WireGuard is a modern, lightweight and very compact VPN (about 4000 lines of code) that uses current cryptographic algorithms.
apt update && apt upgrade -y
(then reboot)
apt install -y wireguard wireguard-tools
cd /etc/wireguard
umask 077 ; wg genkey | tee private.key | wg pubkey > public.key
cat private.key
WIgkDciQDO38k6mb5yT7FAivxnDuqbNHx+0qLAPfA24=
cat public.key
lbCB7J6kdQlnwPu67KDJIshqZH66fdGwq6zaUrbws1c=
Edit the file /etc/wireguard/wg0.conf:
[Interface]
Address = 10.0.2.1/24   # addresses allowed inside the VPN
# private key of machine A
PrivateKey = qPF9uU7qsCbw3uKR1t2Q0gfr2HasTKZGPkCHz2AszUs=
# UDP listening port; 51820 is the usual choice for WireGuard
ListenPort = 51820

[Peer]
PublicKey = zpNm6Du5j8Y2SqsWOcPj67KYPxqQ1M2sv0Uvi0a9oA8=   # of machine B
AllowedIPs = 10.0.2.1/24   # the peer can reach the server
systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
wg
interface: wg0
  public key: cHQaOlh6/d8tvPn/7ESawn+DcbO01UeR5Z/DvRu8YiI=
  private key: (hidden)
  listening port: 51820
root@A:~# wg
interface: wg0
  public key: cHQaOlh6/d8tvPn/7ESawn+DcbO01UeR5Z/DvRu8YiI=
  private key: (hidden)
  listening port: 47580

peer: wclxVxrolgdsquZ3gD9Ysu71+IQt7bFfetRfBsWKYWo=
  endpoint: 192.168.1.14:39785
  allowed ips: 10.0.0.2/32
  latest handshake: 22 minutes, 21 seconds ago
  transfer: 32.11 KiB received, 34.48 KiB sent
Machine B (ip 192.168.1.14/24)
cd /etc/wireguard
umask 077 ; wg genkey | tee private.key | wg pubkey > public.key
[Interface]
PrivateKey = SHUt1BtkKjAKn12MLKorv3Mm2G45iwseZigCDe1PXno=
Address = 10.0.2.2/32
#DNS = 192.168.1.254

[Peer]
PublicKey = xKzwFyVVjeyuLS/vSb1T3PgdGDS7kkaDABX1icr3Bjo=   # of machine A
#AllowedIPs = 10.0.0.0/8, 192.168.1.0/24
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.1.13:51820
PersistentKeepalive = 20
The wg command displays WireGuard's basic parameters and its running state:
wg
interface: wg0
  public key: zpNm6Du5j8Y2SqsWOcPj67KYPxqQ1M2sv0Uvi0a9oA8=
  private key: (hidden)
  listening port: 57250
  fwmark: 0xca6c

peer: xKzwFyVVjeyuLS/vSb1T3PgdGDS7kkaDABX1icr3Bjo=
  endpoint: 192.168.1.13:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 22 seconds ago
  transfer: 10.56 KiB received, 80.12 KiB sent
  persistent keepalive: every 20 seconds
Note: WireGuard is not enabled at boot. To enable it:
systemctl enable --now wg-quick@wg0
systemctl status wg-quick@wg0
WireGuard - Configuration scripts

The script generates two configuration files, wg0-a.conf and wg0-b.conf, to be copied to the two machines and renamed wg0.conf.
#!/bin/bash
set -u
set -e

AddressAwg=10.0.0.1/32   # WireGuard VPN address of endpoint A
EndpointA=192.168.1.81   # Endpoint A address
PortA=51820              # Endpoint A listening port

AddressBwg=10.0.0.2/32   # WireGuard VPN address of endpoint B
EndpointB=192.168.1.82   # Endpoint B address
PortB=51820              # Endpoint B listening port

# One key pair per endpoint; umask 077 keeps the private keys readable by root only
umask 077
wg genkey > endpoint-a.key
wg pubkey < endpoint-a.key > endpoint-a.pub
wg genkey > endpoint-b.key
wg pubkey < endpoint-b.key > endpoint-b.pub

PKA=$(cat endpoint-a.key)   # private key of A
pKA=$(cat endpoint-a.pub)   # public key of A
PKB=$(cat endpoint-b.key)   # private key of B
pKB=$(cat endpoint-b.pub)   # public key of B

cat <<FINI > wg0-a.conf
# local settings for Endpoint A
[Interface]
PrivateKey = $PKA
Address = $AddressAwg
ListenPort = $PortA

# remote settings for Endpoint B
[Peer]
PublicKey = $pKB
Endpoint = ${EndpointB}:$PortB
AllowedIPs = $AddressBwg
FINI

cat <<FINI > wg0-b.conf
# local settings for Endpoint B
[Interface]
PrivateKey = $PKB
Address = $AddressBwg
ListenPort = $PortB

# remote settings for Endpoint A
[Peer]
PublicKey = $pKA
Endpoint = ${EndpointA}:$PortA
AllowedIPs = $AddressAwg
FINI
The script is similar to the previous one, but additionally puts the remote network's address in the AllowedIPs clause (variables NetworkA and NetworkB).
#!/bin/bash
set -u
set -e
# Site-to-site version

AddressAwg="10.0.0.1/32"   # WireGuard VPN address on side A
EndpointA="192.168.1.81"   # Endpoint A address
PortA="51820"              # Endpoint A listening port
NetworkA="10.0.1.0/24"     # network on side A

AddressBwg="10.0.0.2/32"   # WireGuard VPN address on side B
EndpointB="192.168.1.82"   # Endpoint B address
PortB="51820"              # Endpoint B listening port
NetworkB="10.0.2.0/24"     # network on side B

# One key pair per endpoint; umask 077 keeps the private keys readable by root only
umask 077
wg genkey > endpoint-a.key
wg pubkey < endpoint-a.key > endpoint-a.pub
wg genkey > endpoint-b.key
wg pubkey < endpoint-b.key > endpoint-b.pub

PKA=$(cat endpoint-a.key)   # private key of A
pKA=$(cat endpoint-a.pub)   # public key of A
PKB=$(cat endpoint-b.key)   # private key of B
pKB=$(cat endpoint-b.pub)   # public key of B

cat <<FINI > wg0-a.conf
# local settings for Endpoint A
[Interface]
PrivateKey = $PKA
Address = $AddressAwg
ListenPort = $PortA
# IP forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1

# remote settings for Endpoint B
[Peer]
PublicKey = $pKB
Endpoint = ${EndpointB}:$PortB
AllowedIPs = $AddressBwg, $NetworkB
FINI

cat <<FINI > wg0-b.conf
# local settings for Endpoint B
[Interface]
PrivateKey = $PKB
Address = $AddressBwg
ListenPort = $PortB
# IP forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1

# remote settings for Endpoint A
[Peer]
PublicKey = $pKA
Endpoint = ${EndpointA}:$PortA
AllowedIPs = $AddressAwg, $NetworkA
FINI

echo "wg0-a.conf et wg0-b.conf sont generes ..."
echo "copier wg0-b.conf sur la machine b et renommer les fichiers de configuration ..."
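Before copying a generated pair (or the hand-written wg0.conf files earlier on this page) to the two machines, it is worth checking that the two sides agree: every key is a 32-byte base64 value, each side's tunnel address is covered by the other side's AllowedIPs, and no AllowedIPs entry has host bits set (an entry such as 10.0.2.1/24 is silently installed as the route 10.0.2.0/24). The checker below is an added example, not part of the page or of the scripts above; the parser, the check_pair function and the sample pair with placeholder keys are all constructed here.

```python
import ipaddress
import re

def parse_wg_conf(text):
    # Minimal wg-quick parser: comments stripped, one [Interface], any number of [Peer] sections
    conf, target = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            target = conf["Interface"]
        elif line == "[Peer]":
            conf["Peer"].append({})
            target = conf["Peer"][-1]
        elif line:
            key, _, value = line.partition("=")
            target[key.strip()] = value.strip()
    return conf

def is_wg_key(value):
    # A 32-byte Curve25519 key encodes as 43 base64 characters plus one '=' of padding
    return re.fullmatch(r"[A-Za-z0-9+/]{43}=", value) is not None

def check_pair(text_a, text_b):
    # Cross-check a generated wg0-a.conf / wg0-b.conf pair; returns a list of findings
    confs = {"A": parse_wg_conf(text_a), "B": parse_wg_conf(text_b)}
    findings, nets = [], {"A": [], "B": []}   # nets: what each side routes into the tunnel
    for name, conf in confs.items():
        if not is_wg_key(conf["Interface"].get("PrivateKey", "")):
            findings.append(f"{name}: PrivateKey is not a 32-byte base64 key")
        for peer in conf["Peer"]:
            if not is_wg_key(peer.get("PublicKey", "")):
                findings.append(f"{name}: peer PublicKey is not a 32-byte base64 key")
            for cidr in filter(None, peer.get("AllowedIPs", "").replace(" ", "").split(",")):
                net = ipaddress.ip_network(cidr, strict=False)
                nets[name].append(net)
                if str(net) != cidr:   # e.g. 10.0.2.1/24 is installed as the route 10.0.2.0/24
                    findings.append(f"{name}: AllowedIPs {cidr} has host bits set, routes {net}")
    for me, other in (("A", "B"), ("B", "A")):
        # The other side must route this side's tunnel address, or replies never enter the tunnel
        my_ip = ipaddress.ip_interface(confs[me]["Interface"]["Address"]).ip
        if not any(my_ip in net for net in nets[other]):
            findings.append(f"{other}: AllowedIPs does not cover {me}'s tunnel address {my_ip}")
    return findings

# Constructed sample pair with placeholder keys (not real ones), laid out like the heredocs above
K = [c * 43 + "=" for c in "ABCD"]
CONF_A = (f"[Interface]\nPrivateKey = {K[0]}\nAddress = 10.0.0.1/32\nListenPort = 51820\n"
          f"[Peer]\nPublicKey = {K[3]}\nEndpoint = 192.168.1.82:51820\nAllowedIPs = 10.0.0.2/32\n")
CONF_B = (f"[Interface]\nPrivateKey = {K[2]}\nAddress = 10.0.0.2/32\nListenPort = 51820\n"
          f"[Peer]\nPublicKey = {K[1]}\nEndpoint = 192.168.1.81:51820\nAllowedIPs = 10.0.0.1/24\n")
```

Running check_pair(CONF_A, CONF_B) on the sample reports only that side B's AllowedIPs 10.0.0.1/24 has host bits set; the real files can be checked with check_pair(open("wg0-a.conf").read(), open("wg0-b.conf").read()).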