Since WireGuard is becoming part of the upcoming Linux 5.6 kernel, I decided to see how best to integrate this VPN into my own setup.
Equipment
- A Raspberry Pi 3 with an LTE module and a public IP. This will be the VPN server (referred to below as edgewalker)
- An Android phone, which must use the VPN for all communication
- A Linux laptop, which should use the VPN only for the internal network
Every device connected to the VPN must be able to reach every other device. For example, the phone should be able to connect to a web server on the laptop when both devices are on the VPN. If the setup turns out to be simple, I may also connect the desktop (via Ethernet) to the VPN.
Given that wired and wireless connections become less secure over time, I am seriously considering using WireGuard for all of my devices, whatever environment they operate in.
Software installation
WireGuard is available for most Linux distributions, Windows and macOS. The Android and iOS apps are delivered through the app stores.
I have the latest Fedora Linux 31, and before installing I was too lazy to read the manual. I found the wireguard-tools package, installed it, and then could not work out why nothing worked. Further investigation showed that I had not installed the wireguard-dkms package (with the network driver), and that it is not in my distribution's repository.
Had I read the instructions, I would have taken the right steps:
$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools
My Raspberry Pi runs the Raspbian Buster distribution, which already has a wireguard package, so I installed it:
$ sudo apt install wireguard
On the Android phone I installed the app from the official Google App Store catalogue.
Key setup
WireGuard uses a simple private/public key scheme to authenticate VPN peers. You can easily create the VPN keys with the following commands:
$ wg genkey | tee wg-laptop-private.key | wg pubkey > wg-laptop-public.key
$ wg genkey | tee wg-server-private.key | wg pubkey > wg-server-public.key
$ wg genkey | tee wg-mobile-private.key | wg pubkey > wg-mobile-public.key
This gives us three key pairs (six files). We will not refer to the files in the configs, but copy their contents instead: each key is a single base64 line.
Creating the configuration file for the VPN server (Raspberry Pi)
The configuration is simple. I created the following file, /etc/wireguard/wg0.conf:
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <copy private key from wg-server-private.key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wwan0 -j MASQUERADE
[Peer]
# laptop
PublicKey = <copy public key from wg-laptop-public.key>
AllowedIPs = 10.200.200.2/32
[Peer]
# mobile phone
PublicKey = <copy public key from wg-mobile-public.key>
AllowedIPs = 10.200.200.3/32
A couple of notes:
- In the appropriate places you need to insert the lines from the key files
- My VPN uses the internal range 10.200.200.0/24
- For the PostUp/PostDown commands, my external network interface is wwan0; yours may be different (for example, eth0)
The VPN network is easily brought up with the following command:
$ sudo wg-quick up wg0
A small detail: as the DNS server I use dnsmasq bound to the network interface br0, and I also added the wg0 device to the list of allowed devices. In dnsmasq this is done by adding a new line with the network interface to the configuration file /etc/dnsmasq.conf, for example:
interface=br0
interface=wg0
I also added an iptables rule to allow traffic to the listening UDP port (51820):
$ sudo iptables -I INPUT -p udp --dport 51820 -j ACCEPT
Now that everything works, we can register the VPN tunnel to start automatically:
$ sudo systemctl enable wg-quick@wg0.service
Laptop client configuration
On the laptop, create the configuration file /etc/wireguard/wg0.conf with similar settings:
[Interface]
Address = 10.200.200.2/24
PrivateKey = <copy private key from wg-laptop-private.key>
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 10.200.200.0/24
Endpoint = edgewalker:51820
Notes:
- Instead of edgewalker, you need to specify the public IP or the host name of the VPN server
- By setting AllowedIPs to 10.200.200.0/24, we use the VPN only to access the internal network. Traffic to all other IP addresses/servers will continue to go through the ordinary open channels. The DNS server already configured on the laptop will also be used.
For testing and automatic startup we use the same wg-quick and systemd commands:
$ sudo wg-quick up wg0
$ sudo systemctl enable wg-quick@wg0.service
Setting up the client on the Android phone
For the Android phone we create a very similar configuration file (let's call it mobile.conf):
[Interface]
Address = 10.200.200.3/24
PrivateKey = <copy private key from wg-mobile-private.key>
DNS = 10.200.200.1
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = edgewalker:51820
Unlike the laptop configuration, the phone should use our VPN server as its DNS server (the DNS line) and also pass all traffic through the VPN tunnel (AllowedIPs = 0.0.0.0/0).
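The AllowedIPs relationships between the three configs above can be checked mechanically. The following is an added example, not code from the original article: a small Python audit whose function names and sample strings are constructed for illustration. It assumes an address can be routed to only one peer on the server, and it matches a client to the server by address only, not by key.

```python
import ipaddress

def parse_wg(text):
    # configparser cannot parse this: [Peer] sections legitimately repeat.
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            peers.append(cur := {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            cur[key.strip()] = value.strip()
    return iface, peers

def nets(peer):
    items = peer.get("AllowedIPs", "").split(",")
    return [ipaddress.ip_network(v.strip(), strict=False) for v in items if v.strip()]

def audit_server(text):  # each peer should own a distinct slice of the VPN subnet
    iface, peers = parse_wg(text)
    vpn = ipaddress.ip_interface(iface["Address"]).network
    findings, seen = [], []
    for i, peer in enumerate(peers, 1):
        for net in nets(peer):
            if net.version != vpn.version or not net.subnet_of(vpn):
                findings.append(f"peer {i}: {net} is outside {vpn}")
            findings += [f"peer {i}: {net} overlaps peer {j}"
                         for j, other in seen if j != i and net.overlaps(other)]
            seen.append((i, net))
    return findings

def audit_client(text, server_text):  # returns (tunnel mode, findings)
    iface, peers = parse_wg(text)
    addr = ipaddress.ip_interface(iface["Address"]).ip
    permitted = any(addr in n for p in parse_wg(server_text)[1] for n in nets(p))
    full = any(n.prefixlen == 0 for p in peers for n in nets(p))
    findings = []
    if not permitted:
        findings.append(f"{addr} is in no server-side AllowedIPs; the server drops its packets")
    if full and "DNS" not in iface:
        findings.append("full tunnel without DNS: lookups can still use the old resolver")
    return ("full-tunnel" if full else "split-tunnel"), findings

# Constructed sample input modelled on the configs above; keys are omitted.
SERVER = "[Interface]\nAddress = 10.200.200.1/24\n[Peer]\nAllowedIPs = 10.200.200.2/32\n[Peer]\nAllowedIPs = 10.200.200.3/32\n"
LAPTOP = "[Interface]\nAddress = 10.200.200.2/24\n[Peer]\nAllowedIPs = 10.200.200.0/24\n"
MOBILE = "[Interface]\nAddress = 10.200.200.3/24\nDNS = 10.200.200.1\n[Peer]\nAllowedIPs = 0.0.0.0/0\n"
```

Calling audit_server(SERVER) returns an empty list for the layout above, and audit_client reports the laptop as split-tunnel and the phone as full-tunnel.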
Instead of copying the file to the mobile device, you can convert it to a QR code:
$ sudo apt install qrencode
$ qrencode -t ansiutf8 < mobile.conf
The QR code is printed to the console as ASCII. It can be scanned from the Android VPN app, which then sets up the VPN tunnel automatically.
Conclusion
Setting up WireGuard is simply magic compared to OpenVPN.
source: www.habr.com
