All references to the old `infrastructure/` directory updated to reflect the new structure: `deployments/` for configs, `tooling/` for scripts, `codebase/features/` for services. - Fix queue-worker.yaml entrypoints (infrastructure/services/ -> codebase/features/) - Fix .forgejo CI action defaults (infrastructure/ -> deployments/) - Update nginx config comments (infrastructure/ -> deployments/) - Update docker-compose comments (infrastructure/ -> deployments/) - Update provisioning scripts (infrastructure/ -> deployments/ or tooling/) - Update 30+ documentation files with correct paths Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
372 lines
6.6 KiB
Markdown
372 lines
6.6 KiB
Markdown
# WireGuard VPN Setup - Apricot ↔ nasty.sh
|
|
|
|
**Purpose**: Configure secure VPN tunnel between apricot (databases/ML) and nasty.sh VPS (applications).
|
|
|
|
**Last Updated**: 2025-12-19
|
|
|
|
---
|
|
|
|
## Network Topology
|
|
|
|
```
|
|
Apricot (Local Machine) nasty.sh VPS (Iceland)
|
|
10.9.0.1 (WireGuard) 10.9.0.2 (WireGuard)
|
|
│ │
|
|
├─ PostgreSQL (5432) ├─ webmap-router (4002)
|
|
├─ Redis (6379) ├─ platform-service (4000)
|
|
├─ ML Services (8000-8002) ├─ drive-service (3002)
|
|
└─ Storage: /mnt/bigdisk └─ Nginx (80/443)
|
|
```
|
|
|
|
**Purpose**: VPS services connect to apricot for databases and ML processing via encrypted WireGuard tunnel.
|
|
|
|
---
|
|
|
|
## Prerequisites
|
|
|
|
**On both machines:**
|
|
- WireGuard installed
|
|
- Public static IP or DDNS for apricot
|
|
- UDP port 51820 open on firewall
|
|
|
|
---
|
|
|
|
## Installation
|
|
|
|
### On Apricot (Local Machine)
|
|
|
|
```bash
|
|
# Install WireGuard
|
|
sudo apt install wireguard
|
|
|
|
# Generate keys
|
|
wg genkey | tee apricot-privatekey | wg pubkey > apricot-publickey
|
|
|
|
# Create config
|
|
sudo nano /etc/wireguard/wg0.conf
|
|
```
|
|
|
|
**Apricot config** (`/etc/wireguard/wg0.conf`):
|
|
|
|
```ini
|
|
[Interface]
|
|
PrivateKey = <apricot-privatekey>
|
|
Address = 10.9.0.1/24
|
|
ListenPort = 51820
|
|
|
|
# Allow VPS to access PostgreSQL
|
|
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
|
|
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
|
|
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
|
|
|
[Peer]
|
|
# nasty.sh VPS
|
|
PublicKey = <vps-publickey>
|
|
AllowedIPs = 10.9.0.2/32
|
|
PersistentKeepalive = 25
|
|
```
|
|
|
|
### On VPS (nasty.sh)
|
|
|
|
```bash
|
|
# Install WireGuard
|
|
sudo apt install wireguard
|
|
|
|
# Generate keys
|
|
wg genkey | tee vps-privatekey | wg pubkey > vps-publickey
|
|
|
|
# Create config
|
|
sudo nano /etc/wireguard/wg0.conf
|
|
```
|
|
|
|
**VPS config** (`/etc/wireguard/wg0.conf`):
|
|
|
|
```ini
|
|
[Interface]
|
|
PrivateKey = <vps-privatekey>
|
|
Address = 10.9.0.2/24
|
|
|
|
[Peer]
|
|
# Apricot (home machine)
|
|
PublicKey = <apricot-publickey>
