WireGuard 配置
server-peer
# Server-side interface. Read by wg-quick: PostUp/PostDown lines are run as shell commands
# after the interface comes up / goes down, and %i expands to the interface name.
[Interface]
# Tunnel-side address of this server; the /24 is the whole VPN subnet
Address = 10.10.10.1/24
# Forwarding rules: accept traffic entering and leaving the tunnel interface and MASQUERADE
# (source-NAT) it out of eth0. Replace eth0 with the real uplink interface (ifconfig / ip link).
# NOTE(review): these rules accept *all* forwarded traffic to and from every peer; if peers
# should only reach specific networks, constrain them with -s/-d. On a host that runs firewalld,
# rules added directly with iptables are not managed by firewalld and may conflict with it or be
# lost on a reload — prefer firewall-cmd there (see the masquerade commands further down).
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Remove the same rules when the interface goes down (mirror of PostUp, -A -> -D)
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Fixed UDP listen port; the peer that initiates the connection uses it in its Endpoint
ListenPort = 10240
# This server's private key. It must stay secret: keep the config file root-owned with mode 0600
# (wg-quick warns when the file is world-readable), and treat any key that has been pasted into
# notes or documentation as exposed — regenerate it with `wg genkey`.
PrivateKey = 4OkitX1lqS4fuB44c0cE55K1rNka7CMh8BG3vs40LU0=
# Peer definition: the client
[Peer]
# The client's public key (the `wg pubkey` output for the client's PrivateKey)
PublicKey = qcCY+K//y5i4voD0hYtR4do9hyG722Ht4F1OBUQADzY=
# Important: AllowedIPs is both a routing rule and an ingress filter — packets destined for
# 10.10.10.2 are sent to this peer, and packets arriving from this peer whose source address
# is outside this list are dropped. Keep it as narrow as the peer actually needs.
# Accepts a comma-separated list, e.g. AllowedIPs = 10.10.10.2/32,192.168.2.0/24
AllowedIPs = 10.10.10.2/32
client-peer
# Client-side interface
[Interface]
# Tunnel address of this client, in the same /24 as the server
Address = 10.10.10.2/24
# This client's private key (keep the config file mode 0600).
# NOTE(review): the value shown is 32 characters, not the 44-character base64 string that
# `wg genkey` produces — it looks truncated or redacted and must be replaced with a real key.
PrivateKey = ELxkrRlutZYgWgIGnqf61nvUWPZuu0U=
# Peer definition: the server
[Peer]
# The server's public key (derived from the server's PrivateKey with `wg pubkey`).
# NOTE(review): also shorter than 44 characters — a placeholder; replace with the real value.
PublicKey = TSvjFnAIUoGi0t8OEk3hOuD/XI=
# IP address and port of the server to connect to (the port must match the server's ListenPort)
Endpoint = 192.168.0.1:10240
# Route the server's tunnel address and 172.19.47.0/24 (presumably a network behind the server)
# through the tunnel; the same list also filters which source addresses are accepted from the peer.
# NOTE(review): if this client sits behind NAT, a `PersistentKeepalive = 25` line is commonly
# needed so the server can still reach it after the NAT mapping expires — confirm for this setup.
AllowedIPs = 10.10.10.1/32,172.19.47.0/24
密钥生成
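# Generate a key pair: `wg genkey` prints the private key, tee writes it to wg-prikey and
# passes it on to `wg pubkey`, which derives the public key into wg-pubkey.
# umask 077 makes both new files readable by the owner only; without it the private key file is
# created under the default umask (typically world-readable). The parentheses keep the umask
# change local to this command.
(umask 077; wg genkey | tee wg-prikey | wg pubkey > wg-pubkey)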
开启IP地址转发
# Show the current (runtime) IPv4 forwarding setting: 1 = enabled, 0 = disabled
sysctl net.ipv4.ip_forward
如果显示net.ipv4.ip_forward = 1则说明已开启IP地址转发,显示net.ipv4.ip_forward = 0则说明没有开启IP地址转发。
修改/etc/sysctl.conf
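# Persist the settings in a dedicated drop-in instead of appending to /etc/sysctl.conf:
# `>>` adds a duplicate line every time these commands are re-run, and an existing `= 0` line
# would never be corrected. Overwriting the drop-in with `>` is idempotent, and files under
# /etc/sysctl.d are applied at boot on systemd-based systems.
# net.ipv4.conf.all.proxy_arp is kept from the original notes, but it makes the host answer ARP
# for every address it has a route to, on every interface. With the MASQUERADE rules in the
# server config it is not required; if it is needed, prefer scoping it to one interface
# (e.g. net.ipv4.conf.eth0.proxy_arp) rather than `all`.
printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv4.conf.all.proxy_arp = 1' > /etc/sysctl.d/99-wireguard.conf
# Apply the file now
sysctl -p /etc/sysctl.d/99-wireguard.conf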
设置IP地址伪装
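# Enable masquerading (source NAT for forwarded traffic) in firewalld's default zone.
# Without --permanent the change is runtime-only and disappears on `firewall-cmd --reload`
# or reboot; firewalld keeps runtime and permanent configuration separately, so both commands
# are needed for a setting that should survive. Add --zone=<zone> if the uplink is not in the
# default zone.
firewall-cmd --add-masquerade
firewall-cmd --permanent --add-masquerade
# Check whether masquerading is currently enabled (prints yes/no)
firewall-cmd --query-masquerade
# Disable masquerading (run again with --permanent to drop the persisted setting as well)
firewall-cmd --remove-masquerade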