From 16a29d00cc4e19ce33de16a8dcc28e7f1d4d43d3 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 28 Jun 2026 11:53:59 +0200 Subject: [PATCH] WireGuard secrets into the repo (private docs). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OPNsense and VM101 client configs plus Horus peer blocks under shared/horus-opnsense-wireguard/. Co-authored-by: Cursor --- pve1/guests/vm101-ubuntu/README.md | 2 +- shared/git-und-repos.md | 2 +- shared/horus-opnsense-wireguard/README.md | 115 ++++++++++++++++++ .../horus-server-peer-opnsense.conf | 5 + .../horus-server-peer-vm101.conf | 5 + .../opnsense-client.conf | 12 ++ .../vm101-client.conf | 13 ++ 7 files changed, 152 insertions(+), 2 deletions(-) create mode 100644 shared/horus-opnsense-wireguard/README.md create mode 100644 shared/horus-opnsense-wireguard/horus-server-peer-opnsense.conf create mode 100644 shared/horus-opnsense-wireguard/horus-server-peer-vm101.conf create mode 100644 shared/horus-opnsense-wireguard/opnsense-client.conf create mode 100644 shared/horus-opnsense-wireguard/vm101-client.conf diff --git a/pve1/guests/vm101-ubuntu/README.md b/pve1/guests/vm101-ubuntu/README.md index 4f8f2d6..d618d51 100644 --- a/pve1/guests/vm101-ubuntu/README.md +++ b/pve1/guests/vm101-ubuntu/README.md 
@@ -7,7 +7,7 @@ | **Stacks** | `/opt/stacks/` | | **Stack-UI** | Dockge → `:5001` | | **Docker** | `iptables: false` → [docker-daemon.json](docker-daemon.json), NAT: [../../scripts/vm101-docker-nat-rules.sh](../../scripts/vm101-docker-nat-rules.sh) | -| **Horus VPS** | WireGuard `wg0` 10.1.1.5 → Horus 10.1.1.1 · SSH-Keys: [shared/ssh](../../shared/ssh/README.md#horus-vps-wireguard) · **Direkt via OPNsense:** [shared/horus-opnsense-wireguard.md](../../shared/horus-opnsense-wireguard.md) | +| **Horus VPS** | WireGuard `wg0` 10.1.1.5 → Horus 10.1.1.1 · SSH: [shared/ssh](../../shared/ssh/README.md#horus-vps-wireguard) · **OPNsense-WG:** [shared/horus-opnsense-wireguard/](../../shared/horus-opnsense-wireguard/README.md) | ## Netzwerk `docbr0` diff --git a/shared/git-und-repos.md b/shared/git-und-repos.md index e80be88..bd1ca10 100644 --- a/shared/git-und-repos.md +++ b/shared/git-und-repos.md @@ -68,7 +68,7 @@ export PATH="/usr/local/go/bin:$PATH" | Pfad | Inhalt | |------|--------| | [shared/ssh/](ssh/README.md) | Gemeinsame `authorized_keys`-Fragmente + Deploy-Skript | -| [shared/horus-opnsense-wireguard.md](horus-opnsense-wireguard.md) | WireGuard OPNsense ↔ Horus (ohne VM) | +| [shared/horus-opnsense-wireguard/](horus-opnsense-wireguard/README.md) | WireGuard OPNsense ↔ Horus (Configs inkl. Keys) | | `pve1/ansible/` | Fish-Setup für VM 101 | | `pve2/ansible/` | LXC Disk-Maintenance (Cron auf pve2) | diff --git a/shared/horus-opnsense-wireguard/README.md b/shared/horus-opnsense-wireguard/README.md new file mode 100644 index 0000000..d4e5651 --- /dev/null +++ b/shared/horus-opnsense-wireguard/README.md 
@@ -0,0 +1,115 @@ +# Horus ↔ OPNsense WireGuard (Site-to-Site) + +Direkter WireGuard-Tunnel zwischen **OPNsense** (lokales Netz) und **Horus** (VPS), ohne Umweg über VM 101. + +| | | +|---|---| +| **Horus** | `horus.jeanavril.com` / `207.180.222.207`, WG-Port **61951**, Tunnel-IP **10.1.1.1** | +| **OPNsense** | Tunnel-IP **10.1.1.22** (Peer `opnsense-jeanavril`) | +| **VM 101** (legacy) | Tunnel-IP **10.1.1.5** (Peer `server5`) | + +Configs inkl. Private Keys: **privates Repo** — siehe Dateien in diesem Ordner. + +| Datei | Inhalt | +|-------|--------| +| [opnsense-client.conf](opnsense-client.conf) | OPNsense Client (Private Key, PSK, Endpoint) | +| [horus-server-peer-opnsense.conf](horus-server-peer-opnsense.conf) | Gegenstück auf Horus | +| [vm101-client.conf](vm101-client.conf) | VM 101 Client (Referenz / Migration) | +| [horus-server-peer-vm101.conf](horus-server-peer-vm101.conf) | VM-Peer auf Horus | + +## Topologie + +``` +LAN/VLANs (192.168.x.0/24, 10.2.2.0/24) + ↓ + OPNsense (10.1.1.22) ←——WireGuard——→ Horus (10.1.1.1) + ↓ ↓ + 10.2.2.0/24 → 192.168.10.10 (docbr0) Services / SSH / … +``` + +**10.2.2.0/24 (docbr0):** Horus schickt Traffic dorthin an OPNsense; OPNsense leitet weiter an **192.168.10.10** (bestehende Route/Gateway `VM101_DOCKER` — siehe [opnsense-docker-subnet-routing.md](../opnsense-docker-subnet-routing.md)). + +## Public Keys + +| Rolle | Public Key | +|-------|------------| +| Horus (Server) | `qXxhgerS2ORypVadhKCBuxgIX5Pu4J75nSWazdtd+Qk=` | +| OPNsense | `walbWTYXAGOD1mOxPK+NwKT6qUhLyY0qieWBeTIbdXU=` | +| VM 101 | `VB3Cf8kDxpzO+FyMrLxPyJ0vUjm8yJ/qIKmhY2KeeyI=` | + +## OPNsense einrichten + +Werte aus [opnsense-client.conf](opnsense-client.conf) in die GUI übernehmen. 
+ +**VPN → WireGuard → Local → +** + +| Feld | Wert | +|------|------| +| Enabled | ✓ | +| Name | `wg_horus` | +| Listen port | leer oder `51820` (nur ausgehend nötig) | +| Tunnel Address | `10.1.1.22/32` | +| MTU | `1250` | +| Private key | `[Interface] PrivateKey` aus `opnsense-client.conf` | + +**VPN → WireGuard → Endpoints → +** (Peer Horus) + +| Feld | Wert | +|------|------| +| Enabled | ✓ | +| Name | `horus` | +| Public Key | `qXxhgerS2ORypVadhKCBuxgIX5Pu4J75nSWazdtd+Qk=` | +| Shared Secret | `[Peer] PresharedKey` aus `opnsense-client.conf` | +| Allowed IPs | `10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 10.8.0.0/24` | +| Endpoint Address | `horus.jeanavril.com` | +| Endpoint Port | `61951` | +| Persistent Keepalive | `25` | + +Instance und Endpoint verknüpfen (Peer der Instance zuweisen — je nach OPNsense-Version unter **Local → Peers** oder Endpoint an Instance binden). + +### Interface zuweisen + +**Interfaces → Assignments → New → `wg_horus` (optX) → Save** + +Interface aktivieren, ggf. **Block private networks** auf WG-Interface deaktivieren (Site-to-Site). + +### Firewall + +| Regel | Interface | Direction | Source | Destination | Beschreibung | +|-------|-----------|-----------|--------|-------------|--------------| +| Pass | LAN / VLAN10 / … | in | Netz(e) | `10.1.1.0/24`, `10.8.0.0/24`, … | LAN → Horus-Netze | +| Pass | `optX` (WG) | in | `10.1.1.0/24` | LAN / VLANs | Horus → Heimnetz (Rückweg) | + +### Routing auf Horus + +Siehe [horus-server-peer-opnsense.conf](horus-server-peer-opnsense.conf) — bereits auf Horus aktiv. + +## Test + +```bash +# Handshake auf Horus (nach OPNsense-Aktivierung): +ssh jean@192.168.10.10 'ssh root@10.1.1.1 wg show wg0 | grep -A5 walbWTYX' + +# Von LAN-PC: +ping 10.1.1.1 +ssh root@10.1.1.1 # Keys: ../ssh/assembled/horus-root.pub +``` + +## VM 101 (optional später) + +VM 101 nutzt **10.1.1.5** ([vm101-client.conf](vm101-client.conf)) und advertised u.a. `10.2.0.0/16` an Horus. + +Wenn OPNsense stabil läuft: + +1. 
**Horus:** beim Peer `server5` LAN-Routen aus `AllowedIPs` entfernen — nur `10.1.1.5/32` behalten. +2. **VM:** `wg0` abschalten, wenn Cert-Sync angepasst ist. + +Nicht beides parallel dieselben Subnetze an Horus announcen. + +## Referenzen + +| Thema | Doc | +|-------|-----| +| Horus SSH-Keys | [../ssh/README.md](../ssh/README.md#horus-vps-wireguard) | +| docbr0 / 10.2.2.0/24 | [../../pve1/guests/vm101-ubuntu/docbr0-opnsense-routing.md](../../pve1/guests/vm101-ubuntu/docbr0-opnsense-routing.md) | +| VLAN-Übersicht | [../infrastruktur-netzwerk.md](../infrastruktur-netzwerk.md) | diff --git a/shared/horus-opnsense-wireguard/horus-server-peer-opnsense.conf b/shared/horus-opnsense-wireguard/horus-server-peer-opnsense.conf new file mode 100644 index 0000000..7ca9557 --- /dev/null +++ b/shared/horus-opnsense-wireguard/horus-server-peer-opnsense.conf @@ -0,0 +1,5 @@ +# Horus wg0 — Peer opnsense-jeanavril (Eintrag in /etc/wireguard/wg0.conf) +[Peer] +PublicKey = walbWTYXAGOD1mOxPK+NwKT6qUhLyY0qieWBeTIbdXU= +PresharedKey = z4VXyOG41/+4JbiUdkb055Bpyxlte+ecW7Bzdvb1s+w= +AllowedIPs = 10.1.1.22/32, 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24, 192.168.60.0/24, 10.2.2.0/24 diff --git a/shared/horus-opnsense-wireguard/horus-server-peer-vm101.conf b/shared/horus-opnsense-wireguard/horus-server-peer-vm101.conf new file mode 100644 index 0000000..2cff555 --- /dev/null +++ b/shared/horus-opnsense-wireguard/horus-server-peer-vm101.conf @@ -0,0 +1,5 @@ +# Horus wg0 — Peer server5 / VM 101 (Eintrag in /etc/wireguard/wg0.conf) +[Peer] +PublicKey = VB3Cf8kDxpzO+FyMrLxPyJ0vUjm8yJ/qIKmhY2KeeyI= +PresharedKey = xeXr67LSX7phEAAz6U+D+UhIFoLEvcSLs8qFu2/L4Cs= +AllowedIPs = 10.1.1.5/32, 192.168.2.0/24, 192.168.178.0/24, 10.1.2.0/24, 10.2.0.0/16 diff --git a/shared/horus-opnsense-wireguard/opnsense-client.conf b/shared/horus-opnsense-wireguard/opnsense-client.conf new file mode 100644 index 0000000..8d862da --- /dev/null 
+++ b/shared/horus-opnsense-wireguard/opnsense-client.conf @@ -0,0 +1,12 @@ +[Interface] +PrivateKey = AGEam06B9IKmy3wSNRUOLoeLIaGJ5q1ftasOs3qlHEI= +Address = 10.1.1.22/32 +MTU = 1250 +DNS = 10.1.1.1 + +[Peer] +PublicKey = qXxhgerS2ORypVadhKCBuxgIX5Pu4J75nSWazdtd+Qk= +PresharedKey = z4VXyOG41/+4JbiUdkb055Bpyxlte+ecW7Bzdvb1s+w= +Endpoint = horus.jeanavril.com:61951 +AllowedIPs = 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 10.8.0.0/24 +PersistentKeepalive = 25 diff --git a/shared/horus-opnsense-wireguard/vm101-client.conf b/shared/horus-opnsense-wireguard/vm101-client.conf new file mode 100644 index 0000000..b0774d2 --- /dev/null +++ b/shared/horus-opnsense-wireguard/vm101-client.conf @@ -0,0 +1,13 @@ +# VM 101 ubuntu — WireGuard Client zu Horus (Peer „server5“, 10.1.1.5) +# Quelle: /etc/wireguard/wg0.conf auf jean@192.168.10.10 +[Interface] +Address = 10.1.1.5/32 +ListenPort = 61951 +PrivateKey = SKMnLpkjSyCHCoKuKGEmd18uDk1u5UALgHKvL8FEr2E= + +[Peer] +PublicKey = qXxhgerS2ORypVadhKCBuxgIX5Pu4J75nSWazdtd+Qk= +PresharedKey = xeXr67LSX7phEAAz6U+D+UhIFoLEvcSLs8qFu2/L4Cs= +AllowedIPs = 10.1.1.0/24, 10.8.0.0/24, 10.1.3.0/24, 10.1.4.0/24, 192.168.0.0/24 +Endpoint = 207.180.222.207:61951 +PersistentKeepalive = 15
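Review bot: the four new files under shared/horus-opnsense-wireguard/ commit two WireGuard private keys (`PrivateKey = …` in opnsense-client.conf and vm101-client.conf) and both preshared keys in plaintext, and the README's "Configs inkl. Private Keys: privates Repo" makes repository privacy the only control. Once pushed, the values sit in git history in every clone, mirror and backup, so deleting the files later does not recover them. Suggest keeping only the public keys in the repo (the README's "Public Keys" table already carries them) and storing the .conf files outside git or encrypted at rest (git-crypt or sops/age), and, because these keys are now in a commit, regenerating them with `wg genkey` / `wg genpsk` and updating both ends at merge time.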
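Review bot: the link updates in pve1/guests/vm101-ubuntu/README.md and shared/git-und-repos.md move the reference from `shared/horus-opnsense-wireguard.md` to the new folder, but the diffstat lists only `create mode` entries and no deletion or rename of the old file. If it still exists it is now unreferenced and may carry stale values (its old description was "ohne VM"); either `git rm`/`git mv` it in this commit or leave a one-line pointer to `shared/horus-opnsense-wireguard/README.md` in it.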
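Review bot: the second rule in the README's "Firewall" table (Pass on `optX` (WG), source `10.1.1.0/24`, destination "LAN / VLANs") lets every host in the tunnel net, not just Horus 10.1.1.1, open connections to all LAN/VLANs. OPNsense is stateful, so replies to LAN-initiated traffic do not need this rule at all; it only matters for connections Horus itself initiates (per "Topologie" that is traffic to 10.2.2.0/24 → 192.168.10.10). Suggest scoping the source to `10.1.1.1/32` and the destination to those targets and ports, and adding a line stating that the other nets in the OPNsense-side AllowedIPs (10.1.2–4.0/24, 10.8.0.0/24) are intentionally not passed inbound.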
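Review bot: horus-server-peer-opnsense.conf assigns `10.2.2.0/24` to the OPNsense peer while horus-server-peer-vm101.conf still assigns `10.2.0.0/16` to server5, so the two peer blocks overlap as committed. WireGuard's cryptokey routing uses longest-prefix match across peers, so 10.2.2.0/24 reaches OPNsense and the rest of 10.2.0.0/16 still goes to VM 101, which is the intended migration state, but the README's "Nicht beides parallel dieselben Subnetze an Horus announcen" reads as if there were no overlap today. Suggest stating the current overlap explicitly in step 1 of "VM 101 (optional später)" and listing which peer currently owns which 192.168.x prefix (opnsense: 192.168.10–60.0/24; server5: 192.168.2.0/24, 192.168.178.0/24), so a later edit does not add an identical prefix to both peers, which would silently move it to whichever peer is configured last.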
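Review bot: in opnsense-client.conf the AllowedIPs line sends `10.1.2.0/24` into the tunnel, but on Horus that prefix is routed to the server5 peer (horus-server-peer-vm101.conf), i.e. back toward VM 101 on the home side; if 10.1.2.0/24 sits behind VM 101 this is a hairpin through the VPS, otherwise the "Topologie" section should say where that net lives. Also `DNS = 10.1.1.1` has no row in the README's "VPN → WireGuard → Local" table; either add the row or drop the line from the .conf so the file and the GUI walkthrough match. In vm101-client.conf, `ListenPort = 61951` is not needed on a client behind OPNsense that always dials out and `PersistentKeepalive = 15` differs from the 25 used for OPNsense; a short comment on why would help the later migration.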