Wireguard Access

Summary

For now, this is a manual process to access the “new” Sepia lab in Poughkeepsie, NY.

How To

Overall flow:

* install Wireguard
* generate a public/private keypair
* send in the public key to David/Dan to get a server entry
* get an IP address to use in return
* use the private key, the IP address, and these instructions to configure your client

Mac/Linux

1. For Mac, install Wireguard from the App Store.

2. Install wireguard-tools.

For Linux,

sudo apt install wireguard-tools resolvconf
# or
sudo dnf install wireguard-tools

For Mac, install wireguard-tools using Homebrew:

brew install wireguard-tools

3. Create a directory for a Wireguard keypair. E.g.,

mkdir ~/.wireguard

4. Generate a keypair

wg genkey | tee ~/.wireguard/private.key | wg pubkey > ~/.wireguard/public.key

Keep the Private Key secret!!

5. Send the Wireguard public key (~/.wireguard/public.key contents) to David or Dan. They will update the Wireguard server and give you your VPN IP address.

6. Create ~/.wireguard/client.conf (note that the $PRIVATE_KEY must expand to the actual text of your private key)

PRIVATE_KEY=$(cat ~/.wireguard/private.key)

cat <<EOF > ~/.wireguard/client.conf
[Interface]
PrivateKey = $PRIVATE_KEY
Address = X.X.X.X/32
DNS = 10.20.192.11, front.sepia.ceph.com, ipmi.sepia.ceph.com
MTU = 1200

[Peer]
PublicKey = kyEHy3ZBewI5RiK4/a0/UQn6O1kMt3h8V3u0OwsfUXc=
AllowedIPs = 172.16.48.0/24, 10.20.192.0/20, 10.20.208.0/20, 172.16.50.0/23, 172.16.53.0/25, 172.16.55.0/26, 172.16.56.0/23, 172.16.59.0/25, 172.16.60.0/25
Endpoint = 192.86.31.5:1194
PersistentKeepalive = 25
EOF

7. Once Dan or David give you your private IP, replace X.X.X.X in client.conf with it.

8. Bring up the interface

On Mac OS, open the Wireguard GUI. Press Command+O and open ~/.wireguard/client.conf. Click Activate

On Ubuntu,

sudo mkdir -p /etc/wireguard
sudo mv ~/.wireguard/client.conf /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf
sudo wg-quick up wg0

Use wg show to check the tunnel status (latest handshake, transfer counters).
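Before bringing the interface up, it is worth checking client.conf for the usual mistakes: a private key file readable by other users, the X.X.X.X placeholder left in place, a peer key or endpoint that does not match the lab server, or an AllowedIPs line that would route all traffic through the lab. The checker below is an added example, not part of the lab wiki; the expected peer key and endpoint are copied from the config above, and the check_wg_conf and wg_get names are its own.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab wiki: sanity-check a generated
# client.conf before `wg-quick up`. The peer key and endpoint are copied
# from the config above; the function names are this example's own.
EXPECTED_PEER_KEY='kyEHy3ZBewI5RiK4/a0/UQn6O1kMt3h8V3u0OwsfUXc='
EXPECTED_ENDPOINT='192.86.31.5:1194'

# wg_get KEY FILE: print the value of the first "KEY = value" line in FILE.
wg_get() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n1; }

# check_wg_conf FILE: return 0 if every check passes, 1 otherwise,
# printing one FAIL line per problem.
check_wg_conf() {
    conf=$1; rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }

    # The file holds the private key, so nobody else may read it.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in 600|400) ;; *) fail "mode is $mode, expected 600" ;; esac

    # A WireGuard key is 32 bytes, i.e. 44 base64 characters ending in '='.
    priv=$(wg_get PrivateKey "$conf")
    printf '%s' "$priv" | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
        || fail "PrivateKey is not a 32-byte base64 key"

    # The X.X.X.X placeholder must have been replaced by the assigned /32.
    addr=$(wg_get Address "$conf")
    printf '%s' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/32$' \
        || fail "Address '$addr' is not a real /32 (placeholder still present?)"

    # Pin the server identity: peer key and endpoint must be the lab's.
    [ "$(wg_get PublicKey "$conf")" = "$EXPECTED_PEER_KEY" ] \
        || fail "Peer PublicKey is not the lab server's key"
    [ "$(wg_get Endpoint "$conf")" = "$EXPECTED_ENDPOINT" ] \
        || fail "Endpoint is not the lab endpoint"

    # Split tunnel only: a default route would push all traffic into the lab.
    wg_get AllowedIPs "$conf" | grep -Eq '(^|[ ,])(0\.0\.0\.0/0|::/0)([ ,]|$)' \
        && fail "AllowedIPs routes all traffic through the VPN"

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Stand-alone use: bash check-wg-conf.sh ~/.wireguard/client.conf
if [ $# -gt 0 ]; then check_wg_conf "$1"; fi
```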

Windows

1. Install Windows client from https://www.wireguard.com/install/

2. In the wireguard app, select “Add tunnel/Add empty tunnel”. A public and private key will be automatically generated for you. Note them. KEEP THE PRIVATE KEY SECRET.

3. Send your public key to David/Dan.

4. Get an IP address in return.

5. Add the configuration to the wireguard app. The first two lines ([Interface] and PrivateKey = <your private key>) will already be present. Be very careful to not change anything besides your Address. In particular, do not edit [Peer] PublicKey; that is the server's public key and does not change.

[Interface]
PrivateKey = <your private key>
Address = <address from communication with David/Dan>/32
DNS = 10.20.192.11, front.sepia.ceph.com, ipmi.sepia.ceph.com
MTU = 1200

[Peer]
PublicKey = kyEHy3ZBewI5RiK4/a0/UQn6O1kMt3h8V3u0OwsfUXc=
AllowedIPs = 172.16.48.0/24, 10.20.192.0/20, 10.20.208.0/20, 172.16.50.0/23, 172.16.53.0/25, 172.16.55.0/26, 172.16.56.0/23, 172.16.59.0/25, 172.16.60.0/25
Endpoint = 192.86.31.5:1194
PersistentKeepalive = 25

6. Save the configuration, which should activate the wg0 tunnel. If all goes well, you will see “Latest Handshake” in the Peer section be a few seconds out of date

7. Despite the DNS = line, the current Wireguard Windows client does not properly handle split-horizon DNS. You must add PowerShell scripts to the configuration and enable their execution with a Windows Registry setting.

Add the following after MTU = in the [Interface] section:

PostUp = powershell -ExecutionPolicy Bypass -File "C:\Wireguard\wg-up.ps1"
PostDown = powershell -ExecutionPolicy Bypass -File "C:\Wireguard\wg-down.ps1"

and add the scripts to C:\Wireguard:

# wg-up.ps1
param(
    [string[]]$Domains = @("sepia.ceph.com", "front.sepia.ceph.com"),
    [string]$DNSServer = "10.20.192.11"
)

# Ensure admin
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Error "This script must be run as Administrator."
    exit 1
}

# Auto-detect WireGuard interface (by type)
$Interface = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match "WireGuard" -and $_.Status -eq "Up" } | Select-Object -First 1

if (-not $Interface) {
    Write-Error "No active WireGuard interface found."
    exit 1
}

$InterfaceAlias = $Interface.Name
Write-Output "Using WireGuard interface: $InterfaceAlias"

# Add NRPT rules (idempotent)
foreach ($domain in $Domains) {
    if (-not (Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $domain })) {
        Write-Output "Adding NRPT rule for $domain -> $DNSServer"
        Add-DnsClientNrptRule -Namespace $domain -NameServers $DNSServer
    }
}

# Set connection-specific DNS suffix (short names)
Set-DnsClient -InterfaceAlias $InterfaceAlias -ConnectionSpecificSuffix $Domains[0]
Write-Output "Set connection-specific suffix: $($Domains[0])"

# wg-down.ps1
param(
    # Keep in sync with wg-up.ps1 so every NRPT rule it adds is removed again
    [string[]]$Domains = @("sepia.ceph.com", "front.sepia.ceph.com")
)

# Ensure admin
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Error "This script must be run as Administrator."
    exit 1
}

# Auto-detect WireGuard interface (by type)
$Interface = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match "WireGuard" -and $_.Status -eq "Up" } | Select-Object -First 1

if (-not $Interface) {
    Write-Output "No active WireGuard interface found; skipping cleanup."
    exit 0
}

$InterfaceAlias = $Interface.Name
Write-Output "Using WireGuard interface: $InterfaceAlias"

# Remove NRPT rules safely
foreach ($domain in $Domains) {
    Get-DnsClientNrptRule |
        Where-Object { $_.Namespace -eq $domain } |
        Remove-DnsClientNrptRule -ErrorAction SilentlyContinue
    Write-Output "Removed NRPT rule for $domain"
}

# Clear connection-specific suffix
Set-DnsClient -InterfaceAlias $InterfaceAlias -ConnectionSpecificSuffix ''
Write-Output "Cleared connection-specific suffix"

Add the following DWORD value to the registry:

HKEY_LOCAL_MACHINE\Software\WireGuard\DangerousScriptExecution

and set it to 1. You can do this from a Command Prompt running as administrator:

reg add HKLM\Software\WireGuard /v DangerousScriptExecution /t REG_DWORD /d 1 /f

More about DNS Configuration on Linux

If you're using systemd-resolved, stop. It is incapable of handling split DNS. I would not use resolvconf.

The way I (dmick) chose on Fedora 41 was to disable systemd-resolved and set up a dnsmasq instance behind /etc/resolv.conf. Here's what I did:

1) sudo systemctl stop systemd-resolved; sudo systemctl disable systemd-resolved

2) add this to /etc/systemd/networkd.conf and restart networkd (because I'm running networkd to configure networks):

[Network]
DynamicUser=no
ManageResolver=false

3) install dnsmasq if necessary, and configure it. I chose to put my configuration in /etc/dnsmasq.d/dnsmasq.conf (because my system runs dnsmasq with a conf search path of /etc/dnsmasq.d):

# add domain to shortnames in /etc/hosts; may be helpful
expand-hosts
# don't use /etc/resolv.conf for servers configured here
no-resolv

# for debugging, enable log-queries
# log-queries

# set the server that should handle these three domains
server=/sepia.ceph.com/10.20.192.11
server=/front.sepia.ceph.com/10.20.192.11
server=/ipmi.sepia.ceph.com/10.20.192.11

# set the upstream servers for anything else
server=1.1.1.1
server=9.9.9.9

4) remove the existing /etc/resolv.conf and replace it with this:

nameserver 127.0.0.1
search front.sepia.ceph.com ipmi.sepia.ceph.com sepia.ceph.com
options ndots:2

5) systemctl restart dnsmasq

Now lookups of shortname, shortname.front or shortname.ipmi should work. Note that dig does not respect the search domains in /etc/resolv.conf by default; you must use dig +search <domain>.
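To see why this setup gives split-horizon resolution, the following added example (not from the wiki) models, offline, the two decisions involved: dnsmasq's server=/domain/ routing (the longest dot-anchored matching suffix wins, otherwise a default upstream) and glibc's search/ndots expansion from the resolv.conf above. The dnsmasq and resolv.conf text is embedded inline from the page; dnsmasq_upstream and search_candidates are the example's own names.

```shell
#!/usr/bin/env bash
# Added example, not from the lab wiki: an offline model of how the dnsmasq
# and resolv.conf settings above decide where a lookup goes. The config text
# below is copied from the page; the two functions are this example's own.
DNSMASQ_CONF='no-resolv
server=/sepia.ceph.com/10.20.192.11
server=/front.sepia.ceph.com/10.20.192.11
server=/ipmi.sepia.ceph.com/10.20.192.11
server=1.1.1.1
server=9.9.9.9'
SEARCH='front.sepia.ceph.com ipmi.sepia.ceph.com sepia.ceph.com'
NDOTS=2

# dnsmasq sends a query to the server=/domain/ip line whose domain is the
# longest dot-anchored suffix of the name; with no match it uses the default
# (domain-less) servers, the first of which is reported here.
dnsmasq_upstream() {
    name=${1%.}; best=''; best_len=-1; default=''
    while IFS= read -r line; do
        case "$line" in
            server=/*/*)
                dom=${line#server=/}; dom=${dom%%/*}; ip=${line##*/}
                if [ "$name" = "$dom" ] || [ "${name%.$dom}" != "$name" ]; then
                    if [ "${#dom}" -gt "$best_len" ]; then best=$ip; best_len=${#dom}; fi
                fi ;;
            server=*) [ -z "$default" ] && default=${line#server=} ;;
        esac
    done <<EOF
$DNSMASQ_CONF
EOF
    echo "${best:-$default}"
}

# glibc resolver: a name with fewer than ndots dots is tried with each search
# domain appended, in order, before being tried as typed. With ndots:2 this is
# what makes shortname and shortname.front land in the lab zones.
search_candidates() {
    name=$1; dots=$(printf '%s' "$name" | tr -cd '.' | wc -c); dots=$((dots + 0))
    if [ "$dots" -lt "$NDOTS" ]; then
        for s in $SEARCH; do echo "$name.$s"; done
    fi
    echo "$name"
}

# Stand-alone use: bash split-dns-model.sh smithi001.front
if [ $# -gt 0 ]; then
    for cand in $(search_candidates "$1"); do
        echo "$cand -> $(dnsmasq_upstream "$cand")"
    done
fi
```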