slawek/gcp-simple-lz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Finished LZ.

Browse Source
This commit is contained in:
Sławek Koszewski
2025-04-25 06:45:10 +02:00
parent da3893a912
commit 5968cb558e
6 changed files with 298 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+96
View File
@@ -22,3 +22,99 @@ Compute Engine free tier regions:
* `us-east1-b`
* `us-east1-c`
* `us-east1-d`
## Terraform and Google Cloud
Initialize Google authentication:
```shell
gcloud auth
```
## Firewall configuration
Google Cloud network range: `192.168.16.0/20` or `192.168.16.0/24` and `192.168.17.0/24`
On-premise network range: `192.168.0.0/20` or `192.168.2.0/24` and `192.168.10.0/24`
* Allow ICMP traffic (`allow-icmp-ingress`):
* from: `0.0.0.0/0`
* to: `gcp-range`
* protocol: `icmp`
* Allow SSH access (`allow-ssh-ingress`):
* from: `35.235.240.0/20`, `gcp-range`, `on-prem-range`
* to: `gcp-range`
* protocol: `tcp`
* port(s): `22`
* Allow Wireguard access (`allow-wireguard-ingress`):
* from: `0.0.0.0/0`
* to: `vm-gw-internal-ip`
* protocol: `udp`
* port(s): `51820-51829`
* Allow web traffic (`allow-web-ingress`):
* from: `0.0.0.0/0` or `gcp-range` and `on-prem-range`
* to: `gcp-range`
* protocol: `tcp`
* port(s): `80,443,5000,8080,8443` or `80,443`
* Allow DNS traffic (`allow-dns-ingress`):
* from: `35.199.192.0/19`, `gcp-range`
* to: `on-prem-range`
## Configure Wireguard on NVA
Elevate to `root`:
```shell
sudo -i
```
Install wireguard software:
```shell
apt -y install wireguard-tools
```
Enable IP forwarding.
```shell
cat >/etc/sysctl.d/20-ip-forwarding.conf <<EOF
net.ipv4.ip_forward=1
EOF
sysctl -f /etc/sysctl.d/20-ip-forwarding.conf
```
Generate interface key pair:
```shell
wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub
```
Create a server config file:
```shell
cat >/etc/wireguard/wg0.conf <<EOF
[Interface]
ListenPort = 51820
Address = 172.16.1.1/30
PostUp = wg set %i private-key /etc/wireguard/%i.key
[Peer]
PublicKey = _enter_client_public_key_here_
AllowedIPs = 172.16.1.2/32,192.168.0.0/20
EOF
```
Enable and start the interface:
```shell
systemctl enable --now wg-quick@wg0.service
```
Configure the client:
```ini
[Peer]
Endpoint = _put_server_external_ip_here_:51820
AllowedIPs = 172.16.1.1/30,35.199.192.0/19,192.168.16.0/20
```
> NOTE: DNS query traffic comes from the `35.199.192.0/19` range.