笔记 | @sskaje

iOS 8/9 SDK

By @sskaje
Link: https://sskaje.me/2017/07/ios-89-sdk/

Xcode 8.3.3 自带的iPhone SDK不支持32位的armv7和armv7s了。想在越狱的iPhone 4s搞点小玩意儿，但是make时提示 -lcrt1.3.1.o 出错。所以研究了下怎么把老版本SDK安装上，最后发现还是只能从老版本的Xcode上提取。

Xcode 7.3.1是7系列最后一个版本，自带的SDK是 iPhoneOS9.3.sdk，Xcode 6.4是6系列最后一个版本，自带的SDK是 iPhone8.4.sdk。
提取时只需要把dmg里 Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs 下的目录copy到当前系统安装的Xcode的同一目录里，但是别用旧版本覆盖了新版本。

下载地址：https://dl.sskaje.me/ios-sdks/

下载执行

sudo tar -C /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/ -xvf iPhoneOS9.3.sdk.tar.gz

1	sudo tar -C /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/ -xvf iPhoneOS9.3.sdk.tar.gz

iOS 8/9 SDK by @sskaje: https://sskaje.me/2017/07/ios-89-sdk/

EdgeRouter 部署 WireGuard

By @sskaje
Link: https://sskaje.me/2017/06/deploy-wireguard-on-edgerouter/

安装

从 https://github.com/Lochnair/vyatta-wireguard/releases 下载对应的包
ERL, ER等 mips架构的，下载 octeon 版本
ERX 下载 ralink版本。

可以选择上传到路由上，或者ssh登录路由，sudo su到root，执行类似如下的命令

curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-octeon-0.0.20170612-2.deb -o wireguard-octeon-0.0.20170612-2.deb

1	curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-octeon-0.0.20170612-2.deb -o wireguard-octeon-0.0.20170612-2.deb

或

curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-ralink-0.0.20170612-2.deb -o wireguard-ralink-0.0.20170612-2.deb

1	curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-ralink-0.0.20170612-2.deb -o wireguard-ralink-0.0.20170612-2.deb

下载完成后

dpkg -i xxx.deb

1	dpkg -i xxx.deb

配置

执行下列命令生成私钥、共享密钥，公钥

wg genkey > /config/auth/wg.private
wg genpsk > /config/auth/wg.psk
chmod 0600 /config/auth/wg.*
wg pubkey < /config/auth/wg.private

wg genkey > /config/auth/wg.private

wg genpsk > /config/auth/wg.psk

chmod 0600 /config/auth/wg.*

wg pubkey < /config/auth/wg.private

将最后一个命令的输出复制下来，配置到服务器端

获取服务器端的公钥，替换下文的“公钥”并执行命令

configure
set interfaces wireguard wg0 address 192.168.10.40/24
set interfaces wireguard wg0 listen-port 本地端口
set interfaces wireguard wg0 peer 公钥 allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer 公钥 endpoint '服务器IP:端口'
set interfaces wireguard wg0 peer 公钥 preshared-key /config/auth/wg-eos.psk
set interfaces wireguard wg0 private-key /config/auth/wg.private
set interfaces wireguard wg0 route-allowed-ips false
commit
save

configure

set interfaces wireguard wg0 address 192.168.10.40/24

set interfaces wireguard wg0 listen-port 本地端口

set interfaces wireguard wg0 peer 公钥 allowed-ips 0.0.0.0/0

set interfaces wireguard wg0 peer 公钥 endpoint '服务器IP:端口'

set interfaces wireguard wg0 peer 公钥 preshared-key /config/auth/wg-eos.psk

set interfaces wireguard wg0 private-key /config/auth/wg.private

set interfaces wireguard wg0 route-allowed-ips false

commit

save

配置好设备后，配置nat服务

configure
set service nat rule 5032 outbound-interface wg0
set service nat rule 5032 type masquerade
commit 
save

configure

set service nat rule 5032 outbound-interface wg0

set service nat rule 5032 type masquerade

commit

save

剩下就是配置路由规则了，可以参考我的其他blog.

EdgeRouter 部署 WireGuard by @sskaje: https://sskaje.me/2017/06/deploy-wireguard-on-edgerouter/

Incoming search terms:

Ubuntu部署WireGuard

By @sskaje
Link: https://sskaje.me/2017/06/deploy-wireguard-on-ubuntu/

安装WireGuard

按照官方说明，可以使用下列命令装依赖，不够的自己看着装

apt-get install libmnl-dev linux-headers-$(uname -r) build-essential pkg-config

1	apt-get install libmnl-dev linux-headers-$(uname -r) build-essential pkg-config

