WireGuard and lsyncd to sync a directory.
install wireguard
apt install wireguard / pacman -S wireguard-tools
generate keypairs
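# Generate the server keypair. Run inside a subshell with umask 077 so the
# private key file is created readable only by its owner; with the usual
# default umask, tee would leave server_private.key world-readable.
# tee stores the private key on disk and passes it on so `wg pubkey` can
# derive the matching public key. The subshell keeps the umask change local.
( umask 077; wg genkey | tee server_private.key | wg pubkey > server_public.key )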
Server config file /etc/wireguard/wg0.conf
# WireGuard server interface (/etc/wireguard/wg0.conf).
# Replace the <...> placeholders with the key material produced by
# `wg genkey` / `wg pubkey`: the server's own private key from
# server_private.key here, and each client's public key in its [Peer] block.
# This file contains a private key; keep it readable by root only.
[Interface]
PrivateKey = <server_private_key>
Address = 10.11.12.1/24
ListenPort = 51820
# One [Peer] block per client. AllowedIPs is a /32 so a client is only
# accepted as, and routed to as, its single assigned VPN address; it must
# match the Address that client configures on its own side.
[Peer]
PublicKey = <client1_public_key>
AllowedIPs = 10.11.12.2/32
[Peer]
PublicKey = <client2_public_key>
AllowedIPs = 10.11.12.3/32
# Repeat for all clients...
Enable WireGuard in systemd:
sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
Server iptables
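# Server firewall rules. These are runtime rules only; they are lost on
# reboot unless saved (e.g. iptables-persistent) or added as PostUp lines
# in wg0.conf. eth0 is assumed to be the public interface.

# Let tunnel traffic be forwarded and NAT it out of the public interface.
sudo iptables -A FORWARD -o wg0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.11.12.0/24 -o eth0 -j MASQUERADE

# Publish one peer's SSH on the server's public port 2222.
# DNAT lives in the nat table, so `-t nat` is required here and on the
# matching POSTROUTING rule below; without it iptables rejects the rule
# (PREROUTING/POSTROUTING do not exist in the default filter table).
# 10.11.12.x is a placeholder for the chosen peer's VPN address.
# Note this exposes that peer's SSH to anyone who can reach the server's
# public port 2222, so the peer's sshd should be hardened accordingly.
sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.11.12.x:22

# Source-NAT the forwarded connection so the peer answers back via the
# server. Match the single peer (/32); a /22 would cover 10.11.12.0 through
# 10.11.15.255, far more than the one host intended.
sudo iptables -t nat -A POSTROUTING -d 10.11.12.x/32 -p tcp -m tcp --dport 22 -j MASQUERADE

# Accept everything arriving on, forwarded from, or leaving via the tunnel.
sudo iptables -A INPUT -i wg0 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -A OUTPUT -o wg0 -j ACCEPT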
Client config
# WireGuard client interface. PrivateKey is this client's own private key;
# PublicKey under [Peer] is the server's public key (server_public.key).
# Address must match the AllowedIPs entry the server holds for this client.
[Interface]
PrivateKey =
Address = 10.11.12.3/24 # Unique IP for each client, e.g., 10.11.12.2, 10.11.12.3, etc.
[Peer]
PublicKey =
# hostname is the server's public address; 51820 matches the server's ListenPort.
Endpoint = hostname:51820
AllowedIPs = 10.11.12.0/24 # Route only traffic destined for the VPN subnet through WireGuard
# Keep the tunnel (and any NAT mapping in front of the client) alive so the
# server can reach this client on its own initiative; the lsyncd push from
# the server to 10.11.12.3 below depends on that.
PersistentKeepalive = 25
On both server and client
/etc/sysctl.conf /etc/wireguard/wg0.conf
net.ipv4.ip_forward=1
sudo sysctl -p
Make a keypair on the server:
ssh-keygen -t ed25519
Copy the key to the host:
sudo ssh -i /path/to/.ssh/id_ed25519 $user@10.11.12.4
lsyncd config on server /etc/lsyncd/lsyncd.conf.lua
-- lsyncd configuration for the server (/etc/lsyncd/lsyncd.conf.lua).
settings {
  -- Where lsyncd writes its log and its status summary.
  logfile    = "/var/log/lsyncd/lsyncd.log",
  statusFile = "/var/log/lsyncd/lsyncd.status",
  -- insist: keep running (and retrying) even if the initial sync fails.
  insist     = true,
}

-- Push one local directory to a client over SSH with rsync.
sync {
  default.rsyncssh,

  -- Local directory to watch and the remote account/directory to mirror into.
  -- NOTE(review): host is 10.11.12.3 while the key-copy step above targets
  -- 10.11.12.4 -- confirm which client is the intended backup target.
  source    = "/home/v3d/fubomatic/media/events/failsafe",
  host      = "limiteduser@10.11.12.3",
  targetdir = "/home/limiteduser/apply.fubar.space-backup/",

  -- Seconds to batch filesystem events before running rsync.
  delay = 2,

  ssh = {
    port         = 22,
    -- Dedicated key for limiteduser; it lives under /root, so lsyncd is
    -- presumably running as root here -- verify. Restricting this key on
    -- the target (authorized_keys command= / rrsync) limits what a
    -- compromised server can do with it.
    identityFile = "/root/.ssh/limited-user",
  },

  rsync = {
    archive  = true,
    compress = true,
    -- --delete mirrors deletions: anything removed (or an emptied source)
    -- is also removed from the backup on the target.
    _extra   = { "--delete" },
  },
}