more vpn docs

human-script.md

@@ -168,6 +168,9 @@ Follow this to deploy the entire data infra.
       - Protocol: Any
       - Action: Allow
       - Priority: 1000
+- Finally, you need to attach each NSG to the related subnet
+  - Visit the virtual network page and look for the subnets list
+  - For each subnet, select its NSG and attach it
 
 ### 2.3 Private DNS Zone
 
@@ -208,19 +211,102 @@ Follow this to deploy the entire data infra.
     - Use the SSH Key: `superhog-data-<your-env>-general-ssh`
     - Select the option `None` for Public inbound ports.
   - Disk settings
-        - Defaults are pretty much fine. This barely needs any disk.
+    - Defaults are fine. This barely needs any disk.
   - Networking
     - Attach to the virtual network `superhog-data-vnet-<your-env>`
     - Attach to the subnet `jumphost-subnet`
     - Attach the public ip `superhog-data-jumphost-ip-<your-env>`
-CONTINUE HEEEEERE
+    - For setting `NIC network security group` select option `None`
+  - Management settings
+    - Defaults are fine.
+  - Monitoring
+    - Defaults are fine.
+  - Advanced
+    - Defaults are fine.
+  - Add tags:
+    - `team: data`
+    - `environment: <your-env>`
+    - `project: network`
 
 ### 3.2 Configure a VPN Server
 
+- The jumphost we just created is not accessible via SSH from WAN due to the NSG set in the jumphost subnet.
+- To make it so, you should temporarily create a new rule like this in the NSG `superhog-data-nsg-jumphost-<your-env>`.
+  - Name: AllowSSHInboundTemporarily
+  - Source: your IP.
+  - Source port ranges: *
+  - Destination: the addresss range for the `jumphost-subnet`. In this example, `10.69.0.0/29`.
+  - Destination port ranges: 22
+  - Protocol: TCP
+  - Action: Allow
+  - Priority: 110
+- Connect through SSH
+- We will now set up a VPN server and client with Wireguard
+  - Run the following script (requires `sudo`) to install wireguard and configure it
+  - *Note: the IPs chosen for the VPN can absolutely be changed. Just make sure they are consistent across the server and client configurations of the VPN.* 
+
+  ```bash
+  echo "Installing Wireguard."
+  apt update
+  apt install wireguard -y
+  echo "Wireguard installed."
+
+  echo "Creating keys."
+  SERVER_PRIVATE_KEY=$(wg genkey)
+  SERVER_PUBLIC_KEY=$(echo "$SERVER_PRIVATE_KEY" | wg pubkey)
+
+  CLIENT_PRIVATE_KEY=$(wg genkey)
+  CLIENT_PUBLIC_KEY=$(echo "$CLIENT_PRIVATE_KEY" | wg pubkey)
+  echo "Keys created."
+
+  echo "Writing server config file."
+  touch /etc/wireguard/wg0.conf
+  cat > /etc/wireguard/wg0.conf << EOL
+  [Interface]
+  PrivateKey = ${SERVER_PRIVATE_KEY}
+  Address = 192.168.69.1/32
+  ListenPort = 52420
+
+  # IP forwarding
+  PreUp = sysctl -w net.ipv4.ip_forward=1
+  # IP masquerading
+  PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
+  PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
+  PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
+  PostDOwn = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
+
+  [Peer]
+  PublicKey = ${CLIENT_PUBLIC_KEY}
+  AllowedIPs = 192.168.70.1/32
+
+  EOL
+  echo "Server config file written."
+
+  echo "Configuration for client, copy paste in your machine."
+  cat << EOF
+  [Interface]
+  # Jumphost VPN
+  PrivateKey = ${CLIENT_PRIVATE_KEY}
+  Address = 192.168.70.1/32
+  # Uncomment when DNS Server is ready DNS = 192.168.69.1
+
+  [Peer]
+  PublicKey = ${SERVER_PUBLIC_KEY}
+  AllowedIPs = 192.168.69.1/32
+  Endpoint = <fill-public-ip-here>:52420
+
+  EOF
+
+  echo "Finished."
+  ```
+  - CONTINUE HERE, INSTRUCTIONS ON HOW TO RAISE WG DAEMONS AND TEST
+
 ### 3.3 Configure a DNS Server
 
 ### 3.4 Harden the VM
 
+- First, remove the AllowSSHInboundTemporarily rule that you added
+
 ## 4. DWH
 
 ## 5. Airbyte