Oracle Free Tier + Wirehole + Ansible + Terraform = Amazing
Intro
A couple weeks ago, Devin Stokes (follow him on GitHub or Twitter) posted a project called Wirehole, which I found really interesting. It combines Wireguard VPN, Pi-Hole ad-blocker and Unbound DNS server in Docker containers and runs them for free FOREVER on Oracle Cloud.
First, let's address that last line. It seems that, in an attempt to get in the game and draw in the nerd types to learn their cloud platform, Oracle has provided a very generous Free Forever tier which includes two 1 CPU / 1 GB RAM instances for free forever. The catch is that they are assigned to a specific zone in the "home" region you chose, which caused some minor issues as we will see later. In any event, go get yourself an Oracle Cloud Infrastructure (OCI) account now.
The Project
This project deploys a number of Docker containers that you can use to create your own Wireguard based VPN service, network level ad blocking with Pi-hole and DNS over TLS connection in Unbound to help ramp up your network security. These pieces together were dubbed “Wirehole”. Let’s talk about each of these pieces.
Wireguard
Website: https://www.wireguard.com/
WireGuard is a free and open-source software application and communication protocol that implements virtual private network (VPN) techniques to create secure point-to-point connections in routed or bridged configurations.
There are Wireguard clients for all major systems including mobile, so allowing your systems to communicate even when they are in geographically different locations becomes a cinch.
Pi-hole
Website: https://pi-hole.net/
Pi-hole is a network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network.
Think of it as a browser ad-blocker on steroids. It can protect any device that has the Pi-hole set as its DHCP server, including IoT and other 'Smart' devices in your home.
Unbound
Website: https://nlnetlabs.nl/projects/unbound/about/
Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.
What this means is that it will help speed up your DNS by efficiently looking up all of your DNS traffic as well as caching entries for faster resolution. An added bonus is that in this implementation we leverage Cloudflare's super fast 1.1.1.1 DNS and obfuscate our DNS queries from prying ISP eyes by leveraging DNS over TLS (DoT). Don't want your ISP to know how many times your browser requests Pinterest.com? DNS over TLS has you covered.
The Technology
This is a big one, as we leverage a number of technologies to achieve this deployment. I am not going to spend time going over every one, but I have listed them all below so you can go check it out yourself.
Prerequisites
In order to run the Terraform and Ansible code included in this deployment, you will need to install Terraform and Ansible on your deployment system of choice. As you may be using any flavor of Linux, Windows or MacOS, I am only linking below to the general install instructions for each technology.
Also, you will need to go get some information from your Oracle Cloud account (which you set up earlier, right?).
Install Terraform: https://learn.hashicorp.com/tutorials/terraform/install-cli
Install Ansible: https://docs.ansible.com/ansible/latest/installation_guide/
Gather Info From OCI: https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm
- Oracle API signing key
- User OCID
- Tenancy OCID
- Oracle Free Tier Availability Domain (This is important as the default AD chosen may not be where your free OCI servers are.)
Installation
Now that we have all the prep done, let’s launch right into the install.
- Clone this repo to your deployment machine (where you installed Terraform and Ansible):

    git clone https://github.com/mjtechguy/oci-wirehole
    cd oci-wirehole
    terraform init

- Copy the terraform.tfvars.example file to terraform.tfvars.
- Update ALL of the values above the Optional section at the bottom.
- Run terraform plan and, if this completes without any errors, proceed to the next step.
- Run terraform apply --auto-approve and wait for the deployment to finish. When it is complete you should see a new inventory file in the ansible directory.
- Change into the ansible directory by running cd ansible.
- Copy ansible.cfg.example to ansible.cfg. The default values provided will work, but feel free to update them to your liking if you are familiar with Ansible.
- Run ansible all -m ping and make sure it returns a pong confirming your connectivity. If there are no errors, move to the next step.
- Run ansible-playbook main.yml and it will run through all of the provisioning steps and reboot the Wirehole host once to install updates.
- If everything went well, look in the ansible/files/wg_client_configs directory and you should find 10 configuration files for 10 Wireguard peers (Peer1 - Peer10).
- Install Wireguard on your desired devices: https://www.wireguard.com/install/
- (a) Copy the config from Peer1/peer1.conf to your client.
  - (Recommended) If you only want DNS traffic to be passed to your Wirehole deployment, change the AllowedIPs to 10.2.0.0/24. Update your local DNS on the client to have 10.2.0.100 as the first DNS server and another (such as 1.1.1.1) as your secondary.

        [Interface]
        Address = 10.6.0.2
        PrivateKey = ABCDEFGHIJK1234567890ABCDEFGHIJK1234567890
        ListenPort = 51820
        DNS = 10.2.0.100

        [Peer]
        PublicKey = ABCDEFGHIJK1234567890ABCDEFGHIJK1234567890
        Endpoint = WIREHOLIP:51820
        AllowedIPs = 10.2.0.0/24

  - If you want all traffic to flow through the VPN (there is a 10TB monthly limit on OCI free tier, so be aware) then you do not need to update the AllowedIPs, but you will still want to update your client DNS.

        [Interface]
        Address = 10.6.0.2
        PrivateKey = ABCDEFGHIJK1234567890ABCDEFGHIJK1234567890
        ListenPort = 51820
        DNS = 10.2.0.100

        [Peer]
        PublicKey = ABCDEFGHIJK1234567890ABCDEFGHIJK1234567890
        Endpoint = WIREHOLIP:51820
        AllowedIPs = 0.0.0.0/0, ::/0

- (b) If you are using mobile, you can scan the .png file that is included in the peer*/ folder to easily load that config. Once scanned, you can modify the AllowedIPs the same way as shown above if you like.
- Start your Wireguard client and navigate to http://10.2.0.100/admin in your browser to reach the Pi-Hole admin panel. If you can reach it, everything should be working as expected.
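The "DNS only" split-tunnel step above is easy to get subtly wrong by hand (a stray full-tunnel AllowedIPs, or a DNS line that no longer points at the Pi-hole). The following POSIX shell script is an added example, not code from the oci-wirehole project: it rewrites a generated peer config into the DNS-only form and checks the result. It assumes the peer config uses the same keys as the ones shown above, that the Pi-hole answers on 10.2.0.100 and that the Wirehole service network is 10.2.0.0/24; the sample config and the key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of oci-wirehole): turn a full-tunnel WireGuard peer
# config into the "DNS only" split-tunnel form and verify it.
# Assumed values from the walkthrough above:
WIREHOLE_DNS_NET="10.2.0.0/24"   # only this network is routed over the tunnel
PIHOLE_DNS="10.2.0.100"          # Pi-hole address inside the Wirehole network

# Constructed sample of a generated peer config (placeholder keys, not real
# key material). A real run would read Peer1/peer1.conf instead.
SAMPLE_CONF='[Interface]
Address = 10.6.0.2
PrivateKey = PLACEHOLDER_PRIVATE_KEY
ListenPort = 51820
DNS = 10.2.0.100

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = WIREHOLIP:51820
AllowedIPs = 0.0.0.0/0, ::/0'

# dns_only_conf: read a WireGuard config on stdin and emit the same config
# with AllowedIPs narrowed to the Wirehole service network, so that only DNS
# (and the Pi-hole admin panel) traverse the tunnel.
dns_only_conf() {
  sed -e "s|^AllowedIPs *=.*|AllowedIPs = $WIREHOLE_DNS_NET|"
}

# check_conf: read a config on stdin; return 0 when it is in DNS-only form
# (AllowedIPs is exactly the service network and DNS is the Pi-hole),
# otherwise print what is wrong to stderr and return 1.
check_conf() {
  conf=$(cat)
  allowed=$(printf '%s\n' "$conf" | sed -n 's/^AllowedIPs *= *//p')
  dns=$(printf '%s\n' "$conf" | sed -n 's/^DNS *= *//p')
  if [ "$allowed" != "$WIREHOLE_DNS_NET" ]; then
    echo "AllowedIPs is '$allowed', expected $WIREHOLE_DNS_NET" >&2
    return 1
  fi
  if [ "$dns" != "$PIHOLE_DNS" ]; then
    echo "DNS is '$dns', expected $PIHOLE_DNS" >&2
    return 1
  fi
  return 0
}

# Usage on a real peer config:
#   dns_only_conf < Peer1/peer1.conf > peer1-dns-only.conf
#   check_conf < peer1-dns-only.conf && echo "DNS-only config OK"
```

One caveat worth knowing when you follow the recommended split-tunnel setup: the client OS will still have that secondary resolver (1.1.1.1 in the text) configured, and most operating systems do not guarantee strict primary-then-secondary ordering, so some queries may bypass the Pi-hole and its blocklists. If you need every query filtered, leave the client with only 10.2.0.100 as its resolver and rely on the tunnel being up.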
Closing
Thanks again to Devin Stokes for the initial project and to the creators of Pi-Hole, Wireguard and Unbound.
There are a few other tasks that you should do such as:
- Secure port 22 on your OCI Wirehole instance to only allow access from your IP address, or change the SSH port and restrict it as well for extra security.
- Back up your terraform.state file regularly or move the backend Terraform state storage to S3 for easy state management from multiple machines. Don't forget to enable versioning on the bucket.
- Add more clients to the network using the additional Peer configuration files
- Add more blocklists to your Pi-Hole for more effective ad blocking. Good collection of lists here: https://firebog.net/
- Regularly run your Ansible playbook to make sure that your system and Docker containers are up to date.
- Other regular management tasks
Follow Me
You can follow me on social media at the following:
Twitter: https://twitter.com/mjtechguy
GitHub: https://github.com/mjtechguy
Youtube: https://www.youtube.com/channel/UCjrGJ7W90ZT2Cw9oLrEFztA