Wireguard Bastion Host
Last updated
Copyright © 2021 MOSIP. This work is licensed under a Creative Commons Attribution (CC-BY-4.0) International License unless otherwise noted.
A Wireguard bastion host (Wireguard server) provides a secure private channel to access the MOSIP cluster. The host restricts public access and admits only those clients whose public key is listed on the Wireguard server. Wireguard listens on UDP port 51820.
Provision a Virtual Machine (VM) and make sure it has access to the internal load balancer (refer to Deployment Architecture). Recommended configuration of the VM is 2 vCPU, 4 GB RAM, 16 GB storage. While this configuration should work for small-scale deployments, it must be scaled up if the host becomes a bottleneck under high load.
Install Docker, and make sure you add $USER to the docker group:
Install Wireguard on the VM using Docker as given here. Sample config:
If you already have a config file you may mount it with -v <your host path>:/config.
You may increase the number of peers by keeping the above mounted folders intact, stopping the container and running it again with -e PEERS=<number of peers>.
Install a Wireguard app on your machine. For macOS there is a Wireguard app on the App Store.
Enter the server container and cd to the /config folder. Here you will find the config files for the peers. Add the corresponding peer.conf file to the client Wireguard config.
Make sure the Endpoint mentioned for the client is the Wireguard bastion host's IP address.
Modify the Allowed IPs of the client to the private IP addresses of the Internal Load Balancers of your clusters. Here we assume that all your clusters run in the same VPC so that the bastion host is able to reach all of them.