Since WireGuard
Devices
- A Raspberry Pi 3 with an LTE module and a public IP address. This will be the VPN server (referred to below in the text as edgewalker)
- An Android phone that must use the VPN for all communication
- A Linux laptop that should use the VPN only inside the network
All devices that connect to the VPN must be able to connect to every other device. For example, the phone must be able to connect to a web server on the laptop if both devices are part of the VPN network. If the setup turns out to be simple enough, you could also think about connecting a desktop to the VPN (via Ethernet).
Given that wired and wireless connections are becoming less and less secure over time (
Software installation
WireGuard provides
I have the latest Fedora Linux 31, and I was too lazy to read the manual before installing. I just found the wireguard-tools packages, installed them, and then could not understand why nothing worked. Further investigation showed that I did not have the wireguard-dkms package (with the network driver) installed, and it was not in my distribution's repository.
If I had read the instructions, I would have taken the correct steps:
$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools
I have the Raspbian Buster distribution installed on my Raspberry Pi. It already has a wireguard package, so install it:
$ sudo apt install wireguard
On my Android phone I installed the app
Setting up keys
WireGuard uses a simple private/public key scheme to authenticate VPN peers. You can easily generate the VPN keys with the following commands:
$ wg genkey | tee wg-laptop-private.key | wg pubkey > wg-laptop-public.key
$ wg genkey | tee wg-server-private.key | wg pubkey > wg-server-public.key
$ wg genkey | tee wg-mobile-private.key | wg pubkey > wg-mobile-public.key
This gives us three key pairs (six files). We will not reference the files in the configs but copy their contents there: each key is a single line in base64.
Creating the configuration file for the VPN server (Raspberry Pi)
The configuration is quite simple. I created the following file /etc/wireguard/wg0.conf:
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <copy private key from wg-server-private.key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wwan0 -j MASQUERADE
[Peer]
# laptop
PublicKey = <copy public key from wg-laptop-public.key>
AllowedIPs = 10.200.200.2/32
[Peer]
# mobile phone
PublicKey = <copy public key from wg-mobile-public.key>
AllowedIPs = 10.200.200.3/32
A few notes:
- In the appropriate places you need to insert the lines from the key files
- My VPN uses the internal range 10.200.200.0/24
- In the PostUp/PostDown commands I have the external network interface wwan0; yours may be different (for example, eth0)
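A pre-flight check for the server file above, as an added example that is not part of the original article; the function name lint_server_conf, the finding labels and the dummy keys in the sample are assumptions made for illustration. On the server, each peer's AllowedIPs entry is the set of source addresses accepted from that peer's key, so the check flags entries wider than /32 or listed twice, along with leftover placeholders and a config file readable by other users.

```sh
#!/bin/sh
# Added example (not from the original article): lint a WireGuard *server*
# config. Prints one finding per line, returns non-zero if any were found.
lint_server_conf() {
    findings=$(
        # 1. The file holds the server private key: owner-only access.
        mode=$(ls -ld "$1" | cut -c5-10)      # group+other permission bits
        [ "$mode" = "------" ] || echo "perms: $1 is accessible to group/other"
        awk '
            # Drop comments and whitespace so "Key = value" parses uniformly.
            { sub(/#.*/, ""); gsub(/[ \t]/, "") }
            /^\[Peer\]/ { peer++; next }
            # 2. A template placeholder was never replaced by a real key.
            /^(PrivateKey|PublicKey)=</ { print "key: placeholder on line " NR }
            # 3. Each peer should own a single-host /32 that no other peer has.
            peer && /^AllowedIPs=/ {
                sub(/^AllowedIPs=/, "")
                n = split($0, ips, ",")
                for (i = 1; i <= n; i++) {
                    if (ips[i] !~ /\/32$/)
                        print "allowedips: peer " peer " has wide range " ips[i]
                    if (seen[ips[i]]++)
                        print "allowedips: " ips[i] " given to more than one peer"
                }
            }
        ' "$1"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample with deliberate mistakes (keys are dummy values).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
Address = 10.200.200.1/24
PrivateKey = <copy private key from wg-server-private.key>
[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 10.200.200.2/32, 10.200.200.0/24
EOF
chmod 644 "$sample"
lint_server_conf "$sample" || echo "fix the findings above before wg-quick up"
rm -f "$sample"
```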
The VPN network is brought up with the following command:
$ sudo wg-quick up wg0
One small detail: as the DNS server I used dnsmasq bound to the network interface br0, so I also added the wg0 device to the list of allowed devices. In dnsmasq this is done by adding a line for the new network interface to the configuration file /etc/dnsmasq.conf, for example:
interface=br0
interface=wg0
In addition, I added an iptables rule to allow traffic to the listening UDP port (51820):
$ sudo iptables -I INPUT -p udp --dport 51820 -j ACCEPT
Now that everything works, we can set up automatic start of the VPN tunnel:
$ sudo systemctl enable wg-quick@wg0.service
Client configuration on the laptop
Create a configuration file /etc/wireguard/wg0.conf on the laptop with similar settings:
[Interface]
Address = 10.200.200.2/24
PrivateKey = <copy private key from wg-laptop-private.key>
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 10.200.200.0/24
Endpoint = edgewalker:51820
Notes:
- Instead of edgewalker you need to specify the public IP or host name of the VPN server
- By setting AllowedIPs to 10.200.200.0/24, we use the VPN only to reach the internal network. Traffic to all other IP addresses/servers will continue to go through the "normal" open channels. The laptop will also keep using the DNS server that is already configured on it.
For testing and automatic start we use the same wg-quick and systemd commands:
$ sudo wg-quick up wg0
$ sudo systemctl enable wg-quick@wg0.service
Setting up the client on the Android phone
On the Android phone we create a very similar configuration file (let's call it mobile.conf):
[Interface]
Address = 10.200.200.3/24
PrivateKey = <copy private key from wg-mobile-private.key>
DNS = 10.200.200.1
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = edgewalker:51820
Unlike the laptop configuration, the phone must use our VPN server as its DNS server (the DNS line) and pass all traffic through the VPN tunnel (AllowedIPs = 0.0.0.0/0).
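The difference between the laptop's AllowedIPs = 10.200.200.0/24 and the phone's AllowedIPs = 0.0.0.0/0, as an added example that is not part of the original article. The helper names and the 192.0.2.10 test destination are assumptions; the script only models IPv4 prefix matching and does not touch any interface.

```sh
#!/bin/sh
# Added example (not from the original article): which destinations a client
# sends into the tunnel for a given AllowedIPs value (IPv4 only).

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer
ip4_to_int() (
    IFS=.
    set -- $1                       # split the dotted quad into $1..$4
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NET/LEN -> succeeds if IP lies inside the prefix
in_cidr() {
    host_bits=$(( 32 - ${2#*/} ))   # bits that do not belong to the prefix
    [ $(( $(ip4_to_int "$1") >> $host_bits )) -eq \
      $(( $(ip4_to_int "${2%/*}") >> $host_bits )) ]
}

# path_for DST ALLOWED_IPS -> prints "tunnel" if any listed prefix covers DST
path_for() {
    for cidr in $(printf '%s' "$2" | tr ',' ' '); do
        in_cidr "$1" "$cidr" && { echo tunnel; return 0; }
    done
    echo direct
}

LAPTOP_ALLOWED="10.200.200.0/24"    # from the laptop wg0.conf
PHONE_ALLOWED="0.0.0.0/0"           # from mobile.conf

# 192.0.2.10 is a constructed stand-in for any host on the public internet.
for dst in 10.200.200.1 10.200.200.3 192.0.2.10; do
    echo "laptop -> $dst: $(path_for "$dst" "$LAPTOP_ALLOWED")"
    echo "phone  -> $dst: $(path_for "$dst" "$PHONE_ALLOWED")"
done
```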
Instead of copying the file to your mobile device, you can convert it to a QR code:
$ sudo apt install qrencode
$ qrencode -t ansiutf8 < mobile.conf
The QR code is printed to the console as ASCII. It can be scanned in the Android VPN app, which will set up the VPN tunnel automatically.
Conclusion
Setting up WireGuard is simply magical compared to OpenVPN.
Source: www.habr.com