{"id":191,"date":"2023-03-28T15:29:35","date_gmt":"2023-03-28T07:29:35","guid":{"rendered":"http:\/\/idc.birk.cn\/?p=191"},"modified":"2023-03-29T14:47:27","modified_gmt":"2023-03-29T06:47:27","slug":"wireguard-vpn%e6%90%ad%e5%bb%ba%e6%96%b9%e6%b3%95%e4%b8%8e%e4%bd%bf%e7%94%a8%e6%95%99%e7%a8%8b","status":"publish","type":"post","link":"https:\/\/idc.birk.cn\/?p=191","title":{"rendered":"WireGuard vpn\u642d\u5efa\u65b9\u6cd5\u4e0e\u4f7f\u7528\u6559\u7a0b"},"content":{"rendered":"

wireguard\u662f\u4e00\u6b3elinus\u90fd\u63a8\u8350\u7684vpn\u5de5\u5177\uff0c\u5efa\u8bae\u4f7f\u7528<\/p>\n

<\/a>1 \u3001 WireGuard \u7b80\u4ecb<\/h2>\n

WireGuard \u662f\u4e00\u4e2a\u5229\u7528\u73b0\u6709\u793e\u4f1a\u6700\u5148\u8fdb\u7684\u52a0\u5bc6\u6280\u672f\u800c\u4ea7\u751f\u7684\u975e\u5e38\u7b80\u5355\u548c\u5feb\u6377\u7684 VPN \u5de5\u5177\u3002\u5b83\u7684\u76ee\u6807\u662f\u6bd4 IPsec \u66f4\u5feb\uff0c\u66f4\u7b80\u5355\uff0c\u66f4\u7cbe\u7b80\uff0c\u66f4\u6613\u7528\uff0c\u540c\u65f6\u907f\u514d\u5927\u89c4\u6a21\u914d\u7f6e IPsec \u7684\u9ebb\u70e6\u4e8b\u3002\u540c\u65f6 WireGuard \u4e5f\u6253\u7b97\u6bd4 OpenVPN \u66f4\u9ad8\u6548\u3002 WireGuard \u8bbe\u8ba1\u4e3a\u901a\u7528 VPN\uff0c\u53ef\u5728\u5d4c\u5165\u5f0f\u8bbe\u5907\u548c\u5e38\u89c1\u8ba1\u7b97\u673a\u4e0a\u8fd0\u884c\uff0c\u9002\u7528\u4e8e\u591a\u79cd\u4e0d\u540c\u60c5\u51b5\u3002 WireGuard \u6700\u521d\u662f\u4e3a Linux \u5185\u6838\u53d1\u5e03\u7684\uff0c\u800c\u73b0\u5728 WireGuard \u5df2\u7ecf\u53ef\u5e7f\u6cdb\u90e8\u7f72\u5e76\u4e14\u8de8\u5e73\u53f0\u652f\u6301\u3002 WireGuard \u76ee\u524d\u6b63\u5728\u5927\u529b\u53d1\u5c55\uff0c\u4f46 WireGuard \u5df2\u7ecf\u88ab\u8ba4\u4e3a\u662f\u4e1a\u5185\u6700\u5b89\u5168\uff0c\u6700\u6613\u7528\u548c\u6700\u7b80\u5355\u7684 VPN \u89e3\u51b3\u65b9\u6848\u3002<\/p>\n

 <\/p>\n

<\/a>2 \u3001 WireGuard \u57fa\u672c\u6982\u5ff5<\/h2>\n

\u9996\u5148\u4f7f\u7528 WireGuard \u4f60\u9700\u8981\u5728\u7cfb\u7edf\u4e2d\u521b\u5efa\u4e00\u5757\u865a\u62df\u7f51\u5361\uff0c\u5e76\u914d\u7f6e\u597d\u8fd9\u4e2a\u865a\u62df\u7f51\u5361\u7684 IP \u5730\u5740\uff0c\u63a9\u7801\uff0c\u7f51\u5173\u4e0d\u9700\u8981\u914d\u7f6e\uff08\u53ef\u4ee5\u4f7f\u7528\u00a0wg-quick@\u00a0\u81ea\u52a8\u5316\uff09<\/p>\n

\u7136\u540e\u4f60\u4f7f\u7528 WireGuard \u8fde\u63a5\u53e6\u4e00\u53f0\u8bbe\u5907\uff0c\u4e24\u53f0\u4e92\u76f8 peer \u5bf9\u65b9\u5e76\u9a8c\u8bc1\u5404\u81ea\u7684\u516c\u94a5\u79c1\u94a5\u662f\u5426\u6b63\u786e\uff0c\u5168\u90e8\u6b63\u786e\u540e\u6210\u529f\u5efa\u7acb peer\uff08\u53ef\u4ee5\u4f7f\u7528\u00a0wg-quick@\u00a0\u81ea\u52a8\u5316\uff09<\/p>\n

\u5efa\u7acb\u6210\u529f\u540e\uff0c\u6240\u6709\u524d\u5f80\u865a\u62df\u7f51\u5361\u7684\u6d41\u91cf\u90fd\u5c06\u88ab\u91cd\u65b0\u5c01\u88c5\u540e\u53d1\u5f80\u53e6\u4e00\u53f0\u8bbe\u5907\uff0c\u7531\u53e6\u4e00\u53f0\u8bbe\u5907\u89e3\u5c01\u88c5\u7136\u540e\u5f97\u5230\u6570\u636e\u62a5\u6587\u5e76\u5728\u5185\u90e8\u67e5\u627e\u8def\u7531\u5e76\u5339\u914d\u62a5\u6587\u76ee\u7684\u5730\u3002\uff08\u53ef\u4ee5\u4f7f\u7528\u00a0wg-quick@\u00a0\u81ea\u52a8\u5316\uff09<\/p>\n

\u4ee5\u4e0a\u4e3a\u5efa\u7acb\u4e00\u4e2a WireGuard VPN \u94fe\u63a5\u7684\u8fc7\u7a0b\uff0c\u5efa\u7acb\u597d\u540e\uff0cA \u8bbe\u5907\u4e0e B \u8bbe\u5907\u4e92\u76f8\u9700\u8981\u4fdd\u8bc1\u865a\u62df\u7f51\u5361\u7684 IP \u5728\u76f8\u540c\u7f51\u7edc\u4f4d\u7684\u5730\u5740\u6bb5\u4e2d\uff0c\u5e76\u4e14\u8fd9\u4e2a\u5730\u5740\u6bb5\u88ab WireGuard \u7684\u914d\u7f6e\u6587\u4ef6 AllowedIPs \u6240\u5141\u8bb8\u901a\u8fc7<\/strong><\/p>\n

