Wireguard Access

Summary

For now, this is a manual process to access the “new” Sepia lab in Poughkeepsie, NY.

How To

1. For Mac, install Wireguard from the App Store.

2. For Linux, install wireguard-tools:

sudo apt install wireguard-tools resolvconf
# or
sudo dnf install wireguard-tools

For Mac, install wireguard-tools using Homebrew

brew install wireguard-tools

3. Create a directory for a Wireguard keypair. E.g.,

mkdir ~/.wireguard

4. Generate a keypair

wg genkey | tee ~/.wireguard/private.key | wg pubkey > ~/.wireguard/public.key

Keep the Private Key secret!!

5. Send the public.key contents to David or Dan. They will update the Wireguard server and give you your VPN IP address.

6. Create ~/.wireguard/client.conf

PRIVATE_KEY=$(cat ~/.wireguard/private.key)

cat <<EOF > ~/.wireguard/client.conf
[Interface]
PrivateKey = $PRIVATE_KEY
Address = X.X.X.X/32
DNS = 10.20.192.11, front.sepia.ceph.com, ipmi.sepia.ceph.com
MTU = 1200

[Peer]
PublicKey = kyEHy3ZBewI5RiK4/a0/UQn6O1kMt3h8V3u0OwsfUXc=
AllowedIPs = 172.16.48.0/24, 10.20.192.0/20, 10.20.208.0/20, 172.16.50.0/23, 172.16.53.0/25, 172.16.55.0/26, 172.16.56.0/23, 172.16.59.0/25, 172.16.60.0/25
Endpoint = 192.86.31.5:1194
PersistentKeepalive = 25
EOF

Once Dan or David gives you your private IP, replace X.X.X.X in client.conf with it.
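As an added example that is not part of the wiki page, a small shell helper that renders the client.conf from steps 4 to 6 with the checks a careful user wants: the private key is checked for WireGuard key shape, the X.X.X.X placeholder (and any other malformed address) is refused so an unfinished config is never handed to wg-quick, and the file is written with mode 0600. The server values are copied from the page; the function names and the helper itself are assumptions of this example.

```shell
# Added example, not from the wiki: render the step 6 client.conf with two
# checks a practitioner wants. The config is written under umask 077 so it is
# never world-readable (run the wg genkey step the same way), and the X.X.X.X
# placeholder is refused so an unfinished config cannot reach wg-quick.
set -e

SEPIA_WG_PUBKEY='kyEHy3ZBewI5RiK4/a0/UQn6O1kMt3h8V3u0OwsfUXc='
SEPIA_WG_ENDPOINT='192.86.31.5:1194'
SEPIA_WG_DNS='10.20.192.11, front.sepia.ceph.com, ipmi.sepia.ceph.com'
SEPIA_WG_ALLOWED='172.16.48.0/24, 10.20.192.0/20, 10.20.208.0/20, 172.16.50.0/23, 172.16.53.0/25, 172.16.55.0/26, 172.16.56.0/23, 172.16.59.0/25, 172.16.60.0/25'

# A WireGuard key is 32 random bytes in base64: 43 base64 chars plus one '='.
wg_valid_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# The VPN address the admins assign: a plain dotted quad, octets 0-255.
# The page's X.X.X.X placeholder fails the first test.
wg_valid_addr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(printf '%s' "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# wg_render_conf KEYFILE ADDR OUTFILE: fails without writing anything on a
# malformed key or address; otherwise writes OUTFILE with mode 0600.
wg_render_conf() {
  key=$(cat "$1") || return 1
  wg_valid_key "$key" || { echo "bad private key in $1" >&2; return 1; }
  wg_valid_addr "$2" || { echo "bad Address '$2' (still X.X.X.X?)" >&2; return 1; }
  (
    umask 077
    cat > "$3" <<EOF
[Interface]
PrivateKey = $key
Address = $2/32
DNS = $SEPIA_WG_DNS
MTU = 1200

[Peer]
PublicKey = $SEPIA_WG_PUBKEY
AllowedIPs = $SEPIA_WG_ALLOWED
Endpoint = $SEPIA_WG_ENDPOINT
PersistentKeepalive = 25
EOF
  )
}
```

Usage: `wg_render_conf ~/.wireguard/private.key 10.20.200.7 ~/.wireguard/client.conf` (the address is a constructed placeholder; use the one you were given).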

7. Bring up the interface

On Mac OS, open the Wireguard GUI. Press Command+O and open ~/.wireguard/client.conf.

On Ubuntu,

sudo mkdir -p /etc/wireguard
sudo mv ~/.wireguard/client.conf /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf
sudo wg-quick up wg0

8. Click Activate

Success looks like: [screenshot of a connected tunnel, not included in this revision]

9. More about DNS Configuration on Linux

If you're using systemd-resolved, stop. It is incapable of handling split DNS. I would not use resolvconf.

The way I (dmick) chose on Fedora 41 was to disable systemd-resolved and set up a dnsmasq instance behind /etc/resolv.conf. Here's what I did:

1) sudo systemctl stop systemd-resolved; sudo systemctl disable systemd-resolved

2) add this to /etc/systemd/networkd.conf and restart networkd (because I'm running networkd to configure networks):

[Network]
DynamicUser=no
ManageResolver=false

3) install dnsmasq if necessary, and configure it. I chose to put my configuration in /etc/dnsmasq.d/dnsmasq.conf (because my system runs dnsmasq with a conf search path of /etc/dnsmasq.d):

# add domain to shortnames in /etc/hosts; may be helpful
expand-hosts
# don't use /etc/resolv.conf for servers configured here
no-resolv

# for debugging, enable log-queries
# log-queries

# set the server that should handle these three domains
server=/sepia.ceph.com/10.20.192.11
server=/front.sepia.ceph.com/10.20.192.11
server=/ipmi.sepia.ceph.com/10.20.192.11

# set the upstream servers for anything else
server=1.1.1.1
server=9.9.9.9

4) remove the existing /etc/resolv.conf and replace with this:

nameserver 127.0.0.1
search front.sepia.ceph.com ipmi.sepia.ceph.com sepia.ceph.com
options ndots:2

5) systemctl restart dnsmasq

Now lookups of shortname, shortname.front or shortname.ipmi should work. Note that dig does not respect the search domains in /etc/resolv.conf by default; you must use dig +search <domain>.

wireguard.1765336883.txt.gz · Last modified: 2025/12/10 03:21 by dmick