Setting up a bastion server is crucial for maintaining the security and accessibility of computer networks. A bastion server acts as a proxy or load balancer for applications, allowing access to servers located in DMZ networks. One modern solution for setting up a bastion server is Warpgate, a Rust-based tool that provides a web-based administration dashboard. In this tutorial, we will guide you through the process of setting up a bastion server for SSH and MySQL/MariaDB connections on a Debian 11 server using Warpgate.
Prerequisites
Before we dive into the installation process, let’s make sure we have all the necessary prerequisites in place:
- A Linux server running Debian 11: For this tutorial, we’ll be using a server with the hostname ‘warpgate-debian’ and IP address ‘192.168.5.10’.
- A non-root user with sudo/root administrator privileges: This will ensure that you have the necessary permissions to carry out the installation and configuration steps.
Download Warpgate Binary File
To begin the installation, we need to download the Warpgate binary file from the official GitHub repository. Open your terminal and run the following command to download the binary file:
wget -q https://github.com/warp-tech/warpgate/releases/download/v0.7.0/warpgate-v0.7.0-x86_64-linux
Once the download is complete, move the binary file to the ‘bin’ directory using the following commands:
sudo mv warpgate-v0.7.0-x86_64-linux /usr/local/bin/warpgate
sudo chmod +x /usr/local/bin/warpgate
After moving the binary file, verify the Warpgate version and check the available parameters by running the following commands:
warpgate version
warpgate --help
Configuring Warpgate as Bastion Server
Now that we have the Warpgate binary file, let’s proceed with the configuration process. Run the following command to configure Warpgate as the bastion server:
warpgate setup
During the configuration process, you’ll be prompted to make several choices:
- Warpgate Data Storage: You can leave the default option to store Warpgate data in the ‘/var/lib/warpgate’ directory.
- Warpgate Web Administration Dashboard: You can leave the default option to run Warpgate on your internal/public IP address with port 8888.
- SSH Connections: Input ‘yes’ to enable Warpgate as the SSH bastion server.
- SSH Bastion Server Endpoint: You can leave the default option to run the SSH bastion server on the internal/public IP address with port 2222.
- MySQL Connections: Input ‘yes’ to enable Warpgate as a MySQL bastion server.
- MySQL Bastion Server Endpoint: You can leave the default option to use port 33306.
- User Session Logging: Input ‘yes’ to enable user session logging.
- Default User Admin Password: Set up a password for the default user ‘admin’.
After completing the setup process, you can view the Warpgate configuration file ‘/etc/warpgate.yaml’ and the data directory ‘/var/lib/warpgate’ using the following commands:
cat /etc/warpgate.yaml
ls /var/lib/warpgate
To start the Warpgate bastion server, run the following command:
warpgate --config /etc/warpgate.yaml run
Open your web browser and visit the Warpgate IP address with port 8888 (e.g., https://192.168.5.10:8888/). You should see the Warpgate login page. Press Ctrl+C in the terminal to terminate the Warpgate process.
Running Warpgate as a Systemd Service
To run Warpgate as a systemd service, we need to create a new systemd unit file. Open a text editor and create the file ‘/etc/systemd/system/warpgate.service’ with the following content:
[Unit]
Description=Warpgate
After=network.target
StartLimitIntervalSec=0
[Service]
Type=notify
Restart=always
RestartSec=5
ExecStart=/usr/local/bin/warpgate --config /etc/warpgate.yaml run
[Install]
WantedBy=multi-user.target
Save the file and reload the systemd manager to apply the changes:
sudo systemctl daemon-reload
Start and enable the Warpgate service by running the following commands:
sudo systemctl start warpgate
sudo systemctl enable warpgate
Verify the status of the Warpgate service to ensure that it is running:
sudo systemctl status warpgate
If the service is active, you should see a message indicating that Warpgate is running.
Setting up UFW
In this section, we will install and configure UFW (Uncomplicated Firewall) to secure our Debian server and allow access to the necessary ports used by Warpgate.
To install UFW, run the following command:
sudo apt install ufw
Once UFW is installed, open the necessary ports by running the following commands:
sudo ufw allow OpenSSH
sudo ufw allow 8888/tcp
sudo ufw allow 2222/tcp
sudo ufw allow 33306/tcp
After opening the ports, start and enable UFW using the following command:
sudo ufw enable
Verify the UFW status to ensure that the necessary ports are added:
sudo ufw status
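The rules above let any source address reach all three Warpgate listeners, including the admin dashboard on port 8888. The following check is an added example (not part of the original tutorial or of Warpgate) that reads ‘ufw status’ output and reports which of the tutorial's ports are open to Anywhere; the function names and both sample rule listings are constructed for illustration.

```shell
# Added example: flag Warpgate ports that UFW exposes to any source address.
WARPGATE_PORTS="8888 2222 33306"   # web admin, SSH bastion, MySQL bastion (from this tutorial)
# world_open_ports: read `ufw status` text on stdin and print, one per line,
# each Warpgate port that has an ALLOW rule whose source is "Anywhere".
world_open_ports() {
    awk -v ports="$WARPGATE_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            split($1, parts, "/")            # "8888/tcp" -> "8888"
            port = parts[1]
            if (!(port in want)) next
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") break
            if (i > NF) next                 # no ALLOW action on this line
            src = $(i + 1)
            if (src == "IN") src = $(i + 2)  # `ufw status verbose` prints "ALLOW IN"
            if (src == "Anywhere" && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# audit_warpgate_ufw: list world-open ports; return 1 if the admin dashboard (8888) is one.
audit_warpgate_ufw() {
    open=$(world_open_ports)
    for port in $open; do echo "port $port/tcp: ALLOW from Anywhere"; done
    case " $(echo $open) " in *" 8888 "*) return 1 ;; esac
}

# Constructed sample: the rules this tutorial creates.
sample_tutorial_rules() {
    cat <<'EOF'
To                         Action      From
OpenSSH                    ALLOW       Anywhere
8888/tcp                   ALLOW       Anywhere
2222/tcp                   ALLOW       Anywhere
33306/tcp                  ALLOW       Anywhere
2222/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

# Constructed sample: admin and MySQL ports limited to a management subnet.
sample_restricted_rules() {
    cat <<'EOF'
2222/tcp                   ALLOW       Anywhere
8888/tcp                   ALLOW       192.168.5.0/24
33306/tcp                  ALLOW       192.168.5.0/24
EOF
}

sample_tutorial_rules | audit_warpgate_ufw || echo "admin dashboard is world-reachable"
```

On a live host, pipe the real listing into it: sudo ufw status | audit_warpgate_ufw. A non-zero exit status means port 8888 is reachable from any address.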
Logging into Warpgate
With Warpgate running as a systemd service and UFW enabled, we can now log in to the Warpgate installation.
Open your web browser and visit the server IP address followed by port 8888 (e.g., https://192.168.5.10:8888/). You will see the Warpgate login page. Log in using the default username ‘admin’ and the password you set during the configuration process.
Once logged in as ‘admin’, click on the menu ‘Manage Warpgate’ to access the Warpgate user dashboard.
Congratulations! You have successfully installed and configured Warpgate as a bastion server for SSH and MySQL/MariaDB connections. Now let’s proceed to add the target servers to Warpgate.
Adding SSH Target Server
In this section, we will add a Linux server with the IP address ‘192.168.5.25’ and hostname ‘node1’ as a target server in Warpgate for SSH connections.
To add the SSH target server, we need to copy the Warpgate SSH public key from the Warpgate dashboard. Follow these steps:
- Log in to the Warpgate web administration dashboard.
- Click on the ‘SSH’ menu.
- Copy the Warpgate SSH public key.
Next, log in to the target server and create a new directory ‘~/.ssh’ if it doesn’t exist. Then, create the file ‘authorized_keys’ using the following command:
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
Paste the Warpgate SSH public key into the ‘authorized_keys’ file and save it.
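A scripted alternative to pasting the key by hand, as an added example that is not part of the original tutorial or of Warpgate: it sets the permissions sshd expects, skips keys that are already installed, and pins each key to the bastion address with the authorized_keys ‘from=’ option. The function names and sample keys are constructed, and it assumes the target sees connections arriving from 192.168.5.10 with no NAT in between.

```shell
# Added example: install Warpgate's public key(s) on a target, pinned to the bastion address.
BASTION_IP="192.168.5.10"   # Warpgate server address used in this tutorial

# install_bastion_keys HOME_DIR: read public keys on stdin, append the ones
# not yet present to HOME_DIR/.ssh/authorized_keys, print how many were added.
# The body is a subshell so the umask change does not leak to the caller.
install_bastion_keys() (
    ssh_dir="$1/.ssh"
    auth="$ssh_dir/authorized_keys"
    added=0
    umask 077
    # With StrictModes (the sshd default), keys in files writable by others are refused.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    while IFS= read -r line; do
        # Accept only "<key-type> <base64-blob> [comment]"; skip everything else.
        printf '%s\n' "$line" |
            grep -Eq '^[a-z0-9@.-]+ AAAA[A-Za-z0-9+/]+=*( .*)?$' || continue
        blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
        # Idempotent: a key whose blob is already in the file is not added twice.
        grep -qF -- "$blob" "$auth" && continue
        # from= makes sshd accept this key only for connections from the bastion.
        printf 'from="%s" %s\n' "$BASTION_IP" "$line" >> "$auth"
        added=$((added + 1))
    done
    echo "$added"
)

# Constructed sample input: placeholder blobs, not real keys, plus a junk line.
sample_keys() {
    cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlobOnly0000000000000000000 warpgate
this line is not a key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABConstructedSampleBlobOnly1111 warpgate
EOF
}

demo_home=$(mktemp -d)
sample_keys | install_bastion_keys "$demo_home"   # first run adds both keys
sample_keys | install_bastion_keys "$demo_home"   # second run adds none
rm -rf "$demo_home"
```

On the target, save the key copied from the dashboard to a file and run: install_bastion_keys "$HOME" < warpgate.pub (the file name is a placeholder).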
Now, go back to the Warpgate dashboard and click the ‘Config’ menu. Select ‘Add a target’ and provide the hostname and type as ‘SSH’. Click ‘Create target’ to proceed.
Make sure to change the target server IP address and the user details according to your setup. Select ‘Warpgate’s private keys’ for authentication and enable the ‘warpgate:admin’ role. Click ‘Update configurations’ to save the changes.
With the SSH target server added, you can now connect to it via the Warpgate bastion server. Use the following command to establish an SSH connection:
ssh 'test@example.com' -p 2222
When prompted, enter the password for the ‘admin’ user of the bastion server. If the connection is successful, you will be logged in to the target server via the Warpgate SSH bastion server.
Adding MySQL/MariaDB Target Server
In this section, we will add a MySQL/MariaDB server to Warpgate as a target server. Before adding it to Warpgate, we need to configure the MySQL/MariaDB server and create a new user for remote connections.
First, log in to the MySQL/MariaDB server and open the configuration file ‘/etc/mysql/mariadb.conf.d/50-server.cnf’ using the following command:
sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
Uncomment the ‘bind-address’ parameter and change the value to the internal IP address of the server (e.g., ‘192.168.5.25’). Save the file and restart the MySQL/MariaDB service to apply the changes:
sudo systemctl restart mariadb
Next, log in to the MariaDB shell as the root user and create a new user for remote connections. Run the following commands:
sudo mariadb -u root -p
CREATE USER 'appuser'@'%' IDENTIFIED BY 'yourpassword';
GRANT ALL PRIVILEGES ON *.* TO 'appuser'@'%' IDENTIFIED BY 'yourpassword';
FLUSH PRIVILEGES;
EXIT;
Now, install the MariaDB client package on the machine from which you want to connect to the MariaDB server:
sudo apt install mariadb-client
Switch back to the Warpgate server, navigate to the ‘/var/lib/warpgate’ directory, and copy the Warpgate TLS certificates to the MariaDB client machine:
cd /var/lib/warpgate/
sudo scp tls.certificate.pem tls.key.pem test@example.com:/etc/mysql/
On the MariaDB client machine, open the MariaDB client configuration file ‘/etc/mysql/mariadb.conf.d/50-client.cnf’ using the following command:
sudo nano /etc/mysql/mariadb.conf.d/50-client.cnf
Add the following configurations to the ‘[client]’ section to enable a secure client connection:
[client]
...
ssl-cert=/etc/mysql/tls.certificate.pem
ssl-key=/etc/mysql/tls.key.pem
Save the file and restart the MariaDB service on the client machine:
sudo systemctl restart mariadb
Return to the Warpgate dashboard and click the ‘Config’ menu. Select ‘Add a target’ and provide the MariaDB server details. Choose the type as ‘MySQL’ and set the appropriate host, user, and password. Disable the ‘Verify certificate’ option if you are using default TLS certificates. Enable the ‘warpgate:admin’ role and click ‘Update configuration’ to save the changes.
With the MariaDB server added to Warpgate, you can now connect to it via the Warpgate MySQL/MariaDB Bastion server. Use the following command:
mysql -u 'admin#mysql1' --host '192.168.5.10' --port 33306 --ssl -p
Enter the password for the Warpgate admin user when prompted. If the connection is successful, you will be logged in to the MariaDB server via the Warpgate MySQL/MariaDB Bastion server.
Conclusion
In this tutorial, we have walked through the process of setting up a bastion server with Warpgate on Debian 11. We started by downloading the Warpgate binary file and configuring it as a bastion server for SSH and MySQL/MariaDB connections. We then set up Warpgate to run as a systemd service and enabled UFW to secure our server. Finally, we added SSH and MySQL/MariaDB target servers to Warpgate and demonstrated how to connect to them via the bastion server.
Setting up a bastion server is essential for enhancing the security and accessibility of your network infrastructure. By centralizing user connections and using a tool like Warpgate, you can streamline and manage access to your servers more effectively.
Now that you have learned how to set up a bastion server with Warpgate, you can enhance the security of your network infrastructure and manage user access more efficiently. Happy server management!