# WG Tunnel for Tor-Conjure Integration

This document contains notes about the infrastructure put in place to support the Tor integration
with the refraction networking deployment. We use WireGuard to ensure that the data between
the refraction station and the actual bridge is encrypted. This document provides the steps used
to set up that system for future reference.

**TLDR** things to look at if something breaks:

- wireguard config and addresses
- wireguard enabled and running (enabled in systemd to run at startup)
- ufw rules
- destination ports

## Overview

WireGuard is used to ensure that the traffic between the refraction stations and the bridge host
is encrypted and secure. Only traffic destined for the bridge host's address is forwarded
over WireGuard; all other covert traffic is unaffected.

For now our WireGuard configuration only forwards one specific port (8888) to prevent WireGuard
from tunneling itself: the address we want to tunnel to is the same address we send the
WireGuard traffic itself to. The client config therefore sets `Table = 1234`, so that wg-quick installs
the route for `AllowedIPs` into a separate routing table, and the `PostUp` rule sends only TCP with
destination port 8888 to that table; everything else to the bridge address, including WireGuard's own
UDP packets, keeps using the main table. We can add more ports or transition to a port range if more or
different ports are needed. See the [wg-quick man page](https://man7.org/linux/man-pages/man8/wg-quick.8.html) for more information on the `PostUp` and
`PreDown` directives used for limiting port access.

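
The split routing described above is the first thing to verify when the tunnel does not come up. The following check is an added example (not part of these notes or the deployment's tooling): it reads the text of `ip rule show`, `ip route show table 1234` and `ip route get <bridge ip>` and confirms that the port-8888 rule exists, that table 1234 routes the bridge address over the WireGuard interface, and that the plain lookup for the bridge address (the one WireGuard's own UDP packets follow) still leaves via the management interface. The sample outputs, the bridge address 198.51.100.10 and the interface names `wg0`/`eth0` are constructed.

```sh
# Added example: verify the policy routing the client config relies on.
# Not part of the original notes; sample outputs and addresses are constructed.

# $1: output of `ip rule show`; $2: TCP port; $3: routing table number
rule_selects_table() {
    printf '%s\n' "$1" | grep -Eq "ipproto tcp dport $2 lookup $3"
}

# $1: output of `ip route show table <n>`; $2: bridge address; $3: wg interface
table_routes_over_wg() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots in the address
    printf '%s\n' "$1" | grep -Eq "^$esc dev $3( |$)"
}

# $1: output of `ip route get <bridge address>`; $2: wg interface
# Succeeds when the ordinary lookup does NOT go through the tunnel interface.
plain_lookup_avoids_wg() {
    ! printf '%s\n' "$1" | grep -Eq " dev $2( |$)"
}

# Run all three checks; print what failed; return non-zero on any failure.
# $1 rules, $2 table routes, $3 route-get output, $4 bridge ip, $5 wg iface,
# $6 port (default 8888), $7 table (default 1234)
check_split_routing() {
    rules=$1; table_routes=$2; route_get=$3
    bridge=$4; wgif=$5; port=${6:-8888}; table=${7:-1234}
    rc=0
    rule_selects_table "$rules" "$port" "$table" \
        || { echo "missing: ip rule for tcp dport $port -> table $table"; rc=1; }
    table_routes_over_wg "$table_routes" "$bridge" "$wgif" \
        || { echo "missing: route for $bridge via $wgif in table $table"; rc=1; }
    plain_lookup_avoids_wg "$route_get" "$wgif" \
        || { echo "bad: plain lookup for $bridge uses $wgif (WireGuard would tunnel itself)"; rc=1; }
    return $rc
}

# Live check on this host (needs iproute2): check_live <bridge ip> <wg iface>
check_live() {
    check_split_routing "$(ip rule show)" "$(ip route show table 1234)" \
        "$(ip route get "$1" 2>/dev/null)" "$1" "$2"
}

# Constructed sample outputs for a correctly configured client.
good_rules='0:      from all lookup local
32765:  from all ipproto tcp dport 8888 lookup 1234
32766:  from all lookup main
32767:  from all lookup default'
good_table='198.51.100.10 dev wg0 scope link'
good_route_get='198.51.100.10 via 192.0.2.1 dev eth0 src 192.0.2.50 uid 0
    cache'
# Constructed failure case: the AllowedIPs route landed in the main table
# (e.g. the Table line was left out), so the tunnel endpoint is routed into wg0.
bad_route_get='198.51.100.10 dev wg0 src 10.0.1.2 uid 0
    cache'

# Usage: sh check.sh <bridge ip> <wg iface>
if [ "$#" -eq 2 ]; then check_live "$1" "$2"; fi
```

The third check is the important one: if `ip route get <bridge ip>` ever reports `dev wg<X>`, the station is trying to send its WireGuard handshake through the tunnel it is trying to build, which is exactly the failure the `Table`/`PostUp` pair exists to prevent.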

On the bridge host, the PT port is not globally accessible — it must be accessed over
WireGuard. The WireGuard port is globally accessible, but it requires peers to have access to a
pre-shared key known to the WireGuard station.

## Template Wireguard Configs

Client:

```conf
[Interface]
Address = 10.0.1.2/32
ListenPort = 52606
# PrivateKey = kOr2b6gJPJ/fQsmJbC4fEWLCsmxEpmLEGBxCi0V07Fw=
PrivateKey = [CLIENT PRIVATE KEY]
# Routes for AllowedIPs go into table 1234; the PostUp rule sends only TCP to port 8888 there
Table = 1234
PostUp = ip rule add ipproto tcp dport 8888 table 1234
PreDown = ip rule delete ipproto tcp dport 8888 table 1234

[Peer]
# PublicKey = JvqswlhvWJlv++z8qkOQgQyfn0+bgPaj1IPWDYZG9hQ=
PublicKey = [SERVER PUBLIC KEY]
AllowedIPs = [BRIDGE IP]/32
Endpoint = [BRIDGE IP]:[BRIDGE WIREGUARD PORT]
```

Server:

```conf
[Interface]
Address = 10.0.1.1/24
ListenPort = [BRIDGE WIREGUARD PORT]
# PrivateKey = UABVGdzAe+RFoyjw4eVjMpZw2pxb2BQMvMTmgg046lw=
PrivateKey = [STATION PRIVATE KEY]
# %i is the wg interface name; forward tunnel traffic and NAT it out of the chosen interface
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o [INTERFACE TO FORWARD TO] -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o [INTERFACE TO FORWARD TO] -j MASQUERADE

[Peer]
# PublicKey = RVoU9/NTrWMi00wA7YE2bgkFllrhc+ssPNDPryc5CVI=
# A peer block carries the peer's public key (PrivateKey is only valid under [Interface])
PublicKey = [PEER PUBLIC KEY]
AllowedIPs = 10.0.1.2/32
```

## Wireguard Setup

### Generating Keys

1. Generate public and private keys on both client and server
   - `wg genkey | tee privatekey | wg pubkey > publickey`
2. Replace [`{SERVER|CLIENT} {PUBLIC|PRIVATE} KEY`] with the proper values
   - (must be the key value, NOT the path to the key file)

### Server

1. Install wireguard
2. Pick a port for the server
   - e.g. 51820 on the server
   - replace [`BRIDGE WIREGUARD PORT`] in the server config
3. Replace [`INTERFACE TO FORWARD TO`] with the name of the management interface used for ingress on the server.
4. Copy the config to an unused wg interface id (X ∈ {0,1,2…}) in `/etc/wireguard/wg<X>.conf`
5. Enable the interface with `wg-quick up wg<X>`
6. Allow ingress traffic through ufw
   - To the wireguard interface:
     ```
     sudo ufw allow 51820/udp
     ```
   - From the wireguard interface to the listening pluggable transport service:
     ```
     sudo ufw allow in on wg0 proto tcp to any port 8888
     ```

### Client

1. Install wireguard
2. Replace [`BRIDGE IP`] with the public address of the server
3. Replace [`BRIDGE WIREGUARD PORT`] with the port chosen above
4. Copy the config to an unused wg interface id (X ∈ {0,1,2…}) in `/etc/wireguard/wg<X>.conf`
5. Enable the interface with `wg-quick up wg<X>`

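
Before running `wg-quick up` on either side, it is worth linting the filled-in config for the mistakes the steps above warn about. The following is an added example (not part of these notes or the deployment's tooling): it flags template placeholders still in square brackets, a key given as a file path or anything other than its 44-character base64 value, and a `PrivateKey` line inside a `[Peer]` section. The two sample configs it ships with are constructed from the templates above, with 198.51.100.10 standing in for the bridge address.

```sh
# Added example: lint a wg-quick config before bringing the interface up.
# Not part of the original notes; sample configs below are constructed.

# Print every problem found in config file $1, one per line.
# Returns 0 when the config is clean, 1 when at least one problem was found.
wg_conf_check() {
    conf=$1
    rc=0
    section=""
    lineno=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        lineno=$((lineno + 1))
        # strip comments and surrounding whitespace
        line=$(printf '%s' "$raw" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$line" ]; then continue; fi
        case "$line" in
            '[Interface]') section=Interface; continue ;;
            '[Peer]')      section=Peer;      continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        val=$(printf '%s' "${line#*=}"  | sed 's/^[[:space:]]*//')
        # a template placeholder such as [BRIDGE IP] was never filled in
        case "$val" in
            *"["*"]"*) echo "line $lineno: placeholder left in $key: $val"; rc=1; continue ;;
        esac
        case "$key" in
            PrivateKey|PublicKey|PresharedKey)
                if [ "$key" = PrivateKey ] && [ "$section" = Peer ]; then
                    echo "line $lineno: PrivateKey inside [Peer]; a peer block needs PublicKey"; rc=1
                fi
                # a WireGuard key is 32 bytes base64-encoded: 43 chars followed by '='
                if ! printf '%s\n' "$val" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
                    echo "line $lineno: $key is not a key value (path instead of key?): $val"; rc=1
                fi ;;
        esac
    done < "$conf"
    return $rc
}

# Constructed sample: the client template filled in with the example keys from the notes.
sample_client_conf() {
    cat <<'EOF'
[Interface]
Address = 10.0.1.2/32
ListenPort = 52606
PrivateKey = kOr2b6gJPJ/fQsmJbC4fEWLCsmxEpmLEGBxCi0V07Fw=
Table = 1234
PostUp = ip rule add ipproto tcp dport 8888 table 1234
PreDown = ip rule delete ipproto tcp dport 8888 table 1234

[Peer]
PublicKey = JvqswlhvWJlv++z8qkOQgQyfn0+bgPaj1IPWDYZG9hQ=
AllowedIPs = 198.51.100.10/32
Endpoint = 198.51.100.10:51820
EOF
}

# Constructed sample with three mistakes: an unfilled port placeholder, a key
# given as a path, and PrivateKey under [Peer].
sample_broken_server_conf() {
    cat <<'EOF'
[Interface]
Address = 10.0.1.1/24
ListenPort = [BRIDGE WIREGUARD PORT]
PrivateKey = /etc/wireguard/privatekey

[Peer]
PrivateKey = RVoU9/NTrWMi00wA7YE2bgkFllrhc+ssPNDPryc5CVI=
AllowedIPs = 10.0.1.2/32
EOF
}

# Usage: WG_CONF=/etc/wireguard/wg0.conf sh wg-conf-check.sh
if [ -n "${WG_CONF:-}" ]; then wg_conf_check "$WG_CONF"; fi
```

Run it on the server config as well as the client config; the `PrivateKey`-under-`[Peer]` case is an easy one to produce when copying the `[Interface]` block as a starting point for a peer.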
### Testing the connection

1. Listen on the pluggable transport port on the server
   - `nc -l 8888`
2. Connect from the peer (1.2.3.4 stands for the bridge's public address). You should be able to send and receive
   - `nc 1.2.3.4 8888`
3. If it doesn't work you can debug by capturing traffic on:
   - client wireguard interface
     ```
     tcpdump -i wg<X> -nnS
     ```
   - server wireguard interface
     ```
     tcpdump -i wg<Y> -nnS
     ```
   - client management interface
     ```
     tcpdump -i [iface] -nnS host [server_ip]
     ```
   - server management interface
     ```
     tcpdump -i [iface] -nnS host [client_ip]
     ```

## Adding New Peers

We use the server as a centralizing point for securing connections from any station in the
deployment. In order to do so we just need to select different IP addresses, generate a new keypair, and add a [`Peer`] block to the server per new host. Alternatively we can re-use keys and simply extend the list of `AllowedIPs` on the server.

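
A small helper for these steps, added here as an example (not part of these notes or the deployment's tooling): it reads the server config, finds the highest `10.0.1.X` host address already handed out in `AllowedIPs`, and prints the `[Peer]` block to append for a new station together with the `Address` the station's own `[Interface]` should use. The new station's public key is passed in (generate it on the station with the `wg genkey | tee privatekey | wg pubkey` command from the Generating Keys section, after `umask 077` so the private key file is not world-readable). The sample server config is constructed from the templates in these notes, with 10.0.1.1 as the server's own address.

```sh
# Added example: allocate the next tunnel address and print a [Peer] block.
# Not part of the original notes; the sample config below is constructed.

# Print the next unallocated address in 10.0.1.0/24 given server config $1.
# 10.0.1.1 is the server itself, so allocation starts at .2.
next_free_addr() {
    max=1
    for n in $(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=//p' "$1" | tr ',' '\n' \
               | sed -n 's|^[[:space:]]*10\.0\.1\.\([0-9][0-9]*\)/32[[:space:]]*$|\1|p'); do
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    if [ "$max" -ge 254 ]; then echo "10.0.1.0/24 is exhausted" >&2; return 1; fi
    echo "10.0.1.$((max + 1))"
}

# Print the [Peer] block to append to server config $1 for public key $2,
# and tell the operator (on stderr) which Address the new station should use.
new_peer_block() {
    if [ "${#2}" -ne 44 ]; then echo "not a 44-char base64 key: $2" >&2; return 1; fi
    case "$2" in
        *[!A-Za-z0-9+/=]*) echo "not a base64 key: $2" >&2; return 1 ;;
    esac
    addr=$(next_free_addr "$1") || return 1
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$2" "$addr"
    echo "new station [Interface] should use: Address = $addr/32" >&2
}

# Constructed sample: a server config with two peers already present.
sample_server_conf() {
    cat <<'EOF'
[Interface]
Address = 10.0.1.1/24
ListenPort = 51820
PrivateKey = UABVGdzAe+RFoyjw4eVjMpZw2pxb2BQMvMTmgg046lw=

[Peer]
PublicKey = RVoU9/NTrWMi00wA7YE2bgkFllrhc+ssPNDPryc5CVI=
AllowedIPs = 10.0.1.2/32

[Peer]
PublicKey = yPo0TkgwXUBawQm8JF2EvbjxSor9qbxoihwp5R7lQHc=
AllowedIPs = 10.0.1.3/32, 10.0.1.4/32
EOF
}

# Usage: sh new-peer.sh /etc/wireguard/wg0.conf <station public key> >> /etc/wireguard/wg0.conf
if [ "$#" -eq 2 ]; then new_peer_block "$1" "$2"; fi
```

After appending the block, re-read the config with `wg syncconf` or `wg-quick down`/`up` so the running interface learns the new peer; the block alone does not change the live interface. If you instead choose to re-use an existing key, only the `AllowedIPs` list of that peer's block needs the extra `/32` added.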
Client:

```conf
[Interface]
Address = 10.0.1.3/32
ListenPort = 52606
# PrivateKey = iNBYRt4hYJRupLLgJwPDRIqpyHCmYoFVZ35Rkh6DpFU=
PrivateKey = [CLIENT PRIVATE KEY]
Table = 1234
PostUp = ip rule add ipproto tcp dport 8888 table 1234
PreDown = ip rule delete ipproto tcp dport 8888 table 1234

[Peer]
# PublicKey = JvqswlhvWJlv++z8qkOQgQyfn0+bgPaj1IPWDYZG9hQ=
PublicKey = [SERVER PUBLIC KEY]
AllowedIPs = [BRIDGE IP]/32
Endpoint = [BRIDGE IP]:[BRIDGE WIREGUARD PORT]
```

Server:

```conf
[Interface]
Address = 10.0.1.1/24
ListenPort = [BRIDGE WIREGUARD PORT]
# PrivateKey = UABVGdzAe+RFoyjw4eVjMpZw2pxb2BQMvMTmgg046lw=
PrivateKey = [STATION PRIVATE KEY]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o [INTERFACE TO FORWARD TO] -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o [INTERFACE TO FORWARD TO] -j MASQUERADE

# First station: one key, one address
[Peer]
# PublicKey = RVoU9/NTrWMi00wA7YE2bgkFllrhc+ssPNDPryc5CVI=
PublicKey = [PEER PUBLIC KEY]
AllowedIPs = 10.0.1.2/32

# Second station: one key re-used for two addresses
[Peer]
# PublicKey = yPo0TkgwXUBawQm8JF2EvbjxSor9qbxoihwp5R7lQHc=
PublicKey = [PEER PUBLIC KEY]
AllowedIPs = 10.0.1.3/32, 10.0.1.4/32
```