another e2e test complete

e2e/generate-remote-access-to-lan/A-alice-wireguard.conf

@@ -1,9 +1,9 @@
 [Interface]
 ListenPort = 41820
 Address = 192.168.10.1/24
-PrivateKey = WMh23W9s19mvZseY6lVhHZUIfMD7AQvkNallqodYFEw=
+PrivateKey = CMpkdMc865hIRYMEzUmL8IVrRjIlq+R7Fo9XbNlEAVU=
 
 [Peer]
-PublicKey = S6/3+1+gMZtQHuBgUKMMBVMNYihmL7RkzUuRu3CU8nM=
-PresharedKey = l50Qy3iSJYcSa60lfzml6BxACw9Z25Rfkz6HSZHMy08=
+PublicKey = ej8hwbGqgNfSTHrq9sUZvKPZfiT7HnsO4Yn54qGYVks=
+PresharedKey = cmjYWlwp9Fj0HDXom6k3xGCdeUs3YruYHNl72BQRBWY=
 AllowedIPs = 192.168.10.2/32

e2e/generate-remote-access-to-lan/B-bob-wireguard.conf

@@ -1,10 +1,10 @@
 [Interface]
 ListenPort = 0
 Address = 192.168.10.2/24
-PrivateKey = 2FSRHZJIRIRZNT+tbkazvaGOXKSg9dGfiOCVlFQ67Hc=
+PrivateKey = wL5tec7BfLSIClRCCYeJLn3nMQF9ca5ihVMZb7uQMmQ=
 
 [Peer]
-PublicKey = 6USy2EOFdoeOEquaAHHyu3mf0n/BZQb6AJ3cdnaNN3Q=
-PresharedKey = l50Qy3iSJYcSa60lfzml6BxACw9Z25Rfkz6HSZHMy08=
+PublicKey = pW1kMyT4l49kkw26FDdljDop6OgaSM//M7I6W3QwTlU=
+PresharedKey = cmjYWlwp9Fj0HDXom6k3xGCdeUs3YruYHNl72BQRBWY=
 Endpoint = 10.0.0.2:51820
 AllowedIPs = 192.168.10.1/32, 10.0.2.0/24

e2e/generate-remote-access-to-server/A-alice-wireguard.conf

@@ -1,9 +1,9 @@
 [Interface]
 ListenPort = 51820
 Address = 192.168.10.1/24
-PrivateKey = wIORnc6gwOkkQAlTOsUjwu6MqLoK0dTinizI4MK/UU0=
+PrivateKey = iDTWifb0oZgGxHKl81KV3fhmeb9YBUGWu2JdBjfszUg=
 
 [Peer]
-PublicKey = QjSElgV3eP+urh8xHPhYreYl0C/LdGcx6djbPG4Xywg=
-PresharedKey = CDjIYXByd743fT8yflAF8lF0zCK69ysCs9ljn0bl3Zc=
+PublicKey = xuP23HqaH8vpEKmsINC3fMWVdAwRKr9gidBeuIdoR14=
+PresharedKey = 8fTYuBxDor8DSO18oFewE3jad+R3rpol6VORqlXDgRA=
 AllowedIPs = 192.168.10.2/32

e2e/generate-remote-access-to-server/B-bob-wireguard.conf

@@ -1,10 +1,10 @@
 [Interface]
 ListenPort = 0
 Address = 192.168.10.2/24
-PrivateKey = IIGyVMnPWZrBwbKmG3iHPXCLBxI1QAGwW1+7AsDt7Hg=
+PrivateKey = MFZHvB7hY7btUlmCuQ3i920KBP8WrOy6L+drGnd/X2w=
 
