add do not use 10.0.0.0 private lan in GCP

2019-08-16 10:36:54 +08:00
parent 2a946fe47b
commit 99aa15344f
111 changed files with 6387 additions and 2693 deletions


@@ -0,0 +1,107 @@
---
title: "[筆記] 在gcp 中用wireguard建立VPN時不要用 10.0.0.0/16 網段/Do No Use 10 0 0 0 Private Ipaddr in GCP"
date: 2019-08-16T10:18:06+08:00
noSummary: false
featuredImage: "https://h.cowbay.org/images/post-default-8.jpg"
categories: ['筆記']
tags: ['vpn','wireguard']
author: "Eric Chang"
---
最近一直在玩 wireguard 先前把各個分公司和總部的VPN 改用 wireguard 建立
想說再打個VPN tunnel 來當跳板連 ptt 好了
因為wireguard 建立很簡單,而且又可以指定想要繞出去的路由,不會影響原本的網路環境
本來是在vultr 的VPS上面建立這個tunnel
但是那台VPS連去ptt 很頓,卡卡的
所以改用google cloud platform 的free tier 來做
反正只是拿來當跳板,不會有什麼流量、運算產生,可以一直保持免費的狀態
<!--more-->
GCP的申請、設定就不多說了
這次碰到的怪異現象是當wireguard 都已經設定好client 也都連上了之後
會發生client 開不了 www.google.com.tw / youtube / google map 等等google 服務的狀況
VPN確定是通的我可以在client 這邊連上其他網站但就是google的服務開不了
後來不知道是怎麼樣突然靈機一動因為一開始設定server/peer 都是用 10.0.0.x/24 的IP
想說會不會是因為這個也是google cloud platform 預設的LAN IP 網段,所以沒辦法繞出去
看一下設定,確認一下這個想法對不對,果然是這樣沒錯
![](https://i.imgur.com/XkrH4Pa.png)
解決方法很簡單要不修改VPS的內部IP要不修改wireguard的設定
當然我是選擇改wireguard ,因為簡單嘛!
修改後的configuration 長這樣
```
[Interface]
Address = 192.168.10.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE
ListenPort = 12000
PrivateKey = E..........................E
#OFFICE DESKTOP
[Peer]
PublicKey = W...........................W
AllowedIPs = 192.168.10.2/32
#ANDROID
[Peer]
PublicKey = w............................w
AllowedIPs = 192.168.10.3/32
#HOME
[Peer]
PublicKey = 2.........................................2
AllowedIPs = 192.168.10.4/32
```
重起wireguard (或者說重起 wg0 這個interface)之後client 開google 網頁就正常了
client 這邊也是簡單設定一下把要透過跳板出去的IP 改走wireguard 出去
底下這個,就是把往台大(140.112.0.0) 和 term.ptt.cc(104.31.0.0)的封包改走wireguard
```
[Interface]
PrivateKey = e............................e
Address = 192.168.10.2/24
DNS = 8.8.8.8
MTU = 1420
[Peer]
PublicKey = q...........................q
Endpoint = public_ip_of_gcp:12000
AllowedIPs = 140.112.0.0/16,104.31.0.0/16,192.168.10.1/32
PersistentKeepalive = 25
```
然後看一下路由對不對
```
2019-08-16 10:34:21 [cch@hq34 ~]$ traceroute term.ptt.cc
traceroute to term.ptt.cc (104.31.231.9), 30 hops max, 60 byte packets
1 192.168.10.1 (192.168.10.1) 191.826 ms 192.556 ms 192.678 ms
2 * * *
3 * * *
4 * * *
5 104.31.231.9 (104.31.231.9) 203.918 ms 203.982 ms 203.979 ms
2019-08-16 10:34:33 [cch@hq34 ~]$
```
果然是走wireguard (192.168.10.1) 出去 ,跳板成功!
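Review bot: the English half of the front-matter title reads "Do No Use 10 0 0 0 Private Ipaddr in GCP" and should read "Do Not Use ..."; since the whole post turns on the tunnel range overlapping the VM's internal subnet, the VPC subnet CIDR should also be stated in the text instead of only in the screenshot at https://i.imgur.com/XkrH4Pa.png, so the reason for the overlap survives if the image goes away. One defensive nit on the server `[Interface]`: the `PostUp` FORWARD rules accept everything in both directions on wg0 while the client only routes 140.112.0.0/16 and 104.31.0.0/16 through the tunnel, so restricting the FORWARD rules to those destinations (or at least excluding the VM's own VPC range) would keep any peer from reaching the VPC-internal network through the jump host.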

@@ -0,0 +1,293 @@
---
title: "[筆記] 透過 wireguard 建立多點 site to site VPN / Multiple Site to Site VPN Using Wireguard"
date: 2019-08-13T15:50:31+08:00
noSummary: false
featuredImage: "https://h.cowbay.org/images/post-default-10.jpg"
categories: ['筆記']
tags: ['vpn','ubuntu','wireguard']
author: "Eric Chang"
---
因為實在受夠了現在用的 openwrt + strongswan 建立 IPSec VPN
雖然說其實沒有什麼不好,但是畢竟不是我建立的,而當初的文件也都不見了
完全沒辦法了解當時設計的邏輯造成後續debug 困難
可以想像一下一台VPN router ping 不到remote、ping不到internet、甚至ping不到自己 是要怎麼debug !?(翻桌
之前買了兩台edgerouter X 拿來玩了一下 wireguard感覺還不錯不過只有測試到點對點
這次試試看躲在gateway後面看看能不能建立多點的VPN環境
<!--more-->
#### every node
##### enable ip_forward
edit /etc/sysctl.conf
add below line in the end of the file
```
net.ipv4.ip_forward=1
```
##### install wireguard
```
sudo apt-get install libmnl-dev linux-headers-$(uname -r) build-essential make git libelf-dev
git clone https://git.zx2c4.com/WireGuard
cd WireGuard/src/
make
sudo make install
```
or
**via apt**
```
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt install wireguard
```
##### create wireguard service file
add /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
```
[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
Documentation=https://www.wireguard.com/
Documentation=https://www.wireguard.com/quickstart/
Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
[Install]
WantedBy=multi-user.target
```
#### Node A
##### create wireguard private/public key
```
wg genkey > /etc/wireguard/private
cat /etc/wireguard/private | wg pubkey > /etc/wireguard/public
```
##### /etc/wireguard/wg0.conf
watch the interface name , must meets the interface name in system , ens18 is the default value of my test VM
```
[Interface]
Address = 10.0.0.40/24
ListenPort = 12000
PrivateKey = private key of node A
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
[Peer]
PublicKey = public key of node B
AllowedIPs = 10.0.0.28/32,192.168.28.0/24
Endpoint = 2.2.2.2:12000
PersistentKeepalive = 15
[Peer]
PublicKey = public key of node C
AllowedIPs = 10.0.0.80/32,192.168.80.0/24
Endpoint = 3.3.3.3:12000
PersistentKeepalive = 15
```
#### Node B (peer 1)
##### create wireguard private/public key
```
wg genkey > /etc/wireguard/private
cat /etc/wireguard/private | wg pubkey > /etc/wireguard/public
```
##### /etc/wireguard/wg0.conf
watch the interface name , must meets the interface name in system , ens18 is the default value of my test VM
```
[Interface]
ListenPort = 12000
PrivateKey = private key of node B
Address = 10.0.0.28/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
[Peer]
PublicKey = public key of node A
AllowedIPs = 10.0.0.40/32,192.168.40.0/24
Endpoint = 1.1.1.1:12000
PersistentKeepalive = 15
[Peer]
PublicKey = public key of node C
AllowedIPs = 10.0.0.80/32,192.168.80.0/24
Endpoint = 3.3.3.3:12000
PersistentKeepalive = 15
```
#### Node C (peer 2)
##### create wireguard private/public key
```
wg genkey > /etc/wireguard/private
cat /etc/wireguard/private | wg pubkey > /etc/wireguard/public
```
#### /etc/wireguard/wg0.conf
watch the interface name , must meets the interface name in system , ens18 is the default value of my test VM
```
[Interface]
ListenPort = 12000
PrivateKey = private key of node C
Address = 10.0.0.80/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
[Peer]
PublicKey = public key of node A
AllowedIPs = 10.0.0.40/32,192.168.40.0/24
Endpoint = 1.1.1.1:12000
PersistentKeepalive = 15
[Peer]
PublicKey = public key of node B
AllowedIPs = 10.0.0.28/32,192.168.28.0/24
Endpoint = 2.2.2.2:12000
PersistentKeepalive = 15
```
##### Test
Reboot all nodes , check if interface wg0 up by default or not
use command wg show to check status
for example , this is result of wg show in node C
```
root@sdvpn:~# wg show
interface: wg0
public key: public key of Node C
private key: (hidden)
listening port: 12000
peer: public key of node A
endpoint: 1.1.1.1:12000
allowed ips: 10.0.0.40/32, 192.168.40.0/24
latest handshake: 49 seconds ago
transfer: 9.77 KiB received, 9.73 KiB sent
persistent keepalive: every 15 seconds
peer: public key of node B
endpoint: 2.2.2.2:12000
allowed ips: 10.0.0.28/32, 192.168.28.0/24
latest handshake: 2 minutes, 8 seconds ago
transfer: 3.93 KiB received, 7.89 KiB sent
persistent keepalive: every 15 seconds
```
and the ping test
```
root@sdvpn:~# ping -c 1 192.168.40.40
PING 192.168.40.40 (192.168.40.40) 56(84) bytes of data.
64 bytes from 192.168.40.40: icmp_seq=1 ttl=63 time=21.2 ms
--- 192.168.40.40 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 21.204/21.204/21.204/0.000 ms
root@sdvpn:~# ping -c 1 192.168.28.40
PING 192.168.28.40 (192.168.28.40) 56(84) bytes of data.
64 bytes from 192.168.28.40: icmp_seq=1 ttl=63 time=24.2 ms
--- 192.168.28.40 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 24.208/24.208/24.208/0.000 ms
root@sdvpn:~#
```
and the traceroute
```
root@sdvpn:~# traceroute 192.168.40.40
traceroute to 192.168.40.40 (192.168.40.40), 30 hops max, 60 byte packets
1 10.0.0.40 (10.0.0.40) 21.349 ms 22.337 ms 22.576 ms
2 tcpc040.abc.com (192.168.40.40) 22.565 ms 22.551 ms 22.541 ms
root@sdvpn:~# traceroute 192.168.28.40
traceroute to 192.168.28.40 (192.168.28.40), 30 hops max, 60 byte packets
1 10.0.0.28 (10.0.0.28) 25.481 ms 30.117 ms 32.086 ms
2 dcpc040.abc.com (192.168.28.40) 33.811 ms 35.360 ms 36.769 ms
root@sdvpn:~#
```
#### additonal steps
##### enable firewall NAT in each nodes router
not necessary , but if the wireguard node is behind a NAT router , then must enable NAT for wireguard
1.1.1.1 is the WAN IP of the router , and 192.168.80.4 is the wireguard LAN ip, I map port 224 to ssh and 12000 for wireguard
```
iptables -t nat -A PREROUTING -i eth1 -d 1.1.1.1 -p tcp --dport 224 -j DNAT --to-destination 192.168.80.4:22
iptables -t nat -A PREROUTING -i eth1 -d 1.1.1.1 -p udp --dport 12000 -j DNAT --to-destination 192.168.80.4:12000
```
#### summary
if want to add more nodes into VPN , just follow the logic and steps.
```
create private/public key
create wg0.conf
add new nodes in every other nodes wg0.conf as peer
```
1. for route , must add remote network in AllowedIPs
2. check ip_forward is enable
3. I think the postup haws no effect here , because the firewall service was disable by default , and if I use iptables -F to flush all firewall rules , the network still remain in connected.
4. need to create an ansible playbook for this
#### Update
##### strongswan IPSEC VS wireguard
**wireguard almost twice faster than strongswan**
iperf test with wireguard VPN 30 seconds benchmark
```
root@sdvpn:~# iperf -c 192.168.40.7 -t 30
------------------------------------------------------------
Client connecting to 192.168.40.7, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[ 3] local 10.0.0.80 port 48270 connected with 192.168.40.7 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-30.1 sec 65.1 MBytes 18.1 Mbits/sec
root@sdvpn:~#
```
iperf test with strongswan VPN
```
root@sdvpn:~# iperf -c 192.168.40.7 -t 30
------------------------------------------------------------
Client connecting to 192.168.40.7, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.80.4 port 57806 connected with 192.168.40.7 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-30.1 sec 35.6 MBytes 9.94 Mbits/sec
root@sdvpn:~#
```
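Review bot: summary point 3 draws the wrong conclusion from the `iptables -F` test: without `-t nat`, `-F` flushes only the filter table, so the `POSTROUTING ... MASQUERADE` rule installed by `PostUp` stayed in place and the test does not show that `PostUp` has no effect; `iptables -t nat -F` would remove it, after which replies from 192.168.40.40 to 10.0.0.80 only work if that LAN or its router has a route for 10.0.0.0/24 via Node A. Two setup points: the unit file should not be written into /etc/systemd/system/multi-user.target.wants/ (that directory holds the symlinks `systemctl enable` creates, and both the source build and the PPA already install `wg-quick@.service`, so `systemctl enable wg-quick@wg0` is enough), and `wg genkey > /etc/wireguard/private` should be preceded by `umask 077` so the private key file is not world-readable. Smaller items: `#### /etc/wireguard/wg0.conf` under Node C should be `#####` like the other nodes, "additonal" and "haws" are typos, and the NAT example calls 1.1.1.1 the router WAN IP with 192.168.80.4 behind it, but 1.1.1.1 is Node A's endpoint whose LAN is 192.168.40.0/24 while 192.168.80.0/24 belongs to Node C (3.3.3.3).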