Stefano Marinelli · 2024-07-15 · via IT Notes - vpn

Introduction

In today's interconnected world, system administrators often face the challenge of managing services across multiple Virtual Private Servers (VPS). This article describes a networking setup that bridges the layer-2 networks of two VPS instances on FreeBSD, using Wireguard for the encrypted tunnel and VXLAN to carry Ethernet frames over it. This configuration is particularly useful when you need to distribute services across different providers or when you want to leverage the strengths of multiple hosting environments.

Background

At BSD Cafe, we utilize various VPS instances to provide our services. The two main ones are:

  • A publicly accessible VPS that hosts the reverse proxy and all firewall rules for packet routing.
  • A larger VPS on a physical host I own, which is not directly exposed to the internet and doesn't have a public IP address.

Most of the jails hosting BSD Cafe services are distributed between these two VPS instances. Occasionally, I need to move services between them for performance reasons or to manage updates efficiently.

To facilitate this flexibility, I've always maintained a bridge on each VPS. Initially, I used Zerotier to establish a connection between these bridges, allowing them to communicate as if they were part of a single, large network.

The New Setup: Wireguard and VXLAN

While the Zerotier setup worked, I decided to switch to a more streamlined solution using Wireguard and VXLAN. Here's why:

  • Performance: Wireguard offers excellent performance with low overhead.
  • Simplicity: The configuration is straightforward and easy to maintain.
  • Security: Wireguard provides strong, modern cryptography.

I had already prepared a Wireguard connection between the two servers from the beginning. Since only one of the servers is publicly accessible, the public one is configured to only accept connections, and the other connects out to the public IP of the first, with a 20-second persistent keepalive. The keepalive's job is to keep the NAT mapping open so the public server can still reach the NATed one when the tunnel is idle; with the constant traffic between the jails it rarely matters, but it is cheap insurance.

To complete the setup, I added two VXLAN interfaces on the VPS instances, added these interfaces to the local bridges, and immediately, packets started flowing between the networks.

Step-by-Step Implementation

Follow these instructions to create a bridge between two different networks using Wireguard and VXLAN on FreeBSD. While I use this setup to connect jails at BSD Cafe, you can use it for various purposes, such as bridging different VM (bhyve) instances across providers.

Prerequisites

Wireguard is part of the FreeBSD base system (the wg(4) driver, since 13.2), so you no longer need to compile a kernel module or use the Go implementation. We still install the "wireguard-tools" package for the wg and wg-quick commands, which the configuration below relies on. The steps also assume that each VPS already has a bridge0 holding the jail (or VM) interfaces, as described above.

Start by installing the wireguard-tools package on both servers:

pkg install wireguard-tools

Configuration

Server 1 (Public IP)

  • Generate the Wireguard key pair:
wg genkey | tee /dev/stderr | wg pubkey | grep --label PUBLIC -H .

The private key is printed to stderr and the public key to stdout, prefixed with PUBLIC:. The private key goes into this server's own wg0.conf and must never leave the host; the public key is what you paste into the other server's [Peer] section.

Also generate a pre-shared key. It is optional, but it mixes a symmetric secret into the handshake on top of the public-key exchange (the Wireguard documentation describes this as post-quantum resistance), and it costs nothing. Generate it once and put the same value in both servers' configs:

wg genpsk
  • Create a new file /usr/local/etc/wireguard/wg0.conf (it holds the private key, so keep it root-only with chmod 600):
[Interface]
## Default port is 51820 - feel free to change it
PrivateKey = <the private key from the previous command>
ListenPort = 43671
Address = 10.77.0.1/24

## The VXLAN endpoints are the Wireguard tunnel addresses, so the VXLAN traffic
## (UDP/4789 between 10.77.0.1 and 10.77.0.2) never leaves the encrypted tunnel.
## The interface is named explicitly so that PostDown destroys the right one.
PostUp = /sbin/ifconfig vxlan0 create vxlanid 42 vxlanlocal 10.77.0.1 vxlanremote 10.77.0.2 inet 10.77.1.1/24
PostUp = /sbin/ifconfig bridge0 addm vxlan0 up
PostDown = /sbin/ifconfig vxlan0 destroy

[Peer]
PublicKey = <Server 2's public key>
## Server 2 sits behind NAT and has no fixed address, so no Endpoint is set here:
## Server 2 initiates, and Wireguard learns its endpoint from the first handshake.
#Endpoint = <public_ip>:<port>
AllowedIPs = 10.77.0.2/32
PresharedKey = <the PSK generated above, identical on both servers>
  • Modify /etc/rc.conf and add:
wireguard_interfaces="wg0"
wireguard_enable="YES"
  • Start Wireguard and the VXLAN endpoint:
wg-quick up wg0

Server 2 (Behind NAT)

  • Generate a new key pair on Server 2 with the same wg genkey command. Do not generate a new PSK: reuse the one from Server 1.

  • Create /usr/local/etc/wireguard/wg0.conf (again root-only, chmod 600):

[Interface]
PrivateKey = <Server 2's private key>
Address = 10.77.0.2/24

## Mirror image of Server 1: local and remote swapped, same vxlanid
PostUp = /sbin/ifconfig vxlan0 create vxlanid 42 vxlanlocal 10.77.0.2 vxlanremote 10.77.0.1 inet 10.77.1.2/24
PostUp = /sbin/ifconfig bridge0 addm vxlan0 up
PostDown = /sbin/ifconfig vxlan0 destroy

[Peer]
PublicKey = <Server 1's public key>
## Server 1's public address and its ListenPort (43671 in this example)
Endpoint = <public_ip>:<port>
AllowedIPs = 10.77.0.1/32
PresharedKey = <the same PSK as on Server 1>
## Keeps the NAT mapping open so Server 1 can still reach us when the tunnel is idle
PersistentKeepalive = 20
  • Modify /etc/rc.conf as before.

  • Start Wireguard and the VXLAN endpoint:

wg-quick up wg0

Verifying the Connection

To check that the tunnel is up, run wg show wg0 on either host: it lists the peer, its current endpoint, the time of the latest handshake, and the bytes transferred. A handshake that never happened, or that is older than a few minutes, means the peers cannot reach each other; check Server 1's ListenPort and firewall first.

Then ping the other host's Wireguard address and its VXLAN address (in this example 10.77.0.1 or 10.77.0.2, and 10.77.1.1 or 10.77.1.2). The first ping proves the encrypted tunnel; the second proves that VXLAN is encapsulating frames over it.

Finally, check the interfaces with ifconfig vxlan0 and ifconfig bridge0: vxlan0 must appear as a bridge member, and its MTU must leave room for the encapsulation. VXLAN adds 50 bytes per frame on top of Wireguard's own overhead, so with the usual wg0 MTU of 1420 the bridged traffic cannot carry more than 1370 bytes per packet. If large transfers between jails stall while pings work, a mismatched MTU is the usual cause.
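A health check for this step, added here as an example and not part of the original post. It parses the machine-readable output of wg show wg0 dump rather than the human-readable form, flags peers that never handshaked or have gone quiet, and confirms which peer key owns the tunnel address the VXLAN points at, so that a wrong or swapped AllowedIPs entry is caught before traffic is bridged. The sample dump, the peer names and the addresses are constructed placeholders; the MAX_AGE threshold is my assumption, chosen because Wireguard rekeys about every two minutes while traffic flows.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the peer table
# printed by `wg show wg0 dump` on either host after `wg-quick up wg0`.
#
# `wg show <if> dump` format (tab-separated, from wg(8)):
#   line 1: private-key  public-key  listen-port  fwmark
#   then per peer: public-key  preshared-key  endpoint  allowed-ips
#                  latest-handshake (epoch seconds, 0 = never)  rx  tx  keepalive

# Assumption: a peer that has not handshaked within MAX_AGE seconds is not
# actually talking to us (Wireguard rekeys roughly every 120 s under traffic).
MAX_AGE="${MAX_AGE:-180}"

# wg_stale_peers NOW < dump
# Prints one "<peer-key> <reason>" line per unhealthy peer; exit 1 if any.
wg_stale_peers() {
    awk -v now="$1" -v max="$MAX_AGE" -F '\t' '
        NR == 1          { next }      # interface line, not a peer
        $5 == 0          { print $1 " never-handshaked endpoint=" $3; bad++; next }
        (now - $5) > max { print $1 " stale age=" (now - $5) "s endpoint=" $3; bad++ }
        END              { exit (bad > 0) }
    '
}

# wg_peer_for_ip IP < dump
# Prints the public key of the peer whose AllowedIPs contains IP/32 (the form
# the configs above use), or nothing if no peer may source that address.
wg_peer_for_ip() {
    awk -v want="$1/32" -F '\t' '
        NR == 1 { next }
        {
            n = split($4, nets, ",")
            for (i = 1; i <= n; i++) if (nets[i] == want) { print $1; exit }
        }
    '
}

# Constructed sample standing in for real `wg show wg0 dump` output: placeholder
# key strings and documentation IP ranges. PEERA is healthy (50 s old handshake),
# PEERB never connected, PEERC went quiet about 19 minutes before "now" below.
SAMPLE_DUMP=$(
  printf '%s\t%s\t%s\t%s\n' 'SERVER1_PRIVATE' 'SERVER1_PUBLIC' '43671' 'off'
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PEERA' 'PSK_A'  '203.0.113.5:51820'  '10.77.0.2/32' '1721000050' '100' '200' '20' \
    'PEERB' '(none)' '(none)'             '10.77.0.3/32' '0'          '0'   '0'   'off' \
    'PEERC' '(none)' '198.51.100.7:43671' '10.77.0.4/32' '1720998950' '5'   '5'   '20'
)

# Demo on the constructed sample. On a real host use:
#   wg show wg0 dump | wg_stale_peers "$(date +%s)"
#   wg show wg0 dump | wg_peer_for_ip 10.77.0.2   # should print Server 2's key
printf '%s\n' "$SAMPLE_DUMP" | wg_stale_peers 1721000100 || echo "unhealthy peers found"
echo "10.77.0.2 belongs to: $(printf '%s\n' "$SAMPLE_DUMP" | wg_peer_for_ip 10.77.0.2)"
```

On the setup described here the dump has exactly one peer per host; the second check should print the other server's public key for the vxlanremote address, and anything else means the AllowedIPs and vxlanremote values got out of step.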

Conclusion

This setup allows the two VXLAN interfaces, inserted into the local bridges, to carry Ethernet frames through Wireguard, effectively creating a single, unified network across your VPS instances. Two details make it safe: the VXLAN endpoints are the tunnel addresses, so the unauthenticated, unencrypted VXLAN stream only ever travels inside the tunnel (never point vxlanlocal or vxlanremote at a public address); and the /32 AllowedIPs entries are enough, because the bridged frames are encapsulated inside UDP packets exchanged between those two tunnel addresses rather than appearing to Wireguard as traffic from the jails' own addresses.

This configuration is particularly useful for:

  • Distributing services across different providers
  • Leveraging both public-facing and private VPS instances
  • Creating flexible, scalable network architectures

By using Wireguard and VXLAN, you get the benefits of strong encryption, high performance, and the ability to create complex network topologies across physically separate servers.

Remember to always keep your systems updated and regularly review your network configuration to ensure it meets your evolving needs and security requirements.