feat: add site 2 site blog post

src/routes/blog/site2sitewireguard/+page.md

@@ -0,0 +1,62 @@
+---
+created: '2022-09-27'
+title: 'Site 2 Site Wireguard VPN with a Mikrotik Router and a Cloud'
+description: ''
+keywords:
+  - cloud
+  - mikrotik
+  - site 2 site
+  - wireguard
+  - vpn
+---
+
+<script>
+import architecture from "./images/_architecture.drawio.png?width=360;720;1280;1920&webp&metadata"
+import peer from "./images/mikrotik_peer.png?width=360;720;1280;1920&webp&metadata"
+
+import Image from "$components/Image.svelte"
+</script>
+
+My network consists out of a server located in country A. Since the largest ISP in country
+B does have terrible peering with the ISP in country A, I thought of setting up a small
+proxy server in country A. This way, I should be able to bypass bad peering, since the
+cloud provider probably organizes good routing to both sides. Since I meant to try out
+Oracles free tier anyway, it seemed like a good opportunity to learn ansible properly and
+develop with IaC scripts to setup a reverse proxy in the cloud.
+
+<Image meta={architecture} />
+
+1. Create a Wireguard keys. If the CLI is not an option [this website](https://www.wireguardconfig.com/) is cool too (keys are clientsided generated)
+2. Since I want to have dedicated monitoring for what traffic is flowing between the proxy and my server, I create a new wireguard interface in my mikrotik router. Remember to use the previously generated keypairs.
+3. Create a new peer as follows. Important is the entry to allow the IP address of the cloud wg endpoint, otherwise the cloud cant ping back home.
+<div style="max-width:600px">
+    <Image meta={peer} />
+</div>
+4. I had to adjust the firewall rules to allow communication with the tunnel network.
+5. On the proxy server we use similiar settings. Interestingly enough, the Mikrotik wg endpoint grabs the network address of the 10.222.0.0/30 network. Meaning, 10.222.0.1 is unallocated.
+
+```
+[Interface]
+PrivateKey = REDACTED
+Address = 10.222.0.2/30
+ListenPort = 23xxx
+
+[Peer]
+PublicKey = REDACTED
+AllowedIPs = 10.10.0.0/16,10.222.0.0/32
+Endpoint = alphard.abc.de:23xxx
+```
+
+6. Next, we need to create a DDNS updater to keep our A record in sync with the publicly
+   assigned IP address of the cloud provider (unless you wanna pay for a static address of
+   course). I found [this](https://hub.docker.com/r/oznu/cloudflare-ddns/) Docker
+   container to be convenient.
+7. Finally, we need to update the IP address of the peer in the Mikrotik router. For that
+   we use a Mikrotik script, which I stole from [Uli
+   Koehler](https://techoverflow.net/2021/12/29/how-to-update-wireguard-peer-endpoint-address-using-dns-on-mikrotik-routeros/). Remember to add a scheduler to the script.
+
+```
+:if ([interface wireguard peers get number=[find comment=belka] value-name=endpoint-address] != [resolve belka.abc.de]) do={
+    interface wireguard peers set number=[find comment=belka] endpoint-address=[/resolve belka.abc.de]
+}
+```

src/routes/blog/site2sitewireguard/images/_architecture.drawio

@@ -0,0 +1 @@
+<mxfile host="app.diagrams.net" modified="2022-09-27T07:11:23.142Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" etag="JhHq6ExYqPGjoCL905Eo" version="20.3.6" type="device"><diagram id="2ggv1CMDZh1z1ZRIJ1y9" name="Page-1">5VnbcpswEP0aPyaDENfHOJc2M2naaaZp+yiDDNQyooqI7X59V0Fgg7DTtDhxk4lnIh0JrThnd1nECJ/Ol+8EKdIPPKZsZFvxcoTPRraN7BDDP4WsKsS33ApIRBbrSWvgJvtFNWhptMxieteaKDlnMivaYMTznEayhREh+KI9bcpZ22pBEmoANxFhJvo1i2VaoYFrrfH3NEvS2jKy9Mic1JM1cJeSmC82IHw+wqeCc1m15stTyhR5NS/VdRdbRpuNCZrLP7ngy2VwcTsjNl4mV0dpYX2+uh4f6VXuCSv1DY9sj8F64wIaiWrUwKQLTDkYhvuSK02W97Pk9cDR3YOUJzABOcWyukyP1wu953MK4zmVCy5mjR3RNQT3VNka2D6yjuEHf2BAkbfTGsAGA4Bt0GS3NmMD++Ck0BmD8oUCI8ZLEGO8SDNJbwoSKXABcQNYKucMeqhZ6Z4KSZdbtUaNB0HoUSBSihVM0Rd42ud00NmB7i/WLoxDjaUb7ouxBokOm6RZeu1Z0NDO9QRHs//B0e4Kkv+T0B8FiZhytUqBXY5W2RrYfuVllZ85jxj7r/wsQAfnaO5WRytrCj9kM8FlNlN7OvmkNhE1UpcN0famUKXhpYCWWzURvMxjqrZpPa6D8iL94EOO6meMnXLGxcNaeDqlXhSpvUnBZ3RjJPbDiWUNo6RjtZV0sKkkwj1KIntfSnqGkosE7ZXq2KVB7PRRHdgT7HnDUO3WJZCm2rVNqt0epvdGtG8QDQkL7EHKMvmG+5ZtUttk5TynHWY1RFiW5Co9AU8U8LFiMYNS60QPzLM4VmZ6VWzr3BVyiAjAHVmQa8ji9aWyfcmCAjPXx1Cc6i4XMuUJzwk7X6MdmtZzrjgvtF4/qJQrTR4pJW+rSZeZ/LbR/q6WOnZ172ypV37orHaqoTa7Wwu4N16KiO4gQXMgiUio3EWW3y+uoIzI7L69kcGlCowIojKl4jVmK8dxXjZbhQbXhBUpEfExmUTHMX1DGasrDQ4NaUL3OTOW9Xjx1dTit9eXr7SW8r2Dq6WQ+aK/SKy9cv086cnH/mEVU8h8022qKfvt5CY/fLya8p81N4UvWU3VJdMLV1MI/xflVL3Ndj31GtPVi1dTyDGonlA2I2+umOomrL5iKnjWhNV3krU1ANDTA6AtXEynpGRyGDJdt10BubaZ/VHfuSDaG5vmaVLzWFbnstjMLgfn6uEw4njo0A46zAOowb7xXCoFciq3ft3p1gR/e5reDsVtsTW8mm7QyVvIfKI07xWbcgZPlxO66++VD2MbX33x+W8=</diagram></mxfile>