VPN
The infrastructure repository has the concept of "bastion" hosts: hosts that are accessible over IPv4 and IPv6 on various protocols, allowing traffic to flow towards "inner" hosts.
Specifically, as of early 2025, there is one such host: hublot.ik.vps.flosstools.org. It has the following services allowed for Flosstools admins:
- SSH on port 22, as the 'user' user, usable as a JumpHost towards the 'inner' hosts
- WireGuard on UDP port 51820, providing IPv6 routing towards the inner networks
The 'inner' hosts have the corresponding security groups allowing SSH ingress from the bastion hosts only. In other words, to reach an 'inner' host you either use a bastion as SSH JumpHost, or set up a WireGuard VPN connection to get IPv6 routing through it (the bastion masquerades the VPN traffic to its own address, so the same security-group rules cover both paths).
How-to configure a WireGuard connection
1. Install the needed tools:
apt install wireguard
2. Generate a private key for yourself; the command writes it to the file and prints the matching public key on your terminal:
wg genkey | sudo tee /etc/wireguard/flosstools-private.key | wg pubkey
Make the file readable by root only afterwards (chmod 600): it is your identity on the VPN.
3. Hand that public key to a Flosstools admin with access to the bastion host; they will add a "Peer" section for you in the /etc/wireguard/wg-fladmins.conf file on the bastion:
# Tartempion Balthasar
[Peer]
PublicKey = {that's where it gets added}
AllowedIPs = fd72:616b:7368::{a unique number, not matching the other peers}/128
The AllowedIPs entry is a single /128 host address: WireGuard's cryptokey routing maps every prefix to exactly one peer, so giving several peers the whole /48 would leave only the last-added one reachable.
4. Set up your connection, either in NetworkManager (4.1) or as a system-wide wg-quick interface (4.2).
4.1. In NetworkManager
- Private Key: the content of your /etc/wireguard/flosstools-private.key file from above
- MTU: 1280 (this seems to be important when used from certain networks)
- Tick "Automatically add peers as routes"
- Peers:
  - Endpoint: vpn.flosstools.org:51820
  - Public key: Mz6cwuN2SCLP1dTc+qvkh1YkqffE3Y17giIDcPoD8VI=
  - AllowedIPs: fd72:616b:7368::1/128 (the bastion's VPN address), 2001:1600:10:101::/64 (our IK's dc3-a v6-only network), 2001:1600:16:109::/64 (our IK's dc4-a v6-only network)
- IPv6 address (manual): fd72:616b:7368::***/48, as given by the admin
4.2. As a system-wide WireGuard setup
Write the following as /etc/wireguard/wg0.conf (readable by root only, i.e. chmod 600, since it holds your private key):
[Interface]
Address = fd72:616b:7368::***/48
MTU = 1280
PrivateKey = xxx
# vpn.flosstools.org
[Peer]
PublicKey = Mz6cwuN2SCLP1dTc+qvkh1YkqffE3Y17giIDcPoD8VI=
AllowedIPs = fd72:616b:7368::1/128,2001:1600:10:101::/64,2001:1600:16:109::/64
Endpoint = vpn.flosstools.org:51820
Then:
* systemctl enable wg-quick@wg0
* systemctl start wg-quick@wg0
To check the tunnel, ping the bastion's VPN address fd72:616b:7368::1; wg show wg0 should then report a recent "latest handshake" for the peer.
WireGuard setup
This is how the server-side setup was done:
1. Compute a somewhat-unique ULA IPv6 prefix. The ULA Global ID is 40 bits, so only 10 hex digits are free to choose; I went with 'raksh' => 72616b7368, giving the fd72:616b:7368::/48 prefix. (RFC 4193 wants the Global ID pseudo-randomly generated; a hand-picked one works for a private VPN but is more likely to collide with another site's ULA.) Submit it to ungleich's ULA registry.
2. Install the tools:
sudo apt install -y wireguard
3. Generate a private/public key pair as root (so sudo -s first). Set a restrictive umask (umask 077) beforehand so that private.key is not created world-readable:
mkdir -p /etc/wireguard/fladmins
cd /etc/wireguard/fladmins
wg genkey | tee private.key | wg pubkey | tee public.key
4. Create the WireGuard configuration file. It holds the private key, so keep it readable by root only. Routing traffic from the tunnel out of enp3s0 also requires IPv6 forwarding in the kernel (net.ipv6.conf.all.forwarding=1), which wg-quick does not enable for you; the MASQUERADE rule makes the inner hosts see VPN traffic as coming from the bastion's own address, which is what their security groups allow.
cat << EOF > /etc/wireguard/wg-fladmins.conf
[Interface]
Address = fd72:616b:7368::1/48
PostUp = ip6tables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = …
EOF
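The peer-adding step of the how-to above (picking "a unique number, not matching the other peers") and the server-side wg-fladmins.conf are the two places where a mistake breaks routing silently. The following Python is an added example, not part of the Flosstools infrastructure repository: it parses a wg-quick style config (the sample config, the placeholder keys and the function names are constructed here), hands out the next free fd72:616b:7368:: host address for a new peer as a /128, and checks the file for prefixes wider than a host, AllowedIPs that overlap between peers, and public keys listed twice.

```python
# Added example (not Flosstools' own tooling): allocate the "unique number" for a
# new [Peer] in a wg-fladmins.conf-style file and check the file for the
# mistakes that break WireGuard's cryptokey routing. The sample config, the
# placeholder keys and the function names are constructed for illustration.
import ipaddress
import re

ULA_PREFIX = ipaddress.IPv6Network("fd72:616b:7368::/48")   # from the page
SERVER_ADDR = ipaddress.IPv6Address("fd72:616b:7368::1")    # bastion's tunnel address

# Constructed sample of a server-side config; the keys are placeholders.
SAMPLE_CONF = f"""\
[Interface]
Address = fd72:616b:7368::1/48
ListenPort = 51820
PrivateKey = (redacted)

# Tartempion Balthasar
[Peer]
PublicKey = {'A' * 43}=
AllowedIPs = fd72:616b:7368::2/128

# Second admin
[Peer]
PublicKey = {'B' * 43}=
AllowedIPs = fd72:616b:7368::3/128
"""

KEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")   # base64 of a 32-byte Curve25519 key


def parse_sections(text):
    """Parse wg-quick INI text into [(section, {key: value}), ...].

    Written by hand because configparser merges repeated [Peer] sections.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1), {}))
            continue
        key, sep, value = line.partition("=")
        if not sections or not sep:
            raise ValueError(f"unexpected line: {raw!r}")
        sections[-1][1][key.strip()] = value.strip()
    return sections


def peer_networks(sections):
    """Yield (public_key, network) for every AllowedIPs prefix of every [Peer]."""
    for name, kv in sections:
        if name != "Peer":
            continue
        for cidr in kv.get("AllowedIPs", "").split(","):
            if cidr.strip():
                yield kv.get("PublicKey", "?"), ipaddress.ip_network(cidr.strip(), strict=False)


def check_peers(text):
    """Return human-readable problems; an empty list means the peers look sane."""
    sections = parse_sections(text)
    entries = list(peer_networks(sections))
    problems = []
    # 1. Each admin gets one host address inside the ULA, never a wider prefix.
    for key, net in entries:
        if net.version == 6 and net.subnet_of(ULA_PREFIX) and net.prefixlen != 128:
            problems.append(f"{key[:8]}...: {net} should be a single /128 host address")
    # 2. WireGuard routes each prefix to exactly one peer: an overlap silently
    #    takes the route away from the earlier peer.
    for i, (k1, n1) in enumerate(entries):
        for k2, n2 in entries[i + 1:]:
            if k1 != k2 and n1.overlaps(n2):
                problems.append(f"{n1} ({k1[:8]}...) overlaps {n2} ({k2[:8]}...)")
    # 3. The same public key twice is a copy-paste error, not a second admin.
    keys = [kv.get("PublicKey") for name, kv in sections if name == "Peer"]
    for key in {k for k in keys if keys.count(k) > 1}:
        problems.append(f"{key[:8]}...: public key listed more than once")
    return problems


def next_free_address(text):
    """Lowest unused host address in the ULA, skipping ::0 and the server's ::1."""
    used = {SERVER_ADDR}
    for _, net in peer_networks(parse_sections(text)):
        if net.version == 6 and net.subnet_of(ULA_PREFIX):
            used.add(net.network_address)
    candidate = int(ULA_PREFIX.network_address) + 2
    while ipaddress.IPv6Address(candidate) in used:
        candidate += 1
    return ipaddress.IPv6Address(candidate)


def add_peer(text, name, pubkey):
    """Append a [Peer] for pubkey; return (new config text, address to hand to the admin)."""
    if not KEY_RE.fullmatch(pubkey):
        raise ValueError("not a WireGuard public key (44-char base64)")
    if pubkey in (kv.get("PublicKey") for n, kv in parse_sections(text) if n == "Peer"):
        raise ValueError("public key already present")
    addr = next_free_address(text)
    block = f"\n# {name}\n[Peer]\nPublicKey = {pubkey}\nAllowedIPs = {addr}/128\n"
    # The new admin configures the same address with the /48 mask on their side.
    return text.rstrip("\n") + "\n" + block, f"{addr}/48"


if __name__ == "__main__":
    print(check_peers(SAMPLE_CONF) or "server config OK")
    conf, client_addr = add_peer(SAMPLE_CONF, "New Admin", "C" * 43 + "=")
    print("hand to the new admin:", client_addr)
    print(conf)
```

Run it against the real file with check_peers(open("/etc/wireguard/wg-fladmins.conf").read()) before a wg syncconf or restart; the server's own private key never leaves the machine, since the checker only reads the file.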