diff --git a/Chaining-Warpgates-together.md b/Chaining-Warpgates-together.md new file mode 100644 index 0000000..e2e9da8 --- /dev/null +++ b/Chaining-Warpgates-together.md 
@@ -0,0 +1,77 @@ +Sometimes exposing a host on the network to the outside is not an option. In this case you can opt to forward connections from one Warpgate to another. + +Note: this is transparent to the client (except for two "warpgate connected" messages in interactive sessions) - there are no SSH "jump hosts" involved in this setup. + +# Copy outer Warpgate's public key + +* Run `warpgate client-keys` and copy the Ed25519 public key: + +``` +➜ ~ warpgate client-keys +16:55:10 INFO Using config: "/etc/warpgate.yaml" (users: 1, targets: 6, roles: 1) +Warpgate SSH client keys: +(add these to your target's authorized_hosts file) + +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAxxxx+3RBsT5 # <-- this line +rsa-sha2-256 AAAADHJzYS1zaGEyLTI1Ngxxxx +``` + +# Set up inner Warpgate + +* Add your targets as usual +* Add a "jump user" (here we'll be using `wg-jump` as a username) and add the outer Warpgate's public key as a credential: + +```diff + users: ++ - username: wg-jump ++ roles: ['warpgate:admin'] # Note that we're adding the user to the admin group for simplicity here ++ credentials: ++ - type: publickey ++ key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAxxxx+3RBsT5 + +``` + +* Add the targets on the inner network as well: + +```diff + targets: + - name: Web admin + allow_roles: + - "warpgate:admin" + web_admin: {} ++ - name: server-behind-jump ++ allow_roles: ++ - warpgate:admin ++ ssh: ++ host: 192.168.77.2 +``` + +* Check your config with `warpgate check`. +* Check connection to the target with `warpgate test-target server-behind-jump` + +# Set up outer Warpgate + +* Add the targets on the inner network again, using the inner Warpgate's address and port, as well as the Warpgate-style username: + +``` + targets ++ - name: internal-server ++ allow_roles: ['warpgate:admin'] ++ ssh: ++ host: 192.168.77.1 ++ port: 2222 ++ username: 'wg-jump:server-behind-jump' +``` + +* Check your config with `warpgate check`. 
+* Check connection to the target _through the inner Warpgate_ with `warpgate test-target internal-server` + +# Connect + +You can now grab the connection command from the landing page (or the admin UI) as usual and test it on a client: + +``` +ssh :internal-server@ -p +``` + +Note that the names user in the internal Warpgate's config file are not exposed to users. \ No newline at end of file
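Review bot: the outer Warpgate `targets` snippet is malformed as YAML (`targets` needs a trailing colon to read `targets:`) and its fence is untagged while the two inner-Warpgate snippets use ```diff; the same fence style should be used so the `+` markers render consistently. The `ssh :internal-server@ -p` connection command has lost its placeholders (username, host and port are missing), presumably angle-bracket tokens stripped on rendering, so it should be rewritten with escaped or backticked placeholders that survive markdown. In the inner-Warpgate section, the jump user is placed in `warpgate:admin` "for simplicity"; since that identity is reachable from the outer Warpgate, a dedicated role listed only in `allow_roles` of the inner targets (rather than the admin role, which also grants the `Web admin` target) would keep the chained path least-privilege and is worth stating as the recommended setup instead of a comment. Finally, the closing sentence has a typo: "the names user in the internal Warpgate's config" should read "the names used in the inner Warpgate's config".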