The purpose of this test is to check whether we can restrict a service provided through NGINX so that it is only accessible to clients connecting through a WireGuard VPN.
This would allow for having internal webpages that can only be reached by users that have access through the VPN. This provides some cool stuff:
- An additional layer of security on top of application/service credentials.
- Perfect protection against sniffing between our member devices and all our services.
- The possibility to fully unplug any user at will by simply removing his keys from the Wireguard VPN config.
- I've created an account in 1984 with my counterweightoperator@protonmail.com email.
- I've set up a tiny VPS
  - Ubuntu Server 22.04.1
  - counter ganzua as the SSH key, no password
- fuuuug, 1984 only takes onchain payments and doesn't have a credit based system. If I only want a small VPS for a bit, I need to at least buy it for a month with an onchain transaction. This is very suboptimal.
- I'm going to create an account in njal.la to check if their panel and payment options are better.
- njal.la also does not accept Lightning Network payments, but at least has a wallet that can be topped up big time in a single shot, completely unrelated to any server purchase.
- The nasty bit is that the njal.la server offering is rather limited and the prices are not competitive at all (~x3 more expensive than 1984).
- Now I'm wondering if the guys at fort.pw might be a better option. The only issue is they are shady as fuck. But so are we, ain't we?
- Well, scrap all the previous stuff. I'm just going to try with my battle-tested, comfy and nice fiat VPS provider. Let's not make perfect the enemy of good. The purpose of this test is to test the WireGuard and NGINX setup, not a hosting provider. We will have time for that.
- I create a VPS with:
  - Ubuntu Server 22
  - 1 vCore, 2 GB RAM
- I install WireGuard: `sudo apt install wireguard`
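
One way the restriction described at the top of these notes could look on the NGINX side once the tunnel is up, as an added example that is not part of the original notes. The interface address 10.8.0.1, the tunnel subnet 10.8.0.0/24, the hostname and the backend port are all assumptions.

```nginx
# Added example. Assumed (hypothetical) values:
#   - the server's WireGuard interface wg0 has address 10.8.0.1/24
#   - every peer is assigned one address inside 10.8.0.0/24
#   - the internal service listens on 127.0.0.1:8080

# Weak variant, for contrast: "listen 80;" with no allow/deny binds to
# every interface, so the page is reachable from the public internet.

server {
    # Layer 1: bind only to the WireGuard address. Nothing listens on the
    # public interface, so a request that does not come through the
    # tunnel never reaches this server block.
    # Caveat: NGINX fails to start if 10.8.0.1 does not exist yet, so
    # wg0 has to be up before NGINX (order the two units accordingly).
    listen 10.8.0.1:80;
    server_name internal.example;

    # Layer 2: source-address filter. It still holds if someone later
    # widens the listen directive. It is meaningful here because
    # WireGuard drops tunnel packets whose inner source address is not in
    # the sending peer's AllowedIPs, so a peer cannot claim another
    # peer's tunnel address.
    allow 10.8.0.0/24;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        # The tunnel address identifies the peer, which is useful in the
        # access log when one user's keys have to be pulled.
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Removing a user's `[Peer]` section from the server's WireGuard config then cuts that user off from everything served this way, with no change needed in NGINX.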