Category Archives: Security

Configure apache to log the real client IP instead of cloudflare IP in http access logs (WordPress)

If you are running a WordPress site and you have cloudflare setup, you may have noticed that the http access logs log the IP of cloudflare instead of the actual client IP. This is a guide to enable logging of the real client IP instead of the cloudflare IP in the apache2 logs. This was tested on a Ubuntu 20.04 machine + apache2 and traffic is proxied from cloudflare.

Install Prerequisites:

sudo apt-get install apache2-dev libtool git

Git clone the mod_clouflare repo from cloulflare:

cd ~/
git clone https://github.com/cloudflare/mod_cloudflare.git
cd mod_cloudflare

Use the Apache extension tool to convert the .c file into a module:

apxs -a -i -c mod_cloudflare.c

Restart Apache:

sudo apachectl restart

Verify that the module is active:

apache2ctl -M|grep cloudflare

The output should show “cloudflare_module (shared)

Now your apache logs should show the real client IP instead of the cloudflare IPs.

tail -f /var/log/apache2/access.log

-Below is screenshot of access log that shows the real client IP(right click and open image in new lab for high res image):

access.log screenshot

Sources/Credits/References:

Cloudflare
Noirth Security

Setup Wireguard VPN Server and Client in Ubuntu 20.04

This a guide on how to setup Wireguard VPN on Ubuntu and setting up a Wireguard client.

Requirements:

1. Ubuntu Server 20.04 used in my lab. (20.04 or higher is required for Policy routing)

2. Ubuntu Client (Ubuntu 20.04)

3. Root access to the server.

4. Network Access

Note: This should also work on Linux Mint 20.04

Setting up the Wireguard Server

Login to the In my lab, I have set up a EC2 instance and below is the current IP configuration before setting up Wireguard.

root@ip-172-31-20-229:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:ca:92:5f:0e:80 brd ff:ff:ff:ff:ff:ff
    inet 172.31.20.229/20 brd 172.31.31.255 scope global dynamic eth0
       valid_lft 2617sec preferred_lft 2617sec
    inet6 fe80::ca:92ff:fe5f:e80/64 scope link 
       valid_lft forever preferred_lft forever

From above, I have a single interface with IP 172.31.20.229 assigned to eth0.

sudo apt update && sudo apt upgrade -y
sudo apt install wireguard -y

-Switch to root and run the following:

sudo su –

Below are the default permissions on the wireguard dir:

root@ip-172-31-20-229:~# ls -l /etc/ | grep wireguard
drwx------ 2 root root       4096 Aug  4  2020 wireguard

-You could set permissions to the directory as follows:

chmod 0700 /etc/wireguard/
root@ip-172-31-20-229:~# ls -l /etc/ | grep wireguard
drwx------ 2 root root       4096 Aug  4  2020 wireguard

To check the version of Wireguard installed:

root@ip-172-31-20-229:/etc/wireguard# wg --version
wireguard-tools v1.0.20200513 - https://git.zx2c4.com/wireguard-tools/

-Generate public and private key pairs:

cd /etc/wireguard/
umask 077; wg genkey | tee privatekey | wg pubkey > publickey

This should generate the private and the public key:

root@ip-172-31-20-229:/etc/wireguard# ls -l
total 8
-rw------- 1 root root 45 Jun 30 20:23 privatekey
-rw------- 1 root root 45 Jun 30 20:23 publickey

-Take a note of the private key “privatekeycat privatekey . You will need to add this to the WG server’s conf file.

Setting up the Wireguard Server’s configuration file

vim /etc/wireguard/wg0.conf

Add below content. (Here, I chose the IP as 192.168.6.1 which is the new VPN private address that will be assigned to the interface)

[Interface]
## My VPN server private IP address ##
Address = 192.168.6.1
 
## My VPN server port ##
ListenPort = 41194
 
## VPN server's private key i.e. string from /etc/wireguard/privatekey ##
PrivateKey = ADD_PRIVATE_KEY_HERE

-Allow the port in the Server’s Firewall:

root@ip-172-31-20-229:~# sudo ufw allow 41194/udp
Rules updated
Rules updated (v6)

-To check the status:

sudo ufw status

– Enable wireguard service on boot on the server and start the service:

ubuntu@ip-172-31-20-229:~$ sudo systemctl enable wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/[email protected] → /lib/systemd/system/[email protected].

ubuntu@ip-172-31-20-229:~$ sudo systemctl start wg-quick@wg0

To check the status of the wireguard service, use the following:

root@ip-172-31-20-229:~# sudo systemctl status wg-quick@wg0
[email protected] - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/[email protected]; enabled; vendor preset: enabled)
     Active: active (exited) since Thu 2022-06-30 21:29:01 UTC; 8min ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 2230 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 2230 (code=exited, status=0/SUCCESS)

