Wireguard - Un VPN moderne

Wireguard est un VPN moderne, léger et très compact (4000 lignes de code) qui utilise les derniers algorithmes de cryptographie

• https://www.malekal.com/wireguard-installer-et-configurer-un-serveur-vpn-linux-et-client-windows-android-ubuntu/
• https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04

• sur chaque machine à jour (apt update && apt upgrade -y puis un redémarrage)

apt install -y wireguard wireguard-tools

• Adresse IP : ip 192.168.1.13/24

• Adresse IP VPN : 10.0.2.1/24 - 10.0.2.2/24

cd /etc/wireguard
umask 077 ; wg genkey | tee private.key | wg pubkey > public.key 
cat private.key 
WIgkDciQDO38k6mb5yT7FAivxnDuqbNHx+0qLAPfA24=
cat public.key 
lbCB7J6kdQlnwPu67KDJIshqZH66fdGwq6zaUrbws1c=

Editer le fichier /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.2.1/24 # Adresses autorisées dans le VPN
Listenport = 51820

# clé privée de machine A 
PrivateKey = qPF9uU7qsCbw3uKR1t2Q0gfr2HasTKZGPkCHz2AszUs= 
# UDP service port; 51820 is a common choice for WireGuard
ListenPort = 51820

[Peer]
PublicKey = zpNm6Du5j8Y2SqsWOcPj67KYPxqQ1M2sv0Uvi0a9oA8= # de machine B
AllowedIPs = 10.0.2.1/24 # le peer peut acceder au serveur

systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
wg 
wginterface: wg0
  public key: cHQaOlh6/d8tvPn/7ESawn+DcbO01UeR5Z/DvRu8YiI=
  private key: (hidden)
  listening port: 51820

root@A:~# wg
interface: wg0
  public key: cHQaOlh6/d8tvPn/7ESawn+DcbO01UeR5Z/DvRu8YiI=
  private key: (hidden)
  listening port: 47580
 
peer: wclxVxrolgdsquZ3gD9Ysu71+IQt7bFfetRfBsWKYWo=
  endpoint: 192.168.1.14:39785
  allowed ips: 10.0.0.2/32
  latest handshake: 22 minutes, 21 seconds ago
  transfer: 32.11 KiB received, 34.48 KiB sent

ip 192.168.1.14/24

• même manipulation pour les clés

cd /etc/wireguard
umask 077 ; wg genkey | tee private.key | wg pubkey > public.key 

• fichier etc/wireguard/wg0.conf

[Interface]
PrivateKey = SHUt1BtkKjAKn12MLKorv3Mm2G45iwseZigCDe1PXno=
Address = 10.0.2.2/32
#DNS = 192.168.1.254

[Peer]
PublicKey = xKzwFyVVjeyuLS/vSb1T3PgdGDS7kkaDABX1icr3Bjo= # de machineA
#AllowedIPs = 10.0.0.0/8, 192.168.1.0/24
AllowedIPs = 0.0.0.0/0
Wireguard - Scripts de configuration
Endpoint = 192.168.1.13:51820
Wireguard - Scripts de configuration
PersistentKeepalive = 20

La commande wg permet d'afficher les paramètres de base et l'état de fonctionnement de wireguard

wg
interface: wg0
  public key: zpNm6Du5j8Y2SqsWOcPj67KYPxqQ1M2sv0Uvi0a9oA8=
  private key: (hidden)
  listening port: 57250
  fwmark: 0xca6c
 
peer: xKzwFyVVjeyuLS/vSb1T3PgdGDS7kkaDABX1icr3Bjo=
  endpoint: 192.168.1.13:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 22 seconds ago
  transfer: 10.56 KiB received, 80.12 KiB sent
  persistent keepalive: every 20 seconds

