WireGuard Notes

Prerequisites

Recommended OS: Debian 10

Recommended kernel: Linux kernel 4.19+

Installation

Installing WireGuard on Debian 10

WireGuard is available from the Debian backports repository. To add that repository to your system, run:

echo 'deb http://ftp.debian.org/debian buster-backports main' | tee /etc/apt/sources.list.d/buster-backports.list

Once the repository is enabled, update the apt cache and install the WireGuard kernel module and tools:

apt update
apt install wireguard

Load the kernel module

modprobe wireguard
lsmod | grep wireguard

Generate the key pair

Generate a public/private key pair:

cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Create the file /etc/wireguard/wg0.conf and add the content below.

Put the private key in the PrivateKey field and the interface's private address in the Address field.

Configuration via a config file

[Interface]
PrivateKey = <Private Key>
Address = 10.0.0.1/24, fd86:ea04:1115::/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true

Configuration explained

PrivateKey: the server private key generated earlier
Address: the address of the interface
ListenPort: the UDP port WireGuard listens on for inbound connections. The default is 51820; the value set here must match the firewall rules you configure later.
PostUp and PostDown define the commands to run when the interface is brought up or down, respectively.
SaveConfig: peers added while the interface is up are written back to the configuration file automatically (wg-quick saves the running state when the interface is shut down).

Start WireGuard

wg-quick up wg0

wg-quick is a wrapper around many of wg's commonly used functions. Use wg-quick down wg0 to bring the wg0 interface down.

Enable the WireGuard service at boot

systemctl enable wg-quick@wg0

Check that it is running

wg show

Output:

user@debian:/# wg show
interface: wg0
  public key: Nrl2nVQxSwrKrvz6jQcrsziuVRPWT9N1Q8/yaQkAXUg=
  private key: (hidden)
  listening port: 51820

Configuration via the command line

# Create the interface, assign its address and bring it up
ip link add dev wg0 type wireguard
ip addr add 172.26.254.1/24 dev wg0
ip link set wg0 up mtu 1432
#
# Set the listening port and the private key
wg set wg0 listen-port 27626 private-key /etc/wireguard/privatekey
#
# Add a peer
wg set wg0 peer IgLgNKzbACcnFVAue4QUpGTq70LQDL0oaJHK+7ZtkA4= allowed-ips 172.29.254.3 persistent-keepalive 30 endpoint 1.1.1.1:5201

Note: configuration applied on the command line is lost after a reboot. To persist it, use wg-quick to write it to a configuration file:

# Create an (initially empty) config file named after the interface; wg-quick save requires it to exist
touch /etc/wireguard/wg0.conf
# Save the running configuration into it
wg-quick save wg0
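The two configuration methods above describe the same state. As an added example that is not part of the original notes, the Python script below renders the wg-quick style config from the values the command-line section passes to wg set, checks that every key is a 32-byte base64 value, and flags peer AllowedIPs that fall outside the interface subnet (as 172.29.254.3 does for an interface on 172.26.254.1/24). The private key is a constructed placeholder; the peer key, endpoint and addresses are the ones used above.

```python
# Added example (not from the original notes): build and sanity-check a wg0.conf.
import base64
import ipaddress

# Constructed placeholder private key (base64 of bytes 1..32); real ones come from `wg genkey`.
DEMO_PRIVATE_KEY = base64.b64encode(bytes(range(1, 33))).decode()
# Peer public key, endpoint, keepalive and allowed-ips as used in the page's `wg set` example.
DEMO_PEER = {"public_key": "IgLgNKzbACcnFVAue4QUpGTq70LQDL0oaJHK+7ZtkA4=",
             "allowed_ips": ["172.29.254.3/32"], "endpoint": "1.1.1.1:5201", "keepalive": 30}

def is_wg_key(key):
    """WireGuard keys are 32 bytes, so exactly 44 base64 characters ending in '='."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def render_config(private_key, address, listen_port, peers):
    """Produce the [Interface]/[Peer] text that wg-quick reads from /etc/wireguard/wg0.conf."""
    for k in [private_key] + [p["public_key"] for p in peers]:
        if not is_wg_key(k):
            raise ValueError(f"not a 32-byte base64 WireGuard key: {k}")
    lines = ["[Interface]", f"PrivateKey = {private_key}",
             f"Address = {address}", f"ListenPort = {listen_port}"]
    for p in peers:
        lines += ["", "[Peer]", f"PublicKey = {p['public_key']}",
                  f"AllowedIPs = {', '.join(p['allowed_ips'])}"]
        if "endpoint" in p:
            lines.append(f"Endpoint = {p['endpoint']}")
        if "keepalive" in p:
            lines.append(f"PersistentKeepalive = {p['keepalive']}")
    return "\n".join(lines) + "\n"

def wg_set_command(iface, peer):
    """The equivalent `wg set` line for one peer (the page's command-line method)."""
    extra = "".join(f" {opt} {peer[key]}" for opt, key in
                    (("persistent-keepalive", "keepalive"), ("endpoint", "endpoint")) if key in peer)
    return f"wg set {iface} peer {peer['public_key']} allowed-ips {','.join(peer['allowed_ips'])}" + extra

def allowed_ips_outside(address, peers):
    """Peer AllowedIPs not covered by the interface subnet(s): wg accepts them, but the page's
    `ip addr add` only routes that subnet into wg0, so they need an explicit route (wg-quick adds one)."""
    nets = [ipaddress.ip_network(a.strip(), strict=False) for a in address.split(",")]
    outside = []
    for p in peers:
        for a in p["allowed_ips"]:
            n = ipaddress.ip_network(a, strict=False)
            if not any(n.version == s.version and n.subnet_of(s) for s in nets):
                outside.append((p["public_key"], a))
    return outside
```

Run render_config on your own values and compare the result with wg showconf wg0 after applying the wg set commands; the two should agree.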

Command-line help

wg command help

root@debian10:~# wg -h
Usage: wg <cmd> [<args>]

Available subcommands:
  show: Shows the current configuration and device information
  showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'
  set: Change the current configuration, add peers, remove peers, or change peers
  setconf: Applies a configuration file to a WireGuard interface
  addconf: Appends a configuration file to a WireGuard interface
  syncconf: Synchronizes a configuration file to a WireGuard interface
  genkey: Generates a new private key and writes it to stdout
  genpsk: Generates a new preshared key and writes it to stdout
  pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass `--help' to any of these subcommands to view usage.

wg set command help

root@debian10:~# wg set -h
Usage: wg set <interface> [listen-port <port>] [fwmark <mark>] [private-key <file path>] [peer <base64 public key> [remove] [preshared-key <file path>] [endpoint <ip>:<port>] [persistent-keepalive <interval seconds>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...] ]...

wg-quick command help

root@debian10:~# wg-quick -h
Usage: wg-quick [ up | down | save | strip ] [ CONFIG_FILE | INTERFACE ]

  CONFIG_FILE is a configuration file, whose filename is the interface name
  followed by `.conf'. Otherwise, INTERFACE is an interface name, with
  configuration found at /etc/wireguard/INTERFACE.conf. It is to be readable
  by wg(8)'s `setconf' sub-command, with the exception of the following additions
  to the [Interface] section, which are handled by wg-quick:

  - Address: may be specified one or more times and contains one or more
    IP addresses (with an optional CIDR mask) to be set for the interface.
  - DNS: an optional DNS server to use while the device is up.
  - MTU: an optional MTU for the interface; if unspecified, auto-calculated.
  - Table: an optional routing table to which routes will be added; if
    unspecified or `auto', the default table is used. If `off', no routes
    are added.
  - PreUp, PostUp, PreDown, PostDown: script snippets which will be executed
    by bash(1) at the corresponding phases of the link, most commonly used
    to configure DNS. The string `%i' is expanded to INTERFACE.
  - SaveConfig: if set to `true', the configuration is saved from the current
    state of the interface upon shutdown.

See wg-quick(8) for more info and examples.