
Admin Guide: Using Liquid with WireGuard VPN and Tails Clients

Thibault François edited this page Jun 15, 2023 · 8 revisions

Liquid using WireGuard and Tails

Work in progress


Liquid can be run in an isolated environment that is reachable only through a WireGuard VPN. A slightly more paranoid setup connects to this isolated service from Tails.

Read the generic instructions for using Liquid over a VPN first.

Setting up the server-side WireGuard VPN

Building on the WireGuard Quick Start, you may want to use the WireGuard installer provided by angristan on GitHub. The unofficial WireGuard documentation is very useful for more advanced setups.

Install WireGuard

sudo apt install wireguard

Create a private/public key pair using:

cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Create a configuration file at /etc/wireguard/wg0.conf using a private IP range such as 10.11.12.0/24:

[Interface]
Address = 10.11.12.1/32
SaveConfig = true
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = **private server key**

[Peer]
PublicKey = **public client key**
AllowedIPs = 10.11.12.2/32

Start and stop the tunnel using wg-quick:

# start
sudo wg-quick up wg0
# stop
sudo wg-quick down wg0
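Once wg0 is up, the first thing to check is whether peers are actually completing handshakes. The following script is an added example and not part of the Liquid wiki; it assumes the server-side interface name wg0 from the configuration above and uses the standard `wg show wg0 latest-handshakes` output format. The peer keys in the embedded sample data are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the Liquid wiki: report which peers of the
# server-side wg0 interface have completed a WireGuard handshake recently.
# Assumes the interface name wg0 from the configuration above.

# A peer that is exchanging traffic re-handshakes about every 2 minutes, so a
# handshake older than 3 minutes means the peer is idle or unreachable.
STALE_AFTER=180

# Read `wg show <iface> latest-handshakes` lines ("<public key> <unix time>",
# 0 = never) from stdin and print "<state> <public key>" per peer, where
# state is active, stale or never. $1 is the current unix time.
classify_handshakes() {
    awk -v now="$1" -v stale="$STALE_AFTER" '
        NF == 2 {
            if ($2 == 0)                state = "never"
            else if (now - $2 > stale)  state = "stale"
            else                        state = "active"
            print state, $1
        }'
}

# Constructed sample in the format `wg show wg0 latest-handshakes` prints
# (tab-separated); the keys are placeholders, not real WireGuard keys.
sample_handshakes() {
    printf 'PEER_A_PLACEHOLDER=\t1686830000\n'
    printf 'PEER_B_PLACEHOLDER=\t1686829000\n'
    printf 'PEER_C_PLACEHOLDER=\t0\n'
}

# Run the classifier over the sample as if "now" were 1686830100:
# PEER_A handshook 100 s ago (active), PEER_B 1100 s ago (stale), PEER_C never.
demo_classify() {
    sample_handshakes | classify_handshakes 1686830100
}

# Live use on the server (as root, with wg0 up):
#   wg show wg0 latest-handshakes | classify_handshakes "$(date +%s)"
if [ "${1:-}" = "--demo" ]; then
    demo_classify
fi
```

Run it with `--demo` to see the classification of the sample data, or pipe the live `wg show` output into `classify_handshakes` as shown in the comment. A peer that stays at "never" after you have added it usually means the client's Endpoint, the server's ListenPort or a firewall in between is wrong.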

Adding clients

You'll need the public key of every peer and have to assign each one an individual IP address that is used on the client side. On the client, install WireGuard and create a configuration file /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = **private client key**
Address = 10.11.12.2/32

[Peer]
PublicKey = **public server key**
AllowedIPs = 10.11.12.0/24
Endpoint = **public server ip**:51820
PersistentKeepalive = 25

Add the client peer on the server side using:

# add peer
sudo wg set wg0 peer **public client key** allowed-ips 10.11.12.2
# remove peer
sudo wg set wg0 peer **public client key** remove
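The steps above (pick a free address, generate the client key pair, write the client config, add the peer on the server) are easy to get slightly wrong by hand, for example by reusing an address. The script below is an added example and not part of the Liquid wiki; it assumes the server interface wg0, the 10.11.12.0/24 range and the client config layout shown above, and it reads the standard `wg show wg0 allowed-ips` and `wg show wg0 public-key` output. The addresses and keys in the embedded sample data are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Liquid wiki: provision a new WireGuard client
# peer. Assumes the server interface wg0 and the VPN range 10.11.12.0/24 from
# the configurations above.

VPN_PREFIX="10.11.12"

# Pick the lowest free host address in the /24, reading the output of
# `wg show wg0 allowed-ips` ("<peer public key>\t<ip>/32 ...") from stdin.
# .1 is the server itself, so .2 to .254 are the client candidates.
next_free_ip() {
    awk -v prefix="$VPN_PREFIX" '
        {
            for (i = 2; i <= NF; i++) {
                split($i, a, "/")
                n = split(a[1], o, ".")
                if (n == 4 && (o[1] "." o[2] "." o[3]) == prefix) used[o[4]] = 1
            }
        }
        END {
            for (h = 2; h <= 254; h++)
                if (!(h in used)) { print prefix "." h; exit }
            print "no free address in " prefix ".0/24" > "/dev/stderr"
            exit 1
        }'
}

# Render the client-side /etc/wireguard/wg0.conf shown above.
# $1 client private key, $2 client address, $3 server public key,
# $4 endpoint as host:port
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s.0/24\nEndpoint = %s\nPersistentKeepalive = 25\n' \
        "$3" "$VPN_PREFIX" "$4"
}

# Constructed sample of `wg show wg0 allowed-ips` with .2, .3 and .5 taken;
# the keys are placeholders, not real WireGuard keys.
sample_allowed_ips() {
    printf 'PEER_A_PLACEHOLDER=\t10.11.12.2/32\n'
    printf 'PEER_B_PLACEHOLDER=\t10.11.12.3/32\n'
    printf 'PEER_D_PLACEHOLDER=\t10.11.12.5/32\n'
}

# Expected result on the sample: 10.11.12.4 (the gap left by the removed peer).
demo_next_ip() {
    sample_allowed_ips | next_free_ip
}

# Live provisioning on the server (as root, with wg0 up). The client key pair
# is generated under umask 077 so the private key is never world-readable;
# the client config is printed for transfer to the client and the matching
# `wg set` line is printed for the server side.
# $1 = public server ip:port, e.g. "**public server ip**:51820"
provision_peer() {
    endpoint="$1"
    server_pub="$(wg show wg0 public-key)"
    addr="$(wg show wg0 allowed-ips | next_free_ip)"
    umask 077
    client_priv="$(wg genkey)"
    client_pub="$(printf '%s' "$client_priv" | wg pubkey)"
    render_client_conf "$client_priv" "$addr" "$server_pub" "$endpoint"
    echo
    echo "# run on the server to add this peer:"
    echo "sudo wg set wg0 peer $client_pub allowed-ips $addr/32"
}

if [ "${1:-}" = "--demo" ]; then
    demo_next_ip
    render_client_conf CLIENT_PRIV_PLACEHOLDER= "$(demo_next_ip)" \
        SERVER_PUB_PLACEHOLDER= 203.0.113.10:51820
fi
```

`--demo` exercises the address allocation and config rendering on the sample data; `provision_peer "**public server ip**:51820"` does the real thing on a server where wg0 is up. Because the server config above has SaveConfig = true, a peer added with `wg set` is written back to wg0.conf when the interface is brought down, so it survives the next `wg-quick up`.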

Provision Tails to be a peer

Assuming an existing Tails Persistence, a configured administration user and an enabled Unsafe Browser, first install WireGuard using sudo apt update && sudo apt install wireguard. Answer Install Every Time when prompted. Add a client config as above.

Allow incoming and outgoing UDP packets from and to the VPN server by editing /etc/ferm/ferm.conf. Note that in the INPUT chain the server's address is the source address (saddr), while in the OUTPUT chain it is the destination address (daddr):

domain ip {
    table filter {
        chain INPUT {
            policy DROP;

            # packets arriving from the WireGuard server
            saddr (**public server ip**/32) {
                proto udp ACCEPT;
            }
            # ... existing Tails rules ...
        }
        chain OUTPUT {
            policy DROP;

            # packets leaving for the WireGuard server
            daddr (**public server ip**/32) {
                proto udp ACCEPT;
            }
            # ... existing Tails rules ...
        }
    }
}

Apply the changes with service ferm restart.

Additional configuration for local DNS and certificates when using the Unsafe Browser

Add the local DNS entries by applying a patch to /usr/local/sbin/unsafe-browser:

--- /usr/local/sbin/unsafe-browser	2022-12-19 09:43:26.000000000 +0000
+++ unsafe-browser	2023-01-12 12:24:06.980003349 +0000
@@ -152,6 +152,8 @@
 echo '127.0.0.42 firefox.settings.services.mozilla.com' \
      >> "${CHROOT}"/etc/hosts
 
+echo '10.11.12.1      **servername**.home.arpa hoover.**servername**.home.arpa dokuwiki.**servername**.home.arpa rocketchat.**servername**.home.arpa nextcloud.**servername**.home.arpa codimd.**servername**.home.arpa wikijs.**servername**.home.arpa' >> "${CHROOT}"/etc/hosts
+
 echo "* Starting Unsafe Browser"
 # Do not localize the 5th argument: it becomes WM_CLASS and then GNOME
 # displays the localized app name found in the matching .desktop file;
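Review bot: the added echo hard-codes 10.11.12.1 and repeats the **servername**.home.arpa suffix for seven host names on one line, so a typo in one name is easy to miss and the address has to be kept in sync by hand with `Address = 10.11.12.1/32` in the server's wg0.conf above. Consider building the entry from one variable, e.g. `for h in '' hoover. dokuwiki. rocketchat. nextcloud. codimd. wikijs.; do echo "10.11.12.1 ${h}**servername**.home.arpa"; done >> "${CHROOT}"/etc/hosts`. The hunk is also anchored at line 152 of the 2022-12-19 version of the script, so re-check the offset after a Tails update before applying it.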