Is there any way to do a reverse tunnel?
BeatLink opened this issue · 7 comments
Hey, awesome project, I'm trying it out on my home server now.
One problem I'm facing is that wg-initramfs runs as a client instead of a server. Meaning that it reaches out to a known endpoint to form the tunnel to the initramfs environment. However, with my current situation (using my laptop to remotely access the server to decrypt it) it seems as though it would need the reverse solution, where my laptop is the client and the home server is the server.
There might be a misunderstanding on how you have configured your wireguard services.
I have a remote encrypted ZFS dataset backup that effectively is doing this (it connects to the public wireguard VPN server endpoint, and another wireguard client then connects through the public wireguard VPN server to that remote machine to push data; no knowledge of the actual remote public IP needed).
I'd highly recommend to get wireguard setup the way you intend for it to work first, then add in the additional complexities of initramfs / dropbear components after you've verified it's working the way you want. You should not be limited on the wireguard configuration; but if there is something missing, please let me know so it can get patched.
Some great documentation outside of the wireguard whitepapers is here: https://github.com/pirate/wireguard-docs
Closing bug as it seems to be out of scope of an actual bug to fix. Please re-open with more details if it is not.
Essentially, I want to use the initramfs wireguard instance as its own endpoint that other devices would connect to, bypassing the public wireguard server completely
I don't believe this to be an actual bug with wireguard-initramfs.
Please read through additional resources on the wireguard site: https://www.wireguard.com/#learning-more or through the docs linked above: https://github.com/pirate/wireguard-docs. Comments below.

> Essentially, I want to use the initramfs wireguard instance as its own endpoint that other devices would connect to, bypassing the public wireguard server completely

- When you say "public wireguard server", there is no such thing unless you are talking about the demo server to test connections, or other wireguard endpoints, such as VPN providers.
- When you say "own endpoint that other devices would connect to, bypassing the public wireguard server completely", I understand this to mean that you want your machine to act as a server endpoint, allowing your other wireguard clients to connect. See simple-client-to-server doc, linked above. This requires that the machine's wireguard endpoint is exposed publicly if you want clients to reach it from outside your private network.
- Setting up wireguard on that system as a normal networking service seems like it fits your use case? (e.g. if you set up wireguard as a server and enable that network to start after the standard network devices).

Configuration of wireguard networks is beyond the scope of wireguard-initramfs. The case that you've presented doesn't seem to be an actual issue with wireguard-initramfs.
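The simple client-to-server layout the comment above points to, written out as an added example (it is not from this thread or from the wireguard-initramfs project). The home server is the side that must be reachable: it listens on a fixed UDP port that the router forwards to it, while the laptop names the server as its Endpoint and initiates the handshake. The tunnel subnet, port, key placeholders and DDNS hostname are all assumed values.

```ini
# --- Home server (must be reachable): /etc/wireguard/wg0.conf ---
# Assumptions: tunnel subnet 10.8.0.0/24, UDP 51820 forwarded by the home router.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

# The laptop. No Endpoint here: the server only waits for the laptop to connect,
# and AllowedIPs pins which tunnel address that key may use.
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.2/32

# --- Laptop (initiates): /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <LAPTOP_PRIVATE_KEY_PLACEHOLDER>

# Endpoint is the server's public name (placeholder DDNS hostname) and forwarded port.
# Narrow AllowedIPs so only the server's tunnel address is routed through wg0.
# PersistentKeepalive keeps the mapping alive if the laptop itself sits behind a NAT.
[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
Endpoint = home.example.invalid:51820
AllowedIPs = 10.8.0.1/32
PersistentKeepalive = 25
```

With both sides up (`wg-quick up wg0`), the laptop reaches the server at 10.8.0.1, which is also the address a dropbear unlock session would be addressed to once the initramfs brings the same interface up. Note that in this layout the server side never needs to know the laptop's public address; only the server's port must be exposed, and each peer's AllowedIPs keeps a compromised key on one side from claiming addresses it was not assigned.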
I already configured my home server to act as a server endpoint. It is already exposed publicly via port forwarding on my home router and a DDNS server. What I want is for the wireguard-initramfs to also act as a server endpoint, that way my laptop can connect directly to it for LUKS decryption
In other words, wireguard-initramfs as configured now, acts as a client instead of a server endpoint. I wish for it to be a server endpoint instead
If I have a fully encrypted raspberry pi server behind a home network
the current method to decrypt it would be to use dropbear from another device on the local network
Can wireguard-initramfs be used to connect to the dropbear session from outside the home network?
I believe this is @BeatLink's question
For a device behind a NAT, the current client setup, where the device running wireguard-initramfs connects to a peer with a server endpoint, would make sense.
My case was for the device running wireguard-initramfs already being a server endpoint with a static public IP address.
Incidentally, I've reworked the files here into a script that does just that. I'll throw it up on my GitLab if anyone wants it.