https://github.com/cybernazmul/wireguard-vault

# 🌟 Zero Trust VPN using WireGuard + Hasi Vault

## 🎯 High-Level Design

- ✅ WireGuard Server on Ubuntu 20
- ✅ Vault Server at https://vault.vault-url.nip.io
- ✅ Vault Authentication:
  - Server → Vault → using AppRole
  - Client → Vault → using Username/Password
- ✅ Vault manages all keys dynamically:
  - Server keypairs
  - Client keypairs
  - Client public key auto-synced to server config
  - Private keys securely hidden inside Vault
- ✅ Zero Trust:
  - Clients only have access to their OWN keys.
  - No client has access to the server private key.
  - Full rotation capability (refresh keys any time).

## 🛠 Step 1: Set Up Vault Properly

### 1.1 Login to Vault

```bash
export VAULT_ADDR="https://vault.vault-url.nip.io"
vault login
```

### 1.2 Enable KV Secrets Engine (for Key Storage)

```bash
vault secrets enable -path=wireguard kv-v2
```
### 1.3 Create Vault Policies

Server Policy (wireguard-server-policy.hcl):

```hcl
path "wireguard/server/*" {
  capabilities = ["create", "update", "read", "list"]
}

path "wireguard/clients-public/*" {
  capabilities = ["read", "list"]
}
```

```bash
vault policy write wireguard-server wireguard-server-policy.hcl
```

Client Policy (wireguard-client-policy.hcl):

```hcl
path "wireguard/clients-private/{{identity.entity.name}}" {
  capabilities = ["create", "update", "read"]
}

path "wireguard/clients-public/{{identity.entity.name}}" {
  capabilities = ["create", "update", "read"]
}

path "wireguard/server/*" {
  capabilities = ["read"]
}
```

```bash
vault policy write wireguard-client wireguard-client-policy.hcl
```
### 1.4 Enable AppRole (for server)

```bash
vault auth enable approle
```

Create AppRole for server:

```bash
vault write auth/approle/role/wireguard-server-role \
  token_policies="wireguard-server" \
  token_ttl=24h \
  token_max_ttl=72h
```

Fetch the role ID and generate a secret ID for the server:

```bash
vault read auth/approle/role/wireguard-server-role/role-id
vault write -f auth/approle/role/wireguard-server-role/secret-id
```

### 1.5 Enable Userpass (for clients)

```bash
vault auth enable userpass
```

Create client users:

```bash
vault write auth/userpass/users/client1 password="Client1StrongPassword!" policies="wireguard-client"
vault write auth/userpass/users/client2 password="Client2StrongPassword!" policies="wireguard-client"
```

- ✅ Each client gets a username/password.

## 🖥 Step 2: Setup WireGuard Server (Ubuntu)

### 2.1 Install WireGuard

```bash
sudo apt update
sudo apt install wireguard -y
```

### 2.2 Prepare Server Bash Script

```bash
chmod +x server_wireguard_sync.sh
./server_wireguard_sync.sh
```

- ✅ Server auto-syncs client peers dynamically.

## ๐Ÿง‘โ€๐Ÿ’ป Step 3: Setup WireGuard Client Script

### 3.1 Prepare Client Bash Script

Each client will have a script: client_wireguard_fetch.sh

```
$ chmod client_wireguard_fetch.sh
$ ./client_wireguard_fetch.sh
```
โœ… Clients auto-create their own wg0.conf file securely.
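The client-side flow of Step 3 as an added example (an illustration written for this page, not the repository's `client_wireguard_fetch.sh`): it generates the client's keypair on first run, stores it under the client's own KV v2 paths, reads the server's public key and endpoint, and writes `wg0.conf` with owner-only permissions. It assumes the `wireguard` KV v2 mount and policies from Step 1, a secret at `wireguard/server/config` with fields `public_key` and `endpoint`, fields `private_key`/`public_key` under the client paths, and that each userpass user has an identity entity named after the username (Vault otherwise auto-names entities `entity_<uuid>`, so `{{identity.entity.name}}` would not match the username).

```shell
#!/usr/bin/env bash
# Added example client script; paths and field names below are assumptions.
set -eu

# Render wg0.conf from values already fetched from Vault. Pure text, so it can
# be checked without a Vault server.
render_client_conf() {
  local priv="$1" srv_pub="$2" endpoint="$3" address="$4" allowed="${5:-0.0.0.0/0}"
  printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' "$priv" "$address"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
    "$srv_pub" "$endpoint" "$allowed"
}

# Write the config so the private key is never world-readable, even briefly.
write_conf() {
  local path="$1"; shift
  ( umask 077; render_client_conf "$@" > "$path" ) && chmod 600 "$path"
}

# Full flow against Vault (needs VAULT_ADDR and a prior `vault login -method=userpass`).
fetch_and_build() {
  local user="$1" address="$2"
  local priv srv_pub endpoint
  # First run: generate the keypair and store it under this client's own paths
  # (the client policy from 1.3 limits the user to exactly these paths).
  if ! priv=$(vault kv get -field=private_key "wireguard/clients-private/$user" 2>/dev/null); then
    priv=$(wg genkey)
    vault kv put "wireguard/clients-private/$user" private_key="$priv" >/dev/null
    vault kv put "wireguard/clients-public/$user" \
      public_key="$(printf '%s' "$priv" | wg pubkey)" >/dev/null
  fi
  # Clients may only read the server's public material (assumed secret name "config").
  srv_pub=$(vault kv get -field=public_key wireguard/server/config)
  endpoint=$(vault kv get -field=endpoint wireguard/server/config)
  write_conf /etc/wireguard/wg0.conf "$priv" "$srv_pub" "$endpoint" "$address"
}

# Usage: ./client_wireguard_fetch.sh --run client1 10.8.0.2/24
if [ "${1:-}" = "--run" ]; then
  fetch_and_build "${2:?username}" "${3:?tunnel address, e.g. 10.8.0.2/24}"
fi
```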

## 📜 Final Commands

Server Setup:

```bash
sudo bash /usr/local/bin/server_wireguard_sync.sh
```

Client Setup:

```bash
bash ~/client_wireguard_fetch.sh
```

Then start WireGuard normally:

```bash
sudo wg-quick up wg0
```
## 🛡 Security Checkpoints

- Vault policies ensure strict separation.
- No private key leaks outside of Vault.
- WireGuard server only knows public keys.
- Clients cannot see other clients' keys.
- Clients authenticate with a password; the server authenticates with AppRole.

✅ True Zero Trust VPN!

## 🎯 Diagram of Full System

```text
Client1 ⮑ [Login Username/Password] ➔ Vault ➔ Fetch Private Key + Server Public Key ➔ Build wg0.conf
Client2 ⮑ [Login Username/Password] ➔ Vault ➔ Fetch Private Key + Server Public Key ➔ Build wg0.conf

WireGuard Server ⮑ [Login AppRole] ➔ Vault ➔ Sync Clients' Public Keys ➔ Update wg0.conf
```