update order

2026-01-02 16:21:55 -05:00
parent 24017129a2
commit 90bb1669a6
1 changed files with 37 additions and 53 deletions
--- a/_posts/homelab/2026-01-01-homelab-part2.md
+++ b/_posts/homelab/2026-01-01-homelab-part2.md
@@ -96,8 +96,7 @@ AllowedIPs = 10.100.0.12/32
 ```

 Start Service: `sudo wg-quick up wg0`
-
---
+Update Service `sudo wg-quick down wg0 && sudo wg-quick up wg0`

 ## 4. Phase 2: Node Setup (The Spokes)

@@ -253,8 +252,6 @@ ping 192.168.2.251

 (to update: `sudo systemctl restart wg-quick@wg0`)

---
-
 ## 5. Phase 3: Client Setup (MacBook)

 **App:** Official WireGuard Client
@@ -274,30 +271,27 @@ AllowedIPs = 10.100.0.0/24, 192.168.2.0/24
 PersistentKeepalive = 25
 ```

---
-
 Once WireGuard works, and you can SSH using `ssh root@10.100.0.11` (or the local IP via the tunnel):

-1. **Delete the Temporary SSH Rule on Nodes:**
-
-   ```bash
-   ufw status numbered
-   ufw delete <number_of_local_ssh_rule>
-   ```
-
-2. **Add the VPN-only SSH Rule:**
+1. Add the VPN-only SSH Rule:

   ```bash
   # Only allow SSH if it comes from the VPN Tunnel (EC2/Mac)
   ufw allow in on wg0 to any port 22 proto tcp
   ```

-Now:
+   SSHing with 10.100.0.11 should work now.

- Connecting via `192.168.2.251` from home Wi-Fi is **blocked**.
- Connecting via `10.100.0.11` (+VPN active) is **allowed**.
+2. Delete the Temporary SSH Rule on Nodes:

-You should see in each node:
+   ```bash
+   ufw status numbered
+   ufw delete <number_of_local_ssh_rule>
+   ```
+
+   Connecting via `192.168.2.251` from home Wi-Fi is now blocked.
+
+We are done. Final checks:

 ```text
 root@node-2:~# ufw numbered
@@ -323,6 +317,31 @@ peer: ...

 root@node-2:~# ip addr show wg0
 ... 10.100.0.11/24 ...
+
+root@node-2:~# sudo systemctl status networking
+# must be enabled
+
+root@node-2:~# sudo systemctl status NetworkManager
+# must be disabled
+
+root@node-2:~# sudo systemctl status ssh
+# must be enabled
+
+root@node-2:~# sudo systemctl status resolvconf
+# must be enabled
+
+root@node-2:~# cat /etc/resolv.conf
+# nameserver 1.1.1.1
+# nameserver 8.8.8.8
+# nameserver 192.168.2.1
+
+root@node-2:~# ufw numbered
+# Status: active
+#
+# To                         Action      From
+# --                         ------      ----
+# 22/tcp on wg0              ALLOW       Anywhere
+# 22/tcp (v6) on wg0         ALLOW       Anywhere (v6)
 ```

 **SSH Shortcuts (`~/.ssh/config` on Mac):**
@@ -350,8 +369,6 @@ Host home-node3
    IdentityFile ~/.ssh/home-server
 ```

---
-
 ## 6. Troubleshooting

 ### Check the Handshakes
@@ -360,39 +377,6 @@ On every node, run:

 ```bash
 sudo wg show
-# must enabled and can see latest handshake and transfer
-
-sudo systemctl status networking
-# must be enabled
-
-sudo systemctl status NetworkManager
-# must be disabled
-
-sudo systemctl status ssh
-# must be enabled
-
-sudo systemctl status resolvconf
-# must be enabled
-
-cat /etc/resolv.conf
-# nameserver 1.1.1.1
-# nameserver 8.8.8.8
-# nameserver 192.168.2.1
-
-ufw numbered
-# Status: active
-#
-# To                         Action      From
-# --                         ------      ----
-# 22/tcp on wg0              ALLOW       Anywhere
-# 22/tcp (v6) on wg0         ALLOW       Anywhere (v6)
-```
-
-On mac and EC2, run
-
-```bash
-sudo wg show
-# must enabled and can see latest handshake and transfer
 ```

 We want to see `latest handshake: X seconds ago`. If "Handshake: None":