2. Phases
Phase Overview
| Phase | Name | Outcome |
|---|---|---|
| 1 | Plan VPN addressing | WG subnet and per-host IPs defined |
| 2 | Install and configure WireGuard | wg0 configured on each host |
| 3 | Establish peer connectivity | Hosts can reach each other over WG |
| 4 | Enforce WG-only ingress | Public/LAN ingress blocked; WG ingress allowed |
| 5 | Operational validation | Documented checks pass |
Phase 1: Plan VPN Addressing
Tasks
| Task | Description | Outcome |
|---|---|---|
| 1.1 | Select WG subnet | Private (RFC 1918) subnet assigned (e.g., 10.50.0.0/24) |
| 1.2 | Assign WG IPs | Each host has a unique WG IP |
| 1.3 | Select endpoints | Each host endpoint IP recorded |
Test
| Verification | Method | Expected Result |
|---|---|---|
| Address plan exists | Review plan | Unique WG IPs and endpoints defined |
Iterate
| Checkpoint | Proceed If | Rollback If |
|---|---|---|
| All addresses unique | No conflicts | Duplicate WG IPs found |
Rollback
| Step | Action |
|---|---|
| 1.R1 | Reassign conflicting WG IPs |
Phase 2: Install and Configure WireGuard
Tasks
| Task | Description | Outcome |
|---|---|---|
| 2.1 | Install WireGuard packages | WireGuard present on each host |
| 2.2 | Generate keys | Public/private keys stored on each host |
| 2.3 | Create wg0 configs | Each host has wg0 configuration |
Test
| Verification | Method | Expected Result |
|---|---|---|
| Config files present | File check | wg0 config exists on all hosts |
Iterate
| Checkpoint | Proceed If | Rollback If |
|---|---|---|
| Keys and configs valid | Peer entries complete | Missing keys or peer entries |
Rollback
| Step | Action |
|---|---|
| 2.R1 | Regenerate keys |
| 2.R2 | Rebuild wg0 configs |
Phase 3: Establish Peer Connectivity
Tasks
| Task | Description | Outcome |
|---|---|---|
| 3.1 | Bring up wg0 | WireGuard interface is active |
| 3.2 | Verify peer handshake | Peers show recent handshake |
| 3.3 | Verify WG routing | Traffic routes via wg0 |
Test
| Verification | Method | Expected Result |
|---|---|---|
| Peer handshake | WG status check | Recent handshake timestamps |
| WG reachability | ICMP over WG | Peers reachable via WG IP |
Iterate
| Checkpoint | Proceed If | Rollback If |
|---|---|---|
| WG connectivity stable | No packet loss | Handshake absent or unstable |
Rollback
| Step | Action |
|---|---|
| 3.R1 | Recheck endpoints and firewall |
| 3.R2 | Restart wg0 on affected hosts |
Phase 4: Enforce WG-Only Ingress
Tasks
| Task | Description | Outcome |
|---|---|---|
| 4.1 | Set UFW defaults | Default deny inbound, allow outbound |
| 4.2 | Allow WG interface | WG ingress permitted |
| 4.3 | Restrict public/LAN ingress | Public/LAN ingress blocked except required ports |
Test
| Verification | Method | Expected Result |
|---|---|---|
| WG ingress allowed | Firewall policy review | wg0 ingress allowed |
| Public ingress blocked | External check | Service ports not reachable on public/LAN |
Iterate
| Checkpoint | Proceed If | Rollback If |
|---|---|---|
| WG-only behavior | WG reachable; public blocked | Public access still possible |
Rollback
| Step | Action |
|---|---|
| 4.R1 | Revert firewall rules |
| 4.R2 | Re-apply ruleset with corrections |
Phase 5: Operational Validation
Tasks
| Task | Description | Outcome |
|---|---|---|
| 5.1 | Validate encryption | WG traffic shows active handshakes |
| 5.2 | Validate service reachability | WG peers can access services |
| 5.3 | Validate public isolation | Public/LAN cannot access services |
Test
| Verification | Method | Expected Result |
|---|---|---|
| WG encryption | WG status review | Active handshakes and data transfer |
| Service access | Reachability checks | Services reachable via WG IP |
| Public isolation | Public access checks | Services not reachable on public/LAN |
Iterate
| Checkpoint | Proceed If | Rollback If |
|---|---|---|
| All validations pass | Stable and consistent | Any failed validation |
Rollback
| Step | Action |
|---|---|
| 5.R1 | Re-run phases 3–4 checks |
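The handshake and WG-only-ingress checks in Phases 3 to 5 are described above as manual steps. The POSIX shell helper below is an added example, not tooling from RFC-WG-0001, that runs those checks over the output of `wg show wg0 latest-handshakes` and `ufw status verbose`. It assumes the interface name wg0 and UFW from the phases above, and a WireGuard listen port of 51820, which the RFC does not state (override with `WG_PORT`); the sample output at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Offline checks for Phases 3-5 of RFC-WG-0001 (added example, not the RFC's own tooling).
# Assumptions: interface wg0, UFW, WireGuard listen port 51820 (override with WG_PORT).
STALE_AFTER=${STALE_AFTER:-180}   # WireGuard re-handshakes about every 2 min while traffic flows
WG_PORT=${WG_PORT:-51820}

# check_handshakes NOW < "pubkey<TAB>epoch" lines, i.e. the output of
# `wg show wg0 latest-handshakes`. Fails if any peer never handshook (epoch 0)
# or its last handshake is older than STALE_AFTER seconds (Phase 3.2 / 5.1).
check_handshakes() {
    now=$1; rc=0; tab=$(printf '\t')
    while IFS=$tab read -r pubkey epoch; do
        [ -n "$pubkey" ] || continue
        if [ "$epoch" -eq 0 ] || [ $((now - epoch)) -gt "$STALE_AFTER" ]; then
            echo "STALE peer $pubkey (last handshake epoch $epoch)" >&2; rc=1
        fi
    done
    return $rc
}

# check_ufw < output of `ufw status verbose`. Passes only if the default inbound
# policy is deny, wg0 has an ALLOW IN rule, and no other ALLOW IN rule exists
# apart from the WireGuard listen port itself (Phase 4 "WG-only ingress").
check_ufw() {
    rc=0; default_ok=0; wg_ok=0
    while IFS= read -r line; do
        case "$line" in
            "Default: deny (incoming), allow (outgoing)"*) default_ok=1 ;;
            *" on wg0 "*"ALLOW IN"*) wg_ok=1 ;;
            "$WG_PORT/udp"*"ALLOW IN"*) ;;
            *"ALLOW IN"*) echo "UNEXPECTED public/LAN ingress rule: $line" >&2; rc=1 ;;
        esac
    done
    [ "$default_ok" -eq 1 ] || { echo "default inbound policy is not deny" >&2; rc=1; }
    [ "$wg_ok" -eq 1 ] || { echo "no ALLOW IN rule on wg0" >&2; rc=1; }
    return $rc
}

# Constructed sample output; on a real host pipe the live commands instead:
#   wg show wg0 latest-handshakes | check_handshakes "$(date +%s)"   and   ufw status verbose | check_ufw
NOW=1700000000
if printf 'peerA=\t%s\npeerB=\t%s\n' $((NOW - 30)) $((NOW - 90)) | check_handshakes "$NOW"; then
    echo "handshakes: PASS"; else echo "handshakes: FAIL"; fi
UFW_SAMPLE='Default: deny (incoming), allow (outgoing), disabled (routed)
Anywhere on wg0            ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere'   # deliberate Phase 4 violation: SSH open on public/LAN
if printf '%s\n' "$UFW_SAMPLE" | check_ufw; then
    echo "ufw: PASS"; else echo "ufw: FAIL (22/tcp reachable from public/LAN)"; fi
```

Run it with `sh check-wg.sh`; the handshake sample passes and the UFW sample fails on the 22/tcp rule, which is the 4.R1/4.R2 rollback trigger.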
End of Phases — RFC-WG-0001