
    Multi-peer networking with WireGuard

    Note: between starting this article and today (March 7) the ISP has blocked WireGuard's UDP port, so a direct connection is no longer possible; see the post on the ISP's UDP blocking for details.

    Overview

    I have two servers, a Linux desktop, a laptop and a Windows desktop, and they need to be networked together. After some thought I settled on an open-source solution: something I control and can tinker with.

    WireGuard is, put simply, a peer-to-peer tunnel built on asymmetric cryptography, so its configuration revolves around public/private key pairs.

    Usage

    Generate a key pair with the WireGuard tools.

    Generate the key pair

    # private key first, then derive the matching public key from it
    wg genkey | sudo tee /etc/wireguard/srv_private.key
    sudo cat /etc/wireguard/srv_private.key | wg pubkey | sudo tee /etc/wireguard/srv_public.key

    Server-side configuration

    /etc/wireguard/wg0.conf
    [Interface]
    # paste the literal key here: wg-quick does not expand $(cat ...) in config files
    PrivateKey = <contents of srv_private.key>
    Address = 10.8.0.1/24, fd0d:86fa:c3bc::1/64
    ListenPort = 51820
    SaveConfig = true
    
    PostUp = ufw route allow in on wg0 out on eth0
    PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
    PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
    PreDown = ufw route delete allow in on wg0 out on eth0
    PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    
    # One [Peer] per client. AllowedIPs must not overlap between peers: WireGuard
    # routes each prefix to exactly one peer, so giving every client the whole
    # ::/64 would leave only the last peer reachable over IPv6. No Endpoint is
    # set here; the server learns each client's address from its handshake.
    [Peer] # client 1
    PublicKey = <contents of client1_pub.key>
    AllowedIPs = 10.8.0.2/32, fd0d:86fa:c3bc::2/128
    [Peer] # client 2
    PublicKey = <contents of client2_pub.key>
    AllowedIPs = 10.8.0.3/32, fd0d:86fa:c3bc::3/128
    [Peer] # client 3
    PublicKey = <contents of client3_pub.key>
    AllowedIPs = 10.8.0.4/32, fd0d:86fa:c3bc::4/128
    

    System configuration (enable forwarding so the server can route between peers and out to eth0):

    sudo nano /etc/sysctl.conf
    net.ipv4.ip_forward=1
    net.ipv6.conf.all.forwarding=1
    

    Start:
    wg-quick up wg0

    Stop:
    wg-quick down wg0

    Peer configuration

    Key pair

    wg genkey | sudo tee /etc/wireguard/cli_private.key
    sudo cat /etc/wireguard/cli_private.key | wg pubkey | sudo tee /etc/wireguard/cli_public.key

    wg configuration

    sudo nano /etc/wireguard/wg0.conf
    [Interface]
    PrivateKey = <client1's private key>
    Address = 10.8.0.2/24
    Address = fd0d:86fa:c3bc::2/64
    MTU = 1280
    
    [Peer]
    PublicKey = <server's public key>
    # only traffic for the VPN subnets goes through the tunnel
    AllowedIPs = 10.8.0.0/24, fd0d:86fa:c3bc::/64
    Endpoint = 203.0.113.1:51820
    PersistentKeepalive = 25
    

    Start and stop it the same way as on the server.

    Second peer configuration

    sudo nano /etc/wireguard/wg0.conf
    [Interface]
    PrivateKey = <client2's private key>
    Address = 10.8.0.3/24
    # each peer needs its own IPv6 address too; ::2 already belongs to client 1
    Address = fd0d:86fa:c3bc::3/64
    MTU = 1280
    
    
    [Peer]
    PublicKey = srv's public key.
    AllowedIPs = 10.8.0.0/24, fd0d:86fa:c3bc::/64
    Endpoint = 203.0.113.1:51820
    PersistentKeepalive = 25
    

    Third, fourth, ... peer configuration

    These are the same as the peer configs above. On the client, change the private key and the addresses; on the server, add a [Peer] section with that client's public key and its AllowedIPs.
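Adding a fourth, fifth or tenth peer by hand is where the mistakes above (duplicate IPv6 addresses, the same /64 in every server-side peer) creep in. The script below is an added example, not part of the original post: it generates the server config and one client config per peer from the post's subnets, assigning each peer a unique address in both families, and it includes a small checker that flags [Peer] sections whose AllowedIPs overlap, which is the condition that makes WireGuard's cryptokey routing silently send a prefix to the wrong peer. The key strings and the endpoint are constructed placeholders (the post's 203.0.113.1 documentation address); real deployments paste the base64 output of wg genkey / wg pubkey.

```python
import ipaddress
import textwrap

# Constructed placeholders, NOT real keys: substitute the base64 strings
# produced by `wg genkey` and `wg pubkey`.
SERVER_PUBKEY = "<srv_public.key contents>"
PEER_PUBKEYS = [
    "<client1_pub.key contents>",
    "<client2_pub.key contents>",
    "<client3_pub.key contents>",
]
SERVER_ENDPOINT = "203.0.113.1:51820"  # same documentation address as the post
V4_NET = ipaddress.ip_network("10.8.0.0/24")
V6_NET = ipaddress.ip_network("fd0d:86fa:c3bc::/64")


def peer_addresses(n):
    """Addresses for peer number n (1-based). .1 / ::1 are reserved for the server."""
    return V4_NET[n + 1], V6_NET[n + 1]


def server_config(server_privkey, peer_pubkeys):
    """Server wg0.conf: one [Peer] per client with host routes (/32 and /128)."""
    out = [
        "[Interface]",
        f"PrivateKey = {server_privkey}",
        f"Address = {V4_NET[1]}/{V4_NET.prefixlen}, {V6_NET[1]}/{V6_NET.prefixlen}",
        "ListenPort = 51820",
        "PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE",
        "PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE",
    ]
    for n, pub in enumerate(peer_pubkeys, start=1):
        v4, v6 = peer_addresses(n)
        # No Endpoint on the server side: clients behind NAT roam, and the
        # server learns their current address from each handshake.
        out += ["", f"[Peer] # client {n}", f"PublicKey = {pub}",
                f"AllowedIPs = {v4}/32, {v6}/128"]
    return "\n".join(out) + "\n"


def client_config(n, client_privkey):
    """Client wg0.conf for peer n, routing only the VPN subnets through the tunnel."""
    v4, v6 = peer_addresses(n)
    return textwrap.dedent(f"""\
        [Interface]
        PrivateKey = {client_privkey}
        Address = {v4}/{V4_NET.prefixlen}
        Address = {v6}/{V6_NET.prefixlen}
        MTU = 1280

        [Peer]
        PublicKey = {SERVER_PUBKEY}
        AllowedIPs = {V4_NET}, {V6_NET}
        Endpoint = {SERVER_ENDPOINT}
        PersistentKeepalive = 25
        """)


def parse_peer_allowed_ips(conf_text):
    """Minimal INI-style parser: returns the AllowedIPs networks of each [Peer]."""
    peers, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append([])
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            peers[-1].extend(ipaddress.ip_network(v.strip(), strict=False)
                             for v in value.split(","))
    return peers


def overlapping_allowed_ips(conf_text):
    """Pairs of peer indexes whose AllowedIPs overlap: a misconfiguration, since
    WireGuard maps each prefix to exactly one peer and the later one wins."""
    peers = parse_peer_allowed_ips(conf_text)
    return [(i, j) for i in range(len(peers)) for j in range(i + 1, len(peers))
            if any(a.version == b.version and a.overlaps(b)
                   for a in peers[i] for b in peers[j])]


# Constructed sample reproducing the post's original layout, in which every
# server-side peer claimed the whole fd0d:86fa:c3bc::/64.
BUGGY_SERVER_CONF = """\
[Interface]
PrivateKey = <srv_private.key contents>
Address = 10.8.0.1/24, fd0d:86fa:c3bc::1/64
ListenPort = 51820

[Peer] # client 1
PublicKey = <client1_pub.key contents>
AllowedIPs = 10.8.0.2/32, fd0d:86fa:c3bc::/64
[Peer] # client 2
PublicKey = <client2_pub.key contents>
AllowedIPs = 10.8.0.3/32, fd0d:86fa:c3bc::/64
"""

if __name__ == "__main__":
    conf = server_config("<srv_private.key contents>", PEER_PUBKEYS)
    print(conf)
    print(client_config(1, "<client1's private key>"))
    print("overlaps in generated config:", overlapping_allowed_ips(conf))
    print("overlaps in the post's original layout:", overlapping_allowed_ips(BUGGY_SERVER_CONF))
```

Run the checker against an existing /etc/wireguard/wg0.conf before adding a peer; an empty list means every prefix has a single owner. The generator deliberately leaves out SaveConfig, because wg-quick rewrites the file on shutdown when that option is set and would overwrite anything regenerated here.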

    Testing (from any peer, every tunnel address should answer)

    ping 10.8.0.1
    ping 10.8.0.2
    ping 10.8.0.3
    ping 10.8.0.4

    Troubleshooting

    Stuck on some command

    Lower the MTU and it works (the tunnel adds overhead, so packets at the link MTU get fragmented or dropped).

    AllowedIPs is empty or wrong

    When setting AllowedIPs, give the IP or prefix whose traffic should be sent to that peer; using the peer's IP/32 accepts all traffic for that single address.

    Auto-start wg-quick at boot

    sudo systemctl enable --now wg-quick@wg0