Categories
Linux Network Security Ubuntu

WireGuard – Minor Bumps in the Road

A couple of issues I’ve ran into whilst using WireGuard:

IPv6 preferred over IPv4

I use DDNS at home on my Mikrotik with the /ip cloud feature, it is a really simple way to map a dynamic IP address to a static host name.

I used this static host name for the Wireguard server, unfortuantly the IPv6 address is for the router rather than the server.

WireGuard no matter how long I leave it for does not try use the IPv4 address if an IPv6 address is also present on the hostname

For now I have had to disable my IPv6 HE.net tunnel and stick with IPv4.

Pings and traffic suddenly stop working

After a period of time, I was unable to ping the clients at the other end of the WireGuard tunnel. I assume it was due to something, like Network Address Translation, timing out.

This was a fairly trival fix by adding by adding the PersistentKeepalive to the configuration

[Peer] 
PersistentKeepalive = 10

This sends a packet across the tunnel every 10 seconds to show any other network appliances that the traffic stream is ‘active’.

Categories
Network Security Ubuntu

Checking out Wireguard – Server Installation

Wireguard is the new kid on the block to open source VPN servers, let’s check it out.

The code base is described as slim, quick, and easy to set up.

I’m starting off with a new and ready to go Ubuntu 20.04 installation, let’s check out Wireguard

I start things off with installing the WireGuard package

sudo apt install wireguard

I switch to the root user and navigate to the /etc/wireguard folder, we can’t access the /etc/wireguard folder being just a normal user. That’s for a good reason too.

sudo -i
cd /etc/wireguard

Now that we are in the folder, we want to create our private key and public key.

The private and public keys make up the main security border to getting access to the Wireguard server so we will want to be careful with these.

We restrict access with our certificates by creating them with special file permissions to allow the ‘root’ user to only have access.

By setting the command umask 077; only the owner and group ‘root’ will have access to these certificates

umask 077

We can now safely generate our private and public keys, we accomplish this by running the command below:

wg genkey | tee privatekey | wg pubkey > publickey

This command generates a private key, sends that output to a file ‘privatekey’ and also sends it to another Wireguard command to generate a public key.

A key part to remember here is that that the private key is to be kept private!

Let’s create a configuration file for Wireguard within /etc/wireguard with nano

nano wg0.conf

Populate the file with the information below

[Interface]
# A seperate IP range for your VPN clients
Address = 10.X.X.254/24
# VPN Server Port
ListenPort = 51820
# The Servers Private Key
PrivateKey = Enter the value from the privatekey file here

We’ll likely want the server to run at boot time which can be enabled with this command

sudo systemctl enable wg-quick@wg0

And we can switch Wireguard on now with this command:

sudo systemctl start wg-quick@wg0

To verify the server has started OK, check that it’s IP address shows with network status:

# ip a show wg0

3: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.X.X.254/24 scope global wg0
valid_lft forever preferred_lft forever

Great! The server is running. Port forwarding to the server is outside of the scope of this post, but I have forwarded UDP 51820 on my router to the private IP address of the Ubuntu system.

Let’s set up a client to test with, I’ll use my Android Phone with the WireGuard app below:

https://play.google.com/store/apps/details?id=com.wireguard.android&hl=en_GB

After setting up the WireGuard app on the phone, creating a new profile will require copying the public key from the server to the phone.

The settings I went for on the phone app are as follows:

Name – Whatever

Private Key – Tapped a few times to generate

Public Key – Copy this and keep it safe for your server configuration

Addresses: Enter the clients IP address here

DNS Servers: Enter the DNS server you want to use whilst connected to the VPN

There is an option to add a peer, this is where the server details go:

Public Key – Public key from the server

Pre-shared key – Blank

Persistent keepalive – Blank

Endpoint – Enter the VPN server address, if you have port forwarded this will be the WAN IP

Allowed IP/s – Traffic that should be routed to the VPN server, if you want to route all traffic enter 0.0.0.0/0

The phone will generate it’s own public key which will need to be copied back to the server.

Add the section of the client to the wg0.conf file with nano:

[Peer]
# The Public Key Provided By The Client
PublicKey = ThePublicKeyCopiedFromTheClient
# The Clients IP Address
AllowedIPs = 10.X.X.1/32

Once that is done we can restart the client:

sudo systemctl stop wg-quick@wg0
sudo systemctl start wg-quick@wg0

At this stage if you connect the client to the server, both sides should be able to ping each other.

As I’ll be using this to access the rest of my LAN, it will be good to allow the Ubuntu OS to forward packets onwards. This is quite easy to do by running this command:

sysctl -w net.ipv4.ip_forward=1

This concludes the set-up of WireGuard server, a lot easier than OpenVPN for sure!

Categories
Linux Postfix Ubuntu

Adding SPF checking to incoming mail on Postfix (Ubuntu 16.04)

Install the required packages:

apt-get install postfix-policyd-spf-python postfix-pcre

Our server runs amavis-new, so we don’t want postfix to reject the mail outright but rather mark the headers so we need to edit some settings in the file:

/etc/postfix-policyd-spf-python/policyd-spf.conf

HELO_reject default option is SPF_Not_Pass

The options available to us are:

SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail.
Softfail - Reject if result Softfail and Fail
Fail - Reject on HELO Fail
Null - Only reject HELO Fail for Null sender (SPF Classic)
False - Never reject/defer on HELO, append header only. 
No_Check - Never check HELO.

The option I’ll select is False and allow the filtering to happen later in process (likely with a Dovecot sieve)

Mail_From_reject default option is Fail

The options available to us are:

SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
Softfail - Reject if result Softfail and Fail
Fail - Reject on Mail From Fail (default)
False - Never reject/defer on Mail From, append header only
No_Check - Never check Mail From/Return Path.

Again I’ll change this to False. Leaving my complete configuration file as:

 debugLevel = 1
 defaultSeedOnly = 1

 HELO_reject = False
 Mail_From_reject = False

 PermError_reject = False
 TempError_Defer = False

 skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

We now move onto our master.cf file in the /etc/postfix directory and add this at the end:

policyd-spf  unix  -       n       n       -       0       spawn
     user=policyd-spf argv=/usr/bin/policyd-spf

We move onto main.cf now and add a line to extend the timeout of checking a SPF record:

policyd-spf_time_limit = 3600

And finally adjust our smtpd_recipient_restrictions to account for the new SPF check

smtpd_recipient_restrictions = reject_unauth_destination, check_policy_service unix:private/policyd-spf

Restart Postfix to check it’s working:

Jul  1 19:47:01 brwn-one policyd-spf[29555]: Pass; identity=mailfrom; client-ip=209.85.128.48; helo=mail-wm1-f48.google.com; envelope-from=yyy@gmail.com; receiver=xxx@brwn.uk