WireGuard, the VPN newcomer on its way into the Linux kernel (merged in 5.6), has won Linus Torvalds' praise for its simple and elegant design and implementation. This article shows how to set up a secure, working VPN with WireGuard.
Installing WireGuard on CentOS 7
Installing WireGuard on CentOS 7 is straightforward with the one-click install script at https://github.com/angristan/wireguard-install. Read the script before executing it: it is fetched from a third-party repository and needs root to install packages and configure the interface, so a compromised or modified copy would run with full privileges.
Supported platforms:
- Ubuntu >= 16.04
- Debian 10
- Fedora
- CentOS
- Arch Linux
Installation steps:
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh
Installing the client on macOS
On the author's Mac, Homebrew could only install the package after its source was switched to the Aliyun mirror (the author reports that the Tsinghua mirror did not work either). If your Homebrew reaches GitHub without trouble, skip the mirror change and go straight to brew install.
Switching to the Aliyun mirror
# show the current remote of brew.git
$ cd "$(brew --repo)" && git remote -v
origin https://github.com/Homebrew/brew.git (fetch)
origin https://github.com/Homebrew/brew.git (push)
# show the current remote of homebrew-core.git
$ cd "$(brew --repo homebrew/core)" && git remote -v
origin https://github.com/Homebrew/homebrew-core.git (fetch)
origin https://github.com/Homebrew/homebrew-core.git (push)
# point brew.git at the Aliyun mirror
$ git -C "$(brew --repo)" remote set-url origin https://mirrors.aliyun.com/homebrew/brew.git
# point homebrew-core.git at the Aliyun mirror
$ git -C "$(brew --repo homebrew/core)" remote set-url origin https://mirrors.aliyun.com/homebrew/homebrew-core.git
# zsh: fetch bottles (prebuilt binaries, formerly hosted on Bintray) from the mirror
$ echo 'export HOMEBREW_BOTTLE_DOMAIN=https://mirrors.aliyun.com/homebrew/homebrew-bottles' >> ~/.zshrc
$ source ~/.zshrc
# bash: same bottle mirror setting
$ echo 'export HOMEBREW_BOTTLE_DOMAIN=https://mirrors.aliyun.com/homebrew/homebrew-bottles' >> ~/.bash_profile
$ source ~/.bash_profile
# refresh the package index from the new sources
$ brew update
Then install the WireGuard command-line tools:
$ brew install wireguard-tools
Once installed, generate a key pair. Set a restrictive umask first so the private key file is never readable by other users on the machine; mkdir and cd are chained with && (the original used a pipe, which does not change directory):
$ umask 077
$ mkdir -p ~/wireguard && cd ~/wireguard
$ wg genkey | tee privatekey | wg pubkey > publickey
$ cat privatekey   # goes into the PrivateKey field of the tunnel file below
$ cat publickey    # hand this to the server side to register the peer
Download the WireGuard GUI app for macOS and use "Import tunnel(s) from file…". The tunnel file looks like this:
[Interface]
PrivateKey = [the private key generated on the client]
ListenPort = 51820
Address = 172.27.0.25/24
[Peer]
PublicKey = [the server's public key]
AllowedIPs = 172.27.0.5/32, 192.168.1.150/32, 192.168.1.0/24, 172.26.1.0/24 [subnets reachable through the tunnel]
Endpoint = your public IP or domain name:8443 [server endpoint]
PersistentKeepalive = 15
AllowedIPs is both the route table and the source-address filter for this peer: only destinations in the list are sent into the tunnel, and only packets whose source is in the list are accepted from the server. The server must in turn list 172.27.0.25/32 under this client's [Peer] section, or it drops everything the client sends. ListenPort is optional on a client that only dials out; 192.168.1.150/32 is already covered by 192.168.1.0/24 and can be dropped; PersistentKeepalive only matters when the client sits behind NAT and needs the mapping held open.
References
- Server-side configuration template:
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT; iptables -A FORWARD -i ens3 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT; iptables -D FORWARD -i ens3 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE;
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = [************Server PrivateKey**********]
[Peer]
PublicKey = [*********Client PublicKey***********]
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
Notes on the server template: ens3 is the uplink interface of the host this template was written for; substitute the interface that `ip route get 1.1.1.1` reports on your server. The PostUp rules only forward packets if the kernel allows forwarding at all, so also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or a file under /etc/sysctl.d) and apply it with sysctl -p. SaveConfig = true rewrites this file from the running interface state on `wg-quick down`, so edits made to the file while wg0 is up are lost unless they were applied to the live interface with `wg set` first. AllowedIPs = 10.0.0.2/32 is the only source address the server accepts from this client, so the client's Address must be 10.0.0.2. PersistentKeepalive on the server side is only useful when the server itself is behind NAT.
- Client-side configuration template:
[Interface]
PrivateKey = [***********Client PrivateKey***********]
Address = 10.0.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = [************Server PublicKey************]
AllowedIPs = 0.0.0.0/0
Endpoint = [Server IP]:[Port]
PersistentKeepalive = 25
Address must match the AllowedIPs the server template grants this peer (10.0.0.2/32); the original template used 10.0.0.3, and a client configured that way completes the handshake but has every data packet dropped by the server's cryptokey routing. AllowedIPs = 0.0.0.0/0 sends all IPv4 traffic through the tunnel; add ::/0 if the client also has IPv6 connectivity, otherwise IPv6 traffic bypasses the VPN. DNS = 8.8.8.8 is reached through the tunnel only because 0.0.0.0/0 covers it.
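Both the macOS tunnel file above and the server/client templates depend on the same rule: each side's AllowedIPs must cover the other side's tunnel Address, and the server's entry for a peer is the only source address it accepts from that peer. The script below is an added example, not code from the original post or from the WireGuard project. It implements the cryptokey-routing lookup (longest-prefix match over every peer's AllowedIPs) in POSIX sh with awk, then checks a server/client pair for the 10.0.0.2 versus 10.0.0.3 mismatch present in the original templates. It handles IPv4 only, and every key, address and file name in it is a constructed placeholder.

```sh
#!/bin/sh
# Added example, not from the original post or the WireGuard project.
# Cryptokey-routing checks for wg-quick style configs in POSIX sh + awk.
# Assumptions: IPv4 only; every key, address and file name below is a
# constructed placeholder, not a real deployment.

ip2int() {                       # dotted quad -> unsigned 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                      # in_cidr IP CIDR -> exit 0 if IP lies inside CIDR
    _bits=${2#*/}; [ "$_bits" = "$2" ] && _bits=32     # bare address means /32
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "${2%/*}") & _mask )) ]
}

conf_value() {                   # conf_value FILE KEY -> first value of KEY, comment stripped
    awk -v k="$2" '$0 ~ ("^" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*#.*/, ""); print; exit }' "$1"
}

peer_table() {                   # FILE -> one "PUBKEY CIDR" line per AllowedIPs entry of every [Peer]
    awk '
        function flush(  n, i, a) {
            n = split(ips, a, ",")
            for (i = 1; i <= n; i++) if (key != "" && a[i] != "") print key, a[i]
            key = ""; ips = ""
        }
        { sub(/#.*/, "") }                                   # drop comments first
        /^\[Peer\]/ { flush(); inpeer = 1; next }
        /^\[/       { flush(); inpeer = 0; next }            # [Interface] or any other section
        inpeer && /^PublicKey[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); gsub(/[ \t]/, ""); key = $0 }
        inpeer && /^AllowedIPs[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gsub(/[ \t]/, ""); ips = ips "," $0 }
        END { flush() }' "$1"
}

peer_for_dest() {                # peer_for_dest FILE IP -> public key the kernel would pick (longest prefix wins)
    peer_table "$1" | {
        best=; bestlen=-1
        while read -r key cidr; do
            len=${cidr#*/}; [ "$len" = "$cidr" ] && len=32
            if in_cidr "$2" "$cidr" && [ "$len" -gt "$bestlen" ]; then
                best=$key; bestlen=$len
            fi
        done
        [ -n "$best" ] && printf '%s\n' "$best"   # exit 1 when no peer covers IP
    }
}

check_peer_pair() {              # check_peer_pair SERVER.conf CLIENT.conf CLIENT_PUBKEY -> 0 if both directions route
    cli_ip=$(conf_value "$2" Address); cli_ip=${cli_ip%/*}
    srv_ip=$(conf_value "$1" Address); srv_ip=${srv_ip%/*}
    got=$(peer_for_dest "$1" "$cli_ip") || got="(no peer)"
    if [ "$got" != "$3" ]; then  # server would drop or misattribute packets sourced from the client
        echo "server: source $cli_ip maps to $got, not to $3" >&2
        return 1
    fi
    peer_for_dest "$2" "$srv_ip" >/dev/null || {
        echo "client: $srv_ip is in no peer's AllowedIPs, no route to the server" >&2
        return 1
    }
}

write_samples() {                # constructed sample pair reproducing the mismatch in the templates above
    cat > "$1/wg0.conf" <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
EOF
    cat > "$1/client.conf" <<'EOF'
[Interface]
Address = 10.0.0.3/24   # server only accepts 10.0.0.2/32 from this peer
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
EOF
}

if [ "${1:-}" = "--demo" ]; then # run as: sh wgcheck.sh --demo
    d=$(mktemp -d); write_samples "$d"
    check_peer_pair "$d/wg0.conf" "$d/client.conf" CLIENT_PUBLIC_KEY_PLACEHOLDER && echo "pair OK" || echo "pair BROKEN"
    rm -rf "$d"
fi
```

Run `sh wgcheck.sh --demo` to see the sample pair fail; change the client's Address to 10.0.0.2/24 and it passes. To check a real deployment, call check_peer_pair with the server's wg0.conf, the client's config file and the client's public key as printed by `cat publickey` earlier. peer_for_dest alone also answers the question "which peer would this destination be sent to", which is the same decision the kernel makes for every outgoing packet.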