<!doctype html>
<html class="no-js" lang="tw">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="author" content="Eric Chang">
<meta name="description" content="Whats the Worst That Could Happen?">
<meta name="keywords" content="linux,blog,responsive,search,font awesome,pages,posts,multilingual,highlight.js,syntax highlighting,premium,shortcuts">
<meta name="generator" content="Hugo 0.50" />
<title>[Notes] Building a multi-site site-to-site VPN with wireguard / Multiple Site to Site VPN Using Wireguard | MCの飄狂山莊㊣</title>
<meta name="description" content="[筆記] 透過 wireguard 建立多點 site to site VPN / Multiple Site to Site VPN Using Wireguard - Whats the Worst That Could Happen?">
<meta itemprop="name" content="[筆記] 透過 wireguard 建立多點 site to site VPN / Multiple Site to Site VPN Using Wireguard">
<meta itemprop="description" content="[筆記] 透過 wireguard 建立多點 site to site VPN / Multiple Site to Site VPN Using Wireguard - Whats the Worst That Could Happen?">
<meta property="og:title" content="[筆記] 透過 wireguard 建立多點 site to site VPN / Multiple Site to Site VPN Using Wireguard">
<meta property="og:description" content="[筆記] 透過 wireguard 建立多點 site to site VPN / Multiple Site to Site VPN Using Wireguard - Whats the Worst That Could Happen?">
<meta property="og:image" content="https://h.cowbay.org/images/post-default-10.jpg">
<meta property="og:url" content="https://h.cowbay.org/post/multiple-site-to-site-vpn-using-wireguard/">
<meta property="og:site_name" content="MCの飄狂山莊㊣">
<meta property="og:type" content="article">
<link rel="icon" type="image/png" href="https://h.cowbay.org/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="https://h.cowbay.org/favicon-16x16.png" sizes="16x16">
<link rel="stylesheet" href="https://h.cowbay.org/sass/combined.min.a89dfa577f701bffe9659f476ef61241cb2a3452b913e793463b0074a10c0a59.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
</head>
<body class="bilberry-hugo-theme">
<header>
<div class="container">
<div class="logo">
<a href="/" class="logo">
<img src="https://www.gravatar.com/avatar/e4eb1f8e016ffb73e9889f87d16e15f0?d=mm&size=200" alt="">
<span class="overlay"><i class="fa fa-home"></i></span>
</a>
</div>
<div class="titles">
<h3 class="title"><a href="/">MCの飄狂山莊㊣</a></h3>
<span class="subtitle">Whats the Worst That Could Happen?</span>
</div>
<div class="toggler permanentTopNav">
<i class="fa fa-bars" aria-hidden="true"></i>
</div>
</div>
</header>
<div class="main container">
<div class="article-wrapper u-cf single">
<article class="default article">
<div class="featured-image">
<a href="/post/multiple-site-to-site-vpn-using-wireguard/">
<img src="/images/post-default-10.jpg" alt="">
</a>
</div>
<div class="content">
<h3><a href="/post/multiple-site-to-site-vpn-using-wireguard/">[Notes] Building a multi-site site-to-site VPN with wireguard / Multiple Site to Site VPN Using Wireguard</a></h3>
<div class="meta">
<span class="date moment">2019-08-13</span>
<span class="categories">
<a href="/categories/%E7%AD%86%E8%A8%98">Notes</a>
</span>
<span class="author"><a href="/author/eric-chang">Eric Chang</a></span>
</div>
<p>I have really had enough of the IPsec VPN we currently run on openwrt + strongswan.</p>
<p>Not that there is anything actually wrong with it, but I did not build it, and the original documentation has all gone missing.</p>
<p>There is no way to understand the design logic from back then, which makes any later debugging hard.</p>
<p>Imagine a VPN router that cannot ping the remote side, cannot ping the internet, and cannot even ping itself. How are you supposed to debug that!? (table flip)</p>
<p>Earlier I bought two EdgeRouter X units and played with wireguard; it felt pretty good, but I only tested point-to-point.</p>
<p>This time I will put the nodes behind a gateway and see whether a multi-site VPN environment can be built.</p>
<h4 id="every-node">every node</h4>
<h5 id="enable-ip-forward">enable ip_forward</h5>
<p>Edit /etc/sysctl.conf and add the line below at the end of the file:</p>
<pre><code>net.ipv4.ip_forward=1
</code></pre>
<h5 id="install-wireguard">install wireguard</h5>
<pre><code>sudo apt-get install libmnl-dev linux-headers-$(uname -r) build-essential make git libelf-dev
git clone https://git.zx2c4.com/WireGuard
cd WireGuard/src/
make
sudo make install
</code></pre>
<p>or <strong>via apt</strong>:</p>
<pre><code>sudo add-apt-repository ppa:wireguard/wireguard
sudo apt install wireguard
</code></pre>
<h5 id="create-wireguard-service-file">create wireguard service file</h5>
<p>Add /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service with the following content:</p>
<pre><code>[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
Documentation=https://www.wireguard.com/
Documentation=https://www.wireguard.com/quickstart/
Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
[Install]
WantedBy=multi-user.target
</code></pre>
<h4 id="node-a">Node A</h4>
<h5 id="create-wireguard-private-public-key">create wireguard private/public key</h5>
<pre><code>wg genkey &gt; /etc/wireguard/private
cat /etc/wireguard/private | wg pubkey &gt; /etc/wireguard/public
</code></pre>
<h5 id="etc-wireguard-wg0-conf">/etc/wireguard/wg0.conf</h5>
<p>Watch the interface name in the PostUp/PostDown rules: it must match the outgoing interface name on the system. ens18 is the default on my test VM.</p>
<pre><code>[Interface]
Address = 10.0.0.40/24
ListenPort = 12000
PrivateKey = private key of node A
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
[Peer]
PublicKey = public key of node B
AllowedIPs = 10.0.0.28/32,192.168.28.0/24
Endpoint = 2.2.2.2:12000
PersistentKeepalive = 15
[Peer]
PublicKey = public key of node C
AllowedIPs = 10.0.0.80/32,192.168.80.0/24
Endpoint = 3.3.3.3:12000
PersistentKeepalive = 15
</code></pre>
<h4 id="node-b-peer-1">Node B (peer 1)</h4>
<h5 id="create-wireguard-private-public-key-1">create wireguard private/public key</h5>
<pre><code>wg genkey &gt; /etc/wireguard/private
cat /etc/wireguard/private | wg pubkey &gt; /etc/wireguard/public
</code></pre>
<h5 id="etc-wireguard-wg0-conf-1">/etc/wireguard/wg0.conf</h5>
<p>Watch the interface name in the PostUp/PostDown rules: it must match the outgoing interface name on the system. ens18 is the default on my test VM.</p>
<pre><code>[Interface]
ListenPort = 12000
PrivateKey = private key of node B
Address = 10.0.0.28/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
[Peer]
PublicKey = public key of node A
AllowedIPs = 10.0.0.40/32,192.168.40.0/24
Endpoint = 1.1.1.1:12000
PersistentKeepalive = 15
[Peer]
PublicKey = public key of node C
AllowedIPs = 10.0.0.80/32,192.168.80.0/24
Endpoint = 3.3.3.3:12000
PersistentKeepalive = 15
</code></pre>
<h4 id="node-c-peer-2">Node C (peer 2)</h4>
<h5 id="create-wireguard-private-public-key-2">create wireguard private/public key</h5>
<pre><code>wg genkey &gt; /etc/wireguard/private
cat /etc/wireguard/private | wg pubkey &gt; /etc/wireguard/public
</code></pre>
<h5 id="etc-wireguard-wg0-conf-2">/etc/wireguard/wg0.conf</h5>
<p>Watch the interface name in the PostUp/PostDown rules: it must match the outgoing interface name on the system. ens18 is the default on my test VM.</p>
<pre><code>[Interface]
ListenPort = 12000
PrivateKey = private key of node C
Address = 10.0.0.80/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
[Peer]
PublicKey = public key of node A
AllowedIPs = 10.0.0.40/32,192.168.40.0/24
Endpoint = 1.1.1.1:12000
PersistentKeepalive = 15
[Peer]
PublicKey = public key of node B
AllowedIPs = 10.0.0.28/32,192.168.28.0/24
Endpoint = 2.2.2.2:12000
PersistentKeepalive = 15
</code></pre>
<h5 id="test">Test</h5>
<p>Reboot all nodes and check whether interface wg0 comes up by default.</p>
<p>Use the command wg show to check the status.</p>
<p>For example, this is the result of wg show on node C:</p>
<pre><code>root@sdvpn:~# wg show
interface: wg0
public key: public key of Node C
private key: (hidden)
listening port: 12000
peer: public key of node A
endpoint: 1.1.1.1:12000
allowed ips: 10.0.0.40/32, 192.168.40.0/24
latest handshake: 49 seconds ago
transfer: 9.77 KiB received, 9.73 KiB sent
persistent keepalive: every 15 seconds
peer: public key of node B
endpoint: 2.2.2.2:12000
allowed ips: 10.0.0.28/32, 192.168.28.0/24
latest handshake: 2 minutes, 8 seconds ago
transfer: 3.93 KiB received, 7.89 KiB sent
persistent keepalive: every 15 seconds
</code></pre>
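<p>A small health check built on the wg show output above (an added example, not part of the original post): it parses the peer blocks, converts the "latest handshake" age to seconds, and flags peers whose handshake is older than three minutes or who never completed one. The sample output is the node C output from the post plus two constructed peers, PUB_D_CONSTRUCTED and PUB_E_CONSTRUCTED, which are placeholders.</p>

```python
import re

# WireGuard rekeys a session after 120 s (REKEY_AFTER_TIME) and rejects it after 180 s
# (REJECT_AFTER_TIME); with PersistentKeepalive = 15 both ends keep sending, so a
# handshake older than 180 s means the peer has stopped answering.
STALE_AFTER = 180
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def age_seconds(text):
    """'2 minutes, 8 seconds ago' -> 128."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text))

def parse_wg_show(output):
    """Return {peer_public_key: {field: value}} from 'wg show' text; the interface block is skipped."""
    peers, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            current = {}
            peers[line.split(":", 1)[1].strip()] = current
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return peers

def stale_peers(output, stale_after=STALE_AFTER):
    """Map each unhealthy peer to its handshake age in seconds, or None if it never completed one."""
    result = {}
    for pub, fields in parse_wg_show(output).items():
        if "latest handshake" not in fields:   # wg show omits the line until a handshake succeeds
            result[pub] = None
        else:
            age = age_seconds(fields["latest handshake"])
            if age > stale_after:
                result[pub] = age
    return result

# The post's 'wg show' output from node C, plus two constructed peers: D (stale) and E (no handshake).
SAMPLE = """\
interface: wg0
  listening port: 12000

peer: public key of node A
  endpoint: 1.1.1.1:12000
  allowed ips: 10.0.0.40/32, 192.168.40.0/24
  latest handshake: 49 seconds ago

peer: public key of node B
  endpoint: 2.2.2.2:12000
  allowed ips: 10.0.0.28/32, 192.168.28.0/24
  latest handshake: 2 minutes, 8 seconds ago

peer: PUB_D_CONSTRUCTED
  endpoint: 4.4.4.4:12000
  allowed ips: 10.0.0.90/32, 192.168.90.0/24
  latest handshake: 1 hour, 3 minutes, 4 seconds ago

peer: PUB_E_CONSTRUCTED
  endpoint: 5.5.5.5:12000
  allowed ips: 10.0.0.91/32
"""
```

Feed it the real output with <code>stale_peers(subprocess.check_output(["wg", "show"], text=True))</code> from cron or a monitoring agent; an empty result means every peer is healthy.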
<p>And the ping test:</p>
<pre><code>root@sdvpn:~# ping -c 1 192.168.40.40
PING 192.168.40.40 (192.168.40.40) 56(84) bytes of data.
64 bytes from 192.168.40.40: icmp_seq=1 ttl=63 time=21.2 ms
--- 192.168.40.40 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 21.204/21.204/21.204/0.000 ms
root@sdvpn:~# ping -c 1 192.168.28.40
PING 192.168.28.40 (192.168.28.40) 56(84) bytes of data.
64 bytes from 192.168.28.40: icmp_seq=1 ttl=63 time=24.2 ms
--- 192.168.28.40 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 24.208/24.208/24.208/0.000 ms
root@sdvpn:~#
</code></pre>
<p>And the traceroute:</p>
<pre><code>root@sdvpn:~# traceroute 192.168.40.40
traceroute to 192.168.40.40 (192.168.40.40), 30 hops max, 60 byte packets
1 10.0.0.40 (10.0.0.40) 21.349 ms 22.337 ms 22.576 ms
2 tcpc040.abc.com (192.168.40.40) 22.565 ms 22.551 ms 22.541 ms
root@sdvpn:~# traceroute 192.168.28.40
traceroute to 192.168.28.40 (192.168.28.40), 30 hops max, 60 byte packets
1 10.0.0.28 (10.0.0.28) 25.481 ms 30.117 ms 32.086 ms
2 dcpc040.abc.com (192.168.28.40) 33.811 ms 35.360 ms 36.769 ms
root@sdvpn:~#
</code></pre>
<h4 id="additonal-steps">additional steps</h4>
<h5 id="enable-firewall-nat-in-each-nodes-router">enable firewall NAT on each node's router</h5>
<p>Not necessary in general, but if the wireguard node sits behind a NAT router, the router must forward (DNAT) the wireguard port to the node.</p>
<p>1.1.1.1 is the WAN IP of the router and 192.168.80.4 is the wireguard node's LAN IP; I map port 224 to ssh and port 12000 to wireguard.</p>
<pre><code>iptables -t nat -A PREROUTING -i eth1 -d 1.1.1.1 -p tcp --dport 224 -j DNAT --to-destination 192.168.80.4:22
iptables -t nat -A PREROUTING -i eth1 -d 1.1.1.1 -p udp --dport 12000 -j DNAT --to-destination 192.168.80.4:12000
</code></pre>
<h4 id="summary">summary</h4>
<p>If you want to add more nodes to the VPN, just follow the same logic and steps:</p>
<pre><code>create private/public key
create wg0.conf
add the new node to every other node's wg0.conf as a peer
</code></pre>
<ol>
<li>For routing, the remote network must be added to AllowedIPs.</li>
<li>Check that ip_forward is enabled.</li>
<li>I think the PostUp has no effect here, because the firewall service is disabled by default, and if I use iptables -F to flush all firewall rules the network still remains connected.</li>
<li>Need to create an ansible playbook for this.</li>
</ol>
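<p>A consistency check for the three wg0.conf files above and for the "add the new node to every other node" step (an added example, not part of the original post). wg-quick configs repeat the [Peer] section, so configparser cannot read them and a small parser is written instead; the check goes slightly beyond the summary by also catching a wrong Endpoint port and overlapping AllowedIPs, which WireGuard uses as its routing table. PUB_A/PUB_B/PUB_C and the make_conf helper are constructed placeholders that reproduce the post's layout.</p>

```python
import ipaddress

def parse_wg_conf(text):
    """Split wg-quick INI text into (interface, [peers]); [Peer] repeats, so configparser won't do."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def check_mesh(nodes):
    """nodes: {name: (public_key, conf_text)}. Returns a list of problems; empty means consistent."""
    parsed = {n: (pub, *parse_wg_conf(txt)) for n, (pub, txt) in nodes.items()}
    problems = []
    for name, (_, iface, peers) in parsed.items():
        by_key = {p["PublicKey"]: p for p in peers}
        for other, (opub, oiface, _) in parsed.items():
            if other == name:
                continue
            peer = by_key.get(opub)               # full mesh: every other node must be a [Peer]
            if peer is None:
                problems.append(f"{name}: no [Peer] entry for {other}")
                continue
            allowed = [ipaddress.ip_network(a.strip()) for a in peer["AllowedIPs"].split(",")]
            other_ip = ipaddress.ip_interface(oiface["Address"]).ip
            if not any(other_ip in net for net in allowed):   # tunnel address must be routable
                problems.append(f"{name}: AllowedIPs for {other} lacks {other_ip}")
            if int(peer["Endpoint"].rsplit(":", 1)[1]) != int(oiface["ListenPort"]):
                problems.append(f"{name}: Endpoint port for {other} differs from its ListenPort")
        seen = []                                  # AllowedIPs is also the routing table: no overlaps
        for p in peers:
            for a in p["AllowedIPs"].split(","):
                net = ipaddress.ip_network(a.strip())
                problems += [f"{name}: {net} overlaps {s}" for s in seen if net.overlaps(s)]
                seen.append(net)
    return problems

def make_conf(addr, peers):
    """Constructed wg-quick text in the post's layout; the private key is a placeholder."""
    parts = [f"[Interface]\nAddress = {addr}\nListenPort = 12000\nPrivateKey = PRIVATE_KEY_PLACEHOLDER"]
    for pub, allowed, endpoint in peers:
        parts.append(f"[Peer]\nPublicKey = {pub}\nAllowedIPs = {allowed}\nEndpoint = {endpoint}")
    return "\n".join(parts)

# The post's three nodes, with placeholder public keys (constructed sample).
PEER_A = ("PUB_A", "10.0.0.40/32,192.168.40.0/24", "1.1.1.1:12000")
PEER_B = ("PUB_B", "10.0.0.28/32,192.168.28.0/24", "2.2.2.2:12000")
PEER_C = ("PUB_C", "10.0.0.80/32,192.168.80.0/24", "3.3.3.3:12000")
MESH = {"A": ("PUB_A", make_conf("10.0.0.40/24", [PEER_B, PEER_C])),
        "B": ("PUB_B", make_conf("10.0.0.28/24", [PEER_A, PEER_C])),
        "C": ("PUB_C", make_conf("10.0.0.80/24", [PEER_A, PEER_B]))}
```

On real hosts, read each node's /etc/wireguard/wg0.conf and its /etc/wireguard/public into the nodes dict; a node that was forgotten when a new peer was added shows up as a missing [Peer] entry.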
<h4 id="update">Update</h4>
<h5 id="strongswan-ipsec-vs-wireguard">strongswan IPSEC VS wireguard</h5>
<p><strong>wireguard is almost twice as fast as strongswan</strong></p>
<p>iperf test over the wireguard VPN, 30 second benchmark:</p>
<pre><code>root@sdvpn:~# iperf -c 192.168.40.7 -t 30
------------------------------------------------------------
Client connecting to 192.168.40.7, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[ 3] local 10.0.0.80 port 48270 connected with 192.168.40.7 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-30.1 sec 65.1 MBytes 18.1 Mbits/sec
root@sdvpn:~#
</code></pre>
<p>iperf test over the strongswan VPN, same 30 second benchmark:</p>
<pre><code>root@sdvpn:~# iperf -c 192.168.40.7 -t 30
------------------------------------------------------------
Client connecting to 192.168.40.7, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.80.4 port 57806 connected with 192.168.40.7 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-30.1 sec 35.6 MBytes 9.94 Mbits/sec
root@sdvpn:~#
</code></pre>
</div>
<div class="footer">
<div class="tags">
<i class="fa fa-tags"></i>
<div class="links">
<a href="/tags/vpn">vpn</a>
<a href="/tags/ubuntu">ubuntu</a>
<a href="/tags/wireguard">wireguard</a>
</div>
</div>
</div>
</article>
</div>
</div>
</body>
</html>