Pages

Wednesday, 21 July 2021

Wiretrustee:一个基于WireGuard的Mesh Network(用来组网)

 Wiretrustee支持NAT穿透,如果NAT穿透失败还可以回退到使用TURN服务器来连接。

下面我演示一下如何用Wiretrustee将你的设备连接到一起(组网)

演示环境有三台机器:openSUSE15.3/Debian10/Windows10。

openSUSE用来搭建TURN服务和Wiretrustee信号服务同时用作客户端,其他两台机器仅客户端。

首先搭建STUN/TURN服务,在openSUSE上安装coturn:

sudo zypper in coturn

编辑coturn的配置文件:

sudo nano /etc/coturn/turnserver.conf

去掉如下配置的注释并进行相应的修改:

listening-port=3478
listening-ip=0.0.0.0
min-port=49152
max-port=65535
verbose
fingerprint
lt-cred-mech
user=imlala:password // 设置你的账号和密码
realm=turn.233.fi // 设置你的域名

启动coturn并查看运行状态:

sudo systemctl enable --now coturn.service
sudo systemctl status coturn.service

打开如下网址测试你搭建的TURN服务是否可用:

https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/

配置格式:

STUN or TURN URI: turn:turn.233.fi:3478
TURN username: imlala
TURN password: password

如有类似下图的回显说明正常:


现在安装Wiretrustee:

sudo zypper in https://github.com/wiretrustee/wiretrustee/releases/download/v0.0.8/wiretrustee_0.0.8_linux_amd64.rpm

现在配置Wiretrustee信号服务,安装supervisor用于守护Wiretrustee信号服务的进程:

sudo zypper in supervisor

新建一个supervisor配置文件:

sudo nano /etc/supervisord.d/signal.conf

写入如下配置:

[program:signal]
command=/usr/local/bin/wiretrustee signal --log-level INFO
user=imlala
autostart=true
autorestart=true

更新supervisor配置:

sudo supervisorctl update

注意:信号服务默认监听10000端口,建议解析一个域名用于访问。

现在需要配置一下openSUSE防火墙,开的端口太多了,所以我这里直接允许所有流量:

sudo firewall-cmd --set-default-zone=trusted
sudo firewall-cmd --reload

现在初始化Wiretrustee:

sudo wiretrustee init \
 --stunURLs stun:stun.233.fi:3478,stun:stun.l.google.com:19302 \
 --turnURLs imlala:password@turn:turn.233.fi:3478  \
 --signalAddr signal.233.fi:10000  \
 --wgLocalAddr 10.30.30.1/24  \
 --log-level info

会回显给你一个公钥,复制保存下载,这是后续建立peer所需的。

重启Wiretrustee并设置开机自启:

sudo systemctl restart wiretrustee.service
sudo systemctl enable wiretrustee.service

查看是否有一个wiretrustee0的接口:

ip a

如果正常的话,会有类似如下回显:

53: wiretrustee0:  mtu 1280 qdisc fq state UNKNOWN group default qlen 500
    link/none 
    inet 10.30.30.1/24 brd 10.30.30.255 scope global wiretrustee0
       valid_lft forever preferred_lft forever
    inet6 fe80::56f4:26fd:768f:3b6e/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

至此openSUSE上的配置就全部完成了。接下来配置Debian10的客户端。

为保证最佳的性能,这里使用内核自带的WireGuard模块。Debian10默认的4.19内核是没有内置WireGuard模块的,所以这里安装一个新内核。

编辑源配置文件:

apt edit-sources

添加buster-backports源:

deb http://deb.debian.org/debian buster-backports main

更新源信息/安装新内核/重启:

apt -y update
apt install -t buster-backports linux-image-amd64
reboot

查看内核版本:

uname -a

正常回显如下,可以看到是5.10的内核了:

Linux imlala 5.10.0-0.bpo.7-amd64 #1 SMP Debian 5.10.40-1~bpo10+1 (2021-06-04) x86_64 GNU/Linux

WireGuard模块默认是没有加载的,需要手动加载:

modprobe wireguard

验证模块是否正常工作:

lsmod | grep wireguard

如果正常会有类似回显:

wireguard              94208  0
libchacha20poly1305    16384  1 wireguard
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             20480  1 wireguard
libblake2s             16384  1 wireguard
curve25519_x86_64      49152  1 wireguard
libcurve25519_generic    49152  2 curve25519_x86_64,wireguard

