Squirrel Hole

江心一庐

© 2025 白色乌鸦|White Crow

Theme Typography by Makito

Proudly published with Hexo

Configure WireGuard for Laboratory

Posted at 2024-01-13 in making, network

Here we use WireGuard to reach the laboratory network over the Internet.[1]

Three key concepts are the IP address, the key pair and AllowedIPs. By design, to identify each peer and encrypt traffic to it, every peer has a virtual network interface address and a public key with a secret key.[2] WireGuard will drop any traffic routed to the interface whose destination address is outside the AllowedIPs configured for the interface's peers, and will also drop any traffic coming into the host through the interface whose source address is outside those same AllowedIPs.[3]

In practice, our core router (192.168.24.1/24) is nested in the institute network (10.x.76.x). Laboratory servers connect to the laboratory network; office workstations connect to the institute network. WireGuard builds a tunnel endpoint at the core router.

There are two situations:

  1. The workstation connects only to the institute network, not to the laboratory network.
  2. The laptop connects only to the public Internet, to neither the institute network nor the laboratory network.

The corresponding strategies:

  1. Workstation <--> core router WireGuard <--> laboratory & institute network
  2. Laptop <--> cloud server WireGuard <--> core router WireGuard <--> laboratory & institute network

Here are the network topology and the WireGuard configurations:

Peer                            WireGuard ip addr   Physical interface addr
Cloud server with public ip     192.168.200.254     120.x.x.x
Core router in lab & institute  192.168.200.1       192.168.24.1, 10.x.76.42
Laptop out lab                  192.168.200.2       x.x.x.x
Workstation in institute        192.168.200.3       10.x.76.43
Internet
  |
  +-- Institute network: 10.x.76.x
  |     Workstation  (ip 192.168.200.3)
  |       Peer: core router   AllowedIPs: 192.168.200.1/24, 192.168.24.1/24   Endpoint: 10.x.76.42
  |       Peer: cloud server  AllowedIPs: 192.168.200.254/32                  Endpoint: 120.x.x.x
  |     Core router  (ip 192.168.200.1)
  |       Peer: cloud server  AllowedIPs: 192.168.200.254/24                  Endpoint: 120.x.x.x
  |       Peer: workstation   AllowedIPs: 192.168.200.3/24                    Endpoint: 10.x.76.43
  |       +-- Laboratory Network: 192.168.200.x  (Server 1, others)
  |
  +-- Cloud Server  (ip 192.168.200.254, enable ipv4 forward)
  |     Peer: core router   AllowedIPs: 192.168.200.1/32, 192.168.24.1/24, 10.x.76.1/24
  |     Peer: laptop        AllowedIPs: 192.168.200.2/32
  |     Peer: workstation   AllowedIPs: 192.168.200.3/32
  |
  +-- Home network, etc.
        Laptop  (ip 192.168.200.2)
          Peer: cloud server  AllowedIPs: 192.168.200.1/24, 192.168.24.1/24, 10.x.76.1/24   Endpoint: 120.x.x.x

Tunnels:  workstation <=> core router,  workstation <=> cloud server,
          core router <=> cloud server, laptop <=> cloud server
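As an added example (not code from the post or from the WireGuard project), the script below transcribes the peer tables from the diagram above and evaluates them the way WireGuard's cryptokey routing will: the peer for a destination is chosen by longest-prefix match over all AllowedIPs, a destination matching no peer is dropped, and a prefix listed under two peers of the same interface is flagged, because WireGuard keeps each allowed IP on exactly one peer and the last peer loaded takes it over. It also renders a wg-quick style config for any node. Keys are placeholders, the masked octets "x" are replaced by 0 so the prefixes parse, and the port 51820 and the PersistentKeepalive line are assumptions not taken from the post.

```python
import ipaddress

# Peer tables transcribed from the post's diagram (constructed for this
# example): name -> list of (peer, AllowedIPs, endpoint or None).
# "x" octets are written as 0 so they parse; keys are placeholders.
PEERS = {
    "core router": [
        ("cloud server", ["192.168.200.254/24"], "120.0.0.1:51820"),
        ("workstation", ["192.168.200.3/24"], "10.0.76.43:51820"),
    ],
    "workstation": [
        ("core router", ["192.168.200.1/24", "192.168.24.1/24"], "10.0.76.42:51820"),
        ("cloud server", ["192.168.200.254/32"], "120.0.0.1:51820"),
    ],
    "cloud server": [
        ("core router", ["192.168.200.1/32", "192.168.24.1/24", "10.0.76.1/24"], None),
        ("laptop", ["192.168.200.2/32"], None),
        ("workstation", ["192.168.200.3/32"], None),
    ],
    "laptop": [
        ("cloud server", ["192.168.200.1/24", "192.168.24.1/24", "10.0.76.1/24"],
         "120.0.0.1:51820"),
    ],
}


def networks(peer_list):
    """Yield (peer_name, network); host bits are stripped, as wg does
    when it turns 192.168.200.1/24 into the prefix 192.168.200.0/24."""
    for name, cidrs, _endpoint in peer_list:
        for cidr in cidrs:
            yield name, ipaddress.ip_network(cidr, strict=False)


def find_conflicts(peer_list):
    """Return prefixes claimed by more than one peer on one interface.
    An allowed IP belongs to exactly one peer, so the same prefix under
    two [Peer] sections silently ends up on the last one loaded."""
    owners = {}
    for name, net in networks(peer_list):
        owners.setdefault(net, []).append(name)
    return {str(net): names for net, names in owners.items() if len(names) > 1}


def select_peer(peer_list, dst):
    """Cryptokey routing for an outbound packet: longest-prefix match of
    dst over every peer's AllowedIPs. None means the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, net in networks(peer_list):
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def render_config(node, address, listen_port=51820):
    """Emit a wg-quick style config for node (placeholder keys)."""
    lines = ["[Interface]", f"Address = {address}",
             f"ListenPort = {listen_port}", f"PrivateKey = <{node} private key>", ""]
    for name, cidrs, endpoint in PEERS[node]:
        lines += ["[Peer]", f"# {name}", f"PublicKey = <{name} public key>",
                  "AllowedIPs = " + ", ".join(cidrs)]
        if endpoint:
            lines.append(f"Endpoint = {endpoint}")
            # Assumed setting: keeps the NAT mapping open for a peer
            # that has to dial out to reach its endpoint.
            lines.append("PersistentKeepalive = 25")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for node, peers in PEERS.items():
        print(f"{node}: duplicate prefixes = {find_conflicts(peers) or 'none'}")
    print(select_peer(PEERS["workstation"], "192.168.200.254"))  # cloud server
    print(render_config("workstation", "192.168.200.3/24"))
```

Run as written, the check reports that the core router's two peers both claim 192.168.200.0/24, so only the peer listed last would receive that prefix; the workstation's pair (192.168.200.0/24 for the core router and 192.168.200.254/32 for the cloud server) is fine, since the more specific /32 wins by longest-prefix match.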

The middle peers, the core router and the cloud server, must have IPv4 forwarding enabled. But I have no idea how to tune OpenWrt's firewall on the core router,[4] so for now I just allow all traffic in the firewall.

References

  1. 使用WireGuard技术实现外部节点与公司内网服务互访 (Using WireGuard to let external nodes and company intranet services reach each other)
  2. WireGuard endpoints and IP addresses
  3. WireGuard endpoint discovery and NAT traversal
  4. OpenWRT 配置 WireGuard 服务端及客户端配置教程 (OpenWrt WireGuard server and client configuration tutorial)
