WireGuard Instructions¶
https://www.wireguard.com/
https://dev.to/tangramvision/what-they-don-t-tell-you-about-setting-up-a-wireguard-vpn-1h2g
Install¶
https://www.wireguard.com/install/
- Ubuntu/Debian
sudo apt install wireguard
- Alpine
apk add -U wireguard-tools
- Mac
brew install wireguard-tools
Config¶
Raw Steps¶
- peerA:
# step 1: generate peerA's key pair (set umask first so the private key is not world-readable)
$ umask 077
$ wg genkey > private
$ wg pubkey < private
# step 3: create the interface, load the private key and fix the listen port (peerB's endpoint points at 51820)
$ ip link add wg0 type wireguard
$ ip addr add 10.0.0.1/24 dev wg0
$ wg set wg0 private-key ./private listen-port 51820
$ ip link set wg0 up
# step 5: verify, then add peerB (the public key printed in step 2) with its tunnel address and endpoint
$ ip addr
$ wg
$ wg set wg0 peer [peerB public key] allowed-ips 10.0.0.2/32 endpoint 192.168.1.2:51820
- peerB:
# step 2: generate peerB's key pair and print the public key for peerA
$ umask 077
$ wg genkey > private
$ cat private
$ wg pubkey < private
# step 4: create the interface, load the private key and fix the listen port (peerA's endpoint points at 51820)
$ ip link add wg0 type wireguard
$ ip addr add 10.0.0.2/24 dev wg0
$ wg set wg0 private-key ./private listen-port 51820
$ ip link set wg0 up
# step 6: verify, then add peerA (the public key printed in step 1) with its tunnel address and endpoint
$ ip addr
$ wg
$ wg set wg0 peer [peerA public key] allowed-ips 10.0.0.1/32 endpoint 192.168.1.1:51820
Quick Steps (wg-quick)¶
# Change to the root user
sudo -s
# Make sure files created after this point are accessible only to the root user
umask 077
# Generate keys in /etc/wireguard
cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
- edit the config
vim /etc/wireguard/wg0.conf
# /etc/wireguard/wg0.conf on the server
[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = [private key]
[Peer]
PublicKey = [public key]
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
# /etc/wireguard/wg0.conf on the peer (client)
[Interface]
Address = 10.0.0.2/24
ListenPort = 33664
PrivateKey = [private key]
[Peer]
PublicKey = [public key]
AllowedIPs = 10.0.0.1/32
Endpoint = 121.89.226.106:51820
- start
# This will run a few commands with "ip" and "wg" to
# create the interface and configure it
wg-quick up wg0
# To see the WireGuard-specific details of the interface
wg
# To start the VPN on boot
systemctl enable wg-quick@wg0
- restart
wg-quick down wg0 && wg-quick up wg0
# or reload the config without tearing down the interface (existing sessions are kept)
wg syncconf wg0 <(wg-quick strip wg0)
Problems¶
- IP forwarding (required on any host that forwards between peers, i.e. the server)
$ vim /etc/sysctl.conf
# add
net.ipv4.ip_forward=1
$ sysctl -p
- tcpdump
# decrypted traffic inside the tunnel
sudo tcpdump -nn -i wg0
# encrypted WireGuard UDP on the outer interface
sudo tcpdump -nn -i eth0 udp and port 51820
VPN-Proxy¶
local server -> Server A -> Server B
- Server A
# Server A: 10.0.0.1
# /etc/wireguard/wg0.conf on the server
[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = 2FyX+OfwWBGaAX3lgfYf***********
# wenbin (local server, 10.0.0.11)
[Peer]
PublicKey = YvgdU4YY7NY2ZUFtx***************
AllowedIPs = 10.0.0.11/32
PersistentKeepalive = 25
[Peer]
PublicKey = EMk/hsoDfFypgAoger****************
AllowedIPs = 10.0.0.100/32
PersistentKeepalive = 25
- Server B: its only peer is Server A, which gives A and B connectivity; it also has to accept packets that A forwards from the other tunnel IPs, so those addresses (10.0.0.11, 10.0.0.13) are listed in AllowedIPs for peer A as well. Without them WireGuard drops the forwarded packets silently.
# Server B: 10.0.0.100
[Interface]
Address = 10.0.0.100/24
PrivateKey = OB4upHrKSUclIgDN6**************
# ServerA
[Peer]
PublicKey = YBz65SbkU6lc2FUT+**********
AllowedIPs = 10.0.0.1/32, 10.0.0.11/32, 10.0.0.13/32
Endpoint = 39.106.151.111:51820
PersistentKeepalive = 25
- local server: give it the tunnel IPs it must reach. AllowedIPs has to list both Server A's and Server B's addresses, because traffic for Server B is sent to peer Server A, which forwards it.
[Interface]
PrivateKey = +Idtq2SGv0z5Vfh20F************
Address = 10.0.0.11/24
[Peer]
PublicKey = YBz65SbkU6lc2FUT**********
AllowedIPs = 10.0.0.1/32, 10.0.0.100/32
# Server A's public endpoint; this must be the same host that Server B peers with above
Endpoint = 39.106.151.218:51820
- warning: after editing the config, reload it without dropping existing sessions
wg syncconf wg0 <(wg-quick strip wg0)
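The configs above only work because of WireGuard's cryptokey routing: a peer's AllowedIPs decides both which peer a destination is sent to and which inner source addresses that peer is allowed to deliver. The following is an added example (not from these notes and not WireGuard code) that simulates exactly that rule for the local -> Server A -> Server B chain and for the AllowedIPs in the wg-quick configs earlier on the page. The configs, host names and the placeholder keys `LOCAL_KEY`, `A_KEY`, `B_KEY` are constructed for the example; no crypto or kernel state is modelled.

```python
"""Cryptokey-routing walk-through for local -> Server A -> Server B.

Added example, not from the original notes or from WireGuard. Models only each
host's AllowedIPs table: outbound, the longest AllowedIPs prefix covering the
destination picks the peer; inbound, the inner source must lie inside the
sending peer's AllowedIPs or the packet is silently dropped. Keys are placeholders.
"""
import ipaddress
from typing import Dict, List, Optional

LOCAL_KEY, A_KEY, B_KEY = "local-pubkey", "serverA-pubkey", "serverB-pubkey"

# Constructed configs mirroring the notes; Endpoint and PrivateKey are left out
# because they play no part in cryptokey routing.
A_CONF = f"""[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = {LOCAL_KEY}
AllowedIPs = 10.0.0.11/32
[Peer]
PublicKey = {B_KEY}
AllowedIPs = 10.0.0.100/32
"""
LOCAL_CONF = f"""[Interface]
Address = 10.0.0.11/24
[Peer]
PublicKey = {A_KEY}
AllowedIPs = 10.0.0.1/32, 10.0.0.100/32
"""
# Server B as in the notes: peer A may deliver packets sourced from 10.0.0.11.
B_CONF = f"""[Interface]
Address = 10.0.0.100/24
[Peer]
PublicKey = {A_KEY}
AllowedIPs = 10.0.0.1/32, 10.0.0.11/32
"""
# The common mistake: only A's own address listed, so forwarded packets die at B.
B_CONF_NARROW = B_CONF.replace("10.0.0.1/32, 10.0.0.11/32", "10.0.0.1/32")


def parse_wg_conf(text: str):
    """Minimal parser for the wg-quick format: one [Interface], repeated [Peer]."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers


class Host:
    def __init__(self, name: str, key: str, conf: str):
        self.name, self.key = name, key
        interface, peers = parse_wg_conf(conf)
        self.address = ipaddress.ip_interface(interface["Address"]).ip
        self.allowed: Dict[str, List[ipaddress.IPv4Network]] = {
            p["PublicKey"]: [ipaddress.ip_network(n.strip()) for n in p["AllowedIPs"].split(",")]
            for p in peers}

    def select_peer(self, dst: ipaddress.IPv4Address) -> Optional[str]:
        """Outbound: peer whose AllowedIPs contain dst with the longest prefix."""
        best = None
        for peer, nets in self.allowed.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (peer, net.prefixlen)
        return best[0] if best else None

    def accepts(self, from_peer: str, src: ipaddress.IPv4Address) -> bool:
        """Inbound: the inner source must lie inside the sending peer's AllowedIPs."""
        return any(src in net for net in self.allowed.get(from_peer, []))


def build_hosts(b_conf: str = B_CONF) -> Dict[str, Host]:
    hosts = [Host("local", LOCAL_KEY, LOCAL_CONF), Host("ServerA", A_KEY, A_CONF),
             Host("ServerB", B_KEY, b_conf)]
    return {h.key: h for h in hosts}


def trace(hosts: Dict[str, Host], src_key: str, dst_ip: str) -> List[str]:
    """Hop-by-hop path; a final parenthesised entry explains a drop (middle hops
    forward, which on a real host also needs net.ipv4.ip_forward=1)."""
    here, dst = hosts[src_key], ipaddress.ip_address(dst_ip)
    src, path = here.address, [here.name]
    while here.address != dst:
        nxt_key = here.select_peer(dst)
        if nxt_key is None:
            return path + ["(no peer has an AllowedIPs entry covering %s)" % dst]
        nxt = hosts[nxt_key]
        if not nxt.accepts(here.key, src):
            return path + ["(dropped by %s: src %s not in AllowedIPs of peer %s)"
                           % (nxt.name, src, here.name)]
        path.append(nxt.name)
        here = nxt
    return path
```

`trace(build_hosts(), LOCAL_KEY, "10.0.0.100")` walks local -> ServerA -> ServerB, and the reverse trace from `B_KEY` to 10.0.0.11 comes back the same way. With `B_CONF_NARROW` the packet is accepted by Server A but dropped at Server B, because its inner source 10.0.0.11 is not inside what peer A is allowed to deliver; that is the silent failure the extra `10.0.0.11/32` entry on Server B prevents, and tcpdump on wg0 is the quickest way to spot it on a real host.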