Using Wireguard, DigitalOcean and firewalld to give your roaming computer a static IP

"Have fun storming the castle"

While we’re waiting to figure out where in Ireland we’ll be living long-term, we’re currently using mobile broadband. I’d like to be able to ssh into my home network from outside, but when I looked into setting up DDNS, I found that I don’t even have a public IP address. My mobile dongle says that its IP address is in the 10.0.0.0/8 range, so there’s no way to direct traffic to it from the internet.

After my first foray in using wireguard, I figured it should be a good fit to give myself ssh access to the home network. I could have just forwarded a specific port to my home network, but I prefer not to have to deal with non-standard ports. And, as this site is hosted on DigitalOcean, the natural next step was to see if I could pull it off with them.

It took a couple of hours (mainly dealing with firewalld as I’m much more comfortable with iptables), but I got there in the end, and I can now ssh into my home network (using key-based authentication, of course).

This guide will walk you through the process, step by step. It assumes you have a DigitalOcean droplet running, that you’re using Fedora on both the roaming computer and the DigitalOcean droplet, and that you have firewalld on both.

Step 1 - Give your droplet a Floating IP

  1. Log into DigitalOcean
  2. Go to Networking, Floating IPs
  3. Select the droplet you want to use as your gateway and click Assign Floating IP
  4. Check to see what address you got. This will be your new static IP address

Do note that the floating IP will not appear when you run ip addr in your droplet, but there will be a local IP (most likely in the 10.16.0.0/16 range) that all the floating IP’s traffic will be forwarded to.

Step 2 - Setup wireguard between DigitalOcean and your roaming computer

On both the DigitalOcean droplet and your roaming computer, install wireguard. I want to quickly note that it’s not available from the official Fedora repositories because the kernel module hasn’t been merged into the mainline kernel yet. It has just become available in the RPM Fusion Free testing repositories. This guide assumes you’ve already configured the RPM Fusion Free repository on your system.

$ sudo dnf --enablerepo=rpmfusion-free-updates-testing install wireguard

Now, it’s time to set wireguard up on the DigitalOcean droplet.

  1. We’ll use the wg-quick service to set everything up, so put the following in /etc/wireguard/wgnet0.conf:

     [Interface]
     Address = 192.168.32.1/24
     SaveConfig = true
     ListenPort = 51820
     PrivateKey = 
    
     [Peer]
     PublicKey = 
     PresharedKey = 
     AllowedIPs = 192.168.32.0/24
    
  2. Generate a private key and insert it into the line that says PrivateKey:

     $ wg genkey
    
  3. Generate a pre-shared key (which should protect your VPN from the omnipresent quantum computers that are undoubtedly listening in) and insert it into the line that says PresharedKey:

     $ wg genpsk
    
  4. Figure out the public key from the private key you generated in step 2:

     $ echo {private key} | wg pubkey
    

Now for the roaming computer. Because the roaming computer initiates the connection to the DigitalOcean droplet, we need to set up a keepalive so that traffic starting at the droplet (which is the whole point of this exercise) can still reach the roaming computer within 10 seconds at most, even if the link has been completely idle.

  1. Put the following in /etc/wireguard/wgnet0.conf, substituting your droplet’s hostname or public IP (but not the floating IP) for www.example.com:

     [Interface]
     Address = 192.168.32.2/24
     PrivateKey = 
    
     [Peer]
     PublicKey = 
     PresharedKey = 
     AllowedIPs = 192.168.32.0/24
     Endpoint = www.example.com:51820
     PersistentKeepalive = 10
    
  1. Insert the public key we extracted in step 4 of the droplet configuration into the line that says PublicKey.

  2. Insert the pre-shared key generated in step 3 of the droplet configuration into the line that says PresharedKey.

  3. Generate a private key and insert it into the line that says PrivateKey:

     $ wg genkey
    
  4. Now, extract the public key from the private key you just generated, go back to the droplet and insert it into the line that says PublicKey:

     $ echo {private key} | wg pubkey
    

At this point, you should have two configuration files with everything filled in.

Go back to the DigitalOcean droplet now and get the service running.

  1. First open the service port in the firewall:

     $ sudo firewall-cmd --add-port=51820/udp --permanent
     $ sudo firewall-cmd --reload
    
  2. Enable and start the service:

     $ sudo systemctl enable wg-quick@wgnet0.service
     $ sudo systemctl start wg-quick@wgnet0.service
    

Assuming you haven’t hit any errors, you should now have wireguard running on your droplet.

On your roaming computer, get the service running.

  1. Enable and start the service:

     $ sudo systemctl enable wg-quick@wgnet0.service
     $ sudo systemctl start wg-quick@wgnet0.service
    

Test the service by pinging 192.168.32.1 from your roaming computer and 192.168.32.2 from your DigitalOcean droplet. Assuming both work, congratulations, you’ve now set up a VPN between your two systems!

Step 3 - Forward ports from the floating IP to your roaming computer

You now have a floating IP on your DigitalOcean droplet and a VPN between the droplet and your roaming computer, so the final step is to put them together.

This process would be easier if DigitalOcean used different interfaces for the public IP and the floating IP, but they don’t, so we have to use firewalld’s rich rules to make this work.

First, figure out which ports you want to open up. We’ll just open the ssh port in this example.

On the droplet, do the following steps:

  1. Verify that you can ssh into the roaming computer:

     $ ssh user@192.168.32.2
    

    If this step fails, you’ve made a mistake in your ssh configuration, and fixing it is beyond the scope of this guide.

  2. Figure out the private address that traffic to the floating IP is coming to:

     $ ip addr show eth0
    

    Look for the line that begins with inet 10.x.x.x. 10.x.x.x is the IP address you’re looking for. On my system it’s 10.16.0.5, so that’s what I’m going to use for the rest of the example.

  3. Turn on masquerading for any traffic going over the VPN:

     $ sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address=192.168.32.2/32 masquerade" --permanent
    
  4. Forward the ports from the floating IP to the VPN, making sure to substitute the IP address you found in step 2 for 10.16.0.5:

     $ sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address=10.16.0.5/32 forward-port port=22 protocol=tcp to-port=22 to-addr=192.168.32.2" --permanent
    
  5. Repeat step 4 for any other ports you want open.

  6. Reload the firewall rules:

     $ sudo firewall-cmd --reload
    

Voilà! When you ssh into your floating IP, it should be forwarded to your roaming computer, while your droplet is still accessible on its public IP.
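The Step 3 rules above, gathered into one script for the droplet, as an added example that is not part of the original post. It takes the same rich-rule text and VPN addresses as the guide; the IFACE and PORTS variables, the --apply switch, and the sample ip addr output it dry-runs against are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the Step 3 firewalld rules for any
# number of TCP ports, with the anchor-IP lookup and an "already present" check.
# Rule text and VPN addresses are the guide's; IFACE, PORTS, --apply and the
# sample `ip addr` output are this script's own assumptions.
set -eu
IFACE="${IFACE:-eth0}"    # droplet NIC that also receives the floating IP's traffic
PORTS="${PORTS:-22}"      # space-separated TCP ports to forward
VPN_PEER="192.168.32.2"   # roaming computer's WireGuard address
# Constructed sample of `ip -4 addr show eth0` output, used for the dry run only.
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 203.0.113.10/20 brd 203.0.113.255 scope global eth0
    inet 10.16.0.5/16 brd 10.16.255.255 scope global eth0'

# Read `ip -4 addr` output on stdin and print the first 10.x.x.x address without
# its prefix length: the private address the floating IP's traffic arrives on.
anchor_ip() {
  awk '$1 == "inet" && $2 ~ /^10\./ { sub(/\/.*/, "", $2); print $2; exit }'
}
# Masquerade traffic bound for the roaming computer so replies return through the
# tunnel (its default route is the mobile link, not the VPN). Side effect: sshd on
# the roaming computer logs every client as 192.168.32.1, so per-source lockouts
# there see a single source; read those logs with that in mind.
masq_rule() {
  printf 'rule family=ipv4 destination address=%s/32 masquerade\n' "$VPN_PEER"
}
# DNAT one TCP port arriving on the anchor address to the same port on the peer.
fwd_rule() {  # $1 = port, $2 = anchor IP
  printf 'rule family=ipv4 destination address=%s/32 forward-port port=%s protocol=tcp to-port=%s to-addr=%s\n' \
    "$2" "$1" "$1" "$VPN_PEER"
}
# Add a permanent rich rule only if the permanent config does not already hold it.
ensure_rule() {
  if ! firewall-cmd --permanent --query-rich-rule "$1" >/dev/null 2>&1; then
    firewall-cmd --permanent --add-rich-rule "$1"
  fi
}
apply_rules() {
  anchor=$(ip -4 addr show "$IFACE" | anchor_ip)
  [ -n "$anchor" ] || { echo "no 10.x.x.x address on $IFACE" >&2; exit 1; }
  ensure_rule "$(masq_rule)"
  for p in $PORTS; do ensure_rule "$(fwd_rule "$p" "$anchor")"; done
  firewall-cmd --reload
}
# `sudo sh forward.sh --apply` changes the firewall; with no argument it is a dry
# run that prints the rules it would add, using the constructed sample output.
if [ "${1:-}" = "--apply" ]; then apply_rules; else
  anchor=$(printf '%s\n' "$SAMPLE_IP_ADDR" | anchor_ip)
  masq_rule; for p in $PORTS; do fwd_rule "$p" "$anchor"; done
fi
```

Run the dry run first and compare its output with the two firewall-cmd lines from steps 3 and 4 before applying it with --apply.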

Security notice: you do not want to allow root to ssh into your system using a password. That’s just begging for someone to guess the password and get root access on your roaming computer. Set up SSH keys, and, at the minimum, make sure that root can only log in with an SSH key.

One of the benefits of wireguard is that the client (in this case, the roaming computer) will automatically reconnect as it moves from network to network, so your roaming computer will automatically be available at the floating IP no matter where it is as long as it’s on the Internet.

Do note that DigitalOcean doesn’t seem to allow you to connect more than one floating IP to a droplet at a time, so you’ll be limited to one forwarded IP per droplet.

Enjoy your new static IP. If you run into any problems, please leave a message in the comments below.

How (not) to pack smart

The media center in transit

As those who know me are probably aware, in July, we left Beirut, Lebanon and moved to Skibbereen, Ireland, my wife’s hometown. We’ve spent the last couple of months settling in, and I’ve been looking for a position that will be a good fit.

One item in the “settling in” checklist is the joyful process of setting up my home network. I was able to bring all of my data with me, but, with my background in system administration, making sure that data is safe is very important to me. I’ve set up RAID1 on my media center that doubles as a datastore, and I’ve just finished assembling a Raspberry Pi with an external hard drive as my backup. Once we have decent internet (dependent on us knowing where we’ll live for the next while which is dependent on me knowing where I’ll be working), I’ll also be setting up something on the cloud, most likely with Amazon Glacier.

But the story of bringing the media center computer to Ireland is the one that I would like to share, especially as it wasn’t as straightforward as you might think.

How (not) to pack smart

In Lebanon, I had a media center in the living room, connected to a TV and a nice 5.1 surround sound system. We didn’t watch much TV, but we did like listening to music and having our photos on a random slideshow was a great way of keeping our kids aware of distant family.

When it came time to leave Lebanon, I had originally planned to just bring the hard drives and buy a new desktop. But when it came time to pack, we had extra luggage space, so I changed my mind and decided to bring the motherboard, RAM, graphics card, etc. The question was, how am I going to keep all that safe? If only there was some box designed to protect a computer’s internals! I decided to just bring the computer case. Granted, it was old, large and heavy, but Qatar airways was giving us 30 kg (66 lbs) per bag, so we had the space.

This is the point where I had my epiphany. I consider myself an expert on packing. I’ve spent all of my adult life traveling between Lebanon, the US and Ireland, and I have become quite skilled at getting our belongings from one place to the other without damage.

So, as I was looking at the computer case, it hit me that it’s made out of metal and would be able to withstand the attention of the most careless baggage handler. Why not put all of our fragile goods in it? If I padded it with enough clothing, everything would be snug as a bug! I gave myself a pat on the back for such a brilliant idea and proceeded to fill the case with ceramic bowls, a Starbucks gift mug, my Wii remotes, and various other technology, with plenty of socks and underwear to keep things from rattling around. Then, not wanting anything to fall out the side, I screwed the side cover on. With both screws. And tossed the screwdriver in a different bag.

I showed off my ingenious packing job to my wife, expounding on the fact that her precious bowls were safe in the bowels of the computer case. She rolled her eyes at me (a common occurrence when I share my brilliant ideas with her), and I went off to wrap the case in a blanket and put it in our lightest piece of luggage, a large duffel bag filled with lots of clothing.

Now one or two readers may be leaning back in their chairs, astounded at my brilliance, but I suspect that the majority will have spotted the teensy-weensy little flaw in my cunning plan. I am ashamed to admit that I didn’t spot it until we were actually in the airport.

Beirut’s Rafic Hariri International Airport differs from most in that you clear your first security check before checking in. It was only as we were in the queue that it suddenly occurred to me that airport security might be somewhat unimpressed with my irregular packing scheme.

As I watched the duffel bag go through the scanner, the guy at the machine sat up and looked at me. “What do you have in the bag?” he asked.

“It’s just my computer.”

“Can you please take it out of the bag and run it through the scanner again?” So I opened the duffel bag, dumped half the clothes on the floor, pulled out the computer, unwrapped it from the blanket, and sent it through the x-ray machine again. The guy pointed at a big dark blob on the screen, and asked, “What’s this?”

“I think it’s one of my wife’s ceramic bowls,” I answered.

“Can you please open the computer up and show me?”

“Uh, no, I don’t know where my screwdriver is.”

The security guy at the front of the x-ray machine walked around to look at the screen, and there was an animated discussion as both pointed and debated what they should do. One was of the opinion that only an idiot would try to smuggle something out of the country in a computer case, while the other pointed out (quite rightly) that only an idiot would pack a ceramic bowl in a computer case.

The suspicious security guy then came over to me and asked for my passport. He escorted us to the check-in desks, told my wife and kids to wait there, and escorted me and the computer to the other side of the airport where there was another security checkpoint, and, more importantly, his boss.

“Can you please open the case?” the boss asked, in that calm tone that professional soldiers use just before beating you to a pulp and tossing you into the deepest corner of Gitmo.

“Um, I don’t have my screwdriver. I’m sorry,” I answered sheepishly.

He looked at me steadily, said “Ok,” and then wandered away, presumably to find a screwdriver. As I waited for him to return, I started fiddling with the screws. I managed to unscrew the first with my fingers, but couldn’t get the second one undone.

One of the security guys saw what I was doing, and, to my lasting astonishment, handed me a sharp-tipped knife. Granted, it was just a dinner knife, but still… I used the knife to unscrew the final screw and handed the knife back to the security guy. He called the boss back over (he still hadn’t found a screwdriver), and I started to open the case for him.

“Stand back! Don’t touch it!” he ordered.

I stepped back as five security guys surrounded my computer and started to pull out and examine each item. The socks and underwear used as padding went flying everywhere. It was obvious that these guys had decided that I was a smuggler and they were going to catch me!

One guy pulled out a ceramic bowl and held it up to the light, checking for who knows what. Another opened up my Wii remotes, pulled the batteries out of them and checked for anything that shouldn’t be there. A third tried to pull the graphics card out of the computer case, and, when it wouldn’t come, used the flashlight on his phone to see if anything was hidden in the GPU fan.

I watched as the fourth pulled out a souvenir Starbucks mug, removed it from the box, examined the box in detail, checked the mug for hidden compartments, and then put the mug back in the box. The fifth guy then picked up the Starbucks mug and repeated the examination, just in case the fourth guy had missed something.

When it became obvious that I wasn’t trying to smuggle anything illegal out of the country, the security guys gradually drifted away in disappointment. I was left with one guy who handed me my passport, told me to pack my computer back up, and then stood back and watched as I tried to fit everything back into the case.

As I used the dinner knife to put the screws back in, he looked at me, and said, “That’s a very… unusual… way to pack. Why did you do it?”

I gave him the only response I could. “It seemed like a good idea at the time.”

I took my computer back to my family at the check-in desk, packed it into the duffel bag, and checked it to Ireland. When we picked it up in Dublin, everything in the case had survived the journey, and the computer worked perfectly. I still don’t know if using a computer case as a suitcase was a very good idea or a very bad one.