root@wg-srv:~# nano /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
root@wg-srv:~# su - tyla
tyla@wg-srv:~$ mkdir .ssh
tyla@wg-srv:~$ logout
root@wg-srv:~# cp .ssh/authorized_keys /home/tyla/.ssh/authorized_keys
root@wg-srv:~# cd /home/tyla/.ssh
root@wg-srv:/home/tyla/.ssh# chown tyla:tyla authorized_keys
root@wg-srv:/home/tyla/.ssh# ll
total 12
drwxrwxr-x 2 tyla tyla 4096 Feb  7 21:40 ./
drwxr-xr-x 4 tyla tyla 4096 Feb  7 21:40 ../
-rw------- 1 tyla tyla  389 Feb  7 21:40 authorized_keys
[review note: the .ssh directory above is group-writable (drwxrwxr-x); with the default StrictModes yes, sshd ignores an authorized_keys file that sits under a group- or world-writable directory, and because PasswordAuthentication is now no that would lock tyla out — run chmod 700 /home/tyla/.ssh before relying on key login]
root@wg-srv:/home/tyla/.ssh# systemctl restart sshd
root@wg-srv:/home/tyla/.ssh# systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-02-07 21:53:32 UTC; 7s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 2001 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 2013 (sshd)
      Tasks: 1 (limit: 1074)
     Memory: 1.4M
     CGroup: /system.slice/ssh.service
             └─2013 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Feb 07 21:53:31 wg-srv systemd[1]: Starting OpenBSD Secure Shell server...
Feb 07 21:53:32 wg-srv sshd[2013]: Server listening on 0.0.0.0 port 22.
Feb 07 21:53:32 wg-srv sshd[2013]: Server listening on :: port 22.
Feb 07 21:53:32 wg-srv systemd[1]: Started OpenBSD Secure Shell server.
Feb 07 21:53:37 wg-srv sshd[2014]: Unable to negotiate with 167.99.41.124 port 45520: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diff>
lines1-17/17 (END)
tyla@wg-srv:~$ sudo -i
[sudo] password for tyla: [Enter your sudoer password]
# Generating public and private keys under /etc/wireguard directory
root@wg-srv:~# cd /etc/wireguard/
root@wg-srv:~# wg genkey | tee privatekey | wg pubkey > publickey
# Creating wg0.conf file for WireGuard configuration
root@wg-srv:~# vi wg0.conf
# this section is for the local wg0 interface (server side)
[Interface]
# local wg0 interface IP address. No prefix length is given; wg-quick
# appears to add it as a host address and the route to the peer comes from
# AllowedIPs below — confirm with `ip addr` after `wg-quick up wg0`
Address = 10.1.10.1
# local wg server node's private key. The value below is the tutorial's
# sample; on a real deployment paste the contents of /etc/wireguard/privatekey
# written by `wg genkey` above, and keep wg0.conf readable by root only
# (chmod 600) because it contains this key
PrivateKey = cC6caA87hRNhOYYLFRawzWCOxMHEzzxJCJKibDasPng=
# default wg listen port (UDP; it must be allowed through the host firewall
# and any cloud security group in front of the server)
ListenPort = 51820
# wg0 up post action on iptables: allow forwarding into and out of wg0 and
# masquerade peer traffic behind the public interface (ens3 here; adjust to
# the interface name shown by `ip link`). Forwarding only works together
# with net.ipv4.ip_forward=1 in /etc/sysctl.conf (set later in this guide)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
# wg0 down post action on iptables: remove exactly the rules added in PostUp
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
# this section is for the remote peer's wg0 interface
[Peer]
# remote peer's wg public key (the contents of the peer's /etc/wireguard/publickey)
PublicKey = LEQj4f1sNfrF7c+7tjTFBQ8GJjL8gog+ozj4QFgYcn8=
