mirrors/khuedoan-homelab
1
0
Fork 0
mirror of https://github.com/khuedoan/homelab.git synced 2024-12-23 01:24:36 +07:00
Code Issues Packages Projects Releases Wiki Activity
master
khuedoan-homelab/docs/getting-started/vpn-setup.md
Khue Doan 8c77fb834b docs(wireguard): update setup instruction
2024-11-25 01:34:15 +07:00

182 lines
4.5 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# VPN setup
You can choose between [Tailscale](https://tailscale.com),
[Wireguard](https://www.wireguard.com), or use both like me. I primarily use
WireGuard but keep Tailscale as a backup for when the WireGuard server is down.
## Tailscale (requires third-party account)
Get an [auth key](https://tailscale.com/kb/1085/auth-keys) from [Tailscale admin console](https://login.tailscale.com/admin/authkeys):
- Description: homelab
- Reusable: optionally set this to true
Add it to `external/terraform.tfvars` as an extra secret:
```hcl
extra_secrets = {
tailscale-auth-key = "tskey-auth-myauthkeyhere"
}
```
You may want to back up the `external/terraform.tfvars` file to a secure location.
Apply the secret:
```sh
make external
```
Finally, [enable subnet routes](https://tailscale.com/kb/1019/subnets#step-3-enable-subnet-routes-from-the-admin-console) for `homelab-router`
from the [admin console](https://login.tailscale.com/admin/machines).
You can now connect to your homelab via Tailscale and [invite user to your Tailscale network](https://tailscale.com/kb/1371/invite-users).
## Wireguard (requires port-forwarding)
### Prerequisites
Find your public IP address using:
```sh
curl -4 ifconfig.me
```
If you dont have a static IP address, use dynamic DNS and replace the IP with
your domain name.
Next, configure port forwarding in your router for the WireGuard service.
!!! example
Each router is different, here's mine for reference:
- Protocol: `UDP`
- Start Port: `51820`
- End Port: `51820`
- Local IP Address: `192.168.1.226` (find it with `kubectl get service -n wireguard wireguard`)
- Start Port Local: `51820`
- End Port Local: `51820`
Generate a key pair for the server:
```sh
wg genkey | tee /dev/tty | wg pubkey
```
This will generate a private key and a public key, in that order. Add the
private key to `external/terraform.tfvars` as an extra secret:
```hcl
extra_secrets = {
wireguard-private-key = "privatekeyhere"
}
```
You may want to back up the `external/terraform.tfvars` file to a secure location.
Apply the secret:
```sh
make external
```
I use `172.16.0.0/12` as the private IP range for WireGuard, but you can choose
any private IP address range you prefer in `./apps/wireguard/values.yaml`. I
also recommend removing my peers and adding your own.
### Add a new device to the server
!!! info
Each device requires its own configuration.
Generate a new key pair for the device. You can generate it for the user, or
they can generate it themselves if they prefer to keep the private key
confidential:
```sh
wg genkey | tee /dev/tty | wg pubkey
```
This will generate a private key and a public key, in that order. The private
key must be saved in a secure password manager, and save the public key for the
next step.
Update the list of peers in `./apps/wireguard/values.yaml`, make sure you
replace all of my peers with yours.
!!! example
Example configuration for my phone:
```ini
[Peer]
PublicKey = nITHFdgTkNZOTWeSWqnGXjgwlCJMKRCnnUsjMx2yp2U=
AllowedIPs = 172.16.0.12/32
```
- The public key is the one generated in the previous step.
- `172.16.0.12/32` is the device's private IP address, manually selected from
the `172.16.0.0/12` range mentioned above.
### Add the Wireguard config to the device
Create a new configuration file for the device:
```ini
[Interface]
Address = <CLIENT PRIVATE IP>/32
PrivateKey = <CLIENT PRIVATE KEY>
[Peer]
PublicKey = <SERVER PUBLIC KEY>
Endpoint = <SERVER PUBLIC IP>:51820
AllowedIPs = <SERVER PRIVATE IP>/32, <LOAD BALANCER IP RANGE>
```
Replace placeholders with actual values and save as `wg0.conf`.
!!! example
Example configuration for my phone:
```ini
[Interface]
Address = 172.16.0.12/32
PrivateKey = <REDACTED>
[Peer]
PublicKey = sSAZS1Z3vB7Wx8e2yVqXfeHjgWTa80wnSYoma3mZkiU
Endpoint = <HOME IP>:51820
AllowedIPs = 172.16.0.1/32, 192.168.1.224/27
```
The client can now import this configuration and connect to your WireGuard
mesh. Make sure you clean up the `wg0.conf` file after importing it to the
client.
=== "Mobile"
Generate a QR code from the configuration file:
```sh
qrencode -t ansiutf8 -r wg0.conf
```
Then scan the QR code using the official WireGuard app.
=== "Linux"
Import the WireGuard configuration using NetworkManager:
```sh
nmcli connection import type wireguard file wg0.conf
```
Activate the connection:
```sh
nmcli connection up wg0
```
Reference in New Issue View Git Blame Copy Permalink