warp-tech/warpgate
1
1
Fork 0
mirror of https://github.com/warp-tech/warpgate.git synced 2025-02-21 22:15:24 +08:00
Code Issues Projects Releases Packages Wiki Activity

Created Chaining Warpgates together (markdown)

Eugene 2022-08-19 19:02:47 +02:00
parent d10d318976
commit e0de5e8f3e
1 changed files with 77 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

77
Chaining-Warpgates-together.md Normal file

@ -0,0 +1,77 @@
Sometimes exposing a host on the network to the outside is not an option. In this case you can opt to forward connections from one Warpgate to another.
Note: this is transparent to the client (except for two "warpgate connected" messages in interactive sessions) - there are no SSH "jump hosts" involved in this setup.
# Copy outer Warpgate's public key
* Run `warpgate client-keys` and copy the Ed25519 public key:
```
➜ ~ warpgate client-keys
16:55:10 INFO Using config: "/etc/warpgate.yaml" (users: 1, targets: 6, roles: 1)
Warpgate SSH client keys:
(add these to your target's authorized_hosts file)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAxxxx+3RBsT5 # <-- this line
rsa-sha2-256 AAAADHJzYS1zaGEyLTI1Ngxxxx
```
# Set up inner Warpgate
* Add your targets as usual
* Add a "jump user" (here we'll be using `wg-jump` as a username) and add the outer Warpgate's public key as a credential:
```diff
users:
+ - username: wg-jump
+ roles: ['warpgate:admin'] # Note that we're adding the user to the admin group for simplicity here
+ credentials:
+ - type: publickey
+ key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAxxxx+3RBsT5
```
* Add the targets on the inner network as well:
```diff
targets:
- name: Web admin
allow_roles:
- "warpgate:admin"
web_admin: {}
+ - name: server-behind-jump
+ allow_roles:
+ - warpgate:admin
+ ssh:
+ host: 192.168.77.2
```
* Check your config with `warpgate check`.
* Check connection to the target with `warpgate test-target server-behind-jump`
# Set up outer Warpgate
* Add the targets on the inner network again, using the inner Warpgate's address and port, as well as the Warpgate-style username:
```
targets
+ - name: internal-server
+ allow_roles: ['warpgate:admin']
+ ssh:
+ host: 192.168.77.1
+ port: 2222
+ username: 'wg-jump:server-behind-jump'
```
* Check your config with `warpgate check`.
* Check connection to the target _through the inner Warpgate_ with `warpgate test-target internal-server`
# Connect
You can now grab the connection command from the landing page (or the admin UI) as usual and test it on a client:
```
ssh <username>:internal-server@<outer-warpgate> -p <outer-wg-port>
```
Note that the names user in the internal Warpgate's config file are not exposed to users.