WireGuard

Last updated: 2023-11-24

Introduction to WireGuard

WireGuard securely encapsulates IP packets over UDP.

Core Concepts

WireGuard interface

It works by adding a network interface, called wg0, wg1, etc., much like eth0 or wlan0.

Cryptokey Routing

Each network interface has a private key and a list of peers.
Each peer has a public key.
Each public key is paired with a list of tunnel IP addresses that are allowed inside the tunnel (AllowedIPs).

A public key must be unique between multiple peers on the same tunnel. Otherwise,
traffic to the conflicting networks will only be routed to the last peer in the list.
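
A small simulation of the cryptokey routing table, added here as an example (it is not WireGuard code; the peer names, keys and prefixes are made up). It shows the longest-prefix lookup for outgoing packets, the AllowedIPs check that drops an incoming packet whose source address belongs to a different peer, and the last-peer-wins behaviour when two peers claim the same prefix:

```python
import ipaddress

# Constructed peer list (names, keys and prefixes are made up for this example).
# Each peer's AllowedIPs is the list of tunnel addresses that may appear
# inside packets to or from that peer.
PEERS = [
    {"name": "laptop",  "pubkey": "<laptop-public-key>",
     "allowed_ips": ["10.0.31.11/32"]},
    {"name": "office",  "pubkey": "<office-public-key>",
     "allowed_ips": ["10.0.31.12/32", "192.168.31.0/24"]},
    {"name": "gateway", "pubkey": "<gateway-public-key>",
     "allowed_ips": ["0.0.0.0/0"]},
]


def build_table(peers):
    """Flatten AllowedIPs into {network: peer name}.

    Inserting in list order means a prefix claimed by two peers ends up
    owned by the later one, which is the "last peer wins" rule from the text.
    """
    table = {}
    for peer in peers:
        for cidr in peer["allowed_ips"]:
            table[ipaddress.ip_network(cidr, strict=False)] = peer["name"]
    return table


def lookup(table, address):
    """Longest-prefix match: the peer that owns this tunnel address, or None."""
    addr = ipaddress.ip_address(address)
    best_net, best_peer = None, None
    for net, peer in table.items():
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_peer = net, peer
    return best_peer


def outbound_peer(table, dst):
    """Outgoing packet: it is encrypted for the peer whose AllowedIPs cover dst.
    No match means the interface has no peer to send it to, so it is dropped."""
    return lookup(table, dst)


def inbound_accepted(table, from_peer, src):
    """Incoming packet that decrypted under from_peer's key: accepted only if
    src is inside that peer's AllowedIPs. This is the implicit ACL that stops
    a peer from injecting packets carrying another tunnel address as source."""
    return lookup(table, src) == from_peer


TABLE = build_table(PEERS)

if __name__ == "__main__":
    for dst in ("10.0.31.11", "192.168.31.7", "8.8.8.8"):
        print(f"to {dst:13} -> peer {outbound_peer(TABLE, dst)}")
    print("laptop sending as 192.168.31.7 accepted?",
          inbound_accepted(TABLE, "laptop", "192.168.31.7"))
```

The dict keyed by network is what produces the conflict rule: a second peer listing the same /32 replaces the first owner, so only the last peer in the list receives traffic for that prefix.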

Advantages

Minimal Attack Surface

It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities.

High Performance

WireGuard lives inside the Linux kernel.

Simple & Easy-to-use

At the heart of WireGuard is a concept called Cryptokey Routing:
it simply matches on "is it from this IP? on this interface?".

Ready for Containers

Known Limitations

  • WireGuard does not focus on obfuscation
  • WireGuard explicitly does not support tunneling over TCP
  • WireGuard only uses ChaCha20-Poly1305
    (no support for hardware encryption devices)

Other Projects

Contents

Clients

Windows client

https://download.wireguard.com/windows-client/

Linux Install

apt install wireguard

dnf install wireguard-tools       # RHEL(7,8)@EPEL: kmod-wireguard wireguard-tools

Usage

1) Create the interface

ip link add dev wg0 type wireguard

2) Assign a tunnel address

ip address add dev wg0 192.168.2.1/24

OR

ip address add dev wg0 192.168.2.1 peer 192.168.2.2

3) Configure the interface

Method A: wg set

# "peer" takes the remote side's base64 public key; "endpoint" takes its IP:port
wg set wg0 \
    listen-port 51820 \
    private-key /path/to/private-key \
    peer <peer-public-key> \
    allowed-ips 192.168.88.0/24 \
    endpoint R.R.R.R:51820

Default Port: 51820/udp

Method B: load a config file

wg setconf wg0 myconfig.conf

4) Check the result

wg [show]

wg showconf <interface>   # the output is a config file that can be used directly

Key Generation

Private & Public key

wg genkey > privatekey

wg pubkey < privatekey > publickey

PSK

# 256-bit base64-encoded string (44 characters)

wg genpsk

 


Options

Required settings

Address = Your.internal.IP.address

AllowedIPs

    The tunnel address, and any additional networks which should be routed across the VPN, as a comma-separated list.
    This could be a LAN subnet (e.g. 10.6.0.0/24), or
    0.0.0.0/0 to route all traffic, including Internet traffic, across the tunnel.

Optional Settings

PersistentKeepalive = 10

DNS = 1.1.1.1, 1.0.0.1

MTU = 1440

PostUp =
PostDown =

PresharedKey = /path/to/file

A base64 preshared key generated by wg genpsk.

This option adds an additional layer of symmetric-key cryptography to be mixed into
the already existing public-key cryptography, for post-quantum resistance.

Summary

Diagram

LAN: 192.168.31.0/24
      |
Server(51820/udp)      <- UDP -      Client
10.0.31.254             Tunnel       10.0.31.11 

client.conf

[Interface]
PrivateKey = ABCDE...
Address = 10.0.31.11

[Peer]
PublicKey = FGHIJ...
PresharedKey = KLMNO...
Endpoint = R.R.R.R:51820
AllowedIPs = 10.0.31.0/24, 192.168.31.0/24
PersistentKeepalive = 10
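
A checker for config files like the client.conf above, added as an example (it is not part of this page or of wg-quick). It enforces the required settings listed under Options, checks that every key decodes to 32 bytes, flags a PublicKey shared by two peers, and warns when two peers claim the same AllowedIPs prefix, since only the last one would receive that traffic. The keys and the endpoint address in CLIENT_CONF are constructed placeholders:

```python
import base64
import binascii
import ipaddress
import itertools

# Constructed placeholder keys: valid length and encoding, but not real keys.
_PRIV = base64.b64encode(bytes([1] * 32)).decode()
_PUB = base64.b64encode(bytes([2] * 32)).decode()
_PSK = base64.b64encode(bytes([3] * 32)).decode()

# The client.conf from the page with placeholders filled in; the endpoint is
# a documentation address, also constructed.
CLIENT_CONF = f"""
[Interface]
PrivateKey = {_PRIV}
Address = 10.0.31.11

[Peer]
PublicKey = {_PUB}
PresharedKey = {_PSK}
Endpoint = 203.0.113.1:51820
AllowedIPs = 10.0.31.0/24, 192.168.31.0/24
PersistentKeepalive = 10
"""


def parse_conf(text):
    """Minimal INI reader. configparser is not used because several [Peer]
    sections share one name, which it would collapse into one."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_type": line[1:-1]}
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return sections


def is_key(value):
    """A WireGuard key is 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def lint_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sections = parse_conf(text)
    interfaces = [s for s in sections if s["_type"] == "Interface"]
    peers = [s for s in sections if s["_type"] == "Peer"]
    if len(interfaces) != 1:
        findings.append("exactly one [Interface] section is required")
    for iface in interfaces:
        for required in ("PrivateKey", "Address"):
            if required not in iface:
                findings.append(f"[Interface] missing {required}")
        if "PrivateKey" in iface and not is_key(iface["PrivateKey"]):
            findings.append("[Interface] PrivateKey is not a 32-byte base64 key")
    seen, nets = {}, []
    for i, peer in enumerate(peers, 1):
        pub = peer.get("PublicKey")
        if pub is None or not is_key(pub):
            findings.append(f"[Peer {i}] PublicKey missing or malformed")
        elif pub in seen:
            findings.append(f"[Peer {i}] PublicKey duplicates peer {seen[pub]}")
        else:
            seen[pub] = i
        if "PresharedKey" in peer and not is_key(peer["PresharedKey"]):
            findings.append(f"[Peer {i}] PresharedKey is not a 32-byte base64 key")
        if "AllowedIPs" not in peer:
            findings.append(f"[Peer {i}] AllowedIPs missing")
        else:
            for cidr in peer["AllowedIPs"].split(","):
                try:
                    nets.append((ipaddress.ip_network(cidr.strip(), strict=False), i))
                except ValueError:
                    findings.append(f"[Peer {i}] bad AllowedIPs entry {cidr.strip()!r}")
        if "Endpoint" in peer:
            host, _, port = peer["Endpoint"].rpartition(":")
            if not host or not port.isdigit() or not 0 < int(port) < 65536:
                findings.append(f"[Peer {i}] Endpoint must be host:port")
        if "PersistentKeepalive" in peer and not peer["PersistentKeepalive"].isdigit():
            findings.append(f"[Peer {i}] PersistentKeepalive must be an integer")
    # The same prefix on two peers: only the later peer receives that traffic.
    for (n1, p1), (n2, p2) in itertools.combinations(nets, 2):
        if p1 != p2 and n1 == n2:
            findings.append(f"AllowedIPs {n1} claimed by peers {p1} and {p2}; "
                            f"only peer {p2} will receive it")
    return findings


if __name__ == "__main__":
    print(lint_conf(CLIENT_CONF) or "client.conf: no findings")
```

Only identical prefixes are reported: a /32 inside another peer's /24 is normal longest-prefix routing, not a conflict.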

 


 
