Ua maʻalahi ʻo WireGuard: hana i kāu VPN ponoʻī i 15 mau minuke

Ke ʻimi nei ʻoe i kahi VPN wikiwiki, palekana, a ʻaʻole e hoʻonāukiuki iā ʻoe me nā hoʻonohonoho pau ʻole? ʻO WireGuard ʻO ia kekahi o nā koho maikaʻi loa. Hoʻokumu mua kēia protocol hou i ka maʻalahi a me ka cryptography kiʻekiʻe, e maʻalahi i ka poʻe e hoʻonohonoho i kahi tunnel paʻa.

Ma waho aʻe o ka pale ʻana iā ʻoe ma nā pūnaewele lehulehu a hiki iā ʻoe ke komo i kou home a i ʻole ka ʻoihana pūnaewele, Kōkua ka VPN i ka pale ʻana i nā geo-blocks a me ka censorshipMe WireGuard, hiki mai kēlā pilikino a me ka hana me kahi kaʻina hana hoʻonohonoho maʻalahi, ma nā kamepiula a me nā polokalamu kelepona.

ʻO WireGuard ma kahi pōkole

ʻO WireGuard kahi vpn lako polokalamu ʻO ke kumu hāmama e pili ana i ka papa 3 (L3) kēlā Hoʻohana ia i ka UDP wale nō a me ka cryptography hou ma ke ʻano maʻamau.ʻO kāna pono nui he hoʻolālā minimalist me nā laina liʻiliʻi o ke code, e hoʻomaʻamaʻa i nā loiloi, hoʻemi i ka ʻili hoʻouka, a hoʻomaikaʻi i ka hana.

ʻAʻole like me nā mea VPN ʻē aʻe e hāʻawi nei, ma aneʻi ʻaʻole ʻoe e koho i ka nui o nā algorithms a i ʻole nā ​​​​pae; Ua wehewehe ʻo WireGuard i kahi "puke" cryptographic koʻikoʻi.Inā hoʻopau ʻia kahi algorithm, hoʻokuʻu ʻia kahi mana hou a kūkākūkā nā mea kūʻai / server i ka hoʻonui ʻana me ka maopopo.

Ke hana mau nei kēia protocol ma ke ʻano tunnel, a Kākoʻo ia iā IPv4 a me IPv6 (e hoʻopili ana i kekahi i loko o kekahi inā pono)No ka hoʻohana ʻana, pono ʻoe e wehe i kahi awa UDP (hiki ke hoʻonohonoho ʻia) ma kāu kelepona i kāu kikowaena.

Hoʻohui a me ke kākoʻo

I ka honua o nā pā ahi, Hoʻohui ʻo OPNsense i ka WireGuard i loko o ka kernel e hoonui i ka mama. Ua loaʻa i ka pfSense kona mau piʻi a me lalo: ua ʻike ʻia ma ka mana 2.5.0, ua wehe ʻia ma 2.5.1 ma muli o nā ʻike palekana, a I kēia lā hiki ke hoʻokomo ʻia ma ke ʻano he pūʻolo mālama ʻia mai ka ʻaoʻao pūnaewele.

 

Hoʻohana ʻia ka cryptography

Ke hilinaʻi nei ʻo WireGuard i kahi pūʻulu o nā algorithms hou a loiloi loa: Noise Protocol Framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash a me HKDFHoʻohana ka hoʻopunipuni ʻikepili i ka ChaCha20-Poly1305 (AEAD), me ka hoʻololi ʻana o ECDH ma Curve25519 a me ke kiʻi derivation me HKDF.

Hōʻalo kēia ala i ka hui ʻana i nā suites ʻokoʻa a me hōʻemi i nā hewa hoʻonohonohoHe mea maʻalahi hoʻi ia i ka hoʻoponopono pilikia, no ka mea, ʻōlelo nā node a pau i ka ʻōlelo cryptographic hoʻokahi.

Ka hana a me ka lōʻihi

ʻAe ka hoʻokō minimalist a me ka hoʻohui haʻahaʻa haʻahaʻa nā wikiwiki kiʻekiʻe a me nā latencies haʻahaʻa loaI nā hoʻohālikelike honua maoli e kūʻē iā L2TP/IPsec a me OpenVPN, ʻo WireGuard maʻamau e puka mai ma luna, pinepine pālua i ka throughput ma ka lako like.

