Project author: gitirabassi

Project description:
Vault's plugin for managing server and dynamic client configurations
Language: Go
Project address: git://github.com/gitirabassi/vault-plugin-secrets-wireguard.git
Created: 2020-05-01T09:25:27Z
Project community: https://github.com/gitirabassi/vault-plugin-secrets-wireguard

License: Mozilla Public License 2.0

Vault-secret-plugin-wireguard

NOTA BENE: this is still WIP; basic functionality is not yet fully implemented

Paths

  • GET/POST/DELETE /config
    • cidr —> 10.20.0.0/24
  • GET/POST/DELETE /servers/:server_name
    • port —> defaults to 51820
    • public_endpoint —>
    • post_up_script
    • post_down_script
    • private_webhook_address —> defaults to public_endpoint in case it’s not specified
    • allowed_ips —> list of subnets to route traffic through this server; can be ["0.0.0.0/0"] or ["10.0.0.0/24","192.68.0.0/24"]
  • GET/POST/DELETE /roles/:role_name
    • servers —> list of servers to connect to ["default", "aws-europe", "gcp-testing"] —> each must already exist as a :server_name
    • dns
    • client_persistent_keepalive —> defaults to 25 seconds
    • client_subnet_mask —> defaults to 32
  • GET /creds/:role_name
    • conf —> complete wireguard configuration to be used with wg-quick for a client
  • GET /server-creds/:server_name
    • conf —> complete wireguard configuration to be used with wg-quick for a client
    • webhook_secret —> webhook secret that vault will use to POST updates to wireguard servers
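As an added illustration (not the plugin's own code), the Go snippet below renders the kind of wg-quick client configuration that GET /creds/:role_name returns, built from the role and server parameters listed above and applying the documented defaults (port 51820, keepalive 25 seconds, subnet mask 32). The Server and Role types, the endpoint names and the key strings are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Server and Role carry the /servers/:server_name and /roles/:role_name
// parameters listed above; both types are assumptions for this example,
// not the plugin's own, and key values are placeholders the caller supplies.
type Server struct {
	Name, PublicEndpoint, PublicKey string
	Port                            int      // defaults to 51820
	AllowedIPs                      []string // subnets routed through this server
}

type Role struct {
	Servers                   []Server // every entry must exist as a :server_name
	DNS                       []string
	ClientPersistentKeepalive int // defaults to 25 seconds
	ClientSubnetMask          int // defaults to 32
}

// ClientConf renders a wg-quick client configuration of the kind GET
// /creds/:role_name returns, applying the documented defaults to zero fields.
func ClientConf(r Role, clientIP, clientPrivateKey string) string {
	mask, keepalive := r.ClientSubnetMask, r.ClientPersistentKeepalive
	if mask == 0 {
		mask = 32
	}
	if keepalive == 0 {
		keepalive = 25
	}
	var b strings.Builder
	fmt.Fprintf(&b, "[Interface]\nAddress = %s/%d\nPrivateKey = %s\n", clientIP, mask, clientPrivateKey)
	if len(r.DNS) > 0 {
		fmt.Fprintf(&b, "DNS = %s\n", strings.Join(r.DNS, ", "))
	}
	for _, s := range r.Servers { // one [Peer] per server the role connects to
		port := s.Port
		if port == 0 {
			port = 51820
		}
		fmt.Fprintf(&b, "\n[Peer]\n# %s\nPublicKey = %s\nEndpoint = %s:%d\nAllowedIPs = %s\nPersistentKeepalive = %d\n",
			s.Name, s.PublicKey, s.PublicEndpoint, port, strings.Join(s.AllowedIPs, ", "), keepalive)
	}
	return b.String()
}
```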

Apply policy

  1. vault policy write wireguard_client_develper contrib/client.hcl

Client User Experience

  1. export VAULT_ADDR=https://vault.example.com
  2. vault status
  3. vault login -method=oidc
  4. vault read -field=conf wireguard/creds/default | clipcopy

Terraform deployment

IMPORTANT: this cannot be applied all at once, as it will break. There is an order:

  • First create the Vault server without TLS
  • Configure DNS so that it resolves your domain to the host
  • Enable TLS
  • Create the Wireguard server with the agent disabled
  • Configure Vault with the right servers and configurations

Two main changes need to happen to this example:

  • ssh key: if you use GitHub to distribute your public ssh key, replace someone in the GitHub link with your own account name
  • change the vault_address and module.dns.domain to match your domain

The modules are opinionated:

  • both the Vault and Wireguard servers are created in, and live in, their own VPC
  • these VPCs are dedicated to running them, and them only.
  • You should enable AWS EC2 Transit Gateways or VPC to connect the Wireguard server with your VPC.
  • This way you'll get much more control of what goes where, and you may have different VPCs connect to the Wireguard VPC

A video recording on how to do all this will come very soon

  provider "aws" {
    region = "eu-central-1"
  }

  data "http" "ssh_key" {
    url = "https://github.com/someone.keys"
  }

  resource "aws_key_pair" "main" {
    key_name   = "wireguard_infra_key"
    public_key = data.http.ssh_key.body
  }

  variable vault_address {
    default = "vault.example.com"
  }

  module "dns" {
    source = "github.com/gitirabassi/vault-plugin-secrets-wireguard//terraform/route53"
    domain = "example.com"
    a_records = {
      "vault"                  = module.vault-server.public_ip
      "first-wireguard-server" = module.wireguard-server.public_ip
    }
  }

  module "vault-server" {
    source        = "github.com/gitirabassi/vault-plugin-secrets-wireguard//terraform/vault-server"
    name          = "vault-server"
    vpc_cidr      = "10.210.0.0/16"
    vault_address = var.vault_address
    instance_type = "t3.small"
    region        = "eu-central-1"
    ssh_key_name  = aws_key_pair.main.key_name
    enable_ssh    = false
    auto_tls      = true
  }

  module "wireguard-server" {
    source              = "github.com/gitirabassi/vault-plugin-secrets-wireguard//terraform/wg-server"
    name                = "wireguard-server"
    vpc_cidr            = "10.220.0.0/16"
    vault_address       = "https://${var.vault_address}"
    vault_role_name     = "wireguard-server"
    webhook_source_cidr = "${module.vault-server.public_ip}/32"
    instance_type       = "t3.small"
    ssh_key_name        = aws_key_pair.main.key_name
    enable_ssh          = true
    disable_agent       = true
  }

  provider "vault" {
    address = "https://${var.vault_address}"
  }

  module "vault-configuration" {
    source             = "github.com/gitirabassi/vault-plugin-secrets-wireguard//terraform/vault-config"
    backend_mount_path = "wireguard"
    wireguard_cidr     = "172.16.0.0/16"
    servers = {
      "wireguard-server" = {
        address  = module.wireguard-server.public_ip
        port     = module.wireguard-server.public_port
        role_arn = module.wireguard-server.role_arn
        vpc_id   = module.wireguard-server.vpc_id
        region   = "eu-central-1"
      },
    }
  }

Webhook

The webhook is a trick to avoid having the Wireguard server poll every X seconds: it reloads its configuration only when a user gets added or deleted.

To simulate the hook that Vault will send to the wg-server-agent, curl can be used:

  1. curl -XPOST -H 'Content-Type: application/json' -d '{"token":"example-super-secret-token"}' http://dev.aws.example.com:51821/webhook
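An added example, not the project's wg-server-agent code, of how the receiving side of this webhook can be guarded in Go: the handler accepts the POST only from the configured webhook_source_cidr and only when the token in the JSON body matches the webhook_secret issued by Vault (compared in constant time), and triggers the reload only after both checks pass. The WebhookHandler type, the reload callback and the address 203.0.113.10 are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"net"
	"net/http"
)

// WebhookHandler (an assumed type, not the project's own) guards the reload
// endpoint of a WireGuard server agent: secret is the webhook_secret Vault
// issues, allowed is the webhook_source_cidr (the Vault server's /32), and
// reload runs only after both checks pass.
type WebhookHandler struct {
	secret  string
	allowed *net.IPNet
	reload  func()
}

func NewWebhookHandler(secret, sourceCIDR string, reload func()) (*WebhookHandler, error) {
	_, allowed, err := net.ParseCIDR(sourceCIDR)
	if err != nil {
		return nil, err
	}
	return &WebhookHandler{secret: secret, allowed: allowed, reload: reload}, nil
}

func (h *WebhookHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Source check first: only a POST from the Vault host may reach the hook.
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if r.Method != http.MethodPost || err != nil || !h.allowed.Contains(net.ParseIP(host)) {
		w.WriteHeader(http.StatusForbidden)
		return
	}
	// Body mirrors the README's curl example: {"token":"example-super-secret-token"}
	var p struct {
		Token string `json:"token"`
	}
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&p); err != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	// Constant-time compare so a wrong token does not leak how many bytes matched.
	if subtle.ConstantTimeCompare([]byte(p.Token), []byte(h.secret)) != 1 {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	h.reload()
	w.WriteHeader(http.StatusNoContent)
}
```

Mount the handler on the agent's webhook port (51821 in the curl example above) with http.Handle("/webhook", h).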

Future features

  • rotate server keys (find a way to use multiple keys to make migration smoother)