VPN

Server

Note

When creating the VPN server, prefix the host name with vpn- so the Salt states pick up the correct defaults.

Client (Linux)

Run the salt-minion-setup script to add the server to the KB VPN (the script should be in the ~/Private/scripts/src folder):

  • The salt-minion-setup script creates the WireGuard private and public keys on the client and displays the public key on the screen.

  • Add that public key as a peer in the sites/vpn-my.sls pillar file on the Salt master.

  • Apply the states.

  • Restart the interface (wg-quick down wg0 && wg-quick up wg0).

Tip

Don’t forget to set up the Wireguard - Configuration

Client (Windows)

Download and install Wireguard https://www.wireguard.com/install/

Log in as an administrator and create a new connection (Add empty tunnel). This creates an ini-style tunnel configuration containing a freshly generated private key and the matching public key.

Copy the Public key to your Salt master and configure the pillar for your VPN server e.g:

cd /srv/pillar
vim sites/vpn-my.sls

Add the workstation’s public key and its VPN IP address to the dns zones and vpn peers sections, e.g.:

server_meta:
  dns:
    zones:
      - name: db.my.vpn
        entries:
          - { name: '',              type: A,    value: 10.10.3.1 }
          - { name: my-test-laptop,  type: A,    value: 10.10.3.101 }

  vpn:
    peers:
      my-test-laptop:
        PublicKey: <public key of your windows workstation>
        AllowedIPs: 10.10.3.101/32

Apply the salt state…

Back to the Wireguard Windows client…

Add the following to the tunnel the client generated: Address and DNS go in the existing [Interface] section (keep the PrivateKey line the client wrote), and the [Peer] section is new. The Address must be the same /32 you put in AllowedIPs for this peer in the pillar. Adjust the values to match your network:

Address = 10.10.3.<Free node number>/32
DNS = 10.10.3.1

[Peer]
PublicKey = <public key of your VPN server>
AllowedIPs = 10.10.3.0/24
Endpoint = vpn-my.hatherleigh.info:51820
PersistentKeepalive = 25
[screenshot: 2021-03-18-vpn-edit.png, editing the tunnel]

Save and Activate

[screenshot: 2021-03-18-vpn-detail.png, the active tunnel]

Troubleshooting

Connection issues

The PublicKey in the [Peer] section of the workstation configuration is the public key of the server, not of the workstation (the workstation’s own public key belongs in the pillar on the Salt master, not in its own [Peer] section):

[Peer]
PublicKey = abc123...
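As an added check, not part of this page or of the KB Salt states, the following POSIX shell script compares a client's WireGuard config with the vpn pillar and reports the mistakes this Troubleshooting section describes: the server's key missing from [Peer] (or the workstation's own key pasted there), an Address that is not a /32 or lies outside the AllowedIPs network, and, generalizing the "Unstable connection" item below, two pillar peers given the same address. It assumes the two-space YAML layout of sites/vpn-my.sls shown above and a /24 tunnel network; the file names, peer name and keys it uses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the page or of the KB Salt states: check a
# WireGuard client config against the vpn pillar before activating it.
# Assumptions: the pillar uses the two-space layout shown above, the tunnel
# network is a /24, and file names, peer name and keys are constructed here.

# Print the value of KEY in [SECTION] of an INI-style WireGuard config.
wg_ini_get() {                                  # args: conf section key
    awk -v sect="[$2]" -v key="$3" '
        BEGIN { pat = "^[ \t]*" key "[ \t]*=" }
        $0 == sect { in_sect = 1; next }
        /^\[/      { in_sect = 0 }
        in_sect && $0 ~ pat { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Print "name public-key allowed-ips" for each peer under vpn: peers:.
pillar_peers() {                                # arg: pillar .sls file
    awk '
        /^  vpn:/               { in_vpn = 1; next }
        /^  [^ ]/               { in_vpn = 0 }
        in_vpn && /^      [^ ]/ { name = $1; sub(/:$/, "", name) }
        in_vpn && /PublicKey:/  { pk = $2 }
        in_vpn && /AllowedIPs:/ { print name, pk, $2 }
    ' "$1"
}

# Return 0 if CONF is consistent with PILLAR for peer NAME, 1 otherwise.
check_wg_client() {                             # args: conf pillar name
    conf=$1 pillar=$2 me=$3 rc=0
    address=$(wg_ini_get "$conf" Interface Address)
    peer_pk=$(wg_ini_get "$conf" Peer PublicKey)
    allowed=$(wg_ini_get "$conf" Peer AllowedIPs)
    my_pk=$(pillar_peers "$pillar" | awk -v me="$me" '$1 == me { print $2 }')
    my_ip=$(pillar_peers "$pillar" | awk -v me="$me" '$1 == me { print $3 }')

    case $address in
        */32) ;;
        *) echo "Address '$address' must be a single host (/32)"; rc=1 ;;
    esac
    # The pillar's AllowedIPs for this peer must be the address the client uses.
    [ "$address" = "$my_ip" ] ||
        { echo "Address $address does not match pillar AllowedIPs '$my_ip' for $me"; rc=1; }
    # The address must lie inside the network routed through the tunnel (/24 assumed).
    case $address in
        "${allowed%.*}".*) ;;
        *) echo "Address $address is outside AllowedIPs $allowed"; rc=1 ;;
    esac
    # [Peer] PublicKey is the server's key; pasting the workstation's own key
    # here is the mistake described under "Connection issues".
    [ -n "$peer_pk" ] || { echo "[Peer] PublicKey is missing"; rc=1; }
    [ "$peer_pk" != "$my_pk" ] ||
        { echo "[Peer] PublicKey is the workstation's own key, not the server's"; rc=1; }
    # Two peers on one address fight over it, just like one config used twice.
    dups=$(pillar_peers "$pillar" | awk '{ print $3 }' | sort | uniq -d)
    [ -z "$dups" ] || { echo "pillar gives the same address to several peers: $dups"; rc=1; }
    return $rc
}

# Constructed sample files (placeholder keys, not real WireGuard keys).
write_samples() {                               # arg: directory
    cat > "$1/vpn-my.sls" <<'EOF'
server_meta:
  dns:
    zones:
      - name: db.my.vpn
        entries:
          - { name: '',             type: A, value: 10.10.3.1 }
          - { name: my-test-laptop, type: A, value: 10.10.3.101 }

  vpn:
    peers:
      my-test-laptop:
        PublicKey: LAPTOPKEY00000000000000000000000000000000000=
        AllowedIPs: 10.10.3.101/32
EOF
    cat > "$1/good.conf" <<'EOF'
[Interface]
PrivateKey = PRIVATEKEY0000000000000000000000000000000000=
Address = 10.10.3.101/32
DNS = 10.10.3.1

[Peer]
PublicKey = SERVERKEY00000000000000000000000000000000000=
AllowedIPs = 10.10.3.0/24
Endpoint = vpn-my.hatherleigh.info:51820
PersistentKeepalive = 25
EOF
    # The classic mistake: the workstation's own public key in [Peer].
    sed 's/^PublicKey = SERVERKEY.*/PublicKey = LAPTOPKEY00000000000000000000000000000000000=/' \
        "$1/good.conf" > "$1/bad.conf"
}
```

Run it wherever both files are to hand (typically the Salt master) as check_wg_client wg0.conf sites/vpn-my.sls <peer name> before wg-quick up; a non-zero exit means fix the config before activating it.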

DNS

Restart the laptop, or restart the tunnel as root:

sudo -i
wg-quick down wg0 && wg-quick up wg0

Tip

Does sudo wg show display more than one VPN tunnel? MD is running 22.04, and name resolution has changed since 20.04: systemd-resolve no longer exists and has been replaced by resolvectl (perhaps there are other changes under the hood that help with having multiple tunnels).

Unstable connection

Check to make sure you are not using the configuration in two (or more) places!

Malcolm says:

Yes, the VPN configuration file specifies the IP address, so two VPN connections using the same config will constantly break each other.