About WireGuard
Hardware
- Raspberry Pi 3 with an LTE module and a public IP address. The VPN server will run here (this is the host referred to as the server in the rest of the text)
- An Android phone that should use the VPN for all of its traffic
- A Linux laptop that should use the VPN only for traffic inside the VPN network
Every device connected to the VPN should be able to reach every other device. For example, the phone should be able to connect to a web server running on the laptop when both devices are part of the VPN network. If this setup seems too simple, you can also think about connecting the desktop to the VPN (via Ethernet).
Assume that wired and wireless connections are becoming less and less trustworthy over time (
Installing the software
Installing WireGuard
I run a fairly recent Fedora Linux 31, and I was too lazy to read the manual before installing. I simply found the wireguard-tools package, installed it, and then could not work out why nothing worked. Some digging showed that the wireguard-dkms package (which carries the network driver) was not installed, and it is not in my distribution's repositories.
Had I read the instructions, I would have done the right steps straight away:
$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools
My Raspberry Pi runs Raspbian Buster, which already ships a wireguard package; install it:
$ sudo apt install wireguard
On the Android phone I installed the WireGuard app.
Generating keys
For peer authentication WireGuard uses a simple private/public key scheme: every peer has its own key pair, and peers recognise each other by their public keys. The keys are easy to generate with this command:
$ wg genkey | tee wg-laptop-private.key | wg pubkey > wg-laptop-public.key
$ wg genkey | tee wg-server-private.key | wg pubkey > wg-server-public.key
$ wg genkey | tee wg-mobile-private.key | wg pubkey > wg-mobile-public.key
This gives three key pairs (six files). We will not reference the files from the configs; instead we copy their contents in, since each key is a single base64 line. Note that tee creates the private-key files with your default umask (usually 0644, readable by every local user), so run the commands under umask 077 or chmod 600 the private keys afterwards.
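As an added example, not code from the original article, here is a small shell script that performs the key generation above with the file permissions a practitioner would want and checks what it produced. It assumes wireguard-tools (the wg command) is installed, and the wg-keys/ directory and function names are assumptions of this example; the keys used in the comments are constructed placeholders, not real keys.

```shell
#!/bin/sh
# wg-keys.sh: generate WireGuard key pairs with strict file permissions and
# sanity-check the results. Added example; assumes wireguard-tools (`wg`) is on
# the PATH. KEYDIR is an assumption of this example, not something wg needs.
set -eu

KEYDIR="${KEYDIR:-./wg-keys}"

# A WireGuard key is 32 random bytes. Base64 turns that into 42 full characters,
# one character carrying the last 4 bits (so its low 2 bits are zero, which
# limits it to AEIMQUYcgkosw048) and a single '=' pad: always 44 characters.
# Reject anything else (truncated copy-paste, trailing garbage, an empty file).
check_key() {
    k="$1"
    [ "${#k}" -eq 44 ] || return 1
    printf '%s' "$k" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Read a key file, strip the line ending (CRLF included), validate it.
read_key() {
    k="$(tr -d '\n\r' < "$1")"
    check_key "$k" || { echo "bad key in $1" >&2; return 1; }
    printf '%s' "$k"
}

# Generate one pair. umask 077 makes the private key 0600 from the moment the
# file is created; with the default umask `tee` would leave it world-readable.
gen_pair() {
    name="$1"
    mkdir -p "$KEYDIR"
    ( umask 077
      wg genkey | tee "$KEYDIR/wg-$name-private.key" \
                | wg pubkey > "$KEYDIR/wg-$name-public.key" )
}

# Confirm the public key on disk really derives from the private key beside it
# (catches a pair whose files were mixed up while copying between hosts).
check_pair() {
    name="$1"
    priv="$(read_key "$KEYDIR/wg-$name-private.key")"
    pub="$(read_key "$KEYDIR/wg-$name-public.key")"
    [ "$(printf '%s\n' "$priv" | wg pubkey)" = "$pub" ]
}

# Usage: ./wg-keys.sh laptop server mobile
# Prints each peer's public key, which is what goes into the other side's config.
if [ "$#" -gt 0 ]; then
    for n in "$@"; do
        gen_pair "$n"
        check_pair "$n"
        printf '%-8s %s\n' "$n" "$(read_key "$KEYDIR/wg-$n-public.key")"
    done
fi
```

Only the public keys are ever printed; the private keys stay in their 0600 files and are pasted into the configs by hand.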
Creating the config file for the VPN server (Raspberry Pi)
The configuration is very simple. I created the file /etc/wireguard/wg0.conf:
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <copy private key from wg-server-private.key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wwan0 -j MASQUERADE
[Peer]
# laptop
PublicKey = <copy public key from wg-laptop-public.key>
AllowedIPs = 10.200.200.2/32
[Peer]
# mobile phone
PublicKey = <copy public key from wg-mobile-public.key>
AllowedIPs = 10.200.200.3/32
A few notes:
- In the marked places you need to paste the lines from the key files
- My VPN uses the internal subnet 10.200.200.0/24
- In the PostUp/PostDown rules my outbound interface is wwan0; yours may well differ (for example eth0)
- Forwarding packets between wg0 and the outbound interface also requires net.ipv4.ip_forward = 1 in the kernel (set it in /etc/sysctl.conf or /etc/sysctl.d); the MASQUERADE rule alone does nothing without it. If your FORWARD chain policy is DROP rather than the Raspbian default ACCEPT, reply traffic also needs a rule for the reverse direction (-o %i with state RELATED,ESTABLISHED)
- The file contains the server's private key, so keep it readable by root only (chmod 600); wg-quick warns when it is not
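Before bringing the interface up, the three things that most often go wrong with this server config can be checked mechanically: the config being readable by other users, ip_forward being off (so the NAT rules do nothing), and two [Peer] sections claiming the same AllowedIPs prefix, which on the server acts as the routing table and silently sends that prefix to whichever peer was added last. The script below is an added example, not part of the original article; the function names are its own, the sysctl path is a parameter so it can be tested against a file, and the config snippets used for testing are constructed.

```shell
#!/bin/sh
# wg-server-check.sh: pre-flight checks for a WireGuard server config before
# `wg-quick up wg0`. Added example; function names are assumptions.
set -eu

# 1. The config holds the private key: nobody but the owner may read it.
conf_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -004 -o -perm -040 \) -print)" ]
}

# 2. PostUp adds FORWARD/MASQUERADE rules, but the kernel only forwards packets
#    between wg0 and wwan0 when net.ipv4.ip_forward=1. The path is a parameter
#    so the check can run against a file other than /proc.
ip_forward_enabled() {
    [ "$(tr -d ' \n' < "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# 3. Every AllowedIPs entry from the [Peer] sections, one prefix per line.
#    Handles "AllowedIPs = a/32, b/24" lists and stray whitespace.
peer_allowed_ips() {
    awk -F'=' '
        /^\[/ { section = $1 }
        section == "[Peer]" && $1 ~ /^[ \t]*AllowedIPs[ \t]*$/ {
            n = split($2, parts, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", parts[i]); print parts[i] }
        }' "$1"
}

# 4. On the server AllowedIPs is the routing table: a prefix listed under two
#    peers is routed to whichever peer was added last, breaking the other one.
allowed_ips_unique() {
    dups="$(peer_allowed_ips "$1" | sort | uniq -d)"
    [ -z "$dups" ] || { printf 'duplicate AllowedIPs:\n%s\n' "$dups" >&2; return 1; }
}

# Run all checks and report; non-zero exit if any failed.
preflight() {
    conf="$1"; sysctl="${2:-/proc/sys/net/ipv4/ip_forward}"; rc=0
    conf_is_private "$conf"      && echo "ok   $conf is owner-only"   || { echo "FAIL $conf readable by group/others"; rc=1; }
    ip_forward_enabled "$sysctl" && echo "ok   ip_forward=1"          || { echo "FAIL net.ipv4.ip_forward is not 1"; rc=1; }
    allowed_ips_unique "$conf"   && echo "ok   AllowedIPs are unique" || { echo "FAIL overlapping AllowedIPs between peers"; rc=1; }
    return $rc
}

# Usage: sudo ./wg-server-check.sh /etc/wireguard/wg0.conf
[ "$#" -eq 0 ] || preflight "$@"
```

Run it as root (the config is unreadable otherwise) right before wg-quick up; the same AllowedIPs check is worth re-running every time a peer is added.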
The VPN link is then brought up with this command:
$ sudo wg-quick up wg0
One small note: since I use dnsmasq as the DNS server, bound to the bridge interface br0, I also added the wg0 device to its list of allowed interfaces. In dnsmasq this is done by adding another interface line to /etc/dnsmasq.conf, for example:
interface=br0
interface=wg0
In addition, I added an iptables rule allowing traffic to the UDP listen port (51820):
$ sudo iptables -I INPUT -p udp --dport 51820 -j ACCEPT
A rule added this way is gone after a reboot; either persist it (the iptables-persistent package on Raspbian) or put it into the PostUp/PostDown lines next to the forwarding rules.
Now that everything works, we can enable automatic start of the VPN tunnel:
$ sudo systemctl enable wg-quick@wg0
Client setup on the laptop
Create the config file /etc/wireguard/wg0.conf on the laptop with the following content:
[Interface]
Address = 10.200.200.2/24
PrivateKey = <copy private key from wg-laptop-private.key>
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 10.200.200.0/24
Endpoint = edgewalker:51820
Notes:
- Instead of edgewalker, put the public IP address or hostname of the VPN server
- By setting AllowedIPs to 10.200.200.0/24 we use the VPN only for reaching the internal network. Traffic to every other IP address or service keeps going the "usual" open way. The DNS server configured on the laptop is also still used.
For testing and automatic start we use the same wg-quick and systemd commands:
$ sudo wg-quick up wg0
$ sudo systemctl enable wg-quick@wg0
Setting up the client on the Android phone
For the Android phone we create a similar config file (let's call it mobile.conf):
[Interface]
Address = 10.200.200.3/24
PrivateKey = <copy private key from wg-mobile-private.key>
DNS = 10.200.200.1
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = edgewalker:51820
Unlike the laptop setup, the phone should use our VPN server as its DNS server (the DNS line) and send all of its traffic through the VPN tunnel (AllowedIPs = 0.0.0.0/0). Because the phone sits behind the carrier's NAT, add PersistentKeepalive = 25 to its [Peer] section if the server (or the laptop) needs to reach the phone while it is idle; WireGuard sends nothing on its own, so the NAT mapping otherwise expires.
Instead of copying the file to the phone, you can turn it into a QR code:
$ sudo apt install qrencode
$ qrencode -t ansiutf8 < mobile.conf
The QR code is drawn in the terminal with text-mode block characters. Scan it from the Android WireGuard app and the VPN tunnel is set up automatically. Both mobile.conf and the QR code contain the phone's private key, so delete the file and clear the terminal scrollback once the tunnel has been imported.
Conclusions
Setting up WireGuard really is simple compared to OpenVPN.
source: www.habr.com