2024-04-18 20:11:18 +07:00
|
|
|
|
# VPN setup
|
|
|
|
|
|
2024-11-25 01:25:46 +07:00
|
|
|
|
You can choose between [Tailscale](https://tailscale.com),
|
|
|
|
|
[Wireguard](https://www.wireguard.com), or use both like me. I primarily use
|
|
|
|
|
WireGuard but keep Tailscale as a backup for when the WireGuard server is down.
|
2024-04-18 20:11:18 +07:00
|
|
|
|
|
|
|
|
|
## Tailscale (requires third-party account)
|
|
|
|
|
|
|
|
|
|
Get an [auth key](https://tailscale.com/kb/1085/auth-keys) from [Tailscale admin console](https://login.tailscale.com/admin/authkeys):
|
|
|
|
|
|
|
|
|
|
- Description: homelab
|
|
|
|
|
- Reusable: optionally set this to true
|
|
|
|
|
|
|
|
|
|
Add it to `external/terraform.tfvars` as an extra secret:
|
|
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
|
extra_secrets = {
|
|
|
|
|
tailscale-auth-key = "tskey-auth-myauthkeyhere"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2024-11-25 01:25:46 +07:00
|
|
|
|
You may want to back up the `external/terraform.tfvars` file to a secure location.
|
|
|
|
|
|
2024-04-18 20:11:18 +07:00
|
|
|
|
Apply the secret:
|
|
|
|
|
|
|
|
|
|
```sh
|
|
|
|
|
make external
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Finally, [enable subnet routes](https://tailscale.com/kb/1019/subnets#step-3-enable-subnet-routes-from-the-admin-console) for `homelab-router`
|
|
|
|
|
from the [admin console](https://login.tailscale.com/admin/machines).
|
|
|
|
|
|
|
|
|
|
You can now connect to your homelab via Tailscale and [invite user to your Tailscale network](https://tailscale.com/kb/1371/invite-users).
|
|
|
|
|
|
|
|
|
|
## Wireguard (requires port-forwarding)
|
|
|
|
|
|
2024-11-25 01:25:46 +07:00
|
|
|
|
### Prerequisites
|
|
|
|
|
|
|
|
|
|
Find your public IP address using:
|
|
|
|
|
|
|
|
|
|
```sh
|
|
|
|
|
curl -4 ifconfig.me
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
If you don’t have a static IP address, use dynamic DNS and replace the IP with
|
|
|
|
|
your domain name.
|
|
|
|
|
|
|
|
|
|
Next, configure port forwarding in your router for the WireGuard service.
|
|
|
|
|
|
|
|
|
|
!!! example
|
|
|
|
|
|
|
|
|
|
Each router is different, here's mine for reference:
|
|
|
|
|
|
|
|
|
|
- Protocol: `UDP`
|
|
|
|
|
- Start Port: `51820`
|
|
|
|
|
- End Port: `51820`
|
|
|
|
|
- Local IP Address: `192.168.1.226` (find it with `kubectl get service -n wireguard wireguard`)
|
|
|
|
|
- Start Port Local: `51820`
|
|
|
|
|
- End Port Local: `51820`
|
|
|
|
|
|
|
|
|
|
Generate a key pair for the server:
|
|
|
|
|
|
|
|
|
|
```sh
|
|
|
|
|
wg genkey | tee /dev/tty | wg pubkey
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
This will generate a private key and a public key, in that order. Add the
|
|
|
|
|
private key to `external/terraform.tfvars` as an extra secret:
|
2024-04-18 20:11:18 +07:00
|
|
|
|
|
2024-11-25 01:25:46 +07:00
|
|
|
|
```hcl
|
|
|
|
|
extra_secrets = {
|
|
|
|
|
wireguard-private-key = "privatekeyhere"
|
|
|
|
|
}
|
2024-04-18 20:11:18 +07:00
|
|
|
|
```
|
|
|
|
|
|
2024-11-25 01:25:46 +07:00
|
|
|
|
You may want to back up the `external/terraform.tfvars` file to a secure location.
|
2024-04-18 20:11:18 +07:00
|
|
|
|
|
2024-11-25 01:25:46 +07:00
|
|
|
|
Apply the secret:
|
2024-04-18 20:11:18 +07:00
|
|
|
|
|
2024-11-25 01:25:46 +07:00
|
|
|
|
```sh
|
|
|
|
|
make external
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
I use `172.16.0.0/12` as the private IP range for WireGuard, but you can choose
|
|
|
|
|
any private IP address range you prefer in `./apps/wireguard/values.yaml`. I
|
|
|
|
|
also recommend removing my peers and adding your own.
