[WIP]

Using WireGuard

Time required: about 3 minutes

Installation

The installation steps for each environment are described at https://www.wireguard.com/install/.

macOS

brew install wireguard-tools

Ubuntu

sudo apt install wireguard

Connecting to the demo environment

Start the vagrant environment and confirm that it can connect to the demo environment that has already been prepared. For the connection steps, I followed the Demo Server instructions as-is.

Start vagrant.

$ vagrant status
Current machine states:

default                   poweroff (virtualbox)

The VM is powered off. To restart the VM, simply run `vagrant up`

Process vagrant: In /opt/ng/symdon/pages/posts/1615012512/ finished
$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
==> default: Forwarding ports...
    default: 51820 (guest) => 51820 (host) (adapter 1)
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Running 'pre-boot' VM customizations...
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2222
    default: SSH username: vagrant
    default: SSH auth method: private key
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
    default: The guest additions on this VM do not match the installed version of
    default: VirtualBox! In most cases this is fine, but in rare cases it can
    default: prevent things such as shared folders from working properly. If you see
    default: shared folder errors, please make sure the guest additions within the
    default: virtual machine match the version of VirtualBox you have installed on
    default: your host and reload your VM.
    default:
    default: Guest Additions Version: 5.1.38
    default: VirtualBox Version: 6.1
==> default: Mounting shared folders...
    default: /vagrant => /opt/ng/symdon/pages/posts/1615012512
==> default: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> default: flag to force provisioning. Provisioners marked to run always will still run.

Process vagrant: In /opt/ng/symdon/pages/posts/1615012512/ finished

Log in to the vagrant machine with ssh.

$ vagrant ssh
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-203-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 of these updates are security updates.

New release '18.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: Sun Mar  7 04:05:10 2021 from 10.0.2.2

Almost every operation here has to be run with sudo, so to save the trouble of prefixing each command with sudo I take the shortcut of running sudo -s.

vagrant@ubuntu-xenial:~$ sudo -s

Download the demo script.

root@ubuntu-xenial:~# curl -o client.sh https://git.zx2c4.com/wireguard-tools/plain/contrib/ncat-client-server/client.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1061  100  1061    0     0    400      0  0:00:02  0:00:02 --:--:--   400

Run the demo script to perform the setup.

root@ubuntu-xenial:~# bash client.sh

Checking the network interfaces shows that a new interface named wg0 has been added.

root@ubuntu-xenial:~# ip show link
Object "show" is unknown, try "ip help".
root@ubuntu-xenial:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 02:49:cb:75:7f:af brd ff:ff:ff:ff:ff:ff
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/none

Send ICMP packets to the peer using ping.

root@ubuntu-xenial:~# ping 192.168.4.1
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
64 bytes from 192.168.4.1: icmp_seq=1 ttl=64 time=272 ms
64 bytes from 192.168.4.1: icmp_seq=2 ttl=64 time=295 ms
64 bytes from 192.168.4.1: icmp_seq=3 ttl=64 time=316 ms
64 bytes from 192.168.4.1: icmp_seq=4 ttl=64 time=339 ms
64 bytes from 192.168.4.1: icmp_seq=5 ttl=64 time=361 ms
64 bytes from 192.168.4.1: icmp_seq=6 ttl=64 time=365 ms
64 bytes from 192.168.4.1: icmp_seq=7 ttl=64 time=285 ms
64 bytes from 192.168.4.1: icmp_seq=8 ttl=64 time=303 ms
64 bytes from 192.168.4.1: icmp_seq=9 ttl=64 time=316 ms
64 bytes from 192.168.4.1: icmp_seq=10 ttl=64 time=340 ms
64 bytes from 192.168.4.1: icmp_seq=11 ttl=64 time=363 ms
64 bytes from 192.168.4.1: icmp_seq=12 ttl=64 time=280 ms
64 bytes from 192.168.4.1: icmp_seq=13 ttl=64 time=303 ms
^C
--- 192.168.4.1 ping statistics ---
14 packets transmitted, 13 received, 7% packet loss, time 13162ms
rtt min/avg/max/mdev = 272.380/318.787/365.456/31.106 ms

Configure routing so that the tunnel becomes the default route.

root@ubuntu-xenial:~# bash client.sh default-route

Check which path is taken when connecting to the Internet.

root@ubuntu-xenial:~# curl zx2c4.com/ip
163.172.161.0
demo.wireguard.com
curl/7.47.0

This shows that the connection went out via demo.wireguard.com.

The following are notes.

Procedure

wg genkey > private
Warning: writing to world accessible file.
Consider setting the umask to 077 and trying again.

Environment

Simple

ip link add wg0 type wireguard
wg set wg0 private-key /tmp/key peer PUBLIC_KEY endpoint demo.wireguard.io:12912 allowed-ips 192.168.4.0/24
ip addr add 192.168.4.2/24 dev wg0
ip link set wg0 up

Linux

Ubuntu Xenial

Create the virtual link. (Related information: OSPF)

ip link add wg0 type wireguard

Assign an IP address.

ip address add dev wg0 10.0.0.1/24
ip address add dev wg0 192.168.2.1 peer 192.168.2.2
wg setconf wg0 myconfig.conf
wg set wg0 listen-port 51820 private-key /path/to/private-key peer ABCDEF... allowed-ips 192.168.88.0/24 endpoint 209.202.254.14:8172
ip link set up dev wg0
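As an added example (not code from this page or from the WireGuard project), the Python below builds the myconfig.conf that wg setconf would read from the same parameters as the wg set line above, validates the keys and allowed-ips, and writes the file with mode 0600 so the private key never ends up in a world-accessible file like the one wg genkey warned about under Procedure. The two keys are constructed placeholders, not real WireGuard keys.

```python
import base64
import ipaddress
import os
import stat
import tempfile

# Constructed placeholder keys (base64 of fixed bytes); NOT real WireGuard keys.
DEMO_PRIVATE_KEY = base64.b64encode(bytes(range(32))).decode()
DEMO_PEER_KEY = base64.b64encode(bytes(range(32, 64))).decode()


def is_wg_key(key: str) -> bool:
    """A WireGuard key is base64 of exactly 32 bytes (Curve25519)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def render_wg_conf(private_key, listen_port, peer_public_key, allowed_ips, endpoint=None):
    """Render the `wg setconf` INI equivalent of a `wg set ...` command line."""
    if not (is_wg_key(private_key) and is_wg_key(peer_public_key)):
        raise ValueError("keys must be base64-encoded 32-byte values")
    if not 1 <= int(listen_port) <= 65535:
        raise ValueError("listen-port out of range")
    # strict=False mirrors wg, which masks host bits (192.168.4.2/24 -> 192.168.4.0/24)
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]
    lines = ["[Interface]", f"PrivateKey = {private_key}", f"ListenPort = {listen_port}", "",
             "[Peer]", f"PublicKey = {peer_public_key}",
             "AllowedIPs = " + ", ".join(str(n) for n in nets)]
    if endpoint:
        host, _, port = endpoint.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError("endpoint must be host:port")
        lines.append(f"Endpoint = {endpoint}")
    return "\n".join(lines) + "\n"


def write_private_file(path, text):
    """Create the file with mode 0600 regardless of umask, so the key is not world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # the O_CREAT mode is ignored for a pre-existing file
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Render the wg set parameters from the notes as a config and write it to a temp dir."""
    conf = render_wg_conf(DEMO_PRIVATE_KEY, 51820, DEMO_PEER_KEY,
                          ["192.168.88.0/24"], "209.202.254.14:8172")
    path = os.path.join(tempfile.mkdtemp(), "myconfig.conf")
    return conf, write_private_file(path, conf)
```

The rendered file can then be loaded with `wg setconf wg0 myconfig.conf` exactly as in the notes.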