Adam edited this page Sep 24, 2024 · 1 revision

The demo Docker environment has four hosts and three networks for testing multi-hop/nested tunnels, but only the first target host is reached in the examples below. Reaching the rest of the target hosts is left as an exercise for the reader.

┌──────────┐
│ client   │
│          │
│ 10.1.0.2 ├┬───────────────────────┐
│ fd:1::2  ---                      │
└──────────┼│                       │
           ││ exposed network       │
           ││ 10.1.0.0/16,fd:1::/64 │
┌──────────┼│                       │
│ 10.1.0.3 ---                      │
│ fd:1::3  ├┴───────────────────────┘
│          │
│ server   │
│          │
│ 10.2.0.3 ├┬───────────────────────┐
│ fd:2::3  ---                      │
└──────────┼│                       │
           ││ target network        │
           ││ 10.2.0.0/16,fd:2::/64 │
┌──────────┼│                       │
│ 10.2.0.4 ---                      │
│ fd:2::4  ├┴───────────────────────┘
│          │
│ target   │
│          │
│ 10.3.0.4 ├┬───────────────────────┐
│ fd:3::4  ---                      │
└──────────┼│                       │
           ││ target2 network       │
           ││ 10.3.0.0/16,fd:3::/64 │
┌──────────┼│                       │
│ 10.3.0.5 ---                      │
│ fd:3::5  ├┴───────────────────────┘
│          │
│ target2  │
└──────────┘

Video

wiretap_demo.mp4

Step-By-Step

You have unprivileged access to the server host and want to reach the target host from the client host using Wiretap.

Setup

Clone this repo.

Start the demo containers with:

docker compose up --build

Open new tabs for interactive sessions with the client and server machines:

docker exec -it wiretap-client-1 bash
docker exec -it wiretap-server-1 bash

Observe Network Limitations

The target network, and therefore the target host, is unreachable from the client machine. Both the server and target hosts are running a web service on port 80, so try interacting with each of the services from each of the hosts:

Accessing the server's web service from the client should work:

client$ curl http://10.1.0.3

Accessing the target web service from the client should not work, but doing the same thing from the server machine will:

client$ curl http://10.2.0.4   # fails
server$ curl http://10.2.0.4   # works

Configure

Configure Wiretap from the client machine. Remember, --endpoint is how the server machine should reach the client (IP:port) and --routes determines which traffic is routed through Wiretap.

  • --endpoint needs to be the client address and listening port: 10.1.0.2:51820
  • If no --port is specified, the client config will use the same port specified in the endpoint argument as the listening port. In this example, that would be 51820.
  • --routes needs to be the subnet of the target network: 10.2.0.0/16. The target network also has an IPv6 subnet, so add fd:2::/64 as well. If you only wanted to route traffic to the target host, you could put 10.2.0.4/32 here instead.

./wiretap configure --endpoint 10.1.0.2:51820 --routes 10.2.0.0/16,fd:2::/64

Install the newly created WireGuard configs with:

wg-quick up ./wiretap_relay.conf
wg-quick up ./wiretap.conf

Copy and paste the Wiretap arguments printed by the configure command into the server machine prompt. It should look like this:

WIRETAP_RELAY_INTERFACE_PRIVATEKEY=<key> WIRETAP_RELAY_PEER_PUBLICKEY=<key> WIRETAP_RELAY_PEER_ENDPOINT=10.1.0.2:51820 WIRETAP_E2EE_INTERFACE_PRIVATEKEY=<key> WIRETAP_E2EE_PEER_PUBLICKEY=<key> WIRETAP_E2EE_PEER_ENDPOINT=172.16.0.1:51821 ./wiretap serve

Test

The WireGuard handshake should be complete. Confirm with:

wg show

If the handshake was successful the client should be able to reach the target network transparently. Confirm by running the same test that failed before:

client$ curl http://10.2.0.4
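As an added example (not part of the Wiretap project or this demo), a small shell check that parses `wg show all dump` on the client and confirms that the peers on both interfaces created by `wiretap configure` have handshaked recently and that the subnets given to --routes are installed. The dump text, keys, endpoints and "now" timestamp below are constructed placeholders; real `wg show all dump` output is tab-separated, which the default awk field splitting also handles.

```shell
#!/bin/sh
# Added example, not Wiretap's own code. `wg show all dump` prints one line per
# interface (iface, private-key, public-key, listen-port, fwmark) followed by one
# line per peer (iface, public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake, rx-bytes, tx-bytes, keepalive). A handshake older than
# 180 s (or a zero timestamp) means the peers are not exchanging packets.

# Constructed sample; in real use feed "$(wg show all dump)" in instead.
SAMPLE_DUMP='wiretap_relay (priv) ClientRelayPub= 51820 off
wiretap_relay ServerRelayPub= (none) 10.1.0.3:40000 172.16.0.0/16 1727190000 5120 4096 0
wiretap (priv) ClientE2eePub= 51821 off
wiretap ServerE2eePub= (none) 172.16.0.2:51821 10.2.0.0/16,fd:2::/64 1727190010 3072 2048 0'

# tunnel_check DUMP NOW [MAX_AGE]: prints one line per peer, returns 0 only if
# every peer handshaked within MAX_AGE seconds (default 180) of NOW.
tunnel_check() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="${3:-180}" '
        NF == 5 { next }                      # interface line, nothing to check
        {
            age = now - $6
            status = ($6 > 0 && age <= max) ? "ok" : "STALE"
            if (status != "ok") bad++
            printf "%s peer %s: last handshake %ds ago [%s] routes=%s\n",
                   $1, substr($2, 1, 8), age, status, $5
        }
        END { exit (bad ? 1 : 0) }'
}

# route_present DUMP IFACE CIDR: returns 0 if CIDR is one of the allowed-ips
# of a peer on IFACE, i.e. traffic for it will enter the tunnel.
route_present() {
    printf '%s\n' "$1" | awk -v i="$2" -v c="$3" '
        NF > 5 && $1 == i {
            n = split($5, r, ",")
            for (k = 1; k <= n; k++) if (r[k] == c) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Stand-alone run against the constructed sample ("now" is constructed too).
if tunnel_check "$SAMPLE_DUMP" 1727190100 \
   && route_present "$SAMPLE_DUMP" wiretap 10.2.0.0/16 \
   && route_present "$SAMPLE_DUMP" wiretap fd:2::/64; then
    echo "tunnel up and target routes installed: try curl http://10.2.0.4"
else
    echo "tunnel not ready: re-check wg show and the serve command on the server" >&2
fi
```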

That's it! Try scanning, pinging, and anything else you can think of (please submit an issue if you think something should work but doesn't!). Here are a few ideas:

  • HTTP
    • curl http://10.2.0.4
    • curl http://[fd:2::4]
  • Nmap
    • nmap 10.2.0.4 -v
    • nmap -6 fd:2::4 -v
  • ICMP
    • ping 10.2.0.4
    • ping fd:2::4
  • UDP
    • nmap -sU 10.2.0.4 -v
    • nmap -sU -6 fd:2::4 -v

Exercise

Try to reach the second target by adding another server! You should be able to successfully run curl http://10.3.0.5 from the client host if performed correctly. The status command should output something similar to:

╭────────────────────────╮
│ Wiretap Network Status │
╰────────────┬───────────╯
             │
  ╭──────────┴──────────╮
  │client               │
  │                     │
  │  relay: Ta75SvIb... │
  │   e2ee: cXddDGWC... │
  │                     │
  ╰──────────┬──────────╯
             │
  ╭──────────┴──────────╮
  │server               │
  │  relay: kMj7HwfY... │
  │   e2ee: 3ipWthpJ... │
  │                     │
  │    api: ::2         │
  │ routes: 10.2.0.0/16 │
  ╰──────────┬──────────╯
             │
  ╭──────────┴──────────╮
  │server               │
  │  relay: GMkUzfDy... │
  │   e2ee: YOVI9nOv... │
  │                     │
  │    api: ::3         │
  │ routes: 10.3.0.0/16 │
  ╰─────────────────────╯

Teardown

To bring down the WireGuard interfaces on the client machine, run:

wg-quick down ./wiretap_relay.conf
wg-quick down ./wiretap.conf