rset(1) : Formulas

Accessing Mobile Clients with WireGuard

One way to manage the configuration on a roaming system is to use a pull-based system like Salt. It is also possible to assemble your own system by fetching a signed tarball over HTTPS, but this creates some serious problems:

  1. The configuration master needs to be publicly accessible
  2. Anyone who compromises the master owns the clients
  3. It's difficult to test a configuration without committing it first

WireGuard provides some very capable facilities for creating a point-to-point link to a jumphost. A jumphost doesn't need to hold configuration or root SSH keys, and the proxy feature of SSH allows us to connect through it without IP forwarding or routing.

Call-home Tunneling

With WireGuard, a public key is the peer's identity, and the wg(4) pseudo-device can guarantee that packets arriving on a given interface did in fact arrive over an authenticated channel. Additionally, we can require that each peer use a specific internal address:

# jumphost/hostname.wg0
wgport 111 wgkey JUMP_HOST_PRIVATE_KEY
wgpeer ROAMING_HOST_PUBLIC_KEY wgaip 10.0.0.20/32
inet 10.0.0.1/24

# jumphost1.pln
ptp_link:
    ./rinstall -m 640 -o root:wheel jumphost/hostname.wg0 /etc/hostname.wg0 && sh /etc/netstart wg0

Additional wgpeer entries can be made for the same wg interface.

The parameters for a roaming host include an initiation endpoint:

# ptp/hostname.wg0
wgkey ROAMING_HOST_PRIVATE_KEY
wgpeer JUMP_HOST_PUBLIC_KEY wgendpoint proxy.eradman.com 111 wgaip 0.0.0.0/0
inet 10.0.0.20/24

To initiate our link, run a simple cron job that runs at a random minute four times hourly:

# user_ws_1.pln
ptp_link:
    ./rinstall -m 640 -o root:wheel ptp/hostname.wg0 /etc/hostname.wg0 && sh /etc/netstart wg0
user_cron:
    crontab - <<-EOF
    ~/10 * * * *  ping -c 1 10.0.0.1 > /dev/null
    EOF
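As an added example that is not part of the original page or of rset, the following POSIX sh/awk lint addresses the third problem listed at the top (testing a configuration before committing it): run it on a candidate hostname.wg0 before the rinstall line, so a jumphost file that gives a peer anything wider than a single /32 address, or a roaming file that could not call home, is never installed. The keys and the proxy hostname in the constructed samples are placeholders.

```shell
# Added example (not part of rset): lint a hostname.wg0 before rinstall copies
# it into place, so a mistake is caught before it is committed to a host.
# Usage: lint_wg0 jumphost|roaming FILE   (exit 1 and one line per violation)
# jumphost: one wgkey; each wgpeer pinned to one address by a /32 wgaip; no peer key twice.
# roaming:  one wgkey; exactly one wgpeer, and it must carry a wgendpoint to call home.
lint_wg0() {
    awk -v role="$1" '
    $1 ~ /^#/ { next }
    {
        pub = ""; aip = ""; ep = ""; peer = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "wgkey")      keys++
            if ($i == "wgpeer")     { peer = 1; pub = $(i+1) }
            if ($i == "wgaip")      aip = $(i+1)
            if ($i == "wgendpoint") ep = $(i+1)
        }
        if (!peer) next
        npeers++
        if (pub in seen) { print FILENAME ":" NR ": duplicate wgpeer " pub; bad++ }; seen[pub] = 1
        if (role == "jumphost") {
            if (aip == "")           { print FILENAME ":" NR ": wgpeer " pub " has no wgaip"; bad++ }
            else if (aip !~ /\/32$/) { print FILENAME ":" NR ": wgaip " aip " is not a /32"; bad++ }
        } else if (ep == "") {
            print FILENAME ":" NR ": roaming wgpeer " pub " has no wgendpoint"; bad++
        }
    }
    END {
        if (keys != 1) { print FILENAME ": expected exactly one wgkey, found " (keys+0); bad++ }
        if (role == "roaming" && npeers != 1) { print FILENAME ": roaming host needs exactly one wgpeer"; bad++ }
        exit (bad > 0)
    }' "$2"
}
# Constructed samples (placeholder keys) written into directory $1; broken.wg0 allows a
# peer a whole /24 and then lists the same peer again without any wgaip.
write_samples() {
    printf '%s\n' 'wgport 111 wgkey JUMP_HOST_PRIVATE_KEY' \
        'wgpeer ROAMING_HOST_PUBLIC_KEY wgaip 10.0.0.20/32' 'inet 10.0.0.1/24' > "$1/jumphost.wg0"
    printf '%s\n' 'wgkey ROAMING_HOST_PRIVATE_KEY' \
        'wgpeer JUMP_HOST_PUBLIC_KEY wgendpoint proxy.example 111 wgaip 0.0.0.0/0' \
        'inet 10.0.0.20/24' > "$1/roaming.wg0"
    printf '%s\n' 'wgport 111 wgkey JUMP_HOST_PRIVATE_KEY' \
        'wgpeer ROAMING_HOST_PUBLIC_KEY wgaip 10.0.0.0/24' 'wgpeer ROAMING_HOST_PUBLIC_KEY' \
        'inet 10.0.0.1/24' > "$1/broken.wg0"
}
# Demo: `sh lint_wg0.sh demo` lints the samples; broken.wg0 reports three problems.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); write_samples "$d"
    for f in jumphost roaming; do lint_wg0 "$f" "$d/$f.wg0" && echo "$f.wg0 ok"; done
    lint_wg0 jumphost "$d/broken.wg0" || echo "broken.wg0 rejected"
fi
```

In a plan file the lint can sit in front of the rinstall line on the same `&&` chain, so a rejected file never reaches /etc/hostname.wg0.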

SSH Proxy Setup

From inside our network we can use the standard ssh config to direct some connections through the jump host:

# .ssh/config
Host 10.0.0.20
    ProxyJump 192.168.0.2
    ConnectTimeout=5

Now we can run configuration against a remote host using the tunnel endpoint!

eval `ssh-agent`
ssh-add
rset 10.0.0.20