236 lines
8.5 KiB
HTML
236 lines
8.5 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="utf-8"/>
|
|
<title>Proxy reverso com WireGuard</title>
|
|
<meta name="author" content="Sergio Durigan Junior"/>
|
|
<meta name="description" content=""/>
|
|
<meta name="keywords" content=""/>
|
|
<style type="text/css">
|
|
.underline { text-decoration: underline; }
|
|
</style>
|
|
<link rel="stylesheet" href="reveal.js-master/dist/reveal.css"/>
|
|
|
|
<link rel="stylesheet" href="reveal.js-master/dist/theme/night.css" id="theme"/>
|
|
|
|
</head>
|
|
<body>
|
|
<div class="reveal">
|
|
<div class="slides">
|
|
<section id="sec-title-slide"><h2>Proxy reverso com WireGuard</h2><h6>Sergio Durigan Junior <<a href="mailto:sergiodj@debian.org">sergiodj@debian.org</a>></h6>
|
|
</section>
|
|
|
|
<section>
|
|
<section id="slide-org57a8a12">
|
|
<h2 id="org57a8a12"><span class="section-number-2">1.</span> WireGuard</h2>
|
|
<ul>
|
|
<li>Implementação de VPN moderna, simples e <b>rápida</b>.
|
|
<ul>
|
|
<li>Jason A. Donenfeld (<code>cgit</code>, <code>pass</code>, etc.), 2015.</li>
|
|
|
|
</ul></li>
|
|
<li>Remove bastante da complexidade de configurar uma VPN.</li>
|
|
<li>Estabelece apenas uma interface de rede.
|
|
<ul>
|
|
<li>Todo o resto é delegado para outras ferramentas (<code>ip</code>, <code>iptables</code>,
|
|
etc.)</li>
|
|
|
|
</ul></li>
|
|
|
|
</ul>
|
|
|
|
</section>
|
|
</section>
|
|
<section>
|
|
<section id="slide-org497ccb1">
|
|
<h2 id="org497ccb1"><span class="section-number-2">2.</span> Modo de usar</h2>
|
|
<ul>
|
|
<li>O conceito de servidor não é definido.</li>
|
|
<li>Geralmente usa-se o <code>wg-quick</code> (do pacote <code>wireguard-tools</code>).
|
|
<ul>
|
|
<li>Mas outras ferramentas suportam WireGuard: <code>systemd-networkd</code>,
|
|
<code>network-manager</code>.</li>
|
|
|
|
</ul></li>
|
|
<li>Gera-se um par de chaves (pense em <code>ssh</code>), distribui-se a chave
|
|
pública para os <i>peers</i>.</li>
|
|
<li>Arquivo de configuração (geralmente) fica em <code>/etc/wireguard/</code>
|
|
(nesse caso, há integração com o <code>wg-quick@.service</code>).</li>
|
|
|
|
</ul>
|
|
|
|
</section>
|
|
<section id="slide-org6f9b5ff">
|
|
<h3 id="org6f9b5ff"><span class="section-number-3">2.1.</span> Exemplo de configuração</h3>
|
|
<pre class="example" >
|
|
# cat /etc/wireguard/wg0.conf
|
|
[Interface]
|
|
PrivateKey = eJdSgoS7BZ/uWkuSREN+vhCJPPr3M3UlB3v1Su/amWk=
|
|
ListenPort = 51000
|
|
Address = 10.10.11.10/24
|
|
|
|
[Peer]
|
|
# office
|
|
PublicKey = xeWmdxiLjgebpcItF1ouRo0ntrgFekquRJZQO+vsQVs=
|
|
Endpoint = wg.example.com:51000
|
|
AllowedIPs = 10.10.11.0/24, 10.10.10.0/24
|
|
</pre>
|
|
|
|
</section>
|
|
<section id="slide-orgceb2589">
|
|
<h3 id="orgceb2589"><span class="section-number-3">2.2.</span> Habilitando a interface</h3>
|
|
<pre class="example" >
|
|
# wg-quick up wg0
|
|
[#] ip link add wg0 type wireguard
|
|
[#] wg setconf wg0 /dev/fd/63
|
|
[#] ip -4 address add 10.10.11.10/24 dev wg0
|
|
[#] ip link set mtu 1420 up dev wg0
|
|
[#] ip -4 route add 10.10.10.0/24 dev wg0
|
|
</pre>
|
|
|
|
</section>
|
|
</section>
|
|
<section>
|
|
<section id="slide-org1ad9583">
|
|
<h2 id="org1ad9583"><span class="section-number-2">3.</span> Exemplos de topologia de rede</h2>
|
|
<div class="outline-text-2" id="text-3">
|
|
</div>
|
|
</section>
|
|
<section id="slide-orgfff7f54">
|
|
<h3 id="orgfff7f54"><span class="section-number-3">3.1.</span> Wireguard no roteador</h3>
|
|
<pre class="example" >
|
|
internet ┌─── wg0 10.10.11.1/24
|
|
10.10.11.2/24 │ VPN network
|
|
home0│ xxxxxx ppp0 ┌───────┴┐
|
|
┌─┴──┐ xx xxxxx ──────┤ router │
|
|
│ ├─wlan0 xx xx └───┬────┘ home network, .home domain
|
|
