
Wireguard Debian / Server

related git: https://git.picalike.corpex-kunden.de/incubator/swiss-army-knife/-/tree/master/wireguard

Based on
https://www.hostafrica.co.za/blog/linux/install-wireguard-vpn-debian-9/#install-wg-server_debian-9

but our migration plan differs in some very important aspects!

Useful commands:

hostname --long

WARNING: most of the netcup servers have been up for a very long time: the running kernel is x.x.x-16 while the installed kernel is already -19. The wireguard DKMS module gets built for the running kernel only, so after a restart the new kernel boots without a wireguard module.
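The following pre-reboot check is an added example, not part of this page or the swiss-army-knife repo. It looks at the kernel directories under /lib/modules (standard Debian layout), compares the running kernel with the newest installed one, and reports whether each has a wireguard module (in-tree under kernel/, or a DKMS build under updates/). The kernel version strings in the comments are constructed; the real ones come from uname -r and the installed linux-image packages.

```shell
#!/bin/sh
# Added example (not from the original page): detect the situation where the
# running kernel still has a wireguard module but the newest installed kernel,
# which a reboot would start, has none. Assumes the Debian /lib/modules layout.

# newest_installed_kernel MODDIR
# Highest kernel version directory under MODDIR, e.g. 4.19.0-19-amd64
# (constructed value; sort -V orders -16 before -19 correctly).
newest_installed_kernel() {
    ls "$1" | sort -V | tail -n 1
}

# wg_module_for MODDIR KERNEL
# Prints "builtin" (in-tree module, kernels >= 5.6), "dkms" (buster backport
# build under updates/dkms) or "missing".
wg_module_for() {
    moddir="$1"; kernel="$2"
    if find "$moddir/$kernel/kernel" -name 'wireguard.ko*' 2>/dev/null | grep -q .; then
        echo builtin
    elif find "$moddir/$kernel/updates" -name 'wireguard.ko*' 2>/dev/null | grep -q .; then
        echo dkms
    else
        echo missing
    fi
}

# reboot_verdict RUNNING NEWEST MODDIR
# "ok" when a reboot keeps wireguard working; otherwise says what breaks.
reboot_verdict() {
    running="$1"; newest="$2"; moddir="$3"
    if [ "$running" != "$newest" ] && [ "$(wg_module_for "$moddir" "$newest")" = missing ]; then
        echo "reboot-unsafe: $newest has no wireguard module (build the dkms module for $newest before rebooting)"
    elif [ "$(wg_module_for "$moddir" "$running")" = missing ]; then
        echo "no-module: $running has no wireguard module"
    else
        echo ok
    fi
}

# Live check on a host (uncomment to run):
# reboot_verdict "$(uname -r)" "$(newest_installed_kernel /lib/modules)" /lib/modules
```

Run the live check before the restart step below; a "reboot-unsafe" verdict means the DKMS build for the new kernel must happen first, otherwise the tunnel will not come back after the reboot.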

Pre- and Post Steps

[PRE] remove the instance from the load balancer:

curl "http://localhost:9000/disable"

… then wait until no more queries appear in log/sim_api.log.

[POST] at the end of the process:

docker restart frontend_instance1

Debian 9 to 10 for Wireguard

All steps must be performed as root:

su -
[password]

- upgrade the current OS

apt-get update
apt-get upgrade

- back up the sources list, then switch the sources from stretch to buster to enable the upgrade and append the backports repository

cp -vi /etc/apt/sources.list /etc/apt/sources.list.stretch
sed 's/stretch/buster/g' /etc/apt/sources.list.stretch > /etc/apt/sources.list
echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' >> /etc/apt/sources.list

- upgrade OS 9→10

apt-get update
apt-get upgrade
apt-get dist-upgrade   # required for a release upgrade: pulls in the buster kernel and packages that 'upgrade' holds back

- follow steps in Debian 10

Debian 10

All steps must be performed as root:

su -
[password]

To check that the upgrade worked:

apt-cache search wireguard

should list wireguard, wireguard-tools and wireguard-dkms.

The required packages are available in 'buster-backports'

# first two lines not required if coming from debian 9 
echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list
apt-get update --allow-releaseinfo-change
apt-get install wireguard wireguard-tools
modprobe wireguard
lsmod | grep wireguard

modprobe is used to load the module if it was not yet loaded.

Automatic Server Setup

cd /root
mkdir .wg && cd .wg        # keys and config live in /root/.wg, where wg-quick expects them below
umask 077                  # files are created owner-only from the start
wg genkey | tee privatekey | wg pubkey > publickey
<copy config and insert privatekey>
chmod 600 privatekey config.conf   # private key and config readable by root only

Swap OpenVPN to Wireguard

Finally, after receiving the key from corpex, perform the following:

kill <OPENVPN PID>
wg-quick up /root/.wg/config.conf

Test the connection to corpex:

ssh picalike@dev01.picalike.corpex-kunden.de

Checklist

After restart check

  • all docker containers
  • node_exporter
  • services

Last Steps: Frontends

To actually migrate a server: remove the instance from the load balancer, kill the VPN, fill in the IP, start wireguard and restart the containers:

curl "http://localhost:9000/disable"
kill <OPENVPN PID>
wg-quick up /root/.wg/config.conf
# check corpex connection
ssh picalike@dev01.picalike.corpex-kunden.de
docker restart frontend_instance1 v5_image_picker_container
tail -f log/sim_api.log

Finally, SIM requests should arrive again and be answered with status code 200.
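As an added example (not from this page or the swiss-army-knife repo), the checks below cover the restart checklist and the frontend steps in one script: tunnel handshake age from wg show, container state from docker ps, and the node_exporter metrics endpoint. The parsing functions take the command output as text, so they can be verified offline; the interface name wg0, the node_exporter port 9100 and the sample outputs are assumptions, while the container names are the ones used on this page.

```shell
#!/bin/sh
# Added example, not part of the original page. Post-migration verification:
# every function takes command output as its first argument so the logic can
# be exercised without a live host; the commented wrapper at the end feeds it
# real output. Interface name and exporter port are assumptions.

# stale_peers WG_OUTPUT NOW MAX_AGE
# WG_OUTPUT is the text of `wg show <iface> latest-handshakes`, one
# "<peer-pubkey><TAB><unix-time>" line per peer (0 = never handshaked).
# Prints each peer whose last handshake is older than MAX_AGE seconds.
# WireGuard re-handshakes roughly every 2 minutes under traffic, so 180 s
# is a reasonable bound for a tunnel that is actually carrying SIM requests.
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$3" \
        '$2 == 0 || now - $2 > max { print $1 }'
}

# missing_containers PS_OUTPUT NAME...
# PS_OUTPUT is the text of `docker ps --format '{{.Names}} {{.Status}}'`.
# Prints each expected NAME that is absent or whose status is not "Up ...".
missing_containers() {
    ps_out="$1"; shift
    for name in "$@"; do
        if ! printf '%s\n' "$ps_out" | awk -v n="$name" \
                '$1 == n && $2 == "Up" { found = 1 } END { exit !found }'; then
            echo "$name"
        fi
    done
}

# exporter_ok BODY
# BODY is the response of GET /metrics; a healthy node_exporter always
# emits its build info line. Returns 0 when it is present.
exporter_ok() {
    printf '%s\n' "$1" | grep -q '^node_exporter_build_info'
}

# Live run on the migrated host (uncomment; wg0 and port 9100 are assumptions):
# stale_peers "$(wg show wg0 latest-handshakes)" "$(date +%s)" 180
# missing_containers "$(docker ps --format '{{.Names}} {{.Status}}')" \
#     frontend_instance1 v5_image_picker_container
# exporter_ok "$(curl -s http://localhost:9100/metrics)" && echo "node_exporter ok"
```

An empty result from stale_peers and missing_containers, plus a passing exporter_ok, is the state to expect before tailing log/sim_api.log for the 200 responses; a stale peer right after wg-quick up usually means the corpex side has not yet received the public key.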


wireguard.txt · Last modified: 2024/04/11 14:23 by 127.0.0.1