Because WireGuard
Hardware
- A Raspberry Pi 3 with an LTE module and a public IP address. The VPN server will live here (further on in the text it is called edgewalker)
- An Android phone that must use the VPN for all of its communication
- A Linux laptop that must use the VPN only for access to the internal network
Every device that connects to the VPN must be able to reach every other device. For example, the phone must be able to connect to the web server on the laptop if both devices are part of the VPN network. If the setup turns out to be simple, then connecting the desktop (via Ethernet) to the VPN is also worth considering.
Given that wired connections are becoming rarer and rarer over time (
Software installation
WireGuard provides
I have the latest Fedora Linux 31, and I was too lazy to read the manual before installing. I simply found the wireguard-tools package, installed it, and then could not understand why nothing worked. Further investigation showed that I did not have the wireguard-dkms package (which carries the network driver) installed, and it was not in my distribution's repositories at all.
Had I read the instructions, I would have taken the correct steps:
$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools
The Raspberry Pi runs the Raspbian Buster distribution, which already has a wireguard package; install it with:
$ sudo apt install wireguard
On my Android phone I installed the WireGuard app.
Generating the keys
For peer authentication, WireGuard uses a simple private/public key scheme to verify the members of the VPN. You can generate the VPN keys with the following commands:
$ wg genkey | tee wg-laptop-private.key | wg pubkey > wg-laptop-public.key
$ wg genkey | tee wg-server-private.key | wg pubkey > wg-server-public.key
$ wg genkey | tee wg-mobile-private.key | wg pubkey > wg-mobile-public.key
This gives us three key pairs (six files). We will not reference the files from the configuration; instead we copy their contents into it: each key is a single line of base64.
Creating the configuration file for the VPN server (Raspberry Pi)
The configuration is simple; I created the following file, /etc/wireguard/wg0.conf:
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <copy private key from wg-server-private.key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wwan0 -j MASQUERADE
[Peer]
# laptop
PublicKey = <copy public key from wg-laptop-public.key>
AllowedIPs = 10.200.200.2/32
[Peer]
# mobile phone
PublicKey = <copy public key from wg-mobile-public.key>
AllowedIPs = 10.200.200.3/32
A few notes:
- In the marked places you need to paste the lines from the key files
- My VPN uses the internal range 10.200.200.0/24
- The PostUp/PostDown rules masquerade VPN traffic out of the external network interface; mine is wwan0, yours may be different (for example, eth0)
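As an added example (not from the original post), the following POSIX shell script automates the two manual steps above: it generates the three key pairs with the same wg genkey | tee ... | wg pubkey pipeline and then renders the server's wg0.conf with the keys substituted, so nothing is copied by hand and a half-pasted key is rejected before wg-quick ever sees it. The output directory and the WAN interface name are parameters; the function names and the valid_key check are this example's own. When the wg tool is not installed, gen_keypair writes a random 32-byte placeholder (labelled in the code) purely so the rendering can be dry-run; that placeholder is not a usable key pair.

```shell
#!/bin/sh
# Added example (not from the original post): generate the three key pairs with
# the same "wg genkey | tee ... | wg pubkey" pipeline and render the server's
# wg0.conf from them, so no key is ever copied by hand.
# Assumptions: OUTDIR and the WAN interface name are parameters; when the wg
# tool is missing, gen_keypair writes a random 32-byte placeholder instead
# (NOT a usable Curve25519 key pair) so the rendering can still be dry-run.
set -eu
umask 077   # every key file is created owner-readable only (mode 600)

# A WireGuard key is 32 bytes in base64: exactly 43 base64 characters and "=".
valid_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# gen_keypair NAME DIR -> DIR/wg-NAME-private.key and DIR/wg-NAME-public.key
gen_keypair() {
  name=$1; dir=$2
  if command -v wg >/dev/null 2>&1; then
    wg genkey | tee "$dir/wg-$name-private.key" | wg pubkey > "$dir/wg-$name-public.key"
  else
    # placeholder for dry runs only: random bytes, not a derived key pair
    head -c 32 /dev/urandom | base64 | tr -d '\n' > "$dir/wg-$name-private.key"
    head -c 32 /dev/urandom | base64 | tr -d '\n' > "$dir/wg-$name-public.key"
  fi
}

# render_server_conf SERVER_PRIV LAPTOP_PUB MOBILE_PUB WAN_IF -> config on stdout
render_server_conf() {
  server_priv=$1; laptop_pub=$2; mobile_pub=$3; wan_if=$4
  for k in "$server_priv" "$laptop_pub" "$mobile_pub"; do
    # catches an empty file or a partially pasted key before it reaches wg-quick
    valid_key "$k" || { echo "malformed key: '$k'" >&2; return 1; }
  done
  cat <<EOF
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = $server_priv
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $wan_if -j MASQUERADE

[Peer]
# laptop
PublicKey = $laptop_pub
AllowedIPs = 10.200.200.2/32

[Peer]
# mobile phone
PublicKey = $mobile_pub
AllowedIPs = 10.200.200.3/32
EOF
}

# setup_vpn_server OUTDIR WAN_IF -> the six key files plus OUTDIR/wg0.conf
setup_vpn_server() {
  outdir=$1; wan_if=$2
  mkdir -p "$outdir"
  for n in laptop server mobile; do gen_keypair "$n" "$outdir"; done
  render_server_conf "$(cat "$outdir/wg-server-private.key")" \
                     "$(cat "$outdir/wg-laptop-public.key")" \
                     "$(cat "$outdir/wg-mobile-public.key")" \
                     "$wan_if" > "$outdir/wg0.conf"
  echo "wrote $outdir/wg0.conf"
}

# Usage: sh wg-server-setup.sh /tmp/wg wwan0   (no arguments: only define functions)
if [ $# -eq 2 ]; then setup_vpn_server "$1" "$2"; fi
```

The umask at the top matters more than it looks: the post's one-liner creates the private key files with the default umask, so on a multi-user box any local account can read them. With umask 077 both the key files and the rendered wg0.conf (which embeds the server's private key) come out mode 600.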
The VPN interface is brought up with a single command:
$ sudo wg-quick up wg0
One small detail: since I use dnsmasq as the DNS server, bound to the network interface br0, I also added the wg0 device to its list of allowed interfaces. In dnsmasq this is done by adding a line for the new network interface to the configuration file /etc/dnsmasq.conf, for example:
interface=br0
interface=wg0
In addition, I added an iptables rule to allow traffic to the UDP listening port (51820):
$ sudo iptables -I INPUT -p udp --dport 51820 -j ACCEPT
Now that everything works, we can have the VPN tunnel brought up automatically at boot:
$ sudo systemctl enable wg-quick@wg0
Client configuration on the laptop
On the laptop, create the configuration file /etc/wireguard/wg0.conf with the same structure:
[Interface]
Address = 10.200.200.2/24
PrivateKey = <copy private key from wg-laptop-private.key>
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 10.200.200.0/24
Endpoint = edgewalker:51820
Notes:
- Instead of edgewalker, you need to specify the public IP address or hostname of the VPN server
- By setting AllowedIPs to 10.200.200.0/24, we use the VPN only to reach the internal network. Traffic to all other IP addresses/servers keeps going through the "normal", open channels. The laptop also keeps using the DNS server it already had configured.
For testing and auto-start we use the same wg-quick and systemd commands:
$ sudo wg-quick up wg0
$ sudo systemctl enable wg-quick@wg0
Client setup on the Android phone
For the Android phone we create a similar configuration file (let's call it mobile.conf):
[Interface]
Address = 10.200.200.3/24
PrivateKey = <copy private key from wg-mobile-private.key>
DNS = 10.200.200.1
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = edgewalker:51820
Unlike the laptop configuration, the phone must use the VPN server as its DNS server (the DNS line) and also send all of its traffic through the VPN tunnel (AllowedIPs = 0.0.0.0/0).
Instead of copying the file to your mobile device, you can turn it into a QR code:
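The laptop and phone files above share a few invariants with the server file: the client's Address must appear as a /32 AllowedIPs entry in one of the server's [Peer] blocks, the Endpoint port must equal the server's ListenPort, and a full-tunnel client (AllowedIPs = 0.0.0.0/0) needs the DNS line, because its DNS queries travel through the tunnel too. The following shell checker, added here and not part of the original post, verifies these three points before a configuration is handed to a device. The configuration files it writes are constructed for the example with placeholder keys in angle brackets, and conf_value, conf_has, check_client and write_sample_configs are its own names.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a client wg0.conf
# against the server's wg0.conf before the file is handed to a device.
# The configuration files written by write_sample_configs are constructed for
# this example, with placeholder keys in angle brackets.
set -eu

# conf_value FILE KEY -> value of the first "KEY = value" line (trimmed)
conf_value() {
  awk -v key="$2" '
    index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# conf_has FILE KEY VALUE -> success if some "KEY = VALUE" line exists
# (AllowedIPs repeats once per [Peer] block, so a first-match lookup is not enough)
conf_has() {
  awk -v key="$2" -v want="$3" '
    index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key && v == want) found = 1
    }
    END { exit !found }' "$1"
}

# check_client SERVER_CONF CLIENT_CONF -> 0 when consistent, 1 with reasons on stderr
check_client() {
  server=$1; client=$2; rc=0
  # 1. the server must route the client's tunnel address to that peer
  addr=$(conf_value "$client" Address)    # e.g. 10.200.200.2/24
  host=${addr%/*}
  if ! conf_has "$server" AllowedIPs "$host/32"; then
    echo "$client: no [Peer] on the server with AllowedIPs = $host/32" >&2; rc=1
  fi
  # 2. the client must talk to the port the server listens on
  lport=$(conf_value "$server" ListenPort)
  endpoint=$(conf_value "$client" Endpoint)
  eport=${endpoint##*:}
  if [ "$eport" != "$lport" ]; then
    echo "$client: Endpoint port $eport differs from server ListenPort $lport" >&2; rc=1
  fi
  # 3. a full-tunnel client sends DNS through the tunnel as well, so it needs a
  #    resolver reachable inside it (the post points the phone at 10.200.200.1)
  if [ "$(conf_value "$client" AllowedIPs)" = "0.0.0.0/0" ] && [ -z "$(conf_value "$client" DNS)" ]; then
    echo "$client: AllowedIPs = 0.0.0.0/0 but no DNS line" >&2; rc=1
  fi
  return $rc
}

# write_sample_configs DIR -> server.conf, laptop.conf, mobile.conf, broken.conf
write_sample_configs() {
  cat > "$1/server.conf" <<'EOF'
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
[Peer]
PublicKey = <laptop-public-key>
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = <mobile-public-key>
AllowedIPs = 10.200.200.3/32
EOF
  cat > "$1/laptop.conf" <<'EOF'
[Interface]
Address = 10.200.200.2/24
PrivateKey = <laptop-private-key>
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.200.200.0/24
Endpoint = edgewalker:51820
EOF
  cat > "$1/mobile.conf" <<'EOF'
[Interface]
Address = 10.200.200.3/24
PrivateKey = <mobile-private-key>
DNS = 10.200.200.1
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = edgewalker:51820
EOF
  # deliberately wrong: unknown address, transposed port, full tunnel without DNS
  cat > "$1/broken.conf" <<'EOF'
[Interface]
Address = 10.200.200.4/24
PrivateKey = <mobile-private-key>
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = edgewalker:51280
EOF
}

# Usage: sh wg-check.sh /etc/wireguard/wg0.conf mobile.conf   (no arguments: only define functions)
if [ $# -eq 2 ]; then check_client "$1" "$2"; fi
```

The broken.conf case is the kind of mistake that is hard to spot by eye: the tunnel handshake simply never completes, and wg show on either side gives no hint that the port or the address is the problem.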
$ sudo apt install qrencode
$ qrencode -t ansiutf8 < mobile.conf
The QR code is printed to the console as ASCII art. It can be scanned with the Android VPN app, which then sets up the VPN tunnel automatically.
Conclusion
Setting up WireGuard is simply magic compared to OpenVPN.
Source: www.habr.com