We rent a VPS to build the so-called "Internet Gateway". Seen from The Liberated Edge it is the gateway to the Internet. A single Internet Gateway can serve several Edges, and one Edge can be reached outside-in through a number of Internet Gateways.
Internet Gateways can be implemented in many ways. To function well they always need to provide the following capabilities:
Our pragmatic approach is to build Internet Gateways on Linux VPS that run WireGuard virtual private network (VPN) server nodes.
WireGuard has been part of the mainline Linux kernel since 5.6, so the kernels of most current distributions already bundle it. What usually still needs to be installed is the userspace package (`wireguard-tools`, pulled in by the `wireguard` package on Ubuntu/Debian) that provides the `wg` and `wg-quick` utilities used below. All of this is open source and free of charge, so once set up an Internet Gateway is quite affordable for home usage.
Once the VPS for the Internet Gateway has booted, connect to its console from the administrative panel of your VPS provider. The procedure differs slightly between providers and is normally described in the provider's documentation.
The notion of variables will be used across this guide to represent data that can vary across the different instances of Internet Gateway.
Name | Source | Description |
---|---|---|
<INTERNET_GATEWAY_IP_ADDRESS> | VPS Admin panel | Public IP address of the Internet Gateway (Linux VPS) |
<WG_SERVER_PRIVATE_KEY> | Generated on the Internet Gateway | Private key of the WireGuard server, i.e. the Internet Gateway; it never leaves that host |
<WG_SERVER_PUBLIC_KEY> | Generated on the Internet Gateway | Public key of the WireGuard server; it goes into the `[Peer]` section of every server on the Edge |
<WG_EDGE_SERVER_PRIVATE_KEY> | Generated on the server on the Edge | Private key of the server on the Edge (the WireGuard client); it never leaves that host |
<WG_INTERNET_GATEWAY_PUBLIC_KEY> | Generated on the server on the Edge | Public key of the server on the Edge; despite its name it is the key the Internet Gateway uses to identify that Edge server, so it is registered in a `[Peer]` section on the Internet Gateway |
Look for the credentials of the `root` user and find a way to start the VPS console. Log in as `root` through the VPS console.
apt update && apt upgrade
adduser mycelium
usermod -a -G sudo mycelium
On Ubuntu/Debian membership of the `sudo` group is enough, because `/etc/sudoers` already grants that group full `sudo` rights. If your image lacks that rule, add the user explicitly with `visudo`, which checks the syntax before saving (a broken sudoers file locks everybody out of `sudo`):
visudo
Add the following new line: mycelium ALL=(ALL) ALL
`adduser` already asks for a password; set one separately only if you skipped that prompt.
passwd mycelium
In the VPS console as `root`. The value matches the `MTU = 1280` used later for the tunnel interface on the Edge; 1280 bytes is the smallest MTU every IPv6 link must support, so packets of that size pass any path without fragmentation.
vi /etc/netplan/50-cloud-init.yaml
```yaml
network:
  version: 2
  ethernets:
    eth0:
      mtu: 1280
      ...
```
The interface may be called something other than `eth0` (e.g. `ens3`); use the name reported by `ip route show default`. This file is generated by cloud-init and may be regenerated on the next boot; to keep the change, disable cloud-init's network configuration by creating `/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg` with the single line `network: {config: disabled}`.
reboot
After the reboot the command below should report `mtu 1280` for the interface.
ip a
In the VPS console as `root`.
apt update && apt install openssh-server
Make sure that `/etc/ssh/sshd_config` contains the following values. This hardens the SSH daemon: `root` can only log in with a key, and password authentication is disabled for all system users. Switch `PasswordAuthentication` to `no` only after your public key is on the machine (the `ssh-copy-id` step below needs the password), and keep the VPS console session open until a key-based login has been verified, so a mistake cannot lock you out.
vi /etc/ssh/sshd_config
PermitRootLogin prohibit-password
PasswordAuthentication no
Ubuntu cloud images may ship a file under `/etc/ssh/sshd_config.d/` that sets `PasswordAuthentication yes`; that directory is included at the top of `sshd_config` and sshd keeps the first value it sees, so such a file wins. Check the syntax and the effective values before (re)starting the daemon:
sshd -t
sshd -T | grep -i -E 'permitrootlogin|passwordauthentication'
systemctl enable sshd
systemctl restart sshd
From an administrative device on the Edge, e.g. your Arch Linux laptop.
sudo pacman -Syyuu openssh
On Ubuntu/Debian run
sudo apt update && sudo apt install openssh-client
Run `ssh-keygen` only if you don't have an SSH key pair yet; `ssh-keygen -t ed25519` creates a modern key.
ssh-keygen
ssh-copy-id mycelium@<INTERNET_GATEWAY_IP_ADDRESS>
The password of `mycelium` on the Internet Gateway will be asked for.
You should now be able to establish SSH sessions from this account on the Edge device to the Internet Gateway without a password prompt.
ssh mycelium@<INTERNET_GATEWAY_IP_ADDRESS>
From the administrative device on the Edge, e.g. your Arch Linux laptop, log in to the Internet Gateway.
ssh mycelium@<INTERNET_GATEWAY_IP_ADDRESS>
sudo apt update && sudo apt install wireguard
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
In this way only the `root` user will be able to access the WireGuard private key. Note that `tee` also echoes the key to your terminal, so do this in a session whose scrollback is not logged, and treat `<WG_SERVER_PRIVATE_KEY>` as a secret that never leaves this host.
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
sudo su -
Create `/etc/wireguard/wg0.conf` and add the following content.
```ini
# Server configuration in /etc/wireguard/wg0.conf on the Internet Gateway
[Interface]
PrivateKey = <WG_SERVER_PRIVATE_KEY> # The value stored in private.key on this host
Address = 10.6.6.1/24 # IP address of the server in the VPN network
ListenPort = 65973 # WireGuard peers connect to this UDP port
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
```
Replace `eth0` in the `PostUp`/`PostDown` rules with the name of the interface that carries the default route (`ip route show default`) if it differs. These rules turn the gateway into a NAT router for everything that arrives over `wg0`; which source addresses a given peer may use is limited by that peer's `AllowedIPs` in its `[Peer]` section (added further below).
From a server on the Edge, i.e. one of your own server hosts, e.g. an Arch Linux server machine.
sudo pacman -Syuu wireguard-tools
On Ubuntu/Debian run `sudo apt update && sudo apt install wireguard`.
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
In this way only the `root` user will be able to access the WireGuard private key. This key is `<WG_EDGE_SERVER_PRIVATE_KEY>`; the public key derived next is `<WG_INTERNET_GATEWAY_PUBLIC_KEY>`, the only value that has to be copied to the Internet Gateway.
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
sudo su -
Create `/etc/wireguard/wg0.conf` on the server on the Edge and add the following content.
```ini
# Client configuration in /etc/wireguard/wg0.conf on the server on the Edge
[Interface]
PrivateKey = <WG_EDGE_SERVER_PRIVATE_KEY> # The value stored in private.key on this host (a private key, never public.key)
Address = 10.6.6.2/24 # IP address of the peer in the VPN network
MTU = 1280

# The Internet Gateway
[Peer]
PublicKey = <WG_SERVER_PUBLIC_KEY> # The value stored in public.key on the Internet Gateway
AllowedIPs = 0.0.0.0/0 # Traffic for all IPv4 addresses is routed through the tunnel
Endpoint = <INTERNET_GATEWAY_IP_ADDRESS>:65973 # Public IP address and port of the VPN server (ListenPort in the server configuration)
PersistentKeepalive = 25 # Keeps the NAT mapping open so the gateway can reach this host outside-in
```
`AllowedIPs = 0.0.0.0/0` sends all of this server's IPv4 traffic, including its own package updates, through the Internet Gateway. IPv6 is not covered: it keeps leaving through the Edge's own uplink unless you add `::/0` here and give the tunnel IPv6 addresses on both ends.
IP forwarding must be enabled on the host that forwards and masquerades the peers' traffic, i.e. on the Internet Gateway (run this there as `root`; the server on the Edge only needs it if it forwards for other hosts in turn). Use a drop-in file rather than redirecting with `>`, which would overwrite `/etc/sysctl.conf`:
```sh
cat > /etc/sysctl.d/99-wireguard.conf <<'EOF'
# Enable forwarding for IPv4
net.ipv4.ip_forward = 1
# Enable forwarding for IPv6
net.ipv6.conf.all.forwarding = 1
EOF
sysctl --system
```
Then enable and start the tunnel on the server on the Edge.
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
The remaining steps register the server on the Edge as a peer on the Internet Gateway. Open the SSH session from the administrative device on the Edge, e.g. your laptop: on the Edge server itself `AllowedIPs = 0.0.0.0/0` already routes everything into the tunnel, which cannot pass traffic until the peer is registered.
ssh mycelium@<INTERNET_GATEWAY_IP_ADDRESS>
sudo su -
Append the following content to the end of `/etc/wireguard/wg0.conf`.
```ini
# Configurations for the peers. You need to add a [Peer] section for each VPN client.
[Peer]
PublicKey = <WG_INTERNET_GATEWAY_PUBLIC_KEY> # The value stored in public.key on the server on the Edge
AllowedIPs = 10.6.6.2/32 # Internal IP address of the VPN client; the gateway accepts packets from this peer only with this source address
```
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
Eventually the content of `/etc/wireguard/wg0.conf` on the Internet Gateway looks similar to the example below.
```ini
# Server configuration in /etc/wireguard/wg0.conf on the Internet Gateway
[Interface]
PrivateKey = <WG_SERVER_PRIVATE_KEY> # The value stored in private.key.
Address = 10.6.6.1/24 # Internal IP address of the VPN server.
ListenPort = 65973 # WireGuard peers connect to this UDP port
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Configurations for the peers. You need to add a [Peer] section for each VPN client.
[Peer]
PublicKey = <WG_INTERNET_GATEWAY_PUBLIC_KEY> # public.key of the server on the Edge.
AllowedIPs = 10.6.6.2/32 # Internal IP address of the VPN client.
```
Whenever you add more servers to the Edge, register each of them in this file as a `[Peer]` with its own public key and a unique `/32` tunnel address, and reload the configuration. Restarting the `wg-quick@wg0` systemd service works but drops every existing tunnel for a moment; `wg syncconf wg0 <(wg-quick strip wg0)` applies the new peer list to the running interface without that interruption. Verify with `wg show wg0` that the new peer appears and, once it connects, shows a recent handshake.
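The key placement above is easy to get wrong (a public key pasted into `PrivateKey`, a peer registered with the wrong key, an `AllowedIPs` that does not cover the peer's address), and WireGuard reports nothing: the handshake simply never completes. The following is an added example, not code from this guide or from the WireGuard project, that checks an Internet Gateway `wg0.conf` against an Edge `wg0.conf` offline. It re-implements the `wg pubkey` derivation (X25519 of the private key with base point 9, RFC 7748) in pure Python so it does not need `wg` installed; the sample keys are the RFC 7748 test vectors and the gateway address `203.0.113.10` is a constructed documentation address, both stand-ins for the real values.

```python
"""Added example, not code from this guide or from WireGuard: check that the
Internet Gateway's and the Edge server's wg0.conf reference each other's keys.
The X25519 ladder is not constant time: fine for an offline config check."""
import base64
import ipaddress

P = 2 ** 255 - 19
BASEPOINT = bytes([9]) + bytes(31)  # u = 9, little-endian


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; the scalar is clamped the way `wg genkey` does."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & (2 ** 255 - 1)  # drop the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_pubkey(private_b64: str) -> str:
    """Same output as `wg pubkey` fed with a base64 private key."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def parse_wg_conf(text: str) -> list:
    """Minimal wg0.conf parser: keeps every [Peer] section, drops # comments."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def check_pair(gateway_conf: str, edge_conf: str) -> list:
    """Return the problems found; an empty list means the pair is consistent."""
    gw, edge = parse_wg_conf(gateway_conf), parse_wg_conf(edge_conf)
    gw_if = next((kv for n, kv in gw if n == "Interface"), {})
    edge_if = next((kv for n, kv in edge if n == "Interface"), {})
    edge_peer = next((kv for n, kv in edge if n == "Peer"), {})
    try:
        gw_pub, edge_pub = wg_pubkey(gw_if["PrivateKey"]), wg_pubkey(edge_if["PrivateKey"])
    except (KeyError, ValueError) as exc:
        return [f"cannot derive public keys: {exc!r}"]
    problems = []
    # 1. The Edge's [Peer] must carry the key derived from the gateway's PrivateKey.
    if edge_peer.get("PublicKey") != gw_pub:
        problems.append("Edge [Peer] PublicKey is not the gateway's public key")
    # 2. The gateway needs a [Peer] with the Edge's public key whose AllowedIPs
    #    covers the Edge's tunnel address, otherwise the Edge's packets are dropped.
    registered = [kv for n, kv in gw if n == "Peer" and kv.get("PublicKey") == edge_pub]
    if not registered:
        problems.append("gateway has no [Peer] for the Edge's public key "
                        "(is a public key sitting in the Edge's PrivateKey field?)")
    else:
        addr = ipaddress.ip_interface(edge_if.get("Address", "0.0.0.0/32")).ip
        nets = [n.strip() for n in registered[0].get("AllowedIPs", "").split(",") if n.strip()]
        if not any(addr in ipaddress.ip_network(n, strict=False) for n in nets):
            problems.append("gateway [Peer] AllowedIPs does not cover the Edge Address")
    # 3. The Edge's Endpoint port must be the gateway's ListenPort.
    if edge_peer.get("Endpoint", "").rsplit(":", 1)[-1] != gw_if.get("ListenPort"):
        problems.append("Edge Endpoint port differs from gateway ListenPort")
    return problems


# Constructed sample keys: the RFC 7748 section 6.1 test vectors stand in for
# what `wg genkey` would produce on each host.
GATEWAY_PRIV_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
GATEWAY_PUB_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
EDGE_PRIV_HEX = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
EDGE_PUB_HEX = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"


def b64_of_hex(h: str) -> str:
    return base64.b64encode(bytes.fromhex(h)).decode()


def sample_pair(edge_private_b64: str = None) -> tuple:
    """The guide's two configs with the sample keys; the argument lets a caller
    plant a wrong Edge PrivateKey.  203.0.113.10 is a constructed address."""
    gw_priv, edge_priv = b64_of_hex(GATEWAY_PRIV_HEX), b64_of_hex(EDGE_PRIV_HEX)
    gateway_conf = (f"[Interface]\nPrivateKey = {gw_priv}\nAddress = 10.6.6.1/24\n"
                    f"ListenPort = 65973\n[Peer]\nPublicKey = {wg_pubkey(edge_priv)}"
                    f"  # public.key of the Edge server\nAllowedIPs = 10.6.6.2/32\n")
    edge_conf = (f"[Interface]\nPrivateKey = {edge_private_b64 or edge_priv}\n"
                 f"Address = 10.6.6.2/24\nMTU = 1280\n[Peer]\nPublicKey = {wg_pubkey(gw_priv)}\n"
                 "AllowedIPs = 0.0.0.0/0\nEndpoint = 203.0.113.10:65973\nPersistentKeepalive = 25\n")
    return gateway_conf, edge_conf
```

Run it against the real files from the administrative device after copying both configs over, e.g. `check_pair(open('gateway-wg0.conf').read(), open('edge-wg0.conf').read())`; an empty list means the keys, the `AllowedIPs` and the port line up. Planting the gateway's public key in the Edge's `PrivateKey` field, the slip the variable naming in this guide invites, is reported as a missing `[Peer]` on the gateway because the key derived from it matches nothing. On a live host `wg show wg0` tells the same story from the other side: a peer without a `latest handshake` after a minute is usually one of these mistakes or a firewall blocking UDP 65973.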
You need to be logged in as `root` on the Internet Gateway, e.g. via an SSH session or the VPS console of your hosting provider.
The Uncomplicated Firewall (ufw) is installed by default on Ubuntu VPS images; install it if it is missing.
apt update && apt install ufw
vi /etc/default/ufw
Make sure that IPv6 is enabled:
IPV6=yes
Allow SSH before enabling the firewall, otherwise the session you are working in is the last one you get. WireGuard listens on UDP, so restrict that rule to the protocol actually used.
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 65973/udp # WireGuard port
ufw enable
ufw sets the kernel's forwarding policy to `DROP` (`DEFAULT_FORWARD_POLICY` in `/etc/default/ufw`); the `PostUp` rule of `wg0` adds an explicit accept for traffic arriving on that interface, so verify from a peer after enabling ufw that traffic still flows through the gateway.
You need to be logged in as `root` on the Internet Gateway, e.g. via an SSH session or the VPS console of your hosting provider. The commands below follow the Caddy project's Debian/Ubuntu installation instructions; `sudo` is harmless when you are already `root`.
apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
Ports 80 and 443 must be open for Caddy 2 to serve HTTP(S) and for Let's Encrypt to validate the certificates it requests.
ufw allow 80
ufw allow 443
apt update && apt install caddy
systemctl enable caddy
systemctl start caddy
systemctl status caddy
The systemd service should be up and running.
You need to be logged in as `root` on the Internet Gateway, e.g. via an SSH session or the VPS console of your hosting provider.
apt update && apt install socat
You need to be logged in as `root` on the Internet Gateway, e.g. via an SSH session or the VPS console of your hosting provider.
apt update && apt install fail2ban
Do not edit `/etc/fail2ban/jail.conf` directly; it is replaced on package upgrades. Put your settings into `/etc/fail2ban/jail.local`, which fail2ban reads on top of `jail.conf` and which takes precedence. Create it with the following content.
vi /etc/fail2ban/jail.local
```ini
[DEFAULT]
# "bantime" is how long a host stays banned.
bantime = 24h
# "maxretry" is the number of failures within "findtime" (default 10m) before a host gets banned.
maxretry = 2

[sshd]
enabled = true
bantime = 24h
# Uncomment on systems that log to the journal only (no /var/log/auth.log):
# backend = systemd
```
`maxretry = 2` is strict; it is acceptable here because password authentication is disabled and your own logins use keys, but two failed logins from your own device get you banned for a day as well, so keep the VPS console as a fallback (`fail2ban-client set sshd unbanip <address>` lifts a ban).
systemctl enable fail2ban.service
systemctl start fail2ban.service
fail2ban-client status sshd
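To see what the jail above actually does with these numbers, here is an added example (not fail2ban's own code, whose filters cover many more message variants) that replays a few constructed sshd log lines through the same logic: `maxretry` failures inside fail2ban's default `findtime` of 10 minutes ban the source address for `bantime`. The log lines, the host name `gateway` and the addresses (RFC 5737 documentation ranges) are made up for the example.

```python
"""Added example, not fail2ban's code: replay constructed sshd log lines through
the jail parameters set above (maxretry = 2, bantime = 24h) and fail2ban's
default findtime of 10 minutes, to show which hosts end up banned."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Modelled on sshd's "Failed password ... from <ip> port <n>" lines.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \w+ for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

# Constructed sample lines (RFC 5737 documentation addresses, year assumed 2024).
SAMPLE_AUTH_LOG = """\
Mar 12 10:00:01 gateway sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 12 10:00:03 gateway sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar 12 10:00:05 gateway sshd[1205]: Failed password for root from 198.51.100.7 port 40140 ssh2
Mar 12 10:30:00 gateway sshd[1300]: Failed password for mycelium from 203.0.113.5 port 51000 ssh2
Mar 12 11:00:00 gateway sshd[1400]: Failed password for mycelium from 203.0.113.5 port 51010 ssh2
Mar 12 11:05:00 gateway sshd[1401]: Accepted publickey for mycelium from 192.0.2.9 port 52000 ssh2
""".splitlines()


def ban_decisions(lines, maxretry=2, findtime_minutes=10, bantime_hours=24, year=2024):
    """Return {ip: time_of_ban}. A host is banned once it reaches maxretry
    failures inside a sliding findtime window; a banned host cannot connect,
    so its later lines are skipped until bantime has elapsed."""
    findtime, bantime = timedelta(minutes=findtime_minutes), timedelta(hours=bantime_hours)
    failures, bans = defaultdict(list), {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated messages do not count
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and ts < bans[ip] + bantime:
            continue
        failures[ip] = [t for t in failures[ip] if ts - t <= findtime] + [ts]
        if len(failures[ip]) >= maxretry:
            bans[ip], failures[ip] = ts, []
    return bans
```

With the defaults, 198.51.100.7 is banned on its second failure at 10:00:03 and its third attempt is never counted, while 203.0.113.5, whose two failures are half an hour apart, stays unbanned; pass `findtime_minutes=60` and it is banned too. That window is what `maxretry = 2` has to be judged against: it is about how fast an attacker is, not how often.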