related git: https://git.picalike.corpex-kunden.de/incubator/swiss-army-knife/-/tree/master/wireguard
Based on
https://www.hostafrica.co.za/blog/linux/install-wireguard-vpn-debian-9/#install-wg-server_debian-9
but our migration plan differs in some very important aspects!
Useful commands:
hostname --long
WARNING: most of the netcup servers have been up for a long time: the running kernel is x.x.x-16 but the installed one is -19, and the wireguard module is built for the running kernel → after a restart there is no wireguard module.
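The kernel mismatch described in the warning above can be checked before and after a restart. The following shell functions are an added example, not part of the original page or the linked repository; the function names, the two optional arguments and the `ok`/`MISSING` output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list every installed kernel and whether a wireguard module
# exists for it, so a restart into a newer kernel does not come up without VPN.

# has_wireguard MODULES_ROOT KERNEL_VERSION
# Succeeds if a wireguard module (plain or compressed) exists for that kernel.
has_wireguard() {
    [ -n "$(find "$1/$2" -type f -name 'wireguard.ko*' 2>/dev/null | head -n 1)" ]
}

# check_wireguard_modules [MODULES_ROOT] [RUNNING_KERNEL]
# Prints "<kernel> <ok|MISSING>[ (running)]" for each installed kernel.
# Returns 1 if any installed kernel has no wireguard module, else 0.
# Both arguments are assumptions added for testability; the defaults are
# /lib/modules and the output of `uname -r`.
check_wireguard_modules() {
    root="${1:-/lib/modules}"
    running="${2:-$(uname -r)}"
    rc=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue      # glob matched nothing
        kernel=$(basename "$dir")
        if has_wireguard "$root" "$kernel"; then
            state=ok
        else
            state=MISSING
            rc=1
        fi
        if [ "$kernel" = "$running" ]; then mark=" (running)"; else mark=""; fi
        echo "$kernel $state$mark"
    done
    return "$rc"
}

# Usage on the server, before and after the restart:
#   check_wireguard_modules || echo "a kernel has no wireguard module"
```

A `MISSING` line for a kernel newer than the running one means the module has to be built for that kernel before the server is restarted.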
[PRE]
remove the instance from the load balancer
curl "http://localhost:9000/disable"
… wait until no queries in log/sim_api.log
… at the end of the process
[POST]
docker restart frontend_instance1
All steps must be performed as root:
su - [password]
- upgrade current os
apt-get update
apt-get upgrade
- back up the sources, then change them to enable the upgrade from stretch to buster and append backports
cp -vi /etc/apt/sources.list /etc/apt/sources.list.stretch
cat /etc/apt/sources.list.stretch | sed 's/stretch/buster/g' > /etc/apt/sources.list
echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' >> /etc/apt/sources.list
- upgrade OS 9→10
apt-get update
apt-get upgrade
- follow steps in Debian 10
All steps must be performed as root:
su - [password]
to check if the update worked
apt-cache search wireguard
should list tools and wireguard and dkms
The required packages are available in 'buster-backports'
# first two lines not required if coming from debian 9
echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list
apt-get update --allow-releaseinfo-change
apt-get install wireguard wireguard-tools
modprobe wireguard
lsmod | grep wireguard
modprobe is used to load the module if it was not yet loaded.
cd /root
mkdir .wg
cd .wg   # keys and config live in /root/.wg, the path wg-quick uses below
wg genkey | tee privatekey | wg pubkey > publickey
<copy config and insert privatekey>
chmod o-rw privatekey config.conf
finally after receiving the key from corpex perform the following:
kill <OPENVPN PID>
wg-quick up /root/.wg/config.conf
test connection to corpex:
ssh picalike@dev01.picalike.corpex-kunden.de
After restart check
To actually migrate a server, remove the instance from the load balancer, kill the VPN, fill in the IP, start wireguard and restart the containers:
curl "http://localhost:9000/disable"
kill <OPENVPN PID>
wg-quick up /root/.wg/config.conf
# check corpex connection
ssh picalike@dev01.picalike.corpex-kunden.de
docker restart frontend_instance1 v5_image_picker_container
tail -f log/sim_api.log
Finally, SIM requests should arrive and be answered with status code 200.