Interacting with MITIGATOR via VPN
Collector and MITIGATOR interact via Wireguard.
Collector has a key pair:
a private key and a public key, like every MITIGATOR instance.
The private key is stored only on Collector in vpn-private.conf
.
The public keys of all VPN nodes are listed in vpn-public.conf
,
which must be the same for all nodes.
VPN Collector address is specified as COLLECTOR_VPN_ADDRESS
in .env
.
VPN is maintained by gateway
service.
It configure VPN according to vpn-private.conf
, vpn-public.conf
,
COLLECTOR_VPN_ADDRESS
.
If you need to change gateway
settings other than *.conf
, you need to
completely restart Collector (docker-compose down && docker-compose up -d
).
If only the VPN membership changes, the docker-compose exec gateway reconfigure
command allows you to update the VPN configuration without restarting Collector.
System Preparation
Kernel Module
Ubuntu 20.04+ includes Wireguard in the base distribution, no additional steps required.
Debian 10 requires installation of a ported package:
echo deb http://deb.debian.org/debian buster-backports main > /etc/apt/sources.list.d/buster-backports.list
apt update
apt install -y linux-headers-amd64 wireguard-dkms
You can check support with the modprobe wireguard
command. If nothing is printed
in response, the module is available. In this case, it is enough to configure its
automatic loading. Otherwise, a reboot is required.
To add wireguard to automatic load:
echo wireguard >> /etc/modules-load.d/collector.conf
Tool Installation
Install wg
utility:
apt install -y wireguard-tools
Setup
All of the files are created in /srv/collector
catalog.
If you configure not the first VPN node, the vpn-public.conf
file
must be taken from any of the configured nodes.
Create the private key (Resulting example:
yDPg5doavYH7fdD86nt+cOzSBL4znVZcrcrJwjY/Xmw=
):wg genkey
Write the key in
vpn-private.conf
:[Interface] ListenPort = 4567 PrivateKey = yDPg5doavYH7fdD86nt+cOzSBL4znVZcrcrJwjY/Xmw=
The specified port 4567 must be open for UDP traffic.
Get public key from private key (Resulting example:
acfzxE6ZsiYE4jIqsBicOt7oT8ZuKhxBvuz0+6JxiEc=
):echo 'yDPg5doavYH7fdD86nt+cOzSBL4znVZcrcrJwjY/Xmw=' | wg pubkey
Add a section with the public key and VPN nodes addresses to
vpn-public.conf
(create a file if this is the first node):[Peer] PublicKey = acfzxE6ZsiYE4jIqsBicOt7oT8ZuKhxBvuz0+6JxiEc= AllowedIPs = 10.8.3.1/32 Endpoint = 192.0.2.1:4567
10.8.3.1
— Collector address inside VPN. Must be unique among all VPN nodes. All addresses must be within the same /24 network (default).192.0.2.1:4567
— external address of the Collector and the port configured above. Other instances will send UDP packets to this address and port.Download
docker-compose.vpn.yml
file:wget https://docs.mitigator.ru/collector/v24.07/dist/docker-compose.vpn.yml
Edit the address of the Collector inside the VPN in
.env
file:COLLECTOR_VPN_ADDRESS=X.X.X.X
It must match the one configured in
vpn-public.conf
.Restart Collector:
docker-compose down && docker-compose up -d
After adding a new VPN node to the
vpn-public.conf
file, or when changingvpn-private.conf
, you need to make changes on all nodes.Update the VPN configuration on each node without restarting:
docker-compose exec gateway reconfigure