Requirements
I use WireGuard every day to get into my home network from outside and manage the devices on it. It has been very stable and reliable. The configuration and usage are described below.
WireGuard website: https://www.wireguard.com/
Installation is straightforward as well; https://www.wireguard.com/install/ has detailed steps for each platform.
My home host runs Debian 10 (buster); the configuration process is as follows:
Step 1: add the backports source
Add the line deb http://deb.debian.org/debian buster-backports main to /etc/apt/sources.list. On buster the wireguard package comes from backports; on the 4.19 kernel the module is built by its wireguard-dkms dependency against the installed kernel headers, which matters for the error described in the notes at the end.
Step 2: update the package lists
root@ServerX:~# apt-get update
Step 3: install
root@ServerX:~# apt install wireguard
Step 4: generate keys
root@ServerX:~# cd ~
root@ServerX:~# umask 077
root@ServerX:~# wg genkey > server_privatekey
root@ServerX:~# wg pubkey < server_privatekey > server_publickey
root@ServerX:~# wg genkey > client_privatekey
root@ServerX:~# wg pubkey < client_privatekey > client_publickey
The umask 077 makes the key files readable by root only. Generating the client's key pair on the server is convenient for a single user, but it means the client's private key has existed on the server; where possible, generate it on the client and copy only the public key back.
Step 5: enable IP forwarding
Add net.ipv4.ip_forward = 1 to /etc/sysctl.conf, then apply it:
root@ServerX:~# sysctl -p
(If you add IPv6 to the tunnel as in Appendix 2, also add net.ipv6.conf.all.forwarding = 1.)
Step 6: add the configuration files. Only I connect here, so a single client IP is configured.
Server configuration, saved as /etc/wireguard/wg0.conf (that is where wg-quick up wg0 and the wg-quick@wg0 unit in step 8 look for it; chmod 600 the file, since it contains the private key):
[Interface]
Address = 10.12.6.1/24
ListenPort = 11111
PrivateKey = <server private key string>
[Peer]
PublicKey = <client public key string>
AllowedIPs = 10.12.6.8/32
Client configuration, saved as wg92.conf:
[Interface]
Address = 10.12.6.8/32
PrivateKey = <client private key string>
[Peer]
PublicKey = <server public key string>
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = 118.12.3.25:11111
PersistentKeepalive = 25
AllowedIPs has a different effect on each side. On the server, 10.12.6.8/32 means packets from this peer are accepted only if they carry that source address, and only traffic for that address is sent to it. On the client, 0.0.0.0/0, ::0/0 sends all traffic through the tunnel; if you only want to reach the home network, list 10.12.6.0/24 and the home LAN subnet instead. PersistentKeepalive = 25 keeps the mapping in any NAT in front of the client open so the server's packets keep arriving.
Step 7: add the iptables forwarding rules; replace enp4s0 with your own interface name
root@ServerX:~# iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
root@ServerX:~# iptables -A FORWARD -i wg0 -j ACCEPT
root@ServerX:~# iptables -A FORWARD -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@ServerX:~# iptables -A FORWARD -i wg0 -o enp4s0 -j ACCEPT
root@ServerX:~# iptables -A FORWARD -i enp4s0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Two things to note. The last two rules are already covered by the second and third, so they are harmless but redundant. The MASQUERADE rule as written rewrites every packet leaving enp4s0, not only tunnel traffic; adding -s 10.12.6.0/24 limits it to the tunnel subnet. These rules are also lost on reboot unless saved (for example with iptables-persistent) or placed in PostUp/PostDown in the configuration file, as in Appendix 2.
Step 8: start the WireGuard server and enable it at boot
root@ServerX:~# wg-quick up wg0
root@ServerX:~# systemctl enable wg-quick@wg0
Both read /etc/wireguard/wg0.conf. Once a client has connected, wg show wg0 lists each peer with its latest handshake time and transfer counters, which is the quickest way to confirm the tunnel is working.
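Steps 4 to 8 as one script, added here as an example; it is not code from the original post or from the WireGuard project. It generates both key pairs with wg(8), renders the server and client configurations with the post's values (10.12.6.0/24, port 11111, enp4s0, endpoint 118.12.3.25:11111) and writes them with mode 0600. It deliberately differs from the post in two places: the iptables rules go into PostUp/PostDown so they are added and removed with the tunnel, and the MASQUERADE rule is restricted to the tunnel subnet. The function names and the output directory argument are my own; the keys used in the accompanying check are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: build the server and client
# wg-quick configuration described in steps 4-8 from two key pairs.
# Addresses, port and interface are the post's; function names are invented.
set -eu

WG_NET="10.12.6.0/24"          # tunnel subnet
WG_SERVER_IP="${WG_NET%.*}.1"  # 10.12.6.1
WG_PORT="11111"
WAN_IF="enp4s0"                # server's internet-facing interface

# A WireGuard key is 32 bytes in base64: 43 alphabet characters plus one '='.
valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Server side. /32 in AllowedIPs means the peer may only source, and is only
# sent, packets for its own address. The NAT rule is limited to the tunnel
# subnet with -s, unlike the post's rule, which masquerades everything leaving
# the WAN interface. %i is expanded by wg-quick to the interface name.
render_server_conf() {
    server_priv=$1; client_pub=$2; client_ip=$3
    valid_key "$server_priv" || return 1
    valid_key "$client_pub" || return 1
    cat <<EOF
[Interface]
Address = ${WG_SERVER_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = ${server_priv}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -s ${WG_NET} -o ${WAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -s ${WG_NET} -o ${WAN_IF} -j MASQUERADE

[Peer]
PublicKey = ${client_pub}
AllowedIPs = ${client_ip}/32
EOF
}

# Client side. 0.0.0.0/0 routes all traffic through the tunnel (full tunnel);
# to reach only the home network, list the home LAN and the tunnel subnet instead.
render_client_conf() {
    client_priv=$1; server_pub=$2; client_ip=$3; endpoint=$4
    valid_key "$client_priv" || return 1
    valid_key "$server_pub" || return 1
    cat <<EOF
[Interface]
Address = ${client_ip}/32
PrivateKey = ${client_priv}

[Peer]
PublicKey = ${server_pub}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ${endpoint}
PersistentKeepalive = 25
EOF
}

# Generate both key pairs with wg(8) and write the files readable by root only.
# Usage: write_configs /etc/wireguard 10.12.6.8 118.12.3.25
# Then: wg-quick up wg0 && systemctl enable wg-quick@wg0, and move wg92.conf
# to the client over a secure channel (it contains the client's private key).
write_configs() {
    outdir=$1; client_ip=$2; public_ip=$3
    umask 077
    server_priv=$(wg genkey); server_pub=$(printf '%s' "$server_priv" | wg pubkey)
    client_priv=$(wg genkey); client_pub=$(printf '%s' "$client_priv" | wg pubkey)
    render_server_conf "$server_priv" "$client_pub" "$client_ip" > "$outdir/wg0.conf"
    render_client_conf "$client_priv" "$server_pub" "$client_ip" "$public_ip:$WG_PORT" > "$outdir/wg92.conf"
    echo "wrote $outdir/wg0.conf and $outdir/wg92.conf"
}
```

The key format check rejects a pasted key that was truncated or had whitespace appended, which otherwise only surfaces as a parse error from wg-quick at boot. Because write_configs sets umask 077 before creating the files, both configurations are 0600 from the moment they exist rather than being tightened afterwards.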
Note: a common error when installing WireGuard, and how to fix it
Symptom: bringing up WireGuard fails with "Operation not supported".
In my case the cause was a mismatch between the installed kernel headers and the running kernel:
installed linux-headers: linux-headers-4.19.0-16-amd64
installed linux-image: linux-image-4.19.0-9-amd64
wireguard-dkms builds the module against the headers that are installed (4.19.0-16), so no module exists for the kernel actually running (4.19.0-9), and ip link add fails.
The fix is to install a matching linux-image and linux-headers pair.
What the failure looks like:
root@ServerX:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
root@ServerX:~# modprobe wireguard
modprobe: FATAL: Module wireguard not found in directory /lib/modules/...
root@ServerX:~#
The steps I used to fix it:
root@ServerX:~# dpkg --get-selections | grep linux
binutils-x86-64-linux-gnu        install
console-setup-linux              install
firmware-linux-free              install
libselinux1:amd64                install
linux-base                       install
linux-compiler-gcc-8-x86         install
linux-headers-4.19.0-16-amd64    install
linux-headers-4.19.0-16-common   install
linux-headers-amd64              install
linux-image-4.19.0-9-amd64       install
linux-image-amd64                install
linux-kbuild-4.19                install
linux-libc-dev:amd64             install
util-linux                       install
root@ServerX:~# apt-cache search linux-image-4.19.0-16-amd64
linux-headers-4.19.0-16-amd64 - Header files for Linux 4.19.0-16-amd64
linux-image-4.19.0-16-amd64-dbg - Debug symbols for linux-image-4.19.0-16-amd64
linux-image-4.19.0-16-amd64-unsigned - Linux 4.19 for 64-bit PCs
linux-image-4.19.0-16-amd64 - Linux 4.19 for 64-bit PCs (signed)
root@ServerX:~# apt-get install linux-image-4.19.0-16-amd64
root@ServerX:~# update-grub
root@ServerX:~# reboot
root@ServerX:~# dpkg -l | grep linux-image
root@ServerX:~# apt-get -y remove linux-image-4.19.0-9-amd64
root@ServerX:~# update-grub
After the reboot, confirm with uname -r that 4.19.0-16-amd64 is actually running before removing the old image. DKMS builds the module for the new kernel when the image package is installed, so wg-quick up wg0 should then succeed.
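The comparison the notes above make by eye, as an added check of my own (not from the post): given the running kernel release and the list of installed packages, it reports whether the headers for exactly that release are present, which is what the DKMS build of the wireguard module needs, and otherwise lists the header releases that are installed. The function names are invented, and the package list used in the check is constructed from the dpkg output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: detect the kernel/headers
# mismatch behind "RTNETLINK answers: Operation not supported".
# Function names are invented for this example.
set -eu

# Print the release strings of installed versioned header packages, e.g.
# "4.19.0-16-amd64", skipping the -common and linux-headers-amd64 entries.
# Argument: installed package names, one per line.
installed_header_releases() {
    printf '%s\n' "$1" \
        | grep -E '^linux-headers-[0-9]' \
        | grep -v -- '-common$' \
        | sed 's/^linux-headers-//'
}

# Arguments: running kernel release (uname -r) and the installed package list.
# Returns 0 when linux-headers-<running release> is installed, 1 otherwise.
diagnose_headers() {
    running=$1
    pkgs=$2
    if printf '%s\n' "$pkgs" | grep -qxF "linux-headers-$running"; then
        echo "ok: linux-headers-$running matches the running kernel"
        return 0
    fi
    headers=$(installed_header_releases "$pkgs" | tr '\n' ' ')
    echo "mismatch: running kernel $running, installed headers: ${headers:-none}"
    echo "wireguard-dkms has built the module for the header release(s), not for $running"
    echo "fix: install linux-image for one of the header releases, update-grub, reboot"
    echo "  or: apt-get install linux-headers-$running if that release is still in the archive"
    return 1
}

# Live check on the host (dkms status also shows which kernels the module was built for):
#   diagnose_headers "$(uname -r)" "$(dpkg --get-selections | awk '$2=="install"{print $1}')"
```

Debian keeps only the current ABI's headers in the archive, which is why the post upgraded the image to 4.19.0-16 rather than installing headers for 4.19.0-9; the second suggested fix only applies while the older headers are still available.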
Appendix 1: if the system is Debian 9 (stretch), the packages have to come from unstable instead. Add the following:
apt update
apt upgrade
apt install linux-headers-$(uname -r)
echo "deb http://deb.debian.org/debian/ unstable main" | tee /etc/apt/sources.list.d/unstable-wireguard.list
echo -e "Package: *\nPin: release a=unstable\nPin-Priority: 150\n" | tee /etc/apt/preferences.d/limit-unstable
apt update
apt upgrade
apt install wireguard-dkms wireguard-tools
The pin priority of 150 keeps unstable from replacing packages that stretch already provides; only packages that do not exist in stretch, such as wireguard-dkms and wireguard-tools, are taken from it. Installing linux-headers-$(uname -r) first gives DKMS the headers for the running kernel, which avoids the mismatch described above.
Appendix 2: IPv6 can be added to the tunnel, and the iptables rules that forward and NAT the traffic can be written into the configuration file.
Server-side reference:
[Interface]
PrivateKey = your server_private.key here
Address = 10.10.0.1/24
Address = fd86:ea04:1111::1/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
SaveConfig = true
Here ens3 is the server's internet-facing interface. The fd86:ea04:1111::/64 addresses are unique local addresses, so the ip6tables MASQUERADE rule is what lets clients reach the IPv6 internet, and net.ipv6.conf.all.forwarding = 1 must be set alongside net.ipv4.ip_forward. SaveConfig = true makes wg-quick rewrite this file from the running state on wg-quick down, which is convenient for peers added with wg set but discards any comments in the file.
Appendix 3: a DNS server can be specified in the client configuration.
Reference configuration:
[Interface]
Address = 10.10.0.2/32
Address = fd86:ea04:1111::2/128
SaveConfig = true
PrivateKey = your client_private.key here
DNS = 1.1.1.1
[Peer]
PublicKey = your server_public.key here
Endpoint = your server public ip:51820
AllowedIPs = 0.0.0.0/0, ::/0
With AllowedIPs = 0.0.0.0/0, ::/0 all traffic goes through the tunnel, but name resolution would still use whatever resolver the client had before. DNS = 1.1.1.1 makes wg-quick set that resolver for the lifetime of the tunnel (on Linux this needs resolvconf or openresolv installed), so DNS queries are not sent outside the tunnel. Note that with SaveConfig = true on the client, a hostname given in Endpoint is written back as the resolved IP address.