Wireguard Bastion Host
A Wireguard bastion host (Wireguard server) provides a secure private channel to access the MOSIP cluster. The host restricts public access and admits only those clients whose public key is listed in the Wireguard server configuration; packets from any other source are dropped without a reply, so the server is invisible to unauthenticated scanners. Wireguard listens on UDP port 51820.
- Provision a Virtual Machine (VM) and make sure it has access to the internal load balancer (refer to Deployment Architecture). The recommended VM configuration is 2 vCPU, 4 GB RAM, 16 GB storage. This should work for small-scale deployments, but it must be scaled up if the host becomes a bottleneck under high load. On the VM's public interface expose only UDP 51820 (plus SSH for administration, restricted to known source addresses); everything else should be reachable only over the tunnel.
- Install docker, and make sure you add `$USER` to the docker group (log out and back in for the new group membership to take effect):

```bash
sudo usermod -aG docker $USER
```

- Run the Wireguard server container. `NET_ADMIN` is required so the container can create the wg interface and its routes; `SYS_MODULE` together with the `/lib/modules` mount lets it load the host's wireguard kernel module when the kernel does not have it built in. The image name is not shown on the original page; `linuxserver/wireguard` is assumed here because `PUID`, `PGID` and `PEERS` are that image's variables.

```bash
docker run -d \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e PEERS=30 \
  -p 51820:51820/udp \
  -v /home/ubuntu/config:/config \
  -v /lib/modules:/lib/modules \
  --restart unless-stopped \
  linuxserver/wireguard   # assumed image; not stated on the original page
```
- If you already have a config file you may mount it with `-v <your host path>:/config`.
- You may increase the number of peers by stopping the container and running it again with `-e PEERS=<number of peers>`, keeping the mounted folders above intact so that the keys already issued to existing peers are not regenerated.
- Install a Wireguard app on your machine. For macOS there is a Wireguard app on the App Store.
- Enter the server container and cd to the `/config` folder. Here you will find the config files for the peers. Add the corresponding `peer.conf` file to the client's Wireguard config. Each peer file contains that client's private key, so treat it as a credential: hand each file to exactly one user over a secure channel and do not reuse a peer file across users, otherwise you lose the ability to tell clients apart or to cut off a single one.
- Make sure the `Endpoint` mentioned for the client is the Wireguard bastion host's public IP address, with port 51820.
- Modify the `AllowedIPs` of the client to the private IP addresses of the internal load balancers of your clusters, rather than a catch-all such as `0.0.0.0/0`, which would route all of the client's traffic through the bastion. Here we assume that all your clusters are running in the same VPC, so that the bastion host is able to reach all of them.