VPN

Server

Note

When creating the VPN server, prefix the host name with vpn- so the Salt states pick up the correct defaults.

Client (Linux)

Run the salt-minion-setup script to add the server to the KB VPN (it should be in the ~/Private/scripts/src folder):

  • The salt-minion-setup script creates the private and public keys on the client and displays the public key on the screen.

  • The displayed public key needs to be added to the sites/vpn-my.sls pillar file on the Salt master.

  • Apply the states.

  • Restart the interface (wg-quick down wg0 && wg-quick up wg0).

Tip

Don’t forget to set up the Wireguard - Configuration

Client (Windows)

Download and install Wireguard https://www.wireguard.com/install/

Log in as an administrator and create a new connection (Add empty tunnel). This creates an ini file with a public and private key.

Copy the public key to your Salt master and configure the pillar for your VPN server, e.g.:

cd /srv/pillar
vim sites/vpn-my.sls

Add the IP address of the workstation to the dns zones and vpn peers sections, e.g.:

server_meta:
  dns:
    zones:
      - name: db.my.vpn
        entries:
          - { name: '',              type: A,    value: 10.10.3.1 }
          - { name: my-test-laptop,  type: A,    value: 10.10.3.101 }

  vpn:
    peers:
      my-test-laptop:
        PublicKey: <public key of your windows workstation>
        AllowedIPs: 10.10.3.101/32

Apply the salt state…

Back to the Wireguard Windows client…

Add the following to the connection (adjusting to match your network):

Address = 10.10.3.<Free node number>/32
DNS = 10.10.3.1

[Peer]
PublicKey = <public key of your VPN server>
AllowedIPs = 10.10.3.0/24
Endpoint = vpn-my.hatherleigh.info:51820
PersistentKeepalive = 25

_images/2021-03-18-vpn-edit.png

Save and Activate

_images/2021-03-18-vpn-detail.png

Troubleshooting

Connection issues

The PublicKey in the Peer section of the configuration is the public key of the server, not the workstation:

[Peer]
PublicKey = abc123...

Unstable connection

Check to make sure you are not using the configuration in two (or more) places!

Malcolm says:

Yes, the vpn configuration file specifies the IP address, so two vpn connections using the same config will constantly break each other.
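As an added example (not code from this page or from the Salt repository it describes), a Python helper for the pillar bookkeeping in the client procedure above and for the checks in the Troubleshooting section: it validates a WireGuard public key, refuses a key that is already assigned to another peer, picks the next free node number from the dns and vpn sections, and flags a client config whose [Peer] PublicKey is the workstation's own key or whose Address is not a single /32 in the VPN subnet. The pillar data, the keys and the lowest-free-address allocation policy are constructed placeholders, not values from the real vpn-my.sls.

```python
import base64
import configparser
import ipaddress
# Placeholder keys constructed for this example (not real keys): 32 bytes, base64.
SERVER_KEY = base64.b64encode(bytes(range(32))).decode()
LAPTOP_KEY = base64.b64encode(bytes(range(32, 64))).decode()
# Constructed pillar mirroring the sites/vpn-my.sls structure shown on this page.
PILLAR = {"server_meta": {
    "dns": {"zones": [{"name": "db.my.vpn", "entries": [
        {"name": "", "type": "A", "value": "10.10.3.1"},
        {"name": "my-test-laptop", "type": "A", "value": "10.10.3.101"}]}]},
    "vpn": {"peers": {"my-test-laptop": {"PublicKey": LAPTOP_KEY, "AllowedIPs": "10.10.3.101/32"}}}}}

def valid_wg_key(key):
    # A WireGuard key is 32 bytes, base64-encoded: 44 characters ending in '='.
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def add_peer(pillar, name, public_key, subnet="10.10.3.0/24"):
    # Lowest unused node number (allocation policy is an assumption); adds dns A record + vpn peer.
    meta = pillar["server_meta"]
    peers = meta["vpn"]["peers"]
    if not valid_wg_key(public_key):
        raise ValueError("not a WireGuard public key")
    if name in peers or any(p["PublicKey"] == public_key for p in peers.values()):
        raise ValueError("peer name or key already in use: one key per device")
    used = {ipaddress.ip_address(e["value"]) for z in meta["dns"]["zones"]
            for e in z["entries"] if e["type"] == "A"}
    used |= {ipaddress.ip_interface(p["AllowedIPs"]).ip for p in peers.values()}
    free = next((h for h in ipaddress.ip_network(subnet).hosts() if h not in used), None)
    if free is None:
        raise ValueError("no free node number in " + subnet)
    meta["dns"]["zones"][0]["entries"].append({"name": name, "type": "A", "value": str(free)})
    peers[name] = {"PublicKey": public_key, "AllowedIPs": f"{free}/32"}
    return str(free)

def check_client_conf(conf_text, own_public_key, subnet="10.10.3.0/24"):
    # The mistakes from the troubleshooting section: [Peer] PublicKey must be the server's,
    # not the workstation's, and Address must be a single /32 host inside the VPN subnet.
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    problems = []
    if cp["Peer"]["PublicKey"] == own_public_key:
        problems.append("[Peer] PublicKey is this workstation's key, not the server's")
    addr = ipaddress.ip_interface(cp["Interface"]["Address"])
    if addr.network.prefixlen != 32 or addr.ip not in ipaddress.ip_network(subnet):
        problems.append(f"Address must be one /32 host inside {subnet}")
    return problems
```

Run add_peer against the real pillar only after loading it with a YAML parser; the dict above stands in for that file so the example runs offline.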