Ma nā pūnaewele paʻa ʻole a paʻa paha, He wikiwiki ka hoʻihoʻi ʻana o ke kau A ʻaʻole ʻike ʻia ka hoʻohui hou ʻana ma hope o ka hoʻololi ʻana o ka pūnaewele (roaming). Ma nā polokalamu me nā kumuwaiwai liʻiliʻi (nā alahele, nā mea IoT), ʻo kāna hoʻohana haʻahaʻa haʻahaʻa e hoʻololi i nā ʻokoʻa āpau, mālama i ka CPU a me ka mana pākaukau.

Hoʻokomo wikiwiki ma Linux

I nā hoʻolaha hou, ua loaʻa ʻo WireGuard i nā hale waihona paʻa. Ma Debian/Ubuntu, e hoʻokomo wale iā ia. hoʻohou a hoʻokomo i ka pūʻolo kūheluI nā mea ʻē aʻe, pono ʻoe e hoʻohui i nā waihona a i ʻole e hoʻāla i ka module kernel.

sudo apt update && sudo apt upgrade -y
sudo apt install wireguard -y
sudo modprobe wireguard

Inā ʻoe e hoʻohana i kahi lālā i loaʻa ʻole i ka "stable", hiki iā ʻoe ke huli i nā waihona "unstable/testing" ma lalo o ka mana mua, ʻoiai. ʻO ke kūpono, pono ʻoe e huki iā ia mai ka waihona paʻa. o kāu distro ke loaʻa.

Hanau kī

Pono kēlā me kēia mea hana (server a me ka mea kūʻai aku) i kāna mau kī ponoʻī. Paʻa ka lumi pilikino. a kaʻana like i ka lehulehu me ka hoa.

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Hiki iā ʻoe ke hana hou i ke kaʻina hana no kēlā me kēia mea kūʻai aku a mālama i ka inoa. pale i ka huikau ma waena o nā hoa ke ulu nei kāu hoʻolaha.

Hoʻonohonoho kikowaena

ʻO ka faila maʻamau /etc/wireguard/wg0.confMa kēia ʻāpana, wehewehe ʻoe i ka helu IP VPN, kī pilikino, a me ke awa UDP. Ma kēlā me kēia ʻāpana, hoʻohui ʻoe i kahi mea kūʻai aku, e ʻae ana i kāna kī ākea a me nā helu IP ʻae ʻia.

Address = 192.168.2.1/24
ListenPort = 51820
PrivateKey = <clave_privada_servidor>
# Ejemplo de NAT automátizado con PostUp/PostDown, si lo necesitas
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE


PublicKey = <clave_publica_cliente1>
AllowedIPs = 192.168.2.2/32

# Añade más peers según necesites
#
#PublicKey = <clave_publica_cliente2>
#AllowedIPs = 192.168.2.3/32

Inā makemake ʻoe e ʻae i ka IP mea kūʻai aku a mālama i nā ala kaʻawale, hiki iā ʻoe ke hoʻohana ʻAe ʻia nā IP = 0.0.0.0/0 Ma nā kaiapuni peer, akā i nā kaiapuni i hoʻomalu ʻia ʻoi aku ka maikaʻi o ka hāʻawi ʻana i /32 i kēlā me kēia mea kūʻai aku no ka traceability.

Nā hoʻonohonoho a nā mea kūʻai

La ʻāpana Lawe ia i ke kī pilikino a me kāna IP i ka VPN; ke kī lehulehu o ke kikowaena, kona wahi hope, a me ke kulekele hoʻokele.

PrivateKey = <clave_privada_cliente>
Address = 192.168.2.2/32
DNS = 1.1.1.1


PublicKey = <clave_publica_servidor>
Endpoint = <IP_publica_servidor>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

El HoʻomauKeepalive (25) Kōkua kēia inā aia ka mea kūʻai ma hope o NAT/firewalls e ālai ana i nā palapala ʻāina ʻole. Hōʻike ʻo AllowedIPs inā ʻoe e hele i nā kaʻa āpau ma o ka VPN (0.0.0.0/0) a i ʻole nā ​​subnet kikoʻī wale nō.

