- Simple architecture and modern encryption: per-peer keys and AllowedIPs for routing.
- Quick installation on Linux and official apps for desktop and mobile.
- Better performance than IPsec/OpenVPN, with roaming and low latency.

If you are looking for a VPN that is fast, secure and easy to use, WireGuard is the best option you can use today. With a minimalist design and modern cryptography, it suits home users, professionals and corporate environments, on computers as well as on mobile devices and routers.
In this practical guide you will find everything from the basics to advanced configuration: installation on Linux (Ubuntu/Debian/CentOS), keys, server and client files, IP forwarding, NAT/firewall, apps on Windows/macOS/Android/iOS, split tunneling, performance, troubleshooting, and compatibility with platforms such as OPNsense, pfSense, QNAP, Mikrotik or Teltonika.
What is WireGuard and why choose it?
WireGuard is an open-source VPN protocol and software designed to create encrypted L3 tunnels over UDP. It stands out against OpenVPN or IPsec for its simplicity, performance and low latency, relying on modern primitives such as Curve25519, ChaCha20-Poly1305, BLAKE2, SipHash24 and HKDF.
Its code base is very small (on the order of thousands of lines), which makes auditing easier, reduces the attack surface and simplifies maintenance. It is also integrated into the Linux kernel, allowing high throughput and a responsive connection even on modest hardware.
It is multiplatform: there are official apps for Windows, macOS, Linux, Android and iOS, and support in router/firewall systems such as OPNsense. It is also available in environments such as FreeBSD, OpenBSD, and on NAS and virtualization platforms.
How it works internally
WireGuard establishes an encrypted tunnel between peers identified by keys. Each device generates a key pair (private/public) and shares only its public key with the other end; from then on, all traffic is encrypted and authenticated.
The AllowedIPs directive defines both the outbound routing (which traffic must go through the tunnel) and the list of valid source addresses that will be accepted from the remote peer once a packet has been decrypted successfully. This approach is known as Cryptokey Routing and greatly simplifies traffic policy.
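A small model of Cryptokey Routing, added here as an illustration and not taken from WireGuard's code or from the original guide. It assumes peer names in place of public keys; `10.0.0.2/32` is the guide's client, while `site-router` and its prefixes are hypothetical.

```python
import ipaddress

class CryptokeyTable:
    """Toy model of a WireGuard AllowedIPs table; peer names stand in for public keys."""

    def __init__(self):
        self.entries = []  # list of (network, peer)

    def add_peer(self, peer, allowed_ips):
        for cidr in allowed_ips:
            self.entries.append((ipaddress.ip_network(cidr), peer))

    def lookup(self, addr):
        """Longest-prefix match: the peer whose AllowedIPs best covers addr, or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, peer in self.entries:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def route_outbound(self, dst):
        """Outbound: pick the peer (and therefore the key) used to encrypt to dst."""
        return self.lookup(dst)

    def accept_inbound(self, peer, inner_src):
        """Inbound: after decrypting with peer's key, the inner source must map back to it."""
        return self.lookup(inner_src) == peer


def build_server_table():
    # Constructed sample: 10.0.0.2/32 is the guide's client; the second peer is hypothetical.
    table = CryptokeyTable()
    table.add_peer("client1", ["10.0.0.2/32"])
    table.add_peer("site-router", ["10.0.0.3/32", "192.168.1.0/24"])
    return table


if __name__ == "__main__":
    t = build_server_table()
    print(t.route_outbound("192.168.1.50"))         # chosen peer for a LAN destination
    print(t.accept_inbound("client1", "10.0.0.3"))  # source outside client1's AllowedIPs
```

The same table answers both questions: an outbound packet with no matching prefix has no peer to go to, and a decrypted packet whose inner source belongs to another peer's prefix is rejected.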
WireGuard works very well with roaming: if your client's IP changes (for example, you jump from Wi-Fi to 4G/5G), the session is re-established transparently and very quickly. It also supports a kill switch to block traffic from leaving outside the tunnel if the VPN goes down.
Installation on Linux: Ubuntu/Debian/CentOS
On Ubuntu, WireGuard is available in the official repositories. Update the packages and install the software to get the module and the wg and wg-quick tools.
apt update && apt upgrade -y
apt install wireguard -y
modprobe wireguard
On Debian stable you can rely on the unstable branch repositories if you need to, following the recommended method and taking care in production:
sudo sh -c 'echo deb https://deb.debian.org/debian/ unstable main > /etc/apt/sources.list.d/unstable.list'
sudo sh -c 'printf "Package: *\nPin: release a=unstable\nPin-Priority: 90\n" > /etc/apt/preferences.d/limit-unstable'
sudo apt update
sudo apt install wireguard
On CentOS 8.3 the flow is similar: you enable the EPEL/ElRepo repos if needed and install the WireGuard package and the corresponding modules.
Key generation
Each peer must have its own private/public key pair. Set umask to restrict permissions and generate the keys for the server and the clients.
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
Repeat on each device. Never share the private key, and store both keys safely. If you prefer, create files with different names, for example Privatekeyserver and publicserverkey.
Server configuration
Create the main file at /etc/wireguard/wg0.conf. Assign a VPN subnet (one not used on your real LAN) and the UDP port, and add a [Peer] block for each authorized client.
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <clave_privada_servidor>
# Client 1
[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 10.0.0.2/32
You can also use a different subnet, for example 192.168.2.0/24, and grow with multiple peers. For quick deployments, it is common to use wg-quick with wgN.conf files.
Client configuration
On the client create a file, for example wg0-client.conf, with its private key, tunnel address, optional DNS, and the server as a peer with its public endpoint and port.
[Interface]
PrivateKey = <clave_privada_cliente>
Address = 10.0.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = <clave_publica_servidor>
Endpoint = <ip_publica_servidor>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
If you set AllowedIPs = 0.0.0.0/0, all traffic will go through the VPN; if you only need to reach specific server networks, limit it to the required subnets and you will reduce latency and consumption.
IP Forwarding and NAT on the Server
Enable forwarding so that clients can reach the Internet through the server. Apply the changes on the fly with sysctl.
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
sysctl -p
Configure NAT with iptables for the VPN subnet, setting the WAN interface (for example, eth0):
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
Make it persistent with the appropriate package and save the rules so that they are applied when the system reboots.
apt install -y iptables-persistent netfilter-persistent
netfilter-persistent save
Startup and verification
Bring up the interface and enable the service so it starts with the system. This step creates the virtual interface and adds the necessary routes.
systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
wg
With wg you will see the peers, keys, transfer counters, and the time of the latest handshake. If your firewall policy is restrictive, allow inbound traffic through the wg0 interface and on the service's UDP port:
iptables -I INPUT 1 -i wg0 -j ACCEPT
Official apps: Windows, macOS, Android, and iOS
On desktop you can import a .conf file. On mobile devices, the app lets you create the interface from a QR code that contains the configuration; this is very convenient for non-technical clients.
If your goal is to expose self-hosted services such as Plex/Radarr/Sonarr through your VPN, simply assign IPs in the WireGuard subnet and adjust AllowedIPs so the client can reach that network; you do not need to open additional ports to the outside if all access goes through the tunnel.
Advantages and disadvantages
WireGuard is very fast and simple, but it is important to consider its limitations and specific requirements depending on the use case. Here is a balanced overview of the most relevant ones.
| Advantages | Disadvantages |
|---|---|
| Clear and concise configuration, ideal for automation | Does not include traffic obfuscation |
| High performance and low latency even under difficult conditions | In some legacy environments there are fewer options |
| Modern cryptography and a small code base that is easy to audit | Privacy: the IP/public key association can be sensitive depending on policy |
| Seamless roaming and a kill switch available in clients | Third-party compatibility is not always uniform |
Split tunneling: routing only what is needed
Split tunneling lets you send only the traffic you want through the VPN. With AllowedIPs you choose between full redirection or selective routing to one or more subnets.
# Full Internet redirection
[Peer]
AllowedIPs = 0.0.0.0/0
# Only reach resources on the LAN 192.168.1.0/24 through the VPN
[Peer]
AllowedIPs = 192.168.1.0/24
There are variants such as reverse split tunneling, or filtering by URL or by application (via extensions/clients), although at its base WireGuard works with IPs and prefixes.
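Because AllowedIPs only accepts prefixes, "everything except this network" has to be written as the set of prefixes that covers the rest. The following added example (not from the original guide; it goes one step beyond the two configurations above) computes that list with Python's `ipaddress` module. The function names are hypothetical and the excluded LAN is a constructed case.

```python
import ipaddress

def allowed_ips_excluding(base, excluded):
    """Prefixes that cover `base` except the networks listed in `excluded`."""
    remaining = [ipaddress.ip_network(base)]
    for cidr in excluded:
        hole = ipaddress.ip_network(cidr)
        next_round = []
        for net in remaining:
            if net.version != hole.version or not net.overlaps(hole):
                next_round.append(net)                        # untouched by this exclusion
            elif hole.supernet_of(net):
                continue                                      # wholly inside the excluded range
            else:
                next_round.extend(net.address_exclude(hole))  # carve the hole out of net
        remaining = next_round
    return sorted(ipaddress.collapse_addresses(remaining))

def allowed_ips_line(base, excluded):
    """Render the result as a wg-quick AllowedIPs line."""
    nets = allowed_ips_excluding(base, excluded)
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)

if __name__ == "__main__":
    # Constructed case: full tunnel, but keep the local LAN 192.168.1.0/24 off the VPN.
    print(allowed_ips_line("0.0.0.0/0", ["192.168.1.0/24"]))
```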
Compatibility and ecosystem
WireGuard was born for the Linux kernel, but today it is cross-platform. OPNsense integrates it natively; pfSense suspended it temporarily for audits, and it was later offered as an optional package depending on the version.
On a NAS such as QNAP you can set it up through QVPN or virtual machines, taking advantage of 10GbE NICs for high speeds. MikroTik router boards have included WireGuard support since RouterOS 7.x; in its early releases it was in beta and not recommended for production, but it allows P2P tunnels between devices as well as end clients.
Manufacturers such as Teltonika have a package to add WireGuard to their routers; if you need equipment, you can buy it at shop.davantel.com and follow the manufacturer's instructions to install additional packages.
Performance and latency
Thanks to its minimalist design and its choice of efficient algorithms, WireGuard achieves very high speeds and low latencies, generally better than L2TP/IPsec and OpenVPN. In local tests with powerful hardware, the actual rate is often double that of the alternatives, which makes it well suited to streaming, gaming or VoIP.
Enterprise deployment and teleworking
In business, WireGuard is suitable for building tunnels between offices, remote access for employees, and secure connections between the data center and the cloud (for example, for backups). Its concise syntax makes versioning and automation easy.
It integrates with directories such as LDAP/AD through intermediate solutions and can coexist with IDS/IPS or NAC platforms. A popular option is PacketFence (open source), which lets you verify the state of devices before granting access and manage BYOD.
Windows/macOS: Notes and Tips
The official Windows app usually works without problems, but on some Windows 10 versions there have been issues when using AllowedIPs = 0.0.0.0/0 because of route conflicts. As a temporary alternative, some users opt for WireGuard-based clients such as TunSafe or limit AllowedIPs to specific subnets.
Debian Quick Start Guide with Example Keys
Generate the server and client keys in /etc/wireguard/ and create the wg0 interface. Make sure the VPN IPs do not overlap with any other IPs on your local network or on your clients' networks.
cd /etc/wireguard/
umask 077
wg genkey | tee claveprivadaservidor | wg pubkey > clavepublicaservidor
wg genkey | tee claveprivadacliente1 | wg pubkey > clavepublicacliente1
Server wg0.conf with subnet 192.168.2.0/24 and port 51820. Enable PostUp/PostDown if you want to automate NAT with iptables when the interface is brought up/down.
[Interface]
Address = 192.168.2.1/24
PrivateKey = <clave_privada_servidor>
ListenPort = 51820
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <clave_publica_cliente1>
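# Limit this peer to its own tunnel address; 0.0.0.0/0 here would route all of the server's traffic to this client
AllowedIPs = 192.168.2.2/32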
Client with address 192.168.2.2, pointing at the server's public endpoint, with keepalive if there is an intermediate NAT.
[Interface]
PrivateKey = <clave_privada_cliente1>
Address = 192.168.2.2/32
[Peer]
PublicKey = <clave_publica_servidor>
AllowedIPs = 0.0.0.0/0
Endpoint = <ip_publica_servidor>:51820
#PersistentKeepalive = 25
Bring up the interface and check how the MTU, route marking, fwmark and routing policy rules are set. Review the wg-quick output and the state with wg show.
Mikrotik: tunnel between RouterOS 7.x devices
MikroTik has supported WireGuard since RouterOS 7.x. Create a WireGuard interface on each router, apply it, and the keys will be generated automatically. Assign IPs to Ether2 as WAN and to wireguard1 as the tunnel interface.
Configure the peers by passing the server's public key to the client side and vice versa, define Allowed Address/AllowedIPs (e.g. 0.0.0.0/0 if you want to allow any source/destination through the tunnel) and set the remote endpoint with its port. A ping to the remote tunnel IP will confirm the link.
If you connect mobile phones or computers to the Mikrotik tunnel, tune the allowed networks so you do not open more than necessary; WireGuard decides packet flow based on its Cryptokey Routing, so it is important that sources and destinations match.
Cryptography used
WireGuard uses a modern set of primitives: Noise as the framework, Curve25519 for ECDH, ChaCha20 for symmetric encryption authenticated with Poly1305, BLAKE2 for hashing, SipHash24 for hash tables, and HKDF for key derivation. If an algorithm is deprecated, the protocol can be versioned to migrate seamlessly.
Advantages and disadvantages on mobile
Using it on smartphones lets you browse safely on public Wi-Fi, hide traffic from your ISP, and connect to your home network to reach a NAS, home automation, or games. On iOS/Android, switching networks does not drop the tunnel, which improves the experience.
As disadvantages, you take on some loss of speed and higher latency compared with a direct connection, and you depend on the server always being available. However, compared with IPsec/OpenVPN the penalty is usually smaller.
WireGuard combines simplicity, speed, and real security with a gentle learning curve: install it, generate keys, define AllowedIPs, and you are ready to go. Add IP forwarding, well-implemented NAT, official apps with QR codes, and compatibility with ecosystems such as OPNsense, Mikrotik, or Teltonika, and you have a modern VPN for almost any scenario, from securing access on public networks to connecting to headquarters and reaching your home services without headaches.
Editor specialized in technology and internet topics, with more than ten years of experience across different digital media. I have worked as an editor and content creator for e-commerce, communication, online marketing and advertising companies. I have also written for economics, finance and other sector websites. My work is also my passion. Now, through my articles on Tecnobits, I try to explore all the news and new opportunities that the world of technology offers us every day to improve our lives.

