Set up a jump host with a VPN client

Setting up a jump host VPN client to access your network.

A basic setup for a jump host, copied from my command history. It assumes WireGuard is already running on your server-side network. This example runs on an AWS Ubuntu Linux instance.

First, install the WireGuard client and generate the jump host's key pair:

    sudo apt-get update
    sudo apt-get install wireguard
    cd /etc/wireguard/                   # root-owned: run these as root (e.g. sudo -i) or the writes below fail
    umask 077                            # key files must not be readable by other users
    wg genkey > privatekey
    wg pubkey < privatekey > publickey

Now create the config, /etc/wireguard/wg0.conf. Set PrivateKey to the key generated above and add the pre-shared key. Set AllowedIPs to the range of addresses that should be routed through the VPN (here the server-side LAN):

    vi /etc/wireguard/wg0.conf

    [Interface]
    PrivateKey = somekey
    Address = 10.7.0.13/24

    [Peer]
    PublicKey = kCjlPxD12n0xZf1Pa/KlCMgLii7LjjMEPcprBgQbqls=
    PresharedKey = enterkey
    AllowedIPs = 192.168.0.0/24
    Endpoint = yourendpoint:51820
    PersistentKeepalive = 25

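As an added example that is not part of the original post, here is a small POSIX shell helper that writes a client wg0.conf like the one above from explicit values. It rejects anything that is not a WireGuard key, an IPv4 CIDR or a host:port endpoint before touching the file, and creates the file readable only by its owner, since it holds the private key. The function names and the placeholder keys are my own; the peer key is the one shown in the config above.

```shell
#!/bin/sh
# Added helper (not the original post's code): render a WireGuard client config safely.
set -eu

# A WireGuard key is 32 bytes base64-encoded: 44 chars, and the 43rd must be a
# base64 char whose low bits are zero for the trailing '=' padding to be valid.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Accepts an IPv4 CIDR such as 192.168.0.0/24 (prefix length 0-32).
is_cidr4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# render_wg_conf OUT PRIVATE_KEY ADDRESS PEER_PUBLIC_KEY PRESHARED_KEY ALLOWED_IPS ENDPOINT
render_wg_conf() {
    _out=$1 _priv=$2 _addr=$3 _peer=$4 _psk=$5 _allowed=$6 _ep=$7
    is_wg_key "$_priv"    || { echo "PrivateKey is not a WireGuard key" >&2; return 1; }
    is_wg_key "$_peer"    || { echo "peer PublicKey is not a WireGuard key" >&2; return 1; }
    is_wg_key "$_psk"     || { echo "PresharedKey is not a WireGuard key" >&2; return 1; }
    is_cidr4  "$_addr"    || { echo "Address must be an IPv4 CIDR" >&2; return 1; }
    is_cidr4  "$_allowed" || { echo "AllowedIPs must be an IPv4 CIDR" >&2; return 1; }
    case $_ep in
        *:[0-9]*) ;;
        *) echo "Endpoint must be host:port" >&2; return 1 ;;
    esac
    # Subshell so the restrictive umask does not leak into the caller's shell.
    (
        umask 077
        cat > "$_out" <<EOF
[Interface]
PrivateKey = $_priv
Address = $_addr

[Peer]
PublicKey = $_peer
PresharedKey = $_psk
AllowedIPs = $_allowed
Endpoint = $_ep
PersistentKeepalive = 25
EOF
    )
}

# Usage: sh render-wg0.sh /etc/wireguard/wg0.conf "$(cat privatekey)" 10.7.0.13/24 <peer-pubkey> <psk> 192.168.0.0/24 <host:port>
if [ $# -eq 7 ]; then
    render_wg_conf "$@"
fi
```
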
Edit /etc/sysctl.conf to enable IP forwarding:

    vi /etc/sysctl.conf

and add:

    net.ipv4.ip_forward=1

Command to apply the change:

    sudo sysctl -p

Install Uncomplicated Firewall (ufw), allow SSH and your WireGuard port on UDP, then the WireGuard tunnel can be started:

    sudo apt install ufw
    sudo ufw allow ssh
    sudo ufw allow 51820/udp
    sudo ufw enable              # the allow rules do nothing until ufw is enabled

    sudo wg-quick up wg0

If you have a domain name and need this jump VM to stay bound to it, install ddclient or similar. I use Namecheap for the domain in question, so the config below is for that; 'jump' is the subdomain.

    sudo apt install ddclient

    vi /etc/ddclient.conf

    #FOR NAMECHEAP:
    # Configuration file for ddclient generated by debconf
    #
    # /etc/ddclient.conf
    use=web, web=dynamicdns.park-your-domain.com/getip
    protocol=namecheap
    server=dynamicdns.park-your-domain.com
    login=domain.lol
    password='from advanced dns'    # the Dynamic DNS password from Namecheap's Advanced DNS page, not the account password
    jump

Ideally, disable SSH password authentication entirely and allow only keys, and at the public cloud or hypervisor/network layer allow no connections except from your known IP range if possible. We can also install fail2ban, which watches for bots trying the low-hanging fruit and bans them at the IP level.

The following installs it with the default configuration:

    sudo apt update
    sudo apt install fail2ban
    systemctl status fail2ban.service    # check the service is running
    sudo systemctl enable fail2ban
    sudo systemctl start fail2ban
