- Simple architecture and modern cryptography: per-peer keys and AllowedIPs for routing.
- Quick setup on Linux and official apps for desktop and mobile.
- Better performance than IPsec / OpenVPN, with roaming and low latency.

If you are looking for a VPN that is fast, secure and easy to deploy, WireGuard is the best option you can use today. With a minimal design and modern cryptographic primitives, it is ideal for home users, professionals and enterprise environments, both on computers and on mobile devices and routers.
In this practical guide you will find everything from the basics to advanced configuration: installation on Linux (Ubuntu / Debian / CentOS), keys, server and client files, IP forwarding, NAT / firewall, use on Windows / macOS / Android / iOS, split tunneling, performance, troubleshooting, and compatibility with platforms such as OPNsense, pfSense, QNAP, MikroTik or Teltonika.
What is WireGuard and why choose it?
WireGuard is an open VPN protocol and software designed to create encrypted L3 tunnels over UDP. It stands out compared to OpenVPN or IPsec for its simplicity, performance and lower latency, relying on modern algorithms such as Curve25519, ChaCha20-Poly1305, BLAKE2, SipHash24 and HKDF.
Its code base is very small (around a thousand lines), which makes auditing easier, reduces the attack surface and improves maintainability. It is also integrated into the Linux kernel, which allows high throughput and fast response even on modest hardware.
It is multiplatform: there are official apps for Windows, macOS, Linux, Android and iOS, plus support for router / firewall-oriented systems such as OPNsense. It is also available on environments such as FreeBSD, OpenBSD, and on NAS and virtualization platforms.
How it works internally
WireGuard establishes an encrypted tunnel between peers identified by their keys. Each device generates a key pair (private / public) and shares only its public key with the other end; from then on, all traffic is encrypted and authenticated.
The AllowedIPs directive defines both outbound routing (which traffic must go through the tunnel) and the list of source addresses that the remote peer will accept after decrypting a packet. This mechanism is called Cryptokey Routing and makes the routing policy very simple.
WireGuard handles roaming very well: if your client changes IP (for example, you jump from Wi-Fi to 4G / 5G), the session is re-established transparently and very quickly. It also supports a kill switch to block traffic outside the tunnel if the VPN goes down.
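The following Python simulation is added here to make the two directions of Cryptokey Routing concrete; it is not code from WireGuard or from this article. The peer names and prefixes are a constructed table; the lookup is a longest-prefix match over every peer's AllowedIPs, and the same lookup is used both to pick the peer for an outgoing packet and to validate the source of a decrypted one.

```python
import ipaddress

# Constructed peer table (hypothetical names): peer label -> its AllowedIPs list.
# "exit-node" claims 0.0.0.0/0, so it receives every destination no other peer claims.
PEERS = {
    "client1":   ["10.0.0.2/32"],
    "branch":    ["10.0.0.3/32", "192.168.1.0/24"],
    "exit-node": ["10.0.0.4/32", "0.0.0.0/0"],
}

def lookup_peer(ip):
    """Longest-prefix match over every peer's AllowedIPs; None if no peer claims the IP."""
    addr = ipaddress.ip_address(ip)
    best_peer, best_len = None, -1
    for peer, prefixes in PEERS.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best_peer, best_len = peer, net.prefixlen
    return best_peer

def route_outbound(dst_ip):
    """Sending side: the packet is encrypted for the peer that owns the destination."""
    return lookup_peer(dst_ip)

def accept_inbound(from_peer, src_ip):
    """Receiving side: after decryption the source address must map back to the
    same peer that sent it; otherwise the packet is silently dropped (anti-spoofing)."""
    return lookup_peer(src_ip) == from_peer
```

A packet from client1 with source 10.0.0.9 is dropped because that address maps to the exit node, not to client1; by the same rule, a server-side peer configured with AllowedIPs = 0.0.0.0/0 accepts any source address from that one client.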
Installation on Linux: Ubuntu / Debian / CentOS
On Ubuntu, WireGuard is available in the official repos. Update the packages and then install the software to get the kernel module and the wg and wg-quick tools.
```bash
apt update && apt upgrade -y
apt install wireguard -y
modprobe wireguard
```
On Debian stable you can pull the package from the unstable branch if you need to, following the recommended pinning approach and with care in production:
```bash
sudo sh -c 'echo deb https://deb.debian.org/debian/ unstable main > /etc/apt/sources.list.d/unstable.list'
sudo sh -c 'printf "Package: *\nPin: release a=unstable\nPin-Priority: 90\n" > /etc/apt/preferences.d/limit-unstable'
sudo apt update
sudo apt install wireguard
```
On CentOS 8.3 the flow is similar: enable the EPEL / ElRepo repos if necessary, then install the WireGuard package and load the modules.
Key generation
Each peer must have its own private / public key pair. Use umask to restrict file permissions and generate the keys for the server and the clients.
```bash
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
```
Repeat this on each device. Never share the private key and keep both files safe. If you prefer, create the files with distinct names, for example privatekeyserver and publicserverkey.
Server configuration
Create the main file at /etc/wireguard/wg0.conf. Assign the VPN subnet (one not used on your real LAN), the UDP port, and add a [Peer] block for each authorized client.
```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <clave_privada_servidor>
# Client 1
[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 10.0.0.2/32
```
You can use another subnet, for example 192.168.2.0/24, and grow by adding more peers. For quick deployment it is common to use wg-quick with wgN.conf files.
Client configuration
On the client, create a file, for example wg0-client.conf, with its private key, its address, an optional DNS, and the server as a peer with its public endpoint and port.
```ini
[Interface]
PrivateKey = <clave_privada_cliente>
Address = 10.0.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = <clave_publica_servidor>
Endpoint = <ip_publica_servidor>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
If you set AllowedIPs = 0.0.0.0/0, all traffic will go through the VPN; if you only need to reach specific servers, restrict it to the necessary subnets and you will reduce latency and consumption.
IP forwarding and NAT on the server
Enable forwarding so that clients can reach the Internet through the server. Apply the changes on the fly with sysctl.
```bash
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
sysctl -p
```
Configure NAT with iptables for the VPN subnet, specifying the WAN interface (for example, eth0):
```bash
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
```
Make it persistent with the required packages and save the rules so they are applied again after a system reboot.
```bash
apt install -y iptables-persistent netfilter-persistent
netfilter-persistent save
```
Startup and verification
Bring up the interface and enable the service so it starts with the system. These steps create the virtual interface and add the necessary routes.
```bash
systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
wg
```
With wg you will see the peers, keys, transfer counters and the latest handshake. If your firewall policy is restrictive, allow input on the wg0 interface and on the service's UDP port:
```bash
# Accept traffic arriving through the tunnel interface
iptables -I INPUT 1 -i wg0 -j ACCEPT
# Accept the encrypted UDP packets on the ListenPort (51820 in this guide)
iptables -I INPUT 1 -p udp --dport 51820 -j ACCEPT
```
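As an added example (not part of the article), the following Python parses the tab-separated output of `wg show wg0 dump`, the machine-readable form of what wg prints, and groups peers by handshake freshness. The sample dump is constructed with placeholder keys and documentation IP ranges; the 180-second threshold is WireGuard's REJECT_AFTER_TIME.

```python
REJECT_AFTER_TIME = 180  # seconds; WireGuard discards a session older than this

# Constructed sample of `wg show wg0 dump` (tab-separated). The keys are placeholders,
# not real WireGuard keys; endpoints use documentation address ranges.
SAMPLE_DUMP = (
    "SERVER_PRIVATE_KEY_PLACEHOLDER\tSERVER_PUBLIC_KEY_PLACEHOLDER\t51820\toff\n"
    "CLIENT1_PUBKEY_PLACEHOLDER\t(none)\t203.0.113.10:41820\t10.0.0.2/32"
    "\t1700000000\t48231\t91022\t25\n"
    "CLIENT2_PUBKEY_PLACEHOLDER\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n"
    "BRANCH_PUBKEY_PLACEHOLDER\t(none)\t198.51.100.7:51820\t10.0.0.4/32,192.168.1.0/24"
    "\t1699999000\t1024\t2048\t25\n"
)

def parse_dump(text):
    """First line describes the interface; each following line is one peer."""
    lines = text.strip().splitlines()
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"),
                     lines[0].split("\t")))
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),  # unix seconds, 0 = never
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return iface, peers

def classify_peers(peers, now):
    """Group peer public keys by handshake freshness: active, stale or never."""
    groups = {"active": [], "stale": [], "never": []}
    for p in peers:
        if p["latest_handshake"] == 0:
            state = "never"   # peer configured but has not completed a handshake
        elif now - p["latest_handshake"] > REJECT_AFTER_TIME:
            state = "stale"   # peer went silent: offline or UDP blocked on the way
        else:
            state = "active"
        groups[state].append(p["public_key"])
    return groups
```

Run it against real output with `parse_dump(subprocess.check_output(["wg", "show", "wg0", "dump"], text=True))` and `time.time()` as `now`.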
Official apps: Windows, macOS, Android and iOS
On desktop you can import a .conf file. On mobile it is even easier: the app lets you create the interface from a QR code that contains the configuration, which is very convenient for non-technical users.
If your goal is to expose self-hosted services such as Plex / Radarr / Sonarr through your VPN, just assign them IPs in the WireGuard subnet and adjust AllowedIPs so the client can reach that network; you do not need to open additional ports to the outside if all access goes through the tunnel.
Advantages and disadvantages
WireGuard is very fast and simple, but it is important to consider its limitations and particularities depending on the use case. Here is a balanced overview of the main points.
| Advantages | Disadvantages |
|---|---|
| Clear and short configuration, ideal for automation | Does not include traffic obfuscation |
| High performance and low latency, even on mobile | Fewer options in some legacy environments |
| Modern cryptography and a small code base that is easy to audit | Privacy: the IP / public key association can be sensitive depending on policy |
| Seamless roaming and a kill switch available for clients | Third-party compatibility is not always homogeneous |
Split tunneling: routing only what is necessary
Split tunneling lets you send only the traffic you want through the VPN. With AllowedIPs you decide between full redirection and selective redirection of one or more subnets.
```ini
# Full Internet redirection
[Peer]
AllowedIPs = 0.0.0.0/0
# Only reach LAN resources on 192.168.1.0/24 through the VPN
[Peer]
AllowedIPs = 192.168.1.0/24
```
There are variants such as inverse split tunneling and filtering by URL or by application (through extensions / clients), although the native basis in WireGuard is always managed by IPs and prefixes.
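To compute the split-tunneling lists described above, here is an added Python helper (not code from the article or from WireGuard): it derives the AllowedIPs prefixes that cover everything except a set of excluded networks, which is the inverse split-tunneling case that WireGuard cannot express as a negation. All inputs here are IPv4; an IPv6 list would be computed separately.

```python
import ipaddress

def allowed_ips_excluding(exclusions, base="0.0.0.0/0"):
    """Prefixes covering `base` minus every network in `exclusions`,
    collapsed to the shortest list that can go into AllowedIPs (IPv4 only here)."""
    remaining = [ipaddress.ip_network(base)]
    for excluded in map(ipaddress.ip_network, exclusions):
        kept = []
        for net in remaining:
            if net.subnet_of(excluded):
                continue                                     # fully excluded, drop it
            if excluded.subnet_of(net):
                kept.extend(net.address_exclude(excluded))   # split around the hole
            else:
                kept.append(net)                             # disjoint, keep as is
        remaining = kept
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]

def covers(prefixes, ip):
    """True if `ip` would be sent into the tunnel by this AllowedIPs list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def allowed_ips_line(prefixes):
    """Render the list as a line ready to paste into the [Peer] section."""
    return "AllowedIPs = " + ", ".join(prefixes)
```

Excluding the local LAN 192.168.1.0/24 from a full-tunnel client yields 24 prefixes, which is why a generated list looks much longer than the single 0.0.0.0/0 it replaces.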
Compatibility and ecosystem
WireGuard was born for the Linux kernel, but today it is multiplatform. OPNsense integrates it natively; pfSense temporarily removed it for review and later offered it as an optional package depending on the version.
On NAS devices such as QNAP you can install it through QVPN or in virtual machines, taking advantage of 10GbE NICs for high speed. MikroTik router boards have included WireGuard support since RouterOS 7.x; in its early iterations it was in beta and not recommended for production, but it allows P2P tunnels between devices and even end clients.
Manufacturers such as Teltonika offer a WireGuard add-on package for their routers; if you need the devices, you can buy them at shop.davantel.com and follow the manufacturer's instructions to set up the add-on package.
Performance and latency
Thanks to its minimal design and its choice of efficient primitives, WireGuard achieves very high throughput and low latencies, generally superior to L2TP/IPsec and OpenVPN. In local tests with powerful hardware, real throughput is often double that of the alternatives, which makes it ideal for streaming, gaming or VoIP.
Enterprise and mobile use
In the enterprise, WireGuard is well suited to creating tunnels between offices, for remote workers, and for secure connectivity between the data center and the cloud (e.g., for backups). Its concise syntax makes versioning and automation easy.
It integrates with directories such as LDAP / AD through intermediate solutions and can coexist with IDS / IPS or NAC platforms. A popular option is PacketFence (open source), which lets you verify the state of devices before granting access and manage BYOD.
Windows / macOS: notes and tips
The official Windows app usually works without problems, but on some versions of Windows 10 there have been issues when using AllowedIPs = 0.0.0.0/0 because of routing conflicts. As a temporary alternative, some users opt for WireGuard-based clients such as TunSafe, or restrict AllowedIPs to specific subnets.
Debian quick start guide with example keys
Generate the keys for the server and the clients in /etc/wireguard/ and create the wg0 interface. Make sure the VPN IPs do not collide with other IPs on your local network or on your clients' networks.
```bash
cd /etc/wireguard/
wg genkey | tee claveprivadaservidor | wg pubkey > clavepublicaservidor
wg genkey | tee claveprivadacliente1 | wg pubkey > clavepublicacliente1
```
Server wg0.conf with the subnet 192.168.2.0/24 and port 51820. Enable PostUp/PostDown if you want to automate the iptables rules when the interface comes up or goes down.
```ini
[Interface]
Address = 192.168.2.1/24
PrivateKey = <clave_privada_servidor>
ListenPort = 51820
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 0.0.0.0/0
```
Client with address 192.168.2.2, pointing at the server's public endpoint and with an optional keepalive if there is NAT in between.
```ini
[Interface]
PrivateKey = <clave_privada_cliente1>
Address = 192.168.2.2/32
[Peer]
PublicKey = <clave_publica_servidor>
AllowedIPs = 0.0.0.0/0
Endpoint = <ip_publica_servidor>:51820
#PersistentKeepalive = 25
```
Bring up the interface and watch the MTU, the routes, and the fwmark and routing rules it creates. Check the output of wg-quick and the status with wg show.
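As an added example for the quick-start pair above (not part of the article), this Python cross-checks a server wg0.conf against one client file: subnet membership, matching port, which server peer owns the client address, and whether a server-side peer uses 0.0.0.0/0 (the server would then accept any source address from that client). The two embedded configs are constructed with the article's placeholders and omit the key lines, which the checker does not need.

```python
import ipaddress
def parse_wg_conf(text):
    """Tiny wg-quick parser ([Peer] repeats, so configparser is unsuitable)."""
    iface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            current = iface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return iface, peers

def check_pair(server_conf, client_conf):
    """Cross-check one client file against the server wg0.conf; returns findings."""
    s_if, s_peers = parse_wg_conf(server_conf)
    c_if, c_peers = parse_wg_conf(client_conf)
    s_net = ipaddress.ip_interface(s_if["Address"]).network
    c_ip = ipaddress.ip_interface(c_if["Address"]).ip
    findings = []
    if c_ip not in s_net:
        findings.append(f"client {c_ip} is outside the server subnet {s_net}")
    port = c_peers[0]["Endpoint"].rsplit(":", 1)[1]
    if port != s_if.get("ListenPort"):
        findings.append(f"client Endpoint port {port} != server ListenPort {s_if.get('ListenPort')}")
    nets = [(p, ipaddress.ip_network(a.strip()))
            for p in s_peers for a in p["AllowedIPs"].split(",")]
    if not any(c_ip in net for _, net in nets):
        findings.append(f"no server [Peer] lists {c_ip} in AllowedIPs; its packets are dropped")
    for p, net in nets:
        if net.prefixlen == 0:  # 0.0.0.0/0 on the server side: any source from that client
            findings.append(f"server peer {p['PublicKey']} accepts any source address ({net})")
    return findings
# Constructed sample pair in the article's 192.168.2.0/24 layout; placeholders stand in for keys.
SERVER_CONF = """[Interface]
Address = 192.168.2.1/24
ListenPort = 51820
[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 192.168.2.2/32
"""
CLIENT_CONF = """[Interface]
Address = 192.168.2.2/32
[Peer]
Endpoint = <ip_publica_servidor>:51820
"""
```

Feeding the quick-start server file as written (AllowedIPs = 0.0.0.0/0 for the client peer) produces the "accepts any source address" finding; narrowing that peer to 192.168.2.2/32 clears it.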
MikroTik: integration in RouterOS 7.x
MikroTik has supported WireGuard since RouterOS 7.x. Create a WireGuard interface on each router, enable it, and its keys are generated automatically. Assign IPs to ether2 as the WAN and to wireguard1 as the tunnel interface.
Add the peers by entering the server's public key on the client and vice versa, define the Allowed Address / AllowedIPs (for example 0.0.0.0/0 if you want to allow any source / destination through the tunnel) and set the remote endpoint with its port. A ping to the remote tunnel IP confirms the handshake.
If you connect phones or computers to the MikroTik tunnel, tune the allowed addresses so as not to open more than necessary; WireGuard decides the flow of packets according to your Cryptokey Routing, so it is essential that sources and destinations match on both sides.
Cryptography used
WireGuard uses modern primitives: the Noise protocol framework, Curve25519 for ECDH, ChaCha20 for authenticated symmetric encryption with Poly1305, BLAKE2 for hashing, SipHash24 for hash tables and HKDF for key derivation. If an algorithm is ever deprecated, the protocol can be updated to migrate easily.
Pros and cons on mobile
Using it on smartphones lets you browse more safely on public Wi-Fi, hide your traffic from your ISP, and connect to your home network to reach a NAS, home automation, or games. On iOS / Android, reconnection is transparent inside the tunnel, which improves the experience.
As for the cons, you incur some loss of speed and more latency compared to a direct connection, and you depend on the server always being available. Even so, compared to IPsec / OpenVPN the penalty is usually lower.
WireGuard offers simplicity, speed and real security with a gentle learning curve: install it, generate keys, define AllowedIPs, and you are ready. Add IP forwarding, proper NAT, the official apps with QR codes, and compatibility with ecosystems such as OPNsense, MikroTik or Teltonika. This modern VPN covers almost any scenario, from securing public connections to site-to-site links and reaching your home services without headaches.
Editor specialized in technology and internet topics with more than ten years of experience in different digital media. I have worked as an editor and content creator for e-commerce, communication, online marketing and advertising companies. I have also written about economics, finance and for other websites. My work is also my passion. Now, through my articles at Tecnobits, I try to explore all the news and new opportunities that the world of technology offers us every day to improve our lives.

