[HN Gopher] Quick VPN Setup with AWS Lightsail and WireGuard
___________________________________________________________________
Quick VPN Setup with AWS Lightsail and WireGuard
Author : mcoliver
Score : 28 points
Date : 2023-06-07 20:37 UTC (2 hours ago)
(HTM) web link (mcoliver.substack.com)
(TXT) w3m dump (mcoliver.substack.com)
| thatcherc wrote:
| Fairly off-topic, but I've been having the hardest time finding a
| Wireguard configuration guide that lets me connect two peers (my
| phone and an SBC at my house behind my router) to a VPS peer
| (with a public IP) in a way that routes all the traffic from my
| phone through the SBC (via WG) and out to the internet via my
| home fiber connection. All the blog posts and tutorials I've seen
| have traffic going out through the VPS peer, with little
| explanation of how all the firewall and iptables commands might
| change if I wanted a different configuration. Has anyone seen a
| configuration like that, or know which networking concepts I
| should keep searching for to go in the right direction?
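The layout asked about above (phone and a home SBC both dialling out to a public VPS, with the phone's traffic leaving through the home connection rather than the VPS) can be expressed as three wg-quick configs. The script below is an added example, not code from the linked article or from anyone in this thread, and the addresses, interface names, endpoint hostname and placeholder keys in it are assumptions. The trick it relies on is that WireGuard picks the peer by longest AllowedIPs match: on the VPS the SBC is the `0.0.0.0/0` wildcard peer, the phone is `/32`, and a policy-routing rule sends anything sourced from the phone back into `wg0`:

```shell
#!/usr/bin/env bash
# Added example (not the article's or the commenters' code). Generates
# wg-quick configs for a relay layout:
#   phone (10.0.0.2) --wg--> VPS (10.0.0.1, public) --wg--> SBC (10.0.0.3,
#   behind home NAT, WAN side eth0) --> internet via the home connection.
# All addresses, the endpoint hostname and the "<...>" keys are assumptions;
# replace keys with the output of `wg genkey` / `wg pubkey`.
set -eu

WG_NET="10.0.0.0/24"
VPS_IP="10.0.0.1"; PHONE_IP="10.0.0.2"; SBC_IP="10.0.0.3"
VPS_ENDPOINT="vps.example.net:51820"   # placeholder public endpoint
SBC_WAN="eth0"                         # assumed WAN interface on the SBC

write_wg_configs() {
  out="$1"; mkdir -p "$out"

  # VPS: pure relay. Table=off keeps wg-quick from turning the SBC's
  # 0.0.0.0/0 AllowedIPs into the VPS's own default route. Table 100 is
  # consulted only for packets sourced from the phone; its default route
  # points back into wg0, where cryptokey routing hands the packet to the
  # wildcard peer (the SBC). rp_filter is loosened because return traffic
  # from the SBC arrives on wg0 with arbitrary internet source addresses.
  cat > "$out/vps.conf" <<EOF
[Interface]
Address = $VPS_IP/24
ListenPort = 51820
PrivateKey = <vps-private-key>
Table = off
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = sysctl -w net.ipv4.conf.all.rp_filter=2 net.ipv4.conf.%i.rp_filter=2
PostUp = ip rule add from $PHONE_IP lookup 100; ip route add default dev %i table 100
PostUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT
PostDown = ip rule del from $PHONE_IP lookup 100; ip route flush table 100

[Peer]
# phone: /32 wins the longest-prefix match over the SBC's wildcard
PublicKey = <phone-public-key>
AllowedIPs = $PHONE_IP/32

[Peer]
# SBC: receives everything not addressed to a more specific peer
PublicKey = <sbc-public-key>
AllowedIPs = 0.0.0.0/0
EOF

  # SBC: the real exit. Forwards tunnel traffic out of the home link and
  # masquerades it; it dials out to the VPS, so no inbound port is needed.
  cat > "$out/sbc.conf" <<EOF
[Interface]
Address = $SBC_IP/24
PrivateKey = <sbc-private-key>
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -s $WG_NET -o $SBC_WAN -j MASQUERADE
PostUp = iptables -A FORWARD -i %i -o $SBC_WAN -j ACCEPT
PostUp = iptables -A FORWARD -i $SBC_WAN -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s $WG_NET -o $SBC_WAN -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o $SBC_WAN -j ACCEPT
PostDown = iptables -D FORWARD -i $SBC_WAN -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

[Peer]
# VPS: must admit the phone's source address, hence the whole /24
PublicKey = <vps-public-key>
Endpoint = $VPS_ENDPOINT
AllowedIPs = $WG_NET
PersistentKeepalive = 25
EOF

  # Phone: ordinary full-tunnel client; the relay decision happens on the VPS.
  cat > "$out/phone.conf" <<EOF
[Interface]
Address = $PHONE_IP/24
PrivateKey = <phone-private-key>
DNS = 1.1.1.1

[Peer]
PublicKey = <vps-public-key>
Endpoint = $VPS_ENDPOINT
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Small sanity helper: number of [Peer] sections in a generated config.
peer_count() { grep -c '^\[Peer\]' "$1"; }

# Usage: ./gen-wg.sh ./out   (then copy each file to /etc/wireguard/wg0.conf
# on the matching host and run `wg-quick up wg0`).
if [ "${1:-}" != "" ]; then write_wg_configs "$1"; fi
```

On the VPS only UDP 51820 has to be opened (the article's `ufw` step); the SBC and phone initiate the tunnels and keep them alive with `PersistentKeepalive`, so nothing is exposed on the home router. The `DNS` entry on the phone is an assumed public resolver, substitute whatever you trust: with `0.0.0.0/0` routed into the tunnel, name lookups travel the same path as everything else. Compared with the usual "exit at the VPS" tutorials, the only changes are `Table = off` plus the `ip rule`/table 100 pair on the VPS, moving the MASQUERADE and FORWARD rules to the SBC, and widening the SBC's AllowedIPs on the VPS to the wildcard.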
| Nux wrote:
| What is an SBC and the phone's relation to it?
| lormayna wrote:
| Why not use an Ansible playbook? You can deploy it on any VPS
| without vendor lock-in.
| Nux wrote:
| I didn't care about the AWS and zsh aspects of the article, but
| what vendor lock-in are you talking about and how exactly would
| an Ansible playbook sort it?
|
| All you need is any Ubuntu VPS - in fact any systemd distro if
| you ignore the "ufw" commands - and the 50 or so lines
| following "WireGuard Setup".
|
| It doesn't get more simple than this.
| hejcloud wrote:
| Well, using the AWS CLI is locking you in to AWS, isn't it?
| And at least from my experience those "just 50 lines of
| shell" can get very messy over time. Eventually, if you add
| more features (pretty much every project gets more features
| over time), you will refactor once or twice and end up
| rewriting it in Python, make it more declarative because it's
| easier to test and tada, you just reinvented Ansible
| yourself. I think this question is legit.
| brazzledazzle wrote:
| Might be the only tooling they have experience using. "When the
| only thing you have is a hammer everything is a nail" sort of
| thing.
| [deleted]
| aborsy wrote:
| This VPN setup is great to use in public WiFi.
|
| But be aware that the IP address may not be private in cloud
| instances.
|
| Is it known to what extent the traffic is logged on AWS EC2 or
| Lightsail?
| [deleted]
| atomicnumber3 wrote:
| >traffic logging
|
| None! That's an enterprise feature, you'll have to contact
| sales for pricing.
| aborsy wrote:
| I guess your response indicates that the DNS records are not
| logged.
|
| I thought some metadata is logged, at least for security or
| to fight abuse, but probably for more reasons. But I'm not
| sure.
| jesuspiece wrote:
| ? VPC Flow Logs exist, as well as load balancer logs.
| slt2021 wrote:
| If you enable these features and pay for them? So just by
| not paying for these features will you get privacy
| naturally?
| hejcloud wrote:
| Question: Assuming PKI is "solved" (whatever that means), isn't
| mTLS, in contrast to something like a VPN, the preferred solution
| nowadays? Or both? I'm asking because WireGuard itself looks a
| lot like mTLS to me and I'm curious how HN people currently see
| that context.
| MallocVoidstar wrote:
| Easier to use https://github.com/trailofbits/algo
| tyingq wrote:
| Depending on the instance type, Lightsail easily gets throttled
| into oblivion. The $3.50/month instance allows for 5% utilization
| before you start eating up burst capacity. Perhaps WireGuard is
| light enough that it's okay, but thought it worth mentioning.
___________________________________________________________________
(page generated 2023-06-07 23:00 UTC)