# VPN with SSH and WireGuard
Unless you are using a fully self-configured Linux distro, such as Arch Linux, your distro very likely has NetworkManager preinstalled and running; this holds for Fedora, RHEL, CentOS, Debian, and Ubuntu.
NetworkManager is almost as capable as the iproute2 suite, and it makes WiFi, Bluetooth, and VPN management effortless.
Furthermore, NetworkManager persists settings, which frees users from writing systemd unit files or the like.
If one is not running OpenStack Neutron or doing pentests, letting NetworkManager manage networking on one's behalf seems rather reasonable.
Installation on Fedora:
```
dnf install wireguard-tools
```
Installation on CentOS 8:
```
dnf install elrepo-release epel-release
dnf install kmod-wireguard wireguard-tools
```
Generate keypair:
```
# umask 077 keeps private.key readable by the owner only
(umask 077; wg genkey | tee private.key | wg pubkey > public.key)
```
Create file *config* with content:
```
[Interface]
PrivateKey = <private_key>
Address = <my_ip>/<mask>
SaveConfig = true
[Peer]
PublicKey = <peer_public_key>
AllowedIPs = <subnet>
Endpoint = <server_ip>:<port>
PersistentKeepalive = 15
```
Activate and make persistent with NetworkManager:
```
nmcli c delete <con-name>
nmcli c import type wireguard file <config>
nmcli c modify <con-name> connection.zone <zone>
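# These direct rules are runtime-only; repeat each with --permanent to keep it across firewalld reloads.
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i <wg-device> -o <wg-device> -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i <wg-device> -o <lan-device> -j ACCEPT
# The same rule with concrete device names:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg-dev-main -o eno1np0 -j ACCEPT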
```
Update WireGuard config, e.g., adding peers: (**this does not persist**)
```
wg addconf <wg-device> <(wg-quick strip <wg-config>)
```
Generate QR code for mobile devices:
```
qrencode -t ansiutf8 < <client-conf>
```
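A check for the config file from the steps above, to run before importing it with `nmcli` or turning it into a QR code. This is an added example, not part of the original notes; the function names and the sample config (dummy all-zero key, constructed addresses) are assumptions made for illustration.

```python
import base64
import ipaddress

def parse_wg(text):
    """Parse wg-quick text into [(section, {key: value})]; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)          # keys end in '=' padding
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def valid_key(value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def lint(text):
    findings, owner = [], {}
    sections = parse_wg(text)
    iface = [body for name, body in sections if name == "interface"]
    if len(iface) != 1 or not valid_key(iface[0].get("privatekey", "")):
        findings.append("interface: missing or malformed PrivateKey")
    for n, peer in enumerate((b for s, b in sections if s == "peer"), 1):
        if not valid_key(peer.get("publickey", "")):
            findings.append(f"peer {n}: missing or malformed PublicKey")
        for cidr in filter(None, (c.strip() for c in peer.get("allowedips", "").split(","))):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"peer {n}: bad AllowedIPs entry {cidr!r}")
                continue
            if net in owner and owner[net] != n:
                # An identical prefix stays only with the peer that claimed it last.
                findings.append(f"peer {n}: {net} already assigned to peer {owner[net]}")
            if net.prefixlen == 0:
                findings.append(f"peer {n}: {net} sends all traffic through this peer")
            owner[net] = n
    return findings

KEY = base64.b64encode(bytes(32)).decode()           # constructed dummy key
SAMPLE = (f"[Interface]\nPrivateKey = {KEY}\nAddress = 10.0.0.2/24\n"
          "[Peer]\nPublicKey =\nAllowedIPs = 10.0.0.0/24\n"
          f"[Peer]\nPublicKey = {KEY}\nAllowedIPs = 10.0.0.0/24, 0.0.0.0/0\n")

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```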
## Crostini
Install TunSafe:
```
git clone --depth 1 https://github.com/TunSafe/TunSafe.git
# Build from inside the source tree
(cd TunSafe && ./build_linux.sh)
# Install under the name the commands below use
install TunSafe/tunsafe /usr/local/bin/tunsafe
tunsafe start -d <wg-config>
```
From the crosh shell do:
```
vmc start termina
lxc config device add penguin tun unix-char path=/dev/net/tun
lxc config device set penguin tun mode 0666
```
In penguin:
```
tunsafe start -d <wg-config>
```
## Mac installation
Install the client from the Apple App Store and import the text config (via copy and paste).


## Custom git
A repo is actually a directory containing the git tree.
Create a directory on the server and initialize it bare.
```
mkdir /path/to/repo.git
git init --bare /path/to/repo.git
```
On the client:
```
git remote add origin <ssh_host>:/path/to/repo.git
git push origin master
git clone <ssh_host>:/path/to/repo.git
```
## Flatpak on ChromeOS with the Fedora repo
Open crostini and run:
```
apt install flatpak
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak remote-add fedora oci+https://registry.fedoraproject.org
```
## Windows 10 with libvirt
Download the Windows 10 ISO [here](https://www.microsoft.com/en-us/software-download/windows10ISO).
```
virt-install \
--name a.elk.k8s \
--vcpus 2 \
--memory 4096 \
--boot hd,network,useserial=on,menu=on \
--noreboot \
--disk pool=k8s,size=30,sparse=false,cache=none,io=native,bus=virtio \
--network type=direct,source=eno1np0,source_mode=bridge,model=virtio \
--graphics none \
--noautoconsole \
--os-variant fedora31
```