# Remote Access Allowing remote access is just a matter of setting up a new _Wireguard_ interface, allowing incoming traffic to that interface, and making sure the firewall allows that traffic to connect to the rest of the network. ## Create Interface ```bash # cd /etc/wireguard # umask 077 # wg genkey | tee guard.key | wg pubkey > guard.pub # printf "[Interface]\PrivateKey = %s\n" `cat guard.key` ``` Then I modified my file to finish configuring the interface and allow a `[Peer]` for my laptop. ```diff # /etc/wireguard/guard.conf [Interface] PrivateKey = **** + Address = 10.0.2.1/28, 2001:db8:2ebf:2::1/64 + ListenPort = 51820 + + [Peer] + PublicKey = Iz5ceR0+tCN3BLTWehZxSplzdbABRT8geqifFxubHUA= + AllowedIPs = 10.0.2.4/32, 2001:db8:2ebf:1::4/128 + PresharedKey = *** ``` **Line 4:** Sets an IPv4 and IPv6 address for this interface. These will be the servers IPs on each virtual subnet. **Line 5:** Sets the port to listen to for this interface. It is just the default _Wirgaurd_ port and I'll allow traffic through the firewall for it soon. **Line 7-10:** Declare a peer, define the public key to use when communicating and validaing any connections, set what IPs the peer is allowed to use on each virtual subnet, and configure a pre-shared key for additional secuirty.

A preshard key can be generated by running wg genpsk and must be the same on both the [Peer] block on the server and the [Interface] block on the client.

## Firewall Configuration First I had to declare a new interface and since I want it to be as if I was sitting on my laptop at home, I put it in the `lan` zone. ```diff # /etc/shorewall/interfaces ... #ZONE INTERFACE OPTIONS ... wg WGAZSE1_IF tcpflags,nosmurfs,routefilter,logmartians,physical=wgazse1 + lan WGGUARD_IF tcpflags,nosmurfs,routefilter,logmartians,physical=wgguard ``` ```diff # /etc/shorewall/interfaces ... #ZONE INTERFACE OPTIONS ... wg WGAZSE1_IF tcpflags,nosmurfs,routefilter,logmartians,physical=wgazse1 + lan WGGUARD_IF tcpflags,forward=1,physical=wgguard ``` For outside clients to connect I need to add a rule that allows them to connect to the firewall on port 51820. ```diff # /etc/shorewall[6]/rules + ACCEPT wan,lan $FW udp 51820 ``` The last step is to once again setup masquerading so traffic from clients on the _Wireguard_ subnet appear to be originating from the `wgguard` interface which is in the `lan` zone. ```diff # /etc/shorewall/snat + MASQUERADE 10.0.2.0/28 WAN_IF,LAN_IF,DMZ_IF ``` ```diff # /etc/shorewall6/snat + MASQUERADE fde9:2375:2ebf:2::/64 WAN_IF,LAN_IF,DMZ_IF ```