poor-mans-vpn
Stop regenerating keys on every run
You mention keys being regenerated on every run - was this intentional? If you run the playbook again to reconfigure the system, is it desirable to regenerate keys?
Feel free to use the space to just say that you wanted it to do it this way :D
NOTE: I haven't tested this change, as I don't have Ansible, a system to test against, or the time right this second to spin up a Docker container to run it against, sorry :/
Also, this repo got posted on HN :) https://news.ycombinator.com/item?id=29913515
Thanks for the HN link - I had no idea!
Didn't really put much thought into it. I just use it occasionally and every time I use a fresh server. I will try out your changes once I have some time :)
I tried a slightly different solution with a cloud server on Hetzner for a VPN to the USA, but I also struggled with the keys. If I understand it right, WireGuard always generates a unique/new key on a different host!?
Script name = ubuntu-2gb-ash-1.sh
as the cloud server would be named via https://console.hetzner.cloud/projects/YOUR_PROJECT_NUMBER/servers/create using defaults (SSH public key already uploaded there) for a new US VPN WireGuard server:
#!/bin/bash
# shellcheck disable=SC2029
# ---
# derive the server name (also its host alias in ~/.ssh/config) from the script name:
# ubuntu-2gb-ash-1.sh -> ubuntu-2gb-ash-1
CLOUDSERVER=$(echo "${0##*/}"|cut -d"_" -f2|cut -d"." -f1)
echo "$CLOUDSERVER"
# ---
# change IP for hostname in ~/.ssh/config (vim opens at the host entry):
vim ~/.ssh/config +/"$CLOUDSERVER"
# ---
# store a generated root password in pass (only if none is stored yet), then set it on the server:
pass show Hetzner/"$CLOUDSERVER" &>/dev/null || pass generate -n Hetzner/"$CLOUDSERVER"/root-"$(date +%Y%m%d)" 20
ssh -p 22 -t "$CLOUDSERVER" "passwd"
# ---
# ssh hardening: install the prepared client and daemon configs, then restart sshd
scp -P 22 ./ssh_config "$CLOUDSERVER":/root/.ssh/config
scp -P 22 ./sshd_config "$CLOUDSERVER":/etc/ssh/sshd_config
# drop cached ControlMaster sockets so the next ssh opens a fresh connection against the restarted daemon
rm -f /tmp/control-*root*
ssh -p 22 "$CLOUDSERVER" "systemctl restart sshd"
# ---
echo "install some software:"
ssh "$CLOUDSERVER" "DEBIAN_FRONTEND=noninteractive apt-get update && apt-get upgrade -y"
ssh "$CLOUDSERVER" "DEBIAN_FRONTEND=noninteractive apt-get install -y \
docker-compose \
docker.io \
fail2ban"
# ---
echo "copy some stuff for this host:"
scp -r "$CLOUDSERVER/dev" "$CLOUDSERVER":
# ---
echo "start wireguard (press Enter to continue)"
read -r
ssh -t "$CLOUDSERVER" "cd ~/dev/docker-wireguard && docker-compose up -d && ./docker-wireguard-update.sh && ./docker-wireguard-show-peer-config.sh"
Files to be copied:
🦎🖥 ✔ ~/dev/hetzner [master|✔]
13:47 $ tree ubuntu-2gb-ash-1
ubuntu-2gb-ash-1
└── dev
    └── docker-wireguard
        ├── docker-compose.yml
        ├── docker-wireguard-show-peer-config.sh
        ├── docker-wireguard-update.sh
        └── etc-wireguard
            ├── coredns
            │   └── Corefile
            ├── custom-cont-init.d
            ├── custom-services.d
            ├── peer_iphonethomas
            │   ├── peer_iphonethomas.conf
            │   ├── peer_iphonethomas.png
            │   ├── privatekey-peer_iphonethomas
            │   └── publickey-peer_iphonethomas
            ├── server
            │   ├── privatekey-server
            │   └── publickey-server
            ├── templates
            │   ├── peer.conf
            │   └── server.conf
            └── wg0.conf
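Both the PR question (keys regenerated on every playbook run) and the Hetzner script above come down to the same property: key generation has to be a no-op when a key already exists, otherwise every rerun rotates the server key and breaks every configured peer. The following added example (not code from poor-mans-vpn or from the commenter's repo) shows that test-before-generate step as a POSIX shell function. It assumes the file layout of the tree above (`privatekey-NAME` and `publickey-NAME` beside each other), uses `wg` from wireguard-tools when it is installed, and otherwise falls back to 32 random bytes in base64, which is the same key format; `ensure-wg-keys.sh` is a hypothetical file name.

```shell
#!/bin/sh
# Added example, not part of poor-mans-vpn: create a WireGuard private key only
# when none exists, so re-running provisioning never silently rotates it.
set -eu

# ensure_wg_private_key DIR NAME
# Writes DIR/privatekey-NAME (mode 0600) on the first run; every later run
# leaves the existing file untouched. Prints the key file path.
ensure_wg_private_key() {
    dir=$1
    name=$2
    priv="$dir/privatekey-$name"
    mkdir -p "$dir"
    if [ ! -s "$priv" ]; then
        tmp="$priv.tmp.$$"
        # wg(8) is used when present; the fallback (an assumption for hosts
        # without wireguard-tools) emits 32 random bytes base64-encoded, which
        # X25519 clamps itself when the key is loaded
        if command -v wg >/dev/null 2>&1; then
            wg genkey > "$tmp"
        else
            head -c 32 /dev/urandom | base64 | tr -d '\n' > "$tmp"
            echo >> "$tmp"
        fi
        chmod 600 "$tmp"
        mv "$tmp" "$priv"   # rename is atomic: no half-written key is ever visible
    fi
    printf '%s\n' "$priv"
}

# ensure_wg_public_key DIR NAME
# Derives DIR/publickey-NAME from the private key with wg(8) if it is missing.
# Fails with a message when wireguard-tools is not installed. Prints the path.
ensure_wg_public_key() {
    dir=$1
    name=$2
    priv="$dir/privatekey-$name"
    pub="$dir/publickey-$name"
    if [ ! -s "$pub" ]; then
        if command -v wg >/dev/null 2>&1; then
            wg pubkey < "$priv" > "$pub"
        else
            echo "wg not installed; public key for $name not derived" >&2
            return 1
        fi
    fi
    printf '%s\n' "$pub"
}

# key_file_is_private FILE: true when only the owner can read or write FILE
# (first ten characters of ls -l, so an ACL or SELinux suffix is ignored)
key_file_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# key_looks_valid FILE: true when FILE holds one 44-character base64 line,
# the encoding of a 32-byte WireGuard key
key_looks_valid() {
    k=$(cat "$1")
    [ "${#k}" -eq 44 ] && printf '%s' "$k" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

if [ $# -eq 2 ]; then   # usage: ./ensure-wg-keys.sh etc-wireguard/server server
    ensure_wg_private_key "$1" "$2"
    ensure_wg_public_key "$1" "$2" || true
fi
```

Running it twice against the same directory returns the same key both times; a playbook task that guards its `wg genkey` call with the same "file already exists and is non-empty" check stops regenerating keys on every run, and the mode-0600 check catches a key that a copy step left world-readable.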
@amritb
Thanks for the HN link - I had no idea!
I also became aware of your project via HN 😄