Dial-in Configuration with WireGuard
One way to manage the configuration on a roaming system is to use a pull-based system like Salt. It is also possible to assemble your own system by fetching a signed tarball over HTTPS, but this creates some serious problems:
- The configuration master needs to be publicly accessible
- Anyone who compromises the master owns the clients
- It's difficult to test a configuration without committing it first
WireGuard provides some very capable facilities for creating a point-to-point link to a jumphost. A jumphost doesn't need to hold configuration or root SSH keys, and the proxy feature of SSH allows us to connect without IP forwarding or routing.
With WireGuard, a public key is the peer's identity, and the wg(4) pseudo-device can guarantee that packets from a given interface did in fact arrive over an authenticated channel. Additionally we can require that each peer use a specific internal address:
# jumphost/hostname.wg0
wgport 111 wgkey JUMP_HOST_PRIVATE_KEY
wgpeer ROAMING_HOST_PUBLIC_KEY wgaip 10.0.0.20/32
inet 10.0.0.1/24

# jumphost1.pln
ptp_link:
	./rinstall -m 640 -o root:wheel jumphost/hostname.wg0 /etc/hostname.wg0 && sh /etc/netstart wg0

Multiple wgpeer entries can be made for the same interface.
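The guarantee above only holds if every wgpeer on the jumphost is pinned to a host address (a /32 or /128 wgaip) rather than a catch-all range. The following is an added check, not part of the original post: it parses a hostname.wg0 in the format shown and reports peers whose allowed addresses are not single hosts or collide with another peer. The sample configuration is constructed, with one well-pinned peer and one that would accept any source address.

```python
"""Check an OpenBSD hostname.wg0 for a dial-in jumphost: every peer must be
pinned to one or more host addresses, never a catch-all wgaip.
Added example, not part of the original post; the sample config is constructed."""
import ipaddress
import shlex

# Constructed sample: one peer pinned to 10.0.0.20/32, one with 0.0.0.0/0.
SAMPLE = """\
wgport 111 wgkey JUMP_HOST_PRIVATE_KEY
wgpeer ROAMING_HOST_PUBLIC_KEY wgaip 10.0.0.20/32
wgpeer ANOTHER_HOST_PUBLIC_KEY wgaip 0.0.0.0/0
inet 10.0.0.1/24
"""


def parse_peers(text):
    """Return {public_key: [wgaip, ...]} from hostname.if style lines.

    Each 'wgpeer KEY ...' line carries that peer's own options, so every
    'wgaip' token on that line belongs to that peer.
    """
    peers = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if "wgpeer" not in tokens:
            continue
        idx = tokens.index("wgpeer")
        if idx + 1 >= len(tokens):
            continue  # malformed line: wgpeer without a key
        key = tokens[idx + 1]
        aips = [tokens[i + 1] for i, t in enumerate(tokens)
                if t == "wgaip" and i + 1 < len(tokens)]
        peers.setdefault(key, []).extend(aips)
    return peers


def check_peers(peers):
    """Return a list of problems; an empty list means every peer is host-pinned."""
    problems = []
    seen = {}  # wgaip -> first peer key that claimed it
    for key, aips in peers.items():
        if not aips:
            problems.append(f"{key}: no wgaip, peer cannot send any traffic")
        for aip in aips:
            net = ipaddress.ip_network(aip, strict=False)
            if net.prefixlen != net.max_prefixlen:
                problems.append(f"{key}: wgaip {aip} is not a single host address")
            if aip in seen and seen[aip] != key:
                problems.append(f"{key}: wgaip {aip} already assigned to {seen[aip]}")
            seen.setdefault(aip, key)
    return problems
```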
The parameters for the roaming host include an initiation endpoint:

# ptp/hostname.wg0
wgkey ROAMING_HOST_PRIVATE_KEY
wgpeer JUMP_HOST_PUBLIC_KEY wgendpoint proxy.eradman.com 111 wgaip 0.0.0.0/0
inet 10.0.0.20/24
To initiate our link, run a simple cron job that runs at a random minute four times hourly:

# user_ws_1.pln
ptp_link:
	./rinstall -m 640 -o root:wheel ptp/hostname.wg0 /etc/hostname.wg0 && sh /etc/netstart wg0

user_cron:
	crontab - <<-EOF
	~/10 * * * * ping -c 1 10.0.0.1 > /dev/null
	EOF
SSH Proxy Setup
From inside our network we can use standard ssh config to direct some connections to the jump host:

# .ssh/config
Host 10.0.0.20
	ProxyJump 192.168.0.2
	ConnectTimeout=5
Now we can run configuration against a remote host using the tunnel endpoint!
eval `ssh-agent`
ssh-add
rset 10.0.0.20