It was a lot of fun. I'm keeping this as a memo for myself.
I don't like changing the SSHD port, setting up Fail2Ban, or fiddling with AWS security groups, so I tried the recently popular WireGuard. This turned out to be really easy.
[Figure: a rough network diagram of reaching AWS from home over WireGuard]
Here, we use a micro instance of Amazon Linux 2.
```
$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
```
Create one AWS security group and assign it to the WireGuard EC2 instance. SSH access stays open only while setting things up; once WireGuard is working, delete the SSH rule so that UDP 51820 is the only port reachable from the internet.

Type | Protocol | Port range | Source | Description
---|---|---|---|---
SSH | TCP | 22 | 0.0.0.0/0 | (temporary, remove after setup)
Custom UDP rule | UDP | 51820 | 0.0.0.0/0 | wireguard-port
First, sign up at No-IP and create a DDNS hostname. After obtaining the DDNS hostname, install noip with yum and set the user name and password with noip2 -C.
Reference: https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/dynamic-dns.html

```
$ yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ yum install -y noip
$ /usr/sbin/noip2 -C
$ systemctl enable noip
```
Use the RHEL 7 repository from the official install page: https://www.wireguard.com/install/

```
$ curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
$ yum install wireguard-dkms wireguard-tools
```
Just in case, reboot once so the DKMS module is loaded.

```
$ reboot
```
Enable IP forwarding, both persistently in /etc/sysctl.conf and immediately with sysctl -w.

```
$ cat /etc/sysctl.conf | grep -v ^#
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
$ sysctl -w net.ipv4.ip_forward=1
$ sysctl -w net.ipv6.conf.all.forwarding=1
```
Since the configuration files under /etc are going to be edited a lot, put /etc under etckeeper.

```
$ yum install etckeeper
$ etckeeper init
Initialized empty Git repository in /etc/.git/
```
Create the private key for the server. tee creates the file with the current umask, so restrict it with chmod 600 right away (or run umask 077 first) so the private key is never world-readable.

```
$ wg genkey | tee /etc/wireguard/server.key
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
$ chmod 600 /etc/wireguard/server.key
```

Create the public key for the server.

```
$ cat /etc/wireguard/server.key | wg pubkey | tee /etc/wireguard/server.pub
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
$ chmod 600 /etc/wireguard/server.pub
```

Create the private key for the client (this one also needs chmod 600, and should be removed from the server once it has been copied to the client).

```
$ wg genkey | tee /etc/wireguard/client.key
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
```

Create the public key for the client.

```
$ cat /etc/wireguard/client.key | wg pubkey | tee /etc/wireguard/client.pub
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
```
First, check the NIC with the ip addr command. Note that the NIC is eth0; the PostUp/PostDown rules below refer to it.

```
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 06:9a:51:f1:23:ca brd ff:ff:ff:ff:ff:ff
    inet 172.31.45.164/20 brd 172.31.47.255 scope global dynamic eth0
       valid_lft 2382sec preferred_lft 2382sec
    inet6 fe80::49a:51ff:fef1:23ca/64 scope link
       valid_lft forever preferred_lft forever
```
Create /etc/wireguard/wg0.conf.

```
$ cat /etc/wireguard/wg0.conf
[Interface]
# server-private-key
PrivateKey = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
Address = 192.168.90.1
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# clients-public-key
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
AllowedIPs = 192.168.90.0/24
```
The meaning of the setting items is as follows.

[Interface]
- PrivateKey: the server's private key
- Address: the IP address of the WireGuard server on the tunnel
- ListenPort: the WireGuard UDP port (the one opened in the security group)
- PostUp: adds the iptables rules for IP masquerading when the interface comes up; specify the NIC checked earlier (eth0)
- PostDown: deletes the iptables rules added in PostUp when the interface is stopped

[Peer]
- PublicKey: the client's public key
- AllowedIPs: the network addresses used by WireGuard (traffic from this peer is accepted only from these source addresses, and these addresses are routed to it)
After completing the settings, start WireGuard and enable it at boot.

```
$ systemctl enable --now wg-quick@wg0
```
I want to resolve AWS-internal FQDNs such as ip-172-31-47-99.ap-northeast-1.compute.internal from home, so install unbound as a forwarding resolver.

```
$ yum install unbound
```

Note the AWS nameserver IP.

```
$ cat /etc/resolv.conf | grep ^namese
nameserver 172.31.0.2
```
Make /etc/unbound/unbound.conf look like this. Note that interface: 0.0.0.0 together with access-control: 0.0.0.0/0 allow makes unbound answer any source on every interface, eth0 included; only the security group (which opens no port 53) keeps it from being reachable from outside the VPC.

```
$ cat /etc/unbound/unbound.conf | grep -v ^$
server:
    interface: 0.0.0.0
    interface-automatic: yes
    do-ip4: yes
    do-ip6: no
    access-control: 0.0.0.0/0 allow
    access-control: 127.0.0.1 allow
    #verbosity: 5
    verbosity: 1
    private-domain: "shikumis.com"
remote-control:
    control-enable: yes
    # control-port: 8953
    server-key-file: "/etc/unbound/unbound_server.key"
    # unbound server certificate file.
    server-cert-file: "/etc/unbound/unbound_server.pem"
    # unbound-control key file.
    control-key-file: "/etc/unbound/unbound_control.key"
    # unbound-control certificate file.
    control-cert-file: "/etc/unbound/unbound_control.pem"
# Stub and Forward zones
include: /etc/unbound/conf.d/*.conf
forward-zone:
    name: "."
    forward-addr: 172.31.0.2
```
Start unbound and enable it at boot.

```
$ systemctl enable --now unbound
```
Download and install the Windows installer from https://www.wireguard.com/install/
Launch the WireGuard client, choose "Add tunnel" -> "Add empty tunnel" at the bottom left, and enter the following settings.
```
[Interface]
# client-private-key
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 192.168.90.10/32
DNS = 192.168.90.1
[Peer]
# server-public-key
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 192.168.90.1/32, 172.31.16.0/20, 172.31.32.0/20, 172.31.0.0/20
Endpoint = hoge.example.jp:51820
PersistentKeepalive = 25
```
The meaning of the setting items is as follows.

[Interface]
- PrivateKey: the client's private key
- Address: the client's address on the tunnel
- DNS: the resolver to use while the tunnel is up (the WireGuard server, which runs unbound)

[Peer]
- PublicKey: the server's public key
- AllowedIPs: the addresses routed into the tunnel: the server's tunnel address and the VPC subnets
- Endpoint: the server's DDNS hostname and WireGuard port
- PersistentKeepalive: send a keepalive every 25 seconds so the NAT mapping at home stays open
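As an added check that is not part of the original post, the following Python script parses a wg-quick config such as the server's wg0.conf above or the client tunnel and flags the mistakes that bite in this setup: a ListenPort that does not match the security group's UDP 51820, a PostUp iptables rule without its PostDown mirror (so NAT rules linger after the tunnel is stopped), and a DNS server that is not inside any AllowedIPs (so the client's queries bypass the tunnel). The embedded config is the post's server config with its placeholder keys; everything else is assumed.

```python
import ipaddress

# Constructed sample: the server-side wg0.conf from the post, with its placeholder keys.
SERVER_CONF = """
[Interface]
PrivateKey = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
Address = 192.168.90.1
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
AllowedIPs = 192.168.90.0/24
"""

def parse_wg_conf(text):
    """Parse wg-quick INI text into [(section, {key: [values]})], ignoring # comments."""
    sections = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("["):
            sections.append((line.strip("[]"), {}))
            continue
        key, _, value = line.partition("=")  # first '=' only: base64 keys end in '='
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections

def _split(kv, field, sep):
    """All values of a repeatable field, joined, split on sep, stripped, empties dropped."""
    return [p.strip() for p in sep.join(kv.get(field, [])).split(sep) if p.strip()]

def lint_wg_conf(text, udp_port=51820):
    """Return a list of problems; an empty list means every check passed."""
    problems, dns, allowed = [], [], []
    for name, kv in parse_wg_conf(text):
        if name == "Interface":
            if "ListenPort" in kv and int(kv["ListenPort"][0]) != udp_port:
                problems.append(f"ListenPort is not the security group's UDP {udp_port}")
            # every 'iptables -A' in PostUp needs its '-D' mirror in PostDown, or rules linger after stop
            up = {r.replace(" -A ", " -D ") for r in _split(kv, "PostUp", ";")}
            missing = up - set(_split(kv, "PostDown", ";"))
            problems += [f"PostUp rule has no PostDown counterpart: {r}" for r in sorted(missing)]
            dns += [ipaddress.ip_address(d) for d in _split(kv, "DNS", ",")]
        elif name == "Peer":
            allowed += [ipaddress.ip_network(c) for c in _split(kv, "AllowedIPs", ",")]
    # a client's DNS server must lie inside some AllowedIPs, or its queries bypass the tunnel
    problems += [f"DNS {d} is not routed through the tunnel" for d in dns if not any(d in n for n in allowed)]
    return problems
```

Run it over a config file's contents before bringing the tunnel up; an empty list means the three checks passed.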
Click "Activate" in the GUI to connect.
Check name resolution and routing at the command prompt.

```
>nslookup ip-172-31-47-99.ap-northeast-1.compute.internal
Server:  UnKnown
Address:  192.168.90.1

Non-authoritative answer:
Name:    ip-172-31-47-99.ap-northeast-1.compute.internal
Address:  172.31.47.99

>route print -4 | findstr /i 172.31
172.31.0.0      255.255.240.0     on link   192.168.80.11   5
172.31.15.255   255.255.255.255   on link   192.168.80.11   261
172.31.16.0     255.255.240.0     on link   192.168.80.11   5
172.31.31.255   255.255.255.255   on link   192.168.80.11   261
172.31.32.0     255.255.240.0     on link   192.168.80.11   5
172.31.47.255   255.255.255.255   on link   192.168.80.11   261
```