# Remote Access

Allowing remote access is just a matter of setting up a new _Wireguard_ interface, allowing incoming traffic to that interface, and making sure the firewall allows that traffic to connect to the rest of the network.

## Create Interface

```bash
# cd /etc/wireguard
# umask 077
# wg genkey | tee guard.key | wg pubkey > guard.pub
# printf "[Interface]\PrivateKey = %s\n" `cat guard.key`
```

Then I modified my file to finish configuring the interface and allow a `[Peer]` for my laptop. 

```diff
# /etc/wireguard/guard.conf
[Interface]
PrivateKey = ****
+ Address = 10.0.2.1/28, 2001:db8:2ebf:2::1/64
+ ListenPort = 51820
+
+ [Peer]
+ PublicKey = Iz5ceR0+tCN3BLTWehZxSplzdbABRT8geqifFxubHUA=
+ AllowedIPs = 10.0.2.4/32, 2001:db8:2ebf:1::4/128
+ PresharedKey = ***
```

**Line 4:** Sets an IPv4 and IPv6 address for this interface. These will be the servers IPs on each virtual subnet.

**Line 5:** Sets the port to listen to for this interface. It is just the default _Wirgaurd_ port and I'll allow traffic through the firewall for it soon.

**Line 7-10:** Declare a peer, define the public key to use when communicating and validaing any connections, set what IPs the peer is allowed to use on each virtual subnet, and configure a pre-shared key for additional secuirty.

<p class="callout info">A preshard key can be generated by running <code>wg genpsk</code> and must be the same on both the <code>[Peer]</code> block on the server and the <code>[Interface]</code> block on the client.</p>

## Firewall Configuration

First I had to declare a new interface and since I want it to be as if I was sitting on my laptop at home, I put it in the `lan` zone.

```diff
# /etc/shorewall/interfaces
...
 #ZONE	INTERFACE	OPTIONS
...
 wg	WGAZSE1_IF	tcpflags,nosmurfs,routefilter,logmartians,physical=wgazse1
+ lan	WGGUARD_IF	tcpflags,nosmurfs,routefilter,logmartians,physical=wgguard
```

```diff
# /etc/shorewall/interfaces
...
 #ZONE	INTERFACE	OPTIONS
...
 wg	WGAZSE1_IF	tcpflags,nosmurfs,routefilter,logmartians,physical=wgazse1
+ lan	WGGUARD_IF	tcpflags,forward=1,physical=wgguard
```

For outside clients to connect I need to add a rule that allows them to connect to the firewall on port 51820.

```diff
# /etc/shorewall[6]/rules
+ ACCEPT          wan,lan         $FW             udp             51820
```

The last step is to once again setup masquerading so traffic from clients on the _Wireguard_ subnet appear to be originating from the `wgguard` interface which is in the `lan` zone.

```diff
# /etc/shorewall/snat
+ MASQUERADE		10.0.2.0/28				WAN_IF,LAN_IF,DMZ_IF
```

```diff
# /etc/shorewall6/snat
+ MASQUERADE		fde9:2375:2ebf:2::/64	WAN_IF,LAN_IF,DMZ_IF
```