Linux 部署 WireGuard

安装

CentOS

sudo yum install epel-release elrepo-release
sudo yum install yum-plugin-elrepo
sudo yum install kmod-wireguard wireguard-tools

Ubuntu

sudo apt install wireguard

若内核太老不想升级,可以使用 wireguard-go 代替。

配置

  1. 创建 Wireguard 目录:
mkdir /etc/wireguard/
cd /etc/wireguard/
  1. 生成密钥对
wg genkey | tee privatekey | wg pubkey > publickey
  1. 编辑配置文件
vi wg0.conf

内容模板:

[Interface]
Address = 10.100.100.3/32
PrivateKey = KEY
ListenPort = 21841
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = PUB
Endpoint = IP
AllowedIPs = 10.100.100.3/24
PersistentKeepalive = 25

若防火墙已经手动配置好,则不需要PostUpPostDown两句。关于AllowedIPs的简单解析:

It acts as a routing table when sending, and an ACL when receiving. When a peer tries to send a packet to an IP, it will check AllowedIPs, and if the IP appears in the list, it will send it through the WireGuard interface. When it receives a packet over the interface, it will check AllowedIPs again, and if the packet’s source address is not in the list, it will be dropped.

  1. 开启 IP 转发
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sysctl -p
  1. 启动服务
sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service
  1. 添加 DNS 脚本

如果连接时使用了域名,WireGuard 连接时会自动解析成 IP。但当域名的 IP 发生变动时,WireGuard 并不会重新解析域名。所以对于使用 DDNS 的用户,必须添加一个 DNS 解析脚本:

wget https://raw.githubusercontent.com/WireGuard/wireguard-tools/master/contrib/reresolve-dns/reresolve-dns.sh
crontab -e

计划任务添加一行:

*/1 * * * * sh /etc/wireguard/reresolve-dns.sh wg0

注意reresolve-dns.sh脚本里用到的$EPOCHSECONDS这个变量,如果你的系统不支持,需要替换成$(date +%s)

参考

[1] How to easily configure WireGuard

延伸阅读