Setting up a simple VPN with WireGuard and a Raspberry Pi as the server

Since WireGuard will become part of the upcoming Linux 5.6 kernel, I decided to see how best to integrate this VPN into my LTE router/access point built on a Raspberry Pi.

Hardware

  • Raspberry Pi 3 with an LTE module and a public IP address. The VPN server will run here (referred to as edgewalker further in the text)
  • Android phone, which needs to route all of its traffic through the VPN
  • Linux laptop, which should use the VPN only to reach the internal network

Every device connected to the VPN should be able to reach every other device. For example, the phone should be able to reach the web server on the laptop if both devices are part of the VPN network. If the setup turns out to be simple enough, you could also consider connecting the desktop (via Ethernet) to the VPN.

Given that wired and wireless connections are becoming less and less secure over time (targeted attacks, the KRACK attack against WPA2 and the Dragonblood attack against WPA3), I am seriously considering using WireGuard on all of my devices, regardless of the environment they are working in.

Software installation

WireGuard provides pre-built packages for most Linux distributions, Windows and macOS. The Android and iOS apps are available in the respective app stores.

I have the latest Fedora Linux 31, and before installing I was too lazy to read the manual. I simply found the wireguard-tools package, installed it, and then could not understand why nothing worked. Further investigation showed that I did not have the wireguard-dkms package (which contains the network driver) installed, and it was not in my distribution's repository.

If I had read the instructions, I would have taken the correct steps:

$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools

I have the Raspbian Buster distribution installed on the Raspberry Pi; it already has a wireguard package, so just install it:

$ sudo apt install wireguard

On the Android phone I installed the WireGuard VPN app from the official Google app store.

Setting up the keys

WireGuard uses a simple private/public key scheme to authenticate VPN nodes. You can generate the VPN keys with the following commands:

$ wg genkey | tee wg-laptop-private.key | wg pubkey > wg-laptop-public.key
$ wg genkey | tee wg-server-private.key | wg pubkey > wg-server-public.key
$ wg genkey | tee wg-mobile-private.key | wg pubkey > wg-mobile-public.key

This gives us three key pairs (six files). We will not reference the files from the configuration, but instead copy their contents into it: each key is a single base64 line.

Creating the configuration file for the VPN server (Raspberry Pi)

The configuration is quite simple; I created the following file /etc/wireguard/wg0.conf:

[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <copy private key from wg-server-private.key>
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wwan0 -j MASQUERADE

[Peer]
# laptop
PublicKey = <copy public key from wg-laptop-public.key>
AllowedIPs = 10.200.200.2/32

[Peer]
# mobile phone
PublicKey = <copy public key from wg-mobile-public.key>
AllowedIPs = 10.200.200.3/32

A few notes:

  • In the marked places you need to insert the lines from the key files
  • My VPN uses the internal range 10.200.200.0/24
  • In the PostUp/PostDown commands I use my external network interface wwan0; yours may be different (e.g. eth0)
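On the server, the AllowedIPs of each peer is both the route to that peer and the source filter for packets arriving from it, so each peer should be pinned to its own /32 inside the tunnel subnet, as in the config above. The following checker is an added example (not part of the original post); it parses a wg-quick style config and flags peers that are granted more than one host, an address outside the subnet, or an address already assigned to another peer. The sample config and its placeholder keys are constructed here.

```python
import ipaddress

def parse_wg_conf(text):
    """Parse a wg-quick config into [(section, {key: value})]; '#' comments
    are dropped and a repeated key (e.g. AllowedIPs) is joined with commas."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, val = (s.strip() for s in line.split("=", 1))
            body = sections[-1][1]
            body[key] = body[key] + "," + val if key in body else val
    return sections

def check_server_peers(text):
    """Findings for a server config: each peer's AllowedIPs must be one host
    inside the tunnel subnet and no two peers may share an address, because
    AllowedIPs is also the source filter for packets arriving from that peer."""
    sections = parse_wg_conf(text)
    iface = next(body for name, body in sections if name == "Interface")
    subnet = ipaddress.ip_interface(iface["Address"]).network
    findings, seen = [], {}
    for name, body in sections:
        if name != "Peer":
            continue
        label = body.get("PublicKey", "?")[:12]
        for cidr in body.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.prefixlen != net.max_prefixlen or not net.subnet_of(subnet):
                findings.append(f"{label}: {net} is not a single host in {subnet}")
            elif net in seen:
                findings.append(f"{label}: {net} is already assigned to {seen[net]}")
            seen.setdefault(net, label)
    return findings

# Constructed sample with placeholder keys: the post's laptop peer plus a
# desktop peer that was wrongly granted the whole tunnel subnet.
SAMPLE_CONF = """[Interface]
Address = 10.200.200.1/24
[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER  # laptop
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = DESKTOP_PUBLIC_KEY_PLACEHOLDER  # desktop, misconfigured
AllowedIPs = 10.200.200.0/24
"""

print(check_server_peers(SAMPLE_CONF))
```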

The VPN network is brought up with the following command:

$ sudo wg-quick up wg0

One small detail: since I use dnsmasq as my DNS server, bound to the network interface br0, I also added the wg0 device to its list of allowed interfaces. In dnsmasq this is done by adding a line with the new network interface to the configuration file /etc/dnsmasq.conf, for example:

interface=br0
interface=wg0

In addition, I added an iptables rule to allow traffic to the UDP listening port (51820):

$ sudo iptables -I INPUT -p udp --dport 51820 -j ACCEPT

Now that everything is working, we can set the VPN tunnel to come up automatically:

$ sudo systemctl enable wg-quick@wg0.service

Client configuration on the laptop

Create the configuration file /etc/wireguard/wg0.conf on the laptop with a similar configuration:

[Interface]
Address = 10.200.200.2/24
PrivateKey = <copy private key from wg-laptop-private.key>

[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 10.200.200.0/24
Endpoint = edgewalker:51820

Notes:

  • Instead of edgewalker, you need to specify the public IP address or hostname of the VPN server
  • By setting AllowedIPs to 10.200.200.0/24, we use the VPN only to reach the internal network. Traffic to all other IP addresses/servers will continue to go through the "regular" open channels. The laptop will also keep using its previously configured DNS server.

For testing and autostart we use the same wg-quick and systemd commands:

$ sudo wg-quick up wg0
$ sudo systemctl enable wg-quick@wg0.service

Client setup on the Android phone

For the Android phone we create a very similar configuration file (let's call it mobile.conf):

[Interface]
Address = 10.200.200.3/24
PrivateKey = <copy private key from wg-mobile-private.key>
DNS = 10.200.200.1
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = edgewalker:51820

Unlike the laptop configuration, the phone must use the VPN server as its DNS server (the DNS line) and also send all of its traffic through the VPN tunnel (AllowedIPs = 0.0.0.0/0).

Instead of copying the file to your mobile device, you can convert it into a QR code:

$ sudo apt install qrencode
$ qrencode -t ansiutf8 < mobile.conf

The QR code is printed to the terminal as ASCII art. It can be scanned with the Android VPN app, which will automatically set up the VPN tunnel.

Conclusion

Setting up WireGuard is pure magic compared to OpenVPN.

Source: www.habr.com