直接从git里拉。

git clone https://git.zx2c4.com/WireGuard

1	git clone https://git.zx2c4.com/WireGuard

直接make就行

cd WireGuard/src
make
make install

cd WireGuard/src

make

make install

配置

参考前一篇文章“WireGuard wg-quick PostUp的高级玩法”，可以直接无视官方和其他各种第三方给的教程。

前文给了一个参考的配置。

[Interface]
Address = 192.168.10.1/24
MTU = 1500
PrivateKey = xxx
PostUp = echo -n "hello" > /dev/udp/192.168.1.1/80; echo -n "hello" > /dev/udp/192.168.2.1/80
 
[Peer]
PublicKey = xxx
AllowedIPs = 192.168.10.40/32, 192.168.1.0/24
Endpoint = 2.2.2.2:12345
 
[Peer]
PublicKey = xxx
AllowedIPs = 192.168.10.50/32, 192.168.2.0/24
Endpoint = 3.3.3.3:12345

[Interface]

Address = 192.168.10.1/24

MTU = 1500

PrivateKey = xxx

PostUp = echo -n "hello" > /dev/udp/192.168.1.1/80; echo -n "hello" > /dev/udp/192.168.2.1/80

[Peer]

PublicKey = xxx

AllowedIPs = 192.168.10.40/32, 192.168.1.0/24

Endpoint = 2.2.2.2:12345

[Peer]

PublicKey = xxx

AllowedIPs = 192.168.10.50/32, 192.168.2.0/24

Endpoint = 3.3.3.3:12345

按上述配置，假定的网络环境如下：
服务器：IP 1.1.1.1，WireGuard内网 IP 192.168.10.1，公网环境
节点1: IP 2.2.2.2，WireGuard内网 IP 192.168.10.40，LAN IP 192.168.1.0/24
节点2: IP 3.3.3.3，WireGuard内网 IP 192.168.10.50，LAN IP 192.168.2.0/24

此处，服务器、节点1、节点2均有公网IP。

如果节点IP不固定，或者是没有公网IP，那就改为如下配置

[Interface]
Address = 192.168.10.1/24
MTU = 1500
PrivateKey = xxx
ListenPort = 54321
 
[Peer]
PublicKey = xxx
AllowedIPs = 192.168.10.40/32, 192.168.1.0/24
 
[Peer]
PublicKey = xxx
AllowedIPs = 192.168.10.50/32, 192.168.2.0/24

[Interface]

Address = 192.168.10.1/24

MTU = 1500

PrivateKey = xxx

ListenPort = 54321

[Peer]

PublicKey = xxx

AllowedIPs = 192.168.10.40/32, 192.168.1.0/24

[Peer]

PublicKey = xxx

AllowedIPs = 192.168.10.50/32, 192.168.2.0/24

VPS上，将配置文件保存为 /etc/wireguard/wg0.conf，执行下列命令，启用Wireguard：

wg-quick up wg0

1	wg-quick up wg0

为了让网络正常工作，还需要在VPS的公网接口上启用NAT

iptables -F FORWARD
iptables -A FORWARD -j ACCEPT
 
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

iptables -F FORWARD

iptables -A FORWARD -j ACCEPT

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

修改 /etc/sysctl.conf，启用 ‘net.ipv4.ip_forward=1‘，然后执行 ‘sysctl -p‘

接下来是大招

You are not authorised to read all content in this post.

Please login…

Ubuntu部署WireGuard by @sskaje: https://sskaje.me/2017/06/deploy-wireguard-on-ubuntu/

WireGuard wg-quick PostUp的高级玩法

By @sskaje
Link: https://sskaje.me/2017/06/wireguard-wg-quick-postup%e7%9a%84%e9%ab%98%e7%ba%a7%e7%8e%a9%e6%b3%95/

真的很高级。

wg-quick是WireGuard用来启动网络设备的**脚本**。

注意了，迄今为止，wg-quick是用bash写的一个脚本，不知道未来会不会变，至少目前shebang是

!#/bin/bash

1	!#/bin/bash

Continue reading “WireGuard wg-quick PostUp的高级玩法” »

WireGuard wg-quick PostUp的高级玩法 by @sskaje: https://sskaje.me/2017/06/wireguard-wg-quick-postup%e7%9a%84%e9%ab%98%e7%ba%a7%e7%8e%a9%e6%b3%95/

EdgeRouter 策略路由实现分析

By @sskaje
Link: https://sskaje.me/2017/06/edgerouter-policy-based-routing-analysis/

最近家里的路由规则越来越复杂，而且越来越好用。正好昨天跟朋友讨论他的家用路由改造方案，所以研究了一下EdgeRouter的策略路由（Policy-based Routing，PBR）的实现。

我家里的路由是EdgeRouter Lite，固件1.9.1.1，这个实现跟固件关系不大。

首先，我们可以参考一下官方的文档：EdgeRouter – Policy-based routing (source address based)

Continue reading “EdgeRouter 策略路由实现分析” »

EdgeRouter 策略路由实现分析 by @sskaje: https://sskaje.me/2017/06/edgerouter-policy-based-routing-analysis/