Introduction
WireGuard is an easy-to-configure, fast and secure open-source VPN that uses state-of-the-art cryptography.
Its goal is to be a faster, simpler and leaner general-purpose VPN that deploys just as easily on low-end devices such as a Raspberry Pi as on high-end servers.
This article describes how to deploy WireGuard on a VPS.
Installation
CentOS 7
```shell
# Standard kernel: install the prebuilt kernel module from ELRepo
$ yum install epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
$ yum install yum-plugin-elrepo
$ yum install kmod-wireguard wireguard-tools
# If you run a non-standard kernel, install the DKMS package instead
$ yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
$ yum install wireguard-dkms wireguard-tools
```
CentOS 8
```shell
# ELRepo release package for EL8
$ sudo yum install epel-release https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
$ sudo yum install yum-plugin-elrepo
$ sudo yum install kmod-wireguard wireguard-tools
```
Ubuntu
```shell
# Ubuntu ≥ 18.04: available from the main repositories
$ apt install wireguard
# Ubuntu ≤ 16.04: use the WireGuard PPA
$ add-apt-repository ppa:wireguard/wireguard
$ apt-get update
$ apt-get install wireguard
```
Windows
https://download.wireguard.com/windows-client/wireguard-amd64-0.1.1.msi
macOS
```shell
$ brew install wireguard-tools
```
Configuration
Preparation
Enable IP forwarding so the server can route traffic for its peers:
```shell
$ echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
$ echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf
$ sysctl -p /etc/sysctl.conf
```
Firewall rules (the VPN subnet in the NAT rule must match the Address in wg0.conf):
```shell
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# let peers reach each other through the server; if your FORWARD policy is DROP,
# you must also accept NEW connections from wg0 towards the uplink interface
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
# replace eth0 with the name of the network interface you actually use;
# the -s subnet is the one assigned as Address in wg0.conf (192.168.8.0/24 here)
iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -o eth0 -j MASQUERADE
```
Edit the configuration
Server
```shell
$ cd /etc/wireguard
$ umask 077   # keys and config files are created readable by root only
```
```shell
# generate the private and public key
$ wg genkey | tee privatekey | wg pubkey > publickey
# generate a preshared key (one per peer)
$ wg genpsk > presharedkey
# write the server configuration file
$ vim /etc/wireguard/wg0.conf
```
Server configuration file (cat /etc/wireguard/wg0.conf):
```ini
[Interface]
Address = 192.168.8.1/24
# replace eth0 with the interface you actually use
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# note: this is a UDP port; open it in the VPS firewall / security group
ListenPort = 51820
PrivateKey = <server private key>
[Peer]
PublicKey = <client public key>
PresharedKey = <preshared key>
AllowedIPs = 192.168.8.10/32
```
Commands to bring the wg interface up and down:
```shell
wg-quick up wg0
wg-quick down wg0
```
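As an added check (example code, not from the original post), the following Python script parses a server wg0.conf in the layout above and reports leftover placeholder keys, peers whose AllowedIPs fall outside the Address subnet, and AllowedIPs claimed by more than one peer. The sample config and its dummy key are constructed here, and the road-warrior assumption (every peer lives inside the Address subnet) is this example's own.

```python
import base64
import ipaddress
def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); '#' comments are stripped, as wg-quick does."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(current := {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return interface, peers
def valid_key(value):
    try:  # private, public and preshared keys are exactly 32 bytes, base64-encoded
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass: not base64 at all
        return False
def check_server_conf(text):
    """Return a list of problems; an empty list means the config looks sane."""
    iface, peers = parse_wg_conf(text)
    problems = []
    if not valid_key(iface.get("PrivateKey", "")):
        problems.append("Interface PrivateKey is missing or still a placeholder")
    subnet = ipaddress.ip_interface(iface["Address"]).network  # KeyError/ValueError: Address missing or bad
    seen = []  # (peer number, network) pairs claimed by earlier peers
    for n, peer in enumerate(peers, 1):
        if not valid_key(peer.get("PublicKey", "")):
            problems.append(f"peer {n}: PublicKey missing or still a placeholder")
        for cidr in filter(None, (c.strip() for c in peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != subnet.version or not net.subnet_of(subnet):
                problems.append(f"peer {n}: {net} is outside {subnet}")  # assumption: peers sit inside Address's subnet
            # An AllowedIP belongs to exactly one peer; the peer configured last silently takes it over.
            problems += [f"peer {n}: {net} overlaps peer {m}'s {other}" for m, other in seen if net.overlaps(other)]
            seen.append((n, net))
    return problems

# Constructed sample in the post's layout; DUMMY_KEY is a dummy 32-byte value, not a real key.
DUMMY_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_CONF = f"""[Interface]
Address = 192.168.8.1/24
ListenPort = 51820  # UDP
PrivateKey = {DUMMY_KEY}
[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 192.168.8.10/32
"""
```

Run `check_server_conf(open("/etc/wireguard/wg0.conf").read())` on the server to check the real file.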
Client
Windows
Create a new .conf file with the following contents:
```ini
[Interface]
PrivateKey = <client private key>
Address = 192.168.8.10/32
DNS = 114.114.114.114
[Peer]
PublicKey = <server public key>
PresharedKey = <preshared key>
# 0.0.0.0/0 routes all of the client's traffic through the tunnel
AllowedIPs = 0.0.0.0/0
Endpoint = <server IP>:<server port>
PersistentKeepalive = 30
```
Acknowledgements