Remote Sensor via WireGuard VPN

[presianbg]

Hi,

I was able to install and join (successfully) a sensor node to our distributed setup via WireGuard VPN.
I will try to cover every detail in this guide, but please be aware this setup is NOT officially supported and the official docs suggest to use a VPN node (concentrator).

DISCLAIMER : This guide assumes the manager and the sensor node are based on CentOS 7 (the official ISO image).

Without further ado, here is the setup:

1. Configure a port-forwarding (DNAT) rule on the router/firewall in front of the Manager node;

2. Create a custom port and host groups on the manager node:

sudo so-firewall addhostgroup wireguard
sudo so-firewall addportgroup wireguard
so-firewall addport wireguard udp 51820

3. Edit the manager pillar file to include the new host/port groups in the INPUT chain by appending the following at the end of /opt/so/saltstack/local/pillar/minions/<manager.sls>:

firewall:
  assigned_hostgroups:
    chain:
      INPUT:
        hostgroups:
          wireguard:
            portgroups:
              - portgroups.wireguard

4. Proceed with installation of the sensor node

• Choose Configure Network and setup your management interface:
  
  
  
  ...

• After you are done with the network configuration select Cancel:
  

• Double check for connectivity issues to the internet - ping / traceroute / etc... or at least to the manager public IP from step 1;

• Find out the sensor public IP ( the one that MASQ / SNAT the traffic to the internet).
  I'm using:

$ curl canhazip.com

5. Add the public-ip of the sensor from step 4 to the manager firewall:

sudo so-firewall includehost wireguard public-ip

6. Add your sensor wireguard VPN IP address to the manager firewall sensor and minion hostgroups:

sudo so-firewall includehost minion 10.126.126.2
sudo so-firewall includehost sensor 10.126.126.2

7. Apply the firewall rules:

sudo so-firewall apply

OR

sudo salt-call state.apply firewall

8. Now you have to install the wireguard kernel module and its tools on both manager and sensor:

sudo yum install epel-release elrepo-release
sudo yum install yum-plugin-elrepo
sudo yum install kmod-wireguard wireguard-tools

At this point you may reboot the node, though this is not mandatory.

9. Generate key pairs on each node (manager / sensor):

$ wg genkey | tee privatekey | wg pubkey > publickey

Save those keys until the setup is over, after that you may delete tem.

10. Create a config file on the manager node - /etc/wireguard/wg0.conf :

[Interface]
Address = 10.126.126.1/29
ListenPort = 51820
PrivateKey = MANAGER-PRIVATE-KEY

[Peer]
PublicKey = SENSOR-PUBLIC-KEY
AllowedIPs = 10.126.126.2/32,192.168.0.55/32

I'm not sure if the sensor management IP address (192.168.0.55) is required, feel free to experiment without it.

Start and enable the wireguard interface on the manager with:

sudo systemctl enable --now wg-quick@wg0

11. Create a config file on the sensor node - /etc/wireguard/wg0.conf :

[Interface]
Address = 10.126.126.2/29
PrivateKey = SENSOR-PRIVATE-KEY

[Peer]
PublicKey = MANAGER-PUBLIC-KEY
AllowedIPs = 172.22.22.10/32,10.126.126.1/32,192.168.0.55/32
Endpoint = MANAGER-PUBLIC-IP:51820
PersistentKeepalive = 25

MANAGER-PUBLIC-IP is the one you configured DNAT at step 1.

Start and enable the wireguard interface on the sensor with:

sudo systemctl enable --now wg-quick@wg0

12. At this point the manager and the sensor should be able to communicate via the wg0 interface.
    Again double check the connectivity from the sensor via the wireguard VPN - ping/ telnet on ports:

ping 172.22.22.10
telnet 172.22.22.10 4505
telnet 172.22.22.10 4506

If above tests fail... double check everything, because the sensor installation will most probably fail otherwise.
You can check the VPN status with wg command and the quick-start guide also worth reading.

FINALE: If step 12 is successful, then you are READY to proceed with the installation of the sensor, run:

sudo SecurityOnion/setup/so-setup iso

Cheers,
PY