Weeknotes - Vault Agent, WireGuard, more WireGuard

Not a ton of side-project work the last week or so, though I have been slowly incorporating Go into my toolbox at work. Think SSO OAuth API calls wrapped in a friendly, portable CLI tool.

I did however update query-bot to use Slack's "App" API authentication flow. Thanks to this PR finally merging. Expect a proper release soon-ish!

Dynamic WireGuard configurations with Vault Agent Templates

Also in the background I've been toiling away on a project to bring together a WireGuard-gated Nomad, Consul, and Vault deployment model that is packed full of things like mTLS, ACLs, and dynamic, Vault-derived secrets.

Last week I implemented a Vault Agent Template for my WireGuard configuration and it's been great not having to bake my WireGuard peer configurations into my machine images.

A sample of the template:

[Interface]
Address = 10.0.0.1/24,fd10::1/64
ListenPort = 51800
PostUp = /etc/wireguard/postup.sh
PostDown = /etc/wireguard/postdown.sh
{{- with secret "kv/node/wireguard" }}
PrivateKey = {{ .Data.data.private_key }}
{{ end }}

{{ range secrets "kv/metadata/node/wireguard-peers/" -}}
{{ with secret (printf "kv/node/wireguard-peers/%s" .) -}}
[Peer]
# {{ .Data.data.description }}
PublicKey = {{ .Data.data.public_key }}
AllowedIPs = {{ .Data.data.allowed_ips }}

{{ end }}
{{- end }}

Vault Agent configuration:

# WireGuard templates
template {
  source      = "/etc/wireguard/wg0.conf.tpl"
  destination = "/etc/wireguard/wg0.conf"
  command     = "systemctl restart wg-quick@wg0.service"
}

I know that I can use wg syncconf to hot-reload the configuration, but I have yet to implement that due to some blocking factors.
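As an added example that is not from the post, here is a small shell helper for the template's command hook: it validates the rendered wg0.conf (every [Peer] has a PublicKey and AllowedIPs, exactly one PrivateKey, no value rendered empty because a KV entry was missing) and only then hot-reloads with wg syncconf instead of restarting wg-quick. The script path /etc/wireguard/reload.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the original post).
# Validate a Vault-Agent-rendered WireGuard config, then apply it with `wg syncconf`.
set -eu

# validate_wg_conf FILE
# Returns 0 when [Interface] has exactly one PrivateKey and every [Peer] has a
# PublicKey and AllowedIPs; returns 1 otherwise. Catches the typical template
# failure mode: a missing KV field rendering as "Key =" with an empty value.
validate_wg_conf() {
  file=$1; section=""; private_keys=0; peers=0; pubkeys=0; allowed=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                      # drop comments (e.g. the peer description)
    line=${line#"${line%%[![:space:]]*}"} # trim leading whitespace
    line=${line%"${line##*[![:space:]]}"} # trim trailing whitespace
    [ -z "$line" ] && continue
    case $line in
      '[Interface]') section=interface ;;
      '[Peer]')      section=peer; peers=$((peers + 1)) ;;
      \[*\])         echo "unknown section: $line" >&2; return 1 ;;
      *=*)
        key=${line%%=*}; key=${key%"${key##*[![:space:]]}"}
        val=${line#*=};  val=${val#"${val%%[![:space:]]*}"}
        [ -n "$val" ] || { echo "empty value for $key (missing secret?)" >&2; return 1; }
        case "$section/$key" in
          interface/PrivateKey) private_keys=$((private_keys + 1)) ;;
          peer/PublicKey)       pubkeys=$((pubkeys + 1)) ;;
          peer/AllowedIPs)      allowed=$((allowed + 1)) ;;
        esac ;;
      *) echo "malformed line: $line" >&2; return 1 ;;
    esac
  done < "$file"
  [ "$private_keys" -eq 1 ] || { echo "expected one PrivateKey, got $private_keys" >&2; return 1; }
  [ "$peers" -ge 1 ] || { echo "no [Peer] sections rendered" >&2; return 1; }
  [ "$pubkeys" -eq "$peers" ] && [ "$allowed" -eq "$peers" ] ||
    { echo "every [Peer] needs PublicKey and AllowedIPs" >&2; return 1; }
}

# reload_wg IFACE FILE: validate first, then sync keys/peers without tearing the
# tunnel down. `wg-quick strip` removes wg-quick-only keys (Address, PostUp, ...)
# that wg(8) rejects; changes to those keys still need a wg-quick restart.
reload_wg() {
  validate_wg_conf "$2"
  wg-quick strip "$2" | wg syncconf "$1" /dev/stdin
}

# Entrypoint for the Vault Agent template stanza, replacing the systemctl restart:
#   command = "/etc/wireguard/reload.sh wg0 /etc/wireguard/wg0.conf"
if [ $# -eq 2 ]; then reload_wg "$1" "$2"; fi
```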

Bookmarked

WireGuard Endpoint Discovery and NAT Traversal using DNS-SD
https://www.jordanwhited.com/posts/wireguard-endpoint-discovery-nat-traversal/

  • This type of deep-dive is my happy place. WireGuard + DNS + NAT trickery further makes the case for WireGuard as a minimal, secure, and performant tunnel technology.

Notes on building debugging puzzles
https://jvns.ca/blog/2021/04/16/notes-on-debugging-puzzles/

  • Julia Evans never stops introducing novel methods of knowledge sharing, and this post about her foray into interactive, debugging puzzles is right in line with her usual high-quality content. Plus, it's about DNS!