
- wireguard-pi

WireGuard Setup -- public-risk infrastructure (Extended)

Overview

This guide documents how WireGuard is set up:

  • Server: Ubuntu 24.04 (Hetzner / public-risk)
  • Client: macOS
  • Several Raspberry Pi peers
  • Internal VPN network: 10.8.0.0/24

Goals:

  • Secure SSH access
  • Internal services reachable via the VPN
  • No SSH open to the world
  • Multi-node infrastructure

1. Architecture

VPN subnet: 10.8.0.0/24

Device   VPN IP      Role
Server   10.8.0.1    Gateway / hub
Mac      10.8.0.2    Admin client
pi31     10.8.0.31   Sensor node
pi41     10.8.0.41   Camera node
pi51     10.8.0.51   Heater node

The server acts as the hub: every peer has only the server as its endpoint, so peer-to-peer traffic (Mac to Pi, Pi to Pi) is forwarded by the server.


2. Server Configuration

File: /etc/wireguard/wg0.conf

[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

# Peers reach each other through the hub, so the kernel has to forward
# between them. This only sets it for the running kernel; also make it
# persistent (net.ipv4.ip_forward=1 in /etc/sysctl.d/) and allow wg0 -> wg0
# in the nftables forward chain if that chain has a drop policy.
PostUp = sysctl -w net.ipv4.ip_forward=1

# The "udp dport 51820 accept" rule lives in the persistent nftables ruleset
# (/etc/nftables.conf) rather than in PostUp/PostDown. An add-on-PostUp /
# delete-on-PostDown pair does not work as written: "nft delete rule" takes
# a rule handle, not a rule expression, so the delete always fails.

macOS peer

[Peer]
PublicKey = <MAC_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

Raspberry Pi peers

pi31

[Peer]
PublicKey = <PI31_PUBLIC_KEY>
AllowedIPs = 10.8.0.31/32

pi41

[Peer]
PublicKey = <PI41_PUBLIC_KEY>
AllowedIPs = 10.8.0.41/32

pi51

[Peer]
PublicKey = <PI51_PUBLIC_KEY>
AllowedIPs = 10.8.0.51/32

After adding peers, apply the configuration. Note that a restart takes wg0 down and drops every active tunnel for a moment, including the one you are administering over:

sudo systemctl restart wg-quick@wg0

3. Raspberry Pi Client Config

On each Pi (set umask 077 first so that private.key is created readable by its owner only):

sudo apt install wireguard
umask 077
wg genkey | tee private.key | wg pubkey > public.key

Example: /etc/wireguard/wg0.conf on pi31

[Interface]
PrivateKey = <PI31_PRIVATE_KEY>
Address = 10.8.0.31/24

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_PUBLIC_IP>:51820
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25

Activate:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

4. SSH Only via VPN

Example nftables rules, placed in the input chain of the ruleset (which should have a drop policy). The iifname match matters: WireGuard has already authenticated everything that arrives on wg0, whereas a packet with a forged 10.8.0.x source address can arrive on the public interface.

iifname "wg0" ip saddr 10.8.0.0/24 tcp dport 22 accept
tcp dport 22 drop
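The two rule fragments above are only meaningful inside a complete ruleset with a drop policy. The following is an added example, not code from the wireguard-pi page: a shell function that writes the hub's persistent nftables ruleset, combining the UDP 51820 rule from section 2, the SSH-only-via-VPN rules from this section, and the forward rule that the hub-and-spoke layout needs. It assumes the tunnel interface is wg0, sshd listens on port 22, and the file is loaded with nft -f with nftables.service enabled; the function names and the output path are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original wireguard-pi page: generates the
# complete persistent nftables ruleset for the hub. Assumptions: tunnel
# interface wg0, sshd on port 22, output written to $1 (default
# /etc/nftables.conf; load with `nft -f` and enable nftables.service).

write_hub_ruleset() {
    out="${1:-/etc/nftables.conf}"
    cat > "$out" <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # needed for path MTU discovery and IPv6 neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # WireGuard: the only port reachable from the internet
        udp dport 51820 accept

        # SSH only over the tunnel. WireGuard has already authenticated the
        # source of anything arriving on wg0; a packet with a forged
        # 10.8.0.x source on the public interface never matches this rule.
        iifname "wg0" ip saddr 10.8.0.0/24 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # hub-and-spoke: Mac-to-Pi and Pi-to-Pi traffic enters and leaves
        # on wg0 and must be forwarded (requires net.ipv4.ip_forward=1)
        iifname "wg0" oifname "wg0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check the file without loading it (run on the hub as root).
check_hub_ruleset() {
    nft -c -f "${1:-/etc/nftables.conf}"
}

# Typical run on the hub (not executed here):
#   write_hub_ruleset /etc/nftables.conf && check_hub_ruleset && nft -f /etc/nftables.conf
```

With this ruleset in place the PostUp/PostDown nft lines in wg0.conf are unnecessary, and a `tcp dport 22 drop` rule is redundant because the chain policy already drops anything not explicitly accepted.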

5. macOS SSH Config

~/.ssh/config

Host vpn
    HostName 10.8.0.1
    User pi

Host pi31
    HostName 10.8.0.31
    User pi

Host pi41
    HostName 10.8.0.41
    User pi

Host pi51
    HostName 10.8.0.51
    User pi

6. Adding a New Peer: Workflow

  1. Generate the key pair on the new peer; only the public key leaves the device
  2. Add the public key and its /32 VPN address as a [Peer] to the server's wg0.conf
  3. Apply the server configuration (a restart of wg-quick@wg0 briefly drops all active tunnels; wg syncconf applies the file without doing so)
  4. Start the peer service

Check (the new peer should show a recent handshake and non-zero transfer counters):

sudo wg
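The workflow above as a script, added here as an example (not part of the wireguard-pi page). It validates the public key and the VPN address before touching the hub's config, refuses duplicate keys and addresses (two peers with the same AllowedIPs would silently steal each other's traffic), prints the matching Pi-side config from section 3, and applies the file with wg syncconf so that the other tunnels stay up. The function names, the WG_CONF variable and the checks are this example's own; it assumes the tunnel interface is wg0 and the hub config lives at /etc/wireguard/wg0.conf.

```shell
#!/bin/sh
# Added example, not part of the original wireguard-pi page. Adds a peer to
# the hub's wg0.conf with the checks one would otherwise do by hand, then
# applies the file to the running interface with `wg syncconf`, which keeps
# the other tunnels up (a restart of wg-quick@wg0 drops every tunnel briefly).
# Assumptions: hub config at $WG_CONF (default /etc/wireguard/wg0.conf),
# tunnel interface wg0, and a peer public key produced on the peer with
# `wg genkey | tee private.key | wg pubkey`.

WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
VPN_PREFIX="10.8.0"

# A WireGuard public key is 32 bytes, base64-encoded: 43 characters plus "=".
valid_pubkey() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Only hosts .2 to .254 inside 10.8.0.0/24; .1 is the hub itself.
valid_vpn_ip() {
    last="${1##*.}"
    case "$last" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" = "$VPN_PREFIX.$last" ] || return 1
    [ "$last" -ge 2 ] && [ "$last" -le 254 ]
}

# A key or address that is already in the file means a copy/paste mistake.
already_present() {
    grep -Fq "PublicKey = $2" "$1" || grep -Fq "AllowedIPs = $3/32" "$1"
}

# add_peer <name> <pubkey> <vpn-ip> [conf]: appends the [Peer] stanza.
add_peer() {
    name="$1"; pubkey="$2"; ip="$3"; conf="${4:-$WG_CONF}"
    valid_pubkey "$pubkey" || { echo "$name: malformed public key" >&2; return 1; }
    valid_vpn_ip "$ip" || { echo "$name: $ip is not a usable host in $VPN_PREFIX.0/24" >&2; return 1; }
    if already_present "$conf" "$pubkey" "$ip"; then
        echo "$name: key or address already configured" >&2
        return 1
    fi
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pubkey" "$ip" >> "$conf"
}

# client_conf <pi-private-key> <vpn-ip> <server-pubkey> <server-ip>: prints
# the matching /etc/wireguard/wg0.conf for the Pi (section 3 of this guide).
client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s:51820\n' "$3" "$4"
    printf 'AllowedIPs = %s.0/24\nPersistentKeepalive = 25\n' "$VPN_PREFIX"
}

# Push the on-disk config to the running interface without tearing it down.
# `wg-quick strip` removes the wg-quick-only keys (Address, PostUp, ...)
# that `wg syncconf` does not understand.
apply_live() {
    wg-quick strip wg0 | wg syncconf wg0 /dev/stdin
}

# Typical run on the hub (not executed here):
#   add_peer pi61 "$(cat pi61.pub)" 10.8.0.61 && apply_live && wg show wg0
```

After apply_live, `wg show wg0` lists the new peer immediately; the handshake only appears once the peer side has been started with its own config.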

7. Security Notes

  • Never commit private keys
  • /etc/wireguard → mode 700
  • key files → mode 600
  • UDP 51820 is the only publicly reachable port
  • SSH only from the VPN subnet

End of document