<!doctype html>
<html class="no-js" lang="tw">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="author" content="Eric Chang">
<meta name="description" content="Whats the Worst That Could Happen?">
<meta name="keywords" content="linux,blog,responsive,search,font awesome,pages,posts,multilingual,highlight.js,syntax highlighting,premium,shortcuts">
<meta content="" name="keywords">
<meta name="generator" content="Hugo 0.50" />
<title> [Notes] Building a site-to-site VPN with WireGuard on EdgeRouters / Site to Site Vpn Using Wireguard in Two Edgerouters | MCの飄狂山莊㊣</title>
<meta name="description" content="[Notes] Building a site-to-site VPN with WireGuard on EdgeRouters / Site to Site Vpn Using Wireguard in Two Edgerouters - Whats the Worst That Could Happen?">
<meta itemprop="name" content="[Notes] Building a site-to-site VPN with WireGuard on EdgeRouters / Site to Site Vpn Using Wireguard in Two Edgerouters">
<meta itemprop="description" content="[Notes] Building a site-to-site VPN with WireGuard on EdgeRouters / Site to Site Vpn Using Wireguard in Two Edgerouters - Whats the Worst That Could Happen?">
<meta property="og:title" content="[Notes] Building a site-to-site VPN with WireGuard on EdgeRouters / Site to Site Vpn Using Wireguard in Two Edgerouters">
<meta property="og:description" content="[Notes] Building a site-to-site VPN with WireGuard on EdgeRouters / Site to Site Vpn Using Wireguard in Two Edgerouters - Whats the Worst That Could Happen?">
<meta property="og:image" content="https://h.cowbay.org/images/post-default-5.jpg">
<meta property="og:url" content="https://h.cowbay.org/post/site-to-site-vpn-using-wireguard-in-two-edgerouters/">
<meta property="og:site_name" content="MCの飄狂山莊㊣">
<meta property="og:type" content="article">
<link rel="icon" type="image/png" href="https://h.cowbay.org/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="https://h.cowbay.org/favicon-16x16.png" sizes="16x16">
<link rel="stylesheet" href="https://h.cowbay.org/sass/combined.min.a89dfa577f701bffe9659f476ef61241cb2a3452b913e793463b0074a10c0a59.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
</head>
<body class="bilberry-hugo-theme">
<header>
<div class="container">
<div class="logo">
<a href="/" class="logo">
<img src="https://www.gravatar.com/avatar/e4eb1f8e016ffb73e9889f87d16e15f0?d=mm&size=200" alt="">
<span class="overlay"><i class="fa fa-home"></i></span>
</a>
</div>
<div class="titles">
<h3 class="title"><a href="/">MCの飄狂山莊㊣</a></h3>
<span class="subtitle">Whats the Worst That Could Happen?</span>
</div>
<div class="toggler permanentTopNav">
<i class="fa fa-bars" aria-hidden="true"></i>
</div>
</div>
</header>
<div class="main container">
<div class="article-wrapper u-cf single">
<a class="bubble" href="/post/site-to-site-vpn-using-wireguard-in-two-edgerouters/">
<i class="fa fa-fw fa-pencil"></i>
</a>
<article class="default article">
<div class="featured-image">
<a href="/post/site-to-site-vpn-using-wireguard-in-two-edgerouters/">
<img src="/images/post-default-5.jpg" alt="">
</a>
</div>
<div class="content">
<h3><a href="/post/site-to-site-vpn-using-wireguard-in-two-edgerouters/">[Notes] Building a site-to-site VPN with WireGuard on EdgeRouters / Site to Site Vpn Using Wireguard in Two Edgerouters</a></h3>
<div class="meta">
<span class="date moment">2019-08-06</span>
<span class="categories">
<a href="/categories/%E7%AD%86%E8%A8%98">Notes</a>
</span>
<span class="author"><a href="/author/eric-chang">Eric Chang</a></span>
</div>
<p>Previously, between headquarters and the branch office we used small Buffalo APs flashed with OpenWrt</p>
<p>and strongSwan to build an IPsec site-to-site VPN.</p>
<p>The config doesn't look very hard (it only looks that way),</p>
<p>but in practice the original documentation can no longer be found,</p>
<p>so maintaining it is very difficult (nobody even knows why or how those RSA keys were generated).</p>
<p>Later we bought two EdgeRouter X units for testing</p>
<p>and also built a site-to-site VPN successfully with OpenVPN.</p>
<p>I thought OpenVPN was already simple enough,</p>
<p>but today I read an article saying WireGuard can be even simpler,</p>
<p>so I looked into it and found that it really is very simple!</p>
<h3 id="download-deb-for-your-edgerouter">download deb for your edgerouter</h3>
<h4 id="go-check-https-github-com-lochnair-vyatta-wireguard-first">go check <a href="https://github.com/Lochnair/vyatta-wireguard">https://github.com/Lochnair/vyatta-wireguard</a> first</h4>
<pre><code>curl -L -O https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20190702-1/wireguard-v2.0-e50-0.0.20190702-1.deb
dpkg -i wireguard-v2.0-e50-0.0.20190702-1.deb
</code></pre>
<p>process log</p>
<pre><code>root@ubnt112:~# dpkg -i wireguard-v2.0-e50-0.0.20190702-1.deb
Selecting previously unselected package wireguard.
(Reading database ... 37024 files and directories currently installed.)
Preparing to unpack wireguard-v2.0-e50-0.0.20190702-1.deb ...
Adding 'diversion of /opt/vyatta/share/perl5/Vyatta/Interface.pm to /opt/vyatta/share/perl5/Vyatta/Interface.pm.vyatta by wireguard'
Adding 'diversion of /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp/interface-type/node.def to /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp/interface-type/node.def.vyatta by wireguard'
Unpacking wireguard (0.0.20190702-1) ...
Setting up wireguard (0.0.20190702-1) ...
</code></pre>
<h4 id="generate-private-public-key-in-left-router">generate private/public key in left router</h4>
<pre><code>wg genkey | tee /dev/tty | wg pubkey
</code></pre>
<p>The first line is the private key and the second line is the public key of this router.</p>
<pre><code>QGAUHJSDFAdkfjskdjo1DP8H1NuLTrXH6kue6kphaQk/iAkc=
ta+GJCWNUHJSDFAdkfjskdjnkppY5FpsIs3a8dc4oArtV8FU=
</code></pre>
<h4 id="configure-left-site-edgerouter">configure left site edgerouter</h4>
<pre><code>configure
set interfaces wireguard wg0 address 192.168.99.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
### paste the private key you just generated
set interfaces wireguard wg0 private-key QGAUHJSDFAdkfjskdjo1DP8H1NuLTrXH6kue6kphaQk/iAkc=
</code></pre>
<h4 id="generate-private-public-key-in-right-router">generate private/public key in right router</h4>
<pre><code>wg genkey | tee /dev/tty | wg pubkey
</code></pre>
<p>The first line is the private key and the second line is the public key of this router.</p>
<pre><code>UBzmPabcdefghijklmnopqrlbi5tnsQqjoJ4+H4=
tmlrPSabcdefghijklmnopqrIb1Enzf+108yotkhdRmk=
</code></pre>
<h4 id="configure-right-site-edgerouter">configure right site edgerouter</h4>
<pre><code>configure
set interfaces wireguard wg0 address 192.168.99.2/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
### paste the private key you just generated
set interfaces wireguard wg0 private-key UBzmPabcdefghijklmnopqrlbi5tnsQqjoJ4+H4=
</code></pre>
<p>Now configure both routers to talk to each other.</p>
<h4 id="configure-in-left-router">configure in left router</h4>
<pre><code>### use the right router public key here
set interfaces wireguard wg0 peer tmlrPSabcdefghijklmnopqrIb1Enzf+108yotkhdRmk= allowed-ips 192.168.99.0/16
set interfaces wireguard wg0 peer tmlrPSabcdefghijklmnopqrIb1Enzf+108yotkhdRmk= endpoint 222.222.222.222:51820
set interfaces wireguard wg0 peer tmlrPSabcdefghijklmnopqrIb1Enzf+108yotkhdRmk= persistent-keepalive 15
</code></pre>
<h4 id="configre-in-right-router">configure in right router</h4>
<pre><code>### use the left router public key here
set interfaces wireguard wg0 peer ta+GJCWNUHJSDFAdkfjskdjnkppY5FpsIs3a8dc4oArtV8FU= allowed-ips 192.168.99.0/16
set interfaces wireguard wg0 peer ta+GJCWNUHJSDFAdkfjskdjnkppY5FpsIs3a8dc4oArtV8FU= endpoint 111.111.111.111:51820
set interfaces wireguard wg0 peer ta+GJCWNUHJSDFAdkfjskdjnkppY5FpsIs3a8dc4oArtV8FU= persistent-keepalive 15
</code></pre>
<h4 id="configure-firewall-policy-in-left-site-router">configure firewall policy in left site router</h4>
<pre><code>### change 40 to your own rule number
set firewall name WAN_LOCAL rule 40 source port 51820
set firewall name WAN_LOCAL rule 40 destination port 51820
</code></pre>
<h4 id="configure-firewall-policy-in-right-site-router">configure firewall policy in right site router</h4>
<pre><code>### change 40 to your own rule number
set firewall name WAN_LOCAL rule 40 source port 51820
set firewall name WAN_LOCAL rule 40 destination port 51820
</code></pre>
<p>Then, finally, commit these changes on both routers.</p>
<pre><code>commit
### and save if you want
save
</code></pre>
<h4 id="oops-one-more-step-add-static-route">oops, one more step, add static route</h4>
<h5 id="manually-add-static-route-in-left-router">manually add static route in left router</h5>
<pre><code>ip route add 192.168.111.0/24 dev wg0
</code></pre>
<h5 id="manually-add-static-route-in-right-router">manually add static route in right router</h5>
<pre><code>ip route add 192.168.112.0/24 dev wg0
</code></pre>
<h4 id="check-wireguard-status-in-both-router">check wireguard status in both router</h4>
<h5 id="left">left</h5>
<pre><code> root@ubnt112:~# sudo wg
interface: wg0
public key: ta+GJCWNUHJSDFAdkfjskdjnkppY5FpsIs3a8dc4oArtV8FU=
private key: (hidden)
listening port: 51820
peer: tmlrPSabcdefghijklmnopqrIb1Enzf+108yotkhdRmk=
endpoint: 111.111.111.111:51820
allowed ips: 192.168.99.0/16
latest handshake: 1 minute, 19 seconds ago
transfer: 7.49 MiB received, 195.86 MiB sent
persistent keepalive: every 15 seconds
root@ubnt112:~#
</code></pre>
<h5 id="right">right</h5>
<pre><code>interface: wg0
public key: tmlrPSabcdefghijklmnopqrIb1Enzf+108yotkhdRmk=
private key: (hidden)
listening port: 51820
peer: ta+GJCWNUHJSDFAdkfjskdjnkppY5FpsIs3a8dc4oArtV8FU=
endpoint: 222.222.222.222:51820
allowed ips: 192.168.99.0/16
latest handshake: 1 minute, 48 seconds ago
transfer: 195.60 MiB received, 8.07 MiB sent
persistent keepalive: every 15 seconds
root@ubnt111:~#
</code></pre>
<h3 id="need-more-edgerouter-and-lease-line-to-try-multiple-site-to-site-vpn-using-wideguard">need more edgerouters and leased lines to try multiple site to site VPN using wireguard</h3>
<h5 id="need-to-study-about-allowed-ips">need to study allowed-ips</h5>
<h3 id="sort-out-scripts">sort out scripts</h3>
<h5 id="left-router">left router</h5>
<pre><code>wg genkey | tee /dev/tty | wg pubkey
QGAUHJSDFAdkfjskdjo1DP8H1NuLTrXH6kue6kphaQk/iAkc=
ta+GJCWNUHJSDFAdkfjskdjnkppY5FpsIs3a8dc4oArtV8FU=
configure
set interfaces wireguard wg0 address 192.168.99.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key QGAUHJSDFAdkfjskdjo1DP8H1NuLTrXH6kue6kphaQk/iAkc=
set interfaces wireguard wg0 peer tmlrPSabcdefghijklmnopqrIb1Enzf+108yotkhdRmk= allowed-ips 192.168.99.0/16
set interfaces wireguard wg0 peer tmlrPSabcdefghijklmnopqrIb1Enzf+108yotkhdRmk= endpoint 222.222.222.222:51820
set interfaces wireguard wg0 peer tmlrPSabcdefghijklmnopqrIb1Enzf+108yotkhdRmk= persistent-keepalive 15
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol udp
set firewall name WAN_LOCAL rule 40 source port 51820
set firewall name WAN_LOCAL rule 40 destination port 51820
commit
save
ip route add 192.168.111.0/24 dev wg0
</code></pre>
<h5 id="right-router">right router</h5>
<pre><code>wg genkey | tee /dev/tty | wg pubkey
UBzmPabcdefghijklmnopqrlbi5tnsQqjoJ4+H4=
tmlrPSabcdefghijklmnopqrIb1Enzf+108yotkhdRmk=
configure
set interfaces wireguard wg0 address 192.168.99.2/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key UBzmPabcdefghijklmnopqrlbi5tnsQqjoJ4+H4=
set interfaces wireguard wg0 peer ta+GJCWNUHJSDFAdkfjskdjnkppY5FpsIs3a8dc4oArtV8FU= allowed-ips 192.168.99.0/16
set interfaces wireguard wg0 peer ta+GJCWNUHJSDFAdkfjskdjnkppY5FpsIs3a8dc4oArtV8FU= endpoint 111.111.111.111:51820
set interfaces wireguard wg0 peer ta+GJCWNUHJSDFAdkfjskdjnkppY5FpsIs3a8dc4oArtV8FU= persistent-keepalive 15
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol udp
set firewall name WAN_LOCAL rule 40 source port 51820
set firewall name WAN_LOCAL rule 40 destination port 51820
commit
save
ip route add 192.168.112.0/24 dev wg0
</code></pre>
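<p>As an added example (not part of the original post), the following Python cross-checks the two routers' peer settings against each other: each side's endpoint port must equal the far side's listen-port, and allowed-ips must be a clean prefix that covers both the far side's tunnel address and the LAN its static route sends through wg0. The command lists inside are constructed from the post's values and keep the sort of slip that gets into such configs: the right side's endpoint port typed as 51280 instead of 51820.</p>

```python
import ipaddress

# Constructed input: the post's left/right router peer settings, with the
# endpoint port on the right side deliberately mistyped as 51280.
LEFT_PUB = "ta+GJCWNUHJSDFAdkfjskdjnkppY5FpsIs3a8dc4oArtV8FU="
RIGHT_PUB = "tmlrPSabcdefghijklmnopqrIb1Enzf+108yotkhdRmk="
LEFT_CFG = f"""
set interfaces wireguard wg0 address 192.168.99.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 peer {RIGHT_PUB} allowed-ips 192.168.99.0/16
set interfaces wireguard wg0 peer {RIGHT_PUB} endpoint 222.222.222.222:51820
"""
RIGHT_CFG = f"""
set interfaces wireguard wg0 address 192.168.99.2/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 peer {LEFT_PUB} allowed-ips 192.168.99.0/16
set interfaces wireguard wg0 peer {LEFT_PUB} endpoint 111.111.111.111:51280
"""

def parse(cfg):
    """Reduce EdgeOS 'set interfaces wireguard wg0 ...' lines to a dict."""
    c = {"peers": {}}
    for w in (line.split() for line in cfg.strip().splitlines()):
        if w[4] == "peer":
            c["peers"].setdefault(w[5], {})[w[6]] = w[7]  # pubkey -> {field: value}
        else:
            c[w[4]] = w[5]                                # address, listen-port, ...
    return c

def check(local, remote, remote_pub, remote_lan):
    """Findings for LOCAL's peer entry describing REMOTE; [] means consistent."""
    peer = local["peers"].get(remote_pub)
    if peer is None:
        return [f"no peer entry for remote public key {remote_pub}"]
    found = []
    port = peer.get("endpoint", "").rpartition(":")[2]
    if port != remote["listen-port"]:
        found.append(f"endpoint port {port} != remote listen-port {remote['listen-port']}")
    try:
        net = ipaddress.ip_network(peer["allowed-ips"])
    except ValueError:  # host bits set: only the first prefix-length bits are ever matched
        net = ipaddress.ip_network(peer["allowed-ips"], strict=False)
        found.append(f"allowed-ips {peer['allowed-ips']} has host bits set; matches as {net}")
    if ipaddress.ip_interface(remote["address"]).ip not in net:
        found.append(f"remote tunnel address {remote['address']} outside allowed-ips {net}")
    if not ipaddress.ip_network(remote_lan).subnet_of(net):
        found.append(f"remote LAN {remote_lan} outside allowed-ips; cryptokey routing drops it")
    return found

def run():
    """Check both directions against the LANs the post's static routes point at."""
    left, right = parse(LEFT_CFG), parse(RIGHT_CFG)
    return {"left": check(left, right, RIGHT_PUB, "192.168.111.0/24"),
            "right": check(right, left, LEFT_PUB, "192.168.112.0/24")}
```

<p>On these inputs it reports the port mismatch on the right side and, on both sides, that 192.168.99.0/16 has host bits set and therefore matches all of 192.168.0.0/16, which is also a prefix the kernel refuses to install as a route in that form.</p>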
</div>
<div class="footer">
<div class="tags">
<i class="fa fa-tags"></i>
<div class="links">
<a href="/tags/vpn">vpn</a>
<a href="/tags/edgerouter">edgerouter</a>
</div>
</div>
</div>
</article>
</div>
</div>
<div class="credits">
<div class="container">
<div class="copyright">
<a href="https://github.com/Lednerb" target="_blank">
&copy;
2017
by Lednerb
</a>
</div>
<div class="author">
<a href="https://www.yapee.tw/mvc/onlinePay/webLink?key=lMC74kucH21JChCR77-wJ80ZZ-Poh11amP24BwiDdHw" target="_blank">Bilberry Hugo Theme</a>
</div>
</div>
</div>
</body>
</html>