Jun 30 21:29:01 ip-172-31-20-229 systemd[1]: [email protected]: Succeeded.
Jun 30 21:29:01 ip-172-31-20-229 systemd[1]: Stopped WireGuard via wg-quick(8) for wg0.
Jun 30 21:29:01 ip-172-31-20-229 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Jun 30 21:29:01 ip-172-31-20-229 wg-quick[2230]: [#] ip link add wg0 type wireguard
Jun 30 21:29:01 ip-172-31-20-229 wg-quick[2230]: [#] wg setconf wg0 /dev/fd/63
Jun 30 21:29:01 ip-172-31-20-229 wg-quick[2230]: [#] ip -4 address add 192.168.6.1/24 dev wg0
Jun 30 21:29:01 ip-172-31-20-229 wg-quick[2230]: [#] ip link set mtu 8921 up dev wg0
Jun 30 21:29:01 ip-172-31-20-229 systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

Checking the ifconfig output, you would see a new interface wg0 is created automatically which is expected.

root@ip-172-31-20-229:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:ca:92:5f:0e:80 brd ff:ff:ff:ff:ff:ff
    inet 172.31.20.229/20 brd 172.31.31.255 scope global dynamic eth0
       valid_lft 2235sec preferred_lft 2235sec
    inet6 fe80::ca:92ff:fe5f:e80/64 scope link 
       valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8921 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 192.168.6.1/24 scope global wg0
       valid_lft forever preferred_lft forever

– You can check wireguard information/stats using the below command:

ubuntu@ip-172-31-20-229:~$ sudo wg
interface: wg0
  public key: pHrkGojLiNZy2GwshmdEXMaaOmowXXXXXXXXXXXXXXX=
  private key: (hidden)
  listening port: 41194

Configuring the VPN Client

  • Login to the client and install Wireguard.
sudo apt install wireguard -y

– Create the configuration file

root@wg-client:~# sudo sh -c 'umask 077; touch /etc/wireguard/wg0.conf'

root@wg-client:~# ls -l /etc/wireguard/wg0.conf 
-rw------- 1 root root 0 Jun 30 20:58 /etc/wireguard/wg0.conf
  • Create a key pair in the client

– In the client machine, create a key pair:

root@wg-client:~# cd /etc/wireguard/

root@wg-client:/etc/wireguard# umask 077; wg genkey | tee privatekey | wg pubkey > publickey

root@wg-client:/etc/wireguard# ls -l 
total 8
-rw------- 1 root root 45 Jun 30 21:01 privatekey
-rw------- 1 root root 45 Jun 30 21:01 publickey
-rw------- 1 root root  0 Jun 30 20:58 wg0.conf
root@wg-client:/etc/wireguard# 

– Take a note of the client’s public key. (This will be added in the server’s config later)

-Take a note of the private key from the client. This will be added in its own config file.

cat privatekey

– On the client, create the wireguard config file as below:

[Interface]
## Add the client's private key which is from /etc/wireguard/publickey ##
PrivateKey = CLIENT_PRIVATE_KEY_HERE
 
## Client ip address that will be set by this Client ##
Address = 192.168.6.2/24
  
[Peer]
## Ubuntu 20.04 server public key ##
PublicKey = SERVER_PUBLIC_KEY_HERE
 
## set ACL ##
AllowedIPs = 192.168.2.0/24
  
## Your Ubuntu 20.04 LTS server's public IPv4/IPv6 address and port ##
Endpoint = PUBLIC_IP_OF_YOUR_WIREGUARD_SERVER:41194
   
##  Key connection alive ##
PersistentKeepalive = 15

-On the client, enable and start the Wireguard service:

root@wg-client:/etc/wireguard# sudo systemctl enable wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/[email protected] -> /lib/systemd/system/[email protected].

root@wg-client:/etc/wireguard# sudo systemctl start wg-quick@wg0

– Check the status of the service in the client:

root@wg-client:~# sudo systemctl status wg-quick@wg0
* [email protected] - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/[email protected]; enabled; vendor preset: enabled)
     Active: active (exited) since Thu 2022-06-30 21:35:17 UTC; 5min ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 123 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 123 (code=exited, status=0/SUCCESS)
        CPU: 28ms

Jun 30 21:35:17 wg-client systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Jun 30 21:35:17 wg-client wg-quick[123]: [#] ip link add wg0 type wireguard
Jun 30 21:35:17 wg-client wg-quick[123]: [#] wg setconf wg0 /dev/fd/63
Jun 30 21:35:17 wg-client wg-quick[123]: [#] ip -4 address add 192.168.6.2/24 dev wg0
Jun 30 21:35:17 wg-client wg-quick[123]: [#] ip link set mtu 1420 up dev wg0
Jun 30 21:35:17 wg-client systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

-From the above output, we can see that the wireguard service has created the interface wg0 and assigned the IP 192.168.6.2/24 to it. You could also verify this by checking by checking the device ip conf as below:

root@wg-client:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if114: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether aa:3c:37:57:21:8a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.143/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 86010sec preferred_lft 86010sec
    inet6 fe80::a83c:37ff:fe57:218a/64 scope link 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 192.168.6.2/24 scope global wg0
       valid_lft forever preferred_lft forever

So far, we can configured the client to talk to the server. But the Server does not know about the client. So, next we need to update the Server’s Wireguard configuration file with the details of the wireguard client.

