root@wg-srv:~# nano /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#
# NOTE(review): sshd keeps the FIRST value it reads for each keyword, and this
# Include is processed before everything below. Any drop-in under
# /etc/ssh/sshd_config.d/ that sets e.g. PasswordAuthentication or
# PermitRootLogin therefore wins over this file. Check the effective result
# with `sshd -T | grep -iE 'passwordauthentication|permitrootlogin'`.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
# The built-in defaults already refuse SHA-1 key exchange; a client that
# offers only diffie-hellman-*-sha1 is logged as "no matching key exchange
# method found" and dropped. Do not re-enable legacy algorithms to satisfy
# such clients.
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
# Root never logs in directly over SSH; administration goes through an
# unprivileged account plus sudo.
PermitRootLogin no
# StrictModes defaults to yes: sshd refuses a user's authorized_keys when the
# home directory, ~/.ssh or the file itself is group- or world-writable
# ("bad ownership or modes" in the auth log). A `mkdir .ssh` under the usual
# 002 umask yields drwxrwxr-x, which is rejected — run
# `chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys` for the user.
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
# Key-only logins. Install and test the user's public key from a second,
# still-open session before restarting sshd, or you can lock yourself out.
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
# Also off, so the PAM keyboard-interactive path cannot reintroduce password
# prompts. Newer OpenSSH releases spell this KbdInteractiveAuthentication and
# keep the old name as an alias.
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# Kept for PAM account/session handling only; with the two 'no' settings
# above PAM performs no authentication.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
# NOTE(review): X11 forwarding is not needed on a headless VPN server and
# exposes the connecting client's display to this host; `no` is the safer
# value unless it is actually used.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
# MOTD printing is left to PAM (pam_motd) on Debian-derived systems —
# presumably why it is disabled here.
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
# Keep this list narrow: anything accepted here lands in the session
# environment under the client's control.
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
root@wg-srv:~# su - tyla
tyla@wg-srv:~$ mkdir .ssh
tyla@wg-srv:~$ logout
root@wg-srv:~# cp .ssh/authorized_keys /home/tyla/.ssh/authorized_keys
root@wg-srv:~# cd /home/tyla/.ssh
root@wg-srv:/home/tyla/.ssh# chown tyla:tyla authorized_keys
root@wg-srv:/home/tyla/.ssh# ll
total 12
drwxrwxr-x 2 tyla tyla 4096 Feb 7 21:40 ./
drwxr-xr-x 4 tyla tyla 4096 Feb 7 21:40 ../
-rw------- 1 tyla tyla 389 Feb 7 21:40 authorized_keys
root@wg-srv:/home/tyla/.ssh# systemctl restart sshd
root@wg-srv:/home/tyla/.ssh# systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-02-07 21:53:32 UTC; 7s ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 2001 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 2013 (sshd)
Tasks: 1 (limit: 1074)
Memory: 1.4M
CGroup: /system.slice/ssh.service
└─2013 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
Feb 07 21:53:31 wg-srv systemd[1]: Starting OpenBSD Secure Shell server...
Feb 07 21:53:32 wg-srv sshd[2013]: Server listening on 0.0.0.0 port 22.
Feb 07 21:53:32 wg-srv sshd[2013]: Server listening on :: port 22.
Feb 07 21:53:32 wg-srv systemd[1]: Started OpenBSD Secure Shell server.
Feb 07 21:53:37 wg-srv sshd[2014]: Unable to negotiate with 167.99.41.124 port 45520: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diff>
lines 1-17/17 (END)
tyla@wg-srv:~$ sudo -i
[sudo] password for tyla: [Enter your sudoer password]
# Generating public and private keys under /etc/wireguard directory
root@wg-srv:~# cd /etc/wireguard/
root@wg-srv:~# wg genkey | tee privatekey | wg pubkey > publickey
# Creating wg0.conf file for WireGuard configuration
root@wg-srv:~# vi wg0.conf
# [Interface] — this host's own wg0 settings
[Interface]
# Tunnel address of wg0. No prefix length is given, so ip(8) presumably
# installs it as /32; peers are reached via the per-peer AllowedIPs routes
# that wg-quick adds.
Address = 10.1.10.1
# This host's private key.
# NOTE(review): this value has appeared in a published tutorial and must be
# treated as compromised — never reuse it. Generate a fresh one with
# `wg genkey`, and run `umask 077` first: the plain
# `wg genkey | tee privatekey` above creates the file with the default umask,
# i.e. world-readable. wg-quick also warns when wg0.conf itself is world
# accessible; keep it (and privatekey) at mode 0600.
PrivateKey = cC6caA87hRNhOYYLFRawzWCOxMHEzzxJCJKibDasPng=
# UDP port the server listens on (WireGuard's conventional port).
ListenPort = 51820
# Runs when wg0 comes up: allow forwarding to and from wg0 and NAT peer
# traffic out of the uplink. `ens3` must be this server's real uplink name
# (`ip route show default`), and net.ipv4.ip_forward must be 1 or nothing is
# forwarded. These rules accept every forwarded packet for every peer —
# tighten them if clients should only reach specific networks.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
# Mirror of PostUp with -D so the rules are removed when wg0 goes down.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
# [Peer] — one block per client
[Peer]
