finish wireguard article

raspbeguy 2020-05-15 16:59:20 +02:00
parent 6286b2eee8
commit e2dfdd3d81
2 changed files with 224 additions and 0 deletions

@ -0,0 +1,107 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created by diasvg.py -->
<svg width="22.150cm" height="10.850cm" viewBox="39.700 17.400 61.850 28.250"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink">
<line x1="51.700" y1="17.450" x2="60.800" y2="17.450" stroke="#000000" stroke-width="0.100" stroke-dasharray="0.10,0.10" stroke-linejoin="round"/>
<line x1="51.700" y1="28.200" x2="60.800" y2="28.200" stroke="#000000" stroke-width="0.100" stroke-dasharray="0.10,0.10" stroke-linejoin="round"/>
<path stroke="#000000" fill="none" stroke-width="0.100" stroke-dasharray="0.10,0.10" stroke-linejoin="round" d ="M 51.700,17.450 A 1.000,1.000 0 0,0 50.700,18.450 "/>
<path stroke="#000000" fill="none" stroke-width="0.100" stroke-dasharray="0.10,0.10" stroke-linejoin="round" d ="M 61.800,18.450 A 1.000,1.000 0 0,0 60.800,17.450 "/>
<line x1="50.700" y1="18.450" x2="50.700" y2="27.200" stroke="#000000" stroke-width="0.100" stroke-dasharray="0.10,0.10" stroke-linejoin="round"/>
<line x1="61.800" y1="18.450" x2="61.800" y2="27.200" stroke="#000000" stroke-width="0.100" stroke-dasharray="0.10,0.10" stroke-linejoin="round"/>
<path stroke="#000000" fill="none" stroke-width="0.100" stroke-dasharray="0.10,0.10" stroke-linejoin="round" d ="M 50.700,27.200 A 1.000,1.000 0 0,0 51.700,28.200 "/>
<path stroke="#000000" fill="none" stroke-width="0.100" stroke-dasharray="0.10,0.10" stroke-linejoin="round" d ="M 60.800,28.200 A 1.000,1.000 0 0,0 61.800,27.200 "/>
<line x1="40.750" y1="19.925" x2="49.700" y2="19.925" stroke="#000000" stroke-width="0.100" stroke-linejoin="round"/>
<line x1="40.750" y1="25.725" x2="49.700" y2="25.725" stroke="#000000" stroke-width="0.100" stroke-linejoin="round"/>
<path stroke="#000000" fill="none" stroke-width="0.100" stroke-linejoin="round" d ="M 40.750,19.925 A 1.000,1.000 0 0,0 39.750,20.925 "/>
<path stroke="#000000" fill="none" stroke-width="0.100" stroke-linejoin="round" d ="M 50.700,20.925 A 1.000,1.000 0 0,0 49.700,19.925 "/>
<line x1="39.750" y1="20.925" x2="39.750" y2="24.725" stroke="#000000" stroke-width="0.100" stroke-linejoin="round"/>
<line x1="50.700" y1="20.925" x2="50.700" y2="24.725" stroke="#000000" stroke-width="0.100" stroke-linejoin="round"/>
<path stroke="#000000" fill="none" stroke-width="0.100" stroke-linejoin="round" d ="M 39.750,24.725 A 1.000,1.000 0 0,0 40.750,25.725 "/>
<path stroke="#000000" fill="none" stroke-width="0.100" stroke-linejoin="round" d ="M 49.700,25.725 A 1.000,1.000 0 0,0 50.700,24.725 "/>
<rect x="49.663" y="23.486" width="1.990" height="0.791" fill="#FFFFFF" stroke="none" stroke-width="0"/>
<rect x="49.663" y="23.486" width="1.990" height="0.791" fill="none" stroke="#FFFFFF" stroke-width="0.100" />
<rect x="50.279" y="21.406" width="0.789" height="1.842" fill="#B3B3B3" stroke="none" stroke-width="0"/>
<rect x="50.279" y="21.406" width="0.789" height="1.842" fill="none" stroke="#000000" stroke-width="0.080" />
<rect x="50.358" y="21.516" width="0.632" height="0.211" fill="none" stroke="#000000" stroke-width="0.010" />
<rect x="50.358" y="21.727" width="0.632" height="0.211" fill="none" stroke="#000000" stroke-width="0.010" />
<rect x="50.358" y="21.937" width="0.632" height="0.211" fill="none" stroke="#000000" stroke-width="0.010" />
<rect x="50.358" y="22.148" width="0.632" height="0.211" fill="none" stroke="#000000" stroke-width="0.010" />
<rect x="50.358" y="22.400" width="0.395" height="0.126" fill="none" stroke="#000000" stroke-width="0.010" />
<ellipse cx="50.950" cy="22.421" rx="0.028" ry="0.028" fill="#00FF00" stroke="none" /><ellipse cx="50.950" cy="22.421" rx="0.028" ry="0.028" fill="none" stroke="#000000" stroke-width="0.010" /><ellipse cx="50.950" cy="22.506" rx="0.028" ry="0.028" fill="#FFFF00" stroke="none" /><ellipse cx="50.950" cy="22.506" rx="0.028" ry="0.028" fill="none" stroke="#000000" stroke-width="0.010" /><rect x="50.792" y="22.442" width="0.095" height="0.084" fill="#FFFFFF" stroke="none" stroke-width="0"/>
<rect x="50.792" y="22.442" width="0.095" height="0.084" fill="none" stroke="#000000" stroke-width="0.010" />
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 50.411,22.695 L 50.411,23.156 "/>
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 50.542,22.695 L 50.542,23.156 "/>
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 50.674,22.695 L 50.674,23.156 "/>
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 50.805,22.695 L 50.805,23.156 "/>
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 50.937,22.695 L 50.937,23.156 "/>
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 51.068,22.695 L 51.068,23.156 "/>
<polygon fill="#999999" stroke="none" stroke-width="0.010" points="50.121,23.406 50.279,23.090 50.279,23.248 51.068,23.248 51.068,23.090 51.279,23.406 "/>
<polygon fill="none" stroke="#000000" stroke-width="0.010" points="50.121,23.406 50.279,23.090 50.279,23.248 51.068,23.248 51.068,23.090 51.279,23.406 "/>
<text x="50.700" y="24.052" fill="#000000" text-anchor="middle" font-size="0.80" font-family="sans" font-style="normal" font-weight="400">
Carol</text>
<rect x="41.562" y="21.387" width="0.789" height="1.842" fill="#B3B3B3" stroke="none" stroke-width="0"/>
<rect x="41.562" y="21.387" width="0.789" height="1.842" fill="none" stroke="#000000" stroke-width="0.080" />
<rect x="41.641" y="21.497" width="0.632" height="0.211" fill="none" stroke="#000000" stroke-width="0.010" />
<rect x="41.641" y="21.708" width="0.632" height="0.211" fill="none" stroke="#000000" stroke-width="0.010" />
<rect x="41.641" y="21.918" width="0.632" height="0.211" fill="none" stroke="#000000" stroke-width="0.010" />
<rect x="41.641" y="22.129" width="0.632" height="0.211" fill="none" stroke="#000000" stroke-width="0.010" />
<rect x="41.641" y="22.382" width="0.395" height="0.126" fill="none" stroke="#000000" stroke-width="0.010" />
<ellipse cx="42.233" cy="22.403" rx="0.028" ry="0.028" fill="#00FF00" stroke="none" /><ellipse cx="42.233" cy="22.403" rx="0.028" ry="0.028" fill="none" stroke="#000000" stroke-width="0.010" /><ellipse cx="42.233" cy="22.487" rx="0.028" ry="0.028" fill="#FFFF00" stroke="none" /><ellipse cx="42.233" cy="22.487" rx="0.028" ry="0.028" fill="none" stroke="#000000" stroke-width="0.010" /><rect x="42.075" y="22.424" width="0.095" height="0.084" fill="#FFFFFF" stroke="none" stroke-width="0"/>
<rect x="42.075" y="22.424" width="0.095" height="0.084" fill="none" stroke="#000000" stroke-width="0.010" />
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 41.694,22.676 L 41.694,23.137 "/>
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 41.825,22.676 L 41.825,23.137 "/>
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 41.957,22.676 L 41.957,23.137 "/>
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 42.088,22.676 L 42.088,23.137 "/>
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 42.220,22.676 L 42.220,23.137 "/>
<path stroke="#000000" fill="none" stroke-width="0.010" d="M 42.352,22.676 L 42.352,23.137 "/>
<polygon fill="#999999" stroke="none" stroke-width="0.010" points="41.404,23.387 41.562,23.071 41.562,23.229 42.352,23.229 42.352,23.071 42.562,23.387 "/>
<polygon fill="none" stroke="#000000" stroke-width="0.010" points="41.404,23.387 41.562,23.071 41.562,23.229 42.352,23.229 42.352,23.071 42.562,23.387 "/>
<text x="41.983" y="24.034" fill="#000000" text-anchor="middle" font-size="0.80" font-family="sans" font-style="normal" font-weight="400">
Dave</text>
<rect x="57.844" y="18.481" width="2.034" height="1.525" fill="#B3B3B3" stroke="none" stroke-width="0"/>
<rect x="57.844" y="18.481" width="2.034" height="1.525" fill="none" stroke="#000000" stroke-width="0.050" />
<rect x="58.064" y="18.701" width="1.593" height="1.051" fill="#000000" stroke="none" stroke-width="0"/>
<polygon fill="#B3B3B3" stroke="none" stroke-width="0.050" points="58.119,20.007 59.166,20.007 59.166,20.244 58.174,20.244 "/>
<polygon fill="none" stroke="#000000" stroke-width="0.050" points="58.119,20.007 59.166,20.007 59.166,20.244 58.174,20.244 "/>
<polygon fill="#B3B3B3" stroke="none" stroke-width="0.050" points="59.166,20.007 59.602,20.007 59.547,20.244 59.166,20.244 "/>
<polygon fill="none" stroke="#000000" stroke-width="0.050" points="59.166,20.007 59.602,20.007 59.547,20.244 59.166,20.244 "/>
<rect x="59.237" y="20.078" width="0.095" height="0.095" fill="#FFFFFF" stroke="none" stroke-width="0"/>
<rect x="59.237" y="20.078" width="0.095" height="0.095" fill="none" stroke="#000000" stroke-width="0.025" />
<polygon fill="#B3B3B3" stroke="none" stroke-width="0.050" points="58.657,20.244 59.064,20.244 59.064,20.362 59.268,20.362 59.268,20.481 58.454,20.481 58.454,20.362 58.657,20.362 "/>
<polygon fill="none" stroke="#000000" stroke-width="0.050" points="58.657,20.244 59.064,20.244 59.064,20.362 59.268,20.362 59.268,20.481 58.454,20.481 58.454,20.362 58.657,20.362 "/>
<text x="58.861" y="21.143" fill="#000000" text-anchor="middle" font-size="0.80" font-family="sans" font-style="normal" font-weight="400">
Alice</text>
<rect x="57.844" y="24.281" width="2.034" height="1.525" fill="#B3B3B3" stroke="none" stroke-width="0"/>
<rect x="57.844" y="24.281" width="2.034" height="1.525" fill="none" stroke="#000000" stroke-width="0.050" />
<rect x="58.064" y="24.501" width="1.593" height="1.051" fill="#000000" stroke="none" stroke-width="0"/>
<polygon fill="#B3B3B3" stroke="none" stroke-width="0.050" points="58.119,25.807 59.166,25.807 59.166,26.044 58.174,26.044 "/>
<polygon fill="none" stroke="#000000" stroke-width="0.050" points="58.119,25.807 59.166,25.807 59.166,26.044 58.174,26.044 "/>
<polygon fill="#B3B3B3" stroke="none" stroke-width="0.050" points="59.166,25.807 59.602,25.807 59.547,26.044 59.166,26.044 "/>
<polygon fill="none" stroke="#000000" stroke-width="0.050" points="59.166,25.807 59.602,25.807 59.547,26.044 59.166,26.044 "/>
<rect x="59.237" y="25.878" width="0.095" height="0.095" fill="#FFFFFF" stroke="none" stroke-width="0"/>
<rect x="59.237" y="25.878" width="0.095" height="0.095" fill="none" stroke="#000000" stroke-width="0.025" />
<polygon fill="#B3B3B3" stroke="none" stroke-width="0.050" points="58.657,26.044 59.064,26.044 59.064,26.162 59.268,26.162 59.268,26.281 58.454,26.281 58.454,26.162 58.657,26.162 "/>
<polygon fill="none" stroke="#000000" stroke-width="0.050" points="58.657,26.044 59.064,26.044 59.064,26.162 59.268,26.162 59.268,26.281 58.454,26.281 58.454,26.162 58.657,26.162 "/>
<text x="58.861" y="26.943" fill="#000000" text-anchor="middle" font-size="0.80" font-family="sans" font-style="normal" font-weight="400">
Bob</text>
<rect x="51.218" y="22.270" width="1.640" height="0.394" fill="#FFFFFF" stroke="none" stroke-width="0"/>
<text x="51.218" y="22.584" fill="#000000" text-anchor="start" font-size="0.42" font-family="monospace" font-style="normal" font-weight="400">
10.0.0.3</text>
<rect x="56.109" y="19.257" width="1.640" height="0.394" fill="#FFFFFF" stroke="none" stroke-width="0"/>
<text x="57.749" y="19.572" fill="#000000" text-anchor="end" font-size="0.42" font-family="monospace" font-style="normal" font-weight="400">
10.0.0.1</text>
<rect x="56.124" y="25.147" width="1.640" height="0.394" fill="#FFFFFF" stroke="none" stroke-width="0"/>
<text x="57.764" y="25.462" fill="#000000" text-anchor="end" font-size="0.42" font-family="monospace" font-style="normal" font-weight="400">
10.0.0.2</text>
<rect x="47.793" y="22.270" width="2.255" height="0.394" fill="#FFFFFF" stroke="none" stroke-width="0"/>
<text x="50.048" y="22.584" fill="#000000" text-anchor="end" font-size="0.42" font-family="monospace" font-style="normal" font-weight="400">
192.168.0.1</text>
<rect x="42.482" y="22.271" width="2.255" height="0.394" fill="#FFFFFF" stroke="none" stroke-width="0"/>
<text x="42.482" y="22.585" fill="#000000" text-anchor="start" font-size="0.42" font-family="monospace" font-style="normal" font-weight="400">
192.168.0.2</text>
<text x="45.225" y="25.574" fill="#000000" text-anchor="middle" font-size="0.80" font-family="sans" font-style="normal" font-weight="400">
Réseau interne</text>
<text x="56.250" y="28.049" fill="#000000" text-anchor="middle" font-size="0.80" font-family="sans" font-style="normal" font-weight="400">
Réseau VPN</text>
</svg>
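Review bot: the address labels in this diagram disagree with the configurations in the article hunk of the same commit: the `10.0.0.3` text placed next to the Carol node gives Carol that VPN address, while Carol's configuration sets `Address = 10.0.0.1/16`, which is the address this diagram assigns to Alice and which Carol's own `[Peer] # Alice` block allows. Pick one; changing the configuration to `Address = 10.0.0.3/16` keeps the diagram, the `Address` lines and the `AllowedIPs` entries consistent. Also, the `<!-- Created by diasvg.py -->` header shows this SVG is generated from a Dia source, but only two files are in the commit, so the `.dia` source is not versioned; committing it alongside the SVG would let the diagram be edited later instead of redrawn.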

@ -77,3 +77,120 @@ wg genkey | tee private.key | wg pubkey > public.key
`wg genkey` va générer une clef privée et `wg pubkey` va créer la clef publique correspondante.
Ensuite, les deux pairs doivent s'échanger leur clefs publiques par les moyens qu'ils estiment les plus adéquats (vérification en personne, mail, SMS, télégramme, fax...).
Disons qu'Alice et Bob souhaitent devenir pairs l'un de l'autre. Chacun se crée une paire de clef.
* Pour Alice :
- Clef privée : `6JcAuA98HpuSqfvOaZjcwK5uMmqD2ue/Qh+LRZEIiFs=`
- Clef publique : `gYgGMxOLbdcwAVN8ni7A17lo3I7hNYb0Owgp3nyr0mE=`
* Pour Bob :
- Clef privée : `yC4+YcRd4SvawcfTmpa0uFiUnl/5GR1ZxxIHvLvgqks=`
- Clef publique : `htjM/99P5Y0z4cfolqPfKqvsWb5VdLP6xMjflyXceEo=`
Alice et Bob vont ensuite s'échanger leurs clefs publiques.
Notez comme la tête d'une clef privée ressemble à celle d'une clef privée. C'est tentant de confondre les deux. Mais ne le faîtes pas, ce serait mauvais pour votre karma.
Ensuite Alice et Bob vont constituer leurs fichiers de configuration, à placer dans `/etc/wireguard/wg0.conf`. Le fichier n'est pas obligé de s'appeler `wg0.conf`, il doit juste se terminer par `.conf`.
Pour Alice :
```ini
[Interface]
PrivateKey = 6JcAuA98HpuSqfvOaZjcwK5uMmqD2ue/Qh+LRZEIiFs=
Address = 10.0.0.1/16
[Peer]
PublicKey = htjM/99P5Y0z4cfolqPfKqvsWb5VdLP6xMjflyXceEo=
AllowedIPs = 10.0.0.2/32
```
Pour Bob :
```ini
[Interface]
PrivateKey = yC4+YcRd4SvawcfTmpa0uFiUnl/5GR1ZxxIHvLvgqks=
Address = 10.0.0.2/16
[Peer]
PublicKey = gYgGMxOLbdcwAVN8ni7A17lo3I7hNYb0Owgp3nyr0mE=
AllowedIPs = 10.0.0.1/32
```
Trois remarques :
* Seule la clef publique permet de différencier les pairs. Il n'y a pas de champs pour un nom ou un éventuel commentaire.
* L'IP ou la plage IP définie dans `AllowedIPs` correspond à toutes les adresses IP cibles des paquets qui seront envoyées à ce pair, et à toutes les adresses IP sources des paquets susceptibles d'être reçus par ce pair. On en reparle plus tard.
* En l'état, le VPN ne pourra pas marcher : ni Alice ni Bob ne sais où trouver l'autre pair. Il faut qu'au moins un des deux pairs ait un point d'accès, comme nous l'avons expliqué plus haut. S'il est décidé qu'Alice communique son point d'accès, Alice devra ajouter un champ `ListenPort` à ta rubrique `Interface`, et Bob ajoutera un champ `Endpoint` à la déclaration du pair correspondant à Alice.
Pour Alice, sa configuration devient :
```ini
[Interface]
PrivateKey = 6JcAuA98HpuSqfvOaZjcwK5uMmqD2ue/Qh+LRZEIiFs=
Address = 10.0.0.1/16
ListenPort = 51820
[Peer]
PublicKey = htjM/99P5Y0z4cfolqPfKqvsWb5VdLP6xMjflyXceEo=
AllowedIPs = 10.0.0.2/16
```
Pour Bob :
```ini
[Interface]
PrivateKey = yC4+YcRd4SvawcfTmpa0uFiUnl/5GR1ZxxIHvLvgqks=
Address = 10.0.0.2/16
[Peer]
PublicKey = gYgGMxOLbdcwAVN8ni7A17lo3I7hNYb0Owgp3nyr0mE=
AllowedIPs = 10.0.0.1/32
Endpoint = alice.example.com:51820
```
# Routage des pairs
La signification du champ `AllowedIPs` est un peu subtile, car elle concerne les deux sens de circulation des paquets. C'est à la fois utilisé pour filtrer les paquets arrivant pour vérifier qu'ils utilisent une IP attendue et pour router les paquets sortants vers ce pair.
On est pas obligé de ne mettre que l'adresse VPN du pair. D'ailleurs, notament dans le scénario *roadwarrior*, il faut que les machines mobiles configurent le pair correspondant à la passerelle d'accès avec un champ `AllowedIPs` correspondant au réseau VPN entier, par exemple 10.0.0.0/16.
Reprenons notre scénario *roadwarrior* avec Alice et Bob en pair mobile et Carol en passerelle d'accès. On définit le réseau VPN 10.0.0.0/16. D'autre part, disons que le réseau interne auquel Carol doit servir de passerelle est en 192.168.0.0/16 et contient une machine Dave.
![](%assets_dir%/wireguard-le-vpn-sauce-kiss/wg-rw.svg)
Carol a donc une paire de clef :
* Clef privée : `8NnK2WzbsDNVXNK+KOxffeQyxecxUALv3vqnMFASDX0=`
* Clef publique : `u8MYP4ObUBmaro5mSFojD6FJFC3ndaJFBgfx3XnvDCM=`
La configuration de Carol ressemble alors à ceci :
```ini
[Interface]
PrivateKey = 8NnK2WzbsDNVXNK+KOxffeQyxecxUALv3vqnMFASDX0=
Address = 10.0.0.1/16
ListenPort = 51820
[Peer] # Alice
PublicKey = gYgGMxOLbdcwAVN8ni7A17lo3I7hNYb0Owgp3nyr0mE=
AllowedIPs = 10.0.0.1/32
[Peer] # Bob
PublicKey = htjM/99P5Y0z4cfolqPfKqvsWb5VdLP6xMjflyXceEo=
AllowedIPs = 10.0.0.2/16
```
Celle d'Alice et Bob ne contiennent d'un seul pair correspondant à Carol et ressemblant à ceci :
```ini
[Peer]
PublicKey = u8MYP4ObUBmaro5mSFojD6FJFC3ndaJFBgfx3XnvDCM=
AllowedIPs = 10.0.0.0/16, 192.168.0.0/16
Endpoint = vpn.example.com:51820
```
La valeur d'`AllowedIPs` signifie que des paquets en 10.0.0.0/16 et 192.168.0.0/16 vont arriver en provenance de Carol, et que les paquets vers ces même plages IP seront acheminés vers ce pair. On retrouve alors bien le fait que si Alice désire parler à Bob, elle ne le pourra le faire qu'en passant par Carol. Mais ce genre de besoin est rare en *roadwarrior*.
Dans un futur article j'aborderai la configuration d'une telle passerelle et les subtilités de routages VPN.
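Review bot: `AllowedIPs = 10.0.0.2/16` on Bob's peer, in Alice's second configuration and again in Carol's configuration, is a /16 where the text promises a single host, and it undoes the cryptokey routing the section is explaining: WireGuard treats `10.0.0.2/16` as the network `10.0.0.0/16`, so Carol would route every VPN address except Alice's more specific `10.0.0.1/32` to Bob and would accept packets from Bob carrying any of those source addresses. Both lines should read `AllowedIPs = 10.0.0.2/32`, as in the first pair of configurations. Two more points in the same hunk: Carol's `Address = 10.0.0.1/16` is the very address Carol allows for Alice (`AllowedIPs = 10.0.0.1/32`), and the diagram added in this commit gives Carol `10.0.0.3`, so `Address = 10.0.0.3/16` looks intended; and the remark that there is no field for a name or comment is contradicted by the hunk's own `[Peer] # Alice`, which `wg` and `wg-quick` accept because `#` starts a comment in their configuration files. Minor wording: "ressemble à celle d'une clef privée" should read "clef publique", "faîtes" should be "faites", "ta rubrique" should be "sa rubrique", "ne sais" should be "ne sait", "notament" should be "notamment", and "ne contiennent d'un seul pair" should be "ne contiennent qu'un seul pair".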