\u5982\u679c\u4f60\u8bd5\u56fe\u4ece A \u8bbe\u5907\u4e0b\u5c5e\u5b50\u7f51\u8bbf\u95ee B \u8bbe\u5907\u7684\u5bf9\u7aef\u5b50\u7f51\uff0c\u4f60\u9700\u8981\u5728 A \u8bbe\u5907\u4e0a\u914d\u7f6e\u7cfb\u7edf\u8def\u7531\uff0c\u5c06\u7cfb\u7edf\u4e09\u5c42\u7f51\u7edc\u7684\u8def\u7531\u76ee\u7684\u5730\u6307\u5411\u5bf9\u7aef\u865a\u62df IP \u5730\u5740\uff0c\u51fa\u63a5\u53e3\u4e3a\u865a\u62df\u7f51\u5361\uff0c\u5e76\u4e14\u8fd9\u4e2a\u5730\u5740\u6bb5\u5fc5\u987b\u88ab\u5bf9\u65b9 WireGuard \u7684\u914d\u7f6e\u6587\u4ef6 AllowedIPs \u6240\u5141\u8bb8\u901a\u8fc7
\n\uff08\u5f53\u7136\u4f60\u4e5f\u53ef\u4ee5\u4f7f\u7528 SNAT \u8fdb\u884c\u5730\u5740\u4f2a\u88c5\uff0c\u901a\u5e38\u6765\u8bf4\u9632\u706b\u5899\u914d\u7f6e masquerade \u5373\u53ef\uff0c\u8fd8\u9700\u8981 ip_forward\uff09<\/p>\n

\u6700\u540e\uff0c\u5728 WireGuard \u4e2d\u7684\u6240\u6709\u6570\u636e\u62a5\u6587\uff0c\u90fd\u91c7\u7528\u00a0UDP<\/span><\/strong>\u00a0\u7684\u65b9\u5f0f\u53d1\u9001\u3002<\/p>\n

\uff08\u4e2a\u4eba\u89c2\u611f\uff1aOSPF Area = WG Config | OSPF Peer = WG Peer | OSPF route = WG AllowedIPs\uff09<\/p>\n

\n

<\/a>3 \u3001 WireGuard \u5b89\u88c5<\/h2>\n

\u5b98\u65b9\u7684\u5b89\u88c5\u6559\u7a0b\u4e3a [\u00a0\u94fe\u63a5<\/a>\u00a0]<\/p>\n

\u6ce8\u610f windows \u6ca1\u6709\u5b98\u65b9\u7a0b\u5e8f<\/s>\u00a0\u5b98\u65b9\u5de5\u5177 Windows \u7248\u672c\u5efa\u8bae\u4e0b\u8f7d MSI\uff0c\u672c\u4f8b\u4f7f\u7528\u7b2c\u4e09\u65b9\u5236\u4f5c\u7684 TunSafe \u7a0b\u5e8f [\u00a0\u94fe\u63a5<\/a>\u00a0]<\/p>\n

TunSafe \u5728 Windows \u73af\u5883\u4e2d\u5b89\u88c5\u65f6\uff0c\u9700\u8981\u5b89\u88c5 TunSafe Client \u4e0e TunSafe-TAP Ethernet Adapter (GPL) \u4e24\u4e2a\u7a0b\u5e8f
\n\u524d\u8005\u662f GUI \u754c\u9762\uff0c\u540e\u8005\u662f\u7a0b\u5e8f\u6240\u5fc5\u9700\u7684 TAP \u7f51\u5361\uff08\u5e76\u4e14\u9700\u8981\u7ffb\u5899\u4e0b\u8f7d\u5b89\u88c5\u5305\uff09<\/p>\n

\n
\"WireGuard<\/figure>\n<\/div>\n

\u5b89\u88c5\u597d\u540e\u53ef\u4ee5\u8bbe\u7f6e\u6210\u81ea\u52a8\u5f00\u542f\uff0c\u5e76\u914d\u7f6e\u4e3a\u7cfb\u7edf\u670d\u52a1<\/p>\n

\n
\"WireGuard<\/figure>\n<\/div>\n

\u5982\u679c\u662f IOS \/ Android \u7cfb\u7edf\uff0c\u53ef\u4ee5\u4f7f\u7528\u5e94\u7528\u5546\u5e97\u4e3b\u52a8\u83b7\u53d6\uff08\u5df2\u88ab\u5899\uff0c\u65e0\u6cd5\u641c\u7d22\uff09\uff0c\u5e94\u7528 WireGuard \u7684\u56fe\u6807\u4e3a\u5b98\u7f51\u56fe\u6807\uff0c\u4e5f\u53ef\u4ee5\u4f7f\u7528 TunSafe \u5ba2\u6237\u7aef\u3002<\/p>\n

\u800c Linux \u90e8\u5206\uff0c\u5b98\u65b9\u6709\u660e\u786e\u7684\u5b89\u88c5\u8bf4\u660e\u3002\u552f\u4e00\u6ce8\u610f CentOS 7 \u548c Ubuntu 14 \u7b49\u7248\u672c\u7684\u9ed8\u8ba4\u5185\u6838\u7248\u672c\u4e0d\u652f\u6301\u81ea\u5b9a\u4e49\u7f51\u5361 type \u6240\u4ee5\u5fc5\u987b\u5347\u7ea7\u5185\u6838\u5230 4.18 \u53ca\u66f4\u9ad8\u7248\u672c\u3002<\/p>\n

