From 90bb1669a67579460fede60cdf4b53397609ea31 Mon Sep 17 00:00:00 2001 From: wboughattas Date: Fri, 2 Jan 2026 16:21:55 -0500 Subject: [PATCH] update order --- _posts/homelab/2026-01-01-homelab-part2.md | 90 +++++++++------------- 1 file changed, 37 insertions(+), 53 deletions(-) diff --git a/_posts/homelab/2026-01-01-homelab-part2.md b/_posts/homelab/2026-01-01-homelab-part2.md index 7d27ab7..61ac503 100644 --- a/_posts/homelab/2026-01-01-homelab-part2.md +++ b/_posts/homelab/2026-01-01-homelab-part2.md @@ -96,8 +96,7 @@ AllowedIPs = 10.100.0.12/32 ``` Start Service: `sudo wg-quick up wg0` - ---- +Update Service `sudo wg-quick down wg0 && sudo wg-quick up wg0` ## 4. Phase 2: Node Setup (The Spokes) @@ -253,8 +252,6 @@ ping 192.168.2.251 (to update: `sudo systemctl restart wg-quick@wg0`) ---- - ## 5. Phase 3: Client Setup (MacBook) **App:** Official WireGuard Client @@ -274,30 +271,27 @@ AllowedIPs = 10.100.0.0/24, 192.168.2.0/24 PersistentKeepalive = 25 ``` ---- - Once WireGuard works, and you can SSH using `ssh root@10.100.0.11` (or the local IP via the tunnel): -1. **Delete the Temporary SSH Rule on Nodes:** - - ```bash - ufw status numbered - ufw delete - ``` - -2. **Add the VPN-only SSH Rule:** +1. Add the VPN-only SSH Rule: ```bash # Only allow SSH if it comes from the VPN Tunnel (EC2/Mac) ufw allow in on wg0 to any port 22 proto tcp ``` -Now: + SSHing with 10.100.0.11 should work now. -- Connecting via `192.168.2.251` from home Wi-Fi is **blocked**. -- Connecting via `10.100.0.11` (+VPN active) is **allowed**. +2. Delete the Temporary SSH Rule on Nodes: -You should see in each node: + ```bash + ufw status numbered + ufw delete + ``` + + Connecting via `192.168.2.251` from home Wi-Fi is now blocked. + +We are done. Final checks: ```text root@node-2:~# ufw numbered 
@@ -323,6 +317,31 @@ peer: ... root@node-2:~# ip addr show wg0 ... 10.100.0.11/24 ... + +root@node-2:~# sudo systemctl status networking +# must be enabled + +root@node-2:~# sudo systemctl status NetworkManager +# must be disabled + +root@node-2:~# sudo systemctl status ssh +# must be enabled + +root@node-2:~# sudo systemctl status resolvconf +# must be enabled + +root@node-2:~# cat /etc/resolv.conf +# nameserver 1.1.1.1 +# nameserver 8.8.8.8 +# nameserver 192.168.2.1 + +root@node-2:~# ufw numbered +# Status: active +# +# To Action From +# -- ------ ---- +# 22/tcp on wg0 ALLOW Anywhere +# 22/tcp (v6) on wg0 ALLOW Anywhere (v6) ``` **SSH Shortcuts (`~/.ssh/config` on Mac):** @@ -350,8 +369,6 @@ Host home-node3 IdentityFile ~/.ssh/home-server ``` ---- - ## 6. Troubleshooting ### Check the Handshakes @@ -360,39 +377,6 @@ On every node, run: ```bash sudo wg show -# must enabled and can see latest handshake and transfer - -sudo systemctl status networking -# must be enabled - -sudo systemctl status NetworkManager -# must be disabled - -sudo systemctl status ssh -# must be enabled - -sudo systemctl status resolvconf -# must be enabled - -cat /etc/resolv.conf -# nameserver 1.1.1.1 -# nameserver 8.8.8.8 -# nameserver 192.168.2.1 - -ufw numbered -# Status: active -# -# To Action From -# -- ------ ---- -# 22/tcp on wg0 ALLOW Anywhere -# 22/tcp (v6) on wg0 ALLOW Anywhere (v6) -``` - -On mac and EC2, run - -```bash -sudo wg show -# must enabled and can see latest handshake and transfer ``` We want to see `latest handshake: X seconds ago`. If "Handshake: None":
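Review bot: in the first hunk (`@@ -96,8 +96,7 @@`), the added line `Update Service `sudo wg-quick down wg0 && sudo wg-quick up wg0`` is missing the colon that `Start Service:` uses, and it conflicts with the second hunk's unchanged context `(to update: `sudo systemctl restart wg-quick@wg0`)`, which gives a different reload command for the same task; pick one and use it in both places. Also worth stating in the post that a down/up cycle tears down every peer session on that host, so if the edit is being applied over the tunnel itself the SSH session will drop; `wg syncconf wg0 <(wg-quick strip wg0)` applies peer changes without bringing the interface down.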
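Review bot: the reordering in the third hunk (`@@ -274,30 +271,27 @@`) is the right call, since adding `ufw allow in on wg0 to any port 22 proto tcp` and confirming SSH over `10.100.0.11` before deleting the temporary rule avoids locking yourself out of the node, but two details in the same hunk need fixing. The step-2 command `ufw delete` has no rule number, so it should read `ufw delete <number>` with the number taken from the `ufw status numbered` output just above it (and note that rule numbers shift after each deletion, so re-run `ufw status numbered` between deletions). The claim `Connecting via `192.168.2.251` from home Wi-Fi is now blocked` only holds if the default incoming policy is deny; the post should state that `ufw default deny incoming` is in effect, or show it in the final checks, since otherwise removing the temporary rule does not block LAN-side SSH.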
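Review bot: in the fourth hunk (`@@ -323,6 +317,31 @@`), `root@node-2:~# ufw numbered` is not a valid ufw invocation; the listing shown (`Status: active`, `22/tcp on wg0 ALLOW Anywhere`) is the output of `ufw status numbered`, so the command line should be corrected (the same wrong form appears in the unchanged context of the previous hunk). Minor: the prompt shows a root shell, so the `sudo` prefix on the `systemctl status` lines is redundant, and `systemctl is-enabled <unit>` would be the precise check for the `# must be enabled` / `# must be disabled` comments, since `status` primarily reports whether the unit is currently running.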
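Review bot: the last hunk (`@@ -360,39 +377,6 @@`) removes the `On mac and EC2, run` block along with the `# must enabled and can see latest handshake and transfer` comment, so the troubleshooting section now only instructs `sudo wg show` under `On every node, run:`; the handshake check is only meaningful if it is run on both ends of a tunnel, so either keep the hub/client instruction here or point the reader back to the final checks list that the fourth hunk adds to section 5.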