VPN & Remote Access

🔥 Vibe Prompt

"Set up WireGuard VPN for remote access to internal services."

WireGuard Setup

# Install
sudo apt install wireguard

# Generate keys (umask 077 so private.key is readable only by you)
umask 077
wg genkey | tee private.key | wg pubkey > public.key

# Server config: /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
# Forward tunnel traffic and NAT it out of the uplink (replace eth0 with yours)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client-public-key>
# One /32 per client: this is the only source address the peer may send from
AllowedIPs = 10.0.0.2/32

# The kernel must forward packets for PostUp to have any effect
sudo sysctl -w net.ipv4.ip_forward=1   # persist it in /etc/sysctl.d/ as well

# Start
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Client Config

[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24
DNS = 10.0.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/24, 172.16.0.0/12, 192.168.0.0/16
PersistentKeepalive = 25
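The two configs above are easy to get subtly wrong: placeholder keys left in place, or a server-side peer whose AllowedIPs is wider than its single /32 (which lets that peer send traffic from any address in the range and clashes with other peers' cryptokey routing). The following audit script is an added example, not part of the original page; it assumes the wg-quick file format shown above and uses a constructed sample config with a well-formed but fake key.

```python
import base64
import ipaddress

def parse_wg_conf(text):
    """Split a wg-quick config into (interface, [peers]); [Peer] may repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines match nothing
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(current := {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value
    return interface, peers

def valid_key(key):
    """A WireGuard key is exactly 32 bytes, base64-encoded; placeholders fail."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def audit_server_conf(text):
    """Return findings for a server-side wg0.conf; an empty list means it passed."""
    interface, peers = parse_wg_conf(text)
    findings, seen = [], []
    if not valid_key(interface.get("privatekey", "")):
        findings.append("Interface: PrivateKey is a placeholder or malformed")
    for n, peer in enumerate(peers, 1):
        if not valid_key(peer.get("publickey", "")):
            findings.append(f"Peer {n}: PublicKey is a placeholder or malformed")
        for cidr in filter(None, (c.strip() for c in peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen < net.max_prefixlen:  # server side: one client, one /32
                findings.append(f"Peer {n}: AllowedIPs {cidr} is wider than a single host")
            if any(net.overlaps(o) for o in seen):  # ambiguous cryptokey routing
                findings.append(f"Peer {n}: AllowedIPs {cidr} overlaps another peer")
            seen.append(net)
    return findings

# Constructed sample: a well-formed (not real) key, then the page's server config
# with its placeholder private key left in and a second peer claiming the whole /24.
FAKE_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_CONF = "\n".join([
    "[Interface]", "PrivateKey = <server-private-key>",
    "[Peer]", f"PublicKey = {FAKE_KEY}", "AllowedIPs = 10.0.0.2/32",
    "[Peer]", f"PublicKey = {FAKE_KEY}", "AllowedIPs = 10.0.0.0/24",
])
```

Run `audit_server_conf` over the real `/etc/wireguard/wg0.conf` before `wg-quick up`; the sample yields three findings (placeholder key, too-wide peer, overlapping peer).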

WireGuard vs OpenVPN

| Feature | WireGuard | OpenVPN |
|---------|-----------|---------|
| Speed | Fast (kernel) | Slower (userspace) |
| Setup | Simple (2 files) | Complex (PKI) |
| Security | Modern (Noise) | OpenSSL |
| Roaming | Excellent | Good |
| Transport | UDP only | TCP+UDP |

SSH Tunneling (Quick Access)

# Local port forward (access internal DB via bastion)
ssh -L 5432:internal-db:5432 bastion.example.com
# Now connect to localhost:5432 → internal-db:5432

# Dynamic SOCKS proxy
ssh -D 1080 bastion.example.com
# Configure browser SOCKS proxy localhost:1080

# Jump host
ssh -J bastion.example.com internal-server

Teleport (Modern Access)

tsh login --proxy=teleport.example.com --auth=okta
tsh ssh server-name
tsh db connect postgres
tsh app start grafana

Best Practices

  • Use WireGuard (modern, fast, simple)
  • MFA for VPN auth (e.g., OTP)
  • Just-in-time access (approve per session)
  • Audit all VPN access
  • Disconnect idle sessions
  • Use bastion/jump host pattern


VPN: An Encrypted Tunnel Across the Internet

A VPN (Virtual Private Network) builds an encrypted tunnel over the public Internet: when you connect to public Wi-Fi at a café, all of your traffic is protected by the VPN's encryption.

Types of VPN

| Type | Suited for | Protocol |
|:----|:----|:----|
| Site-to-Site VPN | Branch office connecting back to headquarters | IPsec |
| Remote Access VPN | Employees connecting to the company from home | WireGuard, OpenVPN |
| Client VPN | Connecting to an AWS VPC | AWS Client VPN |

Next Chapter Preview: Firewalls and Intrusion Detection

A VPN solves the security of remote access. The next chapter's firewalls and intrusion detection systems handle control of inbound and outbound traffic.
