tastyteablog

WireGuard VPN with 2 or more subnets

tastytea@tastytea.de (tastytea) — Thu, 14 Feb 2019 21:38:28 +0100

I wanted to create a WireGuard VPN with 2 subnets in different physical places, each with their own server. I couldn’t find an example how to do that, so I wrote this one.

Introduction

I’m going to use the IP range fd69::/48 for the VPN, fd69:0:0:1::/64 for subnet 1 and fd69:0:0:2::/64 for subnet 2. I’m going to call the server of subnet 1 server1, its first client client1a, the second one client1b and so on.

All clients in subnet 1 will connect to server1 and all clients in subnet 2 will connect to server2. server1 and server2 will be connected. If client1a wants to connect to client2a, the route will be: client1a → server1 → server2 → client2a.

Preparations

Install WireGuard, create /etc/wireguard and generate a key-pair on each participating peer.

mkdir /etc/wireguard
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Configure servers

server1:/etc/wireguard/wg0.conf:

# This peer
[Interface]
Address = fd69:0:0:1::1/48
PrivateKey = <PRIVATE KEY OF server1>
ListenPort = 51820

# Server of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server2:51820
AllowedIPs = fd69:0:0:2::/64

# Clients of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF client1a>
AllowedIPs = fd69:0:0:1::a/128

[Peer]
PublicKey = <PUBLIC KEY OF client1b>
AllowedIPs = fd69:0:0:1::b/128

server2:/etc/wireguard/wg0.conf:

# This peer
[Interface]
Address = fd69:0:0:2::1/48
PrivateKey = <PRIVATE KEY OF server2>
ListenPort = 51820

# Server of subnet 1
[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69:0:0:1::/64

# Clients of subnet 2
[Peer]
PublicKey = <PUBLIC KEY OF client2a>
AllowedIPs = fd69:0:0:2::a/128

Configure clients

client1a:/etc/wireguard/wg0.conf:

[Interface]
Address = fd69:0:0:1::a/48
PrivateKey = <PRIVATE KEY OF client1a>

[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25

client1b:/etc/wireguard/wg0.conf:

[Interface]
Address = fd69:0:0:1::b/48
PrivateKey = <PRIVATE KEY OF client1b>

[Peer]
PublicKey = <PUBLIC KEY OF server1>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25

client2a:/etc/wireguard/wg0.conf:

[Interface]
Address = fd69:0:0:2::a/48
PrivateKey = <PRIVATE KEY OF client2a>

[Peer]
PublicKey = <PUBLIC KEY OF server2>
Endpoint = server1:51820
AllowedIPs = fd69::/48
PersistentKeepalive = 25

The AllowedIPs setting acts as a routing table. When a peer tries to send a packet to an IP, it will check AllowedIPs, and if the IP appears in the list, it will send it through the WireGuard interface.

The PersistentKeepalive setting ensures that the connection is maintained and that the peer continues to be reachable, even behind a NAT.

Start VPN

Run wg-quick up wg0 on each peer.

Using AsciiDoc(tor) with Gitea

tastytea@tastytea.de (tastytea) — Sat, 26 Jan 2019 13:03:36 +0100

In this blogpost I describe what I did to get AsciiDoc support into Gitea. If you want more than syntax highlighting and basic formatting, Gitea has to be patched unfortunately(this issue has already been reported). But I think most people will only need to edit 1 configuration file and are done.

Asciidoctor or AsciiDoc?

Asciidoctor has inbuilt support for highlight.js, the solution Gitea uses and is therefore the best choice in most scenarios. If you can’t or don’t want to use it you can use AsciiDoc.

Add the following section to conf/app.ini in your Gitea path. The change causes .adoc files to be rendered with asciidoctor.

[markup.asciidoc]
ENABLED = true
; List of file extensions that should be rendered by an external command
FILE_EXTENSIONS = .adoc,.asciidoc
; External command to render all matching extensions
RENDER_COMMAND = "asciidoctor --backend=html5 --no-header-footer --attribute source-highlighter=highlightjs --out-file=- -"
; Don't pass the file on STDIN, pass the filename as argument instead.
IS_INPUT_FILE = false

If you want to use asciidoc instead the command would be: asciidoc --backend=xhtml11 --no-header-footer --attribute source-highlighter=highlight --out-file=- -. I would choose the xhtml11 backend because it is the only one that encloses code snippets with <code> tags. Instead of highlight you can use source-highlight or Pygments.

If you use asciidoctor and don’t need tables or other fancy stuff you’re now done! If you use asciidoc, you’ll have to patch Gitea to get syntax highlighting.

Patching Gitea

The sanitizer strips almost all attributes from HTML-tags, as a security precaution. I’ve added exceptions for:

class attributes on all the tags Asciidoctor introduces,
Numerous attributes on table tags,
align and valign on td tags,
style attributes on span tags, but only if they contain nothing more than color and font definitions.

If you use Asciidoctor with highlight.js output, you don’t need to allow style attributes, if you don’t use tables you can omit the lines that deal with them and the class exception is only useful if you add custom CSS to use them.

Apply the patch with patch -p1 < gitea_relax-sanitizer.patch.

diff -ur a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
--- a/modules/markup/sanitizer.go   2019-01-26 16:04:56.014108339 +0100
+++ b/modules/markup/sanitizer.go   2019-01-26 16:03:21.776401012 +0100
@@ -38,6 +38,16 @@
 
        // Custom URL-Schemes
        sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
+       // Allow style on span tags
+       sanitizer.policy.AllowAttrs("style").Matching(regexp.MustCompile(`^(background-)?color:[^;]+(; ?font[^;]+)?;?$`)).OnElements("span")
+
+       // Allow class attribute
+       sanitizer.policy.AllowAttrs("class").OnElements("code", "pre", "span", "div", "p", "table", "td")
+
+       // Allow table attributes
+       sanitizer.policy.AllowAttrs("width", "frame", "rules", "cellspacing", "cellpadding").OnElements("table")
+       sanitizer.policy.AllowAttrs("width").OnElements("col")
+       sanitizer.policy.AllowAttrs("align", "valign").OnElements("td")
    })
 }

Tables without borders

I used tables without borders in a manpage I wrote for the list of options. Gitea insist on drawing borders around them, so I had to create a custom CSS snippet.

In your Gitea directory, create custom/templates/custom/header.tmpl.

<style>
    /* Additions for asciidoc */
    .markdown:not(code) table.frame-none
    {
        border: 0 !important;
    }
    .markdown:not(code) table.grid-none *
    {
        border: 0 !important;
    }
</style>