Using WireGuard

Posted by 黄生 on 2022/08/27 17:41:11

First, some concepts.

ip command concepts:
link    - network device.
address - protocol (IP or IPv6) address on a device. (abbr. a/addr)
tunnel  - tunnel over IP.

WireGuard concepts:
peer     - Logical member of a WireGuard VPN. Each peer has its own Public Key Pair, used to uniquely identify the peer.
           A peer is exposed internally to the host through a WireGuard Interface, and externally as a WireGuard Endpoint.
endpoint - External IP Address and Network Port by which a WireGuard Interface can be reached on a remote Host.
           Put simply, this is usually the IP address and port of the machine's physical NIC.
tunnel   - logical connection between one WireGuard Peer and another.
           traffic is encrypted and wrapped by the WireGuard interface on the first host, 
           and sent out some other physical Network Interface on the host; 
           finally received on some physical interface of the destination host (matching the WireGuard Endpoint for destination peer); 
           unwrapped, decrypted, and handed off to the network stack on the destination host as if it had come into its WireGuard interface from a direct physical connection.
vpn      - Virtual Private Network. Typically the communication between hosts in a VPN is routed via private network addresses. 
           This enables applications running on two hosts separated by multiple insecure, physical networks to communicate 
           as if they had a direct, secure connection to one another.
vpn server - Host that can route traffic from other hosts in a VPN to hosts outside of the VPN.
             For consumer-oriented VPNs, a VPN server usually routes traffic from the VPN to the Internet; 
             for business VPNs, a VPN server usually routes traffic from the VPN to other private networks of the business.
             With WireGuard, any host (if so configured) can act as a VPN server — the WireGuard protocol does not have built-in server or client roles.
vpn client - Host that is part of a VPN, but does not route traffic for other hosts in the VPN.

Now a diagram:

(image.png, not reproduced here)

The two servers are as follows:

A: 10.0.0.27     (CentOS 8.5 kernel 4.18.0)
B: 192.168.0.37  (Huawei Cloud EulerOS release 2.0 (West Lake) kernel 5.10.0)

They are located in two different VPNs within the same region, with a peering connection already set up, so they can reach each other.

The steps are:

  1. Use the wg tool to generate a private/public key pair (see reference)
  2. Load the wireguard kernel module
  3. Use the ip command to add a network device of type wireguard named wg0, and set its IP address
  4. Use the wg tool to set wg0's listening port and private key file path, and to configure the peer using the peer's public key

Run the following on A:

modprobe wireguard
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
ip link add dev wg0 type wireguard
ip address add dev wg0 172.16.0.1/24
wg set wg0 listen-port 7777
wg set wg0 private-key /etc/wireguard/privatekey
wg set wg0 peer f+Ifa5PiXuwnpBssV5pnOTY//qPYfxQF3EoteD3SVWs= allowed-ips 172.16.0.2/24 endpoint 192.168.0.37:8888
#At this point a warning appears:
#Warning: AllowedIP has nonzero host part: 172.16.0.2/24
ip link set dev wg0 up

After running this, check the network and routing information:

[root@ecs-d589 thirdtool]# ip a
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.16.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
[root@ecs-d589 thirdtool]# wg
interface: wg0
  public key: VMEXQFMcZDJ7W4k0Ok9nH+7fy3Mv6PSJcX0/fqPYqSg=
  private key: (hidden)
  listening port: 7777

peer: f+Ifa5PiXuwnpBssV5pnOTY//qPYfxQF3EoteD3SVWs=
  endpoint: 192.168.0.37:8888
  allowed ips: 172.16.0.0/24

[root@ecs-d589 thirdtool]# ip r
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.27 metric 100
169.254.169.254 via 10.0.0.254 dev eth0 proto dhcp metric 100
172.16.0.0/24 dev wg0 proto kernel scope link src 172.16.0.1

Also check the debug messages printed by wireguard:

[root@ecs-d589 ~]# dmesg -wT |grep wireguard
[Sat Aug 27 16:13:56 2022] wireguard: WireGuard 1.0.20220627 loaded. See www.wireguard.com for information.
[Sat Aug 27 16:13:56 2022] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
[Sat Aug 27 16:23:22 2022] wireguard: wg0: Interface created
[Sat Aug 27 16:23:46 2022] wireguard: wg0: Peer 1 created

#Output after communication with the peer starts
[Sat Aug 27 17:12:56 2022] wireguard: wg0: Sending handshake initiation to peer 1 (192.168.0.37:8888)
[Sat Aug 27 17:12:56 2022] wireguard: wg0: Receiving handshake response from peer 1 (192.168.0.37:8888)
[Sat Aug 27 17:12:56 2022] wireguard: wg0: Keypair 1 created for peer 1
[Sat Aug 27 17:13:08 2022] wireguard: wg0: Sending keepalive packet to peer 1 (192.168.0.37:8888)

[Sat Aug 27 17:22:16 2022] wireguard: wg0: Zeroing out all keys for peer 1 (192.168.0.37:8888), since we haven't received a new one in 540 seconds
[Sat Aug 27 17:22:16 2022] wireguard: wg0: Keypair 1 destroyed for peer 1

[Sat Aug 27 17:28:00 2022] wireguard: wg0: Receiving handshake initiation from peer 1 (192.168.0.37:8888)
[Sat Aug 27 17:28:00 2022] wireguard: wg0: Sending handshake response to peer 1 (192.168.0.37:8888)
[Sat Aug 27 17:28:00 2022] wireguard: wg0: Keypair 2 created for peer 1
[Sat Aug 27 17:28:10 2022] wireguard: wg0: Sending keepalive packet to peer 1 (192.168.0.37:8888)

#Unloading the module
[Sat Aug 27 17:33:21 2022] wireguard: wg0: Keypair 2 destroyed for peer 1
[Sat Aug 27 17:33:21 2022] wireguard: wg0: Peer 1 (192.168.0.37:8888) destroyed
[Sat Aug 27 17:33:21 2022] wireguard: wg0: Interface destroyed

B is configured in the same way. Next comes the communication test through the tunnel; before that, start a packet capture on A. First, look at the local interfaces.

[root@ecs-d589 ~]# tcpdump -D
1.eth0 [Up, Running]
2.wg0 [Up, Running]
3.lo [Up, Running, Loopback]
4.any (Pseudo-device that captures on all interfaces) [Up, Running]
5.bluetooth-monitor (Bluetooth Linux Monitor) [none]
6.nflog (Linux netfilter log (NFLOG) interface) [none]
7.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
8.usbmon0 (Raw USB traffic, all USB buses) [none]
9.usbmon1 (Raw USB traffic, bus number 1)

The interfaces we care about are eth0 and wg0: one is the physical Ethernet interface, the other is the virtual VPN interface used by WireGuard.

A first pings B, then B accesses an HTTP service on A.
Finally, the module is unloaded.

[root@ecs-d589 thirdtool]# ping 172.16.0.2 -c 3
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
64 bytes from 172.16.0.2: icmp_seq=1 ttl=64 time=6.10 ms
64 bytes from 172.16.0.2: icmp_seq=2 ttl=64 time=2.76 ms
64 bytes from 172.16.0.2: icmp_seq=3 ttl=64 time=2.77 ms

[root@ecs-hce tool]# curl http://172.16.0.1/t.htm
<html>
    this is a test html page...
</html>
[root@ecs-hce tool]# wg
interface: wg0
  public key: f+Ifa5PiXuwnpBssV5pnOTY//qPYfxQF3EoteD3SVWs=
  private key: (hidden)
  listening port: 8888

peer: VMEXQFMcZDJ7W4k0Ok9nH+7fy3Mv6PSJcX0/fqPYqSg=
  endpoint: 10.0.0.27:7777
  allowed ips: 172.16.0.0/24
  latest handshake: 3 seconds ago
  transfer: 1.30 KiB received, 1.25 KiB sent

The capture output follows. WireGuard uses UDP, carried over the physical interface eth0, while the virtual VPN interface wg0 sees only the final application data and does not need to care about the VPN's security details.

[root@ecs-d589 ~]# tcpdump -nn -i eth0 port 7777
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:13:32.515293 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 148
17:13:32.518463 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 92
17:13:32.518583 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 128
17:13:32.521233 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 128
17:13:33.516573 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 128
17:13:33.519160 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 128
17:13:34.518470 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 128
17:13:34.521037 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 128
17:13:44.755339 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 32

17:28:36.768090 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 148
17:28:36.768383 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 92
17:28:36.771250 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 96
17:28:36.771346 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 96
17:28:36.773890 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 96
17:28:36.773922 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 176
17:28:36.773956 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 96
17:28:36.774266 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 384
17:28:36.776728 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 96
17:28:36.777705 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 96
17:28:36.777934 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 96
17:28:36.780430 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 96
17:28:46.899323 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 32

[root@ecs-d589 ~]# tcpdump -nn -i wg0
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
17:13:32.515158 IP 172.16.0.1 > 172.16.0.2: ICMP echo request, id 65184, seq 1, length 64
17:13:32.521252 IP 172.16.0.2 > 172.16.0.1: ICMP echo reply, id 65184, seq 1, length 64
17:13:33.516441 IP 172.16.0.1 > 172.16.0.2: ICMP echo request, id 65184, seq 2, length 64
17:13:33.519183 IP 172.16.0.2 > 172.16.0.1: ICMP echo reply, id 65184, seq 2, length 64
17:13:34.518339 IP 172.16.0.1 > 172.16.0.2: ICMP echo request, id 65184, seq 3, length 64
17:13:34.521090 IP 172.16.0.2 > 172.16.0.1: ICMP echo reply, id 65184, seq 3, length 64

17:28:36.771327 IP 172.16.0.2.37464 > 172.16.0.1.80: Flags [S], seq 2937783468, win 64860, options [mss 1380,sackOK,TS val 3318454630 ecr 0,nop,wscale 7], length 0
17:28:36.771340 IP 172.16.0.1.80 > 172.16.0.2.37464: Flags [S.], seq 2287813111, ack 2937783469, win 27360, options [mss 1380,sackOK,TS val 2859528380 ecr 3318454630,nop,wscale 7], length 0
17:28:36.773906 IP 172.16.0.2.37464 > 172.16.0.1.80: Flags [.], ack 1, win 507, options [nop,nop,TS val 3318454636 ecr 2859528380], length 0
17:28:36.773932 IP 172.16.0.2.37464 > 172.16.0.1.80: Flags [P.], seq 1:80, ack 1, win 507, options [nop,nop,TS val 3318454636 ecr 2859528380], length 79: HTTP: GET /t.htm HTTP/1.1
17:28:36.773945 IP 172.16.0.1.80 > 172.16.0.2.37464: Flags [.], ack 80, win 214, options [nop,nop,TS val 2859528382 ecr 3318454636], length 0
17:28:36.774175 IP 172.16.0.1.80 > 172.16.0.2.37464: Flags [P.], seq 1:290, ack 80, win 214, options [nop,nop,TS val 2859528383 ecr 3318454636], length 289: HTTP: HTTP/1.1 200 OK
17:28:36.776788 IP 172.16.0.2.37464 > 172.16.0.1.80: Flags [.], ack 290, win 505, options [nop,nop,TS val 3318454639 ecr 2859528383], length 0
17:28:36.777800 IP 172.16.0.2.37464 > 172.16.0.1.80: Flags [F.], seq 80, ack 290, win 505, options [nop,nop,TS val 3318454639 ecr 2859528383], length 0
17:28:36.777847 IP 172.16.0.1.80 > 172.16.0.2.37464: Flags [F.], seq 290, ack 81, win 214, options [nop,nop,TS val 2859528386 ecr 3318454639], length 0
17:28:36.780445 IP 172.16.0.2.37464 > 172.16.0.1.80: Flags [.], ack 291, win 505, options [nop,nop,TS val 3318454642 ecr 2859528386], length 0
#After the module is unloaded
tcpdump: pcap_loop: The interface went down
16 packets captured
16 packets received by filter
0 packets dropped by kernel
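As an added example (not from the original post), the following Python script classifies the eth0 capture lines above by WireGuard message size, which lets a defender recognise handshakes and keepalives on the wire without decrypting anything, and reproduces the AllowedIP masking behind the warning seen during A's setup: 172.16.0.2/24 is stored as 172.16.0.0/24, so the peer is allowed to source any address in that /24 (allowed-ips is WireGuard's cryptokey routing filter; a /32 per peer is the tighter setting). The sample lines are copied from the capture on this page, the message sizes come from the WireGuard protocol specification, and the function names are my own.

```python
import ipaddress
import re

HANDSHAKE_INITIATION = 148  # fixed UDP payload sizes from the WireGuard protocol spec
HANDSHAKE_RESPONSE = 92
# Transport data = 16-byte header + inner IP packet padded to 16 + 16-byte tag;
# exactly 32 bytes is an empty payload, i.e. a keepalive.
TRANSPORT_OVERHEAD = 32

LINE_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")

# Constructed sample: lines copied from the eth0 capture in this post.
SAMPLE = """\
17:13:32.515293 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 148
17:13:32.518463 IP 192.168.0.37.8888 > 10.0.0.27.7777: UDP, length 92
17:13:32.518583 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 128
17:13:44.755339 IP 10.0.0.27.7777 > 192.168.0.37.8888: UDP, length 32
"""

def classify(udp_len: int) -> str:
    """Name the WireGuard message a UDP payload of this size can be."""
    if udp_len == HANDSHAKE_INITIATION:
        return "handshake-initiation"
    if udp_len == HANDSHAKE_RESPONSE:
        return "handshake-response"
    if udp_len == TRANSPORT_OVERHEAD:
        return "keepalive"
    if udp_len > TRANSPORT_OVERHEAD and (udp_len - TRANSPORT_OVERHEAD) % 16 == 0:
        return "transport-data"
    return "unknown"

def parse_capture(text: str) -> list:
    """Parse `tcpdump -nn` UDP lines into records; inner_max bounds the inner IP packet size."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner lines and non-UDP records are ignored
        ts, src, sport, dst, dport, length = m.groups()
        n = int(length)
        records.append({"ts": ts, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                        "len": n, "kind": classify(n),
                        "inner_max": max(n - TRANSPORT_OVERHEAD, 0)})
    return records

def allowed_ip_network(cidr: str) -> tuple:
    """What `wg set ... allowed-ips` keeps for 172.16.0.2/24: the masked /24, plus whether wg warns."""
    iface = ipaddress.ip_interface(cidr)
    return str(iface.network), iface.ip != iface.network.network_address
```

The 128-byte transport packets correspond to the 84-byte ICMP echoes seen on wg0 (padded to 96, plus the 32-byte envelope), and the 32-byte packet at 17:13:44 is the keepalive logged in dmesg.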

On B:

modprobe wireguard
ip link add dev wg0 type wireguard
ip address add dev wg0 172.16.0.2/24
wg set wg0 listen-port 8888
wg set wg0 private-key /etc/wireguard/privatekey
wg set wg0 peer VMEXQFMcZDJ7W4k0Ok9nH+7fy3Mv6PSJcX0/fqPYqSg= allowed-ips 172.16.0.1/24 endpoint 10.0.0.27:7777
#At this point there is likewise a Warning: AllowedIP has nonzero host part: 172.16.0.1/24
ip link set dev wg0 up

After running this, check the network information:

[root@ecs-hce tool]# ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.16.0.2/24 scope global wg0
       valid_lft forever preferred_lft forever
[root@ecs-hce tool]# wg
interface: wg0
  public key: f+Ifa5PiXuwnpBssV5pnOTY//qPYfxQF3EoteD3SVWs=
  private key: (hidden)
  listening port: 8888

peer: VMEXQFMcZDJ7W4k0Ok9nH+7fy3Mv6PSJcX0/fqPYqSg=
  endpoint: 10.0.0.27:7777
  allowed ips: 172.16.0.0/24

wireguard debug output:

[root@ecs-hce ~]# dmesg -wT|grep wireguard
[Sat Aug 27 16:22:11 2022] wireguard: allowedips self-tests: pass
[Sat Aug 27 16:22:11 2022] wireguard: nonce counter self-tests: pass
[Sat Aug 27 16:22:11 2022] wireguard: ratelimiter self-tests: pass
[Sat Aug 27 16:22:11 2022] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
[Sat Aug 27 16:22:11 2022] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
[Sat Aug 27 16:30:47 2022] wireguard: wg0: Interface created
[Sat Aug 27 16:30:47 2022] wireguard: wg0: Peer 1 created

#Output after communication with the peer starts. Clearly the timestamps shown here do not match the peer's.
[Sat Aug 27 17:13:16 2022] wireguard: wg0: Receiving handshake initiation from peer 1 (10.0.0.27:7777)
[Sat Aug 27 17:13:16 2022] wireguard: wg0: Sending handshake response to peer 1 (10.0.0.27:7777)
[Sat Aug 27 17:13:16 2022] wireguard: wg0: Keypair 1 created for peer 1
[Sat Aug 27 17:13:28 2022] wireguard: wg0: Receiving keepalive packet from peer 1 (10.0.0.27:7777)

[Sat Aug 27 17:22:28 2022] wireguard: wg0: Zeroing out all keys for peer 1 (10.0.0.27:7777), since we haven't received a new one in 540 seconds
[Sat Aug 27 17:22:28 2022] wireguard: wg0: Keypair 1 destroyed for peer 1

[Sat Aug 27 17:28:20 2022] wireguard: wg0: Sending handshake initiation to peer 1 (10.0.0.27:7777)
[Sat Aug 27 17:28:20 2022] wireguard: wg0: Receiving handshake response from peer 1 (10.0.0.27:7777)
[Sat Aug 27 17:28:20 2022] wireguard: wg0: Keypair 2 created for peer 1
[Sat Aug 27 17:28:30 2022] wireguard: wg0: Receiving keepalive packet from peer 1 (10.0.0.27:7777)

#The peer unloaded its module; nothing is printed here.

[root@ecs-hce tool]# wg
interface: wg0
  public key: f+Ifa5PiXuwnpBssV5pnOTY//qPYfxQF3EoteD3SVWs=
  private key: (hidden)
  listening port: 8888

peer: VMEXQFMcZDJ7W4k0Ok9nH+7fy3Mv6PSJcX0/fqPYqSg=
  endpoint: 10.0.0.27:7777
  allowed ips: 172.16.0.0/24
  latest handshake: 7 minutes, 7 seconds ago
  transfer: 1.33 KiB received, 1.25 KiB sent

#But once the handshake timeout expires, there is output
[Sat Aug 27 17:37:29 2022] wireguard: wg0: Zeroing out all keys for peer 1 (10.0.0.27:7777), since we haven't received a new one in 540 seconds
[Sat Aug 27 17:37:29 2022] wireguard: wg0: Keypair 2 destroyed for peer 1

[root@ecs-hce tool]# wg
interface: wg0
  public key: f+Ifa5PiXuwnpBssV5pnOTY//qPYfxQF3EoteD3SVWs=
  private key: (hidden)
  listening port: 8888

peer: VMEXQFMcZDJ7W4k0Ok9nH+7fy3Mv6PSJcX0/fqPYqSg=
  endpoint: 10.0.0.27:7777
  allowed ips: 172.16.0.0/24
  latest handshake: 10 minutes, 56 seconds ago
  transfer: 1.33 KiB received, 1.25 KiB sent

[Copyright notice] This article is original content by a Huawei Cloud community user. When reproducing it, you must credit the source (Huawei Cloud community), the article link, the author and other basic information; otherwise the author and the community reserve the right to pursue liability. If you find content in this community suspected of plagiarism, please report it by email with supporting evidence; once verified, the community will immediately remove the infringing content. Report email: cloudbbs@huaweicloud.com