Part 7 – Migrating SSH access
Migrate SSH to Wireguard interface
Notice that I am running SSH on a non-standard port. The default is 22 and is often changed to reduce the number of bots spamming it on public servers. When running over VPN, it is safe to return back to the default 22 for simpler configuration.
Configure SSH on all interfaces
Currently my iptables firewall accepts SSH traffic on all interfaces on the correct port. SSH server configuration resides in /etc/ssh/ssdh_config. In this file ListenAddress is currently pointed to the public IP only. To bind both the public and Wireguard IP, replace the old value of ListenAddress with 0.0.0.0 and restart the service (your SSH connection won't be droped)
....
Port 7985
#AddressFamily any,inet
ListenAddress 0.0.0.0
#ListenAddress ::
....$ sudo systemctl restart sshd$ systemctl status sshd
sudo systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-09-21 20:02:01 CEST; 4s ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 3503 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 3504 (sshd)
CPU: 55ms
CGroup: /system.slice/ssh.service
└─3504 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
Sep 21 20:02:00 hostname systemd[1]: ssh.service: Succeeded.
Sep 21 20:02:00 hostname systemd[1]: Stopped OpenBSD Secure Shell server.
Sep 21 20:02:00 hostname systemd[1]: Starting OpenBSD Secure Shell server...
Sep 21 20:02:01 hostname sshd[3504]: Server listening on 0.0.0.0 port 7985.
Sep 21 20:02:01 hostname systemd[1]: Started OpenBSD Secure Shell server.Connect SSH using the Wireguard server IP
Open another terminal windows on the machine that you use to connect to the server (Windows clients in my case):
> ssh username@10.20.20.1 -p 7985It will give you the classic warning about unknown ECDSA fingerprint, type yes to procceed.
The authenticity of host '[10.20.20.1]:7985 ([10.20.20.1]:7985)' can't be established.
ECDSA key fingerprint is SHA256:&UIhigdanUYdfs/wF56atgafd851jL4w9uT564sg6133.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.20.20.1]:7985' (ECDSA) to the list of known hosts.Voila...you should be in. Before binding SSH to the Wireguard interface only, edit SSHd service to start after wg-quick. Currently, SSHd doesn't care if wg-quick already started or not and might try to bind to an interface that doesn't exist yet. See the config now:
$ sudo systemctl cat sshd
[Unit]
Description=OpenBSD Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
Alias=sshd.serviceEdit the config like this: (changes on the Requires and After line)
$ sudo systemctl edit --full sshd
[Unit]
Description=OpenBSD Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
Requires=wg-quick@wg0.service
After=network.target auditd.service wg-quick@wg0.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
Alias=sshd.serviceReload systemctl daemon to make the new configuration active:
$ sudo systemctl daemon-reloadI am now going to reboot the server for the last time I hope to see whether all services started up in a correct order and everything works. Surprise, surprise – it does.
Limit SSH to the Wireguard interface only
Go back to the sshd config file in /etc/ssh/sshd_config and set the ListenAddress field to 10.20.20.1. Restart sshd to apply.
$ sudo systemctl restart sshdNotice sshd binding to the Wireguard interface.
$ systemctl status sshd
...
Sep 21 22:53:20 hostname sshd[301]: Server listening on 10.20.20.1 port 7985.
...Check netstat to confirm that everything is running on the Wireguard interface:
$sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 76/python3
tcp 0 0 10.20.20.1:7985 0.0.0.0:* LISTEN 301/sshd: /usr/sbin
tcp 0 0 10.20.20.1:80 0.0.0.0:* LISTEN 149/nginx: master p
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 71/systemd-resolved
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 230/uwsgi
tcp 0 0 10.20.20.1:443 0.0.0.0:* LISTEN 149/nginx: master p
tcp 0 0 127.0.0.1:4004 0.0.0.0:* LISTEN 80/filtron
tcp 0 0 127.0.0.1:4005 0.0.0.0:* LISTEN 80/filtron
udp 0 0 127.0.0.53:53 0.0.0.0:* 71/systemd-resolved
udp 0 0 0.0.0.0:51895 0.0.0.0:* -
udp6 0 0 :::51895 :::* -Adjust iptables
Make a last slight change to the iptables configuration in /etc/iptables/rules.v4 by restricting SSH to the wg0 interface
Replace the line
-A INPUT -p tcp -m tcp --dport 7985 -j ACCEPTwith
-A INPUT -i wg0 -p tcp -m tcp --dport 7985 -j ACCEPTApply iptables using iptables-restore
$ sudo iptables-restore /etc/iptables/rules.v4This should be it. Turned out to be way more complicated than expected, but that's exactly how it usually works, but unexpected things occur :)
Recap what we have managed to do today:
- Setup Wireguard with 3 peers (Linux server, Windows and Android client)
- Setup web services and SSH on correct interfaces
- Setup a DNS server for our clients
- Adjust network firewall and make it persistent
Doesn't seems like a lot, though when you look through this entire article, it's clear that it took some serious research and troubleshooting (just like any other IT thing, right?).
No Comments