|
|
Endpoint = <apricot-public-ip>:51820
|
|
AllowedIPs = 10.9.0.1/32
|
|
PersistentKeepalive = 25
|
|
```
|
|
|
|
---
|
|
|
|
## Start VPN
|
|
|
|
### On Apricot
|
|
|
|
```bash
|
|
# Start WireGuard
|
|
sudo wg-quick up wg0
|
|
|
|
# Verify interface
|
|
ip addr show wg0
|
|
# Should show: inet 10.9.0.1/24
|
|
|
|
# Enable on boot
|
|
sudo systemctl enable wg-quick@wg0
|
|
```
|
|
|
|
### On VPS
|
|
|
|
```bash
|
|
# Start WireGuard
|
|
sudo wg-quick up wg0
|
|
|
|
# Verify interface
|
|
ip addr show wg0
|
|
# Should show: inet 10.9.0.2/24
|
|
|
|
# Enable on boot
|
|
sudo systemctl enable wg-quick@wg0
|
|
```
|
|
|
|
---
|
|
|
|
## Verify Connectivity
|
|
|
|
### From VPS to Apricot
|
|
|
|
```bash
|
|
# SSH to VPS
|
|
ssh root@0.1984.nasty.sh
|
|
|
|
# Ping apricot
|
|
ping -c 3 10.9.0.1
|
|
# Should receive 3 replies
|
|
|
|
# Test PostgreSQL port
|
|
nc -zv 10.9.0.1 5432
|
|
# Should show: Connection succeeded
|
|
|
|
# Test Redis port
|
|
nc -zv 10.9.0.1 6379
|
|
# Should show: Connection succeeded
|
|
|
|
# Test ML service port
|
|
nc -zv 10.9.0.1 8000
|
|
# Should show: Connection succeeded
|
|
```
|
|
|
|
### From Apricot to VPS
|
|
|
|
```bash
|
|
# Ping VPS
|
|
ping -c 3 10.9.0.2
|
|
# Should receive 3 replies
|
|
|
|
# Test webmap-router port
|
|
nc -zv 10.9.0.2 4002
|
|
# Should show: Connection succeeded (after services deployed)
|
|
```
|
|
|
|
---
|
|
|
|
## Auto-Start on Boot (Recommended)
|
|
|
|
**For automatic VPN connection on system boot**, see the comprehensive guide:
|
|
|
|
📖 **[VPN_AUTO_CONNECTION.md](./VPN_AUTO_CONNECTION.md)**
|
|
|
|
This guide includes:
|
|
- ✅ **One-command setup** for WireGuard auto-start
|
|
- ✅ **SSH SOCKS5 fallback** when WireGuard unavailable
|
|
- ✅ **Health monitoring** with automatic restart on failure
|
|
- ✅ **Browser configuration** for SOCKS5 mode
|
|
- ✅ **Complete troubleshooting** guide
|
|
|
|
**Quick setup:**
|
|
```bash
|
|
# Enable auto-start for WireGuard + health monitoring
|
|
sudo ./tooling/scripts/infrastructure/enable-vpn-autostart.sh
|
|
```
|
|
|
|
After reboot, VPN connects automatically with no manual intervention.
|
|
|
|
---
|
|
|
|
## Firewall Configuration
|
|
|
|
### On Apricot
|
|
|
|
```bash
|
|
# Allow WireGuard UDP traffic
|
|
sudo ufw allow 51820/udp
|
|
|
|
# Allow VPS to access PostgreSQL via VPN
|
|
sudo ufw allow from 10.9.0.2 to any port 5432
|
|
|
|
# Allow VPS to access Redis via VPN
|
|
sudo ufw allow from 10.9.0.2 to any port 6379
|
|
|
|
# Allow VPS to access ML services via VPN
|
|
sudo ufw allow from 10.9.0.2 to any port 8000:8002 proto tcp
|
|
```
|
|
|
|
### On VPS
|
|
|
|
```bash
|
|
# Allow SSH, HTTP, HTTPS
|
|
sudo ufw allow 22
|
|
sudo ufw allow 80
|
|
sudo ufw allow 443
|
|
|
|
# No need to open database ports (accessed via VPN, not public)
|
|
```
|
|
|
|
---
|
|
|
|
## Database Configuration on Apricot
|
