- Simple design and modern cryptography: per-peer keys and AllowedIPs drive the whole configuration.
- Quick installation on Linux and official apps for desktop and mobile.
- Higher throughput than IPsec/OpenVPN, with roaming support and low latency.

If you are looking for a VPN that is fast, secure and easy to deploy, WireGuard is the best option you can use today. With a minimal design and modern cryptography, it suits home users, professionals and corporate environments alike, on computers, mobile devices and routers.
In this practical guide you will find everything from the basics to advanced configuration: installation on Linux (Ubuntu/Debian/CentOS), key generation, server and client files, IP forwarding, NAT/firewall, the apps for Windows/macOS/Android/iOS, split tunneling, performance, troubleshooting, and integration with devices such as OPNsense, pfSense, QNAP, MikroTik or Teltonika.
What is WireGuard and why choose it?
WireGuard is an open-source VPN protocol and software designed to build an encrypted L3 tunnel over UDP. Compared with OpenVPN or IPsec it stands out for its simplicity, performance and low latency, relying on modern algorithms such as Curve25519, ChaCha20-Poly1305, BLAKE2, SipHash24 and HKDF.
Its code base is very small (around a thousand lines), which simplifies auditing, reduces the attack surface and eases maintenance. It is also integrated into the Linux kernel, which allows high throughput and fast response even on modest hardware.
It is multiplatform: there are official apps for Windows, macOS, Linux, Android and iOS, plus support in router/firewall-oriented systems such as OPNsense. It is also available on FreeBSD, OpenBSD, NAS units and embedded devices.
How it works internally
WireGuard creates an encrypted tunnel between peers identified by their keys. Each device generates a key pair (private/public) and shares only its public key with the other end; from then on all traffic is encrypted and authenticated.
The AllowedIPs directive defines both the outbound routing (which traffic must enter the tunnel) and the list of valid source addresses the remote peer is allowed to use, checked after a packet has been decrypted successfully. This mechanism is known as Cryptokey Routing and greatly simplifies traffic policy.
WireGuard handles roaming very well: if the client's IP changes (for example, you jump from Wi-Fi to 4G/5G), the session is re-established transparently and quickly. It also supports a kill switch that blocks traffic outside the tunnel if the VPN goes down.
Installation on Linux: Ubuntu/Debian/CentOS
On Ubuntu, WireGuard is available in the official repositories. Update the packages and then install the software to get the kernel module and the wg and wg-quick tools.
```bash
apt update && apt upgrade -y
apt install wireguard -y
modprobe wireguard
```
On Debian stable you can draw on the unstable branch repositories if needed, following the recommended pinning method and with care on production systems:
```bash
sudo sh -c 'echo deb https://deb.debian.org/debian/ unstable main > /etc/apt/sources.list.d/unstable.list'
sudo sh -c 'printf "Package: *\nPin: release a=unstable\nPin-Priority: 90\n" > /etc/apt/preferences.d/limit-unstable'
sudo apt update
sudo apt install wireguard
```
On CentOS 8.3 the flow is similar: enable the EPEL/ElRepo repositories if needed and then install the WireGuard package and the matching modules.
Key generation
Each peer must have its own private/public key pair. Apply a umask to restrict file permissions and generate the keys on the server and on every client.
```bash
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
```
Repeat on each device. Never share the private key; keep both files safe. If you prefer, create files with distinct names, for example privatekeyserver and publicserverkey.
Server configuration
Create the main file at /etc/wireguard/wg0.conf. Assign a VPN subnet (one not used on your real LAN), the UDP port, and add a [Peer] block for each authorized client.
```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <clave_privada_servidor>
# Client 1
[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 10.0.0.2/32
```
You can also use a different subnet, for example 192.168.2.0/24, and grow it with more peers. For quick deployments it is common to use wg-quick with wgN.conf files.
Client configuration
On the client create a file, for example wg0-client.conf, with its private key, the tunnel address, an optional DNS server, and the server as peer with its public key and endpoint.
```ini
[Interface]
PrivateKey = <clave_privada_cliente>
Address = 10.0.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = <clave_publica_servidor>
Endpoint = <ip_publica_servidor>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
If you set AllowedIPs = 0.0.0.0/0 all traffic will go through the VPN; if you only need to reach specific networks behind the server, restrict it to the necessary subnets and you will reduce latency and bandwidth use.
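A short validator catches the mistakes that wg-quick accepts silently: a placeholder left in a key field, the same AllowedIPs prefix given to two peers (wg keeps only the last one), or 0.0.0.0/0 on the server side, which sends the server's own traffic into that client. This is an added example for this guide, not part of the original text or the WireGuard tools; it inspects only the text of a configuration file, and the sample configs, `demo_key` values and the 203.0.113.10 endpoint are constructed for the demo.

```python
"""Validate a wg-quick configuration before `wg-quick up`.  Added example for
this guide, not part of the original text or the WireGuard tools; it inspects
only the text of a wg0.conf.  The sample configs and demo_key values are
constructed for the demo and are not real keys or hosts."""
import base64
import ipaddress


def demo_key(seed: int) -> str:
    """Well-formed but worthless 32-byte key for the samples (never use for real)."""
    return base64.b64encode(bytes([seed]) * 32).decode()


def is_valid_key(value: str) -> bool:
    """WireGuard keys are 32 bytes in base64; placeholders like <key> fail here."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def parse_wg_conf(text: str) -> dict:
    """INI-style parse into {"Interface": {...}, "Peers": [{...}, ...]}."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # wg-quick treats # as a comment
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return {"Interface": interface, "Peers": peers}


def validate_wg_conf(text: str, role: str) -> list:
    """role: 'server' (listens, many peers) or 'client' (dials one Endpoint).
    Returns (severity, message) tuples with severity error or info."""
    conf = parse_wg_conf(text)
    iface, peers, out = conf["Interface"], conf["Peers"], []
    if not is_valid_key(iface.get("PrivateKey", "")):
        out.append(("error", "Interface.PrivateKey missing or not a 32-byte base64 key"))
    if "Address" not in iface:
        out.append(("error", "Interface.Address missing"))
    tunnel = [ipaddress.ip_interface(a.strip()).network
              for a in iface.get("Address", "").split(",") if a.strip()]
    if not peers:
        out.append(("error", "no [Peer] block, the tunnel can carry nothing"))
    owner = {}                                   # network -> peer that claimed it
    for n, peer in enumerate(peers, 1):
        tag = f"peer {n}"
        if not is_valid_key(peer.get("PublicKey", "")):
            out.append(("error", f"{tag}: PublicKey missing or malformed"))
        if "AllowedIPs" not in peer:
            out.append(("error", f"{tag}: AllowedIPs missing, nothing is routed or accepted"))
            continue
        for cidr in peer["AllowedIPs"].split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net in owner:
                out.append(("error", f"{tag}: {net} already given to {owner[net]}; wg keeps only the last"))
            owner[net] = tag
            if role == "server" and net.prefixlen == 0:
                out.append(("error", f"{tag}: {net} on a server sends the server's own traffic into this peer"))
            elif role == "server" and not any(net.subnet_of(t) for t in tunnel if t.version == net.version):
                out.append(("info", f"{tag}: {net} is outside the tunnel subnet (a network behind the peer?)"))
    return out


def errors(findings: list) -> list:
    return [msg for sev, msg in findings if sev == "error"]


# Constructed samples: a server with a copy-paste mistake and a correct client.
SERVER_WITH_MISTAKE = f"""[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = {demo_key(1)}
[Peer]
PublicKey = {demo_key(2)}
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = {demo_key(3)}
AllowedIPs = 10.0.0.2/32, 0.0.0.0/0   # duplicate /32 and a default route on the server
"""
CLIENT_OK = f"""[Interface]
PrivateKey = {demo_key(4)}
Address = 10.0.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = {demo_key(5)}
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""
```

Run `validate_wg_conf(open("/etc/wireguard/wg0.conf").read(), "server")` on the host and refuse to bring the interface up while `errors()` is non-empty; the "info" findings only point out routed networks behind a peer, which are legitimate on site-to-site setups.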
IP forwarding and NAT on the server
Enable forwarding so that clients can reach the Internet through the server. Apply the changes on the fly with sysctl.
```bash
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
sysctl -p
```
Configure NAT with iptables for the VPN subnet, naming the WAN interface (for example, eth0):
```bash
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
```
Make it persistent with the appropriate packages and save the rules so they are applied again after a reboot.
```bash
apt install -y iptables-persistent netfilter-persistent
netfilter-persistent save
```
Startup and verification
Bring the interface up and enable the service so it starts at boot. This step creates the virtual interface and adds the necessary routes.
```bash
systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
wg
```
With wg you will see the peers, keys, transfer counters and the time of the latest handshake. If your firewall policy is restrictive, allow inbound traffic on the wg0 interface and on the service's UDP port:
```bash
iptables -I INPUT 1 -i wg0 -j ACCEPT
```
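The handshake timestamps that wg prints are the most useful health signal a server has, but they need interpretation: a peer without PersistentKeepalive only handshakes when it has traffic, so an old timestamp there just means the peer is idle, while an old timestamp on a peer that does send keepalives means it is really unreachable. The following added example (not part of the original guide or of the wg tool) parses the machine-readable form, `wg show wg0 dump`, and classifies each peer; the dump text, key strings and addresses are constructed for the demo, and `STALE_AFTER` is an assumed threshold.

```python
"""Read `wg show wg0 dump` and classify peers by handshake age.  Added example
for this guide, not part of the WireGuard tools.  The dump below is constructed
(fake keys, documentation addresses); on a real host feed the function with
subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True, text=True).stdout."""
from dataclasses import dataclass

STALE_AFTER = 180   # assumed threshold: WireGuard rekeys about every 2 min while traffic flows


@dataclass
class Peer:
    public_key: str
    endpoint: str            # "(none)" until the peer has been seen
    allowed_ips: list
    latest_handshake: int    # unix seconds, 0 = never
    rx_bytes: int
    tx_bytes: int
    keepalive: str           # seconds as text, or "off"


def parse_wg_dump(text: str):
    """Tab-separated dump of one interface: the first line is the interface
    (private key, public key, listen port, fwmark), then one line per peer.
    Note the private key is in clear text, so never ship this output to logs."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    _priv, pub, port, fwmark = lines[0].split("\t")
    iface = {"public_key": pub, "listen_port": int(port), "fwmark": fwmark}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append(Peer(f[0], f[2], f[3].split(","), int(f[4]), int(f[5]), int(f[6]), f[7]))
    return iface, peers


def classify(peer: Peer, now: int, threshold: int = STALE_AFTER) -> str:
    """ok / idle / stale / never, see the lead-in for why keepalive matters."""
    if peer.latest_handshake == 0:
        return "never"
    if now - peer.latest_handshake <= threshold:
        return "ok"
    return "stale" if peer.keepalive != "off" else "idle"


def peer_report(text: str, now: int) -> dict:
    """Map public key -> state for every peer in the dump."""
    _iface, peers = parse_wg_dump(text)
    return {p.public_key: classify(p, now) for p in peers}


# Constructed sample at a fixed "now" so the result is reproducible.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVKEY_FAKE=", "SERVER_PUBKEY_FAKE=", "51820", "off"]),
    "\t".join(["LAPTOP_PUBKEY_FAKE=", "(none)", "203.0.113.7:40012", "10.0.0.2/32",
               str(NOW - 40), "1048576", "4194304", "25"]),
    "\t".join(["PHONE_PUBKEY_FAKE=", "(none)", "198.51.100.9:51002", "10.0.0.3/32",
               str(NOW - 7200), "2048", "4096", "off"]),
    "\t".join(["BRANCH_PUBKEY_FAKE=", "(none)", "192.0.2.30:51820", "10.0.0.4/32,192.168.50.0/24",
               str(NOW - 900), "0", "3000", "25"]),
    "\t".join(["NEW_USER_PUBKEY_FAKE=", "(none)", "(none)", "10.0.0.5/32", "0", "0", "0", "off"]),
])

if __name__ == "__main__":
    for key, state in peer_report(SAMPLE_DUMP, NOW).items():
        print(f"{state:6} {key}")
```

Wire `peer_report()` into a cron job or a monitoring exporter with `now = int(time.time())`, and alert on "stale" only; a "never" peer that has been configured for days is a client that was never actually set up, which is also worth a ticket.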
Official apps: Windows, macOS, Android and iOS
On desktop you can import a .conf file. On mobile devices the app lets you create the interface from a QR code that contains the configuration, which is very convenient for non-technical users.
If your goal is to expose self-hosted services such as Plex/Radarr/Sonarr through your VPN, simply assign them addresses in the WireGuard subnet and adjust AllowedIPs so the client reaches that network; you do not need to open extra ports to the outside if all access goes through the tunnel.
Advantages and disadvantages
WireGuard is very fast and simple, but it is important to weigh its limitations and particularities depending on the use case. Here is a balanced overview of the most relevant ones.
| Advantages | Disadvantages |
|---|---|
| Clear, short configuration, well suited to automation | No built-in traffic obfuscation |
| High performance and low latency, even on mobile | Few advanced options in some legacy environments |
| Modern cryptography and a small code base that simplifies auditing | Privacy: the public key/IP association may be sensitive depending on policy |
| Seamless roaming and a kill switch available in the clients | Third-party compatibility is not always uniform |
Split tunneling: route only what you need
Split tunneling lets you send only the traffic that needs the VPN. With AllowedIPs you decide whether to route everything or, selectively, one or more subnets.
```ini
# Full Internet redirection
[Peer]
AllowedIPs = 0.0.0.0/0
# Only reach the LAN 192.168.1.0/24 through the VPN
[Peer]
AllowedIPs = 192.168.1.0/24
```
There are variants such as split tunneling filtered by URL or by application (through extensions or specific clients), although WireGuard's native mechanism works on IP addresses and prefixes.
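Both the Cryptokey Routing description earlier in the guide and the two AllowedIPs fragments above become concrete once you model the table as code. The following is an added example, not WireGuard's own implementation: it reproduces the two jobs AllowedIPs performs, choosing the peer for an outgoing packet by longest prefix match and accepting a decrypted packet only when its source address maps back to the peer that sent it. It goes beyond the two fragments by also showing the server side with several peers. Peer names, addresses and the 192.168.50.0/24 branch LAN are constructed for the demo.

```python
"""Cryptokey Routing simulator.  Added example for this guide, not WireGuard's
own code: models AllowedIPs as a longest-prefix-match table used both for
outbound routing and for the inbound source check.  All names and addresses
are constructed for the demo."""
import ipaddress


class CryptokeyRouter:
    def __init__(self):
        self.table = []            # list of (network, peer), like the kernel's trie

    def add_peer(self, peer: str, allowed_ips) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            # as with wg(8): a prefix belongs to one peer, the latest assignment wins
            self.table = [(n, p) for n, p in self.table if n != net]
            self.table.append((net, peer))

    def route_out(self, dst: str):
        """Peer that receives a packet for dst, or None (it stays outside the tunnel)."""
        ip = ipaddress.ip_address(dst)
        hits = [(n, p) for n, p in self.table if n.version == ip.version and ip in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def accept_in(self, peer: str, src: str) -> bool:
        """A decrypted packet from `peer` with source src is delivered only if the
        same longest-prefix lookup maps src back to that peer, so a /32 owned by
        one peer cannot be spoofed by another peer that holds 0.0.0.0/0."""
        return self.route_out(src) == peer


def full_tunnel_client() -> CryptokeyRouter:
    """Client with AllowedIPs = 0.0.0.0/0: everything enters the tunnel."""
    r = CryptokeyRouter()
    r.add_peer("vpn-server", ["0.0.0.0/0"])
    return r


def split_tunnel_client() -> CryptokeyRouter:
    """Client with AllowedIPs = 192.168.1.0/24: only that LAN enters the tunnel."""
    r = CryptokeyRouter()
    r.add_peer("vpn-server", ["192.168.1.0/24"])
    return r


def server_with_branch() -> CryptokeyRouter:
    """Server side: a laptop and a branch router with a LAN routed behind it."""
    r = CryptokeyRouter()
    r.add_peer("laptop", ["10.0.0.2/32"])
    r.add_peer("branch", ["10.0.0.3/32", "192.168.50.0/24"])
    return r


if __name__ == "__main__":
    r = server_with_branch()
    for dst in ("10.0.0.2", "192.168.50.20", "8.8.8.8"):
        print(f"{dst:15} -> {r.route_out(dst)}")
    print("branch claiming the laptop's address accepted?", r.accept_in("branch", "10.0.0.2"))
```

The `accept_in()` check is what makes AllowedIPs a security control and not just routing: a compromised peer cannot inject packets with another peer's tunnel address, because the table maps that address to the other peer. It is also why the earlier "peer with 0.0.0.0/0 on a server" mistake is dangerous in the other direction, since that peer is then allowed to source any address the table does not assign more specifically.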
Compatibility and ecosystem
WireGuard was born in the Linux kernel, but today it is cross-platform. OPNsense integrates it natively; pfSense temporarily withdrew it after an audit and later offered it again as an optional package depending on the version.
On NAS units such as QNAP you can deploy it through QVPN or in virtual machines, taking advantage of 10GbE NICs for high throughput. MikroTik router boards added WireGuard support from RouterOS 7.x; in its early iterations it was in beta and not recommended for production, but it allows P2P tunnels between devices and even client endpoints.
Manufacturers such as Teltonika ship packages that add WireGuard to their routers; if you need hardware you can buy it from the davantel.com shop and follow the manufacturer's instructions for installing the extra packages.
Performance and latency
Thanks to its minimal design and its choice of efficient algorithms, WireGuard achieves very high throughput and low latency, generally above L2TP/IPsec and OpenVPN. In local tests with capable hardware the real rate is often twice that of the alternatives, which makes it suitable for streaming, gaming or VoIP.
Enterprise deployment and integration
In the enterprise, WireGuard suits site-to-site tunnels between offices, remote employee access, and secure links between the data center and the cloud (for example, for backups). Its concise syntax makes it easy to template and automate.
It integrates with directories such as LDAP/AD through intermediary solutions and can coexist with IDS/IPS or NAC appliances. A popular open-source option lets you verify device posture before granting access and control BYOD.
Windows/macOS: notes and tips
The official Windows app works without problems, but some Windows 10 builds had issues when using AllowedIPs = 0.0.0.0/0 because of route conflicts. As a temporary workaround, some users choose WireGuard-based clients such as TunSafe or restrict AllowedIPs to specific subnets.
Debian quick-start guide with example keys
Generate the server and client keys in /etc/wireguard/ and create the wg0 interface. Make sure the VPN addresses do not collide with other addresses on your local network or on your clients' networks.
```bash
cd /etc/wireguard/
wg genkey | tee claveprivadaservidor | wg pubkey > clavepublicaservidor
wg genkey | tee claveprivadacliente1 | wg pubkey > clavepublicacliente1
```
Server wg0.conf with the subnet 192.168.2.0/24 and port 51820. Enable PostUp/PostDown if you want to automate NAT with iptables when the interface is brought up/down.
```ini
[Interface]
Address = 192.168.2.1/24
PrivateKey = <clave_privada_servidor>
ListenPort = 51820
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <clave_publica_cliente1>
# Only the client's tunnel address: 0.0.0.0/0 here would make wg-quick route all of the server's own traffic into this peer
AllowedIPs = 192.168.2.2/32
```
Client with address 192.168.2.2, pointing at the server's public endpoint, with an optional keepalive in case there is an intermediate NAT.
```ini
[Interface]
PrivateKey = <clave_privada_cliente1>
Address = 192.168.2.2/32
[Peer]
PublicKey = <clave_publica_servidor>
AllowedIPs = 0.0.0.0/0
Endpoint = <ip_publica_servidor>:51820
#PersistentKeepalive = 25
```
Bring the interface up and pay attention to details such as the MTU, route marking with fwmark, and the policy routing rules. Review the output of wg-quick and the status shown by wg show.
MikroTik: tunnel between RouterOS 7.x devices
MikroTik has supported WireGuard since RouterOS 7.x. Create a WireGuard interface on each router and the keys will be generated automatically. Assign addresses, with ether2 as the WAN and wireguard1 as the tunnel interface.
Configure the peers by pasting the server's public key on the client side and vice versa, define the Allowed Address (for example 0.0.0.0/0 if you want to allow any source/destination through the tunnel) and set the remote endpoint and its port. Pinging the remote tunnel IP will confirm connectivity.
If you connect phones or computers to the MikroTik tunnel, tighten the allowed networks so you do not open more than necessary; WireGuard decides the packet flow based on Cryptokey Routing, so source and destination must match on both sides.
Cryptography used
WireGuard uses a modern set of primitives: the Noise framework for the handshake, Curve25519 for ECDH, ChaCha20 for authenticated encryption with Poly1305, BLAKE2 for hashing, SipHash24 for hash tables and HKDF for key derivation. If an algorithm is broken, the protocol is designed so that it can migrate cleanly.
Advantages and drawbacks on mobile
On modern phones it lets you browse public Wi-Fi safely, hide your traffic from your ISP, and connect to your home network to reach a NAS, home automation or games. On iOS/Android, switching networks does not drop the tunnel, which improves the experience.
As drawbacks, you give up some speed and add latency compared with a direct connection, and you depend on the server always being available. Even so, compared with IPsec/OpenVPN the penalty is usually smaller.
WireGuard combines simplicity, speed and real security with a gentle learning curve: install, generate keys, define AllowedIPs, and you are ready to go. Add IP forwarding, well-implemented NAT, the official apps with QR codes, and integration with ecosystems such as OPNsense, MikroTik or Teltonika, and you have a modern VPN for almost any scenario, from securing public networks to connecting sites and reaching your home services without headaches.
Editor specializing in technology and Internet topics, with more than ten years of experience in various digital media. I have worked as an editor and content creator for e-commerce, communications, online marketing and advertising companies. I have also written for websites on economics, finance and other sectors. My work is also my passion. Now, through my articles in Tecnobits, I try to explore all the news and new opportunities that the world of technology offers us every day to improve our lives.

