WireGuard服务器安装
WireGuard VPN 服务器部署与管理手册
系统要求
- Ubuntu 22.04 LTS 服务器
- 使用 root 权限
第一部分:服务器安装与配置
1. 系统更新与依赖安装
# Refresh the package index, upgrade, then install WireGuard plus the helpers
# the rest of this guide relies on: qrencode (QR codes printed by
# wg-user-manager), iptables (PostUp/PostDown NAT rules in wg0.conf) and
# curl (public-IP lookup in wg-user-manager).
sudo apt update
sudo apt upgrade -y
sudo apt install -y wireguard qrencode iptables net-tools curl
2. 启用内核转发
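# Enable IPv4 forwarding and the tuning values below from a single sysctl
# drop-in, which is also applied automatically at boot.
# Do not write `sudo echo ... >> /etc/sysctl.conf`: the `>>` redirection is
# performed by the unprivileged shell (sudo only wraps echo) and fails with
# "Permission denied". Piping into `sudo tee -a` performs the write as root.
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-wireguard.conf
# Larger connection-tracking table
echo "net.netfilter.nf_conntrack_max=262144" | sudo tee -a /etc/sysctl.d/99-wireguard.conf
# Larger UDP socket buffers
echo "net.core.rmem_max=2500000" | sudo tee -a /etc/sysctl.d/99-wireguard.conf
echo "net.core.wmem_max=2500000" | sudo tee -a /etc/sysctl.d/99-wireguard.conf
# Apply the drop-in now. nf_conntrack_max only exists while the nf_conntrack
# module is loaded; if sysctl reports that key as missing, run
# `sudo modprobe nf_conntrack` and re-run this command.
sudo sysctl -p /etc/sysctl.d/99-wireguard.conf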
3. 防火墙配置
# Open the WireGuard listen port (must match ListenPort in wg0.conf) and accept
# traffic arriving on the tunnel interface itself.
sudo ufw allow 51820/udp
sudo ufw allow in on wg0
sudo ufw reload
4. 生成服务器密钥
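# Generate the server key pair with owner-only permissions.
# `umask` is a shell builtin: `sudo umask 077` cannot be executed by sudo
# (it runs programs, not builtins) and would not affect this shell anyway.
# Run the whole pipeline in a root shell that sets umask first, so both key
# files are created mode 0600. The trailing tee still echoes the public key
# to the terminal; the private key only goes to its file.
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey | tee /etc/wireguard/server_public.key'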
5. 创建服务器配置文件
# Create the interface config (contents below). It holds the private key, so
# restrict it to root afterwards: sudo chmod 600 /etc/wireguard/wg0.conf
sudo vi /etc/wireguard/wg0.conf
文件内容:
# /etc/wireguard/wg0.conf - keep this file root-only (chmod 600); it holds the
# interface private key.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
# <paste the contents of /etc/wireguard/server_private.key>
PrivateKey = xxxxxxxxxxxxxxxtMkxxxxiaxxx5bxGY=
# false: wg-quick does not rewrite this file on shutdown, so the [Peer] blocks
# and comments appended by wg-user-manager are preserved.
SaveConfig = false
# Firewall rules - replace eth1 with the name of your public-facing interface
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
6. 启动 WireGuard 服务
# Enable the unit at boot and start it now; the status output confirms the
# interface came up.
sudo systemctl enable --now wg-quick@wg0
sudo systemctl status wg-quick@wg0
第二部分:用户管理脚本
1. 创建用户管理脚本
sudo vi /usr/local/bin/wg-user-manager
脚本内容:
#!/bin/bash
# wg-user-manager: interactive menu for adding, removing and listing
# WireGuard peers on wg0. Every action writes under /etc/wireguard and talks
# to the running interface, so refuse to continue unless effective uid is 0.
if [[ $EUID -ne 0 ]]; then
  echo "该脚本必须以root用户运行!" >&2
  exit 1
fi
# 主菜单
# Clear the screen and draw the main menu. The final prompt is written
# without a newline so the user's choice is typed on the same line.
show_menu() {
  local rule='============================='
  clear
  printf '%s\n' \
    "$rule" \
    ' WireGuard 用户管理工具' \
    "$rule" \
    '1. 添加新用户' \
    '2. 删除用户' \
    '3. 列出所有用户' \
    '4. 清理接口残留' \
    '5. 查看服务器配置' \
    '6. 查看服务状态' \
    '0. 退出' \
    "$rule"
  printf '%s' '请选择操作 [0-6]: '
}
# 添加用户函数
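# Derive the next free host number in 10.8.0.0/24 from the AllowedIPs lines
# already in the server config. Echoes the number. Allocation is
# max-in-use + 1, so a number freed by a deleted peer is never reused.
# Arguments: $1 - path to the wg0.conf to scan
_next_ip_suffix() {
  local conf=$1 last
  last=$(sed -n 's#^AllowedIPs *= *10\.8\.0\.\([0-9][0-9]*\)/32.*#\1#p' "$conf" 2>/dev/null \
    | sort -n | tail -n 1)
  printf '%s\n' "$(( ${last:-1} + 1 ))"
}

# Create a client: key pair, client.conf and a [Peer] entry on the server.
# Arguments: $1 - client name (prompted for when omitted)
# Reads:     WG_SERVER_IP (optional) - endpoint address to write into
#            client.conf instead of looking the public address up online
# Returns:   0 on success; 1 on invalid name, existing client or failure
add_user() {
  local conf=/etc/wireguard/wg0.conf
  local name_re='^[A-Za-z0-9][A-Za-z0-9_.-]*$'
  local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  local client client_dir client_pub server_ip next_suffix new_ip

  if [ -z "$1" ]; then
    printf '输入用户名: '
    read -r client
  else
    client=$1
  fi

  # The name becomes a directory name and a comment line in wg0.conf; the
  # restricted character set keeps it inside the clients directory and on a
  # single line of the config.
  if ! [[ "$client" =~ $name_re ]]; then
    echo "错误:用户名 '$client' 无效(只允许字母、数字、. _ -,且以字母或数字开头)!" >&2
    return 1
  fi

  client_dir="/etc/wireguard/clients/$client"
  if [ -d "$client_dir" ]; then
    echo "错误:用户 '$client' 已经存在!" >&2
    return 1
  fi
  if [ ! -r /etc/wireguard/server_public.key ]; then
    echo "错误:找不到 /etc/wireguard/server_public.key" >&2
    return 1
  fi

  # Pick the address before touching the filesystem so an exhausted pool
  # leaves nothing behind.
  next_suffix=$(_next_ip_suffix "$conf")
  if [ "$next_suffix" -gt 254 ]; then
    echo "错误:10.8.0.0/24 地址池已用尽" >&2
    return 1
  fi
  new_ip="10.8.0.$next_suffix/32"

  # Endpoint written into the client config: prefer an operator-supplied
  # value; otherwise ask icanhazip over HTTPS and accept only a dotted quad,
  # so an error page or unexpected body never ends up in the client config.
  server_ip=${WG_SERVER_IP:-$(curl -s -4 --retry 3 https://icanhazip.com)}
  if ! [[ "$server_ip" =~ $ipv4_re ]]; then
    echo "警告:无法获取服务器公网IP,使用配置文件中的设置" >&2
    server_ip="<SERVER_PUBLIC_IP>"
  fi

  # The directory, private.key and client.conf all hold the client's private
  # key, so create them owner-only. umask is process-wide; the subshell
  # confines the change to this step.
  (
    umask 077
    mkdir -p "$client_dir" || exit 1
    wg genkey | tee "$client_dir/private.key" | wg pubkey > "$client_dir/public.key" || exit 1
    cat > "$client_dir/client.conf" <<EOF
[Interface]
PrivateKey = $(cat "$client_dir/private.key")
Address = $new_ip
DNS = 8.8.8.8,8.8.4.4
[Peer]
PublicKey = $(cat /etc/wireguard/server_public.key)
Endpoint = $server_ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
  ) || { echo "错误:无法创建用户 '$client' 的密钥或配置" >&2; return 1; }

  client_pub=$(cat "$client_dir/public.key")

  # Persist the peer. The comment line records who was added and when in the
  # form "# <name> - 添加于 <time>".
  {
    printf '\n[Peer]\n'
    printf '# %s - 添加于 %s\n' "$client" "$(date '+%Y-%m-%d %H:%M:%S')"
    printf 'PublicKey = %s\n' "$client_pub"
    printf 'AllowedIPs = %s\n' "$new_ip"
  } >> "$conf"

  # Add the peer to the live interface; a restart would drop every other
  # client's session. Fall back to a restart only when the interface is down.
  if ! wg set wg0 peer "$client_pub" allowed-ips "$new_ip" 2>/dev/null; then
    systemctl restart wg-quick@wg0.service
  fi

  printf '\n✅ 用户 %s 添加成功!\n' "$client"
  echo "配置文件: $client_dir/client.conf"
  echo "分配IP: $new_ip"

  if command -v qrencode &> /dev/null; then
    printf '\n扫描二维码快速添加配置:\n'
    qrencode -t ansiutf8 < "$client_dir/client.conf"
  fi
}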
# 删除用户函数
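# Print config $1 with the [Peer] block whose PublicKey is $2 removed.
# Sections are separated by blank lines, so awk's paragraph mode (RS="")
# sees each one as a single record; the key is compared literally with
# index(), not as a regex.
# Arguments: $1 - config path, $2 - base64 public key
_without_peer_block() {
  awk -v key="$2" 'BEGIN { RS = ""; ORS = "\n\n" } !(/^\[Peer\]/ && index($0, key))' "$1"
}

# Remove a client: live peer, persistent config entry, then archive its files.
# Returns: 0 on success; 1 on invalid/unknown name or failed config rewrite
delete_user() {
  local conf=/etc/wireguard/wg0.conf
  local name_re='^[A-Za-z0-9][A-Za-z0-9_.-]*$'
  local client client_dir user_pubkey tmp stamp

  printf '输入要删除的用户名: '
  read -r client
  # Same character set add_user accepts; keeps the path inside the clients
  # directory.
  if ! [[ "$client" =~ $name_re ]]; then
    echo "错误:用户名 '$client' 无效!" >&2
    return 1
  fi
  client_dir="/etc/wireguard/clients/$client"
  if [ ! -d "$client_dir" ]; then
    echo "错误:用户 '$client' 不存在!" >&2
    return 1
  fi
  user_pubkey=$(cat "$client_dir/public.key") || return 1

  # Drop the peer from the running interface. The script already runs as
  # root (checked at startup), so no sudo. Failure only means wg0 is down.
  wg set wg0 peer "$user_pubkey" remove 2>/dev/null

  # Rewrite wg0.conf directly rather than via `wg-quick save`, which
  # regenerates the file and discards comments, including the
  # "# <name> - 添加于" lines that identify peers. mktemp in the same
  # directory yields a 0600 file and mv replaces the config atomically.
  tmp=$(mktemp "$conf.XXXXXX") || return 1
  if _without_peer_block "$conf" "$user_pubkey" > "$tmp"; then
    mv -f -- "$tmp" "$conf"
  else
    rm -f -- "$tmp"
    echo "错误:更新 $conf 失败" >&2
    return 1
  fi

  # Keep the client's files as a dot-prefixed backup (hidden from a plain ls).
  stamp=$(date +%Y%m%d-%H%M%S)
  mv -- "$client_dir" "/etc/wireguard/clients/.deleted_${client}_$stamp"
  echo "✅ 用户 $client 已删除(配置已备份)"
}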
# 列出用户函数
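# Print the client names recorded in config $1 by the
# "# <name> - 添加于 <time>" comment lines, sorted and deduplicated.
# Arguments: $1 - config path
_peer_names() {
  sed -n 's/^# \(.*\) - 添加于 .*/\1/p' "$1" 2>/dev/null | LC_ALL=C sort -u
}

# List configured peers (from wg0.conf) and the client directories on disk.
# The previous grep for a "# Peer" marker matched nothing, because add_user
# writes "# <name> - 添加于 <time>" instead, so the first list was always empty.
list_users() {
  printf '\n已配置用户:\n'
  _peer_names /etc/wireguard/wg0.conf
  printf '\n磁盘上存储的用户配置:\n'
  # Deleted clients are parked as ".deleted_*", which a plain ls hides.
  ls /etc/wireguard/clients
}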
# 清理接口函数
# Tear down wg0 completely and bring the unit back up; for when the interface
# is left in a bad state after a failed start or stop.
clean_interface() {
  local unit=wg-quick@wg0.service
  echo "开始清理 WireGuard 接口..."
  systemctl stop "$unit"
  # Remove a stale link and control socket a failed run may have left behind.
  ip link delete dev wg0 2>/dev/null
  rm -f /var/run/wireguard/wg0.sock
  systemctl start "$unit"
  echo "✅ 接口清理完成"
}
# 主循环
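# Main loop: draw the menu and dispatch on the choice. Reading EOF (Ctrl-D or
# a closed stdin) ends the program instead of redrawing the menu forever.
while true; do
  show_menu
  read -r OPTION || exit 0
  case "$OPTION" in
    1)
      printf '是否批量添加用户? (y/N) '
      read -r BATCH
      if [[ "$BATCH" == [Yy]* ]]; then
        printf '输入用户名列表(空格分隔): '
        # -a splits the line into an array; each name becomes one argument.
        read -r -a NAMES
        # Not named USER: that would clobber the environment variable.
        for name in "${NAMES[@]}"; do
          add_user "$name"
        done
      else
        add_user
      fi
      ;;
    2) delete_user ;;
    3)
      list_users
      printf '按Enter返回...'
      read -r _
      ;;
    4) clean_interface ;;
    5)
      printf '\n服务器配置:\n'
      # Prints the whole file, including the interface PrivateKey line.
      cat /etc/wireguard/wg0.conf
      printf '按Enter返回...'
      read -r _
      ;;
    6)
      printf '\nWireGuard 服务状态:\n'
      systemctl status wg-quick@wg0.service --no-pager
      printf '\n接口状态:\n'
      # Already root (checked at startup), so no sudo.
      wg show wg0
      printf '按Enter返回...'
      read -r _
      ;;
    0)
      echo "退出"
      exit 0
      ;;
    *)
      echo "无效选择"
      sleep 1
      ;;
  esac
done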
2. 设置脚本权限
# Make the management script executable (it checks for root itself on start).
sudo chmod +x /usr/local/bin/wg-user-manager
3. 创建用户配置目录
# add_user stores each client's private key and config under this directory;
# keeping it root-only (chmod 700) is advisable.
sudo mkdir -p /etc/wireguard/clients
sudo wg-user-manager
配置文件路径:
/etc/wireguard/clients/<用户名>/client.conf
4. 客户端
下载安装:https://www.wireguard.com/install/
第三部分:异常处理
1. 异常处理:服务停止后启动失败
# Install a standalone recovery script: the same tear-down as the menu's
# "清理接口残留" option plus `wg-quick down`, for when the menu itself cannot
# bring the service back. The quoted 'EOF' keeps the body literal.
sudo tee /usr/local/bin/wg-clean <<'EOF'
#!/bin/bash
# 停止服务
systemctl stop wg-quick@wg0 2>/dev/null
# 移除接口
wg-quick down wg0 2>/dev/null
ip link delete dev wg0 2>/dev/null
# 清除残留
rm -f /var/run/wireguard/wg0.sock
# 重启服务
systemctl start wg-quick@wg0
EOF
# Make the recovery script executable
sudo chmod +x /usr/local/bin/wg-clean
使用方法:当再次出现接口问题时运行:
# Run whenever wg0 gets stuck again (needs root: it stops/starts the unit).
sudo wg-clean
