<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8"/>
<title>Reverse proxy with WireGuard</title>
<meta name="author" content="Sergio Durigan Junior"/>
<meta name="description" content=""/>
<meta name="keywords" content=""/>
<style type="text/css">
.underline { text-decoration: underline; }
</style>
<link rel="stylesheet" href="reveal.js-master/dist/reveal.css"/>

<link rel="stylesheet" href="reveal.js-master/dist/theme/night.css" id="theme"/>

</head>
<body>
<div class="reveal">
<div class="slides">
<section id="sec-title-slide"><h2>Reverse proxy with WireGuard</h2><h6>Sergio Durigan Junior &lt;<a href="mailto:sergiodj@debian.org">sergiodj@debian.org</a>&gt;</h6>
</section>

<section>
<section id="slide-org57a8a12">
<h2 id="org57a8a12"><span class="section-number-2">1.</span> WireGuard</h2>
<ul>
<li>A modern, simple and <b>fast</b> VPN implementation.
<ul>
<li>Jason A. Donenfeld (author of <code>cgit</code>, <code>pass</code>, etc.), 2015.</li>

</ul></li>
<li>Removes much of the complexity of setting up a VPN.</li>
<li>Only creates a network interface.
<ul>
<li>Everything else (addresses, routes, firewalling) is delegated to other tools (<code>ip</code>, <code>iptables</code>,
etc.)</li>

</ul></li>

</ul>

</section>
</section>
<section>
<section id="slide-org497ccb1">
<h2 id="org497ccb1"><span class="section-number-2">2.</span> How to use it</h2>
<ul>
<li>There is no notion of a server: every node is a <i>peer</i>.</li>
<li>Usually you use <code>wg-quick</code> (from the <code>wireguard-tools</code> package).
<ul>
<li>But other tools also support WireGuard: <code>systemd-networkd</code>,
<code>network-manager</code>.</li>

</ul></li>
<li>Generate a key pair (think <code>ssh</code>) and distribute the public key
to your <i>peers</i>; the private key never leaves the host.</li>
<li>The configuration file (usually) lives in <code>/etc/wireguard/</code>
(in that case it integrates with <code>wg-quick@.service</code>, e.g. <code>systemctl enable --now wg-quick@wg0</code>).</li>

</ul>

</section>
<section id="slide-org6f9b5ff">
<h3 id="org6f9b5ff"><span class="section-number-3">2.1.</span> Example configuration</h3>
<pre  class="example" >
# cat /etc/wireguard/wg0.conf
# (keep this file mode 0600: it holds the private key; wg-quick warns if it is world-readable)
[Interface]
PrivateKey = eJdSgoS7BZ/uWkuSREN+vhCJPPr3M3UlB3v1Su/amWk=
ListenPort = 51000
Address = 10.10.11.10/24

[Peer]
# office
PublicKey = xeWmdxiLjgebpcItF1ouRo0ntrgFekquRJZQO+vsQVs=
Endpoint = wg.example.com:51000
AllowedIPs = 10.10.11.0/24, 10.10.10.0/24
</pre>

</section>
<section id="slide-orgceb2589">
<h3 id="orgceb2589"><span class="section-number-3">2.2.</span> Bringing the interface up</h3>
<pre  class="example" >
# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.11.10/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.10.10.0/24 dev wg0
</pre>
<p>Each <code>AllowedIPs</code> prefix becomes a route through <code>wg0</code>; <code>10.10.11.0/24</code> needs no extra route because the interface address already covers it.</p>

</section>
</section>
<section>
<section id="slide-org1ad9583">
<h2 id="org1ad9583"><span class="section-number-2">3.</span> Network topology examples</h2>
<div class="outline-text-2" id="text-3">
</div>
</section>
<section id="slide-orgfff7f54">
<h3 id="orgfff7f54"><span class="section-number-3">3.1.</span> WireGuard on the router</h3>
<pre  class="example" >
                           internet              ┌─── wg0 10.10.11.1/24
10.10.11.2/24                                       │        VPN network
        home0│            xxxxxx       ppp0 ┌───────┴┐
           ┌─┴──┐         xx   xxxxx  ──────┤ router │
           │    ├─wlan0  xx       xx        └───┬────┘    home network, .home domain
           │    │       xx        x             │.1       10.10.10.0/24
           │    │        xxx    xxx             └───┬─────────┬─────────┐
           └────┘          xxxxxx                   │         │         │
Laptop                                            ┌─┴─┐     ┌─┴─┐     ┌─┴─┐
(Coffee shop)                                     │   │     │   │     │   │
                                                  │pi4│     │NAS│     │...│
                                                  │   │     │   │     │   │
                                                  └───┘     └───┘     └───┘
</pre>

</section>
<section id="slide-orge9ad030">
<h3 id="orge9ad030"><span class="section-number-3">3.2.</span> WireGuard inside the home network</h3>
<pre  class="example" >
                            internet
10.10.10.3/24
        home0│            xxxxxx       ppp0 ┌────────┐
           ┌─┴──┐         xx   xxxxx  ──────┤ router │
           │    ├─ppp0  xxx       xx        └───┬────┘    home network, .home domain
           │    │       xx        x             │         10.10.10.0/24
           │    │        xxx    xxx             └───┬─────────┬─────────┐
           └────┘          xxxxxx                   │         │         │
                                                  ┌─┴─┐     ┌─┴─┐     ┌─┴─┐
                                            wg0 ──┤   │     │   │     │   │
                                  10.10.10.10/32  │pi4│     │NAS│     │...│
                                                  │   │     │   │     │   │
                                                  └───┘     └───┘     └───┘
Reserved for VPN:
10.10.10.2-9
</pre>

</section>
<section id="slide-org6d1a1fb">
<h3 id="org6d1a1fb"><span class="section-number-3">3.3.</span> Point-to-point WireGuard (our case)</h3>
<pre  class="example" >
                           internet
10.20.30.2/32
        home0│            xxxxxx       ppp0 ┌────────┐
           ┌─┴──┐         xx   xxxxx  ──────┤ router │
           │    ├─ppp0  xxx       xx        └───┬────┘    home network
           │    │       xx        x             │         10.10.10.0/24
           │    │        xxx    xxx             └───┬
           └────┘          xxxxxx                   │
                                                  ┌─┴─────┐
                                            wg0 ──┤       │
                                  10.20.30.1/32   │Service│
                                                  │       │
                                                  └───────┘
</pre>
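<p>The point-to-point link above, carried through the steps of section 2 (key pair, one config file per host, <code>wg-quick</code>), as an added example that is not part of the original slides. It assumes the VPS running the reverse proxy is reachable at <code>wg.example.com:51000</code> (hostname and port borrowed from the earlier example) and uses <code>10.20.30.2/32</code>, while the home service uses <code>10.20.30.1/32</code> behind NAT, so only the VPS side has a <code>ListenPort</code> and the home side sends keepalives. The keepalive interval, the output directory and the script name are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the slides: build both halves of the point-to-point
# link in topology 3.3. VPS (reverse proxy) = 10.20.30.2/32, reachable at
# wg.example.com:51000 (assumed); home service = 10.20.30.1/32 behind NAT, so
# it has no ListenPort and keeps the NAT mapping open with PersistentKeepalive.

# wg0.conf for the home host. AllowedIPs is the proxy's single /32: a
# compromised VPS can reach this host, not the rest of 10.10.10.0/24.
# $1 = home private key, $2 = VPS public key
render_home_conf() {
  printf '%s\n' \
    '[Interface]' \
    "PrivateKey = $1" \
    'Address = 10.20.30.1/32' \
    '' \
    '[Peer]' \
    '# VPS running the reverse proxy' \
    "PublicKey = $2" \
    'Endpoint = wg.example.com:51000' \
    'AllowedIPs = 10.20.30.2/32' \
    'PersistentKeepalive = 25'
}

# wg0.conf for the VPS. No Endpoint: WireGuard learns the home host's current
# public address/port from the first authenticated packet it receives.
# $1 = VPS private key, $2 = home public key
render_proxy_conf() {
  printf '%s\n' \
    '[Interface]' \
    "PrivateKey = $1" \
    'ListenPort = 51000' \
    'Address = 10.20.30.2/32' \
    '' \
    '[Peer]' \
    '# home service' \
    "PublicKey = $2" \
    'AllowedIPs = 10.20.30.1/32'
}

# Pre-flight check for "wg-quick up": every AllowedIPs entry in the file must
# be a /32, so neither peer can route traffic for other hosts through wg0.
# Prints "ok" (status 0) or the offending prefixes (status 1).
check_allowed_ips_host_only() {
  bad=$(grep -i '^AllowedIPs' "$1" | tr ',' '\n' \
        | sed -e 's/.*= *//' -e 's/^ *//' | grep -v '/32$' || true)
  if [ -n "$bad" ]; then
    echo "AllowedIPs wider than one host: $(echo "$bad" | tr '\n' ' ')"
    return 1
  fi
  echo ok
}

# Generate both key pairs with wireguard-tools and write both configs into
# directory $1 (created mode 0700; files 0600 because they hold private keys).
make_link_configs() {
  mkdir -p "$1" && chmod 700 "$1"
  umask 077
  home_priv=$(wg genkey); home_pub=$(printf '%s\n' "$home_priv" | wg pubkey)
  vps_priv=$(wg genkey);  vps_pub=$(printf '%s\n' "$vps_priv" | wg pubkey)
  render_home_conf "$home_priv" "$vps_pub" > "$1/wg0-home.conf"
  render_proxy_conf "$vps_priv" "$home_pub" > "$1/wg0-vps.conf"
  check_allowed_ips_host_only "$1/wg0-home.conf"
  check_allowed_ips_host_only "$1/wg0-vps.conf"
}

# Usage: ./wg-link.sh ./out
# Then, on each host, install its file as /etc/wireguard/wg0.conf and run:
#   systemctl enable --now wg-quick@wg0
#   wg show wg0 latest-handshakes   # non-zero once the peer has answered
if [ -n "${1:-}" ]; then
  command -v wg >/dev/null 2>&1 || { echo "wireguard-tools (wg) not installed" >&2; exit 1; }
  make_link_configs "$1"
fi
```

<p>The private keys are generated on one machine here for brevity; in practice generate each pair on the host that will use it and copy only the public keys, exactly as you would with <code>ssh</code>. The <code>/32</code> check matters because <code>AllowedIPs</code> is both the routing table and the access-control list of the tunnel: a wider prefix on the VPS side would let it send traffic towards your whole LAN.</p>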

</section>
</section>
<section>
<section id="slide-org4f24033">
<h2 id="org4f24033"><span class="section-number-2">4.</span> Why do it (at home)?</h2>
<ul>
<li>Control over where your data lives.</li>
<li>Control over the machine the service runs on.</li>
<li>Lower spending on servers.</li>

</ul>

</section>
</section>
<section>
<section id="slide-org15dc58e">
<h2 id="org15dc58e"><span class="section-number-2">5.</span> Why <b>NOT</b> do it (at home)?</h2>
<ul>
<li><b>A larger attack surface on your home network</b>.</li>
<li>Bandwidth/data usage.</li>
<li>Electricity cost.</li>
<li>Less <i>uptime</i>.</li>

</ul>

</section>
</section>
<section>
<section id="slide-org30e8f84">
<h2 id="org30e8f84"><span class="section-number-2">6.</span> Precautions</h2>
<ul>
<li>Protect your home network!
<ul>
<li>Firewall, VLAN, fail2ban, etc. Keep the proxy's <code>AllowedIPs</code> down to its single /32 so the tunnel cannot reach the rest of the LAN.</li>

</ul></li>
<li>Isolate the service!
<ul>
<li>VM, container, chroot, etc.</li>

</ul></li>
<li>Use TLS on the reverse proxy.
<ul>
<li>Remember that the server running the proxy is the <i>TLS termination</i> point: it sees every request in plaintext, and only the WireGuard tunnel protects the hop from the proxy to your home service.</li>

</ul></li>

</ul>
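<p>The firewall and proxy side of these precautions for the point-to-point topology of section 3.3, as an added example that is not part of the original slides. Assumed names: the home service listens on <code>10.20.30.1:8080</code> (plain HTTP, reachable only through the tunnel), the VPS terminates TLS for <code>app.example.com</code> with a certificate in the usual certbot layout and proxies to it. Service port, hostname, certificate paths and the script name are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the slides: firewall and proxy configuration for the
# two ends of topology 3.3. Assumed names: the home service listens on
# 10.20.30.1:8080 (plain HTTP, reachable only through the tunnel), the VPS
# terminates TLS for app.example.com and proxies to it. Between nginx and the
# home host the request is plaintext HTTP inside the WireGuard tunnel, so the
# VPS is a trusted component and must be kept patched and locked down.

# nftables ruleset for the home host ($1 = service port). WireGuard's own
# cryptokey routing already guarantees that packets arriving on wg0 come from
# 10.20.30.2; the rules add what it does not enforce: only the service port is
# reachable, and nothing is forwarded between wg0 and the LAN.
render_home_nft() {
  cat <<EOF
table inet wgsvc {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "wg0" ct state established,related accept
        iifname "wg0" ip saddr 10.20.30.2 tcp dport $1 ct state new accept
        iifname "wg0" drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "wg0" drop
        oifname "wg0" drop
    }
}
EOF
}

# nftables ruleset for the VPS ($1 = WireGuard listen port): only the tunnel's
# UDP port, HTTP(S) and SSH are reachable from the internet.
render_proxy_nft() {
  cat <<EOF
table inet proxy {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        meta l4proto { icmp, icmpv6 } accept
        udp dport $1 accept
        tcp dport { 22, 80, 443 } accept
    }
}
EOF
}

# nginx site for the VPS ($1 = public hostname, $2 = service port). TLS ends
# here; the upstream is the home host's tunnel address. The certificate paths
# follow the certbot layout and are an assumption.
render_proxy_nginx() {
  cat <<EOF
server {
    listen 80;
    server_name $1;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://10.20.30.1:$2;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Usage (as root, after ". ./hardening.sh"):
#   home host: render_home_nft 8080 | nft -f - ; sysctl -w net.ipv4.ip_forward=0
#   VPS:       render_proxy_nft 51000 | nft -f -
#              render_proxy_nginx app.example.com 8080 > /etc/nginx/sites-available/app
#              nginx -t && systemctl reload nginx
# The home service itself should bind to 10.20.30.1 (or to 127.0.0.1 behind a
# local reverse proxy), never to 0.0.0.0, so it is not also exposed on the LAN.
```

<p>The home-side ruleset deliberately leaves the LAN policy alone and only constrains <code>wg0</code>, so it can be loaded next to whatever firewall the host already has. The <code>forward</code> rules plus <code>ip_forward=0</code> are what keeps a compromised VPS from using the tunnel as a path into <code>10.10.10.0/24</code>, which is the attack-surface increase the previous slide warns about.</p>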

</section>
</section>
<section>
<section id="slide-org87a06bc">
<h2 id="org87a06bc"><span class="section-number-2">7.</span> References</h2>
<ul>
<li><a href="https://www.wireguard.com/">https://www.wireguard.com/</a></li>
<li><a href="https://ubuntu.com/server/docs/wireguard-vpn-introduction">https://ubuntu.com/server/docs/wireguard-vpn-introduction</a></li>

</ul>
</section>
</section>
</div>
</div>
<script src="reveal.js-master/dist/reveal.js"></script>
<script src="reveal.js-master/plugin/markdown/markdown.js"></script>
<script src="reveal.js-master/plugin/zoom/zoom.js"></script>
<script src="reveal.js-master/plugin/notes/notes.js"></script>


<script>
// Full list of configuration options available here:
// https://github.com/hakimel/reveal.js#configuration
Reveal.initialize({
plugins: [RevealMarkdown, RevealZoom, RevealNotes],
transition:'concave', slideNumber:"c/t", hash:true, center:true
});

</script>
</body>
</html>