wireguard 入门

1.服务器端安装

# Install the WireGuard userspace tools (wg, wg-quick) on the server.
sudo yum -y install wireguard-tools

2.服务端生成密钥对

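# Generate the server key pair. The key files live under /etc/wireguard, which
# the other steps on this page also only touch via sudo, so run the whole
# pipeline as root; a plain user would fail on both the tee and the redirect.
# umask 077 is set inside the sudo shell so the private key is created 0600
# and the caller's own interactive umask is left untouched.
sudo sh -c 'umask 077 && wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key'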

3.客户端安装与生成密钥对

略(使用 WireGuard GUI 程序新建一个空白隧道配置即可,密钥对会随之生成)

4.服务端配置

/etc/wireguard/wg0.conf

[Interface]
# Server private key: paste the contents of /etc/wireguard/server_private.key
# generated in step 2. NOTE(review): this file holds that key in clear text,
# keep wg0.conf readable by root only.
PrivateKey = <server_private_key>
# Tunnel interface address; the client peer below is given 10.0.0.2 from this /24
Address = 10.0.0.1/24
# UDP port the server listens on; step 5 opens it in the security group
ListenPort = 51061
# Enable IPv4 forwarding so packets can be routed between the tunnel and ens5
PostUp = sysctl -w net.ipv4.ip_forward=1
# Accept forwarded traffic entering and leaving the tunnel (%i expands to wg0).
# Both commands run in order when the interface comes up.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
# NAT tunnel clients behind the server's uplink. ens5 is the server's default
# interface here -- replace it with the real uplink interface name.
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens5 -j MASQUERADE
# Remove the FORWARD rules again when the interface goes down
# (ip_forward is intentionally left enabled; nothing resets it here)
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT
# ens5 is the server's default interface; must match the PostUp NAT rule above
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ens5 -j MASQUERADE

[Peer]
# Client public key (taken from the client's WireGuard GUI, step 3)
PublicKey = <client_public_key>
# Only this tunnel address is accepted from, and routed to, this client
AllowedIPs = 10.0.0.2/32

5.服务端启动

# Enable the tunnel at boot and bring it up immediately, then show its state.
sudo systemctl enable --now wg-quick@wg0
sudo systemctl status wg-quick@wg0

服务器需要添加安全组规则,允许 UDP 端口 51061 的入站访问

6.客户端配置

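[Interface]
# Client private key (generated by the WireGuard GUI in step 3)
PrivateKey = <client_private_key>
# Client tunnel address; must match this peer's AllowedIPs entry on the server
Address = 10.0.0.2/24
# Resolver used while the tunnel is up. With the split-tunnel AllowedIPs below,
# 1.1.1.1 is outside the routed ranges, so DNS queries still leave via the
# normal uplink rather than the tunnel.
DNS = 1.1.1.1

[Peer]
# Server public key (contents of /etc/wireguard/server_public.key)
PublicKey = <server_public_key>
# Full-tunnel alternative: send all client traffic through the server
# AllowedIPs = 0.0.0.0/0, ::/0
# Split tunnel: only the server-side private network plus the tunnel subnet.
# 10.0.0.0/24 is included so the client can reach the server's own tunnel
# address 10.0.0.1 (the original 172.31.0.1/16 alone did not route it).
# The prefix is written with zero host bits; wg masks 172.31.0.1/16 to
# 172.31.0.0/16 anyway, so the meaning is unchanged.
AllowedIPs = 172.31.0.0/16, 10.0.0.0/24
# Server public IP and its ListenPort; UDP 51061 must be reachable inbound
Endpoint = <your_server_public_ip>:51061
# Send a keepalive every 25 s so NAT mappings on the client side stay open
PersistentKeepalive = 25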