 [Peer]
-PublicKey = nowZXSZCvvLieLo0S5XCo/A6LkjrLSa9wqTFgvk/xF0=
-PresharedKey = CDjIYXByd743fT8yflAF8lF0zCK69ysCs9ljn0bl3Zc=
+PublicKey = QvCzB/9F37LFO8CfpuqNYVvpfEXhyc12McnnxM8m1VE=
+PresharedKey = 8fTYuBxDor8DSO18oFewE3jad+R3rpol6VORqlXDgRA=
 Endpoint = 10.0.0.2:51820
 AllowedIPs = 192.168.10.1/32

e2e/generate-server-hub-and-spoke-access/A-alice-client-tests.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+wg-quick up wg0
+ping 192.168.10.1 -c 5
+ping 192.168.10.2 -c 5
+ping 192.168.10.3 -c 5
+ping 192.168.10.100 -c 5
+sleep 5s

e2e/generate-server-hub-and-spoke-access/A-alice-wireguard.conf

@@ -0,0 +1,19 @@
+[Interface]
+ListenPort = 51820
+Address = 192.168.10.1/24
+PrivateKey = KBpqv+IZvgCnm1RpYPRRPCGSE1ajzx6Z7OuGfV3a314=
+
+[Peer]
+PublicKey = k6xHfehO4coIeJrK67ctfSDa0xSoLTdyUbYnodS2Kyw=
+PresharedKey = y17Vo56HTDAS4HeFQR7xSxqr6ItsORf5X66Btrmbqc4=
+AllowedIPs = 192.168.10.100/32
+
+[Peer]
+PublicKey = q1gtPuCehVpdA2pn+Ts55VnHb/+UWNoGF3htQOp41nI=
+PresharedKey = kgXT3nZ+axRrnGwi4I9hfDhgYwOP3pgp5KoROJXXXO4=
+AllowedIPs = 192.168.10.2/32
+
+[Peer]
+PublicKey = Po0jQhyrlQZofTCJCd/JLU51zMzIesFQU7SbM+r4aW0=
+PresharedKey = WxMl2W9b2J0ZyAkDNJ73aeFlvML65UeA2bhcRLMCjQ0=
+AllowedIPs = 192.168.10.3/32

e2e/generate-server-hub-and-spoke-access/B-bob-client-tests.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ip route add 10.0.0.0/24 via 10.0.1.2
+wg-quick up wg0
+ping 192.168.10.1 -c 5
+ping 192.168.10.2 -c 5
+ping 192.168.10.3 -c 5
+ping 192.168.10.100 -c 5
+sleep 5s

e2e/generate-server-hub-and-spoke-access/B-bob-wireguard.conf

@@ -0,0 +1,10 @@
+[Interface]
+ListenPort = 0
+Address = 192.168.10.100/24
+PrivateKey = 8Ep0KATQAG2q4oYFnTHav/3pMV6OKpu5+gbu1am/WGs=
+
+[Peer]
+PublicKey = Fp0MHw3rAwT669FDaKP+LJyZdLNllxAKeqs0Q4Oa8Uo=
+PresharedKey = y17Vo56HTDAS4HeFQR7xSxqr6ItsORf5X66Btrmbqc4=
+Endpoint = 10.0.0.2:51820
+AllowedIPs = 192.168.10.1/32, 192.168.10.3/32, 192.168.10.2/32

e2e/generate-server-hub-and-spoke-access/C-charlie-client-tests.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ip route add 10.0.0.0/24 via 10.0.2.2
+wg-quick up wg0
+ping 192.168.10.1 -c 5
+ping 192.168.10.2 -c 5
+ping 192.168.10.3 -c 5
+ping 192.168.10.100 -c 5
+sleep 5s

e2e/generate-server-hub-and-spoke-access/C-charlie-wireguard.conf

@@ -0,0 +1,10 @@
+[Interface]
+ListenPort = 0
+Address = 192.168.10.2/24
+PrivateKey = qAZcc4ZZYiw+ZhY9TKCzoCiDlqEvTUq6c4QuSjeua0g=
+
+[Peer]
+PublicKey = Fp0MHw3rAwT669FDaKP+LJyZdLNllxAKeqs0Q4Oa8Uo=
+PresharedKey = kgXT3nZ+axRrnGwi4I9hfDhgYwOP3pgp5KoROJXXXO4=
+Endpoint = 10.0.0.2:51820
+AllowedIPs = 192.168.10.1/32, 192.168.10.3/32, 192.168.10.100/32

e2e/generate-server-hub-and-spoke-access/D-dave-client-tests.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+ip route add 10.0.0.0/24 via 10.0.3.2
+wg-quick up wg0
+ping 192.168.10.1 -c 5
+ping 192.168.10.2 -c 5
+ping 192.168.10.3 -c 5
+ping 192.168.10.100 -c 5
+sleep 5s

