====== Wireguard Debian / Server ======

related git: https://git.picalike.corpex-kunden.de/incubator/swiss-army-knife/-/tree/master/wireguard\\
Based on\\
https://www.hostafrica.co.za/blog/linux/install-wireguard-vpn-debian-9/#install-wg-server_debian-9
but our migration plan differs in some very important aspects!

Useful commands:
<code>
hostname --long
</code>

**WARNING**: most of the netcup servers have been up for too long: the running kernel is x.x.x-16 while the installed one is -19, but the wireguard module is built for the running kernel → after a restart there is no wireguard module.

====== Pre- and Post Steps ======

[PRE]\\
remove the instance from the load balancer
<code>
curl "http://localhost:9000/disable"
</code>
… wait until no queries in log/sim_api.log\\
… at the end of the process\\
[POST]
<code>
docker restart frontend_instance1
</code>

====== Debian 9 to 10 for Wireguard ======

All steps must be performed as root:
<code>
su -
[password]
</code>

  - upgrade current os
<code>
apt-get update
apt-get upgrade
</code>
  - backup of sources, then change sources to enable upgrade from stretch to buster and append backport
<code>
cp -vi /etc/apt/sources.list /etc/apt/sources.list.stretch
cat /etc/apt/sources.list.stretch | sed 's/stretch/buster/g' > /etc/apt/sources.list
echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' >> /etc/apt/sources.list
</code>
  - upgrade OS 9→10
<code>
apt-get update
apt-get upgrade
</code>
  - follow steps in Debian 10

===== Debian 10 =====

All steps must be performed as root:
<code>
su -
[password]
</code>

To check if the update worked,
<code>
apt-cache search wireguard
</code>
should list tools and wireguard and dkms.

The required packages are available in 'buster-backports':
<code>
# first two lines not required if coming from debian 9
echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list
apt-get update --allow-releaseinfo-change
apt-get install wireguard wireguard-tools
modprobe wireguard
lsmod | grep wireguard
</code>

modprobe is used to load the module if it was not yet loaded.
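The kernel warning at the top of this page can be checked before a reboot. The script below is an added example, not part of the original runbook or the swiss-army-knife repository; the function names and the assumption that the DKMS build installs a file named wireguard.ko (possibly compressed) under /lib/modules/<release>/ are ours.

```shell
#!/bin/sh
# Added example (not from the original page): find installed kernels that
# have no wireguard module, so a reboot does not silently drop the VPN.
# Assumptions: modules live in <root>/<kernel-release>/ and the DKMS build
# installs a file named wireguard.ko (possibly compressed, e.g. .ko.xz).

# kernels_missing_wireguard ROOT -> prints one kernel release per line
kernels_missing_wireguard() (
    root=${1:-/lib/modules}
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        hit=$(find "$dir" -name 'wireguard.ko*' 2>/dev/null | head -n 1)
        [ -n "$hit" ] || basename "$dir"   # no module found for this kernel
    done
)

# wireguard_reboot_check ROOT RUNNING -> exit status 0 if every installed
# kernel has the module, 1 otherwise; prints one line per affected kernel.
wireguard_reboot_check() (
    root=${1:-/lib/modules}
    running=${2:-$(uname -r)}
    missing=$(kernels_missing_wireguard "$root")
    [ -n "$missing" ] || { echo "OK: all installed kernels have wireguard"; exit 0; }
    for k in $missing; do
        if [ "$k" = "$running" ]; then
            echo "FAIL: running kernel $k has no wireguard module"
        else
            echo "WARN: installed kernel $k has no wireguard module (VPN lost if it boots)"
        fi
    done
    exit 1
)

# Usage on a server, as root, before the restart in the checklist:
#   wireguard_reboot_check /lib/modules "$(uname -r)"
```

A WARN line for the newer kernel is exactly the situation described in the warning: the module exists only for the kernel that is currently running.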
===== Automatic Server Setup =====

<code>
cd /root
mkdir .wg
# keys and config live in /root/.wg, the path passed to wg-quick
cd .wg
wg genkey | tee privatekey | wg pubkey > publickey
chmod o-rw privatekey config.conf
</code>

===== Swap OpenVPN to Wireguard =====

Finally, after receiving the key from corpex, perform the following:
<code>
kill
wg-quick up /root/.wg/config.conf
</code>

Test the connection to corpex:
<code>
ssh picalike@dev01.picalike.corpex-kunden.de
</code>

===== Checklist =====

After restart check
  * all docker containers
  * node_exporter
  * services

===== Last Steps: Frontends =====

To actually migrate a server, remove the instance from the load balancer, kill the VPN, fill in the IP, start wireguard and restart the containers:
<code>
curl "http://localhost:9000/disable"
kill
wg-quick up /root/.wg/config.conf
# check corpex connection
ssh picalike@dev01.picalike.corpex-kunden.de
docker restart frontend_instance1 v5_image_picker_container
tail -f log/sim_api.log
</code>

Finally, SIM requests should arrive and be answered with status code 200.

====== References ======

https://madgerm.de/wireguard-auf-debian-10-einrichten