Last updated: 2023-11-24
WireGuard Introduction
WireGuard securely encapsulates IP packets over UDP.
Core
WireGuard interface
It works by adding a virtual network interface called wg0 (or wg1, etc.), which behaves like eth0 or wlan0 and can be configured with the normal ip/ifconfig tools.
Cryptokey Routing
Each network interface has a private key and a list of peers.
Each peer is identified by its public key.
Each public key is associated with a list of tunnel IP addresses that are allowed inside the tunnel (AllowedIPs):
outbound packets are sent to the peer whose AllowedIPs contains the destination, and inbound packets are only accepted if the decrypted source IP is in the sending peer's AllowedIPs.
Public keys are unique per interface by construction, and the AllowedIPs ranges must also be unique between peers on the same interface. If the same prefix is given to a second peer it is silently taken away from the first one, so traffic to the conflicting network will only be routed to the last peer added.
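The routing rules above, as an added toy model (written for this page, not WireGuard's own code, which keeps the table in a kernel radix trie). The peer names KEY_CLIENT, KEY_SITE and KEY_LATER and the prefixes are made up for the demonstration; it shows the longest-prefix match used for outbound packets, the inbound source check that stops a peer from spoofing addresses it does not own, and what happens when two peers claim the same prefix:

```python
# Added illustration, not WireGuard code: a toy model of the cryptokey routing
# table behind AllowedIPs. Real WireGuard keeps this in a kernel radix trie;
# only the rules that matter to an operator are modelled here.
from ipaddress import ip_address, ip_network


class CryptokeyRouter:
    def __init__(self):
        # prefix -> public key of the single peer that owns it
        self.table = {}

    def set_peer(self, pubkey, allowed_ips):
        """Mirror `wg set wg0 peer <pubkey> allowed-ips a,b,...`: the peer's list is
        replaced, and a prefix can only have one owner, so a prefix listed for a
        second peer is silently taken away from the first."""
        self.table = {n: k for n, k in self.table.items() if k != pubkey}
        for cidr in allowed_ips:
            self.table[ip_network(cidr, strict=False)] = pubkey

    def allowed_ips(self, pubkey):
        return sorted(str(n) for n, k in self.table.items() if k == pubkey)

    def peer_for(self, ip):
        """Outbound: longest-prefix match on the destination picks the peer
        (and therefore the key) the packet is encrypted to; no match -> drop."""
        addr = ip_address(ip)
        matches = [n for n in self.table if addr in n]
        if not matches:
            return None
        return self.table[max(matches, key=lambda n: n.prefixlen)]

    def accept_inbound(self, pubkey, inner_src):
        """Inbound: the packet was authenticated as coming from `pubkey`; it is
        only accepted if its inner source IP routes back to that same peer."""
        return self.peer_for(inner_src) == pubkey


def demo():
    # Constructed peers: a road-warrior client and a site peer fronting a LAN.
    r = CryptokeyRouter()
    r.set_peer("KEY_CLIENT", ["10.0.31.11/32"])
    r.set_peer("KEY_SITE", ["10.0.31.254/32", "192.168.31.0/24"])
    out = {
        "lan_via": r.peer_for("192.168.31.20"),          # KEY_SITE
        "unrouted": r.peer_for("172.16.0.1"),             # None: in nobody's AllowedIPs
        # KEY_CLIENT trying to inject a packet with a LAN source address
        "spoof_rejected": r.accept_inbound("KEY_CLIENT", "192.168.31.20"),  # False
    }
    # Conflict: a peer added later claims a prefix KEY_SITE already owns.
    r.set_peer("KEY_LATER", ["192.168.31.0/24"])
    out["site_left_with"] = r.allowed_ips("KEY_SITE")     # ['10.0.31.254/32']
    out["lan_via_after"] = r.peer_for("192.168.31.20")    # KEY_LATER
    return out


if __name__ == "__main__":
    print(demo())
```

The same longest-prefix rule is why a peer with AllowedIPs = 0.0.0.0/0 can coexist with more specific peers: the /0 only catches what nothing else matches. The practical check is to keep each peer's AllowedIPs as narrow as the traffic requires, because anything a peer is allowed to own it is also allowed to source.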
Advantages
Minimal Attack Surface
It is meant to be easily implemented in very few lines of code,
and easily auditable for security vulnerabilities.
High Performance
WireGuard lives inside the Linux kernel
Simple & Easy-to-use
At the heart of WireGuard is a concept called Cryptokey Routing: since every peer is tied to its AllowedIPs,
firewalling becomes a simple match on "is it from this IP? on this interface?"
Ready for Containers
Known Limitations
- WireGuard does not focus on obfuscation; hiding the protocol is left to a layer on top of it
- WireGuard explicitly does not support tunneling over TCP
- WireGuard uses only ChaCha20-Poly1305 (no cipher agility), so it cannot take advantage of AES-NI or other hardware encryption devices
Other Projects
Contents
Clients
Windows client
https://download.wireguard.com/windows-client/
Linux Install
apt install wireguard
dnf install wireguard-tools # RHEL(7,8)@EPEL: kmod-wireguard wireguard-tools
Usage
1) Create the interface
ip link add dev wg0 type wireguard
2) Assign the tunnel address
ip address add dev wg0 192.168.2.1/24
OR
ip address add dev wg0 192.168.2.1 peer 192.168.2.2
3) Configure the interface
Method A
wg set wg0 \
listen-port 51820 \
private-key /path/to/private-key \
peer <peer-public-key> \
allowed-ips 192.168.88.0/24 \
endpoint R.R.R.R:51820
(the peer argument is the peer's base64 public key, not its IP address; private-key takes a file path)
Default port: 51820/udp
Method B
wg setconf wg0 myconfig.conf
4) Bring the interface up
ip link set up dev wg0
5) Checking
wg [show]
wg showconf <interface> # the output is a config file that can be fed straight back into wg setconf
Key Generation
Private & Public key
wg genkey > privatekey
wg pubkey < privatekey > publickey
PSK
# 256-bit key, base64-encoded (a 44-character string ending in '='), to be set identically on both peers
wg genpsk
Options
Required settings
Address = <your tunnel IP address> (in [Interface], e.g. 10.0.31.11/24)
AllowedIPs
Per [Peer]: the tunnel address, and any additional networks which should be routed across the VPN, as a comma-separated list.
This could be a LAN subnet (e.g. 10.6.0.0/24) or
0.0.0.0/0 to route all traffic, including Internet traffic, across the tunnel. wg-quick also installs a route via the interface for each prefix listed here.
Optional settings
PersistentKeepalive = 10 (seconds; needed when this side sits behind NAT so the UDP mapping stays open)
DNS = 1.1.1.1, 1.0.0.1
MTU = 1440
PostUp = (commands wg-quick runs after the interface is up, e.g. forwarding and firewall rules)
PostDown = (commands wg-quick runs after the interface is taken down, usually undoing PostUp)
PresharedKey = <base64 key> (in a config file this is the key itself; only `wg set ... preshared-key` takes a file path)
A base64 preshared key generated by wg genpsk, identical on both peers.
This option adds an additional layer of symmetric-key cryptography, mixed into
the existing public-key cryptography, for post-quantum resistance.
Summary
Diagram
LAN 192.168.31.0/24 | Server (tunnel 10.0.31.254, listening on 51820/udp) <- UDP - Client (tunnel 10.0.31.11)
client.conf
[Interface]
PrivateKey = ABCDE...
Address = 10.0.31.11
[Peer]
PublicKey = FGHIJ...
PresharedKey = KLMNO...
Endpoint = R.R.R.R:51820
AllowedIPs = 10.0.31.0/24, 192.168.31.0/24
PersistentKeepalive = 10
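The server side of the same diagram, as an added example (written for this page, not taken from the original). It assumes the server's LAN-facing interface is eth0, that PQRST... is the server private key whose public key is the FGHIJ... in client.conf, that UVWXY... is the client's public key, and that the LAN router has no return route for 10.0.31.0/24 (hence the MASQUERADE):

```ini
# server.conf (added example; placeholder keys, eth0 assumed as the LAN interface)
[Interface]
PrivateKey = PQRST...
Address = 10.0.31.254/24
ListenPort = 51820
# Allow tunnel traffic into the LAN and hide it behind the server's LAN address.
# Drop the MASQUERADE rule if the LAN router is given a route for 10.0.31.0/24 via this host.
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.0.31.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.0.31.0/24 -o eth0 -j MASQUERADE

[Peer]
# the client from client.conf; same PresharedKey on both sides
PublicKey = UVWXY...
PresharedKey = KLMNO...
# Only the client's own tunnel address: this is what the server will accept as a
# source from this peer, so the LAN prefix must NOT appear here.
AllowedIPs = 10.0.31.11/32
```

Bring each side up with `wg-quick up ./server.conf` and `wg-quick up ./client.conf`, then confirm with `wg show` that a handshake appears and the transfer counters move in both directions. Note the asymmetry: the client lists the LAN in its AllowedIPs so packets for 192.168.31.0/24 are routed into the tunnel, while the server lists only 10.0.31.11/32 for that peer; listing the LAN on the server side would let the client send packets with LAN source addresses through the server.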