Wireguard VPN between Azure and OCI hosts
Wireguard test between Azure and Oracle OCI hosts
REF: https://www.wireguard.com/
Azure VM setup
Ubuntu 18.04.5 LTS
root@wireguard-az:~# dig +short myip.opendns.com @resolver1.opendns.com
*IPAddress*
- followed https://outsidersrepublic.com/tech/getting-started-wireguard-ubuntu-aws/ for the quick setup, i.e. no routing etc.
root@wireguard-az:~# apt install wireguard
root@wireguard-az:~# wg version
wireguard-tools v1.0.20200513 - https://git.zx2c4.com/wireguard-tools/
root@wireguard-az:~# umask 077
root@wireguard-az:~# wg genkey > privatekey
root@wireguard-az:~# wg pubkey < privatekey > publickey
root@wireguard-az:~# ip link add wg0 type wireguard
root@wireguard-az:~# ip addr add 10.0.0.1/24 dev wg0
root@wireguard-az:~# wg set wg0 private-key ./privatekey
root@wireguard-az:~# ip link set wg0 up
root@wireguard-az:~# ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0d:3a:5d:89:a7 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.4/24 brd 10.1.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20d:3aff:fe5d:89a7/64 scope link
valid_lft forever preferred_lft forever
3: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
root@wireguard-az:~# wg show
interface: wg0
public key: *redacted*
private key: (hidden)
listening port: 43971
root@wireguard-az:~# wg set wg0 peer *redacted* allowed-ips 10.0.0.2/32 endpoint *IPAddress*:40181
root@wireguard-az:~# wg show
interface: wg0
public key: *redacted*
private key: (hidden)
listening port: 43971
peer: *redacted*
endpoint: *IPAddress*:40181
allowed ips: 10.0.0.2/32
transfer: 0 B received, 3.32 KiB sent
NOTE: iptables on this server does not need adjustment; the port is already open.
root@wireguard-az:~# ping 10.0.0.2 -c 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=10 ttl=64 time=31.7 ms
NOTE: open an Azure security rule (NSG inbound) for the port we are listening on:
Priority 310, Name wg, Port 43971, Protocol Any, Source *IPAddress*/32, Destination Any
Oracle OCI
Ubuntu 20.04.1 LTS
root@usph-vmli-do01:~# dig +short myip.opendns.com @resolver1.opendns.com
*IPAddress*
- followed https://outsidersrepublic.com/tech/getting-started-wireguard-ubuntu-aws/ for the quick setup, i.e. no routing etc.
root@usph-vmli-do01:~# apt install wireguard
root@usph-vmli-do01:~# wg version
wireguard-tools v1.0.20200513 - https://git.zx2c4.com/wireguard-tools/
- open a security list ingress rule for the port we are listening on:
Stateless No, Source *IPAddress*/32, IP Protocol TCP, Source Port Range All, Destination Port Range 40181, Allows: TCP traffic for ports: 40181
root@usph-vmli-do01:~# umask 077
root@usph-vmli-do01:~# wg genkey > privatekey
root@usph-vmli-do01:~# wg pubkey < privatekey > publickey
root@usph-vmli-do01:~# ip link add wg0 type wireguard
root@usph-vmli-do01:~# ip addr add 10.0.0.2/24 dev wg0
root@usph-vmli-do01:~# wg set wg0 private-key ./privatekey
root@usph-vmli-do01:~# ip link set wg0 up
root@usph-vmli-do01:~# ip addr
2: ens3: mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:00:17:02:8f:09 brd ff:ff:ff:ff:ff:ff
inet 10.3.1.8/24 brd 10.3.1.255 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::200:17ff:fe02:8f09/64 scope link
valid_lft forever preferred_lft forever
...
20: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.2/24 scope global wg0
valid_lft forever preferred_lft forever
root@usph-vmli-do01:~# wg show
interface: wg0
public key: *redacted*
private key: (hidden)
listening port: 40181
root@usph-vmli-do01:~# wg set wg0 peer *redacted* allowed-ips 10.0.0.1/32 endpoint *IPAddress*:43971
root@usph-vmli-do01:~# wg show
interface: wg0
public key: *redacted*
private key: (hidden)
listening port: 40181
peer: *redacted*
endpoint: *IPAddress*:43971
allowed ips: 10.0.0.1/32
NOTE: iptables needs adjustment; the port is not open.
root@usph-vmli-do01:~# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT udp -- anywhere anywhere udp spt:ntp
5 ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt state NEW,ESTABLISHED
6 ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
7 ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
8 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
9 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
...
root@usph-vmli-do01:~# iptables -I INPUT 5 -p tcp -m tcp --dport 40181 -m state --state NEW,ESTABLISHED -j ACCEPT
root@usph-vmli-do01:~# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT udp -- anywhere anywhere udp spt:ntp
5 ACCEPT tcp -- anywhere anywhere tcp dpt:40181 state NEW,ESTABLISHED
6 ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt state NEW,ESTABLISHED
7 ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
8 ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
9 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
10 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
root@usph-vmli-do01:~# ping 10.0.0.1 -c 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=31.9 ms
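WireGuard carries tunnel traffic over UDP only, so the TCP openings made on the OCI side above (the security list entry and the iptables insert) do not match it; the ping most likely succeeded because the OCI host initiated the handshake and the replies were admitted by the RELATED,ESTABLISHED rule. The check below is an added example, not part of the original notes: it reads `wg show` and `iptables -S INPUT` output and reports whether the listening port is really open; the rule dumps it runs over are constructed from the listing above (rule 3 omitted, keys redacted).

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. WireGuard carries traffic over
# UDP only, so a firewall ACCEPT for TCP on the listening port (as added on
# the OCI host) does not admit tunnel packets. These helpers read `wg show`
# and `iptables -S INPUT` output and report whether the port is really open.

# Print the UDP listening port from `wg show` output on stdin.
wg_listen_port() {
  sed -n 's/^ *listening port: \([0-9][0-9]*\)$/\1/p'
}

# Exit 0 if the rule dump on stdin has an INPUT ACCEPT for protocol $1, dport $2.
rules_accept() {
  grep -E "^-A INPUT .*-p $1 .*--dport $2( |$).*-j ACCEPT" >/dev/null
}

# Print ok / tcp-only / missing for port $1, given `iptables -S INPUT` on stdin.
wg_port_status() {
  local port="$1" rules
  rules=$(cat)
  if printf '%s\n' "$rules" | rules_accept udp "$port"; then
    echo ok
  elif printf '%s\n' "$rules" | rules_accept tcp "$port"; then
    echo tcp-only
  else
    echo missing
  fi
}

# Constructed samples: `wg show` as on the OCI host, and its INPUT chain after
# the page's `iptables -I INPUT 5 -p tcp ... --dport 40181` (rule 3 of the
# original listing omitted; key values redacted).
WG_SHOW_SAMPLE='interface: wg0
  public key: (redacted)
  private key: (hidden)
  listening port: 40181'
OCI_RULES_TCP='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 40181 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# Same chain with the rule WireGuard actually needs.
OCI_RULES_UDP="-A INPUT -p udp -m udp --dport 40181 -j ACCEPT
$OCI_RULES_TCP"
port=$(printf '%s\n' "$WG_SHOW_SAMPLE" | wg_listen_port)
echo "port $port, page's TCP rule only: $(printf '%s\n' "$OCI_RULES_TCP" | wg_port_status "$port")"
echo "port $port, with UDP rule added:  $(printf '%s\n' "$OCI_RULES_UDP" | wg_port_status "$port")"
```

On the host itself, pipe live `wg show` and `iptables -S INPUT` output into the same functions; a result of tcp-only means the opening should be redone with `-p udp`.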
ubuntu@usph-vmli-do01:~/.ssh$ ssh ubuntu@10.0.0.1
...
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-1031-azure x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Oct 28 17:35:39 UTC 2020
...
Permanent steps
For routing/NAT of the hosts behind these VMs, creating /etc/wireguard/ config files, starting the interface with systemd, etc., read more here: https://linuxize.com/post/how-to-set-up-wireguard-vpn-on-ubuntu-20-04/