Ubuntu 20 \u7684\u5b89\u88c5\u5f88\u7b80\u5355<\/p>\n

sudo apt install -y wireguard<\/pre>\n
\n
<\/a>4 \u3001 WireGuard \u4e3b\u7aef\u914d\u7f6e<\/h2>\n
\u5173\u4e8e\u5982\u4f55\u914d\u7f6e\uff0c\u5b98\u65b9\u5176\u5b9e\u6709\u5feb\u901f\u5b89\u88c5\u8bf4\u660e [\u00a0\u94fe\u63a5<\/a>\u00a0]
\n\u4f46\u7531\u4e8e\u5b98\u65b9\u8bf4\u660e\u5b9e\u5728\u662f\u5f88\u6a21\u7cca\uff0c\u6240\u4ee5\u6211\u8fd8\u662f\u91cd\u65b0\u5f3a\u8c03\u4e00\u4e9b\u5173\u952e\u70b9<\/p>\n
\u9996\u5148\u4f60\u9700\u8981\u4e00\u4e2a\u6587\u4ef6\u5939\u5b58\u653e WireGuard \u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u672c\u6587\u8def\u5f84\u4e3a \/etc\/wireguard\/ \u8fd9\u4e2a\u6587\u4ef6\u5939\uff08\u9ed8\u8ba4\u5b89\u88c5\u5c31\u751f\u6210\uff09<\/p>\n
\u7136\u540e\u4f60\u9700\u8981\u77e5\u9053\u5982\u4f55\u751f\u6210\u4e00\u5bf9\u516c\u94a5\u4e0e\u79c1\u94a5\uff0c\u547d\u4ee4\u53ef\u4ee5\u4f7f\u7528\u4e0b\u9762\u8fd9\u4e2a
\n\uff08\u79c1\u94a5\u4e3a privatekey \u516c\u94a5\u4e3a publickey\uff09<\/p>\n
wg genkey | tee privatekey | wg pubkey > publickey && cat privatekey && cat publickey<\/pre>\n
\u4ee5\u53ca\u672c\u6587\u7684\u914d\u7f6e\u73af\u5883\u5982\u4e0b\uff0c\u62ec\u53f7\u4e2d\u643a\u5e26\u7684\u662f\u5bf9\u5e94\u4e3b\u673a\u62e5\u6709\u7684\u5176\u4ed6\u7f51\u6bb5<\/p>\n
\u4e3b\u673a 192.168.0.100 <---> 192.168.0.200<\/p>\n
\u865a\u62df 172.16.1.11:8001 ( 172.16.11.0\/24 ) <---> 172.16.1.12:8002 ( 172.16.12.0\/24 )<\/p>\n
\u5efa\u8bae\u7ec3\u4e60\u624b\u52a8\u6b65\u9aa4\u6765\u7406\u89e3 Wireguard \u5982\u4f55\u5de5\u4f5c\uff0c\u5982\u679c\u61d2\u4eba\u60f3\u76f4\u63a5\u4f7f\u7528\u81ea\u52a8\u65b9\u6848\uff0c\u8df3\u8fc7\u672c\u7ae0\u8282\u4e0b\u62c9\u4ece 6 \u5f00\u59cb<\/p>\n
\n
4.1 \u3001 WireGuard \u7684\u4e3b\u7aef\u914d\u7f6e<\/h4>\n
\u5f00\u59cb\u524d\uff0c\u4e3a\u4e86\u65b9\u4fbf\uff0c\u6211\u4eec\u521b\u5efa\u4e00\u4e2a WireGuard \u914d\u7f6e\u6587\u4ef6\uff08\u7b49\u4ef7\u53c2\u8003\uff0c\u53ef\u4ee5\u7eaf\u624b\u52a8\u547d\u4ee4\u542f\u52a8\u540c\u7b49\u914d\u7f6e\u670d\u52a1\uff09<\/p>\n
vim \/etc\/wireguard\/wg0.conf<\/pre>\n
[Interface]\r\nAddress = 172.16.1.11\/24\r\nListenPort = 8001\r\nPrivateKey = eDAKXVHliMhTsbAeodifK8insJNM633MwMyYWl8FHFw=\r\n\r\n[Peer]\r\nPublicKey = YJsN6XOCY+9nTFXuTjtKHnh\/Xxq6bLEtH8iI9s3TEzI=    #\u5bf9\u7aef Publickey\r\nAllowedIPs = 172.16.1.12\/32,172.16.12.0\/24\r\nEndpoint = 192.168.0.200:8002\r\nPersistentKeepalive = 25<\/pre>\n
\u9996\u5148\u6211\u4eec\u9700\u8981\u521b\u5efa\u4e00\u4e2a\u7f51\u5361\u914d\u7f6e\u6587\u4ef6\uff08\u6b64\u914d\u7f6e\u540d wg0\uff0c\u7b49\u4ef7\u53c2\u8003\u4e0a\u65b9 \u6587\u4ef6\u540d\uff09<\/p>\n
ip link add dev wg0 type wireguard<\/pre>\n
\u68c0\u67e5\u6548\u679c\r\nroot@localhost:~# ip link add dev wg0 type wireguard\r\n\r\nroot@localhost:~# ip address\r\n******\r\n3: wg0: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000\r\n    link\/none<\/pre>\n
\u7136\u540e\u6211\u4eec\u9700\u8981\u7ed9\u8fd9\u4e2a\u7f51\u7edc\u63a5\u53e3\u914d\u4e0a IP \u5730\u5740\uff08\u6b64\u914d\u7f6e 172.16.1.11\/24\uff0c\u7b49\u4ef7\u53c2\u8003\u4e0a\u65b9 Address\uff09<\/p>\n
ip address add dev wg0 172.16.1.11\/24<\/pre>\n
\u68c0\u67e5\u6548\u679c\r\nroot@localhost1:~# ip address add dev wg0 172.16.1.11\/24\r\n\r\nroot@localhost1:~# ip address\r\n******\r\n3: wg0: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000\r\n    link\/none\r\n    inet 172.16.1.11\/24 scope global wg0\r\n       valid_lft forever preferred_lft forever<\/pre>\n
\u5176\u6b21\u6211\u4eec\u521b\u5efa\u4e00\u4e2a\u79c1\u94a5\uff0c\u7528\u4e8e Wireguard \u4f7f\u7528\uff0c\u5e76\u914d\u7f6e\u6743\u9650\u7981\u6b62\u4ed6\u4eba\u8bbf\u95ee
\n\uff08\u9ed8\u8ba4 \/etc\/wireguard\/ \u5176\u5b9e\u5c31\u5df2\u7ecf 700 \u6743\u9650\u4e86\uff09<\/p>\n
wg genkey | tee \/tmp\/private-key\r\nchmod 600 \/tmp\/private-key\r\nwg set wg0 private-key \/tmp\/private-key listen-port 8001<\/pre>\n
