Skip to content

marawan206/Wireguard_VPN

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
Figures
Figures
 
 
VPN_Backend_DJ
VPN_Backend_DJ
 
 
Readme.md
Readme.md
 
 
VPN_Client_Gen.sh
VPN_Client_Gen.sh
 
 
Vagrantfile
Vagrantfile
 
 
mosquitto.conf
mosquitto.conf
 
 
myvpn
myvpn
 
 

Repository files navigation

Project

This project creates a secure and scalable communication system using WireGuard VPN, a Django backend, and MQTT for IoT communication. WireGuard secures the network, with the Django server and Mosquitto MQTT broker bound to it. Encrypted communication is ensured through certificates signed by a custom CA. Nginx acts as a reverse proxy, allowing only VPN-connected clients. Monitoring is handled with Prometheus and Grafana, while a Bash script simplifies VPN client management. This setup ensures reliable and secure communication for IoT devices and Web/mobile applications.

Table of Contents

  1. Setup Work Environment
  2. WireGuard VPN
  3. MQTTS Server with TLS/SSL
  4. Monitoring

System Architecture and Design

Whole system

Setup Work Environment

  • Use the following commands with the provided Vagrantfile to create and manage three virtual machines (VMs):

    • I set up three VMs for the purpose of simulation and testing:

      • Server VM: Hosts the main server components.
      • IoT Device VM: Simulates IoT device interactions.
      • Client VM: Represents a regular user client.
vagrant init
vagrant up
vagrant ssh main
vagrant ssh client

WireGuard VPN

  • Installing WireGuard, resolvconf
  • Genrate Public & Private Key pairs
  • Configuring the WireGuard
  • Verifing

Main "Wireguard Server"

Installation & Genrate Key pair

sudo apt install wireguard -y
wg genkey > privatekey
cat privatekey | wg pubkey > publickey

Server Configuration

  • Replace server-prikey, Client-pubKey network-interface
sudo nano /etc/wireguard/wg0.conf

[Interface]
PrivateKey = <contents-of-server-privatekey>
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <Your-default-network-interface> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <Your-default-network-interface> -j MASQUERADE
ListenPort = 51820

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.0.0.2/32
  • To get your default network interface name, see the output and the name after "dev"
ip route list default

Start and Verify WireGuard Interface

wg-quick up wg0
sudo wg show
# these lines to To enable WireGuard to start automatically at system boot
# sudo systemctl enable wg-quick@wg0
# sudo systemctl start wg-quick@wg0
# sudo systemctl status wg-quick@wg0

Forward Traffic to the Internet

sudo nano /etc/sysctl.conf
  • Uncomment this "net.ipv4.ip_forward=1" and apply changes by this:
sudo sysctl -p

Clients "Peers"

Installation & Genrate Key pair

sudo apt install wireguard -y
wg genkey > privatekey
cat privatekey | wg pubkey > publickey

Peer Configuration

  • replace server-pubkey, Client-priKey and Server-IP
sudo nano /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.2/32
PrivateKey = <contents-of-client-privatekey>
DNS = 1.1.1.1

[Peer]
PublicKey = <contents-of-server-publickey>
Endpoint = <server-accessable-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Start and Verify WireGuard Interface

sudo wg-quick up wg0
# sudo systemctl start wg-quick@wg0
# sudo systemctl status wg-quick@wg0

For Disconnection

sudo wg-quick down wg0
# sudo systemctl stop wg-quick@wg0

For automating Client creation in this VPN

  • Run ./VPN_Client_Gen.sh
  • send the created Client_config.sh to the client
  • Run the Client_config.sh on the client after giving permissions and run in root mode

For easy to use vpn

  • We will add bash script to make it easier to use this vpn.
# write the content of the myvpn into the file 
sudo nano /usr/local/bin/myvpn
# or use this
sudo cp myvpn /usr/local/bin/myvpn
# Make the file Executable
sudo chmod +x /usr/local/bin/myvpn
  • You can use this script like this:
myvpn start
myvpn status
myvpn stop
myvpn restart

VPN&tools working desktop

Mobile

MQTTS Server with TLS/SSL

Steps

  1. Install MQTT server and client.
  2. Create CA certificate and private key.
  3. Create broker and clients' private keys and certificates signed by the CA.
  4. Configure the broker to bind with the VPN IP on port 8883.
  5. Enable username and password authentication for added security.
  6. Test the setup.

Server Installation

sudo apt install mosquitto mosquitto-clients

sudo cp mosquitto.conf /etc/mosquitto/mosquitto.conf

sudo mosquitto_passwd -c /etc/mosquitto/passwords username

sudo systemctl restart mosquitto

Creating CA Certificates

Follow this guide: Creating CA Certificates

sudo cp certs/* /etc/mosquitto/certs/
sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs/

MQTTS MQTTS

Test from Another Machine

mosquitto_pub -p 8883 --cafile ca.crt --cert client.crt --key client.key -h 10.0.0.1 -u username -P password -t hello/world -m "Hello From Client inside VPN"
mosquitto_sub -p 8883 --cafile ../ca/ca.crt --cert client.crt --key client.key -h 10.0.0.1 -u username -P password -t hello/world

Monitoring

vm vpn

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Python 79.0%
  • Shell 21.0%