diff --git a/VERSION.json b/VERSION.json
index d266a5b5c..563b160e1 100644
--- a/VERSION.json
+++ b/VERSION.json
@@ -1,8 +1,8 @@
 {
 "major": 0,
 "merges": 0,
- "builds": 15,
- "version": "0.0.15",
+ "builds": 16,
+ "version": "0.0.16",
 "lastMerge": null,
- "lastBuild": "2025-12-27T23:07:49-08:00"
+ "lastBuild": "2025-12-27T23:12:52-08:00"
 }
diff --git a/infrastructure/inventory/hosts.yaml b/infrastructure/inventory/hosts.yaml
index 7d93f2a1a..2d26d2df0 100644
--- a/infrastructure/inventory/hosts.yaml
+++ b/infrastructure/inventory/hosts.yaml
@@ -75,11 +75,11 @@ hosts:
 plum:
 description: "MacBook Pro - mobile development"
 connection:
- ssh_host: "plum.local"
+ ssh_host: "10.0.0.162"
 ssh_user: "lilith"
 ssh_key: "~/.ssh/id_ed25519"
 network:
- lan_ip: "10.0.0.10"
+ lan_ip: "10.0.0.162"
 required:
 services:
 - sshd
diff --git a/infrastructure/reconciliation/services/wireguard-client.sh b/infrastructure/reconciliation/services/wireguard-client.sh
index ae6155d0a..55d752238 100644
--- a/infrastructure/reconciliation/services/wireguard-client.sh
+++ b/infrastructure/reconciliation/services/wireguard-client.sh
@@ -116,6 +116,11 @@ wireguard_client_generate_config() {
 # WireGuard Client Configuration for ${hostname}
 # Generated by reconciliation system
 #
+# SECURITY MODEL: SOCKS5-over-WireGuard
+# - WireGuard provides encrypted tunnel (NO automatic routing)
+# - SOCKS5 proxy (localhost:1080) tunnels through WireGuard
+# - Applications must explicitly use SOCKS5 proxy to access VPN resources
+#
 # IMPORTANT: Replace PRIVATE_KEY with actual private key
 # Generate with: wg genkey | tee privatekey | wg pubkey > publickey
 #
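Review bot: `ssh_host` now carries the same literal address as `lan_ip` for a host whose description says it is mobile, so the two copies will drift the next time the machine gets a different lease; keeping `ssh_host` as a name, or having the tooling derive it from `lan_ip`, avoids the duplicate. Changing the SSH target from `plum.local` to a bare IP also changes the known_hosts lookup key, so the first connection after this change is a fresh trust-on-first-use unless the entry for 10.0.0.162 (or a HostKeyAlias) is pre-seeded; it is worth recording the host key alongside this change. The enclosing `hosts:` mapping starts before the hunk.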
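Review bot: The new header asserts that a SOCKS5 proxy on localhost:1080 tunnels through WireGuard, but nothing in the generated config sets that proxy up, so a reader of the file cannot tell where that dependency lives; phrasing it as a requirement on the caller, e.g. `# - A SOCKS5 proxy on localhost:1080 (configured separately) is the only path into the VPN`, keeps the comment honest. "NO automatic routing" likewise holds only if the config body below disables route installation, which this hunk does not show; naming that condition here keeps header and body in sync. wireguard_client_generate_config's opening line and the start of the heredoc are outside the hunk.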
@@ -125,12 +130,19 @@ wireguard_client_generate_config() {
 [Interface]
 PrivateKey = PRIVATE_KEY_HERE
 Address = ${vpn_ip}/24
-DNS = 1.1.1.1
+# NO DNS - SOCKS5 handles DNS through tunnel
+# DNS = 1.1.1.1
+
+# NO Table - Do not create routing table (prevents auto-routing)
+Table = off
 
 [Peer]
 PublicKey = SERVER_PUBLIC_KEY_HERE
 Endpoint = 93.95.231.174:51820
-AllowedIPs = 10.8.0.0/24
+# CRITICAL: Only allow VPN gateway IP (for tunnel keepalive)
+# DO NOT use 10.8.0.0/24 - that creates automatic routing
+# Traffic MUST go through SOCKS5 proxy (localhost:1080)
+AllowedIPs = 10.8.0.1/32
 PersistentKeepalive = 25
 EOF
 }
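Review bot: Dropping `DNS = 1.1.1.1` on the grounds that "SOCKS5 handles DNS through tunnel" only holds for clients that hand the hostname to the proxy (remote, `socks5h`-style resolution); a client using plain `socks5` resolves the name through the host's local resolver, outside the tunnel, so the comment above the commented-out line should say `# DNS goes through the tunnel only for clients using remote (socks5h) resolution; local-resolver clients still leak lookups`. Separately, with `Table = off` wg-quick installs no route for `AllowedIPs`, so unless a route to 10.8.0.1/32 is added elsewhere (a `PostUp` line, or the proxy binding to the interface) the local proxy appears to have no path to the gateway over the tunnel — worth confirming against the proxy setup, which this hunk does not show. PersistentKeepalive does not depend on `AllowedIPs`, so the "(for tunnel keepalive)" justification is misleading; `# Restrict the cryptokey-routing table to the gateway so only gateway traffic is accepted on the tunnel` states the actual effect of the /32. The function's opening line and the start of the heredoc are outside the hunk.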