Riaan's SysAdmin Blog

My tips, howtos, gotchas, snippets and stuff. Use at your own risk!

VPNWireguard

Wireguard VPN between Azure and OCI hosts

Wireguard test between Azure and Oracle OCI hosts

REF: https://www.wireguard.com/

Azure VM setup

Ubuntu 18.04.5 LTS

root@wireguard-az:~# dig +short myip.opendns.com @resolver1.opendns.com
*IPAddress*
root@wireguard-az:~# apt install wireguard

root@wireguard-az:~# wg version
wireguard-tools v1.0.20200513 - https://git.zx2c4.com/wireguard-tools/

root@wireguard-az:~# umask 077
root@wireguard-az:~# wg genkey > privatekey
root@wireguard-az:~# wg pubkey < privatekey > publickey
root@wireguard-az:~# ip link add wg0 type wireguard
root@wireguard-az:~# ip addr add 10.0.0.1/24 dev wg0
root@wireguard-az:~# wg set wg0 private-key ./privatekey
root@wireguard-az:~# ip link set wg0 up

root@wireguard-az:~# ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0d:3a:5d:89:a7 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.4/24 brd 10.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:3aff:fe5d:89a7/64 scope link 
       valid_lft forever preferred_lft forever
3: wg0:  mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

root@wireguard-az:~# wg show
interface: wg0
  public key: *redacted*
  private key: (hidden)
  listening port: 43971

root@wireguard-az:~# wg set wg0 peer *redacted* allowed-ips 10.0.0.2/32 endpoint *IPAddress*:40181

root@wireguard-az:~# wg show
interface: wg0
  public key: *redacted*
  private key: (hidden)
  listening port: 43971

peer: *redacted*
  endpoint: *IPAddress*:40181
  allowed ips: 10.0.0.2/32
  transfer: 0 B received, 3.32 KiB sent

NOTE: iptables on this server don't need adjustment it is open already

root@wireguard-az:~# ping 10.0.0.2 -c 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=10 ttl=64 time=31.7 ms

NOTE: open Azure Security Rule for port we are running on
310 wg 43971 Any IPAddress/32 Any

Oracle OCI

Ubuntu 20.04.1 LTS

root@usph-vmli-do01:~# dig +short myip.opendns.com @resolver1.opendns.com
*IPAddress*
root@usph-vmli-do01:~# apt install wireguard

root@usph-vmli-do01:~# wg version
wireguard-tools v1.0.20200513 - https://git.zx2c4.com/wireguard-tools/
  • open Security Rule for port we are running on
    No IPAddress/32 TCP All 40181 TCP traffic for ports: 40181
root@usph-vmli-do01:~# umask 077
root@usph-vmli-do01:~# wg genkey > privatekey
root@usph-vmli-do01:~# wg pubkey < privatekey > publickey
root@usph-vmli-do01:~# ip link add wg0 type wireguard
root@usph-vmli-do01:~# ip addr add 10.0.0.2/24 dev wg0
root@usph-vmli-do01:~# wg set wg0 private-key ./privatekey
root@usph-vmli-do01:~# ip link set wg0 up

root@usph-vmli-do01:~# ip addr
2: ens3:  mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:00:17:02:8f:09 brd ff:ff:ff:ff:ff:ff
    inet 10.3.1.8/24 brd 10.3.1.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::200:17ff:fe02:8f09/64 scope link 
       valid_lft forever preferred_lft forever
...
20: wg0:  mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.0.2/24 scope global wg0
       valid_lft forever preferred_lft forever

root@usph-vmli-do01:~# wg show
interface: wg0
  public key: *redacted*
  private key: (hidden)
  listening port: 40181

root@usph-vmli-do01:~# wg set wg0 peer *redacted* allowed-ips 10.0.0.1/32 endpoint *IPAddress*:43971

root@usph-vmli-do01:~# wg show
interface: wg0
  public key: *redacted*
  private key: (hidden)
  listening port: 40181

peer: *redacted*
  endpoint: *IPAddress*:43971
  allowed ips: 10.0.0.1/32

NOTE: iptables need adjustment port is not open

root@usph-vmli-do01:~# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW,ESTABLISHED
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
8    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
9    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
...

root@usph-vmli-do01:~# iptables -I INPUT 5 -p tcp -m tcp --dport 40181 -m state --state NEW,ESTABLISHED -j ACCEPT

root@usph-vmli-do01:~# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:40181 state NEW,ESTABLISHED
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW,ESTABLISHED
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW,ESTABLISHED
8    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
9    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
10   REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

root@usph-vmli-do01:~# ping 10.0.0.1 -c 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=31.9 ms

ubuntu@usph-vmli-do01:~/.ssh$ ssh ubuntu@10.0.0.1
...
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-1031-azure x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Oct 28 17:35:39 UTC 2020
...

Permanent steps

For routing/NAT of hosts behind these, creating /etc/wireguard/ config files, systemd starting etc read more here: https://linuxize.com/post/how-to-set-up-wireguard-vpn-on-ubuntu-20-04/

admin

Bio Info for Riaan