Setting Up Jumphost with Wireguard
This note contains step-by-step instructions for setting up a VPN machine with WireGuard as a jumphost for connecting to services inside a private network in the cloud.
Configuration
-------------     -------------     -------------
|           |     |           |     |           |
|   MacOS   | --> | Wireguard | --> |   Nginx   |
|           |     |    VM     |     |    VM     |
-------------     -------------     -------------
- MacOS: Local network
- Wireguard VM: VPC payment-vpc, subnet payment-private-us-central1-public
- Nginx VM: VPC payment-vpc, subnet payment-private-us-central1
Notes
Setting up a new GCP Project
Setting up a new custom VPC with 2 subnets:
- payment-private-us-central1-public, CIDR: 10.1.2.0/24
- payment-private-us-central1, CIDR: 10.1.1.0/24
Setting up the following firewall rules:
- payment-private-allow-http: allows tcp:80 with network tag http-server
- payment-allow-user-vpn: allows udp:51820 with network tag wireguard
- payment-private-allow-ssh: allows tcp:22
- payment-private-allow-custom: allows all ports between subnets
Setting up a NAT Gateway for the private subnet
Create 1 Nginx VM without a public IP address.
sudo apt update
sudo apt install nginx
curl localhost
Create 1 VPN VM with a public IP address and install WireGuard. Follow this blog to configure WireGuard on the jumphost.
sudo apt update
sudo apt install wireguard
sudo su
cd /etc/wireguard
wg genkey > jumphost.key
wg pubkey < jumphost.key > jumphost.pub
Create the jumphost configuration
# local settings for the jumphost
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEE=
Address = 10.0.0.1/24
ListenPort = 51820
PreUp = sysctl -w net.ipv4.conf.all.forwarding=1
Run the jumphost as a systemd service
sudo systemctl start wg-quick@wg0.service
sudo systemctl enable wg-quick@wg0.service
Check WireGuard
sudo wg
Test access to the Nginx VM from the jumphost box
curl <nginx_private_ip_address>
Install and configure the WireGuard client on macOS.
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.11 # client wireguard ip address

# remote settings for the jumphost
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <WIREGUARD_VM_PUBLIC_IP_ADDRESS>:51820
AllowedIPs = 10.1.1.0/24, 10.1.2.0/24, 10.0.0.1/32
10.1.1.0/24 and 10.1.2.0/24 are the CIDRs of the subnets in the payment VPC. 10.0.0.1/32 should be the WireGuard server's IP address on the wg0 interface.
Configure the peer on the jumphost
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEE=
Address = 10.0.0.1/24
ListenPort = 51820
PreUp = sysctl -w net.ipv4.conf.all.forwarding=1

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.11/32 # CLIENT WIREGUARD IP ADDRESS
CLIENT_WIREGUARD_IP_ADDRESS is not the same as the GCP VM's private IP address. It looks like this is the IP address assigned to the virtual network interface.
Start the VPN client on macOS
Test SSH to the jumpbox by using its private IP address
ssh -i ~/.ssh/google_compute_engine imre.nagi@<wireguard_private_ip>
Setting up traffic forwarding
sudo nano /etc/sysctl.conf
Uncomment
net.ipv4.ip_forward=1
sudo sysctl -p
Find the network interface that routes traffic to the internal subnet
ip route list default
# default via 10.x.x.x dev ens4 proto dhcp src 10.y.y.y metric 100
# ens4 is the network interface name
Update wg0.conf
PreUp = sysctl -w net.ipv4.conf.all.forwarding=1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE
systemctl restart wg-quick@wg0.service
Test access to the Nginx web server from macOS by using its private IP address
ssh -i ~/.ssh/google_compute_engine imre.nagi@<nginx_private_ip>
Open Questions
- How can peers be configured dynamically on both the server and the client? Each client needs its own WireGuard IP address assigned; how can this be done dynamically?
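As an added example that is not part of the original note, the following Python helper addresses the first open question: it parses the jumphost's existing wg0.conf, allocates the lowest free address in the wg0 subnet for a new client, and renders both the server's [Peer] block (pinned to a /32 so that key can only source its own address) and the matching client config with the same split-tunnel AllowedIPs used in the note. The config contents, keys and endpoint below are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of the jumphost's /etc/wireguard/wg0.conf (placeholder keys).
WG0_CONF = """\
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY_1>
AllowedIPs = 10.0.0.11/32
"""
VPC_SUBNETS = ["10.1.1.0/24", "10.1.2.0/24"]  # payment-vpc subnets from the note

def parse_wg0(conf):
    """Return (server wg0 interface, set of client addresses already allocated)."""
    iface = ipaddress.ip_interface(re.search(r"^Address\s*=\s*(\S+)", conf, re.M).group(1))
    used = set()
    for line in re.findall(r"^AllowedIPs\s*=\s*(.+)$", conf, re.M):
        for cidr in line.split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            # Only /32 entries inside the wg0 subnet are client allocations.
            if net.prefixlen == 32 and net.network_address in iface.network:
                used.add(net.network_address)
    return iface, used

def next_client_ip(iface, used):
    """Lowest free host in the wg0 subnet, skipping the server's own address."""
    for host in iface.network.hosts():
        if host != iface.ip and host not in used:
            return host
    raise RuntimeError("wg0 subnet exhausted")

def render_peer_configs(conf, client_pubkey, server_pubkey, endpoint):
    """Return (client ip, server [Peer] block, full client config) for a new peer."""
    iface, used = parse_wg0(conf)
    ip = next_client_ip(iface, used)
    # Server side: /32 means the jumphost accepts only this address from this key.
    server_peer = f"\n[Peer]\nPublicKey = {client_pubkey}\nAllowedIPs = {ip}/32\n"
    # Client side: route only the VPC subnets and the server's wg0 address via the tunnel.
    allowed = ", ".join(VPC_SUBNETS + [f"{iface.ip}/32"])
    client_conf = (
        f"[Interface]\nPrivateKey = <CLIENT_PRIVATE_KEY>\nAddress = {ip}/32\n\n"
        f"[Peer]\nPublicKey = {server_pubkey}\nEndpoint = {endpoint}:51820\n"
        f"AllowedIPs = {allowed}\n")
    return str(ip), server_peer, client_conf
```

The server block can be appended to wg0.conf and applied with wg-quick (or `wg addconf`) as in the note; the client config is what goes into the macOS client.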