Complete WireGuard Guide: Installation, Keys and Advanced Configuration

Last updated: 09/24/2025

  • Simple design and modern cryptography: peer keys and AllowedIPs in the configuration.
  • Quick installation on Linux and official apps for desktop and mobile.
  • Higher performance than IPsec/OpenVPN, with seamless roaming and low latency.

If you are looking for a VPN that is fast, secure and easy to deploy, WireGuard is the best option available today. With its small design and modern cryptography, it suits home users, professionals and enterprise environments alike, on computers, mobile devices and routers.

In this practical guide you will find everything from the basics to advanced setups: installation on Linux (Ubuntu/Debian/CentOS), keys, server and client files, IP forwarding, NAT/firewall, the apps for Windows/macOS/Android/iOS, split tunneling, performance, troubleshooting, and integration with devices such as OPNsense, pfSense, QNAP, MikroTik or Teltonika.

What is WireGuard and why choose it?

WireGuard is an open-source VPN protocol and software designed to build encrypted L3 tunnels over UDP. It stands out against OpenVPN or IPsec for its simplicity, performance and low latency, relying on modern algorithms such as Curve25519, ChaCha20-Poly1305, BLAKE2, SipHash24 and HKDF.

Its code base is very small (around a thousand lines), which simplifies auditing, reduces the attack surface and eases maintenance. It is also integrated into the Linux kernel, which allows high transfer rates and fast response even on modest hardware.


It is multiplatform: there are official apps for Windows, macOS, Linux, Android and iOS, plus support in router/firewall-oriented systems such as OPNsense. It is also available for environments such as FreeBSD, OpenBSD, NAS units and embedded devices.


How it works internally


WireGuard builds an encrypted tunnel between peers identified by keys. Each device generates a key pair (private/public) and shares only its public key with the other end; from then on, all traffic is encrypted and authenticated.

The AllowedIPs directive defines both the outbound routing (which traffic must go through the tunnel) and the list of source addresses that will be accepted from the remote peer after a packet has been successfully decrypted. This mechanism is known as Cryptokey Routing and greatly simplifies traffic policy.

WireGuard handles roaming very well: if the client's IP changes (for example, you jump from Wi-Fi to 4G/5G), the session is re-established transparently and quickly. It also supports a kill switch to block traffic leaving the tunnel if the VPN goes down.

Installation on Linux: Ubuntu/Debian/CentOS

On Ubuntu, WireGuard is available in the official repositories. Update the packages and then install the software to get the module and the wg and wg-quick tools.

apt update && apt upgrade -y
apt install wireguard -y
modprobe wireguard

On Debian stable you can rely on the packages from the unstable branch if you need to, following the recommended pinning method and taking care in production:

sudo sh -c 'echo deb https://deb.debian.org/debian/ unstable main > /etc/apt/sources.list.d/unstable.list'
sudo sh -c 'printf "Package: *\nPin: release a=unstable\nPin-Priority: 90\n" > /etc/apt/preferences.d/limit-unstable'
sudo apt update
sudo apt install wireguard

On CentOS 8.3 the flow is similar: enable the EPEL/ElRepo repositories if needed and then install the WireGuard package and the matching modules.


Key generation

Each end must have its own private/public key pair. Apply a umask to restrict the file permissions and generate the keys for the server and the clients.

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Repeat this on every device. Never share the private key; store both keys safely. If you prefer, create files with different names, for example privatekeyserver and publicserverkey.

Server configuration

Create the main file at /etc/wireguard/wg0.conf. Assign a VPN subnet (one not used on your real LAN), the UDP port, and add a [Peer] block for each authorized client.

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <clave_privada_servidor>

# Client 1
[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 10.0.0.2/32

You can also use another subnet, for example 192.168.2.0/24, and grow it with as many peers as you need. For quick deployments it is common to use wg-quick with wgN.conf files.

Client configuration

On the client, create a file, for example wg0-client.conf, with its private key, the tunnel address, an optional DNS, and the server peer with its public key and endpoint.

[Interface]
PrivateKey = <clave_privada_cliente>
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <clave_publica_servidor>
Endpoint = <ip_publica_servidor>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

If you set AllowedIPs = 0.0.0.0/0, all traffic will go through the VPN; if you only need to reach specific networks behind the server, restrict it to the necessary subnets and you will reduce latency and resource consumption.
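The two roles of AllowedIPs (the Cryptokey Routing rule described earlier, and the full-tunnel versus restricted choice just made in the client file) can be modelled in user space. This is an added shell illustration, not code from the guide or the WireGuard project; the peer names and prefixes in the table are constructed, and real WireGuard performs this lookup inside the kernel.

```shell
# Added example: a user-space model of WireGuard's Cryptokey Routing.
# The peer table below is constructed; real WireGuard keeps it in the kernel.
set -eu

# Constructed peer table: "<peer name> <AllowedIPs entry>", one per line.
PEERS='hq-gateway 0.0.0.0/0
branch-a 192.168.1.0/24
branch-a 10.0.0.2/32
laptop 10.0.0.3/32'

ip2int() {                         # dotted quad -> 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains <net/len> <ip>: succeeds when ip lies inside the prefix.
cidr_contains() {
  net=${1%/*}; len=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))   # /0 -> mask 0
  [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Outbound: the peer whose AllowedIPs holds the longest prefix matching dst.
route_peer() {
  best=""; bestlen=-1
  while read -r name cidr; do
    [ -z "$name" ] && continue
    if cidr_contains "$cidr" "$1" && [ "${cidr#*/}" -gt "$bestlen" ]; then
      best=$name; bestlen=${cidr#*/}
    fi
  done <<EOF
$PEERS
EOF
  [ -n "$best" ] && echo "$best"
}

# Inbound: after decryption, a packet from <peer> is accepted only if its
# source address is covered by that peer's AllowedIPs; otherwise it is dropped.
accept_from_peer() {
  while read -r name cidr; do
    [ "$name" = "$1" ] && cidr_contains "$cidr" "$2" && return 0
  done <<EOF
$PEERS
EOF
  return 1
}
```

With this table, 192.168.1.50 is routed to branch-a by the longer /24 prefix even though hq-gateway's 0.0.0.0/0 also matches, and a decrypted packet claiming source 10.0.0.2 is accepted from branch-a but dropped if it arrives from laptop.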

IP forwarding and NAT on the server

Enable forwarding so that clients can reach the internet through the server. Apply the changes on the fly with sysctl.

echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
sysctl -p

Configure NAT with iptables for the VPN subnet, specifying the WAN interface (for example, eth0):

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

Make it persistent with the appropriate packages and save the rules so they are applied again after a reboot.

apt install -y iptables-persistent netfilter-persistent
netfilter-persistent save

Startup and verification

Bring up the interface and enable the service so it starts with the system. This step creates the virtual interface and adds the necessary routes.

systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
wg

With wg you will see the peers, keys, transfer counters and the times of the latest handshakes. If your firewall policy is restrictive, allow input on the wg0 interface and on the service's UDP port:

iptables -I INPUT 1 -i wg0 -j ACCEPT
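The forwarding, NAT and firewall steps above can be gathered into one re-runnable script. This is an added example, not code from the guide; it assumes the tunnel interface is wg0, takes the WAN interface, VPN subnet and UDP port as arguments, and with DRY_RUN=1 only prints the commands it would run (without it, it must run as root).

```shell
# Added example (not from the guide): idempotent forwarding, NAT and firewall
# setup for a WireGuard server. Interface, subnet and port are arguments;
# DRY_RUN=1 prints the commands instead of executing them (needs root otherwise).
set -eu

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# ensure_rule <table> <chain> <rule...>: insert the rule only if an identical
# one is not already present (-C), so re-running the script never duplicates it.
ensure_rule() {
  table=$1; chain=$2; shift 2
  if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    run iptables -t "$table" -I "$chain" "$@"
  fi
}

# wg_setup_nat <wan_if> <vpn_subnet> <udp_port>
wg_setup_nat() {
  wan=$1; subnet=$2; port=$3
  # Runtime only; the sysctl.conf lines from the guide make this persistent.
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w net.ipv6.conf.all.forwarding=1
  # Reach the service port from outside and accept traffic arriving on wg0.
  ensure_rule filter INPUT -p udp --dport "$port" -j ACCEPT
  ensure_rule filter INPUT -i wg0 -j ACCEPT
  # Forward only the VPN subnet out, and only replies to it back in.
  ensure_rule filter FORWARD -i wg0 -s "$subnet" -j ACCEPT
  ensure_rule filter FORWARD -o wg0 -d "$subnet" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Masquerade the VPN subnet only, not everything that leaves the WAN interface.
  ensure_rule nat POSTROUTING -s "$subnet" -o "$wan" -j MASQUERADE
}
```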

Official apps: Windows, macOS, Android and iOS

On desktop you can import a .conf file. On mobile devices, the app lets you create the interface from a QR code containing the configuration, which is very convenient for non-technical users.

If your goal is to expose self-hosted services such as Plex/Radarr/Sonarr through your VPN, simply assign addresses from the WireGuard subnet and adjust AllowedIPs so the client reaches that network; you do not need to open extra ports to the outside if all access goes through the tunnel.

Advantages and disadvantages

WireGuard is very fast and simple, but it is important to consider its limitations and particularities depending on the use case. Here is a balanced overview of the most relevant ones.

Advantages:
  • Clear, short configuration, well suited to automation.
  • High performance and low latency, even on mobile.
  • Modern cryptography and a small code base that eases auditing.
  • Seamless roaming and a kill switch available in the clients.

Disadvantages:
  • No native traffic obfuscation.
  • Fewer advanced options in some legacy environments.
  • Privacy: the association between public key and IP may be sensitive depending on your policies.
  • Third-party compatibility is not always uniform.

Split tunneling: route only what is needed

Split tunneling lets you send through the VPN only the traffic that needs it. With AllowedIPs you decide whether to redirect everything or, selectively, one or more subnets.

# Full internet redirection
[Peer]
AllowedIPs = 0.0.0.0/0
# Only reach the LAN 192.168.1.0/24 resources over the VPN
[Peer]
AllowedIPs = 192.168.1.0/24

There are variants such as split tunneling filtered by URL or by application (through specific extensions or clients), although native WireGuard only controls IPs and prefixes.

Compatibility and ecosystem

WireGuard was born in the Linux kernel, but today it is multiplatform. OPNsense integrates it natively; pfSense temporarily withdrew it for an audit and later offered it as an optional package depending on the version.

On NAS units such as QNAP you can deploy it through QVPN or virtual machines, taking advantage of 10GbE NICs for high speeds. MikroTik RouterBoards added WireGuard support as of RouterOS 7.x; in its first iterations it was in beta and not recommended for production, but it allows P2P tunnels between devices and even to client endpoints.

Manufacturers such as Teltonika have packages that add WireGuard to their routers; if you need hardware, you can buy it from the davantel.com shop and follow the manufacturer's instructions to install the extra packages.

Performance and latency

Thanks to its minimal design and its choice of efficient algorithms, WireGuard achieves very high throughput and low latencies, generally better than L2TP/IPsec and OpenVPN. In local tests with capable hardware, the real rate is often double that of the alternatives, which makes it suitable for streaming, gaming or VoIP.

Enterprise deployment and integration

Within a company, WireGuard is suitable for building tunnels between offices, remote employee access, and secure links between the data center and the cloud (for example, for backups). Its concise syntax makes automation and reproducibility easy.

It integrates with directories such as LDAP/AD through intermediate solutions and can coexist with IDS/IPS or NAC tools. A popular option is PacketFence (open source), which lets you validate the device's posture before granting access and control BYOD.

Windows/macOS: notes and tips

The official Windows app works without problems, but some Windows 10 builds had issues when using AllowedIPs = 0.0.0.0/0 because of route conflicts. As a temporary alternative, some users choose WireGuard-based clients such as TunSafe or restrict AllowedIPs to specific subnets.

Debian quick-start guide with example keys

Generate the server and client keys in /etc/wireguard/ and create the wg0 interface. Make sure the VPN IPs do not collide with other IPs on your local network or on your clients' networks.

cd /etc/wireguard/
wg genkey | tee claveprivadaservidor | wg pubkey > clavepublicaservidor
wg genkey | tee claveprivadacliente1 | wg pubkey > clavepublicacliente1

Server wg0.conf with subnet 192.168.2.0/24 and port 51820. Enable PostUp/PostDown if you want to automate NAT with iptables when the interface is brought up or down.

[Interface]
Address = 192.168.2.1/24
PrivateKey = <clave_privada_servidor>
ListenPort = 51820
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <clave_publica_cliente1>
# Only the client's own tunnel address: on the server side, 0.0.0.0/0 here
# would send all of the server's traffic into this peer.
AllowedIPs = 192.168.2.2/32

Client with address 192.168.2.2, pointing at the server's public endpoint, with an optional keepalive if there is an intermediate NAT.

[Interface]
PrivateKey = <clave_privada_cliente1>
Address = 192.168.2.2/32

[Peer]
PublicKey = <clave_publica_servidor>
AllowedIPs = 0.0.0.0/0
Endpoint = <ip_publica_servidor>:51820
#PersistentKeepalive = 25

Bring up the interface and check details such as the MTU, route marking (fwmark) and the policy routing rules. Review the output of wg-quick and the status shown by wg show.

MikroTik: tunnel between RouterOS 7.x routers

MikroTik has supported WireGuard since RouterOS 7.x. Create a WireGuard interface on each router and the keys will be generated automatically. Assign IPs, using ether2 as WAN and wireguard1 as the tunnel interface.

Configure the peers by passing the server's public key to the client side and vice versa, define the Allowed Address (for example 0.0.0.0/0 if you want to allow any source/destination through the tunnel) and set the remote endpoint with its port. A ping to the remote tunnel IP will confirm the handshake.

If you connect phones or computers to the MikroTik tunnel, adjust the allowed networks so that nothing more than necessary is exposed; WireGuard decides the packet flow based on Cryptokey Routing, so source and destination must match on both ends.

Cryptography used

WireGuard employs a modern set of primitives: the Noise framework, Curve25519 for ECDH, ChaCha20 for authenticated encryption with Poly1305, BLAKE2 for hashing, SipHash24 for hash tables and HKDF for key derivation. If an algorithm is broken, the protocol can be versioned so that it migrates cleanly.

Advantages and disadvantages on mobile

Using it on modern phones lets you browse public Wi‑Fi securely, hide your traffic from your ISP, and connect to your home network to reach a NAS, home automation or games. On iOS/Android, network changes do not tear down the tunnel, which improves the experience.

On the downside, you lose some speed and add latency compared with a direct connection, and you depend on the server always being available. Even so, compared with IPsec/OpenVPN the penalty is usually smaller.

WireGuard combines simplicity, speed and real security with a gentle learning curve: install, generate keys, define AllowedIPs and you are ready to go. Add IP forwarding, well-implemented NAT, the official apps with QR codes, and integration with ecosystems such as OPNsense, MikroTik or Teltonika, and you have a modern VPN for almost any scenario, from securing public networks to connecting sites and reaching your home services without headaches.