参考资料
https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
https://www.vultr.com/docs/how-to-install-wireguard-vpn-server-on-rocky-linux
https://www.linode.com/docs/guides/centos-wireguard-installation-and-configuration/
1. 服务端安装
# dnf install elrepo-release epel-release
# dnf install kmod-wireguard wireguard-tools
2. 生成密钥对(下面的密钥仅为示例, 实际部署时务必重新生成; tee 会把私钥回显到终端, 私钥不可外泄或复用)
# wg genkey | tee /etc/wireguard/server.pri
uNnY4UPjDcIToFfTB4Lt6gGmXVKRFwPwgWsVKe3G60w=
# cat /etc/wireguard/server.pri | wg pubkey | tee /etc/wireguard/server.pub
1T9UAnFbMGq+dA6VLUNLTz/mIWpPdpc7dvAjZ7c/+mQ=
# wg genkey | tee /etc/wireguard/client.pri
4IeTpQFqCmKO3ggqdvLOeM+i0aKqDrt48LvQNozJX1k=
# cat /etc/wireguard/client.pri | wg pubkey | tee /etc/wireguard/client.pub
yZFuuK7u0/Yrtotgs/keq2tmogbCA0c+btolxo2tmDQ=
# chmod 600 /etc/wireguard/server.* /etc/wireguard/client.*
6. 服务端配置文件(文件内含私钥, 应仅 root 可读)
# cat > /etc/wireguard/wg0.conf << EOF
[Interface]
# 服务端私钥
PrivateKey = uNnY4UPjDcIToFfTB4Lt6gGmXVKRFwPwgWsVKe3G60w=
# 服务端使用的vpn内网地址
Address = 10.8.0.1
# 服务端监听的 UDP 端口(需在防火墙放行, 见下方 PostUp)
ListenPort = 61820
# 防火墙转发与 NAT 规则: wg0 为 VPN 接口名, eth0 为 VPS 的物理网卡名(请按实际接口名修改); 同时放行 ListenPort 的 UDP 端口
PostUp = firewall-cmd --zone=public --add-masquerade; firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE; firewall-cmd --add-port=61820/udp
PostDown = firewall-cmd --zone=public --remove-masquerade; firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth0 -j ACCEPT; firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE; firewall-cmd --remove-port=61820/udp
[Peer]
# 客户端公钥
PublicKey = yZFuuK7u0/Yrtotgs/keq2tmogbCA0c+btolxo2tmDQ=
# 允许该客户端使用的 VPN 内网地址(服务端只接受并路由来自这些源地址的该 peer 流量)
AllowedIPs = 10.8.0.2, 10.8.0.3
EOF
7. 服务端开启 IP 转发(proxy_arp 并非 NAT 转发所必需, 若无特殊需要可不开启)
# cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1
EOF
# sysctl -p
9. 启动服务
# systemctl enable wg-quick@wg0 && systemctl restart wg-quick@wg0
# wg
interface: wg0
public key: 1T9UAnFbMGq+dA6VLUNLTz/mIWpPdpc7dvAjZ7c/+mQ=
private key: (hidden)
listening port: 61820
peer: yZFuuK7u0/Yrtotgs/keq2tmogbCA0c+btolxo2tmDQ=
allowed ips: 10.8.0.2/32, 10.8.0.3/32
10. 客户端(Ubuntu)安装
sudo apt-get install wireguard
11. 客户端配置文件(文件内含私钥, 写入后应 chmod 600)
$ sudo tee /etc/wireguard/wg0.conf > /dev/null << EOF
[Interface]
# 客户端私钥
PrivateKey = 4IeTpQFqCmKO3ggqdvLOeM+i0aKqDrt48LvQNozJX1k=
# 客户端的 VPN 内网地址(须包含在服务端该 peer 的 AllowedIPs 中)
Address = 10.8.0.2/32
[Peer]
# 服务端公钥
PublicKey = 1T9UAnFbMGq+dA6VLUNLTz/mIWpPdpc7dvAjZ7c/+mQ=
# 经隧道转发到服务端的目标地址范围: 可设置为单个地址、子网, 或 0.0.0.0/0 表示全部流量都经 VPN 通过
AllowedIPs = 10.8.0.0/24
# 如果客户端没有公网地址(位于 NAT 或防火墙之后), 每 25 秒向服务端发送一次保活包, 以维持 NAT 映射不被回收
PersistentKeepalive = 25
# 服务端的公网地址和监听端口(与服务端 ListenPort 一致)
EndPoint = xxx.xxx.xxx.xxx:61820
EOF
12. 客户端启动连接
$ sudo wg-quick up wg0
$ sudo wg
interface: wg0
public key: yZFuuK7u0/Yrtotgs/keq2tmogbCA0c+btolxo2tmDQ=
private key: (hidden)
listening port: 53579
peer: 1T9UAnFbMGq+dA6VLUNLTz/mIWpPdpc7dvAjZ7c/+mQ=
endpoint: xxx.xxx.xxx.xxx:61820
allowed ips: 10.8.0.1/32
$ sudo wg-quick down wg0