NAT, hoʻouna a me ka pā ahi

No ka ʻae ʻana i nā mea kūʻai aku e komo i ka pūnaewele ma o ke kikowaena, pono ʻoe hiki ke hoʻouna IP a hoʻopili iā NAT ma ka WAN interface.

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

sudo iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

Inā kaohi kāu kulekele pā ahi, hiki i ke kaʻa ma ka wg0 interface a wehe i ke awa UDP i koho ʻia ma ka pā ahi/NAT router.

sudo iptables -I INPUT 1 -i wg0 -j ACCEPT

No ka lawe ʻana i ka interface a hiki i ka lawelawe ma ka hoʻomaka: wg-wikiwiki a me systemd Waiho lākou iā ʻoe ma ka autopilot.

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Roaming, Kill-Switch a me ka mobility

Hoʻolālā ʻia ʻo WireGuard no ka hoʻohana kelepona ʻana i kēlā me kēia lā: Inā hoʻololi ʻoe mai Wi-Fi a i 4G/5G, hoʻokumu hou ʻia ka tunnel i kahi uila.ʻAʻole ʻoe e ʻike i nā pilikia koʻikoʻi ke hoʻololi i nā pūnaewele.

Eia hou, hiki iā ʻoe ke hoʻohana i ka a hoʻololi pepehi (e pili ana i ka paepae a i ʻole ka app) no laila, inā e iho ka VPN, hoʻopaʻa ka ʻōnaehana i ke kaʻa a hiki i ka hoʻihoʻi ʻia ʻana, e pale ana i nā leaks ulia.

Māhele-tunneling

Hiki iā ʻoe ke hoʻoholo i ka tunnel māhele He aha ka huakaʻi hele ma o ka VPN a he aha ka hele pololei i waho?Maikaʻi no ka mālama ʻana i ka latency haʻahaʻa i loko pāʻani a kelepona wikiō ʻoiai ke komo ʻana i nā kumuwaiwai kūloko ma o ka tunnel.

ʻElua laʻana hoʻonohonoho maʻamau ma ka mea kūʻai aku, me ka hoʻohana ʻana i ke kuhikuhi AllowedIPs:

# Redirección total por la VPN

PublicKey = <clave_publica_servidor>
AllowedIPs = 0.0.0.0/0
Endpoint = <IP_publica_servidor>:51820

# Solo la LAN remota (por ejemplo, 192.168.1.0/24) a través de la VPN

PublicKey = <clave_publica_servidor>
AllowedIPs = 192.168.1.0/24
Endpoint = <IP_publica_servidor>:51820

Hoʻemi kēia i ka hopena i ka wikiwiki / latency a Hoʻonui ʻoe i ka ʻike no ka mea e pono ai ke pale aku.

Nā pōmaikaʻi a me nā pōʻino o WireGuard

• I KA ALOHA: ka wikiwiki, ka haʻahaʻa haʻahaʻa, ka maʻalahi, ka cryptography hou, ka hoʻemi ʻana i ka waiwai, a me kahi codebase liʻiliʻi e hoʻomaʻamaʻa i nā loiloi.
• KUE: ʻO ke kākoʻo ʻana i kekahi mau ʻōnaehana kaiaola hoʻoilina ʻoi aku ka liʻiliʻi ma mua o IPsec/OpenVPN, ʻoi aku ka palena o nā hiʻohiʻona kiʻekiʻe (nā palapala a me nā ʻōiwi maoli), a me nā noʻonoʻo pilikino no ka mea pili nā kī lehulehu me nā IP tunnel kūloko.

Kākoʻo no nā pā ahi, NAS a me QNAP

I loko o nā ʻano mea hana pā ahi, Hoʻohui ʻo OPNsense iā WireGuard me ka wikiwiki o ka kernel. Ma pfSense, ke kali nei i ka hoʻohui paʻa, hiki iā ʻoe ke hoʻokomo i ka pōʻai a mālama pono iā ia mai ka GUI.