\u68c0\u67e5\u6548\u679c\r\nroot@localhost1:~# wg genkey | tee \/tmp\/private-key\r\neDAKXVHliMhTsbAeodifK8insJNM633MwMyYWl8FHFw=\r\n\r\nroot@localhost1:~# ll \/tmp\/private-key\r\n-rw------- 1 root root 45 Oct 20 08:00 \/tmp\/private-key\r\n\r\nroot@localhost1:~# wg\r\ninterface: wg0\r\nroot@localhost1:~# wg set wg0 private-key \/tmp\/private-key listen-port 8001\r\nroot@localhost1:~# wg\r\ninterface: wg0\r\n  public key: OPC1\/cVCnvbw3wQg6CPJB5IC0ZZLf+JwRD3V3MqFYFk=\r\n  private key: eDAKXVHliMhTsbAeodifK8insJNM633MwMyYWl8FHFw=\r\n  listening port: 8001<\/pre>\n
\u63a5\u7740\u6211\u4eec\u542f\u52a8\u8be5\u7f51\u7edc\u63a5\u53e3\uff0c\u4f7f\u4e4b\u6b63\u5f0f\u53ef\u7528<\/p>\n
ip link set wg0 up<\/pre>\n
\u68c0\u67e5\u6548\u679c\r\nroot@localhost1:~# ip link set wg0 up\r\n\r\nroot@localhost1:~# ip address\r\n******\r\n2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000\r\n    link\/ether 56:00:03:a5:b1:96 brd ff:ff:ff:ff:ff:ff\r\n    inet 192.168.0.100\/24 brd 192.168.0.255 scope global dynamic enp1s0\r\n       valid_lft 84928sec preferred_lft 84928sec\r\n3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\r\n    link\/none\r\n    inet 172.16.1.11\/24 scope global wg0\r\n       valid_lft forever preferred_lft forever\r\n\r\nroot@localhost1:~# wg\r\ninterface: wg0\r\n  public key: OPC1\/cVCnvbw3wQg6CPJB5IC0ZZLf+JwRD3V3MqFYFk=\r\n  private key: eDAKXVHliMhTsbAeodifK8insJNM633MwMyYWl8FHFw=\r\n  listening port: 8001<\/pre>\n
\u6b64\u65f6\u6211\u4eec\u521b\u5efa\u597d\u4e86\u672c\u5730\u8282\u70b9\uff0c\u8fd8\u9700\u8981\u5ba3\u544a\u54ea\u4e9b\u8282\u70b9\u662f\u6211\u4eec\u7684\u90bb\u5c45\uff0c\u624d\u80fd\u5efa\u7acb\u7f51\u7edc\u8fde\u63a5\u3002<\/p>\n
\u540c\u65f6\u6ce8\u610f\u5728\u67e5\u770b Wireguard \u4fe1\u606f\u65f6\uff0c\u4e3b\u7aef\u7684 Publickey \u4e3a\u00a0OPC1\/cVCnvbw3wQg6CPJB5IC0ZZLf+JwRD3V3MqFYFk=<\/code><\/p>\n
\n
4.2 \u3001 WireGuard \u7684\u5bf9\u7aef\u914d\u7f6e<\/h4>\n
\u5728\u5bf9\u7aef\u8bbe\u5907\u7684\u914d\u7f6e\u548c\u4e3b\u7aef\u4e00\u81f4\uff0c\u6240\u4ee5\u5728\u6b64\u4f9d\u7136\u521b\u5efa\u4e00\u4e2a WireGuard \u914d\u7f6e\u6587\u4ef6\u7528\u4e8e\u53c2\u8003<\/p>\n
vim \/etc\/wireguard\/wg0-peer.conf<\/pre>\n
[Interface]\r\nAddress = 172.16.1.12\/24\r\nListenPort = 8002\r\nPrivateKey = OO6\/vtQB83h2\/1XcwfZ0OpPr9ATfWviEqdQyWdtjE0c=\r\n\r\n[Peer]\r\nPublicKey = OPC1\/cVCnvbw3wQg6CPJB5IC0ZZLf+JwRD3V3MqFYFk=    #\u4e3b\u7aef Publickey\r\nAllowedIPs = 172.16.1.11\/32,172.16.11.0\/24\r\nEndpoint = 192.168.0.100:8001\r\nPersistentKeepalive = 25<\/pre>\n
\u8fd9\u91cc\u76f4\u63a5\u5feb\u901f\u521b\u5efa<\/p>\n
ip link add dev wg0 type wireguard\r\nip address add dev wg0 172.16.1.12\/24\r\nwg genkey | tee \/tmp\/private-key\r\nchmod 600 \/tmp\/private-key\r\nwg set wg0 private-key \/tmp\/private-key listen-port 8002\r\nip link set wg0 up<\/pre>\n
\u73b0\u5728\u6211\u4eec\u521b\u5efa\u597d\u4e86\u5bf9\u7aef\u7684\u914d\u7f6e\uff0c\u68c0\u67e5\u4e00\u4e0b Wireguard \u4fe1\u606f<\/p>\n
root@localhost2:~# wg\r\ninterface: wg0\r\npublic key: YJsN6XOCY+9nTFXuTjtKHnh\/Xxq6bLEtH8iI9s3TEzI=\r\nprivate key: OO6\/vtQB83h2\/1XcwfZ0OpPr9ATfWviEqdQyWdtjE0c=\r\nlistening port: 8002<\/pre>\n
\n
4.3 \u3001\u90bb\u5c45\u5173\u7cfb\u7684\u5efa\u7acb<\/h4>\n
\u6211\u4eec\u73b0\u5728\u6709\u4e86\u4e24\u4e2a Wireguard \u670d\u52a1\uff0c\u5206\u522b\u5728\u4e24\u53f0\u670d\u52a1\u5668\u4e0a<\/p>\n
\u4e3b\u7aef\r\nroot@localhost1:~# ip address\r\n******\r\n2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000\r\n    link\/ether 56:00:03:a5:b1:96 brd ff:ff:ff:ff:ff:ff\r\n    inet 192.168.0.100\/24 brd 192.168.0.255 scope global dynamic enp1s0\r\n       valid_lft 84928sec preferred_lft 84928sec\r\n3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\r\n    link\/none\r\n    inet 172.16.1.11\/24 scope global wg0\r\n       valid_lft forever preferred_lft forever\r\n\r\nroot@localhost1:~# wg\r\ninterface: wg0\r\n  public key: OPC1\/cVCnvbw3wQg6CPJB5IC0ZZLf+JwRD3V3MqFYFk=\r\n  private key: eDAKXVHliMhTsbAeodifK8insJNM633MwMyYWl8FHFw=\r\n  listening port: 8001<\/pre>\n
