Complete WireGuard Guide: Installation, Keys, and Advanced Configuration

Last updated: 24/09/2025

  • Simple architecture and modern encryption: per-peer keys and AllowedIPs for routing.
  • Quick installation on Linux and official apps for desktop and mobile.
  • Better performance than IPsec/OpenVPN, with roaming and low latency.

If you want a VPN that is fast, secure and easy to deploy, WireGuard is the best option you can use today. With a minimalist design and modern cryptography, it suits home users, professionals and business environments, on computers, mobile devices and routers.

In this practical guide you will find everything from the basics to advanced configuration: installation on Linux (Ubuntu/Debian/CentOS), keys, server and client files, IP forwarding, NAT/firewall, apps on Windows/macOS/Android/iOS, split tunneling, performance, troubleshooting, and compatibility with platforms such as OPNsense, pfSense, QNAP, Mikrotik or Teltonika.

What is WireGuard and why choose it?

WireGuard is an open-source VPN protocol and software designed to create encrypted L3 tunnels over UDP. It stands out against OpenVPN or IPsec for its simplicity, performance and low latency, relying on modern algorithms such as Curve25519, ChaCha20-Poly1305, BLAKE2, SipHash24 and HKDF.

Its code base is very small (on the order of thousands of lines), which makes auditing easier, reduces the attack surface and improves maintainability. It is also integrated into the Linux kernel, allowing high transfer rates and fast response even on modest hardware.

It is cross-platform: there are official apps for Windows, macOS, Linux, Android and iOS, and support for router/firewall-oriented systems such as OPNsense. It is also available for environments such as FreeBSD and OpenBSD, and for NAS and virtualization platforms.

How it works internally

WireGuard establishes an encrypted tunnel between peers that are identified by their keys. Each device generates a key pair (private/public) and shares only its public key with the other end; from then on, all traffic is encrypted and authenticated.

The AllowedIPs directive defines both the outbound routing (which traffic should go through the tunnel) and the list of valid source addresses accepted from the remote peer once a packet has been successfully decrypted. This approach is known as Cryptokey Routing and it greatly simplifies traffic policy.
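The two roles of AllowedIPs described above, as an added example that is not part of the original guide: a small Python model of one interface's table, with longest-prefix selection for outbound packets and the source check for inbound ones. The peer names and the LAN behind client2 are constructed for illustration.

```python
import ipaddress

class CryptokeyTable:
    """Toy model of one interface's AllowedIPs table (peer names are made up)."""

    def __init__(self):
        self.table = {}  # network -> peer; a prefix belongs to exactly one peer

    def add_peer(self, peer, allowed_ips):
        for cidr in allowed_ips:
            self.table[ipaddress.ip_network(cidr)] = peer  # re-adding moves it

    def lookup(self, addr):
        """Longest-prefix match of addr against every peer's AllowedIPs."""
        ip = ipaddress.ip_address(addr)
        hits = [net for net in self.table if net.version == ip.version and ip in net]
        return self.table[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def route_outbound(self, dst):
        """Peer whose key encrypts a packet to dst; None means no peer matches."""
        return self.lookup(dst)

    def accept_inbound(self, peer, inner_src):
        """Called after the packet authenticated under `peer`'s session keys:
        keep it only if its inner source address routes back to that same peer."""
        return self.lookup(inner_src) == peer

def build_server_table():
    # Constructed sample: the guide's 10.0.0.0/24 VPN subnet plus a LAN behind client2.
    t = CryptokeyTable()
    t.add_peer("client1", ["10.0.0.2/32"])
    t.add_peer("client2", ["10.0.0.3/32", "192.168.1.0/24"])
    return t

if __name__ == "__main__":
    t = build_server_table()
    print(t.route_outbound("192.168.1.50"))         # routed to client2
    print(t.route_outbound("8.8.8.8"))              # no peer owns this prefix
    print(t.accept_inbound("client1", "10.0.0.2"))  # own tunnel address: accepted
    print(t.accept_inbound("client1", "10.0.0.3"))  # another peer's address: dropped
```

A peer that holds valid keys still cannot send packets with a source address outside its own AllowedIPs, which is why narrow per-peer prefixes on the server matter.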

WireGuard excels at roaming: if your client's IP changes (for example, you jump from Wi-Fi to 4G/5G), the session is re-established transparently and very quickly. It also supports a kill switch to block traffic outside the tunnel if the VPN goes down.

Installing on Linux: Ubuntu/Debian/CentOS

On Ubuntu, WireGuard is available in the official repositories. Update the packages and then install the software to get the module and the wg and wg-quick tools.

apt update && apt upgrade -y
apt install wireguard -y
modprobe wireguard

On Debian stable you can rely on the unstable branch repos if you need to, following the recommended method and taking care in production:

sudo sh -c 'echo deb https://deb.debian.org/debian/ unstable main > /etc/apt/sources.list.d/unstable.list'
sudo sh -c 'printf "Package: *\nPin: release a=unstable\nPin-Priority: 90\n" > /etc/apt/preferences.d/limit-unstable'
sudo apt update
sudo apt install wireguard

On CentOS 8.3 the flow is similar: you enable the EPEL/ElRepo repos if necessary and then install the WireGuard package and the corresponding modules.

Key generation

Each peer must have its own private/public key pair. Use umask to restrict permissions and generate the keys for the server and the clients.

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Repeat on each device. Never share the private key, and store both keys securely. If you prefer, create the files with different names, for example Privatekeyserver and publicserverkey.

Server configuration

Create the main file at /etc/wireguard/wg0.conf. Assign the VPN subnet (one that is not used on your real LAN) and the UDP port, then add a [Peer] block for each authorized client.

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <clave_privada_servidor>

# Client 1
[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 10.0.0.2/32

You can use another subnet, for example 192.168.2.0/24, and scale to many peers. For quick deployments, it is common to use wg-quick with wgN.conf files.

Client configuration

On the client create a file, for example wg0-client.conf, with its private key, tunnel address, optional DNS, and the server peer with its public endpoint and port.

[Interface]
PrivateKey = <clave_privada_cliente>
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <clave_publica_servidor>
Endpoint = <ip_publica_servidor>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

If you set AllowedIPs = 0.0.0.0/0, all traffic will go through the VPN; if you only want to reach specific networks behind the server, limit it to the necessary subnets and you will reduce latency and usage.
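A check for the AllowedIPs choices in the server and client files above, as an added example (not code from the original guide). It parses wg-quick syntax and reports over-broad or overlapping prefixes on a server, and a client full tunnel that covers only IPv4, since 0.0.0.0/0 does not include IPv6 (::/0). The sample configs are constructed, and treating an [Interface] with ListenPort as a server is an assumption of this sketch.

```python
import ipaddress

def parse_wg_conf(text):
    """Return [(section, {key: value})]; [Peer] may repeat, so configparser does not fit."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)           # base64 keys may end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """List AllowedIPs findings. Assumption: an [Interface] with ListenPort is a server."""
    sections = parse_wg_conf(text)
    is_server = any(s == "interface" and "listenport" in kv for s, kv in sections)
    findings, seen = [], []
    peers = [kv for s, kv in sections if s == "peer"]
    for no, kv in enumerate(peers, start=1):
        nets = [ipaddress.ip_network(c.strip(), strict=False)
                for c in kv.get("allowedips", "").split(",") if c.strip()]
        for net in nets:
            if is_server and net.prefixlen == 0:
                findings.append(f"peer {no}: {net} on a server lets this peer source any address")
            for other, other_no in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {no}: {net} overlaps peer {other_no} ({other})")
        seen += [(net, no) for net in nets]
        defaults = {n.version for n in nets if n.prefixlen == 0}
        if not is_server and defaults == {4}:
            findings.append(f"peer {no}: 0.0.0.0/0 without ::/0 leaves IPv6 outside the tunnel")
    return findings

# Constructed samples; keys are omitted, addresses follow the guide's 10.0.0.0/24 subnet.
SERVER_CONF = """
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
AllowedIPs = 10.0.0.2/32
[Peer]
AllowedIPs = 10.0.0.0/24   # too wide: covers peer 1's address
"""
CLIENT_CONF = "[Interface]\nAddress = 10.0.0.2/24\n[Peer]\nAllowedIPs = 0.0.0.0/0\n"
if __name__ == "__main__":
    print(audit(SERVER_CONF))
    print(audit(CLIENT_CONF))
```

Overlapping prefixes are legal in WireGuard (the longest prefix wins), so the overlap finding is a prompt to review intent rather than a syntax error.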

IP forwarding and NAT on the server

Enable forwarding so that clients can reach the Internet through the server. Apply the changes on the fly with sysctl.

echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
sysctl -p

Configure NAT with iptables for the VPN subnet, specifying the WAN interface (for example, eth0):

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

Make it persistent with the appropriate packages and save the rules so that they are applied at system boot.

apt install -y iptables-persistent netfilter-persistent
netfilter-persistent save

Startup and verification

Bring up the interface and enable the service to start with the system. This step creates the virtual interface and adds the necessary routes.

systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
wg

With wg you will see the peers, keys, transfer counters and latest handshake times. If your firewall policy is restrictive, allow input on the wg0 interface and on the service's UDP port:

iptables -I INPUT 1 -i wg0 -j ACCEPT

Official apps: Windows, macOS, Android and iOS

On desktop you can import a .conf file. On mobile devices, the app lets you create the interface from a QR code containing the configuration; this is very convenient for non-technical clients.

If your goal is to expose self-hosted services such as Plex/Radarr/Sonarr through your VPN, simply assign IPs in the WireGuard subnet and adjust AllowedIPs so that the client can reach that network; you do not need to open additional ports to the outside if all access goes through the tunnel.

Advantages and disadvantages

WireGuard is very fast and simple, but it is important to consider its limitations and particularities depending on the use case. Here is a balanced overview of the most relevant ones.

Advantages | Disadvantages
Clear and concise configuration, ideal for automation | Does not include traffic obfuscation
High performance and low latency, even on mobile devices | In some legacy environments there are fewer advanced options
Modern cryptography and a small code base that makes auditing easier | Privacy: the IP/public key association can be sensitive depending on policy
Seamless roaming and kill switch available in clients | Third-party compatibility is not always uniform

Split tunneling: routing only what is necessary

Split tunneling lets you send only the traffic you need through the VPN. With AllowedIPs you decide whether to do full redirection or selective redirection to one or more subnets.

# Full Internet redirection
[Peer]
AllowedIPs = 0.0.0.0/0
# Only access resources on the 192.168.1.0/24 LAN through the VPN
[Peer]
AllowedIPs = 192.168.1.0/24

There are variants such as reverse split tunneling, filtered by URL or by application (through extensions or specific clients), although the native basis in WireGuard is control by IP and prefixes.

Compatibility and ecosystem

WireGuard was born for the Linux kernel, but today it is cross-platform. OPNsense integrates it natively; pfSense temporarily withdrew it for audits, and it was later offered as an optional package depending on the version.

On a NAS such as QNAP you can set it up via QVPN or virtual machines, taking advantage of 10GbE NICs for high speeds. MikroTik router boards have included WireGuard support since RouterOS 7.x; in its early iterations it was in beta and not recommended for production, but it allows P2P tunnels between devices and even end clients.

Manufacturers such as Teltonika have a package to add WireGuard to their routers; if you need equipment, you can buy it at shop.davantel.com and follow the manufacturer's guides for installing additional packages.

Performance and latency

Thanks to its minimalist design and its choice of efficient algorithms, WireGuard achieves very high speeds and low latencies, generally outperforming L2TP/IPsec and OpenVPN. In local tests with powerful hardware, the real throughput is often double that of the alternatives, making it ideal for streaming, gaming or VoIP.

Use in business and teleworking

In business, WireGuard is suitable for creating tunnels between offices, remote access for employees, and secure connections between the data center and the cloud (for example, for backups). Its concise syntax makes versioning and automation easy.

It integrates with directories such as LDAP/AD through intermediate solutions and can coexist with IDS/IPS or NAC platforms. A popular option is PacketFence (open source), which lets you verify the state of devices before granting access and control BYOD.

Windows/macOS: notes and tips

The official Windows app usually works without problems, but on some versions of Windows 10 there have been issues when using AllowedIPs = 0.0.0.0/0 due to route conflicts. As a temporary alternative, some users opt for WireGuard-based clients such as TunSafe or limit AllowedIPs to specific subnets.

Debian quick start guide with example keys

Generate keys for the server and the client in /etc/wireguard/ and create the wg0 interface. Make sure the VPN IPs do not overlap with other IPs on your local network or on your clients' networks.

cd /etc/wireguard/
# Restrict permissions so the private key files are readable only by their owner
umask 077
wg genkey | tee claveprivadaservidor | wg pubkey > clavepublicaservidor
wg genkey | tee claveprivadacliente1 | wg pubkey > clavepublicacliente1

Server wg0.conf with subnet 192.168.2.0/24 and port 51820. Enable PostUp/PostDown if you want to automate NAT with iptables when bringing the interface up or down.

[Interface]
Address = 192.168.2.1/24
PrivateKey = <clave_privada_servidor>
ListenPort = 51820
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

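[Peer]
PublicKey = <clave_publica_cliente1>
# Only this client's tunnel address; 0.0.0.0/0 here would route all of the server's own traffic to the client
AllowedIPs = 192.168.2.2/32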

Client with address 192.168.2.2, pointing to the server's public endpoint, with an optional keepalive if there is an intermediate NAT.

[Interface]
PrivateKey = <clave_privada_cliente1>
Address = 192.168.2.2/32

[Peer]
PublicKey = <clave_publica_servidor>
AllowedIPs = 0.0.0.0/0
Endpoint = <ip_publica_servidor>:51820
#PersistentKeepalive = 25

Bring up the interface and watch how the MTU, route marks, fwmark and policy routing rules are set. Review the wg-quick output and check the status with wg show.

Mikrotik: tunnel between RouterOS 7.x devices

MikroTik has supported WireGuard since RouterOS 7.x. Create a WireGuard interface on each router, apply it, and the keys will be generated automatically. Assign IPs to Ether2 as the WAN and to wireguard1 as the tunnel interface.

Configure the peers by crossing the public keys (the server's on the client side and vice versa), define the Allowed Address/AllowedIPs (for example 0.0.0.0/0 if you want to allow any source/destination through the tunnel) and set the remote endpoint with its port. A ping to the remote tunnel IP will confirm the handshake.

If you connect mobile phones or computers to the Mikrotik tunnel, adjust the allowed networks so that they do not open more than necessary; WireGuard decides the packet flow based on its Cryptokey Routing, so it is important to match sources and destinations.

Cryptography used

WireGuard uses a modern set of primitives: Noise as the framework, Curve25519 for ECDH, ChaCha20 for authenticated symmetric encryption with Poly1305, BLAKE2 for hashing, SipHash24 for hash tables and HKDF for key derivation. If an algorithm is deprecated, the protocol can be versioned to migrate without disruption.

Advantages and disadvantages on mobile

Using it on smartphones lets you browse safely on public Wi-Fi, hide traffic from your ISP, and connect to your home network to access a NAS, home automation, or games. On iOS/Android, switching networks does not drop the tunnel, which improves the experience.

On the downside, you incur some loss of speed and higher latency compared with a direct connection, and you depend on the server always being available. Even so, compared with IPsec/OpenVPN the penalty is usually lower.

WireGuard combines simplicity, speed and real security with a gentle learning curve: install it, generate keys, define AllowedIPs, and you are ready to go. Add IP forwarding, properly applied NAT, official apps with QR codes, and compatibility with ecosystems such as OPNsense, Mikrotik or Teltonika, and you have a modern VPN for almost any scenario, from securing public networks to connecting headquarters and accessing your home services without headaches.