VPN¶

To access most of our infrastructure, you'll need to connect to our VPN. For this, you'll need to install the Wireguard client on your machine.

You will need to generate a new key pair for each device you connect to our VPN.

VPN access is required to:

• Download anonymised database dumps from our S3 bucket.
• Connect to our Kubernetes cluster.

Install Wireguard¶

macOS¶

Install Wireguard from the App Store. To generate your private and public keys, you'll also need to install the Wireguard CLI.

This can be done by running:

brew install wireguard-tools

Linux¶

The Linux kernel should have Wireguard support built in. However, you may need to install the wg CLI tool.

On Fedora, this can be done by running:

sudo dnf install wireguard-tools

For other distributions, please refer to the Wireguard documentation.

Generate a new key pair¶

Wireguard uses a public/private key pair to encrypt your traffic.

To generate a new key pair, open a terminal and run the following commands:

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

You now have a privatekey and a publickey file.

You'll need to give the public key to a DevOps engineer, so they can add your device as a trusted peer. To do so, send a message in #devops on Slack with the content of the publickey file. They will send back a configuration file for your device.

A configuration file looks like this:

[Interface]
PrivateKey = <contents of privatekey file>
Address = 10.100.0.N/32
MTU = 1420

[Peer]
Public = ZJVehowgLjiGv7X9herZRdC6WMDNK4iI2Q+nKH2qP0g=
AllowedIPs = 10.0.0.0/8, 172.31.0.0/16
Endpoint = wg.carandclassic.net:51820

You will need to replace <contents of privatekey file> with the content of your privatekey file.