
Creating a user VPN configuration

Download and setup the gitlab repo

Go to the linuxfirewall repo (https://gitlab.eagleprojects.cloud/devsecops/linuxfirewall/-/tree/main?ref_type=heads), clone it and add an empty .env file. Check that all the packages needed by the scripts in the script folder are installed (for a short explanation of the rclone command, see the guide rclone-command-explained). Pull the image locally from the compose file, then start the service with podman-compose up -d.

Start the first script and get the setup infos

Then run start_script. Open the FastAPI docs in the browser at localhost:11811/docs. First check whether the user who needs the new configuration already exists by searching for them in the result of the /peers endpoint. Then get the next free private IP (in this example 10.250.0.133) from the /next_ip endpoint; it is needed for the new peer creation.

Create the peer (by username)

Then create the peer through the endpoint /servers/{server_interface}/peers/. You can take an already created user as a template to fill in the new peer.

Here is an example request body:

{
    "username": "ncognome",
    "allowed_ips": "192.168.3.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, 192.168.14.0/24, 192.168.42.0/24, 192.168.45.0/24, 192.168.46.0/24",
    "private_ip": "10.250.0.133/32",
    "endpoint": "vpn.eagleprojects.cloud:51820",
    "group": "ncognomecapogruppo",
    "persistent_keepalive": 15
}

allowed_ips lists the VLANs the user may access. private_ip uses a /32 because we want exactly one host address to be used.

Remember to fill in the server_interface field. In our case (the large majority of cases) we just use wg0: it is the default first WireGuard interface (LAN) and the only one we have, so it will always be wg0.

Download the wg0 conf

After creating the users, download all the peers owned by the server interface wg0 from the endpoint /servers/{server_interface}/persist. It generates a file named wg0.conf, which has to be uploaded directly to the MinIO S3 bucket with the script upload_script.sh.

Download the configurations of the users

We also need to download two more files: the configurations of the users we just created. Each user gets their own configuration, which they apply in their own WireGuard client. It is not enough to call the endpoint /peers/{peer_username}/persist with just the username: the custom_allowed_ips field has to be filled in too. Insert 192.168.0.0/16 as custom_allowed_ips.

Why? Because we want the user's PC to send every call to this range through the tunnel. Even if the user does not actually have access to all the VLANs, we want this range to capture all those address calls. The firewall is then the real filter for each request, allowing or denying access to the desired VLAN or host.
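The two steps above (building the peer body for /servers/{server_interface}/peers/ and choosing 192.168.0.0/16 as custom_allowed_ips) are easy to get wrong by hand. The following script is an added example, not code from the linuxfirewall repo: it checks a username against a constructed sample of the /peers result, validates the peer body (private_ip must be a single /32 host inside the VPN pool, every VLAN must be a well-formed CIDR), and reports any server-side VLAN that the client route 192.168.0.0/16 would not send into the tunnel. The pool 10.250.0.0/24, the list shape of the /peers response and the POST method with a JSON body are assumptions; only the endpoint paths and values come from this guide.

```python
"""Sanity checks for a new WireGuard peer request (added example, not part of the
linuxfirewall repo). Endpoint paths and sample values come from the guide; the HTTP
method, the /peers response shape and the VPN pool are assumptions."""
import ipaddress
import json
from urllib import request

# Constructed sample of what GET /peers is assumed to return: a list of peer dicts.
SAMPLE_PEERS = [
    {"username": "mrossi", "private_ip": "10.250.0.132/32"},
    {"username": "gverdi", "private_ip": "10.250.0.131/32"},
]

VPN_POOL = ipaddress.ip_network("10.250.0.0/24")  # assumed pool that /next_ip draws from
CLIENT_ROUTE = "192.168.0.0/16"                   # the custom_allowed_ips value from the guide


def username_exists(peers, username):
    """True if a peer with this username is already present in the /peers result."""
    return any(p.get("username") == username for p in peers)


def build_peer(username, group, private_ip, vlans,
               endpoint="vpn.eagleprojects.cloud:51820", keepalive=15):
    """Build and validate the JSON body for POST /servers/{server_interface}/peers/.

    Raises ValueError on the mistakes the guide warns about: a private_ip that is
    not a single /32 host inside the pool, or a VLAN list with a malformed CIDR.
    """
    host = ipaddress.ip_network(private_ip, strict=True)
    if host.prefixlen != 32:
        raise ValueError(f"private_ip must be a /32 host, got {private_ip}")
    if not host.subnet_of(VPN_POOL):
        raise ValueError(f"{private_ip} is outside the VPN pool {VPN_POOL}")
    nets = [ipaddress.ip_network(v.strip(), strict=True) for v in vlans]
    return {
        "username": username,
        "allowed_ips": ", ".join(str(n) for n in nets),
        "private_ip": str(host),
        "endpoint": endpoint,
        "group": group,
        "persistent_keepalive": keepalive,
    }


def uncovered_vlans(allowed_ips, client_route=CLIENT_ROUTE):
    """Return the server-side VLANs that the client route would NOT send into the tunnel.

    The guide sets custom_allowed_ips to 192.168.0.0/16 so the client routes every
    192.168.x.y address through WireGuard and lets the firewall decide; a VLAN
    outside that range would silently bypass the tunnel.
    """
    route = ipaddress.ip_network(client_route)
    return [v.strip() for v in allowed_ips.split(",")
            if not ipaddress.ip_network(v.strip()).subnet_of(route)]


def post_peer(base_url, server_interface, body):
    """Send the peer to the API (assumed: POST with a JSON body). Not run offline."""
    req = request.Request(
        f"{base_url}/servers/{server_interface}/peers/",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    vlans = ["192.168.3.0/24", "192.168.11.0/24", "192.168.42.0/24"]
    if username_exists(SAMPLE_PEERS, "ncognome"):
        raise SystemExit("peer already exists, nothing to do")
    body = build_peer("ncognome", "ncognomecapogruppo", "10.250.0.133/32", vlans)
    print(json.dumps(body, indent=2))
    print("VLANs bypassing the tunnel:", uncovered_vlans(body["allowed_ips"]))
    # post_peer("http://localhost:11811", "wg0", body)  # against the real service
```

Run it as-is to see the validated body for the example user; uncomment the last line to submit it to the local FastAPI service on wg0. An empty list from uncovered_vlans confirms that every VLAN granted server-side is inside the range the client will route through the tunnel, so the firewall, not the client's routing table, is what decides access.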

Firewallo sync

After downloading the configurations, go to the firewallo and, at a quiet moment such as lunch time or before leaving work, run the script upload_vpn.sh.

What do we do with the user configurations?

Send the configurations to Alessio and the procedure is completed.