A simple VPN setup with WireGuard and a Raspberry Pi as the server

Since WireGuard will become part of the upcoming Linux kernel 5.6, I decided to see how best to integrate this VPN into my Raspberry Pi LTE router/access point.

Hardware

  • Raspberry Pi 3 with an LTE module and a public IP address. The VPN server will live here (below in the text it is called edgewalker)
  • An Android phone that must use the VPN for all of its traffic
  • A Linux laptop that should use the VPN only for the internal network

Every device connected to the VPN must be able to reach all the other devices. For example, the phone should be able to reach the web server on the laptop when both devices are part of the VPN network. If the setup turns out to be simple, you might also consider connecting the desktop to the VPN (via Ethernet).

Considering that wired and wireless connections are becoming less and less trustworthy over time (targeted attacks, the KRACK attack on WPA2 and the Dragonblood attack on WPA3), I am seriously considering using WireGuard on all my devices, regardless of the environment they are in.

Installing the software

WireGuard provides pre-built packages for most Linux distributions, Windows and macOS. The Android and iOS apps are delivered through the app stores.

I have the latest Fedora Linux 31, and I was too lazy to read the manual before installing. I just found the wireguard-tools package, installed it, and then could not figure out why nothing worked. Further investigation showed that I did not have the wireguard-dkms package (which contains the network driver) installed, and it was not in my distribution's repository.

Had I read the instructions, I would have taken the correct steps:

$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools

I have the Raspbian Buster distribution installed on the Raspberry Pi; a wireguard package already exists there, so install it:

$ sudo apt install wireguard

On my Android phone I installed the WireGuard VPN app from the official Google app store.

Generating the keys

For peer authentication, WireGuard uses a simple private/public key scheme. You can easily create the VPN keys with the following commands:

$ wg genkey | tee wg-laptop-private.key |  wg pubkey > wg-laptop-public.key
$ wg genkey | tee wg-server-private.key |  wg pubkey > wg-server-public.key
$ wg genkey | tee wg-mobile-private.key |  wg pubkey > wg-mobile-public.key

This gives us three key pairs (six files). We will not reference the files in the configuration but copy their contents into it: each key is a single line in base64.

Creating the configuration file on the VPN server (Raspberry Pi)

The configuration is simple; I created the following file /etc/wireguard/wg0.conf:

[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <copy private key from wg-server-private.key>
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wwan0 -j MASQUERADE

[Peer]
# laptop
PublicKey = <copy public key from wg-laptop-public.key>
AllowedIPs = 10.200.200.2/32

[Peer]
# mobile phone
PublicKey = <copy public key from wg-mobile-public.key>
AllowedIPs = 10.200.200.3/32

A few notes:

  • In the appropriate places you need to paste the lines from the key files
  • My VPN uses the internal range 10.200.200.0/24
  • In the PostUp/PostDown commands my external network interface is wwan0; you may have a different one (for example, eth0)

The VPN network is brought up with the following command:

$ sudo wg-quick up wg0

One small detail: since the DNS server I use is dnsmasq bound to the network interface br0, I also added the wg0 device to its list of allowed interfaces. In dnsmasq this is done by adding a line for the new network interface to the configuration file /etc/dnsmasq.conf, for example:

interface=br0
interface=wg0

In addition, I added an iptables rule to allow traffic to the UDP listening port (51820):

$ sudo iptables -I INPUT -p udp --dport 51820 -j ACCEPT

Now that everything works, we can make the VPN tunnel open automatically:

$ sudo systemctl enable wg-quick@wg0

Client configuration on the laptop

Create the configuration file /etc/wireguard/wg0.conf on the laptop with a similar setup:

[Interface]
Address = 10.200.200.2/24
PrivateKey = <copy private key from wg-laptop-private.key>

[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 10.200.200.0/24
Endpoint = edgewalker:51820

Notes:

  • Instead of edgewalker you need to specify the public IP or hostname of the VPN server
  • By setting AllowedIPs to 10.200.200.0/24, we use the VPN only to reach the internal network. Traffic to all other IP addresses/servers will continue to go through the "normal" open channels. The laptop will also keep using the DNS server that was already configured on it.

For testing and autostart we use the same wg-quick and systemd commands:

$ sudo wg-quick up wg0
$ sudo systemctl enable wg-quick@wg0

Setting up the client on the Android phone

For the Android phone we create a similar configuration file (let's call it mobile.conf):

[Interface]
Address = 10.200.200.3/24
PrivateKey = <copy private key from wg-mobile-private.key>
DNS = 10.200.200.1
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = edgewalker:51820

Unlike the laptop configuration, the phone must use the VPN server as its DNS server (the DNS line) and also send all of its traffic through the VPN tunnel (AllowedIPs = 0.0.0.0/0).

Instead of copying the file to your mobile device, you can convert it into a QR code:
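The checks from the notes above (keys actually pasted in, the AllowedIPs ranges of the server and client configs, and the DNS line for the full-tunnel phone) can be automated. This is an added Python example, not code from the original article: it parses a wg-quick style config (the repeated [Peer] sections rule out the standard configparser) and reports keys that are not 32-byte base64, malformed or overlapping AllowedIPs, and a peer that routes all traffic while the interface sets no DNS. The wgcheck.py file name is an assumption.

```python
import base64
import ipaddress

def parse_wg_conf(text):
    """Return ([Interface] dict, list of [Peer] dicts); [Peer] repeats, so no configparser."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    return interface, peers

def key_ok(b64key):
    """A WireGuard key is a 32-byte Curve25519 key, base64 encoded (44 characters)."""
    try:
        return len(base64.b64decode(b64key, validate=True)) == 32
    except ValueError:  # not base64 at all, e.g. a <copy ...> placeholder left in the file
        return False

def check_wg_conf(text):
    """Return the problems found; an empty list means the config passes."""
    iface, peers = parse_wg_conf(text)
    problems, claimed = [], []
    if not key_ok(iface.get("PrivateKey", "")):
        problems.append("Interface: PrivateKey is not a 32-byte base64 key")
    for n, peer in enumerate(peers, 1):
        if not key_ok(peer.get("PublicKey", "")):
            problems.append(f"Peer {n}: PublicKey is not a 32-byte base64 key")
        for cidr in peer.get("AllowedIPs", "").split(","):
            try:
                net = ipaddress.ip_network(cidr.strip(), strict=False)
            except ValueError:
                problems.append(f"Peer {n}: bad AllowedIPs entry {cidr.strip()!r}")
                continue
            if any(net.overlaps(o) for o in claimed):  # only one peer can own an address
                problems.append(f"Peer {n}: AllowedIPs {net} overlaps another peer")
            claimed.append(net)
            if net.prefixlen == 0 and "DNS" not in iface:  # full tunnel, DNS still leaks out
                problems.append(f"Peer {n}: routes all traffic but sets no DNS")
    return problems

if __name__ == "__main__":  # usage: python wgcheck.py /etc/wireguard/wg0.conf
    import sys
    print("\n".join(check_wg_conf(open(sys.argv[1]).read())) or "config passes")
```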

$ sudo apt install qrencode
$ qrencode -t ansiutf8 < mobile.conf

The QR code will be printed to the console as ASCII. It can be scanned with the Android VPN app, which will set up the VPN tunnel automatically.

Conclusion

Setting up WireGuard is simply magic compared to OpenVPN.

Source: www.habr.com