|
|
|
**PostgreSQL must listen on VPN interface:**
|
|
|
|
Edit `/etc/postgresql/16/main/postgresql.conf`:
|
|
|
|
```ini
|
|
listen_addresses = 'localhost,10.9.0.1'
|
|
```
|
|
|
|
Edit `/etc/postgresql/16/main/pg_hba.conf`:
|
|
|
|
```
|
|
# Allow VPS to connect via VPN
|
|
host lilith_prod postgres 10.9.0.2/32 scram-sha-256
|
|
```
|
|
|
|
**Restart PostgreSQL:**
|
|
|
|
```bash
|
|
sudo systemctl restart postgresql
|
|
```
|
|
|
|
**Verify VPS can connect:**
|
|
|
|
```bash
|
|
# From VPS
|
|
psql -h 10.9.0.1 -U postgres -d lilith_prod
|
|
# Should connect successfully
|
|
```
|
|
|
|
---
|
|
|
|
## Redis Configuration on Apricot
|
|
|
|
**Redis must listen on VPN interface:**
|
|
|
|
Edit `/etc/redis/redis.conf`:
|
|
|
|
```ini
|
|
bind 127.0.0.1 10.9.0.1
|
|
```
|
|
|
|
**Restart Redis:**
|
|
|
|
```bash
|
|
sudo systemctl restart redis
|
|
```
|
|
|
|
**Verify VPS can connect:**
|
|
|
|
```bash
|
|
# From VPS
|
|
redis-cli -h 10.9.0.1 ping
|
|
# Should return: PONG
|
|
```
|
|
|
|
---
|
|
|
|
## Troubleshooting
|
|
|
|
### VPN not connecting
|
|
|
|
**Check WireGuard status:**
|
|
|
|
```bash
|
|
sudo wg show
|
|
# Should show peer connection and handshake time
|
|
```
|
|
|
|
**Check firewall:**
|
|
|
|
```bash
|
|
sudo ufw status
|
|
# Port 51820/udp should be ALLOW
|
|
```
|
|
|
|
**Check logs:**
|
|
|
|
```bash
|
|
sudo journalctl -u wg-quick@wg0 -f
|
|
```
|
|
|
|
### Database connection refused
|
|
|
|
**Check PostgreSQL is listening on VPN:**
|
|
|
|
```bash
|
|
# On apricot
|
|
sudo netstat -tlnp | grep 5432
|
|
# Should show: 10.9.0.1:5432
|
|
```
|
|
|
|
**Check pg_hba.conf allows VPS:**
|
|
|
|
```bash
|
|
# On apricot
|
|
sudo tail /var/log/postgresql/postgresql-16-main.log
|
|
# Look for connection attempts from 10.9.0.2
|
|
```
|
|
|
|
### High latency
|
|
|
|
**Check ping time:**
|
|
|
|
```bash
|
|
ping -c 10 10.9.0.1
|
|
# Should be <50ms for local network, <200ms over internet
|
|
```
|
|
|
|
**If latency is high**, check:
|
|
- Network congestion
|
|
- Router/ISP issues
|
|
- WireGuard MTU settings (try 1420 or 1380)
|
|
|
|
---
|
|
|
|
## Security Notes
|
|
|
|
1. **Private keys never leave their machines**
|
|
2. **VPN tunnel encrypts all traffic** (ChaCha20-Poly1305)
|
|
3. **Databases not exposed to public internet** (only via VPN)
|
|
4. **Apricot doesn't need public IP exposure** (VPS initiates connection)
|
|
|
|
---
|
|
|
|
## Maintenance
|
|
|
|
### Restart VPN
|
|
|
|
```bash
|
|
# On either machine
|
|
sudo wg-quick down wg0
|
|
sudo wg-quick up wg0
|
|
```
|
|
|
|
### Rotate Keys (Annually)
|
|
|
|
1. Generate new keys on both machines
|
|
2. Update configs with new public keys
|
|
3. Restart WireGuard
|
|
4. Verify connectivity
|
|
|
|
---
|
|
|
|
**Last Updated**: 2025-12-19
|
|
**VPN Subnet**: 10.9.0.0/24
|
|
**Protocol**: WireGuard (UDP port 51820)
|