notiz:wireguard
Revision of 2020/03/31 00:31 (current) by clerie, edit summary [Examples]; previous revision 2020/03/18 19:24 by clerie, when the page was renamed from notiz:wireguard to notiz:wireguard-alt.
====== Wireguard ======
===== Cryptography =====

Every WireGuard peer is identified by a Curve25519 key pair: the private key never leaves the host, the public key is what gets pasted into the other side's [Peer] section. wg genkey writes the key to stdout, so the permissions of the redirect target are decided by the shell's umask; the wg(8) man page therefore recommends setting umask 077 first so the key file is readable by root only.

==== Generate a private key ====
<code bash>
wg genkey > wg-c2s-private.key
</code>

==== Derive the public key ====
<code bash>
cat wg-c2s-private.key | wg pubkey > wg-c2s-public.key
</code>
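What wg genkey and wg pubkey actually compute, as an added illustration that is not part of this page or of the WireGuard tools: a WireGuard private key is 32 random bytes with the Curve25519 clamping bits applied, and the public key is the X25519 scalar multiplication of that key with the base point u = 9; both are base64-encoded (44 characters). The block below reimplements this in pure Python with the Montgomery ladder from RFC 7748, deliberately simple and not constant-time, so it is for understanding the key format, not for generating production keys. It checks itself against the RFC 7748 section 6.1 test vectors; all function names are my own.

```python
"""Reimplementation of what `wg genkey` / `wg pubkey` produce (illustration only, not wg's code)."""
import base64
import secrets

P = 2**255 - 19                      # field prime of Curve25519
A24 = 121665                         # (A - 2) / 4 for the Montgomery curve constant A = 486662
BASEPOINT = b"\x09" + b"\x00" * 31   # u = 9 as 32 little-endian bytes


def clamp(secret: bytes) -> bytes:
    """Curve25519 scalar clamping; wg genkey applies this before printing the key."""
    b = bytearray(secret)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def _x25519_int(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5. Branches on key bits, so NOT constant-time."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def x25519(private: bytes, public_u: bytes) -> bytes:
    """X25519(k, u): shared secret (or, with BASEPOINT, the public key) as 32 little-endian bytes."""
    k = int.from_bytes(clamp(private), "little")
    u = int.from_bytes(bytes(public_u[:31]) + bytes([public_u[31] & 127]), "little")
    return _x25519_int(k, u).to_bytes(32, "little")


def decode_key(key_b64: str) -> bytes:
    """Strict decoding of a WireGuard key: base64 of exactly 32 bytes (44 characters, ending in '=')."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return raw


def wg_genkey() -> str:
    """Equivalent of `wg genkey`: 32 CSPRNG bytes, clamped, base64-encoded."""
    return base64.b64encode(clamp(secrets.token_bytes(32))).decode()


def wg_pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: derive the public key from a base64 private key."""
    return base64.b64encode(x25519(decode_key(private_b64), BASEPOINT)).decode()


def is_clamped(private_b64: str) -> bool:
    """True if the key already carries the clamping bits, as every key from wg genkey does."""
    raw = decode_key(private_b64)
    return raw == clamp(raw)


def rfc7748_self_test() -> bool:
    """Check the ladder against the X25519 test vectors in RFC 7748 section 6.1."""
    alice_priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    alice_pub = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    bob_priv = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    bob_pub = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
    shared = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
    return (x25519(alice_priv, BASEPOINT) == alice_pub
            and x25519(bob_priv, BASEPOINT) == bob_pub
            and x25519(alice_priv, bob_pub) == shared
            and x25519(bob_priv, alice_pub) == shared)


if __name__ == "__main__":
    priv = wg_genkey()
    print("private:", priv)
    print("public: ", wg_pubkey(priv))
    print("RFC 7748 vectors:", "ok" if rfc7748_self_test() else "FAILED")
```

The keys this script prints are interchangeable with wg's: feeding its private key to wg pubkey yields the same public key, and decode_key is the check to run on any key pasted into a config, since wg itself rejects anything that is not exactly 32 decoded bytes.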

===== Configuration =====
WireGuard is managed through wg-quick configuration files. They live under /
wg-quick derives the interface name from the file name without the .conf suffix.

Such a file looks roughly like this.

<code ini /
# Local interface
[Interface]
Address = 192.168.123.1/
PrivateKey = <private key of local interface>
ListenPort = 51820 # UDP port to listen on
PostUp = <bash command>   # run after the interface is up, e.g. firewall rules
PostDown = <bash command> # run after the interface is down, to undo PostUp

# Client 1
[Peer]
PublicKey = <public key of client 1>
AllowedIPs = 192.168.123.11/

# Client 2
[Peer]
PublicKey = <public key of client 2>
AllowedIPs = 192.168.123.12/
</code>

  * **AllowedIPs** is WireGuard's cryptokey routing table and works in both directions: a packet whose destination falls into a peer's AllowedIPs is encrypted to that peer, and a decrypted packet arriving from a peer is only delivered if its source address lies within that peer's AllowedIPs; everything else is dropped. A prefix listed for two peers ends up with the peer configured last, and a peer that is allowed 0.0.0.0/0 may send packets with any source address.

===== Using WireGuard =====

==== Start an interface ====
<code bash>
wg-quick up <
</code>

==== Stop an interface ====
<code bash>
wg-quick down <
</code>

==== Start an interface with systemd ====
<code bash>
systemctl start wg-quick@<
</code>

==== Stop an interface with systemd ====
<code bash>
systemctl stop wg-quick@<
</code>

==== Start an interface persistently (at boot) with systemd ====
<code bash>
systemctl enable wg-quick@<
</code>

===== Examples =====
Good examples here: https://
==== Client-Server-Client ====
Two clients that can only reach each other through the server: the server forwards between them, so each client's address must appear in the server's AllowedIPs, the clients must route the whole tunnel network to the server, and the kernel on the server must have forwarding enabled.
=== Server ===
<code ini /
[Interface]
Address = 192.168.123.1/
PrivateKey = <private key of server>
ListenPort = 51820 # Port the server listens on
# Forwarding rules,
# %i is replaced by wg-quick with the interface name. These rules accept all
# forwarded traffic into and out of the tunnel, so every client reaches every
# other client and anything the server routes to; restrict with -s/-d if that
# is not intended. PostDown must delete exactly the rules PostUp added.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT;

# Client 1
[Peer]
PublicKey = <public key of client 1>
AllowedIPs = 192.168.123.11/

# Client 2
[Peer]
PublicKey = <public key of client 2>
AllowedIPs = 192.168.123.12/
</code>

Important at this point: the following kernel parameters must be set on the server, otherwise it will not forward packets between the clients:
<code>
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
</code>

You can check them like this:
<code bash>
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding
</code>

They can be enabled permanently in /
<code - /
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
</code>

**Caution!** net.ipv6.conf.all.forwarding=1 turns the host into an IPv6 router, and a router ignores router advertisements unless accept_ra=2 is set, so IPv6 autoconfiguration (SLAAC) stops working on all interfaces. Configure the server's IPv6 addresses statically **before** enabling it.
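The two pitfalls in this example, the cryptokey routing semantics of AllowedIPs described in the configuration section and the PostUp/PostDown hooks of the server config, can be checked mechanically. The following Python linter is an added illustration, not code from this page or from the WireGuard project: it parses a wg-quick file with a minimal parser (configparser cannot handle repeated [Peer] sections), answers "which peer receives a packet for address X" and "is a packet with source X from peer Y accepted" the way WireGuard does, flags a prefix claimed by two peers (WireGuard hands it to the later peer and silently cuts the earlier one off), and reports a -A rule in PostUp without a matching -D in PostDown. The sample config is constructed: the /24 and /32 prefix lengths are assumptions, the placeholder keys are the page's, the second peer deliberately re-claims client 1's address, and the PostDown line deliberately deletes the ip6tables -o rule with iptables, a typo that is easy to make and that the hook check is meant to catch.

```python
"""Lint a wg-quick config for cryptokey-routing surprises and unbalanced PostUp/PostDown hooks."""
import ipaddress
import shlex

# Constructed sample modelled on the page's server example. Prefix lengths are assumptions,
# the second peer re-claims 192.168.123.11/32 on purpose, and the last PostDown rule uses
# iptables where ip6tables was meant.
SAMPLE_CONF = """\
[Interface]
Address = 192.168.123.1/24
PrivateKey = <private key of server>
ListenPort = 51820  # UDP listen port
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; ip6tables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT;

# Client 1
[Peer]
PublicKey = <public key of client 1>
AllowedIPs = 192.168.123.11/32

# Client 2
[Peer]
PublicKey = <public key of client 2>
AllowedIPs = 192.168.123.12/32, 192.168.123.11/32
"""


def parse_conf(text: str):
    """Split a wg-quick file into the [Interface] dict and a list of [Peer] dicts.
    Keys are lower-cased; every value is kept as a list because wg allows repeated keys."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment, as in wg(8)
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return interface, peers


def allowed_ips(peer):
    """All networks from a peer's AllowedIPs entries (comma-separated, possibly repeated)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for value in peer.get("allowedips", []) for item in value.split(",") if item.strip()]


def route_outbound(peers, dst: str):
    """Cryptokey routing, outbound: the packet goes to the peer owning the longest matching
    AllowedIPs prefix. A prefix listed by two peers belongs to the later one, as wg reassigns it.
    Returns that peer's PublicKey, or None when no peer matches (WireGuard drops the packet)."""
    address, best = ipaddress.ip_address(dst), None
    for peer in peers:
        for net in allowed_ips(peer):
            if address in net and (best is None or net.prefixlen >= best[1].prefixlen):
                best = (peer, net)
    return best[0]["publickey"][0] if best else None


def accept_inbound(peers, pubkey: str, src: str) -> bool:
    """Cryptokey routing, inbound: a decrypted packet from `pubkey` is delivered only if its
    source address routes back to that same peer; otherwise WireGuard silently drops it."""
    return route_outbound(peers, src) == pubkey


def lint_allowed_ips(peers):
    """Flag prefixes claimed by more than one peer and catch-all prefixes."""
    findings, owner = [], {}
    for index, peer in enumerate(peers):
        key = peer.get("publickey", ["?"])[0]
        for net in allowed_ips(peer):
            if net.prefixlen == 0:
                findings.append(f"peer {index} ({key}) claims {net}: any source address is accepted from it")
            if net in owner:
                findings.append(f"peer {index} ({key}) takes {net} away from peer {owner[net]}")
            owner[net] = index
    return findings


def lint_hooks(interface):
    """Every rule appended (-A) in PostUp should be deleted (-D) in PostDown with the same binary
    and arguments, otherwise rules outlive `wg-quick down` or the wrong table is touched."""
    def rules(key, action):
        found = []
        for command in "; ".join(interface.get(key, [])).split(";"):
            argv = shlex.split(command)
            if argv and action in argv:
                found.append((argv[0], tuple(arg for arg in argv[1:] if arg != action)))
        return found

    def describe(rule):
        return rule[0] + " " + " ".join(rule[1])

    added, deleted = rules("postup", "-A"), rules("postdown", "-D")
    findings = [f"PostUp adds '{describe(r)}' but PostDown never deletes it" for r in added if r not in deleted]
    findings += [f"PostDown deletes '{describe(r)}' which PostUp never added" for r in deleted if r not in added]
    return findings


SAMPLE_INTERFACE, SAMPLE_PEERS = parse_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for finding in lint_allowed_ips(SAMPLE_PEERS) + lint_hooks(SAMPLE_INTERFACE):
        print("WARN:", finding)
    print("192.168.123.11 is now routed to", route_outbound(SAMPLE_PEERS, "192.168.123.11"))
```

Run as a script it prints two warnings (the re-claimed /32 and the ip6tables rule PostDown never removes) and shows that 192.168.123.11 now belongs to client 2, which means packets client 1 sends with its own address are dropped on the server. In a real deployment feed it the contents of your .conf file instead of SAMPLE_CONF; the parser ignores keys it does not need (DNS, Table, PreUp/PreDown), and the hook check only understands the -A/-D rule shape used here.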

=== Client 1 ===
<code ini /
[Interface]
PrivateKey = <private key of client 1>
Address = 192.168.123.11/

[Peer]
Endpoint = wireguard-1.clerie.de:
PublicKey = <public key of server>
# the whole tunnel network, so traffic to the other client is routed via the server
AllowedIPs = 192.168.123.0/
</code>

=== Client 2 ===
<code ini /
[Interface]
PrivateKey = <private key of client 2>
Address = 192.168.123.12/

[Peer]
Endpoint = wireguard-1.clerie.de:
PublicKey = <public key of server>
# the whole tunnel network, so traffic to the other client is routed via the server
AllowedIPs = 192.168.123.0/
</code>