下载并安装Wiretrustee:

wget https://github.com/wiretrustee/wiretrustee/releases/download/v0.0.8/wiretrustee_0.0.8_linux_amd64.deb
dpkg -i wiretrustee_0.0.8_linux_amd64.deb

初始化Wiretrustee:

wiretrustee init \
 --stunURLs stun:stun.233.fi:3478,stun:stun.l.google.com:19302 \
 --turnURLs imlala:password@turn:turn.233.fi:3478  \
 --signalAddr signal.233.fi:10000  \
 --wgLocalAddr 10.30.30.2/24  \
 --log-level info

这里需要注意的是同一个网络内,每台机器的IP地址必须是不同的,比如我之前openSUSE上配置的IP是10.30.30.1,那么这里就配置成10.30.30.2。

然后还需要交换密钥才能建立连接,首先在这台Debian10上执行如下命令:

wiretrustee add-peer --allowedIPs 10.30.30.1/32 --key 'openSUSE机器的公钥'

重启Wiretrustee生效:

systemctl restart wiretrustee.service

openSUSE这边也需要同样的操作:

sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key 'Debian机器的公钥'

重启Wiretrustee生效:

sudo systemctl restart wiretrustee.service

至此openSUSE和Debian的连接就建立好了,接下来配置Windows10的客户端。

首先在这里下载Windows的客户端:

https://github.com/wiretrustee/wiretrustee/releases/download/v0.0.8/wiretrustee_0.0.8_windows_amd64.tar.gz

用管理员身份打开PowerShell,假设你把文件解压到如下目录:

cd D:\wiretrustee

安装为服务:

.\wiretrustee.exe service install

初始化Wiretrustee:

.\wiretrustee.exe init `
 --stunURLs stun:stun.233.fi:3478,stun:stun.l.google.com:19302 `
 --turnURLs imlala:password@turn:turn.233.fi:3478  `
 --signalAddr signal.233.fi:10000  `
 --wgLocalAddr 10.30.30.3/24  `
 --log-level info

与openSUSE和Debian交换密钥:

.\wiretrustee.exe add-peer --allowedIPs 10.30.30.1/32 --key 'openSUSE机器的公钥'
.\wiretrustee.exe add-peer --allowedIPs 10.30.30.2/32 --key 'Debian机器的公钥'

启动服务:

.\wiretrustee.exe service start

同样的openSUSE也需要相同的操作:

sudo wiretrustee add-peer --allowedIPs 10.30.30.3/32 --key 'Windows机器的公钥'

重启生效:

sudo systemctl restart wiretrustee.service

Debian也一样:

wiretrustee add-peer --allowedIPs 10.30.30.3/32 --key 'Windows机器的公钥'

重启生效:

systemctl restart wiretrustee.service

最后简单测试一下,实际上我是4台机器,文章内少配置了1台,因为步骤都是一样的,可以看到我4台机器都是可以PING通的。

--------------------

Connect your devices into a single secure private WireGuard®-based mesh network.

https://wiretrustee.com/

Wiretrustee

A WireGuard®-based mesh network that connects your devices into a single private network.

Why using Wiretrustee?

  • Connect multiple devices to each other via a secure peer-to-peer Wireguard VPN tunnel. At home, the office, or anywhere else.
  • No need to open ports and expose public IPs on the device.
  • Automatically reconnects in case of network failures or switches.
  • Automatic NAT traversal.
  • Relay server fallback in case of an unsuccessful peer-to-peer connection.
  • Private key never leaves your device.
  • Works on ARM devices (e.g. Raspberry Pi).

A bit on Wiretrustee internals

  • Wiretrustee uses WebRTC ICE implemented in pion/ice library to discover connection candidates when establishing a peer-to-peer connection between devices.
  • A connection session negotiation between peers is achieved with the Wiretrustee Signalling server signal
  • Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them. The routing of the messages on a Signalling server is based on public Wireguard keys.
  • Occasionally, the NAT-traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT). For that matter, there is support for a relay server fallback (TURN) and a secure Wireguard tunnel is established via TURN server. Coturn is the one that has been successfully used for STUN and TURN in Wiretrustee setups.

What Wiretrustee is not doing:

  • Wireguard key management. In consequence, you need to generate peer keys and specify them on Wiretrustee initialization step. This feature is on the roadmap.
  • Peer address management. You have to specify a unique peer local address (e.g. 10.30.30.1/24) when configuring Wiretrustee. This feature is on the roadmap.

