Wireguard » Historique » Version 26
xavier, 15/08/2019 18:51
WIP
| 1 | 21 | xavier | {{>toc}} |
|---|---|---|---|
| 2 | |||
| 3 | 1 | sacha | # Wireguard |
| 4 | |||
| 5 | 14 | sacha | Le VPN Kiss, utilisant les dernières règles de l'art, construit pour être audité & performant ! au revoir IPSec & OpenVPN ! |
| 6 | 20 | xavier | |
| 7 | 25 | xavier | Aquilenet utilise Wireguard avec succès depuis mi-2019, pour interconnecter une partie de ses [[îlots]] à son [[infrastructure:|cœur de réseau]]. |
| 8 | |||
| 9 | 26 | xavier | ## *Work In Progress* |
| 10 | |||
| 11 | 1 | sacha | ## Installation |
| 12 | |||
| 13 | https://www.wireguard.com/install/ |
||
| 14 | 23 | xavier | |
| 15 | Dans le Kernel Linux : via DKMS pour l'instant (2019-08-15) et en userspace écrit en GO (en cours de migration en Rust) sur les autres plateformes (*BSD, OpenWRT, Android, Windows). |
||
| 16 | |||
| 17 | Pour Debian stable, au départ « Stretch » 9.8 et dorénavant « Buster » 10.0, des paquets `wireguard{,-dkms,-modules}` sont installables depuis le dépôt `unstable` (uniquement). Les mises à jour y sont fréquentes, par exemple les versions disponibles au 2019-03-07 étaient les 0.0.20190227-1, celles disponibles au 2019-07-19 étaient les 0.0.20190702-1. |
||
| 18 | 1 | sacha | |
| 19 | 24 | xavier | ATTENTION : sous Debian Stretch, [une bogue](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934763) introduite dans la dernière mise à jour du paquet des entêtes du noyau (2019-09-14), casse la compilation du module Wireguard. Il reste possible de compiler le module avec la version précédente, puis de l'utiliser avec la dernière version du noyau. |
| 20 | |||
| 21 | 1 | sacha | ## Configuration |
| 22 | |||
| 23 | ### Serveur |
||
| 24 | |||
| 25 | ~~~ |
||
| 26 | umask 077 |
||
| 27 | wg genkey > /etc/wireguard/private |
||
| 28 | wg genkey | tee /etc/wireguard/private | wg pubkey > /etc/wireguard/publickey |
||
| 29 | wg set wg0 private-key /etc/wireguard/private |
||
| 30 | ip link set wg0 up |
||
| 31 | |||
| 32 | cat << EOF > /etc/wireguard/wireguard.conf |
||
| 33 | [Interface] |
||
| 34 | ListenPort = 50000 |
||
| 35 | PrivateKey = `cat /etc/wireguard/private` |
||
| 36 | |||
| 37 | [Peer] |
||
| 38 | PublicKey = Va0X1zOpRc9471Aa3DEUUy7UkAv5aq5SojtIPqOSqwg= |
||
| 39 | AllowedIPs = 10.33.33.0/24 |
||
| 40 | Endpoint = 185.233.100.19:50000 |
||
| 41 | EOF |
||
| 42 | |||
| 43 | ~~~ |
||
| 44 | |||
| 45 | ### Client |
||
| 46 | |||
| 47 | ~~~ |
||
| 48 | umask 077 |
||
| 49 | wg genkey | tee /etc/wireguard/private | wg pubkey > /etc/wireguard/publickey |
||
| 50 | wg set wg0 private-key /etc/wireguard/private |
||
| 51 | 17 | stephanie.vieville | ip link add dev wg0 type wireguard |
| 52 | 1 | sacha | ip link set wg0 up |
| 53 | 17 | stephanie.vieville | |
| 54 | 1 | sacha | ~~~ |
| 55 | 2 | sacha | |
| 56 | 12 | louis.leveque | ### Config serveur (Hypnos) |
| 57 | |||
| 58 | ~~~ |
||
| 59 | #!/bin/bash |
||
| 60 | |||
| 61 | set -x -e |
||
| 62 | |||
| 63 | # Creating the wireguard interface |
||
| 64 | ip link add dev wg0 type wireguard |
||
| 65 | |||
| 66 | # Setting the IP on the wireguard interface |
||
| 67 | ip address add dev wg0 185.233.101.127/24 |
||
| 68 | |||
| 69 | # Configuring the wireguard server |
||
| 70 | wg set wg0 listen-port 50000 private-key /etc/wireguard/private |
||
| 71 | |||
| 72 | # Starting up the wireguard interface |
||
| 73 | ip link set up dev wg0 |
||
| 74 | |||
| 75 | # Add Client |
||
| 76 | wg set wg0 peer W/iRbRNZhftkcmkfS/pUNcyDJ1YHB0cBEDigzed6+B0= allowed-ips 185.233.101.126/32 |
||
| 77 | |||
| 78 | # Create the static route for the client |
||
| 79 | ip route add 185.233.101.126/32 dev wg0 proto static |
||
| 80 | ~~~ |
||
| 81 | |||
| 82 | ### Config client |
||
| 83 | |||
| 84 | ~~~ |
||
| 85 | #!/bin/bash |
||
| 86 | |||
| 87 | set -e -x |
||
| 88 | |||
| 89 | # Creating the wireguard interface |
||
| 90 | ip link add dev wg0 type wireguard |
||
| 91 | |||
