- Install wireguard and create Wireguard keys. Official docs are here:
https://www.wireguard.com/quickstart/
wg genkey | tee wireguard-$USER-privatekey | wg pubkey > wireguard-$USER-publickey
Send Wireguard pubic key to the wireguard admin. Once the key is installed on the wireguard server you will receive an IP address which will be your system IP in the Wireguard mesh network.
There are at least three different ways to setup the wireguard VPN: wg-quick, NetworkManager or manually.
The wg-quick helper script from the wireguard project is the recommended way to get started.
Create the /etc/wireguard/wg0.conf file with the following and replace 192.168.2.X with the IP you were assigned:
[Interface] PrivateKey = <private key here> Address = 192.168.2.X/24 [Peer] PublicKey = iEtvCuJpaSlj8ghumrp0CA4Y8yqIy8YZrvJD4AcW22U= EndPoint = 3.21.212.159:53 AllowedIPs = 192.168.2.0/8
Then create and run the service:
sudo systemctl enable wg-quick@wg0 sudo systemctl start wg-quick@wg0
To terminate the connection:
sudo systemctl stop wg-quick@wg0
Here is a link with some screen captures of the process:
https://www.ivpn.net/setup/wg-linux-netman.html
Server public key: iEtvCuJpaSlj8ghumrp0CA4Y8yqIy8YZrvJD4AcW22U= Allowed IPs 0.0.0.0/0 Endpoint address: 3.21.212.159:53 The IP of your host in the mesh is 192.168.2.X
In the IPv4 section there is a Routes button. Click this and then select “Use only for resources on this connection”
Replace 192.168.2.X with the IP you were assigned:
sudo ip link add dev wg0 type wireguard sudo ip address add dev wg0 192.168.2.X/24 sudo ip address add dev wg0 192.168.2.X peer 192.168.2.1 sudo wg set wg0 private-key /path/to/private-key peer iEtvCuJpaSlj8ghumrp0CA4Y8yqIy8YZrvJD4AcW22U= allowed-ips 0.0.0.0/0 endpoint 3.21.212.159:53 wg showconf wg0 > /etc/wireguard/wg0.conf
In order to run the service, run:
sudo wg-quick up wg0
In order to stop the service, run:
sudo wg-quick down wg0
First verify that Wireguard is running:
sudo wg show
It is important that only AWS traffic from your machine is routed through the VPN. Otherwise we will be charged for all egress traffic from AWS. The easiest way to check is to verify that traffic traceroute to google.com is the same with the VPN enabled and disabled:
mtr google.com
Please ensure that you do not see any hosts with aws in the traceroute. If it does, please do not use the VPN until we can figure out how to reconfigure it.
Please send your public ssh key to the wireguard admin. Once installed you will be able to ssh to the wireguard server.
ssh ubuntu@192.168.2.1
This VM is reserved for wireguard and no suitable for working. It will be used as a bridge to other servers within AWS. Please add the following to your $HOME/.ssh/config to be able to tunnel directly to the AWS instances:
# Tunnel to private subnet over VPN server Host 10.0.101.* User ubuntu ProxyCommand ssh -W %h:%p ubuntu@192.168.2.1
Putting the instances in a private subnet requires a NAT gateway and those are very expensive. At the time of writing, the cost is $0.045/hr plus $0.045 per GB of traffic:
https://aws.amazon.com/vpc/pricing/
An instance in a public subnet with a public IP does not have to pay for the NAT gateway nor the bandwidth used.
The typical way to give people access to EC2 instances is to create an instance in the default public subnet and enable SSH port 22 in the security group and give people access. This works but has some drawbacks:
- Port 22 is open on the instance and restricting access to specific IPs can be difficult especially now when everyone is working from home.
- The temptation to open more ports on the security group will be high. Of course ssh should be used to tunnel ports safely but everyone needs to know how to make use of it.
Using the Wireguard VPN has several benefits:
- None of the public IPs has any open ports. Even the Wireguard port is not discovered by a port scan.
- It serves as an entrance point to enable access to private subnets. This way there is a single way to access all subnets. This requires the security groups be setup properly and possibly VPC peering as well, but the user workflow stays the same.