# Add a new device to the Data VPN

## Create a new key pair

You can create a private key on a bash terminal with `wg genkey`.

To get the related public key, feed the private key to `wg pubkey` on standard input, e.g. `wg pubkey < privatekey` (or generate both at once with `wg genkey | tee privatekey | wg pubkey > publickey`); `wg pubkey` does not take the key as a command-line argument.

## Add entry in the jumphost config file

On the jumphost server, modify `/etc/wireguard/wg0.conf` and add a new entry for the peer following this structure:

```ini
[Peer]
# Leave a comment saying who this entry is for
PublicKey = <copy-paste-public-key-here>
AllowedIPs = 192.168.70.XXX/32 # Replace XXX with an available value
```

Make sure not to create IP collisions: each `[Peer]` entry must have a unique `AllowedIPs` value that no other entry is using.

Finally, restart the server so that the changes take effect: `sudo systemctl restart wg-quick@wg0.service`

You can verify that WireGuard is running properly again with `sudo systemctl status wg-quick@wg0.service`.
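
As an added example (not part of the original guide), the following Python helper performs the collision check described above against a constructed sample `wg0.conf`: it strips `#` comments the way `wg` does, picks the lowest 192.168.70.x address not used by the jumphost's own `Address` or any existing peer, checks that the public key is 32 base64-encoded bytes and not already present, and renders the `[Peer]` entry in the shape shown above. The sample config, peer names and placeholder keys are assumptions.

```python
import base64
import ipaddress
VPN_SUBNET = ipaddress.ip_network("192.168.70.0/24")
KEY_A, KEY_B = "A" * 43 + "=", "B" * 42 + "A="  # key-shaped placeholders, not real keys

# Constructed sample of a jumphost wg0.conf with the server and two existing peers.
SAMPLE_CONF = f"""[Interface]
Address = 192.168.70.1/24

[Peer]
# alice laptop
PublicKey = {KEY_A}
AllowedIPs = 192.168.70.2/32

[Peer]
# bob desktop
PublicKey = {KEY_B}
AllowedIPs = 192.168.70.3/32 # trailing comment, as wg permits
"""

def _values(conf_text, key):
    # Value of every "key = value" line; '#' starts a comment, as in wg's own parser.
    for line in conf_text.splitlines():
        k, _, v = line.split("#", 1)[0].partition("=")
        if k.strip() == key:
            yield v.strip()

def next_free_address(conf_text, subnet=VPN_SUBNET):
    # Lowest host in the VPN subnet not taken by the server or any peer's AllowedIPs.
    taken = {ipaddress.ip_network(c.strip(), strict=False)
             for v in _values(conf_text, "AllowedIPs") for c in v.split(",")}
    server = {ipaddress.ip_interface(v).ip for v in _values(conf_text, "Address")}
    for host in subnet.hosts():
        if host not in server and not any(host in n for n in taken):
            return host
    raise RuntimeError(f"no free address left in {subnet}")

def valid_pubkey(key):
    # A WireGuard key is exactly 32 bytes, base64-encoded (44 chars ending in '=').
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def add_peer(conf_text, owner, pubkey):
    # Append a [Peer] entry in the guide's shape, refusing malformed or duplicate keys.
    if not valid_pubkey(pubkey) or pubkey in set(_values(conf_text, "PublicKey")):
        raise ValueError("public key malformed or already present")
    addr = next_free_address(conf_text)
    return conf_text + f"\n[Peer]\n# {owner}\nPublicKey = {pubkey}\nAllowedIPs = {addr}/32\n"
```

Run `add_peer` on the real file contents and write the result back before restarting the service; it only returns the new text and never touches disk itself.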

## Provide user with their private configuration and keys

Next, provide the user with this block of configuration so they can create an entry in their local WireGuard client:

```ini
[Interface]
PrivateKey = <copy-paste-private-key-here>
Address = 192.168.70.XXX/32 # Same XXX assigned to this peer in the jumphost AllowedIPs entry
DNS = 192.168.69.1

[Peer]
PublicKey = bKr79c5XbzudWeUjiwXcxsy1mrrEnrO4xSrNAUZv2GE= # Jumphost public key goes here. This is a valid value as I'm writing this guide, but it might change in the future!
AllowedIPs = 192.168.69.1/32, 10.69.0.0/24, 52.146.133.0/24
Endpoint = 172.166.88.95:52420
```

Besides this config snippet, also provide the public and private keys to the user and instruct them to keep them stored in their password manager.