\u5bf9\u7aef\r\nroot@localhost2:~# ip address\r\n******\r\n2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000\r\n    link\/ether 56:00:03:a5:b1:96 brd ff:ff:ff:ff:ff:ff\r\n    inet 192.168.0.200\/24 brd 192.168.0.255 scope global dynamic enp1s0\r\n       valid_lft 84928sec preferred_lft 84928sec\r\n3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\r\n    link\/none\r\n    inet 172.16.1.12\/24 scope global wg0\r\n       valid_lft forever preferred_lft forever\r\n\r\nroot@localhost2:~# wg\r\ninterface: wg0\r\n  public key: YJsN6XOCY+9nTFXuTjtKHnh\/Xxq6bLEtH8iI9s3TEzI=\r\n  private key: OO6\/vtQB83h2\/1XcwfZ0OpPr9ATfWviEqdQyWdtjE0c=\r\n  listening port: 8002<\/pre>\n
\u5bf9\u4e8e\u4e3b\u7aef\uff0c\u6211\u4eec\u9700\u8981\u586b\u5199 \u5bf9\u7aef Publickey \u8fdb\u884c\u914d\u7f6e\uff0c\u53cd\u4e4b\u5bf9\u7aef\u5219\u4f7f\u7528 \u4e3b\u7aef Publickey \u8fdb\u884c\u914d\u7f6e\u3002<\/p>\n
\u4e3b\u7aef\r\nwg set wg0 peer YJsN6XOCY+9nTFXuTjtKHnh\/Xxq6bLEtH8iI9s3TEzI= allowed-ips 172.16.1.11\/32,172.16.11.0\/24 endpoint 192.168.0.200:8002 persistent-keepalive 25\r\n\r\n\u67e5\u770b\u6548\u679c\r\nroot@localhost1:~# wg\r\ninterface: wg0\r\n  public key: OPC1\/cVCnvbw3wQg6CPJB5IC0ZZLf+JwRD3V3MqFYFk=\r\n  private key: eDAKXVHliMhTsbAeodifK8insJNM633MwMyYWl8FHFw=\r\n  listening port: 8001\r\n\r\npeer: YJsN6XOCY+9nTFXuTjtKHnh\/Xxq6bLEtH8iI9s3TEzI=\r\n  endpoint: 192.168.0.200:8002\r\n  allowed ips: 172.16.1.12\/32, 172.16.12.0\/24\r\n  transfer: 0 B received, 148 B sent\r\n  persistent keepalive: every 25 seconds<\/pre>\n
\u5bf9\u7aef\r\nwg set wg0 peer OPC1\/cVCnvbw3wQg6CPJB5IC0ZZLf+JwRD3V3MqFYFk= allowed-ips 172.16.1.11\/32,172.16.11.0\/24 endpoint 192.168.0.100:8001 persistent-keepalive 25\r\n\r\n\u67e5\u770b\u6548\u679c\r\nroot@localhost2:~# wg\r\ninterface: wg0\r\n  public key: YJsN6XOCY+9nTFXuTjtKHnh\/Xxq6bLEtH8iI9s3TEzI=\r\n  private key: OO6\/vtQB83h2\/1XcwfZ0OpPr9ATfWviEqdQyWdtjE0c=\r\n  listening port: 8002\r\n\r\npeer: OPC1\/cVCnvbw3wQg6CPJB5IC0ZZLf+JwRD3V3MqFYFk=\r\n  endpoint: 192.168.0.100:8001\r\n  allowed ips: 172.16.1.11\/32, 172.16.11.0\/24\r\n  transfer: 0 B received, 148 B sent\r\n  persistent keepalive: every 25 seconds<\/pre>\n
\u4e24\u4fa7\u521b\u5efa\u5b8c\u6bd5\u540e\uff0c\u6211\u4eec\u79bb\u5b9e\u73b0 Wireguard \u7684\u4e92\u8054\u4e92\u901a\u53ea\u5dee\u4e24\u6b65 \u8def\u7531 \u548c \u9632\u706b\u5899<\/p>\n
\u5bf9\u4e24\u4fa7\u7684\u4e3b\u673a\u6dfb\u52a0\u5bf9\u7aef\u8def\u7531\uff0c\u8def\u7531\u4e3a\u4e34\u65f6\u89c4\u5219\uff0c\u91cd\u542f\u6d88\u5931<\/p>\n
\u4e3b\u7aef\r\nip route add 172.16.12.0\/24 dev wg0<\/pre>\n
\u5bf9\u7aef\r\nip route add 172.16.11.0\/24 dev wg0<\/pre>\n
\u5bf9\u4e24\u4fa7\u7684\u76f8\u5173\u7aef\u53e3\u5747\u9700\u8981\u653e\u884c\uff0c\u914d\u7f6e\u5e76\u4fdd\u5b58\u5373\u53ef\u3002<\/p>\n
\u4e3b\u7aef\r\nufw allow 8001\/udp\r\nufw reload\r\n\r\n\u5bf9\u7aef\r\nufw allow 8002\/udp\r\nufw reload<\/pre>\n
\u521b\u5efa\u5b8c\u6bd5\u540e\uff0c\u5982\u679c\u6d89\u53ca\u5230\u672c\u5730\u8def\u7531\u6620\u5c04\u5219\u9700\u8981\u5f00\u542f\u8f6c\u53d1\uff08\u672c\u4f8b\u5b58\u5728 172.16.11.0\/24 \u548c 172,16.12.0\/24\uff09<\/p>\n
sed -i '\/net.ipv4.ip_forward\/d' \/etc\/sysctl.conf\r\necho \"net.ipv4.ip_forward=1\" >> \/etc\/sysctl.conf\r\nsysctl -p\r\nsed -i \"s\/DEFAULT_FORWARD_POLICY=\"DROP\"\/DEFAULT_FORWARD_POLICY=\"ACCEPT\"\/g\" \/etc\/default\/ufw\r\nufw disable\r\nufw enable\r\n#\u989d\u5916\u8bb0\u5f97\u4f60\u8fd8\u9700\u8981\u5c06\u9632\u706b\u5899\u4e24\u4fa7\u7aef\u53e3\u7684\u6d41\u91cf\u653e\u901a\uff0c\u76f8\u5173\u7528\u6237\u7684\u7f51\u5173\u8def\u7531\u4e5f\u9700\u8981\u6253\u901a\r\n#\u5982\u679c\u662f\u5b50\u7f51\u4e0a\u7f51\uff0c\u8fd8\u9700\u8981\u989d\u5916\u914d\u7f6e NAT \u5bf9\u6e90\u5730\u5740\u8fdb\u884c\u4fee\u6539\u3002<\/pre>\n
\u73b0\u5728\u6211\u4eec\u5c31\u7b97\u914d\u7f6e\u5b8c\u6bd5\u4e86\uff0c\u68c0\u67e5\u4e00\u4e0b\u7f51\u7edc\u8fde\u901a\u6027\uff0c\u548c\u670d\u52a1\u72b6\u6001\uff08\u4efb\u610f\u54ea\u7aef\u67e5\u770b\u90fd\u53ef\uff09<\/p>\n
