
WireGuard

We use WireGuard (WG) as a VPN in many places.

How-to

Manage user clients

The list of allowed clients for the user VPN service is managed in the private Puppet repository, in the hiera file for the active VPN server.

To find the active VPN server, check where the vpn.majava.org service name points:

$ host -tCNAME vpn.majava.org
vpn.majava.org is an alias for gw02.srv.majava.org.

This means the file to edit is hieradata/nodes/gw02.srv.majava.org.yaml.

In the hiera file, clients are listed first by server interface and then by client public key. The structure is this:

profile::network::gateway::wireguard_clients:
  wg0: # user
    # username, some client description
    - public_key: aaaasomekey=
      addresses: [10.20.14.123]
    # username, some other client description
    - public_key: aaaasomeotherkey=
      addresses: [10.20.14.456]

To add a key, add a new YAML block to the end of that array for the interface you want to edit. Feel free to just pick the next unused IP address and assign that to the client. Keep the list sorted by IP addresses to make it easy to see the next available address.

After saving the file, commit the changes as usual and run Puppet on the active server to apply the changes.
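The checks below cover the mistakes that are easy to make when hand-editing that array (a mistyped key, an address used twice, an unsorted list) and pick the next free address for you. This is an added example, not part of the Puppet repository; it assumes the hiera data has already been loaded with a YAML parser (e.g. PyYAML's yaml.safe_load), and the inline sample with placeholder keys is constructed to mirror the structure shown above.

```python
import base64
import ipaddress

# Constructed sample shaped like the hiera data after yaml.safe_load(); both keys are placeholders.
SAMPLE_CLIENTS = {"wg0": [
    {"public_key": base64.b64encode(bytes(32)).decode(), "addresses": ["10.20.14.123"]},
    {"public_key": base64.b64encode(b"\x01" * 32).decode(), "addresses": ["10.20.14.124"]},
]}


def check_public_key(key: str) -> bool:
    """A WireGuard public key is 32 raw bytes, base64-encoded (44 chars, '=' padded)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def validate_interface(entries: list) -> list:
    """Return a list of problems found in one interface's client array (empty = OK)."""
    problems, keys, addrs, prev = [], set(), set(), None
    for i, entry in enumerate(entries):
        key = entry.get("public_key", "")
        if not check_public_key(key):
            problems.append(f"entry {i}: malformed public key {key!r}")
        if key in keys:
            problems.append(f"entry {i}: public key already listed")
        keys.add(key)
        for addr in entry.get("addresses", []):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"entry {i}: invalid address {addr!r}")
                continue
            if ip in addrs:
                problems.append(f"entry {i}: address {addr} already assigned")
            if prev is not None and ip <= prev:
                problems.append(f"entry {i}: list not sorted by address at {addr}")
            addrs.add(ip)
            prev = ip
    return problems


def next_free_address(entries: list, network: str) -> str:
    """First unused host address above the highest one already assigned (validate first)."""
    net = ipaddress.ip_network(network)
    used = {ipaddress.ip_address(a) for e in entries for a in e.get("addresses", [])}
    start = max(used) + 1 if used else next(net.hosts())
    for host in net.hosts():
        if host >= start and host not in used:
            return str(host)
    raise RuntimeError(f"no free address left in {network}")
```

Run validate_interface on each interface's array before committing; the assumed 10.20.14.0/24 network is only a guess from the sample addresses and should be replaced with the real one.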