ubuntu 22.04 部署 wireguard
查看系统信息
查看route
# ip route
default via 172.16.18.1 dev eth0 proto static
172.16.18.0/24 dev eth0 proto kernel scope link src 172.16.18.54
查看路由表
# ip route list table main default
default via 172.16.18.1 dev eth0 proto static
查看IP地址
# ip -brief address show eth0
eth0 UP 172.16.18.54/24 fe80::5054:ff:fed7:b031/64
查看DNS
# resolvectl dns eth0
Link 2 (eth0): 10.42.255.1 10.42.255.2 114.114.114.114
安装 wireguard
# apt -y install wireguard resolvconf
生成密钥
生成服务器密钥
# wg genkey | tee server_privatekey | wg pubkey > server_publickey
生成客户端密钥
# wg genkey | tee client01_privatekey | wg pubkey > client01_publickey
配置 WireGuard
wg0.conf
# vim /etc/wireguard/wg0.conf
[Interface]
# Server private key. wg-quick passes this value to "wg setconf" literally, so paste
# the base64 key (the contents of /etc/wireguard/server_privatekey) here rather than a
# shell command. Keep this file and the key file readable by root only.
PrivateKey = `cat /etc/wireguard/server_privatekey`
# Address of the VPN interface. No prefix length is given, so it is added as a single
# host address (the start log shows "ip -4 address add 10.10.10.1 dev wg0").
Address = 10.10.10.1
# UDP port the server listens on; clients use it in their Endpoint.
ListenPort = 51820
# Tunnel resolvers; disabled on the server, which keeps the resolvers configured on eth0.
# DNS = 10.42.255.1,10.42.255.2,114.114.114.114
# PostUp / PreDown commands are run by wg-quick (as root, in the order written) after the
# interface is up and before it is torn down.
# Enable IPv4 forwarding so peers can reach networks behind eth0. This is not persisted
# across reboots (use sysctl configuration for that) and has no matching PreDown.
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
# Alternative for hosts managed by ufw; kept for reference, disabled here.
# PostUp = ufw route allow in on wg0 out on eth0
# NAT all forwarded peer traffic behind eth0's address. Nothing in this file filters
# forwarded traffic, so every peer can reach everything routable from eth0, including
# the 172.16.18.0/24 LAN the host sits on. Add FORWARD rules if access should be narrower.
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
# IPv6 counterpart. NOTE(review): no IPv6 Address is assigned to wg0 above, so this rule
# appears to have no effect — confirm whether it is needed.
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
# Optional policy routing through table 200 for traffic sourced from the eth0 address
# (disabled; the matching PreDown lines below are disabled too).
# PostUp = ip rule add table 200 from 172.16.18.54
# PostUp = ip route add table 200 default via 172.16.18.1
# Remove the NAT rules again on teardown so no stale MASQUERADE rule is left behind.
# PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# PreDown = ip rule delete table 200 from 172.16.18.54
# PreDown = ip route delete table 200 default via 172.16.18.1
[Peer]
# Public key of client01 (contents of /etc/wireguard/client01_publickey, pasted literally).
PublicKey = `cat /etc/wireguard/client01_publickey`
# VPN addresses this client may use. On the server side AllowedIPs is both the route to the
# peer and the source-address filter for packets arriving from it, so every address listed
# here is one this client is allowed to send as; keep the list as narrow as the client needs.
# A subnet may be given (e.g. 172.16.100.0/24); it must not be the same segment as the
# host's own LAN.
AllowedIPs = 10.10.11.0/24,172.16.1.1
[Peer]
# Public key of client02. NOTE: the steps above only generate client01's key pair;
# client02's must be generated the same way before this peer can connect.
PublicKey = `cat /etc/wireguard/client02_publickey`
# VPN addresses this client may use (route to the peer and source filter, as for client01).
# A subnet may be given (e.g. 172.16.100.0/24); it must not be the same segment as the
# host's own LAN.
AllowedIPs = 10.10.12.0/24,172.16.2.1
运行服务
# systemctl start wg-quick@wg0
Apr 14 18:37:50 172-16-18-54 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Apr 14 18:37:50 172-16-18-54 wg-quick[45729]: [#] ip link add wg0 type wireguard
Apr 14 18:37:50 172-16-18-54 wg-quick[45729]: [#] wg setconf wg0 /dev/fd/63
Apr 14 18:37:50 172-16-18-54 wg-quick[45729]: [#] ip -4 address add 10.10.10.1 dev wg0
Apr 14 18:37:50 172-16-18-54 wg-quick[45729]: [#] ip link set mtu 1372 up dev wg0
Apr 14 18:37:50 172-16-18-54 wg-quick[45753]: [#] resolvconf -a tun.wg0 -m 0 -x
Apr 14 18:37:50 172-16-18-54 wg-quick[45729]: [#] ip -4 route add 10.10.11.0/24 dev wg0
Apr 14 18:37:50 172-16-18-54 wg-quick[45729]: [#] echo 1 > /proc/sys/net/ipv4/ip_forward
Apr 14 18:37:50 172-16-18-54 wg-quick[45729]: [#] iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
Apr 14 18:37:50 172-16-18-54 wg-quick[45729]: [#] ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
Apr 14 18:37:50 172-16-18-54 systemd[1]: Finished WireGuard via wg-quick(8) for wg0.
WireGuard Client Windows
下载地址
https://download.wireguard.com/windows-client/wireguard-installer.exe
设置 Client Windows
wg0.conf
[Interface]
# Private key of client01. Paste the base64 key; the Windows client does not run shell
# commands and has no /etc/wireguard. Preferably generate the client's key pair on the
# client itself and copy only the public key to the server, so the private key never
# exists on the server (the steps above generate it server-side).
PrivateKey = `cat /etc/wireguard/client01_privatekey`
# VPN address of this client. NOTE(review): this is the network address of 10.10.11.0/24,
# matching the server-side AllowedIPs for client01; a host address such as 10.10.11.1/24
# is the usual form — confirm this is intended.
Address = 10.10.11.0/24
# Resolver used while the tunnel is up: the server's wg0 address. The author notes that
# dnsmasq runs on the same host as WireGuard; presumably it listens on 10.10.10.1 — verify.
# Keep comments on their own line; not every INI parser strips trailing comments.
DNS = 10.10.10.1
[Peer]
# Server public key (contents of server_publickey, pasted literally).
PublicKey = `cat /etc/wireguard/server_publickey`
# Destinations routed through the tunnel. Only the VPN subnet (wg0 = 10.10.10.1) is listed;
# the server's LAN behind eth0 (the author's note mentions 172.16.0.0/16) is not, so it
# must be added here if clients are meant to reach it through the server's NAT.
# wg0 10.10.10.1
# eth0 172.16.0.0/16
AllowedIPs = 10.10.10.0/24
# Server's public IP or hostname plus its ListenPort; "xxxxxxx" is a placeholder to replace.
# NOTE(review): the documented spelling of this key is "Endpoint"; parsers appear to accept
# it case-insensitively, but the documented form is safer — confirm.
EndPoint = xxxxxxx:51820
导入wg0.conf
查看client ip
连接测试
配置一
配置二
配置三
DNS测试
dnsmasq hosts
192.168.0.189 www.baidu.com
wireguard client
测试结果
参考文档
https://www.wireguard.com/install/