root@localhost1:~# ip address\r\n******\r\n2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000\r\n    link\/ether 56:00:03:a5:b1:96 brd ff:ff:ff:ff:ff:ff\r\n    inet 192.168.0.100\/24 brd 192.168.0.255 scope global dynamic enp1s0\r\n       valid_lft 84928sec preferred_lft 84928sec\r\n3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000\r\n    link\/none\r\n    inet 172.16.1.11\/24 scope global wg0\r\n       valid_lft forever preferred_lft forever\r\n\r\nroot@localhost1:~# wg\r\ninterface: wg0\r\n  public key: OPC1\/cVCnvbw3wQg6CPJB5IC0ZZLf+JwRD3V3MqFYFk=\r\n  private key: eDAKXVHliMhTsbAeodifK8insJNM633MwMyYWl8FHFw=\r\n  listening port: 8001\r\n\r\npeer: YJsN6XOCY+9nTFXuTjtKHnh\/Xxq6bLEtH8iI9s3TEzI=\r\n  endpoint: 192.168.0.200:8002\r\n  allowed ips: 172.16.1.12\/32, 172.16.12.0\/24\r\n  latest handshake: 1 minute, 50 seconds ago\r\n  transfer: 1.23 KiB received, 1.14 KiB sent\r\n  persistent keepalive: every 25 seconds\r\n\r\nroot@localhost1:~# ping 172.16.1.12\r\nPING 172.16.1.12 (172.16.1.12) 56(84) bytes of data.\r\n64 \u6bd4\u7279\uff0c\u6765\u81ea 172.16.1.12: icmp_seq=1 ttl=64 \u65f6\u95f4=5.0 \u6beb\u79d2\r\n^C\r\n--- 172.16.1.12 ping \u7edf\u8ba1 ---\r\n\u5df2\u53d1\u9001 1 \u4e2a\u5305\uff0c \u5df2\u63a5\u6536 1 \u4e2a\u5305, 0% \u5305\u4e22\u5931, \u8017\u65f6 0 \u6beb\u79d2\r\nrtt min\/avg\/max\/mdev = 5.023\/5.023\/5.023\/0.000 ms\r\n\r\nroot@localhost1:~# ping 172.16.12.1\r\nPING 172.16.12.1 (172.16.12.1) 56(84) bytes of data.\r\n64 \u6bd4\u7279\uff0c\u6765\u81ea 172.16.12.1: icmp_seq=1 ttl=64 \u65f6\u95f4=5.0 \u6beb\u79d2\r\n^C\r\n--- 172.16.12.1 ping \u7edf\u8ba1 ---\r\n\u5df2\u53d1\u9001 1 \u4e2a\u5305\uff0c \u5df2\u63a5\u6536 1 \u4e2a\u5305, 0% \u5305\u4e22\u5931, \u8017\u65f6 0 \u6beb\u79d2\r\nrtt min\/avg\/max\/mdev = 5.016\/5.016\/5.016\/0.000 ms\r\n\r\nroot@localhost1:~# route -n\r\n\u5185\u6838 IP \u8def\u7531\u8868\r\n\u76ee\u6807            \u7f51\u5173            \u5b50\u7f51\u63a9\u7801        \u6807\u5fd7  \u8dc3\u70b9   \u5f15\u7528  \u4f7f\u7528 \u63a5\u53e3\r\n0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp1s0\r\n172.16.1.12     0.0.0.0         255.255.255.255 UH    0      0        0 wg1\r\n172.16.12.0     0.0.0.0         255.255.255.0   U     0      0        0 wg1<\/pre>\n
\u4f60\u8fd8\u53ef\u901a\u8fc7 iproute2 \u6765\u63a7\u5236\u4e0d\u540c\u7684\u7cfb\u7edf\u8def\u7531\u8868\uff0c\u67e5\u770b\u65b9\u5f0f\u5982\u4e0b\uff08\u7cfb\u7edf\u9ed8\u8ba4 table 255\uff09<\/p>\n
root@localhost1:~# ip route list table 255\r\n\r\nbroadcast 172.16.1.0 dev wg0 proto kernel scope link src 172.16.1.11\r\nlocal 172.16.1.11 dev wg0 proto kernel scope host src 172.16.1.11\r\nbroadcast 172.16.1.255 dev wg0 proto kernel scope link src 172.16.1.11\r\nbroadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1\r\nlocal 127.0.0.0\/8 dev lo proto kernel scope host src 127.0.0.1\r\nlocal 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1\r\nbroadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1\r\nbroadcast 192.168.0.0 dev enp1s0 proto kernel scope link src 192.168.0.100\r\nlocal 192.168.0.100 dev enp1s0 proto kernel scope host src 192.168.0.100\r\nbroadcast 192.168.0.255 dev enp1s0 proto kernel scope link src 192<\/pre>\n
\u5176\u4ed6\u548c fwmark table \u76f8\u5173\u7684\u5efa\u8bae\u9605\u8bfb [\u00a0\u94fe\u63a5<\/a>\u00a0]
\n\u5176\u4ed6\u548c Ubuntu \u8def\u7531\u8f6c\u53d1 \u76f8\u5173\u7684\u5efa\u8bae\u9605\u8bfb [\u00a0\u94fe\u63a5<\/a>\u00a0]<\/p>\n
\n
4.4 \u3001 CentOS 7 \u7684 Wireguard \u4e3b\u7aef\u7f51\u7edc\u914d\u7f6e<\/h4>\n
\u9898\u5916\u8bdd\uff0cCentOS 7 \u76f8\u5173\u90e8\u5206\u64cd\u4f5c\u53ef\u80fd\u8fd8\u4f1a\u9ebb\u70e6\u4e00\u70b9\uff0c\u5982\u4e0b\u6240\u793a\u3002<\/p>\n
vim \/etc\/sysconfig\/network-scripts\/ifcfg-wg0<\/pre>\n
DEVICE=wg0\r\nTYPE=wireguard\r\nIPADDR=172.16.1.11\r\nNETMASK=255.255.255.0\r\nONBOOT=yes\r\nNAME=wg0\r\nZONE=public<\/pre>\n
\u63a5\u7740\u6211\u4eec\u9700\u8981\u521b\u5efa\u4e00\u4e2a\u7f51\u5361\u8def\u7531\u6587\u4ef6\uff08\u7531\u4e8e\u5bf9\u65b9\u5b58\u5728 172.16.12.0\/24 \u8fd9\u4e2a IP \u5730\u5740\u6bb5\u7684\u524d\u63d0\u4e0b\uff09<\/p>\n
vim \/etc\/sysconfig\/network-scripts\/route-wg0<\/pre>\n
172.16.12.0\/24 via 172.16.1.12 dev wg0<\/pre>\n
\u6700\u540e\u6211\u4eec\u9700\u8981\u5141\u8bb8\u672c\u673a\u7684 NAT \u8f6c\u6362\uff0c\u5e76\u5141\u8bb8\u7cfb\u7edf\u8fdb\u884c IPV4 \u8f6c\u53d1<\/p>\n