│ │ xx x │.1 10.10.10.0/24
|
|
│ │ xxx xxx └───┬─────────┬─────────┐
|
|
└────┘ xxxxxx │ │ │
|
|
Laptop ┌─┴─┐ ┌─┴─┐ ┌─┴─┐
|
|
(Coffee shop) │ │ │ │ │ │
|
|
│pi4│ │NAS│ │...│
|
|
│ │ │ │ │ │
|
|
└───┘ └───┘ └───┘
|
|
</pre>
|
|
|
|
</section>
|
|
<section id="slide-orge9ad030">
|
|
<h3 id="orge9ad030"><span class="section-number-3">3.2.</span> WireGuard dentro da rede interna</h3>
|
|
<pre class="example" >
|
|
internet
|
|
10.10.10.3/24
|
|
home0│ xxxxxx ppp0 ┌────────┐
|
|
┌─┴──┐ xx xxxxx ──────┤ router │
|
|
│ ├─ppp0 xxx xx └───┬────┘ home network, .home domain
|
|
│ │ xx x │ 10.10.10.0/24
|
|
│ │ xxx xxx └───┬─────────┬─────────┐
|
|
└────┘ xxxxxx │ │ │
|
|
┌─┴─┐ ┌─┴─┐ ┌─┴─┐
|
|
wg0 ──┤ │ │ │ │ │
|
|
10.10.10.10/32 │pi4│ │NAS│ │...│
|
|
│ │ │ │ │ │
|
|
└───┘ └───┘ └───┘
|
|
Reservado para VPN:
|
|
10.10.10.2-9
|
|
</pre>
|
|
|
|
</section>
|
|
<section id="slide-org6d1a1fb">
|
|
<h3 id="org6d1a1fb"><span class="section-number-3">3.3.</span> WireGuard ponto-a-ponto (nosso caso)</h3>
|
|
<pre class="example" >
|
|
internet
|
|
10.20.30.2/32
|
|
home0│ xxxxxx ppp0 ┌────────┐
|
|
┌─┴──┐ xx xxxxx ──────┤ router │
|
|
│ ├─ppp0 xxx xx └───┬────┘ home network
|
|
│ │ xx x │ 10.10.10.0/24
|
|
│ │ xxx xxx └───┬
|
|
└────┘ xxxxxx │
|
|
┌─┴─────┐
|
|
wg0 ──┤ │
|
|
10.20.30.1/32 │Service│
|
|
│ │
|
|
└───────┘
|
|
</pre>
|
|
|
|
</section>
|
|
</section>
|
|
<section>
|
|
<section id="slide-org4f24033">
|
|
<h2 id="org4f24033"><span class="section-number-2">4.</span> Por que fazer (em casa)?</h2>
|
|
<ul>
|
|
<li>Controle sobre a localidade dos dados.</li>
|
|
<li>Controle da máquina onde o serviço está rodando.</li>
|
|
<li>Gasto menor com servidores.</li>
|
|
|
|
</ul>
|
|
|
|
</section>
|
|
</section>
|
|
<section>
|
|
<section id="slide-org15dc58e">
|
|
<h2 id="org15dc58e"><span class="section-number-2">5.</span> Por que <b>NÃO</b> fazer (em casa)?</h2>
|
|
<ul>
|
|
<li><b>Aumento da superfície de ataque à sua rede doméstica</b>.</li>
|
|
<li>Consumo de banda/dados.</li>
|
|
<li>Gasto com energia elétrica.</li>
|
|
<li>Menos <i>uptime</i>.</li>
|
|
|
|
</ul>
|
|
|
|
</section>
|
|
</section>
|
|
<section>
|
|
<section id="slide-org30e8f84">
|
|
<h2 id="org30e8f84"><span class="section-number-2">6.</span> Cuidados</h2>
|
|
<ul>
|
|
<li>Proteja sua rede interna!
|
|
<ul>
|
|
<li>Firewall, VLAN, fail2ban, etc.</li>
|
|
|
|
</ul></li>
|
|
<li>Isole o serviço!
|
|
<ul>
|
|
<li>VM, container, chroot, etc.</li>
|
|
|
|
</ul></li>
|
|
<li>Use SSL/TLS no proxy reverso.
|
|
<ul>
|
|
<li>Lembre-se que o servidor onde o proxy está rodando é o <i>SSL termination</i>!</li>
|
|
|
|
</ul></li>
|
|
|
|
</ul>
|
|
|
|
</section>
|
|
</section>
|
|
<section>
|
|
<section id="slide-org87a06bc">
|
|
<h2 id="org87a06bc"><span class="section-number-2">7.</span> Referências</h2>
|
|
<ul>
|
|
<li><a href="https://www.wireguard.com/">https://www.wireguard.com/</a></li>
|
|
<li><a href="https://ubuntu.com/server/docs/wireguard-vpn-introduction">https://ubuntu.com/server/docs/wireguard-vpn-introduction</a></li>
|
|
|
|
</ul>
|
|
</section>
|
|
</section>
|
|
</div>
|
|
</div>
|
|
<script src="reveal.js-master/dist/reveal.js"></script>
|
|
<script src="reveal.js-master/plugin/markdown/markdown.js"></script>
|
|
<script src="reveal.js-master/plugin/zoom/zoom.js"></script>
|
|
<script src="reveal.js-master/plugin/notes/notes.js"></script>
|
|
|
|
|
|
<script>
|
|
// Full list of configuration options available here:
|
|
// https://github.com/hakimel/reveal.js#configuration
|
|
Reveal.initialize({
|
|
plugins: [RevealMarkdown, RevealZoom, RevealNotes],
|
|
transition:'concave', slideNumber:"c/t", hash:true, center:true
|
|
});
|
|
|
|
</script>
|
|
</body>
|
|
</html>
|