- Simple architecture and modern cryptography: per-peer keys and AllowedIPs for routing.
- Quick installation on Linux and official apps for desktop and mobile.
- High performance compared with IPsec/OpenVPN, with roaming and low latency.

If you are looking for a VPN that is fast, secure and easy to deploy, WireGuard is the best option you can use today. With a minimal design and modern cryptography, it suits home users, professionals and corporate environments alike, on computers as well as on mobile devices and routers.
In this practical guide you will find everything from the basics to advanced configuration: installation on Linux (Ubuntu/Debian/CentOS), keys, server and client files, IP forwarding, NAT/firewall, apps for Windows/macOS/Android/iOS, split tunneling, performance, troubleshooting, and compatibility with platforms such as OPNsense, pfSense, QNAP, MikroTik or Teltonika.
What is WireGuard and why choose it?
WireGuard is an open-source protocol and software designed to create encrypted L3 tunnels over UDP. It stands out from OpenVPN and IPsec for its simplicity, performance and low latency, relying on modern algorithms such as Curve25519, ChaCha20-Poly1305, BLAKE2, SipHash24 and HKDF.
Its code base is small (around a few thousand lines), which makes auditing easier, reduces the attack surface and improves maintainability. It is also integrated into the Linux kernel, which allows high transfer rates and agile response even on modest hardware.
It is multiplatform: there are official apps for Windows, macOS, Linux, Android and iOS, plus support on router/firewall-oriented systems such as OPNsense. It is also available for environments such as FreeBSD, OpenBSD, and NAS and virtualization platforms.
How it works internally
WireGuard establishes an encrypted tunnel between peers identified by their keys. Each device generates a key pair (private/public) and shares only its public key with the other end; from then on, all traffic is encrypted and authenticated.
The AllowedIPs directive defines both the outbound routes (which traffic should go through the tunnel) and the list of valid source addresses that the remote peer will accept after successfully decrypting a packet. This approach is known as Cryptokey Routing and greatly simplifies traffic policies.
WireGuard handles roaming well: if your client's IP changes (for example, you switch from Wi-Fi to 4G/5G), the session is re-established transparently and quickly. It also supports a kill switch to block traffic outside the tunnel if the VPN goes down.
Installation on Linux: Ubuntu/Debian/CentOS
On Ubuntu, WireGuard is available in the official repository. Update the packages and then install the software to get the module and the wg and wg-quick tools.
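The following Python model is an added example, not code from the article or the WireGuard project; it simulates Cryptokey Routing for a constructed peer table (a directly attached client, a site peer fronting a LAN, and a default-route exit peer) to show both the longest-prefix choice on transmit and the source-address check on receive.

```python
import ipaddress
from typing import Optional

# Constructed peer table (not from the article) for one WireGuard node:
# a directly attached client, a site peer that also fronts a LAN, and a
# peer used as the default-route exit.
PEERS = {
    "client1":   ["10.0.0.2/32"],
    "site-b":    ["10.0.0.4/32", "192.168.1.0/24"],
    "exit-node": ["0.0.0.0/0"],
}

def _networks(peer: str):
    return [ipaddress.ip_network(n) for n in PEERS[peer]]

def outbound_peer(dst_ip: str) -> Optional[str]:
    """Transmit side of Cryptokey Routing: the destination is matched
    against every AllowedIPs entry and the longest prefix wins, which is
    how the /24 behind site-b beats the exit-node's 0.0.0.0/0. None means
    the packet is not sent into the tunnel at all (e.g. an IPv6 address
    when no IPv6 prefix is allowed)."""
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for name in PEERS:
        for net in _networks(name):
            if dst in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def accept_inbound(peer: str, inner_src_ip: str) -> bool:
    """Receive side: a packet that authenticated under this peer's session
    is delivered only if its inner source address lies inside that peer's
    AllowedIPs; otherwise it is dropped, which stops a peer from sourcing
    traffic as an address it was never assigned."""
    src = ipaddress.ip_address(inner_src_ip)
    return any(src in net for net in _networks(peer))
```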
apt update && apt upgrade -y
apt install wireguard -y
modprobe wireguard
On Debian stable you can rely on the unstable branch repository if you need to, following the recommended path and with care in production:
sudo sh -c 'echo deb https://deb.debian.org/debian/ unstable main > /etc/apt/sources.list.d/unstable.list'
sudo sh -c 'printf "Package: *\nPin: release a=unstable\nPin-Priority: 90\n" > /etc/apt/preferences.d/limit-unstable'
sudo apt update
sudo apt install wireguard
On CentOS 8.3 the flow is similar: enable the EPEL/ElRepo repos if appropriate and then install the WireGuard package and the corresponding modules.
Key generation
Each peer must have its own private/public key pair. Apply a umask to restrict permissions and generate keys for the server and the clients.
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
Repeat on each device. Never share the private key and keep both files safe. If you prefer, create files with different names, for example server-private and server-public.
Server configuration
Create the main file at /etc/wireguard/wg0.conf. Assign the VPN network (one not used on your real LAN), the UDP port, and add a [Peer] block for each authorized client.
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <clave_privada_servidor>
# Client 1
[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 10.0.0.2/32
You can also use another subnet, for example 192.168.2.0/24, and scale out with multiple peers. For quick deployment it is useful to rely on wg-quick with wgN.conf files.
Client configuration
On the client, create a file, for example wg0-client.conf, with the private key, the tunnel address, an optional DNS, and the server peer with its public endpoint and port.
[Interface]
PrivateKey = <clave_privada_cliente>
Address = 10.0.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = <clave_publica_servidor>
Endpoint = <ip_publica_servidor>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
If you set AllowedIPs = 0.0.0.0/0, all traffic goes through the VPN; if you only want to reach specific networks on the server side, limit it to the relevant subnets and you will reduce latency and data consumption.
IP forwarding and NAT on the server
Enable forwarding so clients can reach the Internet through the server. Apply the changes on the fly with sysctl.
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
sysctl -p
Configure NAT with iptables for the VPN subnet, setting the WAN interface (for example, eth0):
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
Make it persistent with the appropriate packages and save the rules so they are applied again after a reboot.
apt install -y iptables-persistent netfilter-persistent
netfilter-persistent save
Start-up and verification
Bring up the interface and enable the service so it starts with the system. This step creates the virtual interface and adds the necessary routes.
systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
wg
With wg you will see the peers, keys, transfer counters and last handshake times. If your firewall policy is restrictive, allow input on the wg0 interface and on the service's UDP port:
iptables -I INPUT 1 -i wg0 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 51820 -j ACCEPT
Official apps: Windows, macOS, Android and iOS
On desktop you can import a .conf file. On mobile devices the app lets you create the interface from a QR code containing the configuration, which is very convenient for non-technical users.
If your goal is to expose self-hosted services such as Plex/Radarr/Sonarr through your VPN, simply place their IPs in the WireGuard subnet and adjust AllowedIPs so the client reaches that network; you do not need to open additional ports to the outside if all access goes through the tunnel.
Advantages and disadvantages
WireGuard is fast and simple, but it is important to consider its limits and particularities depending on the use case. Here is a balanced overview of the most relevant ones.
| Advantages | Disadvantages |
|---|---|
| Clean, short configuration, ideal for automation | Does not include native traffic blocking |
| High performance and low latency, even on mobile | Fewer advanced options in some legacy environments |
| Modern cryptography and a small code base that simplifies auditing | Privacy: the IP/public key association can be sensitive depending on policies |
| Seamless roaming and kill switch on the clients | Third-party compatibility is not always uniform |
Split tunneling: route only what you need
Split tunneling lets you send only the traffic you need through the VPN. With AllowedIPs you decide whether to do a full redirection or a selective one to one or more subnets.
# Full Internet redirection
[Peer]
AllowedIPs = 0.0.0.0/0
# Only reach LAN resources in 192.168.1.0/24 through the VPN
[Peer]
AllowedIPs = 192.168.1.0/24
There are advanced variants such as inverse split tunneling, or filtering by URL or by application (through specific extensions/clients), although the native mechanism in WireGuard works on IPs and prefixes.
Compatibility and ecosystem
WireGuard was born for the Linux kernel, but today it is multiplatform. OPNsense integrates it natively; pfSense suspended it temporarily for review and later offered it as an optional package depending on the version.
On NAS devices such as QNAP you can run it through QVPN or virtual machines, taking advantage of 10GbE NICs for high speeds. MikroTik routers include WireGuard support since RouterOS 7.x; in its first releases it was in beta and not recommended for production, but it allows P2P tunnels between devices and even client endpoints.
Manufacturers such as Teltonika provide packages to add WireGuard to their routers; if you need equipment, you can buy it at shop.davantel.com and follow the manufacturer's instructions to install the additional packages.
Performance and latency
Thanks to its minimal design and its choice of efficient algorithms, WireGuard achieves very high throughput and low latencies, generally better than L2TP/IPsec and OpenVPN. In home tests with capable hardware, real rates are often double those of the alternatives, making it ideal for streaming, gaming or VoIP.
Corporate deployment and telework
In business, WireGuard is well suited to creating tunnels between offices, remote employee access, and secure links between the data center and the cloud (for example, for backups). Its compact configuration makes parameterization and automation easy.
It integrates with directories such as LDAP/AD through intermediate solutions and can coexist with IDS/IPS or NAC platforms. A popular option is PacketFence (open source), which lets you verify device posture before granting access and manage BYOD.
Windows/macOS: notes and tips
The official Windows app usually works without problems, but on some Windows 10 versions there have been issues when using AllowedIPs = 0.0.0.0/0 because of route conflicts. As a temporary alternative, some users have opted for WireGuard-based clients such as TunSafe or for limiting AllowedIPs to specific subnets.
Debian quick-start guide with example keys
Generate keys for the server and the client in /etc/wireguard/ and create the wg0 interface. Make sure the VPN IPs do not overlap with any IP on your network or on your clients' networks.
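Because the native mechanism is prefix-based, an inverse split tunnel ("everything except my LAN") has to be expressed as the list of prefixes that cover 0.0.0.0/0 minus the excluded networks. This Python helper is an added example, not code from the article; it computes that list with the standard ipaddress module and checks which destinations Cryptokey Routing would then send through the tunnel.

```python
import ipaddress

def allowed_ips_excluding(exclusions, base="0.0.0.0/0"):
    """Prefixes covering `base` minus every network in `exclusions`, sorted.
    The result is what goes into the client's [Peer] AllowedIPs for an
    inverse split tunnel: everything via the VPN except the listed networks."""
    nets = [ipaddress.ip_network(base)]
    for ex in exclusions:
        ex_net = ipaddress.ip_network(ex)
        remaining = []
        for net in nets:
            if ex_net.subnet_of(net):          # carve the hole out of this block
                remaining.extend(net.address_exclude(ex_net))
            elif net.subnet_of(ex_net):        # block lies entirely in the hole
                continue
            else:                              # block is untouched
                remaining.append(net)
        nets = remaining
    return [str(n) for n in sorted(nets)]

def routed_via_tunnel(ip, allowed):
    """True when Cryptokey Routing would send `ip` to the peer owning `allowed`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a) for a in allowed)

def allowed_ips_line(allowed):
    """Render the prefix list as the config directive."""
    return "AllowedIPs = " + ", ".join(allowed)
```

Excluding a single /24 from 0.0.0.0/0 yields 24 prefixes, which is why these lists get long and are better generated than typed.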
cd /etc/wireguard/
wg genkey | tee claveprivadaservidor | wg pubkey > clavepublicaservidor
wg genkey | tee claveprivadacliente1 | wg pubkey > clavepublicacliente1
Server wg0.conf with subnet 192.168.2.0/24 and port 51820. Uncomment PostUp/PostDown if you want to automate NAT with iptables when bringing the interface up or down.
[Interface]
Address = 192.168.2.1/24
PrivateKey = <clave_privada_servidor>
ListenPort = 51820
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 0.0.0.0/0
Client with address 192.168.2.2, pointing at the server's public endpoint, with an optional keepalive in case there is intermediate NAT.
[Interface]
PrivateKey = <clave_privada_cliente1>
Address = 192.168.2.2/32
[Peer]
PublicKey = <clave_publica_servidor>
AllowedIPs = 0.0.0.0/0
Endpoint = <ip_publica_servidor>:51820
#PersistentKeepalive = 25
Bring up the interface and check parameters such as MTU, routing table, fwmark and policy-routing rules. Review the output of wg-quick and the status with wg show.
MikroTik: tunnel between RouterOS 7.x devices
MikroTik has supported WireGuard since RouterOS 7.x. Create a WireGuard interface on each router and apply it; the keys are generated automatically. Assign IPs to ether2 as the WAN and to wireguard1 as the tunnel interface.
Configure the peers by crossing the server's public key on the client side and vice versa, define Allowed Address/AllowedIPs (for example 0.0.0.0/0 if you want to allow any source/destination through the tunnel) and set the remote endpoint with its port. A ping to the remote tunnel IP will confirm the handshake.
If you connect phones or computers to the MikroTik tunnel, adjust the allowed networks so you do not open more than necessary; WireGuard decides packet flow according to its Cryptokey Routing, so it is important to align sources and destinations.
Cryptography used
WireGuard uses a modern suite: Noise as the framework, Curve25519 for ECDH, ChaCha20 for authenticated symmetric encryption with Poly1305, BLAKE2 for hashing, SipHash24 for hash tables, and HKDF for key derivation. If an algorithm is deprecated, the protocol can be versioned to migrate without trouble.
Pros and cons on mobile
Using it on phones lets you browse securely on public Wi-Fi, hide your traffic from your ISP, and connect to your home network to reach a NAS, home automation or gaming. On iOS/Android, switching networks does not drop the tunnel, which improves the experience.
As downsides, you take some loss of speed and higher latency compared with a direct connection, and you depend on the server always being available. However, compared with IPsec/OpenVPN the penalty is usually smaller.
WireGuard combines simplicity, speed and real security with a gentle learning curve: install it, generate keys, define AllowedIPs, and you are ready to go. Add IP forwarding, properly implemented NAT, the official apps with QR codes, and compatibility with ecosystems such as OPNsense, MikroTik or Teltonika, and you have a modern VPN for almost any scenario, from securing public networks to linking headquarters and reaching your home services without headaches.
Editor specialized in technology and Internet topics with more than ten years of experience in various digital media. I have worked as an editor and content creator for e-commerce, communication, online marketing and advertising companies. I have also written on economics, finance and other blogs. My work is also my passion. Now, through my articles on Tecnobits, I try to explore all the news and the new opportunities that the world of technology offers us every day to improve our lives.
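Two mistakes that bite in quick starts like the one above are a tunnel subnet that overlaps the local LAN (the warning given at the start of this section) and the same AllowedIPs prefix listed under two peers, which WireGuard resolves by giving the prefix to whichever peer was set last. This checker is an added example, not code from the article; it parses a wg-quick style file (a constructed sample that deliberately contains both mistakes) and reports the findings.

```python
import ipaddress
# Constructed server config (not from the article) seeded with both mistakes.
SAMPLE_CONF = """\
[Interface]
Address = 192.168.1.1/24
ListenPort = 51820
PrivateKey = <server_private_key_placeholder>
[Peer]
PublicKey = <client1_public_key_placeholder>
AllowedIPs = 192.168.1.2/32
[Peer]
PublicKey = <client2_public_key_placeholder>
AllowedIPs = 192.168.1.2/32, 10.10.0.0/24
"""

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def parse_wg_conf(text):
    """Parse wg-quick style text into (interface dict, list of peer dicts)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line: continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}; peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return interface, peers

def check_conf(text, local_lans):
    """Return a list of findings; an empty list means nothing was flagged."""
    interface, peers = parse_wg_conf(text)
    findings = []
    for addr in _csv(interface.get("Address", "")):
        tunnel = ipaddress.ip_interface(addr).network
        for lan in local_lans:
            if tunnel.overlaps(ipaddress.ip_network(lan)):
                findings.append(f"tunnel {tunnel} overlaps local LAN {lan}")
    owner = {}  # prefix -> index of the peer that last claimed it
    for idx, peer in enumerate(peers, 1):
        for net in (ipaddress.ip_network(p) for p in _csv(peer.get("AllowedIPs", ""))):
            if net in owner:
                findings.append(f"{net} is listed for peers {owner[net]} and {idx}; WireGuard keeps only the last assignment")
            owner[net] = idx
    return findings
```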