Remarque : wireguard n'est pas activé au démarrage. Pour l'activer :

  systemctl enable --now wg-quick@wg0
  systemctl status wg-quick@wg0

Le script génère deux fichier de configuration wg0-a.conf et wg0-b.conf à copier sur les deux machines et à renommer wg0.conf

mkwgconf-p2p.sh

#!/bin/bash
set -u
set -e
 
AddressAwg=10.0.0.1/32  # Adresse VPN Wireguard extremite A
EndpointA=192.168.1.81  # Adresse extremite A
PortA=51820             # Port ecoute extremite A
AddressBwg=10.0.0.2/32  # Adresse VPN Wireguard extremite B
EndpointB=192.168.1.82  # Adresse extremite B
PortB=51820             # Port ecoute extremite B
 
umask 077 ;  
wg genkey > endpoint-a.key
wg pubkey < endpoint-a.key > endpoint-a.pub
 
wg genkey > endpoint-b.key
wg pubkey < endpoint-b.key > endpoint-b.pub
 
PKA=$(cat endpoint-a.key)
pKA=$(cat endpoint-a.pub)
PKB=$(cat endpoint-b.key)
pKB=$(cat endpoint-b.pub)
 
cat <<FINI > wg0-a.conf
# local settings for Endpoint A
[Interface]
PrivateKey = $PKA
Address = $AddressAwg
ListenPort = $PortA
 
# remote settings for Endpoint B
[Peer]
PublicKey = $pKB
Endpoint = ${EndpointB}:$PortB
AllowedIPs = $AddressBwg
FINI
 
 
cat <<FINI > wg0-b.conf
# local settings for Endpoint B
[Interface]
PrivateKey = $PKB
Address = $AddressBwg
ListenPort = $PortB
 
# remote settings for Endpoint A
[Peer]
PublicKey = $pKA
Endpoint = ${EndpointA}:$PortA
AllowedIPs = $AddressAwg
FINI

Le script est similaire au précédent avec en plus l'adresse du réseau distant dans la clause AllowedIPs (variables NetworkA et NetworkB)

mkwgconf-s2s.sh

#!/bin/bash
set -u
set -e
# Version Site to Site 
 
AddressAwg="10.0.0.1/32"  # Adresse VPN Wireguard cote A
EndpointA="192.168.1.81"  # Adresse extremite A
PortA="51820"  # Port ecoute extremite A
NetworkA="10.0.1.0/24" # reseau cote A
 
AddressBwg="10.0.0.2/32"  # Adresse VPN Wireguard cote B
EndpointB="192.168.1.82" # Adresse extremite B
PortB="51820"  # Port ecoute extremite B
NetworkB="10.0.2.0/24" # reseau cote B
 
umask 077
wg genkey > endpoint-a.key
wg pubkey < endpoint-a.key > endpoint-a.pub
 
wg genkey > endpoint-b.key
wg pubkey < endpoint-b.key > endpoint-b.pub
 
 
PKA=$(cat endpoint-a.key)
pKA=$(cat endpoint-a.pub)
PKB=$(cat endpoint-b.key)
pKB=$(cat endpoint-b.pub)
 
cat <<FINI > wg0-a.conf
# local settings for Endpoint A
[Interface]
PrivateKey = $PKA
Address = $AddressAwg
ListenPort = $PortA
 
# IP forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
 
# remote settings for Endpoint B
[Peer]
PublicKey = $pKB
Endpoint = ${EndpointB}:$PortB
AllowedIPs = $AddressBwg, $NetworkB
 
FINI
 
 
cat <<FINI > wg0-b.conf
# local settings for Endpoint B
[Interface]
PrivateKey = $PKB
Address = $AddressBwg
ListenPort = $PortB
 
# IP forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
 
# remote settings for Endpoint A
[Peer]
PublicKey = $pKA
Endpoint = ${EndpointA}:$PortA
AllowedIPs = $AddressAwg, $NetworkA
 
FINI
 
echo "wg0-a.conf et wg0-b.conf sont generes ..."
echo "copier wg0-b.conf sur la machine b et renommer les fichiers de configuration ..."