Why WireGuard
Equipment
- A Raspberry Pi 3 with an LTE module and a public IP address. The VPN server will run here (referred to below as edgewalker)
- An Android phone that must use the VPN for all communication
- A Linux laptop that must use the VPN only for the internal network
Every device that connects to the VPN must be able to reach every other device. For example, the phone must be able to connect to a web server on the laptop if both devices are part of the VPN network. If the setup turns out to be simple enough, you can think about connecting the desktop to the VPN as well (over Ethernet).
Given that wired and wireless connections are becoming less and less secure over time (
Software installation
WireGuard provides
I have the latest Fedora Linux 31, and I was too lazy to read the manual before installing. I just found the wireguard-tools packages, installed them, and then could not figure out why nothing worked. Further investigation showed that I did not have the wireguard-dkms package (with the network driver) installed, and it was not in my distribution's repository.
Had I read the instructions, I would have taken the right steps:
$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools
I have the Raspbian Buster distribution installed on my Raspberry Pi; it already has a wireguard package, so install it:
$ sudo apt install wireguard
On my Android phone I installed the app
Key setup
To authenticate peers, WireGuard uses a simple private/public key scheme. You can easily create the VPN keys with the following commands:
$ wg genkey | tee wg-laptop-private.key | wg pubkey > wg-laptop-public.key
$ wg genkey | tee wg-server-private.key | wg pubkey > wg-server-public.key
$ wg genkey | tee wg-mobile-private.key | wg pubkey > wg-mobile-public.key
This gives us three key pairs (six files). We will not reference the files in the configuration; instead, copy their contents into it: each key is a single base64 line.
Creating the configuration file for the VPN server (Raspberry Pi)
The configuration is simple; I created the following file, /etc/wireguard/wg0.conf:
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <copy private key from wg-server-private.key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wwan0 -j MASQUERADE
[Peer]
# laptop
PublicKey = <copy public key from wg-laptop-public.key>
AllowedIPs = 10.200.200.2/32
[Peer]
# mobile phone
PublicKey = <copy public key from wg-mobile-public.key>
AllowedIPs = 10.200.200.3/32
A few notes:
- In the appropriate places you need to insert the lines from the key files
- My VPN uses the internal range 10.200.200.0/24
- For the PostUp/PostDown commands, my external network interface is wwan0; yours may be different (for example, eth0)
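A pre-flight check for the server file above, as an added example that is not part of the original article. The checks in audit() are assumptions chosen for this topology (a single IPv4 Address, one address per peer): it flags key placeholders that were never replaced, peer AllowedIPs outside the VPN range, and two peers claiming the same address.

```python
import ipaddress

# Server config from this page as sample input (keys are still placeholders).
SERVER_CONF = """\
[Interface]
Address = 10.200.200.1/24
PrivateKey = <copy private key from wg-server-private.key>
[Peer]
# laptop
PublicKey = <copy public key from wg-laptop-public.key>
AllowedIPs = 10.200.200.2/32
[Peer]
PublicKey = <copy public key from wg-mobile-public.key>
AllowedIPs = 10.200.200.3/32
"""

def parse_conf(text):
    """Split wg-quick syntax into [(section, {key: value})]; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 padding stays in the value
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit(text):
    """Hypothetical checks for the server side of this page's topology."""
    findings, seen = [], []
    sections = parse_conf(text)
    subnet = ipaddress.ip_interface(dict(sections)["Interface"]["Address"]).network
    for name, kv in sections:
        for key in ("PrivateKey", "PublicKey"):
            if kv.get(key, "").startswith("<"):
                findings.append(f"{name}.{key}: placeholder not replaced")
        cidrs = kv.get("AllowedIPs", "") if name == "Peer" else ""
        for cidr in filter(None, map(str.strip, cidrs.split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != subnet.version or not net.subnet_of(subnet):
                findings.append(f"AllowedIPs {net} is outside {subnet}")
            if any(net.overlaps(other) for other in seen):
                findings.append(f"AllowedIPs {net} overlaps another peer")
            seen.append(net)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SERVER_CONF)))
```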
The VPN network is brought up with the following command:
$ sudo wg-quick up wg0
One small detail: as the DNS server I was using dnsmasq bound to the network interface br0, so I also added the wg0 device to the list of allowed devices. In dnsmasq this is done by adding a new interface line to the configuration file /etc/dnsmasq.conf, for example:
interface=br0
interface=wg0
In addition, I added an iptables rule to allow traffic to the UDP listening port (51820):
$ sudo iptables -I INPUT -p udp --dport 51820 -j ACCEPT
Now that everything works, we can set up automatic start of the VPN tunnel:
$ sudo systemctl enable wg-quick@wg0.service
Client configuration on the laptop
Create a configuration file on the laptop, /etc/wireguard/wg0.conf, with similar settings:
[Interface]
Address = 10.200.200.2/24
PrivateKey = <copy private key from wg-laptop-private.key>
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 10.200.200.0/24
Endpoint = edgewalker:51820
Notes:
- Instead of edgewalker you need to specify the public IP address or host name of the VPN server
- By setting AllowedIPs to 10.200.200.0/24, we use the VPN only to reach the internal network. Traffic to all other IP addresses/servers will continue to go through the "normal" open channels. The laptop will also keep using its previously configured DNS server.
To test and to start automatically we use the same wg-quick and systemd commands:
$ sudo wg-quick up wg0
$ sudo systemctl enable wg-quick@wg0.service
Setting up the client on the Android phone
On the Android phone we create a very similar configuration file (let's call it mobile.conf):
[Interface]
Address = 10.200.200.3/24
PrivateKey = <copy private key from wg-mobile-private.key>
DNS = 10.200.200.1
[Peer]
PublicKey = <copy public key from wg-server-public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = edgewalker:51820
Unlike the laptop configuration, the phone must use our VPN server as its DNS server (the DNS line), and must also send all traffic through the VPN tunnel (AllowedIPs = 0.0.0.0/0).
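How the AllowedIPs values in the three configs on this page decide what enters the tunnel, as an added example that is not part of the original article. It is a simplified model of WireGuard's cryptokey routing: outbound, the longest matching AllowedIPs prefix selects the peer; inbound, a packet is kept only if its inner source address is in the sending peer's AllowedIPs. The function names are hypothetical and 192.0.2.10 is a constructed sample address.

```python
import ipaddress

# AllowedIPs values taken from the three configs on this page.
LAPTOP_PEERS = {"server": ["10.200.200.0/24"]}
MOBILE_PEERS = {"server": ["0.0.0.0/0"]}
SERVER_PEERS = {"laptop": ["10.200.200.2/32"], "mobile": ["10.200.200.3/32"]}


def route_outbound(peers, dst):
    """Return the peer a packet to dst is encrypted for, or None when the
    packet stays outside the tunnel. The longest matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, cidrs in peers.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def accept_inbound(peers, sender, src):
    """A decrypted packet from `sender` is kept only if its inner source
    address falls inside that peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(c) for c in peers.get(sender, []))


if __name__ == "__main__":
    # 10.200.200.3 is the phone; 192.0.2.10 stands in for an Internet host.
    for dst in ("10.200.200.3", "192.0.2.10"):
        print(dst, "| laptop ->", route_outbound(LAPTOP_PEERS, dst),
              "| mobile ->", route_outbound(MOBILE_PEERS, dst))
    # The server drops a packet from the phone that claims the laptop's address.
    print("mobile sending as 10.200.200.2 accepted:",
          accept_inbound(SERVER_PEERS, "mobile", "10.200.200.2"))
```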
Instead of copying the file to your mobile device, you can convert it to a QR code:
$ sudo apt install qrencode
$ qrencode -t ansiutf8 < mobile.conf
The QR code is printed to the console as ASCII. It can be scanned in the Android VPN app and will set up the VPN tunnel automatically.
Conclusion
Setting up WireGuard is magic compared to OpenVPN.
Source: www.habr.com