Wiretrustee支持NAT穿透,如果NAT穿透失败还可以回退到使用TURN服务器来连接。
下面我演示一下如何用Wiretrustee将你的设备连接到一起(组网)
演示环境有三台机器:openSUSE15.3/Debian10/Windows10。
openSUSE用来搭建TURN服务和Wiretrustee信号服务同时用作客户端,其他两台机器仅客户端。
首先搭建STUN/TURN服务,在openSUSE上安装coturn:
sudo zypper in coturn
编辑coturn的配置文件:
sudo nano /etc/coturn/turnserver.conf
去掉如下配置的注释并进行相应的修改:
listening-port=3478 listening-ip=0.0.0.0 min-port=49152 max-port=65535 verbose fingerprint lt-cred-mech user=imlala:password // 设置你的账号和密码 realm=turn.233.fi // 设置你的域名
启动coturn并查看运行状态:
sudo systemctl enable --now coturn.service sudo systemctl status coturn.service
打开如下网址测试你搭建的TURN服务是否可用:
https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
配置格式:
STUN or TURN URI: turn:turn.233.fi:3478 TURN username: imlala TURN password: password
如有类似下图的回显说明正常:
现在安装Wiretrustee:
sudo zypper in https://github.com/wiretrustee/wiretrustee/releases/download/v0.0.8/wiretrustee_0.0.8_linux_amd64.rpm
现在配置Wiretrustee信号服务,安装supervisor用于守护Wiretrustee信号服务的进程:
sudo zypper in supervisor
新建一个supervisor配置文件:
sudo nano /etc/supervisord.d/signal.conf
写入如下配置:
[program:signal] command=/usr/local/bin/wiretrustee signal --log-level INFO user=imlala autostart=true autorestart=true
更新supervisor配置:
sudo supervisorctl update
注意:信号服务默认监听10000端口,建议解析一个域名用于访问。
现在需要配置一下openSUSE防火墙,开的端口太多了,所以我这里直接允许所有流量:
sudo firewall-cmd --set-default-zone=trusted sudo firewall-cmd --reload
现在初始化Wiretrustee:
sudo wiretrustee init \ --stunURLs stun:stun.233.fi:3478,stun:stun.l.google.com:19302 \ --turnURLs imlala:password@turn:turn.233.fi:3478 \ --signalAddr signal.233.fi:10000 \ --wgLocalAddr 10.30.30.1/24 \ --log-level info
会回显给你一个公钥,复制保存下载,这是后续建立peer所需的。
重启Wiretrustee并设置开机自启:
sudo systemctl restart wiretrustee.service sudo systemctl enable wiretrustee.service
查看是否有一个wiretrustee0的接口:
ip a
如果正常的话,会有类似如下回显:
53: wiretrustee0:mtu 1280 qdisc fq state UNKNOWN group default qlen 500 link/none inet 10.30.30.1/24 brd 10.30.30.255 scope global wiretrustee0 valid_lft forever preferred_lft forever inet6 fe80::56f4:26fd:768f:3b6e/64 scope link stable-privacy valid_lft forever preferred_lft forever
至此openSUSE上的配置就全部完成了。接下来配置Debian10的客户端。
为保证最佳的性能,这里使用内核自带的WireGuard模块。Debian10默认的4.19内核是没有内置WireGuard模块的,所以这里安装一个新内核。
编辑源配置文件:
apt edit-sources
添加buster-backports源:
deb http://deb.debian.org/debian buster-backports main
更新源信息/安装新内核/重启:
apt -y update apt install -t buster-backports linux-image-amd64 reboot
查看内核版本:
uname -a
正常回显如下,可以看到是5.10的内核了:
Linux imlala 5.10.0-0.bpo.7-amd64 #1 SMP Debian 5.10.40-1~bpo10+1 (2021-06-04) x86_64 GNU/Linux
WireGuard模块默认是没有加载的,需要手动加载:
modprobe wireguard
验证模块是否正常工作:
lsmod | grep wireguard
如果正常会有类似回显:
wireguard 94208 0 libchacha20poly1305 16384 1 wireguard ip6_udp_tunnel 16384 1 wireguard udp_tunnel 20480 1 wireguard libblake2s 16384 1 wireguard curve25519_x86_64 49152 1 wireguard libcurve25519_generic 49152 2 curve25519_x86_64,wireguard
下载并安装Wiretrustee:
wget https://github.com/wiretrustee/wiretrustee/releases/download/v0.0.8/wiretrustee_0.0.8_linux_amd64.deb dpkg -i wiretrustee_0.0.8_linux_amd64.deb
初始化Wiretrustee:
wiretrustee init \ --stunURLs stun:stun.233.fi:3478,stun:stun.l.google.com:19302 \ --turnURLs imlala:password@turn:turn.233.fi:3478 \ --signalAddr signal.233.fi:10000 \ --wgLocalAddr 10.30.30.2/24 \ --log-level info