e2e/generate-server-hub-and-spoke-access/D-dave-wireguard.conf

@@ -0,0 +1,10 @@
+[Interface]
+ListenPort = 0
+Address = 192.168.10.3/24
+PrivateKey = ULJFP/EBHEBEfQPmVJw/EkjJHJItyY5qvIm/SdTnblY=
+
+[Peer]
+PublicKey = Fp0MHw3rAwT669FDaKP+LJyZdLNllxAKeqs0Q4Oa8Uo=
+PresharedKey = WxMl2W9b2J0ZyAkDNJ73aeFlvML65UeA2bhcRLMCjQ0=
+Endpoint = 10.0.0.2:51820
+AllowedIPs = 192.168.10.1/32, 192.168.10.2/32, 192.168.10.100/32

e2e/generate-server-hub-and-spoke-access/README.md

@@ -0,0 +1,11 @@
+# Server to Server
+
+Alice is a public server with wireguard exposed on their chosen port and Bob, Charlie, and Dave are wireguard clients behind NAT with no port forwarding.
+
+## Running this example
+
+```sh
+tsx generate-configs.ts
+docker compose build
+docker compose up --abort-on-container-failure
+```

e2e/generate-server-hub-and-spoke-access/docker-compose.yml

@@ -0,0 +1,155 @@
+services:
+
+  alice:
+    build:
+      context: ..
+      dockerfile: wireguard-client.dockerfile
+    volumes:
+      - ./A-alice-wireguard.conf:/etc/wireguard/wg0.conf:ro
+      - ./A-alice-client-tests.sh:/usr/local/bin/client-tests.sh:ro
+    networks:
+      internet:
+        ipv4_address: 10.0.0.2
+    hostname: ALICE
+    cap_add:
+      - NET_RAW
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+
+  router_bob:
+    build:
+      context: ..
+      dockerfile: router.dockerfile
+    networks:
+      internet:
+        ipv4_address: 10.0.0.3
+      bob_intranet:
+        ipv4_address: 10.0.1.2
+    hostname: BOB-ROUTER
+    cap_add:
+      - NET_RAW
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+
+  bob:
+    build:
+      context: ..
+      dockerfile: wireguard-client.dockerfile
+    depends_on:
+      - router_bob
+    volumes:
+      - ./B-bob-wireguard.conf:/etc/wireguard/wg0.conf:ro
+      - ./B-bob-client-tests.sh:/usr/local/bin/client-tests.sh:ro
+    networks:
+      bob_intranet:
+        ipv4_address: 10.0.1.3
+    hostname: BOB
+    cap_add:
+      - NET_RAW
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+
+  router_charlie:
+    build:
+      context: ..
+      dockerfile: router.dockerfile
+    networks:
+      internet:
+        ipv4_address: 10.0.0.4
+      charlie_intranet:
+        ipv4_address: 10.0.2.2
+    hostname: CHARLIE-ROUTER
+    cap_add:
+      - NET_RAW
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+
+  charlie:
+    build:
+      context: ..
+      dockerfile: wireguard-client.dockerfile
+    depends_on:
+      - router_charlie
+    volumes:
+      - ./C-charlie-wireguard.conf:/etc/wireguard/wg0.conf:ro
+      - ./C-charlie-client-tests.sh:/usr/local/bin/client-tests.sh:ro
+    networks:
+      charlie_intranet:
+        ipv4_address: 10.0.2.3
+    hostname: CHALIE
+    cap_add:
+      - NET_RAW
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+
+  router_dave:
+    build:
+      context: ..
+      dockerfile: router.dockerfile
+    networks:
+      internet:
+        ipv4_address: 10.0.0.5
+      dave_intranet:
+        ipv4_address: 10.0.3.2
+    hostname: DAVE-ROUTER
+    cap_add:
+      - NET_RAW
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+
+  dave:
+    build:
+      context: ..
+      dockerfile: wireguard-client.dockerfile
+    depends_on:
+      - router_dave
+    volumes:
+      - ./D-dave-wireguard.conf:/etc/wireguard/wg0.conf:ro
+      - ./D-dave-client-tests.sh:/usr/local/bin/client-tests.sh:ro
+    networks:
+      dave_intranet:
+        ipv4_address: 10.0.3.3
+    hostname: DAVE
+    cap_add:
+      - NET_RAW
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+
+networks:
+  internet:
+    ipam:
+      config:
+        - subnet: 10.0.0.0/24
+  bob_intranet:
+    ipam:
+      config:
+        - subnet: 10.0.1.0/24
+  charlie_intranet:
+    ipam:
+      config:
+        - subnet: 10.0.2.0/24
+  dave_intranet:
+    ipam:
+      config:
+        - subnet: 10.0.3.0/24

