Configure sentry wireguard server

Reconfigure Traefik to enable WireGuard server

Run this on the Raspberry Pi
sentry make traefik config
(stdout)
? Traefik:
> Config
  Install (make install)
  Admin
  Exit (ESC)

? Traefik Configuration:
^ Entrypoints (including dashboard)
  TLS certificates and authorities
  Middleware (including sentry auth)
> Advanced Routing (Layer 7 / Layer 4 / WireGuard)
  Error page template
  Logging level
  Access logs

? Traefik routes
  Configure layer 7 TLS proxy
  Configure layer 4 TCP/UDP proxy
> Configure wireguard VPN

? Should this Traefik instance connect to a wireguard VPN?
  No, Traefik should use the host network directly.
> Yes, and this Traefik instance should start the wireguard server.
  Yes, but this Traefik instance needs credentials to connect to an outside VPN.

? Should Traefik bind itself exclusively to the VPN interface?
> No, Traefik should work on all interfaces (including the VPN).
  Yes, Traefik should only listen on the VPN interface.

TRAEFIK_VPN_HOST: Enter the public Traefik VPN hostname (e.g., vpn.example.com)

: sentry.example.com

TRAEFIK_VPN_SUBNET: Enter the Traefik VPN private subnet (no mask) (e.g., 10.13.16.0)

: 10.13.16.0

TRAEFIK_VPN_ADDRESS: Enter the Traefik VPN private IP address (e.g., 10.13.16.1)

: 10.13.16.1

TRAEFIK_VPN_PORT: Enter the Traefik VPN TCP port number (e.g., 51820)

: 51820

Although the prompt says TCP, WireGuard listens on UDP: it is UDP port 51820 that must be reachable on sentry.example.com from the internet, and that port is what the generated peer configs use as their Endpoint.

Enter the Traefik VPN peers list

: pi

You may enter up to 253 peer names, separated by commas with no spaces, e.g., pi,pi2,phone1,toaster,garage. Each peer name must be a single word of letters and/or digits. The limit comes from the /24 VPN subnet: it has 254 usable host addresses, one of which is the server's own TRAEFIK_VPN_ADDRESS.

Press ESC two times to back out to the main menu.

Tip

You may add more clients later, but you must not remove existing clients or change their order: existing peers are tied to their position in the list, so the only safe change is to append new names at the end. If you need to remove a client, destroy all the clients and recreate them with the reset commands below.

Run this on the Raspberry Pi if you need to reset all the client keys
## Resets all WireGuard keys:
sentry make traefik destroy service=wireguard
sentry make traefik install

This regenerates the key pair and pre-shared key of every peer, so the old client configs stop working immediately and every client must be given its new config afterwards.
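As an added example (not code from the page or from the sentry tool), the following script validates a peer list against the rules stated above and prints the VPN address each peer would receive. It assumes, based only on the pi -> 10.13.16.2 output shown later on this page and not on anything the tool documents, that the server holds .1 and peers are numbered .2, .3, ... in list order; under that assumption the second call shows why reordering or removing entries is unsafe.

```shell
#!/bin/sh
# Added example, not part of the sentry tool. It validates a peer list against the
# rules stated above (comma-separated, no spaces, letters and digits only, at most
# 253 names, no duplicates) and prints the VPN address each peer would receive.
# Assumption, taken from the pi -> 10.13.16.2 output later on this page rather than
# from the tool's documentation: the server holds .1 and peers are numbered
# .2, .3, ... in list order, which is why the list is append-only.

# validate_peer_list LIST -> prints "name index" per peer; returns 1 with a message on error
validate_peer_list() {
    list=$1
    case "$list" in
        ''|*' '*|*,,*|,*|*,)
            echo "error: list must be non-empty, comma-separated, with no spaces or empty names" >&2
            return 1 ;;
    esac
    oldifs=$IFS; IFS=,
    set -f                          # no globbing while splitting
    set -- $list                    # split on commas only
    set +f
    IFS=$oldifs
    if [ $# -gt 253 ]; then
        echo "error: $# peers, but a /24 holds 254 hosts and the server takes one" >&2
        return 1
    fi
    seen=' '
    i=0
    for name; do
        case "$name" in
            *[!A-Za-z0-9]*)
                echo "error: peer name '$name' may contain only letters and digits" >&2
                return 1 ;;
        esac
        case "$seen" in
            *" $name "*)
                echo "error: duplicate peer name '$name'" >&2
                return 1 ;;
        esac
        seen="$seen$name "
        i=$((i + 1))
        printf '%s %s\n' "$name" "$i"
    done
}

# peer_address SUBNET INDEX -> address of the INDEX-th peer (SUBNET without mask, e.g. 10.13.16.0)
peer_address() {
    case "$1" in
        *.*.*.0) ;;
        *) echo "error: subnet must look like 10.13.16.0 (no mask)" >&2; return 1 ;;
    esac
    printf '%s.%s\n' "${1%.*}" "$(($2 + 1))"
}

# peer_plan LIST SUBNET -> one "name address" line per peer, in list order
peer_plan() {
    validate_peer_list "$1" >/dev/null || return 1
    peer_address "$2" 1 >/dev/null || return 1
    validate_peer_list "$1" | while read -r name idx; do
        printf '%s %s\n' "$name" "$(peer_address "$2" "$idx")"
    done
}

# Usage: the same three peers entered in a different order get different addresses,
# which is why existing entries must never be reordered or removed
peer_plan pi,pi2,phone1 10.13.16.0
echo '--- reordered ---'
peer_plan pi2,pi,phone1 10.13.16.0
```

Run it before answering the peers prompt: a rejected list is cheaper to fix here than after the keys have been generated.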

Reconfigure Traefik to add a Layer 7 route to the Raspberry Pi

Run this on the Raspberry Pi
sentry make traefik config
(stdout)
? Traefik:
> Config
  Install (make install)
  Admin
  Exit (ESC)

? Traefik Configuration:
^ Entrypoints (including dashboard)
  TLS certificates and authorities
  Middleware (including sentry auth)
> Advanced Routing (Layer 7 / Layer 4 / WireGuard)
  Error page template
  Logging level
  Access logs

? Traefik routes
> Configure layer 7 TLS proxy
  Configure layer 4 TCP/UDP proxy
  Configure wireguard VPN

> Do you want to enable the layer 7 TLS proxy? Yes

? Layer 7 TLS Proxy:
  List layer 7 ingress routes
> Add new layer 7 ingress route
  Remove layer 7 ingress routes
  Disable layer 7 TLS Proxy

Enter the public domain (SNI) for the route:

: whoami.pi.example.com

Enter the destination IP address to forward to:

: 10.13.16.2

Enter the destination TCP port to forward to:

: 443

##
## See https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt

> Do you want to enable Proxy Protocol for this route? Yes

## Layer 7 TLS Proxy is ENABLED.
## Configured Layer 7 Routes:
Entrypoint              Destination_address  Destination_port  Proxy_protocol
----------              -------------------  ----------------  --------------
whoami.pi.example.com  10.13.16.2           443               2

Enabling Proxy Protocol makes Traefik prepend a PROXY header carrying the original client address to every connection it forwards, so the destination at 10.13.16.2:443 must be configured to expect it; a backend that is not expecting the header will read it as the start of the TLS handshake and drop the connection.

Press ESC multiple times to back out to the main menu. On the main menu, select Install to re-install Traefik:

(stdout)
? Traefik:
  Config
> Install (make install)
  Admin
  Exit (ESC)

Once re-installed, press ESC to quit the config tool.
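As an added example (not code from the page, the sentry tool or Traefik), the following script builds the PROXY protocol v2 header for an IPv4/TCP connection as laid out in the haproxy document the tool links to. It shows what now travels in front of every connection Traefik forwards to the Raspberry Pi for this route, and gives you a way to probe whether the Pi side accepts it. The client and server addresses and ports are assumed sample values.

```shell
#!/bin/sh
# Added example, not part of the sentry tool or Traefik: builds the 28-byte PROXY
# protocol v2 header for an IPv4/TCP connection (haproxy proxy-protocol.txt,
# section 2.2). Traefik sends such a header ahead of every forwarded connection
# once "Proxy Protocol" is enabled for the route. Addresses/ports are sample values.

# ip4_octal A.B.C.D -> printf escape text for the 4 raw bytes, e.g. '\012\015\020\002'
ip4_octal() {
    addr=$1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "error: '$addr' is not a dotted IPv4 address" >&2; return 1; }
    for o; do
        case "$o" in ''|*[!0-9]*) echo "error: bad octet '$o' in $addr" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "error: octet $o > 255 in $addr" >&2; return 1; }
    done
    printf '\\%03o\\%03o\\%03o\\%03o' "$1" "$2" "$3" "$4"
}

# port_octal PORT -> escape text for the port as a big-endian 16-bit value
port_octal() {
    case "$1" in ''|*[!0-9]*) echo "error: bad port '$1'" >&2; return 1 ;; esac
    [ "$1" -le 65535 ] || { echo "error: port $1 > 65535" >&2; return 1; }
    printf '\\%03o\\%03o' $(($1 / 256)) $(($1 % 256))
}

# proxy_v2_header SRC_IP DST_IP SRC_PORT DST_PORT -> raw header bytes on stdout
proxy_v2_header() {
    src=$(ip4_octal "$1") || return 1
    dst=$(ip4_octal "$2") || return 1
    sport=$(port_octal "$3") || return 1
    dport=$(port_octal "$4") || return 1
    # 12-byte signature \r\n\r\n\0\r\nQUIT\n, then 0x21 (version 2, PROXY command),
    # 0x11 (AF_INET, SOCK_STREAM) and the address block length 12 (4+4+2+2), big-endian
    printf '\015\012\015\012\000\015\012QUIT\012\041\021\000\014'
    # address block: source address, destination address, source port, destination port
    printf "$src$dst$sport$dport"
}

# proxy_v2_hex ... -> the same header as one hex string, for inspection and tests
proxy_v2_hex() {
    proxy_v2_header "$@" | od -An -tx1 | tr -d ' \n'
}

# Usage: the header a client at 10.13.16.1:40000 would be announced with when
# Traefik forwards it to the Pi's 10.13.16.2:443 (sample values)
proxy_v2_hex 10.13.16.1 10.13.16.2 40000 443; echo
```

The header only means something on the same TCP connection as the application data, so to probe the Pi you have to send it first and then the TLS handshake, for example `{ proxy_v2_header 10.13.16.1 10.13.16.2 40000 443; cat; } | nc 10.13.16.2 443` with the handshake bytes fed through `cat`. A backend that expects the header treats the connection as coming from 10.13.16.1:40000; one that does not will try to parse these 28 bytes as a TLS record and close the connection, which is the failure you see when Proxy Protocol is enabled on only one side.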

Find the wireguard peer config

The install step starts the WireGuard service and generates one config file per peer. You can confirm this and print the peer configs:

Run this on the Raspberry Pi
sentry make traefik show-wireguard-peers
(stdout)
## /config/peer_pi/peer_pi.conf
[Interface]
Address = 10.13.16.2
PrivateKey = 2E1vQHCS5JuaoRrt21GO0bYVrafOhplrGNFqoFBivEY=
ListenPort = 51820
DNS = 10.13.16.1

[Peer]
PublicKey = AZiNh/5sk71QTy6Rk0ygzIUsSGAX8/s3EeGN6lT9oj0=
PresharedKey = tEIW8FuxR6I+Qu79bORatbD+JgNPeigNvc9V18f7to8=
Endpoint = sentry.example.com:51820
AllowedIPs = 10.13.16.0/24

Copy this output into a temporary buffer or notepad; you will need it in the next chapter. It contains the peer's private key and the pre-shared key, so treat it as a credential: do not paste it into chat or a shared clipboard, and delete the temporary copy once the client has been configured.
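As an added example (not code from the page or from the sentry tool), the following script checks a peer config of the shape printed above for consistency with the values entered earlier (VPN subnet, server address, port) before you carry it to the client, and copies it with owner-only permissions because it holds the client's PrivateKey and the PresharedKey. The config it checks is a constructed sample with dummy keys written by write_sample_conf, not real tool output.

```shell
#!/bin/sh
# Added example, not part of the sentry tool. It checks a peer config of the shape
# printed by show-wireguard-peers for consistency with the values entered above
# (subnet, server address, port) and copies it with owner-only permissions, since
# it holds the client's PrivateKey and the PresharedKey. The sample config written
# by write_sample_conf is constructed here with dummy keys, not real output.

# wg_get FILE KEY -> value of the first "KEY = value" line, empty if absent
wg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# is_wg_key STRING -> 0 if it looks like a base64 32-byte WireGuard key (43 chars + '=')
is_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    case "$1" in
        *=) ;;
        *) return 1 ;;
    esac
    case "${1%=}" in
        *[!A-Za-z0-9+/]*) return 1 ;;
    esac
    return 0
}

# check_peer_conf FILE SUBNET SERVER_IP PORT -> 0 if the config matches, 1 with a message otherwise
check_peer_conf() {
    f=$1; prefix=${2%.*}; server=$3; port=$4

    # Address must be a host inside SUBNET/24 other than the server's .1
    addr=$(wg_get "$f" Address); addr=${addr%%/*}
    last=${addr#"$prefix".}
    case "$last" in
        ''|*[!0-9]*|"$addr") echo "Address '$addr' is not inside $prefix.0/24" >&2; return 1 ;;
    esac
    if [ "$last" -lt 2 ] || [ "$last" -gt 254 ]; then
        echo "Address '$addr' is reserved or collides with the server ($server)" >&2; return 1
    fi

    # all three keys must be present and well-formed
    for key in PrivateKey PublicKey PresharedKey; do
        is_wg_key "$(wg_get "$f" "$key")" || { echo "$key is missing or malformed" >&2; return 1; }
    done

    # Endpoint must point at the port the server was configured with
    ep=$(wg_get "$f" Endpoint)
    [ "${ep##*:}" = "$port" ] || { echo "Endpoint '$ep' does not use port $port" >&2; return 1; }

    # only VPN traffic is tunnelled, so AllowedIPs should be exactly the VPN subnet
    [ "$(wg_get "$f" AllowedIPs)" = "$prefix.0/24" ] \
        || { echo "AllowedIPs should be $prefix.0/24" >&2; return 1; }

    [ "$(wg_get "$f" DNS)" = "$server" ] || echo "note: DNS is not the server address $server" >&2
    return 0
}

# save_peer_conf SRC DEST -> copies the config so that only the owner can read it
save_peer_conf() {
    ( umask 077 && cp "$1" "$2" ) && chmod 600 "$2"
}

# dummy_key C -> a syntactically valid but meaningless key: 43 copies of C plus '='
dummy_key() {
    printf '%s=' "$(printf '%043d' 0 | tr 0 "$1")"
}

# write_sample_conf FILE -> constructed sample in the show-wireguard-peers format
write_sample_conf() {
    cat > "$1" <<EOF
[Interface]
Address = 10.13.16.2
PrivateKey = $(dummy_key A)
ListenPort = 51820
DNS = 10.13.16.1

[Peer]
PublicKey = $(dummy_key B)
PresharedKey = $(dummy_key C)
Endpoint = sentry.example.com:51820
AllowedIPs = 10.13.16.0/24
EOF
}

# Usage: write the constructed sample to a temp file and check it against the values entered above
sample=$(mktemp)
write_sample_conf "$sample"
check_peer_conf "$sample" 10.13.16.0 10.13.16.1 51820 && echo "peer config looks consistent"
rm -f "$sample"
```

On the real output, run check_peer_conf against the file you copied and then save_peer_conf to put it where the client will read it; the AllowedIPs check also reminds you that this config routes only the 10.13.16.0/24 subnet through the tunnel, not the client's general internet traffic.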