A basic setup for a jump host, copied from my command history. This assumes WireGuard is already running on your server-side network. The example uses an AWS Ubuntu Linux instance.
First install the WireGuard client and generate a key pair, then edit its config:
sudo apt-get update
sudo apt-get install wireguard
cd /etc/wireguard/
umask 077
wg genkey > privatekey
wg pubkey < privatekey > publickey
Edit the config: set PrivateKey to the key generated above and add the pre-shared key. Set AllowedIPs to the IP range that communicates with this host through the tunnel (the server-side network, 192.168.0.0/24 in this example).
/etc/wireguard/wg0.conf
vi wg0.conf
[Interface]
PrivateKey = somekey
Address = 10.7.0.13/24
[Peer]
PublicKey = kCjlPxD12n0xZf1Pa/KlCMgLii7LjjMEPcprBgQbqls=
PresharedKey = enterkey
AllowedIPs = 192.168.0.0/24
Endpoint = yourendpoint:51820
PersistentKeepalive = 25
Edit sysctl.conf to enable IP forwarding:
/etc/sysctl.conf
vi /etc/sysctl.conf
net.ipv4.ip_forward=1
Command to apply the changes:
sysctl -p
Install Uncomplicated Firewall (ufw), allow SSH and your WireGuard port over UDP, then bring the tunnel up.
sudo apt install ufw
sudo ufw allow ssh
sudo ufw allow 51820/udp
sudo wg-quick up wg0
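Before asking wg-quick to load the file, it is worth checking that the placeholders in the template (somekey, enterkey, yourendpoint) were actually replaced, that the private key kept the 600 mode the umask step was meant to give it, and that ip_forward is really set. The script below is an added example, not part of the original notes: each check_* function takes a file path and returns pass/fail, and make_sample_dir builds constructed sample files (random bytes stand in for real keys; vpn.example.net is a made-up endpoint) so it runs stand-alone.

```shell
#!/bin/sh
# Added post-setup checks for the jump host described above (example code,
# not from the original notes). Each check_* function takes a file path and
# returns 0 (pass) or 1 (fail), so on a real host you would run e.g.:
#   check_key_perms  /etc/wireguard/privatekey
#   check_wg_conf    /etc/wireguard/wg0.conf
#   check_ip_forward /etc/sysctl.conf

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The "umask 077" step should leave privatekey readable by its owner only.
check_key_perms() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *) echo "FAIL: $1 is mode $(file_mode "$1"), expected 600" >&2; return 1 ;;
    esac
}

# A WireGuard key is 32 bytes, base64-encoded: 44 characters decoding to 32 bytes.
is_wg_key() {
    [ "${#1}" -eq 44 ] &&
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

# Value of "Key = value" in the ini-style wg config (first occurrence wins).
conf_value() {  # usage: conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Catches placeholders left in the template (somekey, enterkey) and a missing
# port on Endpoint before wg-quick is asked to load the file.
check_wg_conf() {
    f=$1; rc=0
    for k in PrivateKey PresharedKey; do
        v=$(conf_value "$f" "$k")
        is_wg_key "$v" || { echo "FAIL: $k in $f is not a valid key ('$v')" >&2; rc=1; }
    done
    case "$(conf_value "$f" Endpoint)" in
        *:[0-9]*) ;;
        *) echo "FAIL: Endpoint in $f is not host:port" >&2; rc=1 ;;
    esac
    [ -n "$(conf_value "$f" AllowedIPs)" ] || { echo "FAIL: AllowedIPs missing in $f" >&2; rc=1; }
    return $rc
}

# sysctl.conf must carry an uncommented net.ipv4.ip_forward=1 for the host to route.
check_ip_forward() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Constructed sample files for a stand-alone run; prints the temp dir path.
# Keys are random bytes generated here, not real WireGuard keys; the
# "template" config keeps the placeholders from the notes above.
make_sample_dir() {
    d=$(mktemp -d)
    key=$(head -c 32 /dev/urandom | base64)
    ( umask 077; printf '%s\n' "$key" > "$d/privatekey" )        # mode 600
    ( umask 022; printf '%s\n' "$key" > "$d/privatekey_loose" )  # mode 644
    cat > "$d/wg0.conf" <<EOF
[Interface]
PrivateKey = $key
Address = 10.7.0.13/24
[Peer]
PublicKey = kCjlPxD12n0xZf1Pa/KlCMgLii7LjjMEPcprBgQbqls=
PresharedKey = $(head -c 32 /dev/urandom | base64)
AllowedIPs = 192.168.0.0/24
Endpoint = vpn.example.net:51820
PersistentKeepalive = 25
EOF
    cat > "$d/wg0-template.conf" <<EOF
[Interface]
PrivateKey = somekey
Address = 10.7.0.13/24
[Peer]
PresharedKey = enterkey
AllowedIPs = 192.168.0.0/24
Endpoint = yourendpoint
EOF
    printf 'net.ipv4.ip_forward=1\n'  > "$d/sysctl.conf"
    printf '#net.ipv4.ip_forward=1\n' > "$d/sysctl-commented.conf"
    echo "$d"
}

# Stand-alone demo against the constructed samples.
sample=$(make_sample_dir)
check_key_perms  "$sample/privatekey"        && echo "ok: privatekey is mode 600"
check_wg_conf    "$sample/wg0.conf"          && echo "ok: wg0.conf has real keys and host:port"
check_wg_conf    "$sample/wg0-template.conf" || echo "expected: template still has placeholders"
check_ip_forward "$sample/sysctl.conf"       && echo "ok: ip_forward=1 set"
rm -rf "$sample"
```

On the real host, also confirm that publickey matches the private key with `wg pubkey < /etc/wireguard/privatekey` and, after `wg-quick up wg0`, that `sudo wg show wg0` reports a recent latest handshake; if it never does, the usual suspects are the Endpoint, the pre-shared key, or UDP 51820 being blocked. Keep in mind that ufw rules only take effect once the firewall itself is enabled (`sudo ufw enable`; verify with `sudo ufw status`).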
If you have a domain name and need this jump VM to stay bound to it, install ddclient or similar. I use Namecheap for the domain in question, so the config below is for that; 'jump' is the subdomain.
sudo apt install ddclient
vi /etc/ddclient.conf
#FOR NAMECHEAP:
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
use=web, web=dynamicdns.park-your-domain.com/getip
protocol=namecheap
server=dynamicdns.park-your-domain.com
login=domain.lol
password='from advanced dns'
jump
Ideally, disable password authentication for SSH entirely and allow only keys, and at the public cloud or hypervisor/network layer permit connections only from your known IP range where possible. We can also install fail2ban, which watches for bots probing for low-hanging fruit and bans them at the IP level.
The commands below install it with the default configuration.
sudo apt update
sudo apt install fail2ban
systemctl status fail2ban.service
sudo systemctl enable fail2ban
sudo systemctl start fail2ban