e2e/generate-server-hub-and-spoke-access/generate-configs.ts

@@ -0,0 +1,21 @@
+import * as NodeContext from "@effect/platform-node/NodeContext";
+import * as NodeRuntime from "@effect/platform-node/NodeRuntime";
+import * as Effect from "effect/Effect";
+
+import * as GenerateExample from "../../examples/generate-server-hub-and-spoke-access.js";
+
+const serverAddress = "10.0.0.2:51820:51820" as const;
+const wireguardNetworkCidr = "192.168.10.1/24" as const;
+
+Effect.gen(function* () {
+    const [configAlice, configBob, configCharlie, configDave] = yield* GenerateExample.program(
+        wireguardNetworkCidr,
+        serverAddress
+    );
+    yield* configBob.writeToFile("B-bob-wireguard.conf");
+    yield* configDave!.writeToFile("D-dave-wireguard.conf");
+    yield* configAlice.writeToFile("A-alice-wireguard.conf");
+    yield* configCharlie!.writeToFile("C-charlie-wireguard.conf");
+})
+    .pipe(Effect.provide(NodeContext.layer))
+    .pipe(NodeRuntime.runMain);

e2e/generate-server-to-server-access/A-alice-wireguard.conf

@@ -1,10 +1,10 @@
 [Interface]
 ListenPort = 51820
 Address = 192.168.10.1/24
-PrivateKey = QDBacvTZaGHKInosPrmzn2NI9rCIEhurLA06wLzUjGY=
+PrivateKey = EPCpJOS57XGpWxIRlOYwr5xyfJ7uwSQTj/Qwu2y99nY=
 
 [Peer]
-PublicKey = q+c5YeROkY/qxc13FAntfoLPWo8z/iTQBKcjlyClCnc=
-PresharedKey = UPIwxBjPWK1eguhT8LDd11d6wgF/nRck+Idmf90oQWM=
+PublicKey = RSnQYXI1FE0MgYZVI780+3YN2xUBscNs+b2JMotBQw8=
+PresharedKey = XAd/VpKlkmGKUHl+qXHgHQ6ln5fbMxO/RKWjRGsGTvU=
 Endpoint = 10.0.0.3:51820
 AllowedIPs = 192.168.10.2/32

e2e/generate-server-to-server-access/B-bob-wireguard.conf

@@ -1,10 +1,10 @@
 [Interface]
 ListenPort = 51820
 Address = 192.168.10.2/24
-PrivateKey = SCFiFp2OwpaFiHNPYjFj3PXkPF25/fo2l1RpzZVaMHE=
+PrivateKey = 6CF+v2CjusV/GqHxutkGyflaqva0TGDNuuho8V8LWlA=
 
 [Peer]
-PublicKey = X8sLkkXWydHyjeHk7NFTgSmJtbXj1t84IQOvqj0b0nU=
-PresharedKey = UPIwxBjPWK1eguhT8LDd11d6wgF/nRck+Idmf90oQWM=
+PublicKey = xL/IW3wfqwSOxR4xM++idwHe4XDLeohv+VMhSdb04T4=
+PresharedKey = XAd/VpKlkmGKUHl+qXHgHQ6ln5fbMxO/RKWjRGsGTvU=
 Endpoint = 10.0.0.2:51820
 AllowedIPs = 192.168.10.1/32

e2e/router.dockerfile

@@ -1,3 +1,3 @@
 FROM alpine:latest
 RUN apk add bash iproute2 iptables tcpdump --no-cache
-CMD ["sh", "-c", "iptables -A FORWARD -j ACCEPT && iptables -t nat -A POSTROUTING -j MASQUERADE && sleep 10s"]
+CMD ["sh", "-c", "iptables -A FORWARD -j ACCEPT && iptables -t nat -A POSTROUTING -j MASQUERADE && sleep 30s"]