20210924 (Fri) WireGuard VPN service using docker-compose

gusalstm 2021. 9. 24. 11:36

0. OS environment:

 1) Server: ubuntu20.04

 2) Client

   2-1) Linux: ubuntu20.04

   2-2) Windows: windows10

1. Build a VPN server so that a host on the public network can switch over to the corporate network through the VPN server and use the intranet.

※ WireGuard: open-source software, still under development, that provides a VPN service over UDP, uses key-based authentication for security and aims at better performance than IPsec and OpenVPN.

※ Provisioning the server with docker-compose and running it inside a container ensures isolation.

2. Server

 1) Install docker and docker-compose

====== Install docker and set up the user ======

user01@VPNserver:~/work$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
user01@VPNserver:~/work$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
user01@VPNserver:~/work$ sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli containerd.io
user01@VPNserver:~/work$ sudo curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
user01@VPNserver:~/work$ sudo usermod -aG docker $USER
user01@VPNserver:~/work$ sudo tail -n 5 /etc/group
lxd:x:132:user01
user01:x:1000:
sambashare:x:133:user01
systemd-coredump:x:999:
docker:x:998:user01
user01@VPNserver:~/work$ sudo chmod o+x /usr/local/bin/docker-compose
user01@VPNserver:~/work$ docker-compose version
docker-compose version 1.26.2, build eefe0d31
docker-py version: 4.2.2
CPython version: 3.7.7
OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019
user01@VPNserver:~/work$ sudo mkdir /opt/wireguard-server
user01@VPNserver:~/work$ sudo chown user01:user01 /opt/wireguard-server/

====== docker-compose provisioning ======
user01@VPNserver:/opt/wireguard-server$ cat docker-compose.yaml
---
version: "2.1"
services:
  wireguard:
    image: ghcr.io/linuxserver/wireguard  # container image address (linuxserver image on ghcr.io)
    container_name: wireguard             # container name
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000                         # uid and gid of user01
      - PGID=1000
      - TZ=Asia/Seoul
      - SERVERURL=192.168.56.39 #optional # server IP
      - SERVERPORT=51820 #optional        # default port = 51820
      - PEERS=1 #optional                 # number of peers that can connect
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
    volumes:
      - /opt/wireguard-server/config:/config  # config directory
      - /lib/modules:/lib/modules             # kernel module directory
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: always
user01@VPNserver:/opt/wireguard-server$ docker-compose up -d
user01@VPNserver:/opt/wireguard-server$ docker exec -ti wireguard wg
interface: wg0
  public key: v26GMk4fE3EM/x8LTVK4dhH3lCEu/h+mWikCCVBPN1k=
  private key: (hidden)
  listening port: 51820

peer: tsgiTcbJw72jVpKAHRD/c36prnu2Wfuq45IMs3zHRCQ=
  allowed ips: 10.13.13.2/32

# [Change PEERS from 1 to 3, re-provision and re-apply (--force-recreate)]
user01@VPNserver:/opt/wireguard-server$ docker-compose up -d --force-recreate
Recreating wireguard ... done
user01@VPNserver:/opt/wireguard-server$ docker exec -ti wireguard wg
interface: wg0
  public key: v26GMk4fE3EM/x8LTVK4dhH3lCEu/h+mWikCCVBPN1k=
  private key: (hidden)

  listening port: 51820

peer: tsgiTcbJw72jVpKAHRD/c36prnu2Wfuq45IMs3zHRCQ=
  allowed ips: 10.13.13.2/32

peer: gVgxGmFRwdUQLyb2YXVR+KmO4mWdTQ/ohfQRkSExhUo=
  allowed ips: 10.13.13.3/32

peer: 7U5YNDajkQwgyj8EcKn+RXhVo7AhLp1lqAqBswItsAg=
  allowed ips: 10.13.13.4/32
user01@VPNserver:/opt/wireguard-server$ cd config/peer1
(Create a work directory under user01's home directory on the client)
user01@VPNserver:/opt/wireguard-server/config/peer1$ scp peer1.conf user01@192.168.56.40:~/work/
user01@192.168.56.40's password:
peer1.conf                                                                            100%  246   340.4KB/s   00:00

====== Client ======
# Bringing up the peer1.conf received from the server (renamed to wg.conf) connects to the VPN
# command: wg-quick

user01@client:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal

user01@client:~$ mkdir work
user01@client:~$ cd work
user01@client:~/work$ sudo apt install wireguard resolvconf
user01@client:~/work$ sudo mv peer1.conf /etc/wireguard/wg.conf
user01@client:~/work$ wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.13.13.2 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
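As an added pre-flight check (not part of the original post), the script below validates a copied peer conf before `wg-quick up`: file name and mode, required keys and key format. It assumes the abridged conf layout the linuxserver image writes and uses a constructed placeholder private key; `interface_name` shows that `wg-quick up NAME` reads /etc/wireguard/NAME.conf, so the file name decides the interface name.

```python
import base64, os, re, tempfile
from configparser import ConfigParser

PLACEHOLDER_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed, not a real key
# Constructed sample, abridged to the layout the linuxserver image writes to config/peer1/peer1.conf;
# the server public key and endpoint are the ones shown in the session above.
SAMPLE_CONF = f"""[Interface]
Address = 10.13.13.2
PrivateKey = {PLACEHOLDER_KEY}
[Peer]
PublicKey = v26GMk4fE3EM/x8LTVK4dhH3lCEu/h+mWikCCVBPN1k=
Endpoint = 192.168.56.39:51820
AllowedIPs = 0.0.0.0/0
"""
REQUIRED = {"Interface": ("PrivateKey", "Address"), "Peer": ("PublicKey", "AllowedIPs", "Endpoint")}
IFNAME_RE = re.compile(r"^[a-zA-Z0-9_=+.-]{1,15}$")  # interface names wg-quick accepts

def interface_name(path):  # `wg-quick up NAME` reads /etc/wireguard/NAME.conf: the file name picks NAME
    base = os.path.basename(path)
    return base[:-5] if base.endswith(".conf") else None

def is_wg_key(value):  # canonical base64 of exactly 32 bytes (43 chars + one '=')
    return re.fullmatch(r"[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=", value) is not None

def check_peer_conf(path):
    """Return a list of problems; an empty list means the file is ready for wg-quick."""
    problems, name = [], interface_name(path)
    if name is None or not IFNAME_RE.match(name):
        problems.append(f"bad file name {os.path.basename(path)!r}: need NAME.conf with a valid interface NAME")
    if os.stat(path).st_mode & 0o077:
        problems.append("readable by group/other, but it holds the private key (chmod 600)")
    cp = ConfigParser(strict=False, interpolation=None)  # WireGuard allows repeated keys (AllowedIPs)
    cp.optionxform = str                                 # keep key case (PrivateKey, not privatekey)
    cp.read(path)
    for section, keys in REQUIRED.items():
        problems += [f"missing [{section}] {k}" for k in keys if not cp.has_option(section, k)]
    for section, key in (("Interface", "PrivateKey"), ("Peer", "PublicKey")):
        if cp.has_option(section, key) and not is_wg_key(cp.get(section, key)):
            problems.append(f"[{section}] {key} is not a 32-byte base64 key")
    return problems

def demo(filename="wg0.conf", mode=0o600):  # write the sample to a temp dir under that name/mode
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, filename)
        with open(path, "w") as f:
            f.write(SAMPLE_CONF)
        os.chmod(path, mode)
        return check_peer_conf(path)
```

Run `check_peer_conf("/etc/wireguard/wg0.conf")` on the real file (as root) before `wg-quick up wg0`; `demo()` exercises the same checks on the embedded sample.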

====== Check the result on the client ======

user01@client:~/work$ ip a
…omitted…
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.13.13.2/32 scope global wg0
       valid_lft forever preferred_lft forever
user01@client:~/work$ sudo wg
interface: wg0
  public key: tsgiTcbJw72jVpKAHRD/c36prnu2Wfuq45IMs3zHRCQ=
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: v26GMk4fE3EM/x8LTVK4dhH3lCEu/h+mWikCCVBPN1k=
  endpoint: 192.168.56.39:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 16 seconds ago
  transfer: 2.61 KiB received, 2.38 KiB sent


====== Check peer connections on the server ======
user01@VPNserver:/opt/wireguard-server/config/peer1$ docker exec -ti wireguard wg
interface: wg0
  public key: v26GMk4fE3EM/x8LTVK4dhH3lCEu/h+mWikCCVBPN1k=
  private key: (hidden)
  listening port: 51820

peer: tsgiTcbJw72jVpKAHRD/c36prnu2Wfuq45IMs3zHRCQ=
  endpoint: 192.168.56.40:51820
  allowed ips: 10.13.13.2/32
  latest handshake: 27 seconds ago
  transfer: 2.07 KiB received, 2.61 KiB sent

peer: gVgxGmFRwdUQLyb2YXVR+KmO4mWdTQ/ohfQRkSExhUo=
  allowed ips: 10.13.13.3/32

peer: 7U5YNDajkQwgyj8EcKn+RXhVo7AhLp1lqAqBswItsAg=
  allowed ips: 10.13.13.4/32
user01@VPNserver:/opt/wireguard-server/config/peer1$



====== Connecting from a Windows client ======

#1 URL: wireguard.com/install
#2 Download the Windows client and scp the peer2.conf file
#3 As on Linux, copy peer2.conf (wg.conf), import it in the client and activate

PS C:\Users\user> scp user01@192.168.56.39:/opt/wireguard-server/config/peer2/peer2.conf .
user01@192.168.56.39's password:
peer2.conf                                                                            100%  246   123.0KB/s   00:00

PS C:\Users\user> ipconfig

Windows IP Configuration


Unknown adapter wg0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.13.13.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

user01@VPNserver:~$ docker exec -ti wireguard wg
interface: wg0
  public key: v26GMk4fE3EM/x8LTVK4dhH3lCEu/h+mWikCCVBPN1k=
  private key: (hidden)
  listening port: 51820

peer: gVgxGmFRwdUQLyb2YXVR+KmO4mWdTQ/ohfQRkSExhUo=
  endpoint: 192.168.56.1:51820
  allowed ips: 10.13.13.3/32
  latest handshake: 24 seconds ago
  transfer: 28.65 KiB received, 2.93 KiB sent

peer: tsgiTcbJw72jVpKAHRD/c36prnu2Wfuq45IMs3zHRCQ=
  endpoint: 192.168.56.40:51820
  allowed ips: 10.13.13.2/32
  latest handshake: 2 minutes, 42 seconds ago
  transfer: 5.23 KiB received, 5.92 KiB sent

peer: 7U5YNDajkQwgyj8EcKn+RXhVo7AhLp1lqAqBswItsAg=
  allowed ips: 10.13.13.4/32
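To turn the `wg` output above into a peer connection report, here is an added example (not part of the original post) that parses the human-readable `wg show` format and classifies each peer by handshake age. The input is the server output shown above, embedded as a constructed string, and the 180-second threshold is an assumed value.

```python
import re
# Constructed input: the `docker exec -ti wireguard wg` output shown above, embedded so the
# script runs offline; in practice feed it the live output of `docker exec wireguard wg show wg0`.
WG_OUTPUT = """interface: wg0
  public key: v26GMk4fE3EM/x8LTVK4dhH3lCEu/h+mWikCCVBPN1k=
  private key: (hidden)
  listening port: 51820

peer: gVgxGmFRwdUQLyb2YXVR+KmO4mWdTQ/ohfQRkSExhUo=
  endpoint: 192.168.56.1:51820
  allowed ips: 10.13.13.3/32
  latest handshake: 24 seconds ago
  transfer: 28.65 KiB received, 2.93 KiB sent

peer: tsgiTcbJw72jVpKAHRD/c36prnu2Wfuq45IMs3zHRCQ=
  endpoint: 192.168.56.40:51820
  allowed ips: 10.13.13.2/32
  latest handshake: 2 minutes, 42 seconds ago
  transfer: 5.23 KiB received, 5.92 KiB sent

peer: 7U5YNDajkQwgyj8EcKn+RXhVo7AhLp1lqAqBswItsAg=
  allowed ips: 10.13.13.4/32
"""
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def handshake_age(text):  # '2 minutes, 42 seconds ago' -> 162
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+) (second|minute|hour|day)", text))

def parse_wg(output):  # one dict per 'peer:' block; handshake_age None means no handshake yet
    peers, cur = [], None
    for line in output.splitlines():
        if line.startswith("peer: "):
            cur = {"public_key": line[6:].strip(), "endpoint": None, "allowed_ips": None, "handshake_age": None}
            peers.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # split on the first ':' only; endpoints hold one too
            if key == "endpoint": cur["endpoint"] = val.strip()
            elif key == "allowed ips": cur["allowed_ips"] = val.strip()
            elif key == "latest handshake": cur["handshake_age"] = handshake_age(val)
    return peers

def peer_status(peers, max_age=180):
    # WireGuard re-handshakes about every 2 minutes while traffic flows; older than max_age (assumed) = idle/gone
    def label(p):
        age = p["handshake_age"]
        if age is None:
            return "never connected"
        return f"{'connected' if age <= max_age else 'stale'} ({age}s ago, endpoint {p['endpoint']})"
    return {p["allowed_ips"]: label(p) for p in peers}
```

`peer_status(parse_wg(WG_OUTPUT))` maps each peer's allowed IP to its state, which is what the "check peer connections on the server" step above reads off by eye; for scripting against a live server, `wg show wg0 dump` gives the same data in a tab-separated form with raw handshake timestamps.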

 

The WireGuard Windows client after launch: the file is loaded via Import tunnel(s) from file.

The wg0 tunnel after import: connect to the VPN server with the Activate button.

Connected screen