Securing external nodes with wireguard

Discussion in 'Installation/Configuration' started by pyte, Dec 13, 2023.

  1. pyte

    pyte Well-Known Member HowtoForge Supporter

    Hi there,
    as i need to secure the connection between 2 nodes and the master in a multiserver setup i want to talk through the steps beforehand to might get some helpful insights and tips.
    The setup contains the following systems:
    panel - master - location1
    web01 - webs - location1
    web02 - webs - location1
    db- web dbs - location1
    mail01 - mail - location1
    mail02 - mail- location2
    ns01 - dns - location1
    ns02 - dns - location3

    The connection between mail02 and the master currently goes over the internet. The mysql traffic is not secured with ssl.
    Same goes for the traffic between ns02 and the master.
    To minimize security concerns I think it would be best to use wireguard.

    mail02 (localtion2) -- wireguard tunnel --> master
    ns02 (localtion3) -- wireguard tunnel --> master

    After successfully establishing the connection via wireguard, I would do the following:
    • Update the /etc/hosts file on the mail02 node to use the wireguard IP of the master for panel.domain.tld - all other entries stay untouched
    • Update the /etc/hosts file on the ns02 node to use the wireguard IP of the master for panel.domain.tld - all other entries stay untouched
    • Update the /etc/hosts file on the master to use the wireguard IP for the mail02 and ns02 node - all other entries stay untouched
    • Edit the users for the master mysql accordingly/create new ones for user@wireguardnodeip
    • Run the ISPConfig Update script on both slave nodes
    Are the steps sufficient?
    Is there anything else i need to be aware of as both of the nodes in question are mirrors for their services?
    Is there a better or easier way to solve the problem?

    Any help is appreciated.
    ahrasis likes this.
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You already noted that mysql connections between servers are not secured, but opted to use wireguard instead of securing the connections themselves. I know there is no proper tutorials or guides or discussions on about this for ISPConfig, but it is doable whether with self-signed or LE SSL certs. We did discuss this somewhere at the later stage of securing ISPConfig server with LE certs and whether to extend this proposal as ISPConfig feature but I remember that there was no progress. Do check them if you like but no promise that this can be a solution for your shortcoming. Sorry for not giving some of the discussions' links as I am on mobile.
    pyte likes this.
  3. pyte

    pyte Well-Known Member HowtoForge Supporter

    It would be sufficient for me. The problem is, I am cautious about making changes to ISPConfig as i don't want to risk incompatibilities with future upgrades of ISPConfig. So sure it isn't that hard to secure MariaDB/Mysql with SSL certs, but there sure are a few things that i can't think about from the top of my head that might cause issues or don't work.

    Do you by chance have any first hand expirience with it? Is it an approved solution for ISPConfig? Are there at least some directions on how to setup it up / what i need to be aware of?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I think that we should look into securing the dbmaster connection with SSL anyway, so if there are changes needed in ISPConfig, it should be no issue to implement them. ISPConfig has already database client flags setting to the the mysql driver to use SSL, but I guess we should modernize that to have settings like $conf['db_ssl_key'], $conf['db_ssl_cert'] and $conf['db_ssl_ca_cert'] and also $conf['dbmaster_ssl_key'], $conf['dbmaster_ssl_cert'] and $conf['dbmaster_ssl_ca_cert'] with paths to the cert files and then set these before mysqli_connect in the database library if these settings are used.
    ahrasis likes this.
  5. pyte

    pyte Well-Known Member HowtoForge Supporter

    So this is a "feature" or actually a new default that is planned for ISPConfig? I may want to wait until this is implemented in a stable version and use it when it's available.

    One of the challenges in the setup above is that some of the services are already used in production so messing around too much is not the best idea :rolleyes:

    Any rough idea on when this will be a default and how the migration of current system would work?
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    This is an idea for a feature, so I can not give you any estimates. But it will require just 1-2 lines added in the db lib plus the above mentioned new config file settings, so I think I will try adding it in 3.2.12. You can use SSL for mysql connects already by using the client flags setting in plus configuring SSL settings in client section of the mysql config file. But I do not have any guides for that available and have not tested that setup for some time, but as far as I know, several users are using it.
    pyte likes this.
  7. pyte

    pyte Well-Known Member HowtoForge Supporter

    Thank you for the clarification. If you implement the feature you can let me know if tests from other users help. I will gladly give feedback and test intensively.
    till likes this.
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter
    You basically just use the above to extend LE SSL certs to mysql in your ISPConfig server and thereafter add --ssl param in ISPConfig mysql connecting command. The first part supposedly won't affect the existing system and the default way mysql is connecting between servers which is without ssl. Only by adding the --ssl param in the default ISPConfig mysql command will secure their connection. I tested the same long time ago so I cannot remember which ISPConfig file(s) to edit for this. Do explore and run several tests before you use them on production. Use ISPConfig LE pre and post hooks to automate updates.
    Last edited: Dec 14, 2023
    pyte likes this.
  9. vk3heg

    vk3heg Member

    Have a look at Tinc as well..
  10. pyte

    pyte Well-Known Member HowtoForge Supporter

    Sorry but i don't know how this should help in this situation and if you've read any of my posts in this thread you would see that using a tunnel is not my preference.

Share This Page