WireGuard
WireGuard is VPN software that has been part of the mainline Linux kernel since version 5.6.
Install Ubuntu 18.04
$ sudo apt update
$ sudo apt upgrade
$ sudo apt install openssh-server
$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard
If add-apt-repository hangs, follow: https://zach-adams.com/2015/01/apt-get-cant-connect-to-security-ubuntu-fix/
Open /etc/gai.conf
Uncomment the following line
#
# For sites which prefer IPv4 connections change the last line to
#
precedence ::ffff:0:0/96 100
Enable IP forwarding on the server and reboot, so that packets arriving from the default gateway can be forwarded to the other interface in the same subnet (the file is root-owned, so write it through sudo tee rather than a plain shell redirect)
$ echo "net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1" | sudo tee /etc/sysctl.d/wg.conf
Generate a key pair for the server and another one for the client (the public key is derived from the private key)
$ umask 077
$ sudo wg genkey > private
$ sudo wg pubkey < private > public
Deploy server config
File: /etc/wireguard/wg0.conf
MASQUERADE: the source IP of packets leaving the public interface is rewritten from the peer's private address to the server's public address, and replies are translated back to the private address on the way in
10.0.0.1 can be chosen freely; the only requirement is that all peers are in the same subnet
[Interface]
Address = 10.0.0.1/24
#SaveConfig = true
# enp0s3 is the server's outbound interface; PostDown must remove exactly the rules PostUp added, so both hooks name the same interface
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT && iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE && iptables -A INPUT -i wg0 -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT && iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE && iptables -D INPUT -i wg0 -p udp --dport 51820 -j ACCEPT
ListenPort = 51820
PrivateKey = aP7Y6f0ubHbweFSs5EouXsT+klvsp2iFRZsmuBz+IHQ=
[Peer]
# the client's public key; AllowedIPs limits which source addresses this peer may send from
PublicKey = utH967EMNmx3Of9Breqp27T8+ZCOs1nawsmk+HpCLCY=
AllowedIPs = 10.0.0.2/32
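As an added example (not code from the original post), a small Python checker that parses a wg-quick config and catches two mistakes the notes above touch on: a PostDown hook that does not undo what PostUp added (here the NAT rule names a different egress interface), and a peer whose AllowedIPs falls outside the interface's subnet. The sample config is constructed from the server config above, with a made-up second peer and placeholder text for anything not on the page.

```python
import ipaddress
# Constructed sample based on the server config above (PrivateKey omitted) plus a made-up
# second peer outside 10.0.0.0/24; the enp0s3/eth0 PostUp/PostDown mismatch is kept on purpose.
SAMPLE_CONF = """[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT && iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT && iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = utH967EMNmx3Of9Breqp27T8+ZCOs1nawsmk+HpCLCY=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = PEER2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.1.5/32
"""

def parse_wg_conf(text):
    """Parse a wg-quick INI-style config into (interface_dict, [peer_dict, ...])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:  # split on the FIRST '=' only: base64 keys end in '=' padding
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def check_hooks(interface):
    """Return PostUp iptables rules that PostDown never removes (-A with no matching -D)."""
    def rules(key, flag):
        cmds = [c.strip() for c in interface.get(key, "").split("&&")]
        return {c.replace(f" {flag} ", " -X ") for c in cmds if c}  # neutralise -A/-D to compare
    return sorted(rules("PostUp", "-A") - rules("PostDown", "-D"))

def check_peer_subnets(interface, peers):
    """Return (key prefix, cidr) for peer AllowedIPs outside the Interface subnet; 0.0.0.0/0 is skipped."""
    net = ipaddress.ip_interface(interface["Address"]).network
    findings = []
    for peer in peers:
        for cidr in peer.get("AllowedIPs", "").split(","):
            allowed = ipaddress.ip_network(cidr.strip(), strict=False)
            if allowed.prefixlen and allowed.version == net.version and not allowed.subnet_of(net):
                findings.append((peer.get("PublicKey", "?")[:8], str(allowed)))
    return findings
```

Run the two checks on a real /etc/wireguard/wg0.conf before wg-quick up; an empty list from both means the hooks are symmetric and every peer address belongs to the tunnel subnet.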
Deploy client config
File: /etc/wireguard/client.conf
[Interface]
Address = 10.0.0.2/24
PrivateKey = WHLj16xU6/dq59Qks8Zn14vCjk3PMc7o4Pjm6lktfmE=
DNS = 1.1.1.1
[Peer]
# the server's public key; AllowedIPs = 0.0.0.0/0 routes all client traffic through the tunnel
PublicKey = 3GODl2zWseKTpRRiArn00TEZHw9qs0oOxD1AF4gcv3c=
AllowedIPs = 0.0.0.0/0
Endpoint = 10.247.33.177:51820
Generate a QR code of the client config
$ sudo apt install qrencode
$ qrencode -t ansiutf8 < /etc/wireguard/client.conf
Start server
$ sudo wg-quick up wg0
Start client
$ sudo wg-quick up client
WireGuard handshakes over UDP, so the client reporting a successful connection does not mean the VPN tunnel actually works.
Debug with ping, ip route and traceroute to make sure the peers can reach each other.