Links:
https://github.com/cloudflare/boringtun
https://www.wireguard.com/xplatform/
https://stackoverflow.com/questions/31571091/could-not-find-cargo-toml-when-building-a-dependent-crate-from-github
https://github.com/webrtc-rs/webrtc/issues/433
https://crates.io/crates/cargo-update
https://doc.rust-lang.org/cargo/commands/cargo-update.html
https://www.comptia.org/blog/configuring-wireguard-vpn
install
0. Install the required packages
apt update && apt upgrade -y
apt install wireguard
apt install cargo

1. Install boringtun
sudo su -
# build as the user
# cargo install boringtun-cli   - may not work
cargo install --locked boringtun-cli

2. Append to the end of ~/.profile
vim .profile
---------
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.cargo/bin" ] ; then
    PATH="$HOME/.cargo/bin:$PATH"
fi
---------

3. Start
Copy the boringtun-cli binary (cargo puts it in ~/.cargo/bin) to /usr/bin
# sudo cp ~/.cargo/bin/boringtun-cli /usr/bin/
Grant it the capability it needs
# sudo setcap cap_net_admin+epi /usr/bin/boringtun-cli
sudo WG_QUICK_USERSPACE_IMPLEMENTATION=boringtun-cli WG_SUDO=1 wg-quick up CONFIGURATION
systemd
vim /etc/systemd/system/boringtun.service
-----------------------------------------
[Unit]
Description=BoringTUN via wg-quick for wg0
Before=network-pre.target
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-quick.target

[Service]
Type=oneshot
RemainAfterExit=yes
User=root
WorkingDirectory=/root
ExecStart=/usr/bin/wg-quick up wg0
ExecStop=/usr/bin/wg-quick down wg0
Environment=WG_QUICK_USERSPACE_IMPLEMENTATION=boringtun-cli
#ExecStartPost=/usr/bin/wg setconf wg0 /etc/wireguard/wg0.conf
Restart=on-failure

[Install]
WantedBy=multi-user.target
-----------------------------------------
systemctl daemon-reload
systemctl start boringtun.service
Debian 11: generating a QR code for a WireGuard config
apt install qrencode
qrencode -t ansiutf8 < wg0.conf
Example wg-quick configs without boringtun
Generate the keys:
cd /etc/wireguard
umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Generate the pre-shared key:
wg genpsk > presharedKey

PC1
cat /etc/wireguard/wg0.conf
---------------------------
[Interface]
Address = 10.0.0.1/24
ListenPort = 51100
PrivateKey = PRIVATE_KEY_TEXT_PC1
#MTU = 9000

[Peer]
PresharedKey = PRE_KEY
PublicKey = PUBLIC_KEY_TEXT_PC2
AllowedIPs = 10.0.0.2/32
---------------------------

PC2
cat /etc/wireguard/wg0.conf
---------------------------
[Interface]
PrivateKey = PRIVATE_KEY_TEXT_PC2
Address = 10.0.0.2/24
#MTU = 9000

[Peer]
PresharedKey = PRE_KEY
PublicKey = PUBLIC_KEY_TEXT_PC1
AllowedIPs = 10.0.0.0/24
Endpoint = 10.77.77.1:51100
PersistentKeepalive = 20
---------------------------

Start and stop manually:
wg-quick up wg0
wg-quick down wg0

To enable at boot:
systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
systemctl status wg-quick@wg0

Another example config, for a client:
[Interface]
Address = 10.0.0.4/24
DNS = 8.8.8.8, 8.8.4.4
PrivateKey = PRIVATE_KEY_CLIENT
#PostUp = ip r a 0.0.0.0/1 dev wg0
#PostDown = ip r d 0.0.0.0/1 dev wg0

[Peer]
PublicKey = PUBLIC_KEY_SERVER_WG
#AllowedIPs = 0.0.0.0/0
AllowedIPs = 0.0.0.0/1 # with this, all traffic except local goes into the VPN (note: 0.0.0.0/1 covers only 0.0.0.0-127.255.255.255; add 128.0.0.0/1 for the other half)
Endpoint = IP_WG_SERVER:PORT_WG_SERVER
PersistentKeepalive = 25
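To catch the two pitfalls in the client config above before it goes live (a [Peer] without a PresharedKey, and a "full tunnel" AllowedIPs of 0.0.0.0/1 that leaves half of IPv4 routed outside the tunnel), here is an added Python checker. It is example code written for this page, not part of boringtun or wg-quick, and it runs on the constructed CLIENT_CONF sample embedded in it (the page's own placeholders kept as-is).

```python
import ipaddress

# Constructed sample: the client config from above, placeholders kept verbatim.
CLIENT_CONF = """\
[Interface]
Address = 10.0.0.4/24
DNS = 8.8.8.8, 8.8.4.4
PrivateKey = PRIVATE_KEY_CLIENT

[Peer]
PublicKey = PUBLIC_KEY_SERVER_WG
AllowedIPs = 0.0.0.0/1   # only half of IPv4
Endpoint = IP_WG_SERVER:PORT_WG_SERVER
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse wg-quick INI text into (interface, [peer, ...]) dicts with lowercase keys.
    Hand-rolled because configparser cannot keep repeated [Peer] sections apart."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # wg strips '#' comments the same way
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError("unknown section: " + name)
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError("malformed line: " + raw)
        current[key.strip().lower()] = value.strip()
    return interface, peers


def lint_wg_conf(text):
    """Findings: a peer with no PresharedKey, and a full-tunnel intent (a /0 or /1
    in AllowedIPs) whose collapsed IPv4 coverage still falls short of 2**32."""
    _interface, peers = parse_wg_conf(text)
    findings = []
    for i, peer in enumerate(peers):
        if "presharedkey" not in peer:
            findings.append(f"peer {i}: no PresharedKey")
        nets = [ipaddress.ip_network(n.strip())
                for n in peer.get("allowedips", "").split(",") if n.strip()]
        v4 = [n for n in nets if n.version == 4]
        if any(n.prefixlen <= 1 for n in v4):
            covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))
            if covered < 2 ** 32:
                findings.append(f"peer {i}: AllowedIPs covers {covered} of {2 ** 32} "
                                "IPv4 addresses; add 128.0.0.0/1 or use 0.0.0.0/0")
    return findings
```

Run it on each wg0.conf before `wg-quick up`; an empty list means neither pitfall is present.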
Example of starting manually in userspace
pc1
root@puzzleiperf1:/etc/wireguard# cat boringtun.sh
--------------------
boringtun-cli --log /root/boringtun.log --threads 4 --verbosity info wg0
ip a a 10.0.0.1/24 dev wg0
wg set wg0 private-key ./privatekey listen-port 51100
wg set wg0 peer PUBLIC_KEY_TEXT_PC2 allowed-ips 10.0.0.2/32 endpoint 10.77.77.2:51100
ip link set up dev wg0
----------------------

pc2
cat boringtun.sh
----------------------
boringtun-cli --log /root/boringtun.log --threads 4 --verbosity info wg0
ip a a 10.0.0.2/24 dev wg0
wg set wg0 listen-port 51100
wg set wg0 private-key ./privatekey
wg set wg0 peer PUBLIC_KEY_TEXT_PC1 allowed-ips 10.0.0.0/24 endpoint 10.77.77.1:51100
ip link set up dev wg0
-----------------------