Interacting with MITIGATOR via VPN

Collector and MITIGATOR interact via Wireguard.

Collector has a key pair: a private key and a public key, like every MITIGATOR instance. The private key is stored only on Collector in vpn-private.conf. The public keys of all VPN nodes are listed in vpn-public.conf, which must be the same for all nodes.

VPN Collector address is specified as COLLECTOR_VPN_ADDRESS in .env.

VPN is maintained by gateway service. It configure VPN according to vpn-private.conf, vpn-public.conf, COLLECTOR_VPN_ADDRESS.

Info

If you need to change gateway settings other than *.conf, you need to completely restart Collector (docker-compose down && docker-compose up -d).
If only the VPN membership changes, the docker-compose exec gateway reconfigure command allows you to update the VPN configuration without restarting Collector.

System Preparation

Kernel Module

Ubuntu 20.04+ includes Wireguard in the base distribution, no additional steps required.

Debian 10 requires installation of a ported package:

echo deb http://deb.debian.org/debian buster-backports main > /etc/apt/sources.list.d/buster-backports.list
apt update
apt install -y linux-headers-amd64 wireguard-dkms

You can check support with the modprobe wireguard command. If nothing is printed in response, the module is available. In this case, it is enough to configure its automatic loading. Otherwise, a reboot is required.

To add wireguard to automatic load:

echo wireguard >> /etc/modules-load.d/collector.conf

Tool Installation

Install wg utility:

apt install -y wireguard-tools

Setup

All of the files are created in /srv/collector catalog.

If you configure not the first VPN node, the vpn-public.conf file must be taken from any of the configured nodes.

  1. Create the private key (Resulting example: yDPg5doavYH7fdD86nt+cOzSBL4znVZcrcrJwjY/Xmw=):

    wg genkey
  2. Write the key in vpn-private.conf:

    [Interface]
    ListenPort = 4567
    PrivateKey = yDPg5doavYH7fdD86nt+cOzSBL4znVZcrcrJwjY/Xmw=

    The specified port 4567 must be open for UDP traffic.

  3. Get public key from private key (Resulting example: acfzxE6ZsiYE4jIqsBicOt7oT8ZuKhxBvuz0+6JxiEc=):

    echo 'yDPg5doavYH7fdD86nt+cOzSBL4znVZcrcrJwjY/Xmw=' | wg pubkey
  4. Add a section with the public key and VPN nodes addresses to vpn-public.conf (create a file if this is the first node):

    [Peer]
    PublicKey = acfzxE6ZsiYE4jIqsBicOt7oT8ZuKhxBvuz0+6JxiEc=
    AllowedIPs = 10.8.3.1/32
    Endpoint = 192.0.2.1:4567

    10.8.3.1 — Collector address inside VPN. Must be unique among all VPN nodes. All addresses must be within the same /24 network (default).

    192.0.2.1:4567 — external address of the Collector and the port configured above. Other instances will send UDP packets to this address and port.

  5. Download docker-compose.vpn.yml file:

    wget https://docs.mitigator.ru/collector/v24.07/dist/docker-compose.vpn.yml
  6. Edit the address of the Collector inside the VPN in .env file:

    COLLECTOR_VPN_ADDRESS=X.X.X.X

    It must match the one configured in vpn-public.conf.

  7. Restart Collector:

    docker-compose down && docker-compose up -d
  8. After adding a new VPN node to the vpn-public.conf file, or when changing vpn-private.conf, you need to make changes on all nodes.

    Update the VPN configuration on each node without restarting:

    docker-compose exec gateway reconfigure