Setting up a simple VPN with WireGuard and a Raspberry Pi as the server

Since WireGuard is becoming part of the upcoming Linux 5.6 kernel, I decided to see how best to integrate this VPN with my LTE router / access point running on a Raspberry Pi.

Hardware

  • Raspberry Pi 3 with an LTE module and a public IP address. It will host the VPN server (hereafter called edgewalker)
  • An Android phone that must use the VPN for all its communication
  • A Linux laptop that needs to use the VPN only for the internal network

Every device connected to the VPN must be able to reach every other device. For example, the phone should be able to connect to a web server on the laptop when both devices are on the VPN network. If the setup turns out simple enough, one could also think about connecting the desktop (via Ethernet) to the VPN.

Given that wired and wireless connections are not reliably secure over time (targeted attacks, the KRACK attack on WPA2 and the Dragonblood attack on WPA3), I am seriously considering using WireGuard for all my devices, regardless of the network they are on.

Installing the software

WireGuard provides pre-built packages for most Linux distributions, Windows and macOS. The Android and iOS apps are delivered through the app stores.

I have a fresh Fedora Linux 31 and was too lazy to read the manual before installing. I simply found the wireguard-tools package, installed it, and then couldn't figure out why nothing worked. Investigation showed that I had not installed the wireguard-dkms package (with the network driver), and that it is not in my distribution's repositories.

Had I read the instructions, I would have taken the right steps:

$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools

On my Raspberry Pi I run the Raspbian Buster distribution, which already has a wireguard package, so just install it:

$ sudo apt install wireguard

On the Android phone I installed the WireGuard VPN app from the official Google App Store catalog.

Generating keys

WireGuard uses a simple private/public key scheme to authenticate VPN nodes. You can easily create the VPN keys with the following commands:

$ wg genkey | tee wg-laptop-private.key |  wg pubkey > wg-laptop-public.key
$ wg genkey | tee wg-server-private.key |  wg pubkey > wg-server-public.key
$ wg genkey | tee wg-mobile-private.key |  wg pubkey > wg-mobile-public.key

This gives us three key pairs (six files). We will not refer to the files in the configs; instead we copy their contents in: each key is a single line of base64.

Creating the configuration file for the VPN server (Raspberry Pi)

The configuration is simple; I created the following file, /etc/wireguard/wg0.conf:

[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <copy private key from wg-server-private.key>
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wwan0 -j MASQUERADE

[Peer]
# laptop
PublicKey = <copy public key from wg-laptop-public.key>
AllowedIPs = 10.200.200.2/32

[Peer]
# mobile phone
PublicKey = <copy public key from wg-mobile-public.key>
AllowedIPs = 10.200.200.3/32

A few notes:

  • In the appropriate places you need to paste the lines from the key files
  • My VPN uses the internal range 10.200.200.0/24
  • For the PostUp/PostDown commands my external interface is wwan0; yours may be different (e.g. eth0)

The VPN interface is brought up with the following command:

$ sudo wg-quick up wg0

A small detail: as a DNS server I use dnsmasq bound to the br0 interface, so I also added the wg0 device to its list of allowed interfaces. In dnsmasq this is done by adding another interface line to the config file /etc/dnsmasq.conf, for example:

interface=br0
interface=wg0

I also added an iptables rule to allow traffic to the listening UDP port (51820):

$ sudo iptables -I INPUT -p udp --dport 51820 -j ACCEPT

Now that everything works, we can register the VPN tunnel to start automatically:

$ sudo systemctl enable wg-quick@wg0

Laptop client configuration

On the laptop, create the config file /etc/wireguard/wg0.conf with similar settings:

[Interface]
Address = 10.200.200.2/24
PrivateKey = <copy private key from wg-laptop-private.key>

[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 10.200.200.0/24
Endpoint = edgewalker:51820

Notes:

  • Instead of edgewalker, put the public IP address or hostname of the VPN server
  • By setting AllowedIPs to 10.200.200.0/24, we use the VPN only to reach the internal network. Traffic to all other IP addresses/servers continues to go over the regular, untunnelled channels. The DNS server already configured on the laptop is also still used.

For testing and automatic startup we use the same wg-quick and systemd commands:

$ sudo wg-quick up wg0
$ sudo systemctl enable wg-quick@wg0

Setting up the client on the Android phone

For the Android phone we create a similar config file (let's call it mobile.conf):

[Interface]
Address = 10.200.200.3/24
PrivateKey = <copy private key from wg-mobile-private.key>
DNS = 10.200.200.1

[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = edgewalker:51820

Unlike the laptop configuration, the phone should use our VPN server as its DNS server (the DNS line) and route all its traffic through the VPN tunnel (AllowedIPs = 0.0.0.0/0).

Instead of copying the file to the mobile device, you can convert it into a QR code:

$ sudo apt install qrencode
$ qrencode -t ansiutf8 < mobile.conf

The QR code is printed to the console as ASCII art. It can be scanned with the Android VPN app, which then sets up the VPN tunnel automatically.
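The server's per-peer AllowedIPs lines and the phone's DNS/full-tunnel settings above are easy to get wrong when pasting by hand. The following linter is an added example (not from the original article or the WireGuard project): it parses a wg-quick config and flags unreplaced <copy ...> key placeholders, AllowedIPs that overlap between peers (WireGuard's cryptokey routing hands a range to whichever peer claims it last, so a typo silently breaks another peer's route), and a 0.0.0.0/0 client with no DNS line. SERVER_CONF and DUMMY_KEY are constructed samples, not real keys.

```python
import base64
import ipaddress
DUMMY_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed placeholder, not a real key
SERVER_CONF = f"""[Interface]
Address = 10.200.200.1/24
PrivateKey = {DUMMY_KEY}
[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 10.200.200.3/32
"""

def parse_wg_conf(text):
    """Split a wg-quick config into the [Interface] dict and a list of [Peer] dicts."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as "# laptop"
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(current := {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return interface, peers

def valid_key(value):
    """True only for a 32-byte base64 key; an unreplaced <copy ...> placeholder fails."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def lint_wg_conf(text):
    """Return findings (empty list = pass): bad keys, overlapping AllowedIPs, full tunnel without DNS."""
    iface, peers = parse_wg_conf(text)
    findings, seen = [], []
    if not valid_key(iface.get("PrivateKey", "")):
        findings.append("Interface: PrivateKey is not a 32-byte base64 key")
    for i, peer in enumerate(peers, 1):
        if not valid_key(peer.get("PublicKey", "")):
            findings.append(f"Peer {i}: PublicKey is not a 32-byte base64 key")
        for net in (ipaddress.ip_network(a.strip()) for a in peer.get("AllowedIPs", "").split(",") if a.strip()):
            # cryptokey routing: a range claimed by two peers ends up with the later one only
            findings += [f"Peer {i}: AllowedIPs {net} overlaps peer {j} ({other})" for j, other in seen if net.overlaps(other)]
            if net.prefixlen == 0 and "DNS" not in iface:
                findings.append(f"Peer {i}: full-tunnel client (0.0.0.0/0) without a DNS line resolves names outside the VPN")
            seen.append((i, net))
    return findings
```

Run it over both /etc/wireguard/wg0.conf files and mobile.conf before bringing the interfaces up; an empty result means the copy-and-paste step did not leave a placeholder or a duplicated address behind.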

Conclusion

Setting up WireGuard is pure magic compared to OpenVPN.

source: www.habr.com
