Competition VPN Network Instructions

As part of CPTC this year, competitors must connect via a Wireguard VPN. While Wireguard is easy to use, this guide provides step-by-step instructions for getting connected.

Installing Wireguard

Wireguard comes with official installers for the majority of platforms, including Windows, macOS, and most Linux distributions. Please refer to https://www.wireguard.com/install/ for the installer appropriate to your system. Plenty of guides are available for installing Wireguard; refer to these if you have issues, or create a support ticket if you still have issues.

Getting your Wireguard Profile

Each team will be provided a set of Wireguard profiles, available from the Competitors Portal. Please note the following common issues:

  1. Do not attempt to put multiple blocks into a single configuration file; that will not work properly.
  2. Make sure each competitor has exactly one configuration, as all competitors need a unique Address line in the configuration.
  3. WireGuard configurations should be saved as plain text.
  4. This Address is the "Client VPN IP"; ensure no two competitors have the same IP address or configuration file. This is often a manual step on Linux.
  5. The 10.0.254.0/24 range is the Jump Box (client) range for you to connect to. The VPN cannot be used to connect to things outside of this range. You must use the Kali or Windows jump boxes to connect to the environment.

Connecting

Below are the instructions to connect to the VPN on your respective platform:

Windows

  1. Ensure the Wireguard Client is installed on the system in question
  2. Use a text editor such as VSCode or Notepad++ to save the configuration file. Do not use Notepad or WordPad, as they can corrupt the line endings and make the file unusable for Wireguard.
  3. Open the Wireguard client and open the Import Wireguard Config 
  4. Import the configuration and ensure the configuration matches the file
  5. Click "Activate"
  6. Open Command Prompt or your favorite terminal and ping a host in the environment 

macOS

  1. Ensure the Wireguard Client is installed on the system in question. Alternatively, you can use Homebrew to install the wg client; however, that is not covered here. It is recommended you use the graphical client.
  2. Use a text editor such as VSCode, BBEdit, vim, etc. Any text editor can be used; just ensure the file is saved in a place you can access (macOS security restrictions can prevent access to certain directories; generally your home folder is a safe location).
  3. Open the Wireguard client and open the Import Wireguard Config 
  4. Import the configuration and ensure the configuration matches the file
  5. Click "Activate". Please note you may be required to approve network monitoring and access before this will work.
  6. Open another Terminal and attempt to ping a client in the environment 

Linux

Many Linux distributions now provide helper scripts or service files that make enabling Wireguard easier. However, these vary by distribution; please refer to your distribution's documentation if you wish to use them. The guidance below is distribution-agnostic and can be used on any (modern) Linux system.

  1. Ensure the Wireguard Client is installed on the system in question. It is also recommended you have tmux or screen to launch the Wireguard session.
  2. Use a text editor such as vim or nano to write the configuration file.
  3. Remove the Address line from the configuration file and save. Note the IP Address so you can add it to your interface. 
  4. Open the Wireguard client and open the Import Wireguard Config
  5. Ensure IPv4 Forwarding is Enabled in your sysctl.conf

sysctl net.ipv4.ip_forward=1

  6. Create the Wireguard Interface and add the IP Address you saved from the configuration earlier.

ip link add dev wg0 type wireguard
ip addr add 10.255.255.1/32 dev wg0

  7. Load the configuration into Wireguard

wg setconf wg0 cptc-wg.conf

  8. Bring up the interface and finally add a route to the routing table

ip link set wg0 up
ip route add 10.0.254.0/24 dev wg0

  9. Attempt to ping a system on the VPN

All commands combined:

sysctl net.ipv4.ip_forward=1
ip link add dev wg0 type wireguard
ip addr add 10.255.255.1/32 dev wg0
wg setconf wg0 cptc-wg.conf
ip link set wg0 up
ip route add 10.0.254.0/24 dev wg0
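
The helper below is an added example, not part of the original guide: it checks a profile for the common issues listed earlier (Windows line endings, several blocks pasted into one file, a missing or duplicated Address line), extracts the Client VPN IP, and writes the Address-free copy that Linux step 3 asks for. The function names, file names and the sample profile (placeholder keys, endpoint and AllowedIPs) are assumptions.

```sh
#!/bin/sh
# Added example: function names, file names and the sample profile are constructed.

# Constructed sample profile (placeholder keys and endpoint, not real values).
sample_profile() {
    printf '%s\n' '[Interface]' 'PrivateKey = <client-private-key>' \
        'Address = 10.255.255.1/32' '' '[Peer]' 'PublicKey = <server-public-key>' \
        'Endpoint = vpn.example.invalid:51820' 'AllowedIPs = 10.0.254.0/24'
}

# Return non-zero if the profile shows one of the common issues listed earlier.
check_profile() {
    if grep -q "$(printf '\r')" "$1"; then
        echo "error: $1 has CRLF line endings" >&2; return 1
    fi
    # Several [Interface] blocks mean multiple profiles were pasted into one file.
    n=$(grep -ci '^[[:space:]]*\[Interface]' "$1" || true)
    if [ "$n" -ne 1 ]; then
        echo "error: expected 1 [Interface] block, found $n" >&2; return 1
    fi
    n=$(grep -ci '^[[:space:]]*Address[[:space:]]*=' "$1" || true)
    if [ "$n" -ne 1 ]; then
        echo "error: expected 1 Address line, found $n" >&2; return 1
    fi
}

# Print the Client VPN IP taken from the Address line.
profile_address() {
    sed -n 's/^[[:space:]]*[Aa]ddress[[:space:]]*=[[:space:]]*\([^[:space:],]*\).*/\1/p' "$1"
}

# Print the profile without its Address line, ready for `wg setconf`.
strip_address() {
    grep -vi '^[[:space:]]*Address[[:space:]]*=' "$1"
}

# Validate "$1", write the Address-free copy to "$2" (owner-only: it holds the key), print the commands.
prepare_profile() {
    check_profile "$1" || return 1
    addr=$(profile_address "$1")
    (umask 077; strip_address "$1" > "$2")
    printf 'ip link add dev wg0 type wireguard\nip addr add %s dev wg0\n' "$addr"
    printf 'wg setconf wg0 %s\nip link set wg0 up\n' "$2"
    printf 'ip route add 10.0.254.0/24 dev wg0\n'
}

# Demo on the constructed profile.
tmp=$(mktemp -d); sample_profile > "$tmp/portal.conf"
prepare_profile "$tmp/portal.conf" "$tmp/cptc-wg.conf"; rm -rf "$tmp"
```

The printed commands still need to be run as root, and each competitor runs the helper on their own profile so the Address values stay unique.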