Configure sentry wireguard server
Reconfigure Traefik to enable WireGuard server
Run this on the Raspberry Pi
sentry make traefik config
(stdout)
? Traefik:
> Config
  Install (make install)
  Admin
  Exit (ESC)

? Traefik Configuration:
^ Entrypoints (including dashboard)
  TLS certificates and authorities
  Middleware (including sentry auth)
> Advanced Routing (Layer 7 / Layer 4 / WireGuard)
  Error page template
  Logging level
  Access logs

? Traefik routes
  Configure layer 7 TLS proxy
  Configure layer 4 TCP/UDP proxy
> Configure wireguard VPN

? Should this Traefik instance connect to a wireguard VPN?
  No, Traefik should use the host network directly.
> Yes, and this Traefik instance should start the wireguard server.
  Yes, but this Traefik instance needs credentials to connect to an outside VPN.

? Should Traefik bind itself exclusively to the VPN interface?
> No, Traefik should work on all interfaces (including the VPN).
  Yes, Traefik should only listen on the VPN interface.

TRAEFIK_VPN_HOST: Enter the public Traefik VPN hostname (e.g., vpn.example.com) : sentry.example.com
TRAEFIK_VPN_SUBNET: Enter the Traefik VPN private subnet (no mask) (e.g., 10.13.16.0) : 10.13.16.0
TRAEFIK_VPN_ADDRESS: Enter the Traefik VPN private IP address (e.g., 10.13.16.1) : 10.13.16.1
TRAEFIK_VPN_PORT: Enter the Traefik VPN TCP port number (e.g., 51820) : 51820
Enter the Traefik VPN peers list : pi
You may enter up 253 peer names, separated by commas, with no spaces,
e.g., pi,pi2,phone1,toaster,garage. Each client name should be a
single word of letters and/or numbers.
Press ESC two times to back out to the main menu.
Tip
You may also add more clients later. However, you should not remove existing clients or change their order, so it is only safe to append to this list. If you need to remove a client, you should destroy all the clients and recreate them.
Run this if you need to reset all the client keys
## Resets all WireGuard keys:
sentry make traefik destroy service=wireguard
sentry make traefik install
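The peer list rules and the append-only tip above can be checked before you re-enter the list. The following is an added example, not part of sentry: the function names are hypothetical, the sample lists are constructed, and the address mapping assumes peers receive consecutive addresses in list order starting at .2 (the page shows the server at 10.13.16.1 and the first peer, pi, at 10.13.16.2).

```shell
#!/bin/sh
# Added example (not sentry code): pre-flight checks for the Traefik VPN peers list.
MAX_PEERS=253   # limit stated in the prompt help text

# validate_peers LIST: return 0 if LIST obeys the prompt's rules, else 1 (reason on stderr).
validate_peers() {
    list=$1
    case $list in
        '')              echo "empty list" >&2; return 1 ;;
        *[!A-Za-z0-9,]*) echo "only letters, digits and commas are allowed" >&2; return 1 ;;
        ,*|*,|*,,*)      echo "empty peer name" >&2; return 1 ;;
    esac
    count=$(( $(printf '%s\n' "$list" | tr ',' '\n' | wc -l) ))
    [ "$count" -le "$MAX_PEERS" ] || { echo "more than $MAX_PEERS peers" >&2; return 1; }
    dup=$(printf '%s\n' "$list" | tr ',' '\n' | sort | uniq -d | head -n 1)
    [ -z "$dup" ] || { echo "duplicate peer name: $dup" >&2; return 1; }
    return 0
}

# is_append_only OLD NEW: return 0 only if NEW is OLD, or OLD with names appended.
is_append_only() {
    old=$1
    new=$2
    case $new in
        "$old"|"$old",*) return 0 ;;
        *) echo "existing peers were removed or reordered" >&2; return 1 ;;
    esac
}

# peer_addresses SUBNET LIST: print "name address" per peer.
# Assumption: addresses follow list order, starting at host .2 of the subnet.
peer_addresses() {
    prefix=${1%.*}    # 10.13.16.0 -> 10.13.16
    i=2
    for name in $(printf '%s' "$2" | tr ',' ' '); do
        echo "$name $prefix.$i"
        i=$((i + 1))
    done
}

# Constructed sample: the existing list "pi" extended with two new clients.
old="pi"
new="pi,pi2,phone1"
if validate_peers "$new" && is_append_only "$old" "$new"; then
    peer_addresses 10.13.16.0 "$new"
fi
```

If either check fails, keep the existing list, or reset all the client keys as shown above and recreate every client.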
Reconfigure Traefik to add a Layer 7 route to the Raspberry Pi
Run this on your Raspberry Pi
sentry route set --layer7 whoami.pi.example.com 10.13.16.2 443 --proxy-protocol true
Tip
You may also create the route interactively through the Traefik config menu.
Find the wireguard peer config
You can check the wireguard service is now started:
Run this on the Raspberry Pi
sentry make traefik show-wireguard-peers
(stdout)
## /config/peer_pi/peer_pi.conf
[Interface]
Address = 10.13.16.2
PrivateKey = 2E1vQHCS5JuaoRrt21GO0bYVrafOhplrGNFqoFBivEY=
ListenPort = 51820
DNS = 10.13.16.1

[Peer]
PublicKey = AZiNh/5sk71QTy6Rk0ygzIUsSGAX8/s3EeGN6lT9oj0=
PresharedKey = tEIW8FuxR6I+Qu79bORatbD+JgNPeigNvc9V18f7to8=
Endpoint = sentry.example.com:51820
AllowedIPs = 10.13.16.0/24
Copy the output you see into a temporary buffer / notepad; you will need this information in the next chapter.