Ubuntu 22.04
# apt install wireguard
Server keys (private key: privkey, public key: pubkey)
mkdir -p ~/WireGuard/server && cd ~/WireGuard/server
wg genkey > privkey
cat privkey | wg pubkey > pubkey
cat privkey
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXSUQ=
cat pubkey
YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYSUQ=
Client keys (private key: privkey, public key: pubkey, pre-shared key: preshared)
CL=client01
mkdir -p ~/WireGuard/${CL} && cd ~/WireGuard/${CL}
wg genkey > privkey
cat privkey | wg pubkey > pubkey
wg genpsk > preshared
cat preshared
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZk=
cat privkey
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
cat pubkey
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBQ=
If there is a client02 or more, generate a key set for each of them the same way.
CL=client02
mkdir -p ~/WireGuard/${CL} && cd ~/WireGuard/${CL}
wg genkey > privkey
cat privkey | wg pubkey > pubkey
wg genpsk > preshared
Server config. Note: the AllowedIPs given for each Peer here is written as a /32 (a single-host mask), so the server routes exactly one tunnel address to each client.
SERVER_privkey=`cat ~/WireGuard/server/privkey`
CLIENT01_pubkey=`cat ~/WireGuard/client01/pubkey`
CLIENT01_preshared=`cat ~/WireGuard/client01/preshared`
cat << __EOM__ > /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.1.1/24 #IP assigned to wg0
ListenPort = 51820
PrivateKey = ${SERVER_privkey} #value of ~/WireGuard/server/privkey

[Peer]
# client01
PublicKey = ${CLIENT01_pubkey} #value of ~/WireGuard/client01/pubkey
PresharedKey = ${CLIENT01_preshared} #value of ~/WireGuard/client01/preshared
AllowedIPs = 10.0.1.2/32 #IP assigned to client01

[Peer]
# client02
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBQ= #value of ~/WireGuard/client02/pubkey
PresharedKey = ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZk= #value of ~/WireGuard/client02/preshared
AllowedIPs = 10.0.1.3/32 #IP assigned to client02
__EOM__
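The generated wg0.conf is worth checking before it is brought up, because a mistake there silently shapes routing for every client. The following Python script is an added example, not code from the original page: it lints a server config of the shape built above, enforcing the /32 rule from the note and also catching missing keys, a public key reused by two peers, duplicate AllowedIPs, and a peer address outside the [Interface] network. The embedded config is constructed sample input with placeholder keys (two mistakes are planted in it on purpose), and the function names are the example's own.

```python
"""Lint a WireGuard server config (wg-quick style INI).

Added example, not part of the original page. Sample config below is
constructed, with placeholder strings where real keys would be.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the layout of the page's wg0.conf. Two planted
# mistakes: client02's AllowedIPs is a /24 (would hand the whole subnet to
# one peer) and client03 reuses client01's public key and lives outside
# the tunnel network.
SAMPLE_SERVER_CONF = """
[Interface]
Address = 10.0.1.1/24   #IP on wg0
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=

[Peer]
# client01
PublicKey = CLIENT01_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = CLIENT01_PSK_PLACEHOLDER=
AllowedIPs = 10.0.1.2/32

[Peer]
# client02
PublicKey = CLIENT02_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = CLIENT02_PSK_PLACEHOLDER=
AllowedIPs = 10.0.1.0/24

[Peer]
# client03
PublicKey = CLIENT01_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.0.2.4/32
"""


def parse_wg_conf(text: str) -> List[Dict[str, str]]:
    """Parse INI text into sections: {"_type": "Interface"|"Peer", key: value, ...}.

    Keys are lower-cased; '#' to end of line is stripped, as wg-quick does
    before handing the file to wg(8).
    """
    sections: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = {"_type": header.group(1)}
            sections.append(current)
            continue
        if "_type" not in current:
            raise ValueError(f"key/value before any section header: {raw!r}")
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return sections


def lint_server_conf(text: str) -> List[str]:
    """Return findings for a server-side config; an empty list means it passed."""
    findings: List[str] = []
    sections = parse_wg_conf(text)
    interfaces = [s for s in sections if s["_type"] == "Interface"]
    peers = [s for s in sections if s["_type"] == "Peer"]

    if len(interfaces) != 1:
        return [f"expected exactly one [Interface], found {len(interfaces)}"]
    iface = interfaces[0]
    for required in ("privatekey", "address", "listenport"):
        if required not in iface:
            findings.append(f"[Interface] is missing {required}")
    try:
        tunnel_net = ipaddress.ip_interface(iface["address"]).network
    except (KeyError, ValueError):
        findings.append("[Interface] Address is missing or not parseable")
        return findings

    seen_pubkeys: Dict[str, int] = {}  # public key -> peer index
    seen_ips: Dict[str, int] = {}      # AllowedIPs entry -> peer index
    for idx, peer in enumerate(peers, start=1):
        label = f"[Peer] #{idx}"
        pub = peer.get("publickey")
        if not pub:
            findings.append(f"{label} has no PublicKey")
        elif pub in seen_pubkeys:
            findings.append(f"{label} reuses the PublicKey of peer #{seen_pubkeys[pub]}")
        else:
            seen_pubkeys[pub] = idx
        if "presharedkey" not in peer:
            findings.append(f"{label} has no PresharedKey (optional, but every client above gets one)")
        allowed = peer.get("allowedips")
        if not allowed:
            findings.append(f"{label} has no AllowedIPs")
            continue
        for cidr in (c.strip() for c in allowed.split(",")):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"{label} AllowedIPs entry {cidr!r} is not a valid CIDR")
                continue
            # Server side: each client must be a single host route (/32 or /128).
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"{label} AllowedIPs {cidr} is not a single host route (/32 or /128)")
            if net.version != tunnel_net.version or not net.subnet_of(tunnel_net):
                findings.append(f"{label} AllowedIPs {cidr} is outside the tunnel network {tunnel_net}")
            if cidr in seen_ips:
                findings.append(f"{label} AllowedIPs {cidr} duplicates peer #{seen_ips[cidr]}")
            else:
                seen_ips[cidr] = idx
    return findings


if __name__ == "__main__":
    for finding in lint_server_conf(SAMPLE_SERVER_CONF):
        print("FINDING:", finding)
```

Run against the real file with `lint_server_conf(open("/etc/wireguard/wg0.conf").read())`. On the constructed sample it reports four findings: the /24 on client02, and for client03 the reused public key, the missing pre-shared key and the out-of-network address.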
Bringing the interface up creates wg0:
# wg-quick up /etc/wireguard/wg0.conf
# ip -4 a
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
# wg-quick down /etc/wireguard/wg0.conf
Enable the service so the tunnel comes back up after a server reboot:
# systemctl enable wg-quick@wg0
Client config (client01 here), written to ~/WireGuard/client01/client01.conf:
CL=client01
cd ~/WireGuard/${CL}
SERVER_pubkey=`cat ~/WireGuard/server/pubkey`
CLIENT_privkey=`cat ~/WireGuard/${CL}/privkey`
CLIENT_preshared=`cat ~/WireGuard/${CL}/preshared`
cat << __EOM__ > ${CL}.conf
[Interface]
# ${CL}
PrivateKey = ${CLIENT_privkey} #value of ~/WireGuard/${CL}/privkey
Address = 10.0.1.2/32 #IP of ${CL}
DNS = 8.8.8.8, 8.8.4.4 #DNS servers the client should use

[Peer]
# server
PublicKey = ${SERVER_pubkey} #value of ~/WireGuard/server/pubkey
PresharedKey = ${CLIENT_preshared} #value of ~/WireGuard/${CL}/preshared
AllowedIPs = 10.0.1.0/24, 10.0.0.0/24 #IP ranges to reach through WireGuard
Endpoint = XXX.XXX.XXX.XXX:51820 #public IP:port of the WireGuard server
PersistentKeepAlive = 30
__EOM__
Generate the [Peer] block for an additional client (client02 here) from its key files and the Address in its client config; the block is printed to stdout for adding to the server's wg0.conf.
CL=client02
CLIENT_pubkey=`cat ~/WireGuard/${CL}/pubkey`
CLIENT_preshared=`cat ~/WireGuard/${CL}/preshared`
IP=`cat ~/WireGuard/${CL}/${CL}.conf | awk '/Address/ {print $3}'`
cat << __EOM__
[Peer]
# ${CL}
PublicKey = ${CLIENT_pubkey} #value of ~/WireGuard/${CL}/pubkey
PresharedKey = ${CLIENT_preshared} #value of ~/WireGuard/${CL}/preshared
AllowedIPs = ${IP} #IP assigned to ${CL}
__EOM__
Note: PersistentKeepAlive is the interval, in seconds, between keepalive packets the client sends so that its NAT mapping stays open.
On a Linux client, place the client config file at /etc/wireguard/wg0.conf and bring it up:
apt install wireguard resolvconf
cat /etc/wireguard/wg0.conf
wg-quick up /etc/wireguard/wg0.conf
On iPhone, import the config by scanning a QR code from the WireGuard app. Render the client config as a QR image:
# apt install qrencode
# qrencode -o client01.png -d 350 -r ~/WireGuard/client01/client01.conf
# ll client01.png
-rw-r--r-- 1 root root 1255 Feb 15 13:59 client01.png
Check the WireGuard connection state:
# wg show
interface: wg0
  public key: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
  private key: (hidden)
  listening port: 51820

peer: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb=
  preshared key: (hidden)
  endpoint: XXX.XXX.XXX.XXX:42173
  allowed ips: 10.0.1.4/32
  latest handshake: 20 seconds ago
  transfer: 8.00 KiB received, 1.80 KiB sent

peer: cccccccccccccccccccccccccccccccccccccccc=
  preshared key: (hidden)
  endpoint: XXX.XXX.XXX.XXX:50493
  allowed ips: 10.0.1.3/32
  latest handshake: 3 minutes, 23 seconds ago
  transfer: 31.21 KiB received, 16.46 KiB sent

peer: ddddddddddddddddddddddddddddddddddddddddd=
  preshared key: (hidden)
  allowed ips: 10.0.1.2/32
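The `wg show` output above already tells an operator which peers are healthy: a peer with a recent "latest handshake" is live, a peer whose handshake is minutes old has gone idle or lost its path (for example, its NAT mapping expired and it has no keepalive), and a peer with no handshake line at all has never connected since the interface came up. The following Python script is an added example, not code from the original page: it parses output in exactly that shape and reports peers that are stale or have never handshaked. The sample text is constructed with placeholder keys and documentation-range endpoints, and the threshold and function names are the example's own.

```python
"""Flag quiet WireGuard peers from `wg show` text.

Added example, not part of the original page. The sample below is
constructed in the shape of the page's `wg show` output; keys and
endpoints are placeholders.
"""
import re
from typing import Dict, List, Optional

SAMPLE_WG_SHOW = """\
interface: wg0
  public key: SERVER_PUBLIC_KEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 51820

peer: PEER_A_PUBLIC_KEY_PLACEHOLDER=
  preshared key: (hidden)
  endpoint: 203.0.113.10:42173
  allowed ips: 10.0.1.4/32
  latest handshake: 20 seconds ago
  transfer: 8.00 KiB received, 1.80 KiB sent

peer: PEER_B_PUBLIC_KEY_PLACEHOLDER=
  preshared key: (hidden)
  endpoint: 203.0.113.11:50493
  allowed ips: 10.0.1.3/32
  latest handshake: 3 minutes, 23 seconds ago
  transfer: 31.21 KiB received, 16.46 KiB sent

peer: PEER_C_PUBLIC_KEY_PLACEHOLDER=
  preshared key: (hidden)
  allowed ips: 10.0.1.2/32
"""

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age_seconds(text: str) -> int:
    """Convert a human age such as '3 minutes, 23 seconds ago' into seconds (203)."""
    total = 0
    for amount, unit in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text):
        total += int(amount) * _UNIT_SECONDS[unit]
    return total


def parse_wg_show(text: str) -> List[Dict[str, str]]:
    """Return one dict per peer; the interface block is skipped.

    Attribute names are the `wg show` labels with spaces replaced by
    underscores ("latest handshake" -> "latest_handshake").
    """
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface:"):
            current = None  # interface attributes follow; ignore until the first peer
            continue
        if line.startswith("peer:"):
            current = {"public_key": line.split(":", 1)[1].strip()}
            peers.append(current)
            continue
        if current is not None and ":" in line:
            # split on the first ':' only, so "endpoint: host:port" keeps its port
            key, value = (part.strip() for part in line.split(":", 1))
            current[key.replace(" ", "_")] = value
    return peers


def stale_peers(text: str, max_age_seconds: int = 180) -> List[Dict[str, object]]:
    """Peers that never handshaked, or whose last handshake is older than the threshold."""
    report: List[Dict[str, object]] = []
    for peer in parse_wg_show(text):
        handshake = peer.get("latest_handshake")
        if handshake is None:
            state, age = "never", -1
        else:
            age = handshake_age_seconds(handshake)
            if age <= max_age_seconds:
                continue
            state = "stale"
        report.append({
            "public_key": peer["public_key"],
            "allowed_ips": peer.get("allowed_ips", "?"),
            "endpoint": peer.get("endpoint", "none"),
            "state": state,
            "age_seconds": age,
        })
    return report


if __name__ == "__main__":
    for entry in stale_peers(SAMPLE_WG_SHOW):
        print(entry)
```

Feed it live data with `stale_peers(subprocess.check_output(["wg", "show"], text=True))`. The default threshold of 180 seconds works because WireGuard renegotiates roughly every two minutes while any traffic, keepalives included, is flowing, so a live peer with PersistentKeepAlive set never drifts far past that. For a script that runs unattended, `wg show wg0 dump` gives the same data tab-separated with the handshake as a Unix timestamp, which avoids parsing the human-readable ages.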