Product Roadmap

Client Installation

Linux

  1. Checkout Wiretrustee releases
  2. Download the latest release (Switch VERSION to the latest):

Debian packages

wget https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_linux_amd64.deb
  1. Install the package
sudo dpkg -i wiretrustee_<VERSION>_linux_amd64.deb

Fedora/Centos packages

wget https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_linux_amd64.rpm
  1. Install the package
sudo rpm -i wiretrustee_<VERSION>_linux_amd64.rpm

MACOS

  1. Checkout Wiretrustee releases
  2. Download the latest release (Switch VERSION to the latest):
curl -o ./wiretrustee_<VERSION>_darwin_amd64.tar.gz https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_darwin_amd64.tar.gz
  1. Decompress
tar xcf ./wiretrustee_<VERSION>_darwin_amd64.tar.gz
sudo mv wiretrusee /usr/local/bin/wiretrustee
chmod +x /usr/local/bin/wiretrustee

After that you may need to add /usr/local/bin in your MAC's PATH environment variable:

export PATH=$PATH:/usr/local/bin

Windows

  1. Checkout Wiretrustee releases
  2. Download the latest Windows release wiretrustee_<VERSION>_windows_amd64.tar.gz (Switch VERSION to the latest):
  3. Decompress and move to a more fixed path in your system
  4. Open Powershell
  5. For Windows systems, we can use the service command to configure Wiretrustee as a service by running the following commands in Powershell:
cd C:\path\to\wiretrustee\bin
.\wiretrustee.exe service --help
.\wiretrustee.exe service install # This will prompt for administrator permissions in order to install a new service

You may need to run Powershell as Administrator

  1. After installing you can follow the Client Configuration steps.
  2. To uninstall the service simple run the command above with the uninstall flag:
.\wiretrustee.exe service uninstall

Client Configuration

  1. Initialize Wiretrustee:

For Unix systems:

sudo wiretrustee init \
 --stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 \
 --turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468  \
 --signalAddr signal.wiretrustee.com:10000  \
 --wgLocalAddr 10.30.30.1/24  \
 --log-level info

For Windows systems:

.\wiretrustee.exe init `
 --stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 `
 --turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468  `
 --signalAddr signal.wiretrustee.com:10000  `
 --wgLocalAddr 10.30.30.1/24  `
 --log-level info

It is important to mention that the wgLocalAddr parameter has to be unique across your network. E.g. if you have Peer A with wgLocalAddr=10.30.30.1/24 then another Peer B can have wgLocalAddr=10.30.30.2/24

If for some reason, you already have a generated Wireguard key, you can specify it with the --wgKey parameter. If not specified, then a new one will be generated, and its corresponding public key will be output to the log. A new config will be generated and stored under /etc/wiretrustee/config.json

  1. Add a peer to connect to.

For Unix systems:

sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'

For Windows systems:

.\wiretrustee.exe add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'
  1. Restart Wiretrustee to reload changes For MACOS you will just start the service:
sudo wiretrustee up --log-level info 
# or
sudo wiretrustee up --log-level info & # to run it in background

For Linux systems:

sudo systemctl restart wiretrustee.service
sudo systemctl status wiretrustee.service 

For Windows systems:

.\wiretrustee.exe service start

You may need to run Powershell as Administrator

Running the Signal service

After installing the application, you can run the signal using the command below:

/usr/local/bin/wiretrustee signal --log-level INFO

This will launch the Signal server on port 10000, in case you want to change the port, use the flag --port.

Docker image

We have packed the Signal server into docker image. You can pull the image from Docker Hub and execute it with the following commands:

docker pull wiretrustee/wiretrustee:signal-latest
docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest

The default log-level is set to INFO, if you need you can change it using by updating the docker cmd as followed:

docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest --log-level DEBUG

Running Signal and Coturn

Under infrastructure_files we have a docker-compose example to run both, Wiretrustee Signal server and an instance of Coturn, it also provides a turnserver.conf file as a simple example of Coturn configuration. You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to proper credentials.

The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#Running the Signal service) and the Coturn official documentation here.

Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges.

Also, if you have an SSL certificate you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow Certbot's official documentation to generate one from Let’s Encrypt, or, we found that the example provided by BigBlueButton covers the basics to configure Coturn with Let's Encrypt certs.

Simple docker-composer execution:

cd infrastructure_files
docker-compose up -d

You can check logs by running:

cd infrastructure_files
docker-compose logs signal
docker-compose logs coturn

If you need to stop the services, run the following:

cd infrastructure_files
docker-compose down
from https://github.com/wiretrustee/wiretrustee




No comments:

Post a Comment