- Simple design and modern cryptography: per-peer keys and AllowedIPs for routing.
- Quick installation on Linux and official apps for desktop and mobile.
- Better performance than IPsec/OpenVPN, with roaming and low latency.

If you are looking for a VPN that is fast, secure and easy to deploy, WireGuard is one of the best options you can use today. With a minimal design and modern cryptography, it suits home users, businesses and enterprise environments, on desktops as well as in mobile apps and on routers.

In this practical guide you will find everything from the fundamentals to advanced configuration: installation on Linux (Ubuntu/Debian/CentOS), keys, server and client files, IP forwarding, NAT/firewall, the apps for Windows/macOS/Android/iOS, split tunneling, performance, troubleshooting, and integration with platforms such as OPNsense, pfSense, QNAP, MikroTik or Teltonika.
What is WireGuard and why choose it?

WireGuard is an open-source VPN protocol and software designed to build an encrypted L3 tunnel over UDP. It stands out against OpenVPN or IPsec for its simplicity, performance and low latency, relying on modern algorithms such as Curve25519, ChaCha20-Poly1305, BLAKE2, SipHash24 and HKDF.

Its code base is very small (around a few thousand lines), which simplifies audits, reduces the attack surface and makes maintenance easier. It is also integrated into the Linux kernel, which allows high throughput and responsive behaviour even on modest hardware.

It is multi-platform: there are official apps for Windows, macOS, Linux, Android and iOS, plus support in router/firewall systems such as OPNsense. It is also available for environments such as FreeBSD and OpenBSD, and on NAS and virtualization platforms.
How it works internally

WireGuard establishes an encrypted tunnel between peers that are identified by their keys. Each device generates a key pair (private/public) and shares only its public key with the other end; from then on, all traffic is encrypted and authenticated.

The AllowedIPs directive defines outbound routing (which traffic is sent through the tunnel to that peer) and the list of valid source addresses accepted from the remote peer once a packet has been decrypted. This mechanism is known as Cryptokey Routing and greatly simplifies traffic policy.

WireGuard handles roaming very well: if your client's IP changes (for example, you switch from Wi-Fi to 4G/5G), the session is re-established transparently and very quickly. It also supports a kill switch that blocks traffic outside the tunnel if the VPN goes down.
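To make the Cryptokey Routing rule above concrete, here is an added simulation (not part of the original guide or of WireGuard itself) of the two checks the kernel performs: longest-prefix selection of the peer for an outbound packet, and source validation of a decrypted inbound packet. The peer table is constructed and uses placeholder public keys.

```python
import ipaddress

# Constructed server-side peer table: public key (placeholder) -> AllowedIPs.
PEERS = {
    "<clave_publica_cliente1>": ["10.0.0.2/32"],
    "<clave_publica_cliente2>": ["10.0.0.3/32", "192.168.1.0/24"],
}


def _table(peers):
    """Flatten the peer table into (network, public_key) pairs."""
    return [(ipaddress.ip_network(p), key)
            for key, nets in peers.items() for p in nets]


def select_peer(dst_ip, peers=PEERS):
    """Outbound: the peer whose AllowedIPs most specifically covers dst_ip.

    Returns None when no peer matches, i.e. the packet is not tunneled at all.
    As in a routing table, the longest matching prefix wins, which is why a
    client with AllowedIPs = 0.0.0.0/0 still routes LAN prefixes to a more
    specific peer if one exists.
    """
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net, key) for net, key in _table(peers) if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def accept_inbound(peer_key, src_ip, peers=PEERS):
    """Inbound: a packet that decrypted under peer_key's session is delivered
    only if its inner source IP lies inside that peer's AllowedIPs; otherwise
    it is dropped, so one peer cannot spoof another peer's address."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in peers.get(peer_key, []))
```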
Installation on Linux: Ubuntu/Debian/CentOS

On Ubuntu, WireGuard is available in the official repositories. Update the packages and then install the software to get the kernel module and the wg and wg-quick tools.

```shell
apt update && apt upgrade -y
apt install wireguard -y
modprobe wireguard
```
On Debian stable you can pull the package from the unstable repository if you need to, pinning it as shown so that the rest of the system stays on stable:

```shell
sudo sh -c 'echo deb https://deb.debian.org/debian/ unstable main > /etc/apt/sources.list.d/unstable.list'
sudo sh -c 'printf "Package: *\nPin: release a=unstable\nPin-Priority: 90\n" > /etc/apt/preferences.d/limit-unstable'
sudo apt update
sudo apt install wireguard
```
On CentOS 8.3 the flow is similar: enable the EPEL/ELRepo repositories if required and then install the WireGuard package and its related kernel modules.
Key generation

Each peer needs its own private/public key pair. Set the umask to restrict file permissions and generate keys for the server and for each client.

```shell
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
```

Repeat this on every device. Never share the private key, and store both files securely. If you prefer, create the files with distinct names, for example privatekeyserver for the server and an equivalent name for each client.
Server configuration

Create the main file at /etc/wireguard/wg0.conf. Assign a VPN subnet (one not used on your real LAN), the UDP listen port, and add a [Peer] block for each authorized client.

```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <clave_privada_servidor>

# Client 1
[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 10.0.0.2/32
```

You can use a different subnet, for example 192.168.2.0/24, and grow it with multiple peers. For quick bring-up it is common to use wg-quick with wgN.conf files.
Client configuration

On the client, create a file such as wg0-client.conf with its own private key, the tunnel address, an optional DNS server, and the server as a peer with its endpoint and port.

```ini
[Interface]
PrivateKey = <clave_privada_cliente>
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <clave_publica_servidor>
Endpoint = <ip_publica_servidor>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

If you set AllowedIPs = 0.0.0.0/0, all traffic goes through the VPN; if you only need to reach specific servers, restrict it to the necessary subnets and you will reduce overhead and traffic through the tunnel.
IP forwarding and NAT on the server

Enable forwarding so that clients can reach the Internet through the server. Apply the change on the fly with sysctl.

```shell
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
sysctl -p
```

Configure NAT with iptables for the VPN subnet, specifying the WAN interface (for example, eth0):

```shell
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
```

Persist the rules with the appropriate packages so that they are applied again after a system reboot.

```shell
apt install -y iptables-persistent netfilter-persistent
netfilter-persistent save
```
Start and verify

Bring up the interface and enable the service so that it starts with the system. This step creates the virtual interface and adds the necessary routes.

```shell
systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
wg
```

With wg you will see the peers, keys, transfer counters and the time of the last handshake. If your firewall policy is restrictive, allow input on the wg0 interface and on the service's UDP port:

```shell
iptables -I INPUT 1 -i wg0 -j ACCEPT
# Also accept the UDP listen port (51820 in this guide) on the WAN side
iptables -I INPUT 1 -p udp --dport 51820 -j ACCEPT
```
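As an added example (not from the original guide), here is a small parser for the machine-readable form of that status, `wg show wg0 dump`, that flags peers without a recent handshake. The sample dump is constructed with placeholder keys; the 180-second threshold is an assumption based on WireGuard renegotiating roughly every two minutes while a session carries traffic.

```python
import subprocess

# Constructed sample of `wg show wg0 dump` (tab-separated, placeholder keys).
# Line 1: interface private key, public key, listen port, fwmark.
# Remaining lines, one per peer: public key, preshared key, endpoint,
# allowed IPs, last handshake (unix seconds, 0 = never), rx, tx, keepalive.
SAMPLE_DUMP = "\n".join([
    "SERVER_PRIVKEY_PLACEHOLDER\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff",
    "CLIENT1_PUBKEY_PLACEHOLDER\t(none)\t203.0.113.10:41821\t10.0.0.2/32\t1700000000\t8192\t4096\t25",
    "CLIENT2_PUBKEY_PLACEHOLDER\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff",
    "CLIENT3_PUBKEY_PLACEHOLDER\t(none)\t198.51.100.7:51820\t10.0.0.4/32\t1699999000\t100\t100\t25",
])


def parse_wg_dump(text):
    """Return one dict per peer from `wg show <iface> dump` output."""
    lines = [line for line in text.splitlines() if line.strip()]
    peers = []
    for line in lines[1:]:  # skip the interface line
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "last_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
        })
    return peers


def stale_peers(peers, now, max_age=180):
    """Public keys of peers that never completed a handshake or whose last
    handshake is older than max_age seconds (assumed 3 minutes here)."""
    return [p["public_key"] for p in peers
            if p["last_handshake"] == 0 or now - p["last_handshake"] > max_age]


def live_peers(iface="wg0"):
    """Read the real dump from the running interface (requires root)."""
    out = subprocess.run(["wg", "show", iface, "dump"],
                         check=True, capture_output=True, text=True).stdout
    return parse_wg_dump(out)
```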
Official apps: Windows, macOS, Android and iOS

On desktop you can import a .conf file directly. On mobile, the app lets you create the interface from a QR code that contains the configuration, which is very convenient for non-technical users.

If your goal is to reach self-hosted services such as Plex/Radarr/Sonarr through your VPN, just give them addresses on the WireGuard subnet and adjust AllowedIPs so the client can reach that network; you do not need to open any additional ports to the outside if everything travels through the tunnel.
Advantages and drawbacks

WireGuard is fast and simple, but it is important to consider its limits and the specifics of your use case. Here is a balanced view of the most relevant points.

| Advantages | Drawbacks |
|---|---|
| Lightweight, concise configuration, ideal for automation | No built-in traffic obfuscation |
| High performance and low latency from the in-kernel implementation | Fewer advanced options in some legacy environments |
| Modern cryptography and a small code base that is easy to audit | Privacy: the static IP/public-key pairing is easy to correlate, depending on server policy |
| Clients include roaming and a kill switch | Third-party integration is uneven |
Split tunneling: route only what you need

You can send only the traffic you need through the VPN. With AllowedIPs you decide whether to redirect everything or just one or more subnets.

```ini
# Full Internet redirection
[Peer]
AllowedIPs = 0.0.0.0/0

# Only reach the LAN 192.168.1.0/24 through the VPN
[Peer]
AllowedIPs = 192.168.1.0/24
```

There are variants such as reverse split tunneling, or filtering by URL or by application (through specific extensions/clients), although the native basis in WireGuard is control by IP addresses and prefixes.
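Because WireGuard only understands prefixes, "everything except my LAN" (the reverse split-tunnel case) has to be written as the list of prefixes that cover 0.0.0.0/0 minus the excluded network. The helper below is an added example, not part of the guide or of the wg tools, and computes that list with the standard library.

```python
import ipaddress


def allowed_ips_excluding(excluded, base="0.0.0.0/0"):
    """Express "all of base except the excluded prefixes" as an AllowedIPs list.

    WireGuard has no exclude directive, so each excluded network is carved out
    of the remaining prefixes with address_exclude (a /24 removed from /0 yields
    24 prefixes, one per prefix bit). Prefixes fully inside an exclusion vanish.
    """
    remaining = [ipaddress.ip_network(base)]
    for ex in map(ipaddress.ip_network, excluded):
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):           # carve the exclusion out of net
                nxt.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):         # net is swallowed whole
                continue
            else:                           # disjoint, keep as-is
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def covers(nets, ip):
    """True if any prefix in nets contains ip (i.e. it would be tunneled)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def allowed_ips_line(nets):
    """Render the list as the AllowedIPs line for a [Peer] block."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)
```

The resulting line goes in the client's [Peer] block in place of AllowedIPs = 0.0.0.0/0; traffic for the excluded LAN then never enters the tunnel.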
Compatibility and ecosystem

WireGuard was born for the Linux kernel, but today it is widely supported: OPNsense integrates it natively; pfSense removed it briefly for review and later offered it as an optional package depending on the version.

On NAS systems such as QNAP you can deploy it through QVPN or in virtual machines, taking advantage of 10GbE NICs for high speeds. MikroTik routers include WireGuard support since RouterOS 7.x; in its early releases it was in beta and not recommended for production, but it allows P2P tunnels between devices and to end clients.

Vendors such as Teltonika offer a package that integrates WireGuard into their routers; if you need hardware, you can buy it at shop.davantel.com and follow the manufacturer's instructions to install the extra packages.
Performance and latency

Thanks to its minimal design and the choice of efficient algorithms, WireGuard achieves very high speeds and low latencies, clearly outperforming L2TP/IPsec and OpenVPN. In local tests on powerful hardware, real throughput can be more than double that of the alternatives, making it ideal for streaming, gaming or VoIP.

Enterprise deployment and remote work

In business, WireGuard is suitable for creating tunnels between offices, for remote employee access, and for stable links between a data center and the cloud (for example, for backups). Its concise syntax makes change management and automation easy.

It integrates with directories such as LDAP/AD through centralized management solutions and can coexist with IDS/IPS or NAC platforms. A popular option is PacketFence (open source), which lets you verify the status of devices before granting access and manage BYOD.
Windows/macOS: notes and recommendations

The Windows app usually works without problems, but on some Windows 10 builds there have been issues when using AllowedIPs = 0.0.0.0/0 because of route conflicts. As a temporary workaround, some users choose alternative WireGuard clients such as TunSafe or limit AllowedIPs to specific subnets.
Debian quick-start guide with sample keys

Generate keys for the server and the client in /etc/wireguard/ and create the wg0 interface. Make sure the VPN addresses do not overlap other addresses on your local network or on the client's network.

```shell
cd /etc/wireguard/
umask 077
wg genkey | tee claveprivadaservidor | wg pubkey > clavepublicaservidor
wg genkey | tee claveprivadacliente1 | wg pubkey > clavepublicacliente1
```

Server wg0.conf with subnet 192.168.2.0/24 and port 51820. Enable PostUp/PostDown if you want NAT with iptables to be set up and torn down automatically when the interface comes up or goes down.

```ini
[Interface]
Address = 192.168.2.1/24
PrivateKey = <clave_privada_servidor>
ListenPort = 51820
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 0.0.0.0/0
```

Client with address 192.168.2.2, pointing at the server's public endpoint, with an optional keepalive if there is NAT in between.

```ini
[Interface]
PrivateKey = <clave_privada_cliente1>
Address = 192.168.2.2/32

[Peer]
PublicKey = <clave_publica_servidor>
AllowedIPs = 0.0.0.0/0
Endpoint = <ip_publica_servidor>:51820
#PersistentKeepalive = 25
```

Bring up the interface and check details such as the MTU, the routes, the fwmark and the policy-routing rules. Look at the wg-quick output and at the status reported by wg show.
MikroTik: tunnel between RouterOS 7.x routers

MikroTik supports WireGuard since RouterOS 7.x. Create a WireGuard interface on each router and enable it; its keys are generated automatically. Assign addresses to ether2 as the WAN and to wireguard1 as the tunnel address.

Configure the peers by entering the server's public key on the client side and vice versa, define the Allowed Address/AllowedIPs (for example 0.0.0.0/0 if you want to allow any source/destination through the tunnel) and set the remote endpoint with its port. A ping to the remote tunnel address confirms connectivity.

If you connect phones or PCs to the MikroTik tunnel, tune the allowed networks carefully so you do not expose more than necessary; WireGuard decides how packets flow according to its Cryptokey Routing, so sources and destinations must match on both ends.
Cryptography used

WireGuard uses a modern suite: the Noise framework, Curve25519 for ECDH, ChaCha20 for symmetric encryption authenticated with Poly1305, BLAKE2 for hashing, SipHash24 for hash tables and HKDF for key derivation. If an algorithm is ever deprecated, the protocol is versioned so that migration is straightforward.

Pros and cons on mobile phones

Using it on phones lets you browse public Wi-Fi securely, hide your traffic from the ISP, and connect to your home network to reach a NAS, home automation or gaming. On iOS/Android, switching networks does not drop the tunnel, which improves the experience.

As for the downsides, you accept some loss of speed and higher latency compared with a direct connection, and you depend on the server always being available. Still, compared with IPsec/OpenVPN the penalty is much smaller.

WireGuard combines simplicity, speed and real security with a low learning curve: install it, generate keys, define AllowedIPs, and you are ready to go. Add IP forwarding, properly configured NAT, official apps with QR codes, and integration with ecosystems such as OPNsense, MikroTik or Teltonika, and you have a modern VPN for almost any scenario, from securing public networks to connecting the main office and reaching your home services without headaches.
The author is an expert in technology and networking topics with more than ten years of experience in various digital media. I have worked as an editor and content creator for e-commerce, communications, online marketing and advertising companies. I have also written for websites on the economy, finance and other sectors. My work is also my passion. Now, through my articles at Tecnobits, I try to explore the news and new opportunities that the world of technology offers us every day to improve our lives.

