0xx2jNyLf6R4gqoFUNcrYJJzXxz0pjQGG3K7GsMP0iT4RJDXfIQxb6ypVJ8Jf36BFVRfxYUah4suV08Lg8VKbAJ3MTX0tIDCX0UhXc6zHDeAfjYQb2dOrx6+OtTbgAAVwDdMaZ+5MDZQ6f5YqMLxTHJWr37flUI9DWZdV++HKiNKl leorog@leorog-pc"
+
+packages:
+  - wireguard
+  - unbound
+
+write_files:
+  - path: /etc/wireguard/wg0.conf
+    content: |
+      [Interface]
+      Address = 10.2.0.1/24
+      SaveConfig = true
+      ListenPort = 5555
+      PostUp = wg set %i private-key /etc/wireguard/wg0.key
+      PostUp = iptables -A FORWARD -i %i -j ACCEPT
+      PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+      PostDown = iptables -D FORWARD -i %i -j ACCEPT
+      PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+  - path: /etc/unbound/unbound.conf
+    content: |
+      server:
+        num-threads: 4
+        verbosity: 1
+        root-hints: "/var/lib/unbound/root.hints"
+        auto-trust-anchor-file: "/var/lib/unbound/root.key"
+        interface: 10.2.0.1
+        max-udp-size: 3072
+        access-control: 0.0.0.0/0        refuse
+        access-control: 127.0.0.1        allow
+        access-control: 10.2.0.0/24      allow
+        private-address: 10.2.0.0/24
+        hide-identity: yes
+        hide-version: yes
+        harden-glue: yes
+        harden-dnssec-stripped: yes
+        harden-referral-path: yes
+        unwanted-reply-threshold: 10000000
+        val-log-level: 1
+        cache-min-ttl: 1800 
+        cache-max-ttl: 14400
+        prefetch: yes
+        prefetch-key: yes
+        do-ip6: no
+
+bootcmd:
+  - sysctl -w net.ipv4.ip_forward=1
+
+runcmd:
+  - curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
+  - wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub
+  - chmod -v 600 /etc/wireguard/wg0.conf /etc/wireguard/wg0.key /etc/wireguard/wg0.pub
+  - chown -R unbound:unbound /var/lib/unbound
+  - systemctl enable unbound
+  - systemctl enable wg-quick@wg0
+  - systemctl start --no-block unbound
+  - systemctl start --no-block wg-quick@wg0

wg0-client.conf

@@ -0,0 +1,10 @@
+[Interface]
+Address = 10.2.0.2/32
+PrivateKey = <client private key>
+DNS = 10.2.0.1
+
+[Peer]
+PublicKey = <server public key>
+Endpoint = <server ip>:5555
+AllowedIPs = 0.0.0.0/0
+PersistentKeepalive = 21