| 92 | # Setting the IP on the wireguard interface |
||
| 93 | ip address add dev wg0 185.233.101.126/24 |
||
| 94 | |||
| 95 | # Configuring wireguard |
||
| 96 | wg set wg0 private-key ./private |
||
| 97 | |||
| 98 | # Starting up the wireguard interface |
||
| 99 | ip link set up dev wg0 |
||
| 100 | |||
| 101 | # Connect to the server |
||
| 102 | wg set wg0 peer 'XRhI4WqBipwY21pxPZ9Q7EWkypnQCKKtJjqu2tUUTVo=' allowed-ips 0.0.0.0/0 endpoint 185.233.100.9:50000 |
||
| 103 | ~~~ |
||
| 104 | |||
| 105 | 4 | sacha | ### 1er test: @Sacha's Home (Fibre Bouygues) --> @Hypnos (VM Aquilenet) |
| 106 | 3 | sacha | |
| 107 | 2 | sacha | ~~~ |
| 108 | |||
| 109 | root@hypnos:/etc/wireguard# iperf3 -s |
||
| 110 | ----------------------------------------------------------- |
||
| 111 | Server listening on 5201 |
||
| 112 | ----------------------------------------------------------- |
||
| 113 | Accepted connection from 10.33.33.2, port 60038 |
||
| 114 | [ 5] local 10.33.33.1 port 5201 connected to 10.33.33.2 port 60040 |
||
| 115 | [ ID] Interval Transfer Bandwidth |
||
| 116 | [ 5] 0.00-1.00 sec 15.1 MBytes 127 Mbits/sec |
||
| 117 | [ 5] 1.00-2.00 sec 19.9 MBytes 167 Mbits/sec |
||
| 118 | [ 5] 2.00-3.00 sec 20.1 MBytes 169 Mbits/sec |
||
| 119 | [ 5] 3.00-4.00 sec 20.1 MBytes 169 Mbits/sec |
||
| 120 | [ 5] 4.00-5.00 sec 19.7 MBytes 166 Mbits/sec |
||
| 121 | [ 5] 5.00-6.00 sec 20.0 MBytes 168 Mbits/sec |
||
| 122 | [ 5] 6.00-7.00 sec 20.2 MBytes 169 Mbits/sec |
||
| 123 | [ 5] 7.00-8.00 sec 20.2 MBytes 170 Mbits/sec |
||
| 124 | [ 5] 8.00-9.00 sec 20.1 MBytes 169 Mbits/sec |
||
| 125 | [ 5] 9.00-10.00 sec 20.2 MBytes 169 Mbits/sec |
||
| 126 | [ 5] 10.00-10.03 sec 566 KBytes 165 Mbits/sec |
||
| 127 | - - - - - - - - - - - - - - - - - - - - - - - - - |
||
| 128 | [ ID] Interval Transfer Bandwidth |
||
| 129 | [ 5] 0.00-10.03 sec 0.00 Bytes 0.00 bits/sec sender |
||
| 130 | [ 5] 0.00-10.03 sec 196 MBytes 164 Mbits/sec receiver |
||
| 131 | ----------------------------------------------------------- |
||
| 132 | Server listening on 5201 |
||
| 133 | ----------------------------------------------------------- |
||
| 134 | ~~~ |
||
| 135 | |||
| 136 | |||
| 137 | ~~~ |
||
| 138 | root@hypnos:/etc/wireguard# wg |
||
| 139 | interface: wg0 |
||
| 140 | public key: Va0X1zOpRc9471Aa3DEUUy7UkAv5aq5SojtIPqOSqwg= |
||
| 141 | private key: (hidden) |
||
| 142 | listening port: 50000 |
||
| 143 | |||
| 144 | peer: VEfmgnq/aXPX3qBB7Q2fgxAawQdfUYZDRKEQSPC8tnA= |
||
| 145 | endpoint: 5.51.0.155:3418 |
||
| 146 | allowed ips: 10.33.33.0/24 |
||
| 147 | latest handshake: 4 minutes, 30 seconds ago |
||
| 148 | transfer: 208.75 MiB received, 6.68 MiB sent |
||
| 149 | ~~~ |
||
| 150 | 5 | sacha | |
| 151 | ## InstallDebian sur Apu2 |
||
| 152 | |||
| 153 | https://blog.pgeiser.com/posts/2017/04/installing-debian-stretch-on-a-machine-without-a-graphic-card/ |
||
| 154 | 6 | sacha | |
| 155 | 18 | xavier | ~~~ |
| 156 | 22 | sacha | apt-get install aptitude \ |
| 157 | 18 | xavier | dhcpd resolvconf \ |
| 158 | curl dnsutils htop iperf3 tcpdump tmux whois \ |
||
| 159 | 1 | sacha | debian-security-support debsums needrestart |
| 160 | 18 | xavier | ~~~ |
| 161 | 8 | sacha | |
| 162 | ~~~ |
||
| 163 | #!/bin/bash |
||
| 164 | gw=`ip route | awk '/default/ { print $3 }'` |
||
| 165 | 9 | sacha | sysctl -w net.ipv4.ip_forward=1 |
| 166 | 8 | sacha | ip link add dev wg0 type wireguard |
| 167 | ip address add dev wg0 10.33.33.2/24 |
||
| 168 | ip link set up dev wg0 |
||
| 169 | ip route add 185.233.100.19/32 via $gw dev enp1s0 |
||
| 170 | ip route del default |
||
| 171 | ip route add default dev wg0 |
||
| 172 | wg setconf wg0 /etc/wireguard/wg0.conf |
||
| 173 | ~~~ |
||
| 174 | 10 | sacha | |
| 175 | https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8 |
||
| 176 | https://git.zx2c4.com/WireGuard/about/src/tools/wg.8 |
||
| 177 | 16 | sacha | |
| 178 | https://vincent.bernat.ch/fr/blog/2018-vpn-wireguard-route |