-Login to the Wireguard Server and add the below block to the server’s wireguard conf:

[Peer]
## Desktop/client VPN public key ##
PublicKey = CLIENT_PUB_KEY_HERE

## client VPN IP address (note  the /32 subnet) ##
AllowedIPs = 192.168.6.2/32

-So, your Wireguard server’s configuration file will be as follows:

[Interface]
## My VPN server private IP address ##
Address = 192.168.6.1
 
## My VPN server port ##
ListenPort = 41194
 
## VPN server's private key i.e. /etc/wireguard/privatekey ##
PrivateKey = ADD_PRIVATE_KEY_HERE

[Peer]
## Desktop/client VPN public key ##
PublicKey = CLIENT_PUB_KEY_HERE

## client VPN IP address (note  the /32 subnet) ##
AllowedIPs = 192.168.6.2/32

– Start the service again on the server:

sudo systemctl start wg-quick@wg0

Verify connectivity from the client => server:

– If the server is in the cloud, then update the security groups tallow the port.

– From the client, ping the server 192.168.6.1

root@wg-client:~# ping 192.168.6.1
PING 192.168.6.1 (192.168.6.1) 56(84) bytes of data.
64 bytes from 192.168.6.1: icmp_seq=1 ttl=64 time=81.9 ms
64 bytes from 192.168.6.1: icmp_seq=2 ttl=64 time=82.5 ms
^C
--- 192.168.6.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 81.886/82.172/82.458/0.286 ms

Checking active connections from Wireguard server:

– To see which clients are connected to the server and the statistics, you can run the below:

root@ip-172-31-20-229:~# sudo wg
interface: wg0
  public key: pHrkGojLiNZy2GwshmdEXMaaOmowXXXXXXXXXXXXXXX=
  private key: (hidden)
  listening port: 41194

peer: 8Zp7Cji5Aseew3L0P3c35sUzJNIPYYYYYYYYYYYYYYY=
  endpoint: 1.2.3.4:33395
  allowed ips: 192.168.6.2/32
  latest handshake: 1 minute, 12 seconds ago
  transfer: 3.94 KiB received, 1.47 KiB sent

 

Additional Information:

For debugging issue with wireguard, you could check the logs:

sudo journalctl -eu wg-quick@wg0

Here is a little cronjob to monitor the tunnel via ping and restart tunnel: (Credits to linuxbabe)

sudo crontab -e

-Add the below:

SHELL=/bin/bash
* * * * * for ((i=1; i<=6; i++)) do (ping -c9 192.168.6.1 > /dev/null || systemctl restart wg-quick@wg0) done

Hope this helps! Cheers!

Sources/References:

https://www.cyberciti.biz/faq/ubuntu-20-04-set-up-wireguard-vpn-server/

Set Up Your Own WireGuard VPN Server on Ubuntu 24.04/22.04/20.04

Hexadecimal basics using basic Linux utilities

This is short guide on how to convert strings and decimal values to hexadecimal and vice-versa using simple Linux utilities such as xxd and printf.

  1. To convert a string to hexadecimal, you can use xxd in Linux.

For example: To convert a string “kali” to hexadecimal, you can use the below format.

extr3me@op3n:~$ echo -n kali | xxd
00000000: 6b61 6c69 kali

To group and display the output a single character at a time, use -c  flag with argument 1.

extr3me@op3n:~$ echo -n kali | xxd -c1
00000000: 6b k
00000001: 61 a
00000002: 6c l
00000003: 69 i

This means the following:

00000000: 6b k <- k is a single character and its hexadecimal value is 6b
00000001: 61 a <- a is a single character and its hexadecimal value is 61
00000002: 6c l <- l is a single character and its hexadecimal value is 6c
00000003: 69 i <- i is a single character and its hexadecimal value is 69

2. Convert Hexadecimal value back to string:

extr3me@op3n:~$ echo -n "6b61 6c69" | xxd -r -p
kali

Dont worry about the spaces, it should still work.

extr3me@op3n:~$ echo -n "6b616c69" | xxd -r -p
kaliextr3me@op3n:~$

3. Convert decimal (number) to hexadecimal

-Lets say you want to convert number 12 to decimal value. To do so, you could use printf as shown below.

extr3me@op3n:~$ printf "%x\n" 12
c

From above output, the hexadecimal value for number 12 (aka decimal 12) is character c.

To find hexadecimal values for values from 1 to 255, you could run through it in a loop

for num in {1..255}; do printf "%x\n" $num ; done | less

Hope these help.

PS: Knowing hexadecimal does come in handy while learning/debugging different protocols.