Richard Bucker

OpenBSD Encrypted Microsegments With WireGuard

Posted at — Nov 12, 2020

Everything I have been reading about WireGuard suggests that most people use it as a replacement for a VPN, meaning the client/server model. It does that quite well, but my mission, without reverse engineering Docker's encrypted micronetwork, was to implement the same idea as part of a zero trust architecture.

I have 3 machines with this intended network:

                     mach1      mach2       mach3
                       ^          ^           ^
                       |          |           |
internet <--> FW <<-----------(network admin)------------------>

Then adding the wg connections:

                     mach1 <---> mach2 <---> mach3
                       ^           ^           ^
                       |           |           |
internet <--> FW <<-----------(network admin)------------------>

Then adding some firewall rules so that the admin network is limited to port 22, and SSH authentication is limited to keys/certificates or to passwords with 2FA or some such. The wg network is limited to its peers: mach1 only has mach2 as a peer and mach3 only has mach2 as a peer, so there is no way for mach1 to connect to mach3. Furthermore, the firewall also limits the tunnel traffic to the permitted ports and therefore protocols.
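The configuration below is an added illustration of that layout, not the author's own files. It shows the OpenBSD hostname.wg0 for mach1 (one peer) and mach2 (two peers), plus a pf.conf for mach2. Addresses (192.0.2.0/24 for the admin network, 10.10.0.0/24 inside the tunnels), the interface name vio0, the admin host 192.0.2.10 and the application ports 5432 and 8080 are assumptions; the key strings are placeholders to be replaced with real ones.

```conf
# ---------- /etc/hostname.wg0 on mach1 (192.0.2.11) ----------
# Only mach2 is a peer. 10.10.0.3 (mach3) matches no wgaip, so WireGuard's
# cryptokey routing has nowhere to send it and the packet is dropped.
# Generate the private key with: openssl rand -base64 32
# Once it is set, "ifconfig wg0" prints the matching public key as wgpubkey.
wgkey <mach1-private-key>
wgport 51820
wgpeer <mach2-public-key> wgendpoint 192.0.2.12 51820 wgaip 10.10.0.2/32
inet 10.10.0.1/24
up

# ---------- /etc/hostname.wg0 on mach2 (192.0.2.12) ----------
# The middle node has both neighbours as peers, each pinned to its own /32.
wgkey <mach2-private-key>
wgport 51820
wgpeer <mach1-public-key> wgendpoint 192.0.2.11 51820 wgaip 10.10.0.1/32
wgpeer <mach3-public-key> wgendpoint 192.0.2.13 51820 wgaip 10.10.0.3/32
inet 10.10.0.2/24
up

# ---------- /etc/pf.conf on mach2 ----------
admin_if = "vio0"
wg_port  = "51820"
table <admins> { 192.0.2.10 }          # assumed admin workstation / jump host

set skip on lo
block drop log all                     # default deny, in and out, all interfaces

# Admin network: SSH only, and only from the admin hosts.
pass in  on $admin_if proto tcp from <admins> to ($admin_if) port 22

# WireGuard handshakes and transport, only to/from the two neighbours.
pass in  on $admin_if proto udp from { 192.0.2.11, 192.0.2.13 } to ($admin_if) port $wg_port
pass out on $admin_if proto udp from ($admin_if) to { 192.0.2.11, 192.0.2.13 } port $wg_port

# Inside the tunnels: each neighbour may reach only its permitted port on this host.
# Both rules are addressed to 10.10.0.2, so nothing arriving on wg0 for
# another tunnel address is ever passed, i.e. mach2 will not relay mach1 <-> mach3.
pass in  on wg0 proto tcp from 10.10.0.1 to 10.10.0.2 port 5432   # assumed: mach1 -> database on mach2
pass in  on wg0 proto tcp from 10.10.0.3 to 10.10.0.2 port 8080   # assumed: mach3 -> API on mach2
pass out on wg0 proto tcp from 10.10.0.2 to { 10.10.0.1, 10.10.0.3 }
```

Two checks worth running after loading this: `pfctl -nf /etc/pf.conf` to validate the ruleset before it is applied, and `sysctl net.inet.ip.forwarding` on mach2, which must stay at 0 (the OpenBSD default) so the middle node cannot be turned into a router between the two tunnels even if a pf rule is later loosened. The tunnel-side rules are the only place the "permitted ports and therefore protocols" policy lives, so each new service needs its own explicit pass line rather than a widening of an existing one.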

Eventually I might be able to add DPI to check the connection contents.