vpn

WireGuard

Server

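sudo apt install -y wireguard

# Key generation has to run as root: /etc/wireguard is root-only and the
# private key must stay that way (umask 077 -> new files are created 0600).
# The `|| exit` guard keeps the keys from landing in the wrong directory
# (the current one) if the cd fails.
sudo -i
cd /etc/wireguard || exit 1
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
# Paste the contents of `privatekey` into the PrivateKey line of wg0.conf and
# hand `publickey` to the clients; the private key never leaves this host.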
 
/etc/wireguard/wg0.conf
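[Interface]
# Tunnel address of the server; clients get other addresses in 192.168.6.0/24.
Address = 192.168.6.1/24
# Must match the firewall rule opened below (1194/udp).
ListenPort = 1194
# Contents of /etc/wireguard/privatekey. Keep this file root-only (0600) and
# never paste the real key into notes, tickets or repositories.
PrivateKey = <contents of /etc/wireguard/privatekey>
# Forward tunnel traffic and NAT it out of the uplink (ens3 here; adjust to
# the real WAN interface). MASQUERADE only has an effect once kernel IP
# forwarding (net.ipv4.ip_forward=1) is enabled on the host.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
# One [Peer] block per client: its public key and the single tunnel address
# it may use. AllowedIPs also filters the source address of incoming packets
# from this peer (cryptokey routing), so keep it a /32 per client.
PublicKey = wL+h2EqxaQpcWgwO8SIXPGqhHgssvj9xqjHAPjYLJ28=
AllowedIPs = 192.168.6.2/32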
 
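# Open the port configured as ListenPort in wg0.conf.
sudo ufw allow 1194/udp
sudo ufw status

# The PostUp MASQUERADE rule only routes client traffic once kernel IP
# forwarding is on; wg-quick does not enable it for you. Persist it as well.
sudo sysctl -w net.ipv4.ip_forward=1
echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-wireguard.conf

# enable at boot and bring the tunnel up now
sudo systemctl enable --now wg-quick@wg0
sudo systemctl status wg-quick@wg0

# watch handshakes and transfer counters (root is needed to read the interface)
sudo watch -n1 wg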

Client

Create an AnyConnect-compatible (openconnect) VPN connection from the command line with nmcli

Create connection

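# Gateway, login name and the networks that should be reached through the tunnel.
VPN_GATEWAY=vpn1.example.com
VPN_USER=foo
VPN_ROUTES=192.168.11.0/24

# The client certificate's private key is only needed by this user's own
# session; make sure nothing else on the box can read it.
chmod 600 "${HOME}/vpn1/priv.pem"

# Notes on the profile below:
# - connection.permissions limits the profile to the current user.
# - ipv4.routes + ipv4.ignore-auto-routes give a split tunnel: only
#   ${VPN_ROUTES} is sent through the VPN, routes pushed by the gateway are
#   ignored.
# - authtype=cert authenticates with the client certificate; the CA given as
#   cacert is what the gateway's certificate is checked against.
# - save_passwords=yes keeps the password in NetworkManager's secret storage
#   after the first successful login; drop it if that is not wanted.
nmcli connection add \
    connection.id vpn1 \
    connection.type vpn \
    connection.permissions "user:${USER}" \
    ipv4.routes "${VPN_ROUTES}" \
    ipv4.ignore-auto-routes yes \
    vpn.service-type org.freedesktop.NetworkManager.openconnect \
    vpn.data "
        protocol = anyconnect,
        authtype = cert,
        gateway = ${VPN_GATEWAY},
        cacert = ${HOME}/vpn1/ca.pem,
        usercert = ${HOME}/vpn1/certificate.pem,
        userkey = ${HOME}/vpn1/priv.pem,
        cookie-flags = 2
    " \
    vpn.secrets "
        form:main:group_list=CLIENTGROUP,
        form:main:username=${VPN_USER},
        save_passwords=yes
    "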

Start the connection; with save_passwords=yes the password is asked for only on the first connect and then stored by NetworkManager

# bring the profile up by its connection id
nmcli con up id vpn1

Debug

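# Follow NetworkManager's log. The commented form filters on one connection
# UUID (take it from `nmcli con show vpn1`); the second shows everything NM logs.
#journalctl -fxe NM_CONNECTION=8d5ec3cb-99c5-47ea-84e2-38174cd14702
journalctl -fxe -t NetworkManager

# The profile file is root-only, and with save_passwords=yes it may also hold
# the VPN password under [vpn-secrets] -- do not paste its contents anywhere.
sudo cat /etc/NetworkManager/system-connections/vpn1.nmconnection
nmcli con show vpn1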

Links
https://0xsys.blogspot.com/2019/06/configure-vpn-using-nmcli.html

LXD: Create WireGuard container

Create container

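CONTAINER=wireguard

# Add the ubuntu-minimal image server
lxc remote add --protocol simplestreams ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/

# Create the LXD container
#lxc launch ubuntu-minimal:lts "${CONTAINER}"
lxc launch ubuntu-minimal:22.04 "${CONTAINER}"

# Pass the proxy through as an environment variable instead of splicing
# ${http_proxy} into a `bash -c` string, where shell metacharacters in the
# proxy URL would be interpreted inside the container. An unset proxy just
# yields an empty variable, as before.
lxc exec "${CONTAINER}" --env "http_proxy=${http_proxy:-}" -- bash -c 'apt update && apt -y dist-upgrade && apt -y autoremove'

# Install the WireGuard userspace tools. The wireguard kernel module comes
# from the host kernel (the container cannot load modules), so it has to be
# available there.
lxc exec "${CONTAINER}" --env "http_proxy=${http_proxy:-}" -- bash -c 'apt install -y wireguard iptables iputils-ping'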

Configure a UDP 51820 port forward from the host to the WireGuard container

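# Expose the container's WireGuard port on all host addresses. The ListenPort
# in the container's wg0.conf must be 51820 to match. Without nat=true the
# proxy relays the datagrams itself, so the endpoint address WireGuard sees
# inside the container is the proxy's, not the real peer's.
lxc config device add "${CONTAINER}" udp51820 proxy listen=udp:0.0.0.0:51820 connect=udp:127.0.0.1:51820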

Configure WireGuard

Site-to-site IPsec VPN between an OpenStack VPNaaS router and an AVM FRITZ!Box

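FRITZBOX_WAN_IP=111.1.2.3  # curl ipinfo.io/ip
FRITZBOX_CIDR=192.168.178.0/24
OS_USER=foo
PROJECT_ID=xxxxxxxxxxxxxx
# Pre-shared key, e.g. generated with: apg -m 32 -a1
# It is passed on the command line below, so it ends up in shell history and
# is visible in `ps` while the command runs; use a fresh one per connection.
PSK='PASS1234'

# IKE (phase 1) and IPsec (phase 2) proposals. DH group2 (1024-bit MODP) is
# considered too weak today; group14 (2048-bit) is the usual minimum. Only
# fall back to group2 if the FRITZ!Box firmware cannot negotiate group14.
openstack vpn ike policy create "${OS_USER}-ike-aes256-sha512" \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha512 \
  --pfs group14

openstack vpn ipsec policy create "${OS_USER}-ipsec-aes256-sha512" \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha512 \
  --pfs group14

# Router that terminates the tunnel (the list form returns every router in
# the project -- pick the right one if there are several).
# openstack router list
# ROUTER_ID=$(openstack router list -c ID -f value)
: "${ROUTER_ID:?set ROUTER_ID to the UUID of the router}"
openstack vpn service create "${OS_USER}-vpn-service1" \
  --router "${ROUTER_ID}" \
  -c external_v4_ip \
  -f value

# Local subnet behind that router.
# openstack subnet list
# SUBNET_ID=$(openstack subnet list -c ID -f value --name ${OS_USER}-subnet)
: "${SUBNET_ID:?set SUBNET_ID to the UUID of the local subnet}"
openstack vpn endpoint group create "${OS_USER}-vpn-endpoint-local" \
  --type subnet \
  --value "${SUBNET_ID}"

# Remote network behind the FRITZ!Box.
openstack vpn endpoint group create "${OS_USER}-vpn-endpoint-peer" \
  --type cidr \
  --value "${FRITZBOX_CIDR}"

# --peer-id must equal the identity the FRITZ!Box presents (its WAN IP here).
openstack vpn ipsec site connection create "${OS_USER}-vpn-conn1" \
  --vpnservice "${OS_USER}-vpn-service1" \
  --ikepolicy "${OS_USER}-ike-aes256-sha512" \
  --ipsecpolicy "${OS_USER}-ipsec-aes256-sha512" \
  --peer-address "${FRITZBOX_WAN_IP}" \
  --peer-id "${FRITZBOX_WAN_IP}" \
  --psk "${PSK}" \
  --local-endpoint-group "${OS_USER}-vpn-endpoint-local" \
  --peer-endpoint-group "${OS_USER}-vpn-endpoint-peer"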
 

OpenStack Debug VPN connection

Find the VPN server and the relevant router UUID

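# Find the VPN connection: by the user name in its name, or by project ID
# (both variables are set in the creation section above; :? fails loudly
# instead of grepping for an empty string when they are not).
openstack vpn ipsec site connection list | grep "${OS_USER:?}"
openstack vpn ipsec site connection list --long | grep "${PROJECT_ID:?}"

VPN_CONNECTION_ID=142dc25f-13bb-4fda-b093-edf13df98ed8
openstack vpn ipsec site connection show "${VPN_CONNECTION_ID}"

# connection -> VPN service
VPN_SERVICE_ID=$(openstack vpn ipsec site connection show "${VPN_CONNECTION_ID}" -c 'VPN Service' -f value)
openstack vpn service show "${VPN_SERVICE_ID}"

# VPN service -> router that hosts the tunnel
ROUTER_ID=$(openstack vpn service show "${VPN_SERVICE_ID}" -c Router -f value)
echo "ROUTER_ID=${ROUTER_ID}"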

Find the control node where the router's active qrouter namespace is running

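# The router's external gateway port is bound to the node running the
# qrouter namespace. The column is spelled ID, as in the other commands on
# this page; a lower-case `id` may select no column with newer clients.
ROUTER_PORT_ID=$(openstack port list --device-owner network:router_gateway -f value -c ID --router "${ROUTER_ID}")
CONTROL_NODE=$(openstack port show "${ROUTER_PORT_ID}" -c binding_host_id -f value)
echo "CONTROL_NODE: ${CONTROL_NODE}"

# Print (not run) the command that lists the addresses inside the namespace
echo "ssh ${CONTROL_NODE} sudo ip netns exec qrouter-${ROUTER_ID} ip a s"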

Connect to that control node and enter its neutron-l3-agent Docker container, which owns the qrouter namespace, to inspect the tunnel from the inside

OpenStack: VPNaaS (VPN)

# Inventory of the VPNaaS objects visible to the current project
openstack vpn ike policy list
openstack vpn ipsec policy list
openstack vpn service list
openstack vpn endpoint group list
openstack vpn ipsec site connection list

# External IPs of the VPN services, then the full record of every service
# and every site connection
openstack vpn service list --long
openstack vpn service list -c ID -f value \
  | xargs -I '{}' openstack vpn service show '{}'
openstack vpn ipsec site connection list -c ID -f value \
  | xargs -L1 openstack vpn ipsec site connection show

Check VPN peer address