这里需要注意的是同一个网络内,每台机器的IP地址必须是不同的,比如我之前openSUSE上配置的IP是10.30.30.1,那么这里就配置成10.30.30.2。
然后还需要交换密钥才能建立连接,首先在这台Debian10上执行如下命令:
wiretrustee add-peer --allowedIPs 10.30.30.1/32 --key 'openSUSE机器的公钥'
重启Wiretrustee生效:
systemctl restart wiretrustee.service
openSUSE这边也需要同样的操作:
sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key 'Debian机器的公钥'
重启Wiretrustee生效:
sudo systemctl restart wiretrustee.service
至此openSUSE和Debian的连接就建立好了,接下来配置Windows10的客户端。
首先在这里下载Windows的客户端:
https://github.com/wiretrustee/wiretrustee/releases/download/v0.0.8/wiretrustee_0.0.8_windows_amd64.tar.gz
用管理员身份打开PowerShell,假设你把文件解压到如下目录:
cd D:\wiretrustee
安装为服务:
.\wiretrustee.exe service install
初始化Wiretrustee:
.\wiretrustee.exe init ` --stunURLs stun:stun.233.fi:3478,stun:stun.l.google.com:19302 ` --turnURLs imlala:password@turn:turn.233.fi:3478 ` --signalAddr signal.233.fi:10000 ` --wgLocalAddr 10.30.30.3/24 ` --log-level info
与openSUSE和Debian交换密钥:
.\wiretrustee.exe add-peer --allowedIPs 10.30.30.1/32 --key 'openSUSE机器的公钥' .\wiretrustee.exe add-peer --allowedIPs 10.30.30.2/32 --key 'Debian机器的公钥'
启动服务:
.\wiretrustee.exe service start
同样的openSUSE也需要相同的操作:
sudo wiretrustee add-peer --allowedIPs 10.30.30.3/32 --key 'Windows机器的公钥'
重启生效:
sudo systemctl restart wiretrustee.service
Debian也一样:
wiretrustee add-peer --allowedIPs 10.30.30.3/32 --key 'Windows机器的公钥'
重启生效:
systemctl restart wiretrustee.service
最后简单测试一下,实际上我是4台机器,文章内少配置了1台,因为步骤都是一样的,可以看到我4台机器都是可以PING通的。
--------------------
Connect your devices into a single secure private WireGuard®-based mesh network.
https://wiretrustee.com/
Wiretrustee
A WireGuard®-based mesh network that connects your devices into a single private network.
Why using Wiretrustee?
- Connect multiple devices to each other via a secure peer-to-peer Wireguard VPN tunnel. At home, the office, or anywhere else.
- No need to open ports and expose public IPs on the device.
- Automatically reconnects in case of network failures or switches.
- Automatic NAT traversal.
- Relay server fallback in case of an unsuccessful peer-to-peer connection.
- Private key never leaves your device.
- Works on ARM devices (e.g. Raspberry Pi).
A bit on Wiretrustee internals
- Wiretrustee uses WebRTC ICE implemented in pion/ice library to discover connection candidates when establishing a peer-to-peer connection between devices.
- A connection session negotiation between peers is achieved with the Wiretrustee Signalling server signal
- Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them. The routing of the messages on a Signalling server is based on public Wireguard keys.
- Occasionally, the NAT-traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT). For that matter, there is support for a relay server fallback (TURN) and a secure Wireguard tunnel is established via TURN server. Coturn is the one that has been successfully used for STUN and TURN in Wiretrustee setups.
What Wiretrustee is not doing:
- Wireguard key management. In consequence, you need to generate peer keys and specify them on Wiretrustee initialization step. This feature is on the roadmap.
- Peer address management. You have to specify a unique peer local address (e.g. 10.30.30.1/24) when configuring Wiretrustee. This feature is on the roadmap.