# The client's public key (its `publickey` file); the client's private key
# never leaves the client.
PublicKey = LEQj4f1sNfrF7c+7tjTFBQ8GJjL8gog+ozj4QFgYcn8=
# Source addresses accepted from, and routed to, this peer. Keep it a /32 so
# one client cannot use another client's tunnel address.
AllowedIPs = 10.1.10.2/32
# activate the wireguard wg0 interface
root@wg-srv:~# wg-quick up wg0
tyla@wg-cl-node:~$ sudo -i
[sudo] password for tyla: [Enter your sudoer password]
# Generating public and private keys under /etc/wireguard directory
root@wg-cl-node:~# cd /etc/wireguard/
root@wg-cl-node:~# wg genkey | tee privatekey | wg pubkey > publickey
# Creating wg0.conf file for WireGuard configuration
root@wg-cl-node:~# vi wg0.conf
# [Interface] — this client's wg0 settings
[Interface]
# Client tunnel address (no prefix length; presumably installed as /32).
Address = 10.1.10.2
# This client's private key.
# NOTE(review): published in the tutorial, so compromised — regenerate with
# `wg genkey` under `umask 077` and keep the file at mode 0600.
PrivateKey = aCKXChbpzlvJtdOpnYLmc/fEGH+5W7Tx/ZveSqczYVA=
# There is no `DNS =` line: name resolution keeps using the client's existing
# resolver outside the tunnel even though all other traffic is tunnelled. Add
# `DNS = <resolver reachable through the tunnel>` if DNS should follow it.
# [Peer] — the server
[Peer]
# The server's public key (its `publickey` file). Each side's PublicKey must
# correspond to the other side's PrivateKey.
PublicKey = X8pnECl9ha2CX0JI7GsI1ygjRF4Mu1e+Lyira3EE4j0=
# The server's public address and its ListenPort.
Endpoint = 156.215.24.12:51820
# Full tunnel: every IPv4 destination is routed through the server (wg-quick
# installs the default route via policy routing). Requires ip_forward=1 and
# the MASQUERADE rule on the server side.
AllowedIPs = 0.0.0.0/0
# Send a keepalive every 25 s so a NAT/stateful-firewall mapping between this
# client and the server stays open; useful when the client sits behind NAT and
# has no ListenPort of its own.
PersistentKeepalive = 25
# activate the wireguard wg0 interface
root@wg-cl-node:~# wg-quick up wg0
ကိုယ်က LAN မှာရှိတဲ့ device တွေကို remote access လုပ်ချင်ရင် ဒီအဆင့်က မလိုအပ်ပါဘူး။ ဒါမှမဟုတ်ပဲနဲ့ internet traffic ကိုပါ ကိုယ့် VPN server ကနေထွက်စေချင်ရင်တော့ အောက်ကအတိုင်း ip forwarding ကို ပြင်ပေးရပါလိမ့်မယ်။
root@wg-srv-node:~# nano /etc/sysctl.conf
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
# Worth reviewing once forwarding is on below: the host then routes between
# wg0 and its uplink, so source-address checks matter more than on a plain
# end host.
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
# Required so the WireGuard server forwards peer traffic to its uplink;
# wg-quick does not enable this itself. This file is applied at boot — for
# the running kernel use `sysctl -p /etc/sysctl.conf` or
# `sysctl -w net.ipv4.ip_forward=1`. This also makes the host a router for
# anything that can reach it, which is why the iptables FORWARD rules in
# wg0.conf should be reviewed.
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
# Left off: the tunnel as configured carries IPv4 only (AllowedIPs 0.0.0.0/0).
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
# NOTE(review): with ip_forward=1 above this host IS a router; the "we are
# not a router" rationale no longer applies, but disabling outbound
# redirects is still reasonable for a VPN gateway.
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
#kernel.sysrq=438
Line 30 မှာရှိတဲ့ net.ipv4.ip_forward=1 ဆိုတဲ့တခုကို uncomment လုပ်ပေးပြီးတော့ 1 လို့ ပြောင်းပေးလိုက်ပါ။
ကိုယ်က mobile phone မှာ Wireguard app ကို အသုံးပြုတဲအခါမှာ client side ဘက်က configuration တွေကိုကူးယူပြီးတော့ ထည့်ရတာ တော်တော်လေးလက်ဝင်ပါတယ်။ အထူးသဖြင့် public/private keys တွေကိုတစ်ခုချင်းစီရိုက်ထည့်ရတာ မလွယ်ပါဘူး။ အဲ့ဒီအတွက် ကိုယ်ရဲ့ Wireguard client configuration ကို QR Code အနေနဲ့ ပြောင်းပြီးတော့ mobile phone camera နဲ့ scan ဖတ်ပြီးတော့ configure လုပ်ရတာ ပိုပြီးတော့ အဆင်ပြေပါတယ်။ အောက်ကအတိုင်း လိုက်ပြီးတော့ install လုပ်၊ QR code ကို issue လုပ်လို့ ရပါတယ်။