firewall-cmd --add-port=8001\/udp --zone=public --permanent\r\nfirewall-cmd --add-masquerade --zone=public --permanent\r\nfirewall-cmd --reload<\/pre>\n
\n
<\/a>5 \u3001 WireGuard \u914d\u7f6e\u8bf4\u660e<\/h2>\n
[Interface]\r\nAddress = 172.16.11.0\/24  #\u672c\u673a\u5730\u5740\u4e0e\u63a9\u7801\u4f4d\u6570 (IPV4)\r\nAddress = fec0:1234::1\/24  #\u672c\u673a\u5730\u5740\u4e0e\u63a9\u7801\u4f4d\u6570 (IPV6)\r\nListenPort = 8002  #\u672c\u673a\u76d1\u542c WireGuard \u7aef\u53e3\r\nPrivateKey = \u586b\u5199\u672c\u673a\u7684 privatekey \u5185\u5bb9  #\u672c\u673a\u52a0\u5bc6\u79c1\u94a5\r\nDNS = 1.1.1.1  #\u5f3a\u5236\u672c\u673a\u4f7f\u7528 DNS \u670d\u52a1\u5668\r\nMTU = 1280  #\u5f3a\u5236\u672c\u673a\u4f7f\u7528\u6307\u5b9a MTU \u503c \r\n#Table = 100 #\u5f3a\u5236\u672c\u673a \u5c06\u8981\u6ce8\u5165\u7cfb\u7edf\u7684 \u8def\u7531\u6761\u76ee \u7684 table \u6307\u5b9a\u4e3a 100 ( \u7cfb\u7edf\u9ed8\u8ba4\u4e3a 255 \u548c 254 )\r\n#PreUp =     #\u542f\u52a8\u524d\u64cd\u4f5c\r\n#PostUp = ip rule add from 10.10.1.0\/24 table 100 ; ip rule add from 10.10.2.0\/24 table 100\r\n#PreDown = ip rule delete from 10.10.1.0\/24 table 100 ; ip rule delete from 10.10.2.0\/24 table 100\r\n#PreDown =    #\u505c\u6b62\u540e\u64cd\u4f5c\r\n\r\n[Peer]\r\nPublicKey = \u586b\u5199\u5bf9\u7aef\u7684 publickey \u5185\u5bb9  #\u672c\u673a\u52a0\u5bc6\u7684\u5bf9\u7aef\u516c\u94a5\uff08\u52a0\u5bc6\u540e\u6570\u636e\u4ec5\u5bf9\u7aef\u53ef\u4ee5\u89e3\u5bc6\uff09\r\nAllowedIPs = 172.16.1.11\/32  #\u672c\u673a\u5141\u8bb8\u7684\u5bf9\u7aef\u8bbe\u5907\u7684 IP \u5730\u5740\u6bb5\uff0c\u5176\u5b9e\u5c31\u662f\u5728\u672c\u673a\u4e2d\u8fd9\u4e2a\u865a\u62df\u7f51\u5361\u63a5\u6536\u5230\u5bf9\u7aef\u53d1\u6765\u7684\u6e90\u5730\u5740\u90fd\u5141\u8bb8\u6709\u54ea\u4e9b\u8bbe\u5907 IP \u5730\u5740\uff08\u591a peer \u4e0d\u53ef\u91cd\u590d\uff09\r\nEndpoint = another.domain.name:8001  #\u5bf9\u7aef WireGuard \u7684\u5916\u90e8 IP\uff08\u53ef\u4ee5\u6709\u4e00\u4fa7\u7684 IP \u5730\u5740\u662f\u865a\u5047\u7684\u516c\u7f51 IP\uff09\r\nPersistentKeepalive = 25   #\u5f53\u4f1a\u8bdd\u5b58\u5728\u4e00\u7aef IP \u5730\u5740\u4e3a NAT \u5730\u5740\u6216\u865a\u5047\u516c\u7f51 IP \u5730\u5740\u65f6\uff0c\u7531\u8be5\u65b9\u9636\u6bb5\u6027\u6bcf 25 \u79d2\u53d1\u9001 keepalive \u62a5\u6587\u4fdd\u6301\u4f1a\u8bdd\u7684\u53ef\u7528\u6027\uff0c\u9632\u6b62\u88ab\u8bbe\u5907\u7ec8\u6b62\u3002<\/pre>\n
\u5728\u4e0a\u65b9\u57fa\u7840\u4e0a\uff0c\u989d\u5916\u8981\u6ce8\u610f\u7684\u662f<\/p>\n
1 \u3001\u5982\u679c\u4f60\u5b58\u5728\u591a\u4e2a [Peer] \uff0c\u5219\u5728\u4e0b\u9762\u76f4\u63a5\u589e\u52a0\u4e00\u4e2a\u65b0\u7684 [Peer] \u680f\u76ee<\/p>\n
2 \u3001\u5982\u679c\u591a\u4e2a Peer \u5b58\u5728\u4e0d\u540c\u7684 IP\uff0c\u8bf7\u4e0d\u8981\u8ba9 AllowedIPs \u5b58\u5728\u91cd\u53e0\u7684 IP \u5730\u5740\u6bb5\uff08\u6bd4\u5982\u914d\u7f6e\u591a\u4e2a\u76f8\u540c\/24 \u53ea\u6709\u4e00\u4e2a\u751f\u6548\uff09<\/p>\n
3 \u3001 Endpoint \u65e2\u652f\u6301\u4ee5\u57df\u540d\u7684\u65b9\u5f0f\u8bbf\u95ee\uff0c\u4e5f\u652f\u6301\u4ee5 IP \u7684\u65b9\u5f0f\u8bbf\u95ee\u3002<\/p>\n
4 \u3001\u4f1a\u8bdd\u94fe\u63a5\u7684\u5efa\u7acb\u53ea\u8981\u4fdd\u8bc1\u4e24\u7aef\u6570\u636e\u5728\u4e00\u53f0\u8bbe\u5907\u4e0a\u6210\u529f\u534f\u5546\uff0c\u5373\u4f7f\u52a8\u6001 IP \u5730\u5740\u53d8\u66f4\u4e5f\u4e0d\u4f1a\u5f71\u54cd VPN \u7684\u7a33\u5b9a\u6027\u3002<\/p>\n
5 \u3001 ListenPort \u4e0d\u6dfb\u52a0\u4f1a\u81ea\u52a8\u751f\u6210\u9ad8\u4f4d\u7aef\u53e3\u7528\u6765 peer\uff0c\u4ee5\u53ca\u4e3b\u4ece\u7ed3\u6784\u4e0b\uff0c\u4ece\u7aef\u4e0d\u586b\u5199 listenport \u3002<\/p>\n
6 \u3001 Table \u53c2\u6570\u53ef\u4ee5\u4f7f\u7528 auto \u548c off\uff0c\u4e24\u8005\u5206\u522b\u5bf9\u5e94 \u81ea\u52a8\u6ce8\u5165\u8def\u7531 \u548c \u7981\u6b62\u6ce8\u5165\u3002\u4e0d\u914d\u7f6e\u91c7\u7528 auto<\/p>\n
7 \u3001\u5982\u679c\u4f60\u662f\u4e3b\u4ece\u7ed3\u6784\uff0c\u9700\u8981\u8ba9 \u4ece\u7aef \u5728\u914d\u7f6e\u4e2d\u5c06 \u4ece\u7aef \u7684 \"AllowedIPs =\" \u8865\u5199\u4e00\u6761\u5185\u5bb9 0.0.0.0\/0,::0 \u4ee5\u5141\u8bb8\u6240\u6709\u6d41\u91cf<\/p>\n
