Building WireGuard + Vaultwarden on AWS

I tried to build this at minimal cost, but after it was built Bitwarden turned out not to support a private CA for HTTPS communication over the VPN, so I dropped it.

AWS infrastructure setup

Create the VPC

  • Seoul region, one Public and one Private subnet
    • Example: 10.20.0.0/20 and 10.20.128.0/20
  • Create a NAT Gateway in the Public subnet and, in the Private subnet's route table, point 0.0.0.0/0 at the NAT Gateway

EC2 setup

Security Groups

  • For the VPN (WireGuard) instance
    • Inbound
      • UDP 51820 from 0.0.0.0/0
      • TCP 22 from My IP
    • Outbound
      • All traffic
  • For the Vaultwarden instance
    • Inbound
      • (Set the source of every rule to the VPN security group, so the instance is reachable only through the VPN)
      • HTTPS, HTTP, SSH, TCP 8080
    • Outbound
      • All traffic

Create the EC2 instances

  • VPN (WireGuard) instance
    • t3.nano, Ubuntu 22 LTS, 8 GB EBS (minimum), the newly created VPC, Public subnet
    • Attach an Elastic IP
    • Install (after switching the apt mirror to mirror.kakao.com)
        sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup
        sudo sed -i 's|http://.*.ubuntu.com|http://mirror.kakao.com|g' /etc/apt/sources.list
        sudo sed -i 's|http://security.ubuntu.com|http://mirror.kakao.com|g' /etc/apt/sources.list
        sudo apt update
        sudo apt -y install wireguard qrencode
    • Generate the server and admin key pairs (umask 077 makes the private key files readable only by their owner)
        umask 077
        wg genkey | tee ~/server_private.key | wg pubkey > ~/server_public.key
        wg genkey | tee ~/admin_private.key | wg pubkey > ~/admin_public.key
    • Create /etc/wireguard/wg0.conf (the [Peer] PublicKey is the contents of admin_public.key; the admin private key must never be copied into the server config)
        [Interface]
        PrivateKey = <contents of server_private.key>
        Address = 10.8.0.1/24
        ListenPort = 51820
        DNS = 10.20.0.2

        # allow routing VPN → VPC
        PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
        PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE

        # admin user
        [Peer]
        PublicKey = <contents of admin_public.key>
        AllowedIPs = 10.8.0.2/32
    • Create /etc/wireguard/admin.conf (the client-side config; Endpoint is the VPN instance's public address and port, and AllowedIPs routes the tunnel subnet plus both VPC subnets through the tunnel)
        [Interface]
        PrivateKey = <contents of admin_private.key>
        Address = 10.8.0.2/32
        DNS = 10.20.0.2, 1.1.1.1

        [Peer]
        PublicKey = <contents of server_public.key>
        Endpoint = 15.164.87.13:51820
        AllowedIPs = 10.8.0.0/24, 10.20.0.0/20, 10.20.128.0/20
        PersistentKeepalive = 25
    • Enable IP forwarding and start the tunnel
        echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
        sudo sysctl -p
        sudo systemctl enable wg-quick@wg0
        sudo systemctl start wg-quick@wg0
        sudo wg show
        sudo iptables -t nat -L -n -v
      Check that the MASQUERADE rule shows ens5 as its out interface, as below:
        Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
         pkts bytes target     prot opt in     out     source               destination

        Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
         pkts bytes target     prot opt in     out     source               destination

        Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
         pkts bytes target     prot opt in     out     source               destination

        Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
         pkts bytes target     prot opt in     out     source               destination
        10582 1583K MASQUERADE  all  --  *      ens5    0.0.0.0/0            0.0.0.0/0
    • Generate a QR code for registering the admin client (admin.conf holds the client's private key, so delete it from the server once the client has imported it)
        qrencode -t ansiutf8 < /etc/wireguard/admin.conf
        <QR code is printed>
    • Install WireGuard on the phone or the Mac, then
      • "Add tunnel"
      • Add it from the contents of admin.conf or by scanning the QR code
      • Try activating it
    • To restart the tunnel
        sudo wg-quick down wg0
        sudo wg-quick up wg0
  • Vaultwarden instance
    • t3.micro, Ubuntu 22 LTS, 8 GB EBS (minimum), the newly created VPC, Private subnet
    • Install Docker
        sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup
        sudo sed -i 's|http://.*.ubuntu.com|http://mirror.kakao.com|g' /etc/apt/sources.list
        sudo sed -i 's|http://security.ubuntu.com|http://mirror.kakao.com|g' /etc/apt/sources.list
        sudo apt update
        sudo apt install -y docker.io
        sudo systemctl enable --now docker
        sudo usermod -aG docker $USER
    • Install Vaultwarden
      • Generate the Argon2 string for ADMIN_TOKEN
          sudo docker exec -it vaultwarden /vaultwarden hash
          Generate an Argon2id PHC string using the 'bitwarden' preset:
          Password: <complex password>
          Confirm Password: <once more>
          ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$C...'
          Generation of the Argon2id PHC string took: 191.018172ms
        docker exec needs a container named vaultwarden that is already running; if it does not exist yet, either start the container first (next step) and recreate it with the real token afterwards, or run the hash in a throwaway container: sudo docker run --rm -it vaultwarden/server:latest /vaultwarden hash
      • Create the Vaultwarden container with Docker (keep the single quotes around the token so the shell does not expand the $ signs)
          sudo docker run -d \
            --name vaultwarden \
            -e ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$...' \
            -v /vw-data:/data \
            -p '8080:80' \
            vaultwarden/server:latest
        • If something went wrong, remove it and create it again
            sudo docker stop vaultwarden
            sudo docker rm vaultwarden
            sudo docker run -d ...
      • Install Caddy
          sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
          curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo tee /usr/share/keyrings/caddy-stable-archive-keyring.gpg > /dev/null
          curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
          sudo apt update
          sudo apt install -y caddy
      • Create the Caddyfile (tls internal makes Caddy issue the certificate from its own local CA; that is the private CA the Bitwarden client refused, as noted at the top)
          sudo cp /etc/caddy/Caddyfile /etc/caddy/Caddyfile.bak
          sudo vi /etc/caddy/Caddyfile

          :80 {
              redir https://{host}{uri}
          }

          # HTTPS (443) → Vaultwarden
          vw.ndot.intra {
              encode gzip
              reverse_proxy 127.0.0.1:8080
              tls internal
          }
      • Run Caddy
          sudo caddy validate --config /etc/caddy/Caddyfile
          sudo systemctl reload caddy
    • Connect to the VPN and try to reach Vaultwarden through its private IP
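The wg0.conf and admin.conf above are edited by hand, and the mistakes that creep in (a private key pasted into the server's [Peer] PublicKey, a client address outside the tunnel subnet, an Endpoint port that does not match ListenPort, a VPC subnet or the private DNS resolver left out of AllowedIPs) only show up as a tunnel that silently carries nothing. The following is an added example, written for this note rather than taken from it or from WireGuard's own tooling, that cross-checks the two files. The addresses and subnets are the ones used in the note; the key strings, the endpoint address 203.0.113.10 and the function names are constructed placeholders.

```python
"""Cross-check a WireGuard server config (wg0.conf) against a client config
(admin.conf). Added example; keys and endpoint below are constructed placeholders."""
import ipaddress

# Constructed placeholders, not real key material; real values come from wg genkey / wg pubkey.
SERVER_PRIVATE = "SERVER-PRIVATE-KEY-PLACEHOLDER="
SERVER_PUBLIC = "SERVER-PUBLIC-KEY-PLACEHOLDER="
ADMIN_PRIVATE = "ADMIN-PRIVATE-KEY-PLACEHOLDER="
ADMIN_PUBLIC = "ADMIN-PUBLIC-KEY-PLACEHOLDER="
VPC_SUBNETS = ["10.20.0.0/20", "10.20.128.0/20"]  # the note's two VPC subnets


def wg0_conf(peer_key):
    """Server config modelled on the note's wg0.conf; peer_key is whatever gets
    pasted into [Peer] PublicKey (passing the private key reproduces the mistake)."""
    return f"""[Interface]
PrivateKey = {SERVER_PRIVATE}
Address = 10.8.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE

# admin user
[Peer]
PublicKey = {peer_key}
AllowedIPs = 10.8.0.2/32
"""

# Client config modelled on admin.conf; 203.0.113.10 is a documentation-range placeholder.
ADMIN_CONF = f"""[Interface]
PrivateKey = {ADMIN_PRIVATE}
Address = 10.8.0.2/32
DNS = 10.20.0.2, 1.1.1.1

[Peer]
PublicKey = {SERVER_PUBLIC}
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.8.0.0/24, 10.20.0.0/20, 10.20.128.0/20
PersistentKeepalive = 25
"""


def parse_wg(text):
    """Parse a wg-quick config into [(section, {key: value}), ...]. Repeated [Peer]
    sections are kept (configparser would merge them); '#' starts a comment."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            current[1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def nets(value):
    return [ipaddress.ip_network(v.strip()) for v in value.split(",") if v.strip()]


def check_configs(server_text, client_text, vpc_subnets):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    server, client = parse_wg(server_text), parse_wg(client_text)
    s_if = next(d for name, d in server if name == "Interface")
    c_if = next(d for name, d in client if name == "Interface")
    c_peer = next(d for name, d in client if name == "Peer")
    s_peers = [d for name, d in server if name == "Peer"]

    # A private key must never appear in the other side's file.
    if s_if["PrivateKey"] in client_text:
        findings.append("server PrivateKey appears in the client config")
    if c_if["PrivateKey"] in server_text:
        findings.append("client PrivateKey appears in the server config; [Peer] PublicKey must be the client's public key")

    # The client's tunnel address must lie in the tunnel subnet and be granted by a /32 peer entry.
    tunnel = ipaddress.ip_interface(s_if["Address"]).network
    c_addr = ipaddress.ip_interface(c_if["Address"]).ip
    if c_addr not in tunnel:
        findings.append(f"client address {c_addr} is outside the tunnel subnet {tunnel}")
    granting = [p for p in s_peers if any(c_addr in n for n in nets(p.get("AllowedIPs", "")))]
    if not granting:
        findings.append(f"no server [Peer] allows {c_addr}")
    elif any(n.prefixlen != n.max_prefixlen for p in granting for n in nets(p["AllowedIPs"])):
        findings.append("server [Peer] AllowedIPs should be only the single /32 assigned to that peer")

    # The Endpoint port must be the ListenPort (the UDP port opened in the security group).
    if int(c_peer["Endpoint"].rsplit(":", 1)[1]) != int(s_if["ListenPort"]):
        findings.append("client Endpoint port differs from server ListenPort")

    # Tunnel subnet, every VPC subnet and any private DNS resolver must be routed into the tunnel,
    # otherwise packets for Vaultwarden's private IP leave via the client's normal default route.
    routed = nets(c_peer["AllowedIPs"])
    for want in [tunnel] + [ipaddress.ip_network(s) for s in vpc_subnets]:
        if not any(want.subnet_of(r) for r in routed):
            findings.append(f"client AllowedIPs do not route {want}")
    for dns in [d.strip() for d in c_if.get("DNS", "").split(",") if d.strip()]:
        ip = ipaddress.ip_address(dns)
        if ip.is_private and not any(ip in r for r in routed):
            findings.append(f"DNS resolver {ip} is private but not routed through the tunnel")
    return findings
```

check_configs(wg0_conf(ADMIN_PUBLIC), ADMIN_CONF, VPC_SUBNETS) returns an empty list, while passing ADMIN_PRIVATE as the peer key returns the single finding about the leaked private key. Matching the server [Peer] to the client by AllowedIPs rather than by key is deliberate: it needs no crypto and it is exactly the address the server will accept packets from for that peer.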
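The "enable IP forwarding" step verifies three things by eye: that sysctl applied ip_forward, that nat/POSTROUTING masquerades out of ens5, and that the FORWARD chain passes wg0 traffic. The following added example (not from the note, and in Python rather than the shell the procedure is typed into) does that check over captured command output, so it can run as a post-install test. The sysctl and iptables outputs it contains are constructed samples modelled on the output shown in the note, and the function names are my own.

```python
"""Post-install check for the WireGuard host: IP forwarding on, nat/POSTROUTING
masquerading out of the uplink, FORWARD chain passing tunnel traffic. Added example;
the command outputs are constructed samples modelled on the note's output."""

# Constructed sample of `sysctl net.ipv4.ip_forward`
SYSCTL_OUTPUT = "net.ipv4.ip_forward = 1\n"

# Constructed sample of `sudo iptables -t nat -L -n -v` after wg-quick up
NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
10582 1583K MASQUERADE  all  --  *      ens5    0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample of `sudo iptables -L FORWARD -n -v` (filter table) with the PostUp rules loaded
FORWARD_OUTPUT = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3120  410K ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
 2875 2200K ACCEPT     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0
"""


def parse_chains(output):
    """Parse `iptables -L -n -v` output into {chain: {"policy": ..., "rules": [...]}}.
    With -v the columns are: pkts bytes target prot opt in out source destination."""
    chains, current = {}, None
    for line in output.splitlines():
        if line.startswith("Chain "):
            parts = line.split()
            current = parts[1]
            policy = parts[3] if len(parts) > 3 and parts[2] == "(policy" else None
            chains[current] = {"policy": policy, "rules": []}
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            f = line.split()
            chains[current]["rules"].append({"target": f[2], "prot": f[3], "in": f[5],
                                             "out": f[6], "source": f[7], "destination": f[8]})
    return chains


def ip_forward_enabled(sysctl_output):
    key, _, value = sysctl_output.strip().partition("=")
    return key.strip() == "net.ipv4.ip_forward" and value.strip() == "1"


def masquerade_uplinks(nat_output):
    """Out-interfaces that carry a MASQUERADE rule in nat/POSTROUTING."""
    chain = parse_chains(nat_output).get("POSTROUTING", {"rules": []})
    return [r["out"] for r in chain["rules"] if r["target"] == "MASQUERADE"]


def forward_allows(forward_output, tunnel="wg0"):
    """True when tunnel traffic will be forwarded: the chain policy is ACCEPT, or the two
    explicit ACCEPT rules from PostUp (-i wg0 and -o wg0) are present. The explicit rules
    are what keeps this working on a host where Docker has set the FORWARD policy to DROP."""
    chain = parse_chains(forward_output).get("FORWARD")
    if chain is None:
        return False
    rules = chain["rules"]
    accepts_in = any(r["target"] == "ACCEPT" and r["in"] == tunnel for r in rules)
    accepts_out = any(r["target"] == "ACCEPT" and r["out"] == tunnel for r in rules)
    return chain["policy"] == "ACCEPT" or (accepts_in and accepts_out)


def forwarding_findings(sysctl_output, nat_output, forward_output, uplink="ens5", tunnel="wg0"):
    """Findings for the three things the note checks by eye after sysctl -p and wg-quick up."""
    findings = []
    if not ip_forward_enabled(sysctl_output):
        findings.append("net.ipv4.ip_forward is not 1 (was `sysctl -p` run?)")
    uplinks = masquerade_uplinks(nat_output)
    if uplink not in uplinks:
        findings.append(f"no MASQUERADE rule out of {uplink} in nat/POSTROUTING (found: {uplinks})")
    if not forward_allows(forward_output, tunnel):
        findings.append(f"FORWARD chain does not pass {tunnel} traffic")
    return findings
```

On a live host the three inputs come from the commands named in the comments; forwarding_findings returns an empty list for the sample output above and one message per missing piece otherwise.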