Editing "Wireguard"


This edit can be undone. Please check the comparison below to make sure that this is what you want to do, then publish your changes below to undo the edit.

Current version    Your text
Zeile 8: Zeile 8:


== Zentrale einrichten ==
== Zentrale einrichten ==
=== Ablauf der Konfiguration ===
* Scripts erzeugen: Kapitel "Scripts erstellen"
* Server konfigurieren: Kapitel "Konfiguration Server"
* Beliebig viele Clients konfigurieren: "Konfiguration existierender Client (Public Key bekannt)" oder "Erzeugen Client (Keys werden erzeugt)"
* Wireguard-Konfiguration erzeugen: Kapitel "Wireguard Konfiguration erzeugen"
* Client löschen:
** db/<vpn-id>/clients/<client>.conf löschen
** Kapitel "Wireguard Konfiguration erzeugen"
* Client ändern (z.B. erlaubte Netze)
** db/<vpn-id>/clients/<client>.conf ändern
** Kapitel "Wireguard Konfiguration erzeugen"
* neuer Client:
** "Konfiguration existierender Client (Public Key bekannt)" oder "Erzeugen Client (Keys werden erzeugt)"
** Wireguard-Konfiguration erzeugen: Kapitel "Wireguard Konfiguration erzeugen"
=== Scripts erstellen ===
=== Scripts erstellen ===
==== Script für Initialisierung: Build ====
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
FN_SCRIPT=/etc/wireguard/Build
FN_SCRIPT=/etc/wireguard/Build
cat <<'ESCRIPT' >$FN_SCRIPT
cat <<'ESCRIPT' >$FN_SCRIPT
#! /bin/bash
#! /bin/bash
VPN_ID=$1
WG_ID=$1


function Server(){
function Server(){
   source db/$VPN_ID/server.conf
   source db/$WG_ID/server.conf
   cat <<EOS >$VPN_ID.conf
   cat <<EOS >$WG_ID.conf
[Interface]
[Interface]
Address = $IP_SERVER  
Address = $IP_SERVER  
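Review bot: the generated interface file `$VPN_ID.conf` / `$WG_ID.conf` is written with a plain `cat <<EOS >` redirect and its mode is never restricted, although it is built from `server.conf`, which the BuildServer script below fills with `PRIVATE_KEY=`; add `umask 077` at the top of the script so the file is created unreadable for other users. Quote the path in `source db/$VPN_ID/server.conf` (`"db/$VPN_ID/server.conf"`) as well, since the id comes straight from `$1`.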
Zeile 41: Zeile 24:


EOS
EOS
   echo "= created: $VPN_ID.conf"
   echo "= created: $WG_ID.conf"
}
}


Zeile 47: Zeile 30:
   local config=$1
   local config=$1
   source $config
   source $config
   local fn=$VPN_ID.conf
   local fn=$WG_ID.conf
   cat <<EOS >>$fn
   cat <<EOS >>$fn
[Peer]
[Peer]
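Review bot: `source $config` in Client() leaves CLIENT, PUB_KEY and ALLOWED_IPS set from the previous loop iteration, so a client file that lacks one of them silently inherits the previous client's value and the `[Peer]` block is appended with the wrong key or networks. Add `unset CLIENT PUB_KEY ALLOWED_IPS` before the `source` line and skip the peer with a message if any of the three is still empty afterwards.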
Zeile 61: Zeile 44:
   echo "+++ $*"
   echo "+++ $*"
}
}
if [ -z "$VPN_ID" ]; then
if [ -z "$WG_ID" ]; then
   Usage "missing VPN_ID"
   Usage "missing VPN_ID"
elif [ ! -d db/$VPN_ID ]; then
elif [ ! -d db/$WG_ID ]; then
   Usage "VPN_ID not defined: $VPN_ID"
   Usage "VPN_ID not defined: $WG_ID"
   echo "= available:"
   echo "= available:"
   for dir in db/*; do
   for dir in db/*; do
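Review bot: the `[ ! -d db/$VPN_ID ]` test and every other `db/...` path are relative, so the script only works when started from /etc/wireguard (every usage section below begins with `cd /etc/wireguard`); either `cd "$(dirname "$0")"` at the top or use an absolute `DB=/etc/wireguard/db` prefix, and quote the variable in the test (`[ ! -d "db/$VPN_ID" ]`).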
Zeile 71: Zeile 54:
else
else
   Server
   Server
   for client in db/$VPN_ID/clients/*.conf; do
   for client in db/$WG_ID/clients/*.conf; do
     Client $client
     Client $client
   done
   done
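Review bot: with no client files present the glob in `for client in db/$VPN_ID/clients/*.conf` stays literal and Client() is called with the string `db/wg0/clients/*.conf`, which `source` then fails on while the server half of the config has already been written. Add `shopt -s nullglob` before the loop, or `[ -e "$client" ] || continue` as the first statement of the loop body.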
Zeile 78: Zeile 61:
echo "created: $FN_SCRIPT"
echo "created: $FN_SCRIPT"
chmod +x $FN_SCRIPT
chmod +x $FN_SCRIPT
</syntaxhighlight>
# =======
 
==== Script zum Server konfigurieren ====
<syntaxhighlight lang="bash">
FN_SCRIPT=/etc/wireguard/BuildServer
FN_SCRIPT=/etc/wireguard/BuildServer
cat <<'SCRIPT' >$FN_SCRIPT
cat <<'SCRIPT' >$FN_SCRIPT
#! /bin/bash
#! /bin/bash
VPN_ID=$1
WG_ID=$1
IP_SERVER=$2
IP_SERVER=$2
IP_PUBLIC=$3
HOST=$3
HOST=$4
PORT=$4
PORT=$5
DNS_SERVER=$6
 
test -z "$HOST" && HOST=$(hostname)
test -z "$HOST" && HOST=$(hostname)
test -z "$PORT" && PORT=51820
test -z "$PORT" && PORT=51820
test -z "$DNS_SERVER" && DNS_SERVER=9.9.9.9


function Usage(){
function Usage(){
   echo "Usage BuildServer VPN_ID IP_VPN IP_PUBLIC [HOST [PORT [DNS_SERVER]]]"
   echo "Usage BuildServer VPN_ID IP [HOST [PORT]]"
   echo "Example: BuildServer wg0 10.10.100.1/24 207.180.255.91 dragon 51820 9.9.9.9"
   echo "Example: BuildServer wg0 10.10.100.1/24 dragon 51820"
  echo "+++ $*"
}
}


function Create(){
function Create(){
   mkdir -p db/$VPN_ID/clients
   mkdir -p db/$WG_ID/clients
   local fnPrivateKey=db/$VPN_ID/private.key
   local fnPrivateKey=db/$WG_ID/private.key
   if [ ! -e $fnPrivateKey ]; then
   if [ ! -e $fnPrivateKey ]; then
     wg genkey > $fnPrivateKey
     wg genkey > $fnPrivateKey
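Review bot: the two sides disagree on the argument layout (`IP_PUBLIC=$3 HOST=$4 PORT=$5 DNS_SERVER=$6` against `HOST=$3 PORT=$4`), and on the side that drops `IP_PUBLIC` and `DNS_SERVER` nothing records the public endpoint that ExportClient later reads from `server.conf` as `IP_SERVER=$IP_PUBLIC`, so the exported client file would carry an empty `IP_SERVER=`. Keep the six-argument form, and keep the `echo "+++ $*"` line in Usage(), which one side omits, so that the reason passed to `Usage` is actually printed.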
Zeile 110: Zeile 85:
     echo "= created: $fnPrivateKey"
     echo "= created: $fnPrivateKey"
   fi
   fi
   local fnPublicKey=db/$VPN_ID/public.key
   local fnPublicKey=db/$WG_ID/public.key
   if [ ! -e $fnPublicKey ]; then
   if [ ! -e $fnPublicKey ]; then
     wg <$fnPrivateKey pubkey >$fnPublicKey
     wg <$fnPrivateKey pubkey >$fnPublicKey
     echo "= created: $fnPublicKey"  
     echo "= created: $fnPublicKey"  
   fi
   fi
   local fnConfig=db/$VPN_ID/server.conf
   local fnConfig=db/$WG_ID/server.conf
   cat <<EOS >$fnConfig
   cat <<EOS >$fnConfig
VPN_ID=$VPN_ID
WG_ID=$WG_ID
IP_SERVER=$IP_SERVER
IP_SERVER=$IP_SERVER
PORT=$PORT
PORT=$PORT
DNS_SERVER=$DNS_SERVER
IP_PUBLIC=$IP_PUBLIC
PRIVATE_KEY=$(cat $fnPrivateKey)
PRIVATE_KEY=$(cat $fnPrivateKey)
PUBLIC_KEY=$(cat $fnPublicKey)
EOS
EOS
  chmod og= $fnConfig
   echo "= created: $fnConfig"
   echo "= created: $fnConfig"
}
}
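Review bot: `server.conf` holds `PRIVATE_KEY=$(cat $fnPrivateKey)` in clear text, yet `chmod og= $fnConfig` appears on only one side of the diff; without it the heredoc creates the file with the default umask and the server's private key becomes readable by every local user. Keep the `chmod og=` line, or better set `umask 077` at the top of the script, which also protects `private.key` as written by `wg genkey > $fnPrivateKey` above.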
Zeile 139: Zeile 110:
chmod +x $FN_SCRIPT
chmod +x $FN_SCRIPT
echo "= created: $FN_SCRIPT"
echo "= created: $FN_SCRIPT"
</syntaxhighlight>
# =======
 
==== Script zur Clientkonfiguration: ImportClient ====
Zur Anwendung dieses Scripts ist der Public Key schon vorhanden.
<syntaxhighlight lang="bash">
FN_SCRIPT=/etc/wireguard/ImportClient
FN_SCRIPT=/etc/wireguard/ImportClient
cat <<'SCRIPT' >$FN_SCRIPT
#! /bin/bash
#! /bin/bash
cat <<'SCRIPT' >$FN_SCRIPT
WG_ID=$1
VPN_ID=$1
CLIENT=$2
CLIENT=$2
PUBLIC_KEY=$3
PUBLIC_KEY=$3
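Review bot: `PUBLIC_KEY=$3` does not match the script's own Usage text (`ImportClient VPN_ID CLIENT_NAME IP_CLIENT PUB_KEY ALLOWED_IDS`) or the call in the "Konfiguration existierender Client" section, where the third argument is `$IP_CLIENT` and the public key is the fourth; as written the client's IP address is stored as its key. Use `IP_CLIENT=$3` and `PUBLIC_KEY=$4`. On one side the `#! /bin/bash` line also sits before `cat <<'SCRIPT' >$FN_SCRIPT` instead of inside the heredoc, so the generated ImportClient has no shebang; move it after the `cat` line as the Build and BuildServer scripts do.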
Zeile 154: Zeile 121:


function Usage(){
function Usage(){
   echo "Usage: ImportClient VPN_ID CLIENT_NAME IP_CLIENT PUB_KEY ALLOWED_IDS"
   echo "Usage: BuildClient VPN_ID CLIENT_NAME IP_CLIENT PUB_KEY ALLOWED_IDS"
   echo "Example: ImportClient wg0 joe 10.10.100.44/32 0fajdkafkdla02jiw902902= 10.10.100.0/24,10.10.101.0/24"
   echo "Example: BuildClient wg0 joe 10.10.100.44/32 0fajdkafkdla02jiw902902= 10.10.100.0/24,10.10.101.0/24"
   echo "+++ $*"
   echo "+++ $*"
}
}


function Create(){
function Create(){
   mkdir -p db/$VPN_ID/clients
   mkdir -p db/$WG_ID/clients
   local fnConfig=db/$VPN_ID/clients/$CLIENT.conf
   local fnConfig=db/$WG_ID/clients/$CLIENT.conf
   cat <<EOS >$fnConfig
   cat <<EOS >$fnConfig
CLIENT=$CLIENT
CLIENT=$CLIENT
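Review bot: the values written to `db/$VPN_ID/clients/$CLIENT.conf` (`CLIENT=$CLIENT` and the lines that follow) are later executed by `source` in the Build script, so they must not contain shell syntax; write the assignments single-quoted (`CLIENT='$CLIENT'`) and validate the inputs before Create() runs (client name limited to `[A-Za-z0-9_-]`, public key a 44-character base64 string, ALLOWED_IPS a comma-separated list of CIDRs). The Usage text on one side also names the script `BuildClient`, and both sides spell the last argument `ALLOWED_IDS` although the script checks `$ALLOWED_IPS`; make the text read `ImportClient ... ALLOWED_IPS`.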
Zeile 172: Zeile 139:
if [ -z "$ALLOWED_IPS" ]; then
if [ -z "$ALLOWED_IPS" ]; then
   Usage "missing arguments"
   Usage "missing arguments"
elif [ ! -d db/$VPN_ID ]; then
elif [ ! -d db/$WG_ID ]; then
   Usage "unknown VPN_ID: $VPN_ID"
   Usage "unknown VPN_ID: $WG_ID"
else
else
   Create
   Create
fi
fi
SCRIPT
SCRIPT
chmod +x $FN_SCRIPT
  chmod +x $FN_SCRIPT
echo "= created: $FN_SCRIPT"
   echo "= created: $FN_SCRIPT"
</syntaxhighlight>
 
==== Script zur Clientkonfiguration: ExportClient ====
Erzeugt Konfiguration für neuen Client (inklusive Erzeugung der Schlüssel).
<syntaxhighlight lang="bash">
FN_SCRIPT=/etc/wireguard/ExportClient
cat <<'SCRIPT' >$FN_SCRIPT
#! /bin/bash
VPN_ID=$1
CLIENT=$2
IP_CLIENT=$3
ALLOWED_IPS=$4
 
function Usage(){
  echo "Usage: ExportClient VPN_ID CLIENT_NAME IP_CLIENT ALLOWED_IDS"
  echo "Example: ExportClient wg0 joe 10.10.100.44/32 10.10.100.0/24,10.10.101.0/24"
  echo "+++ $*"
}
 
function CreateIntern(){
  mkdir -p db/$VPN_ID/clients
  local fnConfig=db/$VPN_ID/clients/$CLIENT.conf
  cat <<EOS >$fnConfig
CLIENT=$CLIENT
PUB_KEY=$PUBLIC_KEY_CLIENT
ALLOWED_IPS=$ALLOWED_IPS
EOS
   echo "= created: $fnConfig"
  fnConfig=exported/$VPN_ID.$CLIENT.conf
  mkdir -p $(dirname $fnConfig)
  cat <<EOS >$fnConfig
EOS
}
 
function CreateExport(){
  local fnConfig=export/$VPN_ID.$CLIENT.conf
  mkdir -p $(dirname $fnConfig)
  source db/$VPN_ID/server.conf
  local privateKey=$(wg genkey)
  PUBLIC_KEY_CLIENT=$(echo $privateKey | wg pubkey)
  cat <<EOS >$fnConfig
VPN_ID=$VPN_ID
DNS_SERVER=$DNS_SERVER
IP_SERVER=$IP_PUBLIC
IP_CLIENT=$IP_CLIENT
PORT_SERVER=$PORT
ALLOWED_IPS=$ALLOWED_IPS
PRIV_KEY=$privateKey
PUB_KEY=$PUBLIC_KEY_CLIENT
PUBKEY_SERVER=$(cat /etc/wireguard/db/$VPN_ID/public.key)
EOS
  echo "= created: $fnConfig"
}
  fnConfig=exported/$VPN_ID.$CLIENT.conf
if [ -z "$ALLOWED_IPS" ]; then
  Usage "missing arguments"
elif [ ! -d db/$VPN_ID ]; then
  Usage "unknown VPN_ID: $VPN_ID"
else
  CreateExport
  CreateIntern
fi
SCRIPT
chmod +x $FN_SCRIPT
echo "= created: $FN_SCRIPT"
</syntaxhighlight>
 
=== Wireguard-Konfiguration erzeugen ===
<syntaxhighlight lang="bash">
cd /etc/wireguard
VPN_ID=wg0
./Build $VPN_ID
</syntaxhighlight>
* VPN neu starten
<syntaxhighlight lang="bash">
# Falls VPN läuft:
wg-quick down wg0
wg-quick up wg0
</syntaxhighlight>
</syntaxhighlight>


=== Konfiguration Server ===
=== Konfiguration Server ===
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cd /etc/wireguard
WG_ID=wg0
VPN_ID=wg0
IP_SERVER=10.58.1.1/16
IP_SERVER=10.10.100.1/16
IP_PUBLIC=139.44.33.91
DNS_SERVER=9.9.9.9
HOST=$(hostname)
HOST=$(hostname)
PORT=51820
PORT=51820
./BuildServer $VPN_ID $IP_SERVER $IP_PUBLIC $HOST $PORT $DNS_SERVER
./BuildServer $WK_ID $IP_SERVER $HOST $PORT
</syntaxhighlight>
</syntaxhighlight>


=== Konfiguration existierender Client (Public Key bekannt) ===
=== Konfiguration existierender Client (Public Key bekannt) ===
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
VPN_ID=wg0
WG_ID=wg0
CLIENT=joe
CLIENT=joe
IP_CLIENT=10.10.100.10/32
IP_CLIENT=10.58.1.10/32
PUB_KEY=0fajdkafkdla02jiw902902=
PUB_KEY=0fajdkafkdla02jiw902902=
ALLOWED_IPS=10.100.10.0/24
ALLOWED_IPS=10.58.1.0/24
./ImportClient $VPN_ID $CLIENT $IP_CLIENT $PUB_KEY $ALLOWED_IPS
./ImportClient $WG_ID $CLIENT $IP_CLIENT $PUB_KEY $ALLOWED_IPS
</syntaxhighlight>
</syntaxhighlight>


=== Erzeugen Client (Keys werden erzeugt) ===
=== Erzeugen Client (Keys werden erzeugt) ===
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cd /etc/wireguard
WG_ID=wg0
VPN_ID=wg0
CLIENT=joe
CLIENT=joe
IP_CLIENT=10.10.100.112/32
IP_CLIENT=10.58.1.10/32
ALLOWED_IPS=10.10.100.0/24
ALLOWED_IPS=10.58.1.0/24
./ExportClient $VPN_ID $CLIENT $IP_CLIENT $ALLOWED_IPS
./CreateClient $WG_ID $CLIENT $IP_CLIENT ALLOWED_IPS
</syntaxhighlight>
</syntaxhighlight>


== Linux Client einrichten ==
== Linux Client einrichten ==
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
apt install wireguard-tools resolvconf
apt install wireguard-tools
</syntaxhighlight>
WG_ID=vinfeos0
=== Script erzeugen ===
IP_SERVER=207.180.255.91
<syntaxhighlight lang="bash">
PUBKEY_SERVER=eK7tZw0WgbjjxkRdAwGvp8aAV/cfzhwpIymZdVTFE3k=
FN_SCRIPT=/etc/wireguard/Import
DNS_SERVER=9.9.9.9
cat <<'SCRIPT' >$FN_SCRIPT
PORT_SERVER=51820
#! /bin/bash
IP2_SERVER=10.58.1.1
CONFIG=$1
IP_CLIENT=10.58.1.11/32
ALLOWED_IPS=10.58.1.0/16
FN_CONFIG=/etc/wireguard/$WG_ID.conf


function Usage(){
FN_KEY_PRIVATE=/etc/wireguard/$WG_ID.private.key
  echo "Usage: Import IMPORT_FILE"
wg genkey | sudo tee $FN_KEY_PRIVATE
  echo "Example: Import db/wg0.joe.conf"
chmod go= $FN_KEY_PRIVATE
  echo "+++ $*"
PUBKEY_CLIENT=$(wg <$FN_KEY_PRIVATE pubkey)
}
cat <<EOS >$FN_CONFIG
 
function Create(){
  local fn=$1
  source $fn
  if [ -z "$VPN_ID" -o -z "$DNS_SERVER" -o -z "$IP_SERVER" -o -z "$IP_CLIENT" ]; then
    echo "+++ wrong import data in $fn: vpn: $VPN_ID dns: $DNS_SERVER ip: $IP_SERVER ipcl: $IP_CLIENT"
  elif [ -z "$PORT_SERVER" -o -z "$ALLOWED_IPS" ]; then
    echo "+++ wrong import data: port: $PORT_SERVER allowed: $ALLOWED_IPS"
  elif [ -z "$PRIV_KEY" -o -z "$PUB_KEY" -o -z "$PUBKEY_SERVER" ]; then
    echo "+++ wrong import data: pub: $PUB_KEY priv: $PRIV_KEY pub-sv: $PUBKEY_SERVER"
  else
    local fnPrivate=/etc/wireguard/db/$VPN_ID.private.key
    mkdir -p $(dirname $fnPrivate)
    echo $PUB_KEY > db/$VPN_ID.public.key
    echo $PRIV_KEY > $fnPrivate
    chmod og= $fnPrivate
    local config=/etc/wireguard/$VPN_ID.conf
    cat <<EOS >$config
[Interface]
[Interface]
Address = $IP_CLIENT
# The address your computer will use on the VPN
Address = $IP_CLIE:q:NT
DNS = $DNS_SERVER
DNS = $DNS_SERVER
# Load your privatekey from file
# Load your privatekey from file
PostUp = wg set %i private-key $fnPrivate
PostUp = wg set %i private-key $FN_KEY_PRIVATE
# Also ping the vpn server to ensure the tunnel is initialized
# Also ping the vpn server to ensure the tunnel is initialized
PostUp = ping -c1 $IP_SERVER
PostUp = ping -c1 $IP2_SERVER


[Peer]
[Peer]
# VPN server's wireguard public key
PublicKey = $PUBKEY_SERVER
PublicKey = $PUBKEY_SERVER
# Public IP address of your VPN server (USE YOURS!)
Endpoint = $IP_SERVER:$PORT_SERVER
Endpoint = $IP_SERVER:$PORT_SERVER
# 10.0.0.0/24 is the VPN subnet
AllowedIPs = $ALLOWED_IPS
AllowedIPs = $ALLOWED_IPS
PersistentKeepalive = 15
# PersistentKeepalive = 25
EOS
EOS
    echo "= created: $config"
  fi
}
if [ -z "$CONFIG" ]; then
  Usage "Missing parameter CONFIG_FILE"
elif [ ! -e $CONFIG ]; then
  Usage "Missing configuration file $CONFIG"
else
  Create $CONFIG
fi
SCRIPT
chmod +x $FN_SCRIPT
echo "= created: $FN_SCRIPT"
</syntaxhighlight>
=== Importieren der Daten ===
<syntaxhighlight lang="bash">
mkdir -p /etc/wireguard
cd /etc/wireguard
CONFIG=/Downloads/wg0.joe.conf
./Import $CONFIG
</syntaxhighlight>
=== VPN neu starten ===
<syntaxhighlight lang="bash">
# Falls VPN läuft:
wg-quick down wg0
wg-quick up wg0
</syntaxhighlight>
</syntaxhighlight>
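Review bot: `export/$VPN_ID.$CLIENT.conf` written by CreateExport() contains `PRIV_KEY=$privateKey`, the client's private key, but is created with a plain redirect and no `chmod og=`; set `umask 077` before the `cat`, and note that CreateIntern() additionally writes an empty heredoc into a second directory `exported/` while the bare `fnConfig=exported/$VPN_ID.$CLIENT.conf` line after its closing `}` is dead top-level code, so both should go. The usage sections contain two broken calls: `./BuildServer $WK_ID ...` (typo for `$WG_ID`, which passes an empty first argument) and `./CreateClient $WG_ID $CLIENT $IP_CLIENT ALLOWED_IPS` (no script of that name is defined on this page, it should be `./ExportClient`, and `ALLOWED_IPS` is missing its `$`). In the Linux client part, `Address = $IP_CLIE:q:NT` is editor residue for `$IP_CLIENT`, `ALLOWED_IPS=10.58.1.0/16` is not a valid prefix (the /16 is `10.58.0.0/16`; otherwise use `10.58.1.0/24`), the comment `# 10.0.0.0/24 is the VPN subnet` no longer matches the addresses used, and `wg genkey | sudo tee $FN_KEY_PRIVATE` echoes the new private key to the terminal; append `>/dev/null` to the `tee` and create the file under `umask 077` rather than relying on the later `chmod go=`. Finally, `PersistentKeepalive = 15` on one side against `# PersistentKeepalive = 25` on the other looks unintentional; state which value is meant.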