# remote peer's wg0 interface IP address. AllowedIPs also acts as the
# source filter: packets decrypted from this peer are accepted only when
# their source is 10.1.10.2, and only that address is routed back to it
AllowedIPs = 10.1.10.2/32
# activate the wireguard wg0 interface
root@wg-srv:~# wg-quick up wg0
tyla@wg-cl-node:~$ sudo -i
[sudo] password for tyla: [Enter your sudoer password]
# Generating public and private keys under /etc/wireguard directory
root@wg-cl-node:~# cd /etc/wireguard/
root@wg-cl-node:~# wg genkey | tee privatekey | wg pubkey > publickey
# Creating wg0.conf file for WireGuard configuration
root@wg-cl-node:~# vi wg0.conf
# this section is for the local wg0 interface (client side)
[Interface]
# local wg0 interface ip address (must match AllowedIPs for this peer on the server)
Address = 10.1.10.2
# local wg client node's private key. The value below is the tutorial's
# sample; use the contents of /etc/wireguard/privatekey generated above and
# keep wg0.conf readable by root only (chmod 600) because it contains this key
PrivateKey = aCKXChbpzlvJtdOpnYLmc/fEGH+5W7Tx/ZveSqczYVA=
# this section is for the wireguard server node's wg0 interface
[Peer]
# wireguard server node's public key (the server's /etc/wireguard/publickey)
PublicKey = X8pnECl9ha2CX0JI7GsI1ygjRF4Mu1e+Lyira3EE4j0=
# wireguard server node's public ip address with port number 51820 (UDP)
Endpoint = 156.215.24.12:51820
# all IPv4 traffic is redirected through the wireguard server node. Note
# this covers IPv4 only: if the client has native IPv6 connectivity, that
# traffic bypasses the tunnel unless ::/0 is added here (and the server
# side is configured for IPv6 as well)
AllowedIPs = 0.0.0.0/0
# send a keepalive every 25 seconds so that the NAT / stateful-firewall
# mapping in front of this client stays open and the server can reach it
PersistentKeepalive = 25
# activate the wireguard wg0 interface
root@wg-cl-node:~# wg-quick up wg0
ကိုယ်က LAN မှာရှိတဲ့ device တွေကို remote access လုပ်ချင်ရင် ဒီအဆင့်က မလိုအပ်ပါဘူး။ ဒါမှမဟုတ်ပဲနဲ့ internet traffic ကိုပါ ကိုယ့် VPN server ကနေထွက်စေချင်ရင်တော့ အောက်ကအတိုင်း ip forwarding ကို ပြင်ပေးရပါလိမ့်မယ်။
root@wg-srv-node:~# nano /etc/sysctl.conf
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
# Changes here take effect after `sysctl -p` (or a reboot); the PostUp
# MASQUERADE rule in wg0.conf depends on the ip_forward setting below.
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
###################################################################
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
# Enabled for the WireGuard server: packets arriving on wg0 from peers
# (10.1.10.0/24 range in this guide) are routed out via ens3 instead of
# being dropped. This turns the host into a router, so the "we are not a
# router" remarks further down no longer describe this machine.
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
# NOTE(review): with forwarding on, review these with the host's new
# router role in mind (source-route and redirect handling in particular).
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
#kernel.sysrq=438
Line 30 မှာရှိတဲ့ net.ipv4.ip_forward=1 ဆိုတဲ့တခုကို uncomment လုပ်ပေးပြီးတော့ 1 လို့ ပြောင်းပေးလိုက်ပါ။
ကိုယ်က mobile phone မှာ Wireguard app ကို အသုံးပြုတဲအခါမှာ client side ဘက်က configuration တွေကိုကူးယူပြီးတော့ ထည့်ရတာ တော်တော်လေးလက်ဝင်ပါတယ်။ အထူးသဖြင့် public/private keys တွေကိုတစ်ခုချင်းစီရိုက်ထည့်ရတာ မလွယ်ပါဘူး။ အဲ့ဒီအတွက် ကိုယ်ရဲ့ Wireguard client configuration ကို QR Code အနေနဲ့ ပြောင်းပြီးတော့ mobile phone camera နဲ့ scan ဖတ်ပြီးတော့ configure လုပ်ရတာ ပိုပြီးတော့ အဆင်ပြေပါတယ်။ အောက်ကအတိုင်း လိုက်ပြီးတော့ install လုပ်၊ QR code ကို issue လုပ်လို့ ရပါတယ်။