How to setup a secure VPN based EOS.IO network

This week we started a new endeavor on the EOS BP Infrastructure telegram group to test secure ways to build our network and avoid possible DDoS attacks upon the EOS network launch.

To understand why this approach is useful to avoid DDoS attacks please read this article:
https://steemit.com/cryptocurrency/@eostribe/addressing-ddos-risks-at-eos-launch

This tutorial is made possible by collaboration with @cryptolions, @eluzgin, @xebb, @jemxpat, @eoscafe, @eosvibes

Let's break this down on the required steps to build a "very-secure" EOS network between trusted peers.

Requirements:

1. EOS.IO - DAWN-2018-04-27-ALPHA or newer
2. Wireguard

Install Wireguard on Ubuntu

$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard

Wireguard key generation

WireGuard requires base64-encoded public and private keys. These can be generated using the wg(8) utility:

$ umask 077
$ wg genkey | tee privatekey | wg pubkey > publickey

Wireguard setup

Save the text code below on /etc/wireguard/wg0.conf

[Interface]
Address = 192.168.10.1/24
DNS = 1.1.1.1
SaveConfig = true
ListenPort = 5555
PrivateKey = CCIt1u.....

[Peer]
PublicKey = tIoYj42V.....
AllowedIPs = 192.168.10.2/32
Endpoint = peer-public-endpoint.com:port

[Peer]
PublicKey = tIoY5hsjc.....
AllowedIPs = 192.168.10.3/32
Endpoint = other-peer-public-endpoint.com:port

.
.
.

Modify wg0.conf to inform your private key contained on the privatekey file generated on the previous step and add the public key from all other peers in the network (on the [Peer] sections, repeat for each one)

Use wg-quick to enable wireguard

$ sudo wg-quick up wg0

If you need to add more peers just edit /etc/wireguard/wg0.conf and run:

$ sudo ip link del dev wg0 && sudo wg-quick up wg0

Test Wireguard

$ sudo wg show

You should see something like this:

EOS.IO Peer-key secure setup

To add another layer of security we can whitelist the connections allowed on the EOS node using the built-in peer-key feature.

Create a new key pair for peering purposes

$ cleos create key

Edit you config.ini file and add your peer key pair and the public key from other peers on peer-key (one line for each with double quotes)

allowed-connection = specified
peer-private-key = ["MY_PEER_PUBLIC_KEY","MY_PEER_PRIVATE_KEY"]

p2p-peer-address = 192.168.10.2:9876
peer-key = "PEER1_PUBLIC_KEY"
p2p-peer-address = 192.168.10.3:9876
peer-key = "PEER2_PUBLIC_KEY"
.
.
.

Launching

Launch the network without block production by setting enable-stale-production = false.
Only bios node should produce when he joins at the end of the meshing process.

Troubleshooting EOS.IO handshakes

If you see something similar to the message below on the logs it usually mean that the peer hasn't added the correct peer-private-key settings on the config.ini file

Peer xyz:9876 - 17cc856 sent a handshake with an unauthorized key: EOS1111111111111111111111111111111114T1Anm.

One can check the current peers connections in order to verify signatures on the /v1/net/connections api endpoint if the eosio::net_api_plugin is enabled.

Finally eosio boot node can join and jumpstart the chain. Those measures will allow the eosio node IP to be undisclosed until the final moment, drastically reducing the window for a DDOS attack on the boot node.

Bonus: You can still add HTTPS support using self-signed certificates by following our last tutorial here