<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8"/>
<title>Reverse proxy with WireGuard</title>
<meta name="author" content="Sergio Durigan Junior"/>
<meta name="description" content=""/>
<meta name="keywords" content=""/>
<style type="text/css">
.underline { text-decoration: underline; }
</style>
<link rel="stylesheet" href="file:///home/sergio/pessoal/slides/wireguard-reverse-proxy/reveal.js-master/dist/reveal.css"/>
<link rel="stylesheet" href="file:///home/sergio/pessoal/slides/wireguard-reverse-proxy/reveal.js-master/dist/theme/night.css" id="theme"/>
</head>
<body>
<div class="reveal">
<div class="slides">
<section id="sec-title-slide"><h2>Reverse proxy with WireGuard</h2><h6>Sergio Durigan Junior &lt;<a href="mailto:sergiodj@debian.org">sergiodj@debian.org</a>&gt;</h6>
</section>
<section>
<section id="slide-org43a1573">
<h2 id="org43a1573"><span class="section-number-2">1.</span> WireGuard</h2>
<ul>
<li>A modern, simple and <b>fast</b> VPN implementation.
<ul>
<li>Jason A. Donenfeld (<code>cgit</code>, <code>pass</code>, etc.), 2015.</li>
</ul></li>
<li>Removes much of the complexity of setting up a VPN.</li>
<li>Sets up only a single network interface.
<ul>
<li>Everything else is delegated to other tools (<code>ip</code>, <code>iptables</code>, etc.).</li>
</ul></li>
</ul>
</section>
</section>
<section>
<section id="slide-org14f3441">
<h2 id="org14f3441"><span class="section-number-2">2.</span> How to use it</h2>
<ul>
<li>There is no notion of a server.</li>
<li><code>wg-quick</code> (from the <code>wireguard-tools</code> package) is usually used.
<ul>
<li>But other tools also support WireGuard: <code>systemd-networkd</code>, <code>network-manager</code>.</li>
</ul></li>
<li>Generate a key pair (think <code>ssh</code>) and hand the public key to the <i>peers</i>.</li>
<li>The configuration file (usually) lives in <code>/etc/wireguard/</code> (in that case it integrates with <code>wg-quick@.service</code>).</li>
</ul>
</section>
<section id="slide-org0a17d72">
<h3 id="org0a17d72"><span class="section-number-3">2.1.</span> Example configuration</h3>
<pre class="example">
# cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = eJdSgoS7BZ/uWkuSREN+vhCJPPr3M3UlB3v1Su/amWk=
ListenPort = 51000
Address = 10.10.11.10/24

[Peer]
# office
PublicKey = xeWmdxiLjgebpcItF1ouRo0ntrgFekquRJZQO+vsQVs=
Endpoint = wg.example.com:51000
AllowedIPs = 10.10.11.0/24, 10.10.10.0/24
</pre>
</section>
<section id="slide-orge1c080d">
<h3 id="orge1c080d"><span class="section-number-3">2.2.</span> Bringing the interface up</h3>
<pre class="example">
# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.11.10/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.10.10.0/24 dev wg0
</pre>
</section>
</section>
<section>
<section id="slide-orge644829">
<h2 id="orge644829"><span class="section-number-2">3.</span> Network topology examples</h2>
<div class="outline-text-2" id="text-3">
</div>
</section>
<section id="slide-org7aa0d4c">
<h3 id="org7aa0d4c"><span class="section-number-3">3.1.</span> WireGuard on the router</h3>
<pre class="example">
                     internet                  ┌─── wg0 10.10.11.1/24
 10.10.11.2/24                                 │ VPN network
  home0│              xxxxxx      ppp0 ┌───────┴┐
     ┌─┴──┐        xx      xxxxx ──────┤ router │
     │    ├─wlan0  xx         xx       └───┬────┘  home network, .home domain
     │    │        xx          x           │.1    10.10.10.0/24
     │    │         xxx     xxx            │
     └────┘           xxxxxx               └───┬─────────┬─────────┐
     Laptop                                    │         │         │
  (Coffee shop)                              ┌─┴─┐     ┌─┴─┐     ┌─┴─┐
                                             │   │     │   │     │   │
                                             │pi4│     │NAS│     │...│
                                             │   │     │   │     │   │
                                             └───┘     └───┘     └───┘
</pre>
</section>
<section id="slide-org5b72bb0">
<h3 id="org5b72bb0"><span class="section-number-3">3.2.</span> WireGuard inside the internal network</h3>
<pre class="example">
                     internet
 10.10.10.3/24
  home0│              xxxxxx      ppp0 ┌────────┐
     ┌─┴──┐        xx      xxxxx ──────┤ router │
     │    ├─ppp0   xxx        xx       └───┬────┘  home network, .home domain
     │    │        xx          x           │      10.10.10.0/24
     │    │         xxx     xxx            └───┬─────────┬─────────┐
     └────┘           xxxxxx                   │         │         │
                                             ┌─┴─┐     ┌─┴─┐     ┌─┴─┐
                                       wg0 ──┤   │     │   │     │   │
                              10.10.10.10/32 │pi4│     │NAS│     │...│
                                             │   │     │   │     │   │
                                             └───┘     └───┘     └───┘

  Reserved for VPN: 10.10.10.2-9
</pre>
</section>
<section id="slide-orgd289f02">
<h3 id="orgd289f02"><span class="section-number-3">3.3.</span> Point-to-point WireGuard (our case)</h3>
<pre class="example">
                     internet
 10.20.30.2/32
  home0│              xxxxxx      ppp0 ┌────────┐
     ┌─┴──┐        xx      xxxxx ──────┤ router │
     │    ├─ppp0   xxx        xx       └───┬────┘  home network
     │    │        xx          x           │      10.10.10.0/24
     │    │         xxx     xxx            └───┬
     └────┘           xxxxxx                   │
                                             ┌─┴─────┐
                                       wg0 ──┤       │
                               10.20.30.1/32 │Service│
                                             │       │
                                             └───────┘
</pre>
</section>
</section>
<section>
<section id="slide-orgbbcbf0c">
<h2 id="orgbbcbf0c"><span class="section-number-2">4.</span> Why do it (at home)?</h2>
<ul>
<li>Control over where your data is located.</li>
<li>Control over the machine the service runs on.</li>
<li>Lower spending on servers.</li>
</ul>
</section>
</section>
<section>
<section id="slide-orgc591211">
<h2 id="orgc591211"><span class="section-number-2">5.</span> Why <b>NOT</b> do it (at home)?</h2>
<ul>
<li><b>Larger attack surface exposed on your home network</b>.</li>
<li>Bandwidth/data usage.</li>
<li>Electricity cost.</li>
<li>Less <i>uptime</i>.</li>
</ul>
</section>
</section>
<section>
<section id="slide-org681fc3e">
<h2 id="org681fc3e"><span class="section-number-2">6.</span> Precautions</h2>
<ul>
<li>Protect your internal network!
<ul>
<li>Firewall, VLAN, fail2ban, etc.</li>
</ul></li>
<li>Isolate the service!
<ul>
<li>VM, container, chroot, etc.</li>
</ul></li>
<li>Use SSL/TLS on the reverse proxy.
<ul>
<li>Remember that the server the proxy runs on is the <i>SSL termination</i> point!</li>
</ul></li>
</ul>
</section>
</section>
<section>
<section id="slide-orga9d81a0">
<h2 id="orga9d81a0"><span class="section-number-2">7.</span> References</h2>
<ul>
<li><a href="https://www.wireguard.com/">https://www.wireguard.com/</a></li>
<li><a href="https://ubuntu.com/server/docs/wireguard-vpn-introduction">https://ubuntu.com/server/docs/wireguard-vpn-introduction</a></li>
</ul>
</section>
</section>
</div>
</div>
<script src="/home/sergio/pessoal/slides/wireguard-reverse-proxy/reveal.js-master/dist/reveal.js"></script>
<script src="file:///home/sergio/pessoal/slides/wireguard-reverse-proxy/reveal.js-master/plugin/markdown/markdown.js"></script>
<script src="file:///home/sergio/pessoal/slides/wireguard-reverse-proxy/reveal.js-master/plugin/zoom/zoom.js"></script>
<script src="file:///home/sergio/pessoal/slides/wireguard-reverse-proxy/reveal.js-master/plugin/notes/notes.js"></script>
<script>
// Full list of configuration options available here:
// https://github.com/hakimel/reveal.js#configuration
Reveal.initialize({
plugins: [RevealMarkdown, RevealZoom, RevealNotes],
transition:'concave',
slideNumber:"c/t",
hash:true,
center:true
});
</script>
</body>
</html>
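As an added example (not part of the original slides), the script below generates the two wg0.conf files for the point-to-point topology of slide 3.3, where the home host is 10.20.30.1/32 and the reverse-proxy host is 10.20.30.2/32, together with an nftables ruleset for the home host that applies the "Firewall" precaution of slide 6 by admitting only the proxy peer to the proxied port. The key strings, the host name vps.example.com and the service port 8080 are placeholders and assumptions, not values from the slides.

```shell
#!/bin/sh
# Added example, not from the original slides: wg0.conf for both ends of the
# point-to-point link of slide 3.3 (home host 10.20.30.1, proxy 10.20.30.2)
# plus an nftables ruleset confining the tunnel to the proxied port (slide 6).
# Key strings, vps.example.com and port 8080 are placeholders/assumptions.
set -eu

# wg_p2p_conf: point-to-point wg0.conf on stdout.
# $1 own private key  $2 own address  $3 peer public key  $4 peer address
# $5 own ListenPort or ""  $6 peer Endpoint host:port or ""
wg_p2p_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\n' "$1" "$2"
    if [ -n "$5" ]; then printf 'ListenPort = %s\n' "$5"; fi
    printf '\n[Peer]\nPublicKey = %s\n' "$3"
    if [ -n "$6" ]; then
        # The NAT-ed home end dials out and keeps the mapping alive.
        printf 'Endpoint = %s\nPersistentKeepalive = 25\n' "$6"
    fi
    # /32 on both ends: only the peer itself is reachable through wg0,
    # never the home LAN (contrast the AllowedIPs on slide 2.1).
    printf 'AllowedIPs = %s/32\n' "$4"
}

# service_nft_rules: home-host ruleset. From wg0 accept only the proxy
# peer ($1) to the service port ($2); drop all other wg0 traffic.
service_nft_rules() {
    cat <<EOF
table inet wg_service {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "wg0" ip saddr $1 tcp dport $2 ct state new accept
    iifname "wg0" ct state established,related accept
    iifname "wg0" drop
  }
}
EOF
}
# Placeholder keys; real ones come from: wg genkey | tee k | wg pubkey
HOME_PRIV=HOME_PRIVATE_KEY_PLACEHOLDER; HOME_PUB=HOME_PUBLIC_KEY_PLACEHOLDER
VPS_PRIV=VPS_PRIVATE_KEY_PLACEHOLDER;   VPS_PUB=VPS_PUBLIC_KEY_PLACEHOLDER
main() {
    echo "## home host: /etc/wireguard/wg0.conf"
    wg_p2p_conf "$HOME_PRIV" 10.20.30.1 "$VPS_PUB" 10.20.30.2 "" vps.example.com:51000
    echo; echo "## proxy host: /etc/wireguard/wg0.conf"
    wg_p2p_conf "$VPS_PRIV" 10.20.30.2 "$HOME_PUB" 10.20.30.1 51000 ""
    echo; echo "## home host: nftables ruleset (load with nft -f)"
    service_nft_rules 10.20.30.2 8080
}
main
```

The generated ruleset only touches packets arriving on wg0, so the home host's other interfaces keep whatever policy they already have.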