Product Roadmap
Client Installation
Linux
- Checkout Wiretrustee releases
- Download the latest release (Switch VERSION to the latest):
Debian packages
wget https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_linux_amd64.deb
- Install the package
sudo dpkg -i wiretrustee_<VERSION>_linux_amd64.deb
Fedora/Centos packages
wget https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_linux_amd64.rpm
- Install the package
sudo rpm -i wiretrustee_<VERSION>_linux_amd64.rpm
MACOS
- Checkout Wiretrustee releases
- Download the latest release (Switch VERSION to the latest):
curl -o ./wiretrustee_<VERSION>_darwin_amd64.tar.gz https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_darwin_amd64.tar.gz
- Decompress
tar xcf ./wiretrustee_<VERSION>_darwin_amd64.tar.gz
sudo mv wiretrusee /usr/local/bin/wiretrustee
chmod +x /usr/local/bin/wiretrustee
After that you may need to add /usr/local/bin in your MAC's PATH environment variable:
export PATH=$PATH:/usr/local/bin
Windows
- Checkout Wiretrustee releases
- Download the latest Windows release
wiretrustee_<VERSION>_windows_amd64.tar.gz
(Switch VERSION to the latest): - Decompress and move to a more fixed path in your system
- Open Powershell
- For Windows systems, we can use the service command to configure Wiretrustee as a service by running the following commands in Powershell:
cd C:\path\to\wiretrustee\bin
.\wiretrustee.exe service --help
.\wiretrustee.exe service install # This will prompt for administrator permissions in order to install a new service
You may need to run Powershell as Administrator
- After installing you can follow the Client Configuration steps.
- To uninstall the service simple run the command above with the uninstall flag:
.\wiretrustee.exe service uninstall
Client Configuration
- Initialize Wiretrustee:
For Unix systems:
sudo wiretrustee init \
--stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 \
--turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468 \
--signalAddr signal.wiretrustee.com:10000 \
--wgLocalAddr 10.30.30.1/24 \
--log-level info
For Windows systems:
.\wiretrustee.exe init `
--stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 `
--turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468 `
--signalAddr signal.wiretrustee.com:10000 `
--wgLocalAddr 10.30.30.1/24 `
--log-level info
It is important to mention that the wgLocalAddr
parameter has to be unique across your network. E.g. if you have Peer A with wgLocalAddr=10.30.30.1/24
then another Peer B can have wgLocalAddr=10.30.30.2/24
If for some reason, you already have a generated Wireguard key, you can specify it with the --wgKey
parameter. If not specified, then a new one will be generated, and its corresponding public key will be output to the log. A new config will be generated and stored under /etc/wiretrustee/config.json
- Add a peer to connect to.
For Unix systems:
sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'
For Windows systems:
.\wiretrustee.exe add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'
- Restart Wiretrustee to reload changes For MACOS you will just start the service:
sudo wiretrustee up --log-level info
# or
sudo wiretrustee up --log-level info & # to run it in background
For Linux systems:
sudo systemctl restart wiretrustee.service
sudo systemctl status wiretrustee.service
For Windows systems:
.\wiretrustee.exe service start
You may need to run Powershell as Administrator
Running the Signal service
After installing the application, you can run the signal using the command below:
/usr/local/bin/wiretrustee signal --log-level INFO
This will launch the Signal server on port 10000, in case you want to change the port, use the flag --port.
Docker image
We have packed the Signal server into docker image. You can pull the image from Docker Hub and execute it with the following commands:
docker pull wiretrustee/wiretrustee:signal-latest
docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest
The default log-level is set to INFO, if you need you can change it using by updating the docker cmd as followed:
docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest --log-level DEBUG
Running Signal and Coturn
Under infrastructure_files we have a docker-compose example to run both, Wiretrustee Signal server and an instance of Coturn, it also provides a turnserver.conf file as a simple example of Coturn configuration. You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to proper credentials.
The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#Running the Signal service) and the Coturn official documentation here.
Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges.
Also, if you have an SSL certificate you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow Certbot's official documentation to generate one from Let’s Encrypt, or, we found that the example provided by BigBlueButton covers the basics to configure Coturn with Let's Encrypt certs.
Simple docker-composer execution:
cd infrastructure_files
docker-compose up -d
You can check logs by running:
cd infrastructure_files
docker-compose logs signal
docker-compose logs coturn
If you need to stop the services, run the following:
cd infrastructure_files
docker-compose down
from https://github.com/wiretrustee/wiretrustee
No comments:
Post a Comment