The Setup Part 1: Skyhook

Now that I’ve got my “this is my first blog post, what now?” post out of the way, I guess I need one of those “this is my sweet tech setup” posts.

There are so many things to write about when it comes to the stack the blog is running on, and I might as well start off strong, right? So here it is, my new blog series like a real-life blog!

The Network Setup

Since 2015 I’ve run most of my public-facing stuff from a VPS with Digital Ocean (which has been pretty excellent). I have some old hardware lying around at home that serves things internally, and I never felt like having my home network serve as a public touchpoint.

BUT! I read one day about the niftiest thing - the skyhook. It gave me an idea - it would be easy to use my own network “skyhook” to lower packets in flight gently to my home LAN without having to worry about DDoS or whether or not I’ve done my due diligence at the firewall. Right now I’ve got it blocking all incoming and it’s dead simple to manage. If I start trying to port forward and all the rest it would be more complicated. As an added perk I could maybe save a little cash on my Digital Ocean bill.

Here’s what I wanted:

  1. My current VPS to continue as the public gateway at https://yaysh.net, including terminating TLS (and downsize the specs after work was done)
  2. Tunnel securely back home so I could allow the web server to hand off traffic to an insecure backend without overly complicating the firewall rules

So how do you make a network cable long enough to reach all the way to the cloud? The answer is a VPN.

Secret tunnels

I run OpenVPN already for myself and a few others as an endpoint for when I head to a coffee shop or a hotel (wrap your traffic up, folks). I like it for what it can do, but for this I just didn’t want to spin up yet another CA, all the glue for coming up with client configs, and have to worry about misconfiguration, secure cipher suites, cert revocation, etc.

At work we use SELinux-labeled IPSec/IKEv2 tunnels with RHEL’s Libreswan, and boy, if I never have to touch another IPSec-aware tunnel ever again, I would die happy.

I didn’t really feel all that jazzed about going with what I knew. So I decided it was time to try out Wireguard that I keep hearing about - especially since it was just released in the mainline Linux kernel 5.6.

Wireguard was a breeze to set up. I should write up a blog post about turning it on (read in Part 2). Goodbye easy-rsa and goodbye system_u:object_r:ipsec_spd_t:s0-s0:c0.c1023. My Wireguard point-to-point tunnel is humming along nicely, complete with soothing Muzak. One peer is my hosted VPS and the other is my almost 10-year-old Inspiron laptop running Alpine 3.12.

Netfilter and chill

All that was left was to set some nftables rules to allow HTTP traffic on my shiny new Wireguard interface, wg0, from my home server:

table inet filter {
    chain input {
        # base chain on the input hook (packets addressed to this host); the
        # chain's policy and the rest of its rules are not shown here
        type filter hook input priority 0;
        # HTTP is only accepted when it arrives over the tunnel interface
        iifname wg0 tcp dport http accept
    }
}

I used slightly more specific rules on my VPS endpoint to only allow new connections to be forwarded down the skyhook and only allow established/related connections to be forwarded back. Right now it’s only serving static content, like this blog, and there shouldn’t be any persistent connections down the tunnel (at least not for now).

define wan_iface = ens3
define wan_ip = <PUBLIC IP ADDRESS>
define wg_iface = wg0
define wg_subnet = 10.0.0.0/24

table inet filter {
    chain forward {
        # base chain on the forward hook (packets routed through this host)
        type filter hook forward priority 0;
        # down the skyhook: only connection-opening packets bound for the tunnel subnet
        iifname $wan_iface oifname $wg_iface ip daddr $wg_subnet ct state new accept
        # back up: only packets belonging to connections conntrack already knows about
        iifname $wg_iface oifname $wan_iface ip daddr $wan_ip ct state {established, related} accept
    }
}
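To make the stateful split above concrete, here is a small Python evaluator of those two forward rules over a few constructed packets (an added example, not the blog's config or nft itself; the public IP is a constructed placeholder for the blog's `<PUBLIC IP ADDRESS>`):

```python
"""Evaluate the two forward-chain rules from the post against sample packets.
Only the match logic is modelled; the chain's policy is whatever falls through."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The post's defines; the WAN address is a constructed stand-in (TEST-NET-3).
WAN_IFACE, WG_IFACE = "ens3", "wg0"
WAN_IP = ip_address("203.0.113.10")
WG_SUBNET = ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    iif: str        # input interface name
    oif: str        # output interface name (known in the forward hook)
    daddr: str      # destination address
    ct_state: str   # conntrack state: new, established, related or invalid


def forward_verdict(pkt: Packet) -> str:
    """Return "accept" if either forward rule matches, else "policy"
    (meaning the packet is left to the chain's default policy)."""
    daddr = ip_address(pkt.daddr)
    # Rule 1: WAN -> tunnel, only the packet that opens a connection to the wg subnet
    if (pkt.iif == WAN_IFACE and pkt.oif == WG_IFACE
            and daddr in WG_SUBNET and pkt.ct_state == "new"):
        return "accept"
    # Rule 2: tunnel -> WAN, only traffic on connections conntrack already tracks
    if (pkt.iif == WG_IFACE and pkt.oif == WAN_IFACE
            and daddr == WAN_IP and pkt.ct_state in ("established", "related")):
        return "accept"
    return "policy"


# Constructed sample flows, one per case worth checking.
SAMPLES = {
    "client opens connection down the skyhook": Packet("ens3", "wg0", "10.0.0.2", "new"),
    "reply on a tracked connection back up":    Packet("wg0", "ens3", "203.0.113.10", "established"),
    "home LAN tries to open a connection out":  Packet("wg0", "ens3", "198.51.100.7", "new"),
    "client's later packet on the same flow":   Packet("ens3", "wg0", "10.0.0.2", "established"),
    "new connection to an address outside wg":  Packet("ens3", "wg0", "192.168.1.5", "new"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:45s} -> {forward_verdict(pkt)}")
```

Note that the fourth sample falls through to the policy: once a connection is tracked, a client's follow-up packets are `established`, not `new`, so a chain with a drop policy needs a general `ct state established,related accept` rule ahead of these two unless one already exists elsewhere in the ruleset.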

FIN

The last thing to do was set my VPS running Nginx to hand off traffic to the Wireguard interface, where my simple webserver is listening at the other end.

server {
    listen 443 ssl http2;
    server_name randconfig.com;

    ssl_certificate /path/to/cert;
    ssl_certificate_key /path/to/key;

    location / {
        # hand everything off, in the clear, to the home server's tunnel address;
        # an nginx variable here would need a "set" first, so use the literal peer IP
        proxy_pass http://<WIREGUARD PEER IP>;
    }
}

And we’re in business! At least if you’re reading what I’m writing right now, it’s working. I wrote up the (short) Wireguard setup in PART 2 of this fabulous series.

Jared

100 days: Day 2