References
https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
https://www.vultr.com/docs/how-to-install-wireguard-vpn-server-on-rocky-linux
https://www.linode.com/docs/guides/centos-wireguard-installation-and-configuration/
1. Server installation
# dnf install elrepo-release epel-release
# dnf install kmod-wireguard wireguard-tools
2. Generate key pairs
# wg genkey | tee /etc/wireguard/server.pri
uNnY4UPjDcIToFfTB4Lt6gGmXVKRFwPwgWsVKe3G60w=
# cat /etc/wireguard/server.pri | wg pubkey | tee /etc/wireguard/server.pub
1T9UAnFbMGq+dA6VLUNLTz/mIWpPdpc7dvAjZ7c/+mQ=
# wg genkey | tee /etc/wireguard/client.pri
4IeTpQFqCmKO3ggqdvLOeM+i0aKqDrt48LvQNozJX1k=
# cat /etc/wireguard/client.pri | wg pubkey | tee /etc/wireguard/client.pub
yZFuuK7u0/Yrtotgs/keq2tmogbCA0c+btolxo2tmDQ=
# chmod 600 /etc/wireguard/server.* /etc/wireguard/client.*
3. Server configuration file
# cat > /etc/wireguard/wg0.conf << EOF
[Interface]
# Server private key
PrivateKey = uNnY4UPjDcIToFfTB4Lt6gGmXVKRFwPwgWsVKe3G60w=
# VPN-internal address used by the server
Address = 10.8.0.1
# Server UDP port
ListenPort = 61820
# Firewall forwarding rules: [wg0] is the VPN interface name, [eth0] is the VPS's physical interface name
PostUp = firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE; firewall-cmd --add-port=61820/udp
PostDown = firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE; firewall-cmd --remove-port=61820/udp
[Peer]
# Client public key
PublicKey = yZFuuK7u0/Yrtotgs/keq2tmogbCA0c+btolxo2tmDQ=
# VPN-internal addresses of the client
AllowedIPs = 10.8.0.2, 10.8.0.3
EOF
4. Enable IP forwarding on the server
# cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1
EOF
# sysctl -p
5. Start the service
# systemctl enable wg-quick@wg0 && systemctl restart wg-quick@wg0
# wg
interface: wg0
public key: 1T9UAnFbMGq+dA6VLUNLTz/mIWpPdpc7dvAjZ7c/+mQ=
private key: (hidden)
listening port: 61820
peer: yZFuuK7u0/Yrtotgs/keq2tmogbCA0c+btolxo2tmDQ=
allowed ips: 10.8.0.2/32, 10.8.0.3/32
6. Client (Ubuntu) installation
sudo apt-get install wireguard
7. Client configuration file
$ sudo tee /etc/wireguard/wg0.conf > /dev/null << EOF
[Interface]
# Client private key
PrivateKey = 4IeTpQFqCmKO3ggqdvLOeM+i0aKqDrt48LvQNozJX1k=
# VPN-internal address of the client
Address = 10.8.0.2/32
[Peer]
# Server public key
PublicKey = 1T9UAnFbMGq+dA6VLUNLTz/mIWpPdpc7dvAjZ7c/+mQ=
# Server-side addresses: a single address, a subnet, or 0.0.0.0/0, which sends all traffic through the VPN (you know what that is for)
AllowedIPs = 10.8.0.0/24
# If the client has no public address of its own (it is behind a firewall or router NAT), it must contact the server every 25 seconds
PersistentKeepalive = 25
# Public address and port of the server
Endpoint = xxx.xxx.xxx.xxx:61820
EOF
8. Bring up the connection on the client
$ sudo wg-quick up wg0
$ sudo wg
interface: wg0
public key: yZFuuK7u0/Yrtotgs/keq2tmogbCA0c+btolxo2tmDQ=
private key: (hidden)
listening port: 53579
peer: 1T9UAnFbMGq+dA6VLUNLTz/mIWpPdpc7dvAjZ7c/+mQ=
endpoint: xxx.xxx.xxx.xxx:61820
allowed ips: 10.8.0.1/32
$ sudo wg-quick down wg0
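As an added consistency check that is not part of the original post: the script below re-derives each public key from its private key (the X25519 base-point multiplication that `wg pubkey` performs, implemented here from RFC 7748) and cross-checks the server and client wg0.conf for the usual mismatches: a peer PublicKey that does not belong to the other side's PrivateKey, a client Address outside the server's AllowedIPs for that peer, or a server Address the client does not route into the tunnel. The two configs are embedded as constructed sample input using the keys and addresses shown on this page; the parser and the problem messages are this example's own.

```python
import base64, ipaddress
P = 2**255 - 19  # Curve25519 field prime

def x25519_base(scalar: bytes) -> bytes:  # RFC 7748 X25519 with base point u=9: what `wg pubkey` computes
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64  # clamp the scalar
    k, x2, z2, x3, z3, swap = int.from_bytes(k, "little"), 1, 0, 9, 1, 0
    for t in range(254, -1, -1):  # Montgomery ladder, one step per scalar bit
        kt = (k >> t) & 1
        if swap ^ kt: x2, x3, z2, z3 = x3, x2, z3, z2
        a, b, swap = (x2 + z2) % P, (x2 - z2) % P, kt
        aa, bb, da, cb = a * a % P, b * b % P, (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, 9 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    return ((x3 if swap else x2) * pow(z3 if swap else z2, P - 2, P) % P).to_bytes(32, "little")  # final cswap

def wg_pubkey(private_b64: str) -> str:  # same output as `wg pubkey`
    return base64.b64encode(x25519_base(base64.b64decode(private_b64))).decode()

def parse_wg(text: str) -> dict:  # minimal wg-quick INI parser; keys lower-cased (wg matches them case-insensitively)
    conf, cur = {"Interface": {}, "Peer": []}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            cur = conf["Interface"] if line == "[Interface]" else {}
            if line == "[Peer]": conf["Peer"].append(cur)
        elif line:
            key, _, val = line.partition("=")
            cur[key.strip().lower()] = val.strip()
    return conf

def check_pair(server_conf: str, client_conf: str) -> list:  # cross-check one client against the server
    s, c = parse_wg(server_conf), parse_wg(client_conf)
    s_addr, c_addr = (ipaddress.ip_interface(x["Interface"]["address"]).ip for x in (s, c))
    c_peer, c_pub, problems = c["Peer"][0], wg_pubkey(c["Interface"]["privatekey"]), []
    if c_peer["publickey"] != wg_pubkey(s["Interface"]["privatekey"]):
        problems.append("client [Peer] PublicKey does not belong to the server's PrivateKey")
    s_peer = next((p for p in s["Peer"] if p["publickey"] == c_pub), None)
    if s_peer is None:
        problems.append("server has no [Peer] whose PublicKey belongs to the client's PrivateKey")
    elif not any(c_addr in ipaddress.ip_network(a.strip()) for a in s_peer["allowedips"].split(",")):
        problems.append("client Address is outside that peer's AllowedIPs on the server")
    if not any(s_addr in ipaddress.ip_network(a.strip()) for a in c_peer["allowedips"].split(",")):
        problems.append("server Address is outside the client's AllowedIPs, so it is not routed via wg0")
    return problems

# The two wg0.conf files from this page with their comments stripped (constructed sample input).
SERVER_CONF = ("[Interface]\nPrivateKey = uNnY4UPjDcIToFfTB4Lt6gGmXVKRFwPwgWsVKe3G60w=\nAddress = 10.8.0.1\n"
               "[Peer]\nPublicKey = yZFuuK7u0/Yrtotgs/keq2tmogbCA0c+btolxo2tmDQ=\nAllowedIPs = 10.8.0.2, 10.8.0.3\n")
CLIENT_CONF = ("[Interface]\nPrivateKey = 4IeTpQFqCmKO3ggqdvLOeM+i0aKqDrt48LvQNozJX1k=\nAddress = 10.8.0.2/32\n[Peer]\n"
               "PublicKey = 1T9UAnFbMGq+dA6VLUNLTz/mIWpPdpc7dvAjZ7c/+mQ=\nAllowedIPs = 10.8.0.0/24\n"
               "PersistentKeepalive = 25\nEndpoint = xxx.xxx.xxx.xxx:61820\n")
```

`check_pair(SERVER_CONF, CLIENT_CONF)` returns an empty list when the two files agree; run it against the real files before `wg-quick up` and every message it returns is a handshake that would silently never complete.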
Tags:
wireguard