Configure sentry WireGuard server

Reconfigure Traefik to enable WireGuard server

Run this on the Raspberry Pi
sentry make traefik config
(stdout)
? Traefik:
> Config
  Install (make install)
  Admin
  Exit (ESC)

? Traefik Configuration:
^ Entrypoints (including dashboard)
  TLS certificates and authorities
  Middleware (including sentry auth)
> Advanced Routing (Layer 7 / Layer 4 / WireGuard)
  Error page template
  Logging level
  Access logs

? Traefik routes
  Configure layer 7 TLS proxy
  Configure layer 4 TCP/UDP proxy
> Configure wireguard VPN

? Should this Traefik instance connect to a wireguard VPN?
  No, Traefik should use the host network directly.
> Yes, and this Traefik instance should start the wireguard server.
  Yes, but this Traefik instance needs credentials to connect to an outside VPN.

? Should Traefik bind itself exclusively to the VPN interface?
> No, Traefik should work on all interfaces (including the VPN).
  Yes, Traefik should only listen on the VPN interface.

TRAEFIK_VPN_HOST: Enter the public Traefik VPN hostname (e.g., vpn.example.com)

: sentry.example.com

TRAEFIK_VPN_SUBNET: Enter the Traefik VPN private subnet (no mask) (e.g., 10.13.16.0)

: 10.13.16.0

TRAEFIK_VPN_ADDRESS: Enter the Traefik VPN private IP address (e.g., 10.13.16.1)

: 10.13.16.1

TRAEFIK_VPN_PORT: Enter the Traefik VPN TCP port number (e.g., 51820)

: 51820

Enter the Traefik VPN peers list

: pi

You may enter up to 253 peer names, separated by commas, with no spaces, e.g., pi,pi2,phone1,toaster,garage. Each client name should be a single word of letters and/or numbers.

Press ESC two times to back out to the main menu.

Tip

You may add more clients at a later time, but you should not remove existing clients or change their order: it is only safe to append to this list. If you need to remove a client, you should destroy all the clients and recreate them.

Run this if you need to reset all the client keys
## Resets all WireGuard keys:
sentry make traefik destroy service=wireguard
sentry make traefik install
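
The peers list rules above (name format, the 253 limit, append-only changes) can be checked before you re-enter the list. This is an added example, not part of sentry; the function name `check_peers` and the uniqueness check are assumptions of the example.

```shell
# Added example, not part of sentry: pre-flight check for a new peers list.
# check_peers CURRENT PROPOSED prints a verdict; exit status 0 means the
# proposed list follows the rules described on this page.
# The body runs in a subshell "( ... )" so IFS and variables do not leak.
check_peers() (
    current=$1
    proposed=$2
    set -f    # never glob-expand list contents while splitting

    # Comma-separated single words of letters and/or numbers, no spaces.
    case $proposed in
        '' | *[!A-Za-z0-9,]*) echo "invalid: letters, numbers and commas only"; exit 1 ;;
        ,* | *, | *,,*)       echo "invalid: empty peer name"; exit 1 ;;
    esac

    # Existing names must stay in place: PROPOSED is CURRENT plus appended names.
    if [ -n "$current" ]; then
        case $proposed in
            "$current" | "$current",*) ;;
            *) echo "unsafe: existing peers removed, renamed or reordered"; exit 1 ;;
        esac
    fi

    IFS=,
    set -- $current;  n_cur=$#
    set -- $proposed; n_new=$#
    if [ "$n_new" -gt 253 ]; then echo "invalid: more than 253 peers"; exit 1; fi

    # Assumption of this example (the page does not say): names must be unique.
    seen=,
    for name in "$@"; do
        case $seen in
            *",$name,"*) echo "invalid: duplicate peer name $name"; exit 1 ;;
        esac
        seen="$seen$name,"
    done

    echo "ok: $n_new peers, $((n_new - n_cur)) appended"
)

# Constructed sample lists:
check_peers "pi" "pi,phone1,garage"            # appending is accepted
check_peers "pi,phone1" "phone1,pi" || true    # reordering is rejected
```
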

Reconfigure Traefik to add a Layer 7 route to the Raspberry Pi

Run this on your Raspberry Pi
sentry route set pi whoami.pi.example.com

Tip

You may also create the route interactively through the Traefik config menu.

Find the WireGuard peer config

Check that the WireGuard service has started by listing the peer configs:

Run this on the Raspberry Pi
sentry make traefik show-wireguard-peers
(stdout)
## /config/peer_pi/peer_pi.conf
[Interface]
Address = 10.13.16.2
PrivateKey = 2E1vQHCS5JuaoRrt21GO0bYVrafOhplrGNFqoFBivEY=
ListenPort = 51820
DNS = 10.13.16.1

[Peer]
PublicKey = AZiNh/5sk71QTy6Rk0ygzIUsSGAX8/s3EeGN6lT9oj0=
PresharedKey = tEIW8FuxR6I+Qu79bORatbD+JgNPeigNvc9V18f7to8=
Endpoint = sentry.example.com:51820
AllowedIPs = 10.13.16.0/24

Copy the output you see into a temporary buffer or notepad. You will need this information in the next chapter.