Ma QNAP NAS, ma o QVPN 2, Hiki iā ʻoe ke hoʻonohonoho i nā kikowaena L2TP/IPsec, OpenVPN, a me WireGuard.... a hiki i ka virtualize Debian inā makemake ʻoe e hoʻololi iā OpenVPN me AES-GCM a i ʻole ana me iperf3. I nā hoʻāʻo ʻana me nā lako ikaika (e like me QNAP me Ryzen 7 a me 10GbE) a me kahi mea kūʻai aku 10GbE, Ua pāpālua ʻo WireGuard i ka hana kū'ē iā L2TP/IPsec a i ʻole OpenVPN ma kahi kaiapuni like.

ʻO WireGuard ma ke kelepona: nā ikaika a me nā nāwaliwali

Ma IOS a me Android, maʻalahi ka hoʻololi ʻana ma waena o nā pūnaewele me ka maʻalahi. ʻO kahi pōmaikaʻi nui: Huli palekana ma ka Wi-Fi lehulehu mai nā hōkele a i ʻole nā ​​mokulele a hūnā i kāu huakaʻi mai kāu ISP. Eia kekahi, inā hoʻonohonoho ʻoe i kāu kikowaena ponoʻī, hiki iā ʻoe ke komo i kou home a i ʻole ʻoihana me he mea lā aia ʻoe ma laila.

ʻO ka mea pili pono Hoʻohui ʻia kekahi latency a hāʻule iki ka wikiwikiʻoi aku inā hoʻohuli hou ʻoe i nā kaʻa a pau. Eia nō naʻe, ʻo WireGuard kekahi o nā protocols maikaʻi loa i ka pākaukau a me ka hana. E nānā pū i nā ʻōlelo paipai no Android inā kelepona kāu hihia.

E hoʻouka a hoʻohana ma nā kahua ʻē aʻe

Ma macOS, Windows, Android, a me iOS, loaʻa iā ʻoe nā polokalamu mana; ʻO nā mea a pau āu e hana ai e hoʻokomo i ka faila .conf a i ʻole ka scan QR code hana ʻia mai kāu mana hoʻonohonoho. Ua like like ke kaʻina hana me Linux.

Inā ʻoe e hoʻonohonoho iā VPS, e hoʻomanaʻo i nā hana maikaʻi: hōʻano hou i ka ʻōnaehana, hoʻā i ka pā ahiE kaupalena i ka awa WireGuard UDP i ʻae ʻia nā IP inā hiki a hoʻololi i nā kī ke koi ʻia e kāu kulekele.

Ka hōʻoia a me ka hōʻoia

No ka hōʻoia i ka pololei o nā mea a pau, hilinaʻi wg a me wg-wikiwikiE ʻike ʻoe i nā lulu lima, nā byte i hoʻoili ʻia, a me nā manawa mai ka hoʻololi hope ʻana.

wg
wg show

Inā ʻaʻohe pilina, e nānā: nā ala ʻōnaehana, NAT, wehe i ke awa UDP ma ke alalai a ua pololei ka Endpoint a me nā kī no kēlā me kēia hoa. ʻO ka ping i ka IP address o ka server ma ka VPN ka mea maʻamau ka hoʻāʻo pono mua.

Me kahi ala maʻalahi, cryptography hou, a me ka hana ʻike ʻia, Ua loaʻa iā WireGuard kona wahi e like me ka VPN makemake No nā mea hoʻohana home a me nā ʻoihana. Maikaʻi ka hoʻonohonoho ʻana, maʻalahi ka hoʻokele ʻana, a ʻo kona ʻano o ka hoʻohana ʻana (kahi mamao, kahua-i-site, ka neʻe paʻa ʻana, a i ʻole ka hoʻokaʻawale-tunneling) kūpono i kēlā me kēia hiʻohiʻona. Hoʻohui i nā hana palekana maikaʻi, kahi pā ahi i hoʻopaʻa ʻia, a me ka nānā ʻana, a e loaʻa iā ʻoe kahi tunnel wikiwiki, paʻa, a paʻakikī loa e wāwahi.