VPN
***

Server
======

.. note:: When creating the VPN server, prefix the host name with ``vpn-`` so the Salt states pick up the correct defaults.

Client (Linux)
==============

Run the ``salt-minion-setup`` script (to add the server to the KB VPN) (it should be in the ``~/Private/scripts/src`` folder):

- The ``salt-minion-setup`` script creates the private and public keys on the client and displays the public key on the screen.
- These need to be added to the ``sites/vpn-my.sls`` pillar file on the Salt master.
- Apply the states.
- Restart the interface (``wg-quick down wg0 && wg-quick up wg0``).

.. tip:: Don't forget to set up the :ref:`firewall_wireguard`

Client (Windows)
================

Download and install WireGuard: https://www.wireguard.com/install/

Log in as an administrator and *Create a new connection* (*Add empty tunnel*).
This will create an ini file with a public and private key.

Copy the *Public key* to your Salt master and configure the pillar for your VPN server, e.g.::

  cd /srv/pillar
  vim sites/vpn-my.sls

Add the IP address to the ``dns``, ``zones`` and ``vpn`` sections, e.g.:

.. code-block:: yaml

  server_meta:
    dns:
      zones:
        - name: db.my.vpn
          entries:
            - { name: '', type: A, value: 10.10.3.1 }
            - { name: my-test-laptop, type: A, value: 10.10.3.101 }
    vpn:
      peers:
        my-test-laptop:
          PublicKey:
          AllowedIPs: 10.10.3.101/32

Apply the salt state...

Back to the WireGuard Windows client...

Add the following to the connection (adjusting to match your network)::

  Address = 10.10.3./32
  DNS = 10.10.3.1

  [Peer]
  PublicKey =
  AllowedIPs = 10.10.3.0/24
  Endpoint = vpn-my.hatherleigh.info:51820
  PersistentKeepalive = 25

.. image:: ./misc/2021-03-18-vpn-edit.png

*Save* and *Activate*

.. image:: ./misc/2021-03-18-vpn-detail.png

Troubleshooting
===============

Connection issues
-----------------

The ``PublicKey`` in the ``Peer`` section of the configuration is the public key of the *server*, not the workstation::

  [Peer]
  PublicKey = abc123...
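The hand-off between the pillar on the Salt master and the tunnel pasted into the Windows client is where most of the mistakes above happen (an unfilled last octet in ``Address``, the workstation's own key pasted into ``[Peer]``, an IP that is in ``vpn.peers`` but not in the ``dns`` zone). The script below is an added example, not code from this page or from the Salt states it describes: it parses a client tunnel file and compares it with the pillar rendered as a Python dict of the same shape as ``server_meta`` in ``sites/vpn-my.sls``. All keys and addresses in it are constructed, and the peer name ``my-test-laptop`` is taken from the pillar example above.

```python
"""Check a WireGuard client tunnel against the Salt pillar it was generated from.
Added example, not part of the page or its Salt states; keys and addresses are constructed."""
import base64
import ipaddress

# Constructed keys: 32 arbitrary bytes, base64-encoded (NOT real keys).
SERVER_PUBKEY = base64.b64encode(b"S" * 32).decode()
LAPTOP_PUBKEY = base64.b64encode(b"L" * 32).decode()

# Pillar as Salt renders it: same shape as server_meta in sites/vpn-my.sls (constructed).
PILLAR = {"server_meta": {
    "dns": {"zones": [{"name": "db.my.vpn", "entries": [
        {"name": "", "type": "A", "value": "10.10.3.1"},
        {"name": "my-test-laptop", "type": "A", "value": "10.10.3.101"},
    ]}]},
    "vpn": {"peers": {"my-test-laptop": {"PublicKey": LAPTOP_PUBKEY,
                                         "AllowedIPs": "10.10.3.101/32"}}},
}}

# Constructed client tunnel, in the layout the Windows client writes.
CLIENT_CONF = f"""
[Interface]
PrivateKey = REDACTED-not-needed-by-this-check
Address = 10.10.3.101/32
DNS = 10.10.3.1

[Peer]
PublicKey = {SERVER_PUBKEY}
AllowedIPs = 10.10.3.0/24
Endpoint = vpn-my.hatherleigh.info:51820
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse an INI-style WireGuard config into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=': base64 keys end in '='
            current[key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return sections


def is_wg_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def check_client_against_pillar(conf_text, pillar, peer_name):
    """Return a list of mismatches between the client tunnel and the pillar ([] if consistent)."""
    conf = parse_wg_conf(conf_text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    meta = pillar["server_meta"]
    pillar_peer = meta["vpn"]["peers"].get(peer_name)
    if pillar_peer is None:
        return [f"no peer {peer_name!r} under vpn.peers in the pillar"]
    findings = []
    # Address must be the /32 the pillar allows for this peer; an unfilled last
    # octet left over from the template ("10.10.3./32") fails to parse here.
    try:
        addr = ipaddress.ip_interface(iface.get("Address", ""))
    except ValueError:
        addr = None
        findings.append("Interface.Address is missing or incomplete")
    if addr is not None and str(addr) != pillar_peer["AllowedIPs"]:
        findings.append(f"Interface.Address {addr} != pillar AllowedIPs {pillar_peer['AllowedIPs']}")
    # [Peer] PublicKey must be the server's key, never the workstation's own.
    peer_key = peer.get("PublicKey", "")
    if not is_wg_key(peer_key):
        findings.append("Peer.PublicKey is missing or not a 32-byte base64 key")
    elif peer_key == pillar_peer.get("PublicKey"):
        findings.append("Peer.PublicKey is the workstation's own key, not the server's")
    # DNS: the client resolves via the zone apex (the server) and has its own A record.
    records = {e["name"]: e["value"] for e in meta["dns"]["zones"][0]["entries"] if e["type"] == "A"}
    server_ip = records.get("")
    if iface.get("DNS") != server_ip:
        findings.append(f"Interface.DNS {iface.get('DNS')!r} != zone apex {server_ip!r}")
    if addr is not None and records.get(peer_name) != str(addr.ip):
        findings.append(f"no A record for {peer_name} -> {addr.ip} in the dns zone")
    # AllowedIPs must cover the server, or its traffic never enters the tunnel.
    allowed = [ipaddress.ip_network(a.strip()) for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    if server_ip and not any(ipaddress.ip_address(server_ip) in n for n in allowed):
        findings.append(f"Peer.AllowedIPs does not cover the server {server_ip}")
    return findings


if __name__ == "__main__":
    print(check_client_against_pillar(CLIENT_CONF, PILLAR, "my-test-laptop") or "OK")
```

Run it with the real tunnel file's text and the pillar loaded from ``sites/vpn-my.sls`` (a YAML loader is the only extra dependency); each finding names the field that disagrees, which is quicker than reading the WireGuard log after the tunnel has silently failed to hand-shake.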
DNS
---

Restart the laptop or::

  sudo -i
  wg-quick down wg0 && wg-quick up wg0

.. tip:: Does ``sudo wg show`` display more than one VPN tunnel?
   MD is running 22.04 and name resolution has changed since 20.04 (``systemd-resolve`` no longer exists; it has been replaced with ``resolvectl``) (perhaps there are other changes under the hood that help with having multiple tunnels).

Unstable connection
-------------------

Check to make sure you are not using the configuration in two (or more) places!

Malcolm says:

  Yes, the VPN configuration file specifies the IP address, so two VPN connections using the same config will constantly break each other.