- WireGuard offers high performance and low latency, with modern cryptography and a simple setup.
- It supports roaming, kill-switch and split-tunneling, which makes it well suited to mobility and secure network access.
- Homogeneous, multi-platform configuration with clear key management and NAT/firewall rules.
- In enterprise environments, it integrates with NAC, IDS/IPS and directories for controlled access.

Are you looking for a fast, secure VPN that won't frustrate you with endless setup? WireGuard is one of the best options. This modern protocol puts simplicity and modern cryptography first, which makes it easy for anyone to set up a secure tunnel.
Besides protecting you on public networks and letting you reach your home or business network, a VPN helps you get past geo-blocks and censorship. With WireGuard, that extra privacy and performance comes with a surprisingly simple setup process, on both computers and mobile devices.
WireGuard in brief
WireGuard is open-source VPN software that operates at layer 3 (L3), uses UDP only, and applies modern cryptography by default. Its main advantage is a minimal design with very few lines of code, which makes auditing easier, reduces the attack surface, and improves performance.
Unlike what other VPNs offer, here you do not choose among a multitude of algorithms or phases; WireGuard defines a coherent cryptographic "package". If an algorithm is deprecated, a new version is released and the clients/server negotiate the upgrade transparently.
The protocol always operates in tunnel mode and supports IPv4 and IPv6 (encapsulating one inside the other when needed). To use it, you will need to open a UDP port (configurable) on your router toward your server.
Compatibility and support
In the firewall world, OPNsense integrates WireGuard in the kernel to maximize speed. pfSense has had its ups and downs: it appeared in version 2.5.0, was removed in 2.5.1 because of security findings, and today it can be installed as a package managed from the web interface.
Cryptography used
WireGuard relies on a set of modern, heavily audited algorithms: the Noise Protocol Framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash and HKDF. Data encryption uses ChaCha20-Poly1305 (AEAD), with an ECDH exchange on Curve25519 and key derivation with HKDF.
This approach avoids mixing disparate suites and reduces configuration errors. It also makes troubleshooting easier, since all nodes speak the same cryptographic language.
Performance and latency
The minimal implementation and low-level integration allow very high speeds and very low latency. In real-world comparisons against L2TP/IPsec and OpenVPN, WireGuard usually comes out on top, often doubling throughput on the same hardware.
On unstable or mobile networks, session re-establishment is fast and reconnection after network changes (roaming) is barely noticeable. On resource-constrained devices (routers, IoT devices), its low consumption makes a difference, saving CPU and battery power.

Quick installation on Linux
On current distributions, WireGuard is already available in the stable repositories. On Debian/Ubuntu, simply update and install the official package. On others, you may need to add repositories or load the kernel module.
sudo apt update && sudo apt upgrade -y
sudo apt install wireguard -y
sudo modprobe wireguard
If you use a branch that does not have it in "stable", you can turn to the "unstable/testing" repositories under priority control, although ideally you should pull it from your distro's stable repo once it is available there.
Key generation
Each device (server and client) needs its own key pair. Keep the private key under lock and key, and share only the public key with peers.
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
You can repeat the process for each client and keep track of the keys by name, to avoid confusion between peers as your deployment grows.
Server configuration
The usual file is /etc/wireguard/wg0.conf. In the [Interface] section, you define the VPN IP address, the private key, and the UDP port. In each [Peer] section, you add a client, authorizing its public key and its allowed IP addresses.
[Interface]
Address = 192.168.2.1/24
ListenPort = 51820
PrivateKey = <clave_privada_servidor>
# Example of automated NAT with PostUp/PostDown, if you need it
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <clave_publica_cliente1>
AllowedIPs = 192.168.2.2/32
# Add more peers as needed
#[Peer]
#PublicKey = <clave_publica_cliente2>
#AllowedIPs = 192.168.2.3/32
If you prefer to allow any client IP and manage routes separately, you can use AllowedIPs = 0.0.0.0/0 in the peer sections, but in controlled environments it is better to assign a /32 to each client for traceability.
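One way to check a server file against the /32-per-client advice above (an added example, not part of the original article). It assumes the wg0.conf layout shown on this page; the sample config, its placeholder keys, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample server config; keys are placeholders, addresses follow the page.
SAMPLE_CONF = """\
[Interface]
Address = 192.168.2.1/24
ListenPort = 51820
PrivateKey = <server_private_key>
[Peer]
PublicKey = <client1_public_key>
AllowedIPs = 192.168.2.2/32
[Peer]
PublicKey = <client2_public_key>
AllowedIPs = 0.0.0.0/0
[Peer]
PublicKey = <client3_public_key>
AllowedIPs = 192.168.2.2/32, 192.168.2.4/32
"""

def parse_conf(text):
    """Return (interface, peers); configparser is avoided because [Peer] repeats."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            # split on the first "=" only: base64 keys end in "="
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return interface, peers

def audit_peers(peers):
    """Flag peers allowed to source any address, or reusing another peer's range."""
    findings, seen = [], []
    for peer in peers:
        name = peer.get("PublicKey", "<missing>")
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        for net in nets:
            if net.prefixlen == 0:
                findings.append((name, "default-route", str(net)))
                continue
            for other, other_net in seen:
                if net.version == other_net.version and net.overlaps(other_net):
                    findings.append((name, "overlaps " + other, str(net)))
        seen.extend((name, n) for n in nets if n.prefixlen)
    return findings
```

On the server, AllowedIPs also acts as the list of source addresses accepted from that peer, so a "default-route" finding means the client's tunnel address is no longer tied to its key.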
Client configuration
The [Interface] section holds the private key and the client's IP in the VPN; the [Peer] section holds the server's public key, its endpoint, and the routing policy.
[Interface]
PrivateKey = <clave_privada_cliente>
Address = 192.168.2.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = <clave_publica_servidor>
Endpoint = <IP_publica_servidor>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
PersistentKeepalive (25) helps when the client is behind NAT or firewalls that drop idle mappings. AllowedIPs defines whether you route all traffic through the VPN (0.0.0.0/0) or only specific subnets.
NAT, forwarding and firewall
To let clients reach the Internet through the server, you must enable IP forwarding and apply NAT on the WAN interface.
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
sudo iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
If your firewall policy is restrictive, allow traffic on the wg0 interface and open the chosen UDP port on the firewall/NAT router.
sudo iptables -I INPUT 1 -i wg0 -j ACCEPT
To bring up the interface and enable the service at boot, wg-quick and systemd put it on autopilot.
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
Roaming, kill-switch and mobility
WireGuard is designed for everyday mobile use: if you switch from Wi-Fi to 4G/5G, the tunnel is re-established in the blink of an eye. You will not notice any serious interruption when changing networks.
In addition, you can enable a kill-switch (depending on the platform or app) so that, if the VPN goes down, the system blocks traffic until it is restored, preventing accidental leaks.
Split-tunneling
Split tunneling lets you decide which traffic goes through the VPN and which goes out directly. It is useful for keeping latency low in games or video calls while reaching internal resources through the tunnel.
Two typical client configuration examples, using the AllowedIPs directive:
# Full redirection through the VPN
[Peer]
PublicKey = <clave_publica_servidor>
AllowedIPs = 0.0.0.0/0
Endpoint = <IP_publica_servidor>:51820
# Only the remote LAN (for example, 192.168.1.0/24) through the VPN
[Peer]
PublicKey = <clave_publica_servidor>
AllowedIPs = 192.168.1.0/24
Endpoint = <IP_publica_servidor>:51820
This reduces the impact on speed/latency and tailors the experience to what you actually need to protect.
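To see what each AllowedIPs choice leaves outside the tunnel, the following added example (not from the original article) applies the most-specific-prefix rule to a destination and reports DNS resolvers or required hosts that would bypass the VPN. The host 192.168.1.50 and the IPv6 resolver address are hypothetical inputs; the prefixes and DNS = 1.1.1.1 come from the page's client examples.

```python
import ipaddress

def tunnel_prefix(dest, allowed_ips):
    """Return the most specific AllowedIPs prefix covering dest, or None when
    the packet would leave outside the tunnel."""
    addr = ipaddress.ip_address(dest)
    matches = [net for net in map(ipaddress.ip_network, allowed_ips)
               if net.version == addr.version and addr in net]
    return max(matches, key=lambda net: net.prefixlen, default=None)

def leaks(allowed_ips, dns_servers, must_protect):
    """List destinations (DNS resolvers and required hosts) that bypass the VPN."""
    report = []
    for kind, dests in (("dns", dns_servers), ("resource", must_protect)):
        for dest in dests:
            if tunnel_prefix(dest, allowed_ips) is None:
                report.append((kind, dest))
    return report

# Constructed scenarios built from the page's two client examples.
FULL_TUNNEL = ["0.0.0.0/0"]        # "full redirection" example
SPLIT_TUNNEL = ["192.168.1.0/24"]  # "only the remote LAN" example
DNS = ["1.1.1.1"]                  # resolver from the page's client config
INTERNAL = ["192.168.1.50"]        # hypothetical host on the remote LAN

if __name__ == "__main__":
    print("full tunnel :", leaks(FULL_TUNNEL, DNS, INTERNAL))
    print("split tunnel:", leaks(SPLIT_TUNNEL, DNS, INTERNAL))
    # 0.0.0.0/0 is IPv4 only: an IPv6 destination is not covered without ::/0.
    print("ipv6 via full tunnel:", tunnel_prefix("2001:db8::53", FULL_TUNNEL))
```

With the split-tunnel prefix, queries to the configured resolver leave over the local network, so internal names looked up there are visible outside the VPN unless the resolver's address is also listed in AllowedIPs.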
Advantages and disadvantages of WireGuard
- PROS: speed, low latency, simplicity, modern cryptography, reduced resource usage, and a small codebase that makes auditing easier.
- CONS: support in some legacy ecosystems is less mature than IPsec/OpenVPN, fewer advanced features (scripting and native obfuscation), and privacy considerations because public keys are associated with internal tunnel IPs.
Support for firewalls, NAS and QNAP
On firewall-type appliances, OPNsense integrates WireGuard with kernel acceleration. On pfSense, while waiting for stable integration, you can install the package and manage it easily from the GUI.
On QNAP NAS, with QVPN 2, you can set up L2TP/IPsec, OpenVPN, and WireGuard servers... and virtualize Debian if you want to tune OpenVPN with AES-GCM or measure with iperf3. In tests with powerful hardware (such as a QNAP with a Ryzen 7 and 10GbE) and a 10GbE client, WireGuard doubles the performance compared with L2TP/IPsec or OpenVPN in the same local environment.
WireGuard on mobile: strengths and weaknesses
On iOS and Android, the official app makes it easy to move between networks. A major advantage: browsing safely on public Wi-Fi in hotels or airports and hiding your traffic from your ISP. In addition, if you set up your own server, you can reach your home or business as if you were physically there.
The logical trade-off is that some latency is added and speed drops slightly, especially if you redirect all traffic. Even so, WireGuard is among the easiest protocols to use. See also the recommendations for Android if your use case is mobile.
Installation and use on other platforms
On macOS, Windows, Android and iOS there are official apps; all you need to do is import the .conf file or scan a QR code generated by your configuration manager. The process is almost the same as on Linux.
If you are going to set it up on a VPS, remember good practices: update the system, enable the firewall, restrict the WireGuard UDP port to allowed IPs where possible, and rotate keys when your policy requires it.
Verification and diagnostics
To confirm that everything is working as planned, rely on wg and wg-quick. You will see handshakes, bytes transferred, and the time since the last exchange.
wg
wg show
If there is no connectivity, check: the system routes, NAT, that the UDP port is open on the router, and that the endpoint and keys of each peer are correct. A ping to the server's IP address inside the VPN is usually a useful first test.
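The handshake and byte counters mentioned above can be triaged automatically from the tab-separated output of `wg show wg0 dump`. This is an added example, not part of the original article; the sample dump, its placeholder keys and the 180-second `stale_after` threshold are assumptions to adjust to your own traffic.

```python
# Constructed `wg show wg0 dump` output (tab-separated); keys are placeholders.
SAMPLE_DUMP = "\n".join("\t".join(row) for row in [
    ["<server_private>", "<server_public>", "51820", "off"],
    ["<client1_public>", "(none)", "203.0.113.10:40000", "192.168.2.2/32",
     "1700000000", "5120", "9216", "off"],
    ["<client2_public>", "(none)", "203.0.113.20:51000", "192.168.2.3/32",
     "1699990000", "300", "800", "25"],
    ["<client3_public>", "(none)", "(none)", "192.168.2.4/32",
     "0", "0", "0", "off"],
])

# Per-peer column order of the dump format.
PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "rx", "tx", "keepalive")

def triage(dump, now, stale_after=180):
    """Classify each peer as ok / stale / never from its latest handshake.
    stale_after (seconds) is an assumed threshold, not a WireGuard setting."""
    results = []
    for line in dump.splitlines()[1:]:          # first line is the interface
        fields = line.split("\t")
        if len(fields) != len(PEER_FIELDS):
            continue                            # skip malformed rows
        peer = dict(zip(PEER_FIELDS, fields))
        handshake = int(peer["latest_handshake"])   # Unix time, 0 = never
        if handshake == 0:
            state = "never"
        elif now - handshake > stale_after:
            state = "stale"
        else:
            state = "ok"
        results.append((peer["public_key"], state, peer["endpoint"],
                        int(peer["rx"]), int(peer["tx"])))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_DUMP, now=1700000060):
        print(row)
```

A "never" peer is the one to run through the checklist above (endpoint, UDP port, keys); a "stale" peer may simply be idle, since handshakes only happen when there is traffic to send.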
With its simple approach, modern cryptography, and noticeable performance, WireGuard has earned its place as a preferred VPN for home users and businesses. Installation is straightforward, management is easy, and its range of uses (remote access, site-to-site, secure mobility, or split tunneling) fits almost any scenario. Add good security practices, a well-configured firewall, and basic monitoring, and you will have a fast, stable tunnel that is very hard to break.
Editor specializing in technology and Internet topics, with more than ten years of experience across different digital media. I have worked as an editor and content creator for e-commerce, communications, online marketing and advertising companies. I have also written for websites on economics, finance and other sectors. My work is also my passion. Now, through my articles at Tecnobits, I try to explore all the news and new opportunities that the world of technology offers us every day to improve our lives.