|
2024-04-18 20:11:18 +07:00
|
|
|
|
|
2024-11-25 01:25:46 +07:00
|
|
|
|
### Add a new device to the server
|
2024-04-18 20:11:18 +07:00
|
|
|
|
|
2024-11-25 01:25:46 +07:00
|
|
|
|
!!! info
|
|
|
|
|
|
|
|
|
|
Each device requires its own configuration.
|
|
|
|
|
|
|
|
|
|
Generate a new key pair for the device. You can generate it for the user, or
|
|
|
|
|
they can generate it themselves if they prefer to keep the private key
|
|
|
|
|
confidential:
|
2024-04-18 20:11:18 +07:00
|
|
|
|
|
|
|
|
|
```sh
|
2024-11-25 01:25:46 +07:00
|
|
|
|
wg genkey | tee /dev/tty | wg pubkey
|
2024-04-18 20:11:18 +07:00
|
|
|
|
```
|
2024-11-25 01:25:46 +07:00
|
|
|
|
|
|
|
|
|
This will generate a private key and a public key, in that order. The private
|
|
|
|
|
key must be saved in a secure password manager, and save the public key for the
|
|
|
|
|
next step.
|
|
|
|
|
|
|
|
|
|
Update the list of peers in `./apps/wireguard/values.yaml`, make sure you
|
|
|
|
|
replace all of my peers with yours.
|
|
|
|
|
|
|
|
|
|
!!! example
|
|
|
|
|
|
|
|
|
|
Example configuration for my phone:
|
|
|
|
|
|
|
|
|
|
```ini
|
|
|
|
|
[Peer]
|
|
|
|
|
PublicKey = nITHFdgTkNZOTWeSWqnGXjgwlCJMKRCnnUsjMx2yp2U=
|
|
|
|
|
AllowedIPs = 172.16.0.12/32
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
- The public key is the one generated in the previous step.
|
|
|
|
|
- `172.16.0.12/32` is the device's private IP address, manually selected from
|
|
|
|
|
the `172.16.0.0/12` range mentioned above.
|
|
|
|
|
|
|
|
|
|
### Add the Wireguard config to the device
|
|
|
|
|
|
|
|
|
|
Create a new configuration file for the device:
|
|
|
|
|
|
|
|
|
|
```ini
|
|
|
|
|
[Interface]
|
|
|
|
|
Address = <CLIENT PRIVATE IP>/32
|
|
|
|
|
PrivateKey = <CLIENT PRIVATE KEY>
|
|
|
|
|
|
|
|
|
|
[Peer]
|
|
|
|
|
PublicKey = <SERVER PUBLIC KEY>
|
|
|
|
|
Endpoint = <SERVER PUBLIC IP>:51820
|
|
|
|
|
AllowedIPs = <SERVER PRIVATE IP>/32, <LOAD BALANCER IP RANGE>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Replace placeholders with actual values and save as `wg0.conf`.
|
|
|
|
|
|
|
|
|
|
!!! example
|
|
|
|
|
|
|
|
|
|
Example configuration for my phone:
|
|
|
|
|
|
|
|
|
|
```ini
|
|
|
|
|
[Interface]
|
|
|
|
|
Address = 172.16.0.12/32
|
|
|
|
|
PrivateKey = <REDACTED>
|
|
|
|
|
|
|
|
|
|
[Peer]
|
|
|
|
|
PublicKey = sSAZS1Z3vB7Wx8e2yVqXfeHjgWTa80wnSYoma3mZkiU
|
|
|
|
|
Endpoint = <HOME IP>:51820
|
|
|
|
|
AllowedIPs = 172.16.0.1/32, 192.168.1.224/27
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
The client can now import this configuration and connect to your WireGuard
|
|
|
|
|
mesh. Make sure you clean up the `wg0.conf` file after importing it to the
|
|
|
|
|
client.
|
|
|
|
|
|
|
|
|
|
=== "Mobile"
|
|
|
|
|
|
|
|
|
|
Generate a QR code from the configuration file:
|
|
|
|
|
|
|
|
|
|
```sh
|
|
|
|
|
qrencode -t ansiutf8 -r wg0.conf
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Then scan the QR code using the official WireGuard app.
|
|
|
|
|
|
|
|
|
|
=== "Linux"
|
|
|
|
|
|
|
|
|
|
Import the WireGuard configuration using NetworkManager:
|
|
|
|
|
|
|
|
|
|
```sh
|
|
|
|
|
nmcli connection import type wireguard file wg0.conf
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Activate the connection:
|
|
|
|
|
|
|
|
|
|
```sh
|
|
|
|
|
nmcli connection up wg0
|
|
|
|
|
```
|