8 \u3001\u524d\u9762\u6807\u6ce8 # \u7684\u4e94\u6761\u5185\u5bb9\uff0c\u5176\u4e2d\u6709\u5185\u5bb9\u7684\u4e09\u6761\u4f5c\u4e3a iproute2 \u72ec\u7acb\u8def\u7531\u8868\u7684\u4f7f\u7528\u65b9\u5f0f\uff0c\u901a\u8fc7\u6307\u5b9a\u8def\u7531\u6761\u76ee\u7684 table \u4e0e ip rule \u8054\u52a8\u63a7\u5236\u7b56\u7565\u6d41\u91cf\u8f6c\u53d1\u3002<\/p>\n
9 \u3001 PreUp\uff0cPostUp\uff0cPreDown\uff0cPostDown \u8fd9\u56db\u4e2a\u547d\u4ee4\u53c2\u6570\uff0c\u662f\u4f5c\u4e3a wg-quick \u5feb\u901f\u8bbe\u7f6e\/\u5220\u9664\u63a5\u53e3\u4e4b\u524d\/\u4e4b\u540e\u7531 bash\uff081\uff09\u6267\u884c\u7684\u56db\u6761\u547d\u4ee4\uff0c\u5e38\u7528\u4e8e\u914d\u7f6e\u81ea\u5b9a\u4e49 DNS \u6216\u9632\u706b\u5899\u89c4\u5219\u3002 \u7279\u6b8a\u5b57\u7b26\u4e32 \uff05i \u4f5c\u4e3a\u53d8\u91cf\u66ff\u4ee3\u6240\u63a7\u5236\u7684 INTERFACE \u914d\u7f6e\u540d\u3002 \u6bcf\u4e2a\u547d\u4ee4\u53c2\u6570\u90fd\u652f\u6301\u591a\u6761\u547d\u4ee4\uff0c\u53c2\u6570\u5185\u7684\u591a\u6761\u547d\u4ee4\u5c06\u6309\u524d\u540e\u987a\u5e8f\u4f9d\u6b21\u6267\u884c\uff0c\u5206\u9694\u7b26\u4e3a ; \u5206\u53f7\u3002<\/p>\n
\n
<\/a>6 \u3001 WireGuard \u7684\u5feb\u901f\u542f\u52a8\u914d\u7f6e\u6587\u4ef6<\/h2>\n
\u4e0a\u9762\u7684\u64cd\u4f5c\u505a\u5b8c\u53d1\u73b0\u592a\u7e41\u7410\u4e86\u4e48\uff0cWireguard \u662f\u6709\u63d0\u4f9b\u4e00\u4e2a\u6807\u51c6\u7684 Systemd \u670d\u52a1\u6587\u4ef6\u6765\u63d0\u4f9b\u542f\u52a8\u62a4\u822a\u7684<\/p>\n
\u5bf9\u4e8e\u00a0wg-quick@.service\u00a0\u670d\u52a1\u6587\u4ef6\u6765\u8bf4\uff0c\u5b83\u4f1a\u8c03\u7528 \/usr\/bin\/wg-quick \u8bfb\u53d6 \/etc\/wireguard\/*.conf \u540e\u542f\u52a8<\/p>\n
\u670d\u52a1\/\u547d\u4ee4\/\u914d\u7f6e\u6587\u4ef6\/\u7f51\u5361\u865a\u62df\u63a5\u53e3\u540d \u5bf9\u5e94\u5173\u7cfb\u5982\u4e0b<\/p>\n
\u670d\u52a1\uff1a wg-quick@myserver.service\r\n\u547d\u4ee4\uff1a \/usr\/bin\/wg-quick up myserver\r\n\u914d\u7f6e\uff1a \/etc\/wireguard\/myserver.conf\r\n\u63a5\u53e3\uff1a myserver<\/pre>\n
\u800c\u4e14\u5e73\u65f6\u4f7f\u7528\u7684\u5e38\u89c1\u65b9\u6848\u5c31\u662f\u5199\u597d\u914d\u7f6e\u6587\u4ef6\uff0c\u901a\u8fc7\u5b98\u65b9\u7684\u670d\u52a1\u914d\u7f6e\u6587\u4ef6\u76f4\u63a5\u542f\u52a8\uff08\u81ea\u52a8\u6a21\u5f0f\u63a8\u8350\uff09
\n\u914d\u7f6e\u6587\u4ef6\u4e2d\u7684\u00a0%i<\/code>\u00a0\u4e3a Systemd \u9ed8\u8ba4\u53c2\u6570\uff0c\u6307\u4ee3\u670d\u52a1\u540d\u00a0wg-quick@<\/code>\u00a0\u540e\u7684\u53d8\u91cf<\/p>\n
vim \/etc\/wireguard\/myserver.conf<\/pre>\n
[Interface]\r\nAddress = 172.16.1.12\/24\r\nListenPort = 8002\r\nPrivateKey = OO6\/vtQB83h2\/1XcwfZ0OpPr9ATfWviEqdQyWdtjE0c=\r\n\r\n#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE\r\n#PreDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE\r\n\r\n[Peer]\r\nPublicKey = OPC1\/cVCnvbw3wQg6CPJB5IC0ZZLf+JwRD3V3MqFYFk=    #\u4e3b\u7aef Publickey\r\nAllowedIPs = 172.16.1.11\/32,172.16.11.0\/24\r\nEndpoint = 192.168.0.100:8001\r\nPersistentKeepalive = 25<\/pre>\n
\u6b64\u914d\u7f6e\u5b8c\u6bd5\u540e \u914d\u7f6e\u6587\u4ef6\u540d\u4e3a myserver \uff0c\u53ef\u4ee5\u76f4\u63a5\u8f93\u5165 wg-quick up myserver \u6d4b\u8bd5\u542f\u52a8\u8fdb\u7a0b
\n\uff08\u5982\u679c\u542f\u52a8\u5931\u8d25\u53ef\u4ee5\u5148 down \u4e00\u6b21\u518d up \u4e00\u6b21\uff09
\n\uff08\u5982\u679c\u4f60\u662f iptables \u5219\u4f7f\u7528\u4e24\u6761 iptables \u547d\u4ee4\u6765\u914d\u7f6e\u9632\u706b\u5899\u5141\u8bb8\u8f6c\u53d1\u7684\u89c4\u5219\uff0c\u53bb\u6389\u524d\u9762\u7684\uff03\u5e76\u8bb0\u5f97\u4fee\u6539 enp1s0 \u4e3a\u5f53\u524d\u7cfb\u7edf\u516c\u7f51\u7f51\u5361\u5373\u53ef\uff09<\/p>\n
\u6ce8\u610f Firewalld \u8fd9\u6837\u542f\u52a8\u540e\u7f51\u5361\u672c\u8eab\u662f\u6ca1\u6709\u9632\u706b\u5899\u533a\u57df\u7684\uff0c\u4f60\u9700\u8981\u624b\u52a8\u7ed1\u5b9a\u4e00\u4e2a\u533a\u57df<\/p>\n
firewall-cmd --zone=external --add-interface=myserver --permanent\r\nfirewall-cmd --zone=external --add-masquerade --permanent\r\nfirewall-cmd --reload<\/pre>\n
\u800c\u540e\u6d89\u53ca\u5f00\u673a\u542f\u52a8\u65f6\uff0c\u76f4\u63a5\u914d\u7f6e\u5f00\u673a\u542f\u52a8\u5373\u53ef\uff08\u6ce8\u610f\u672c\u4f8b\u8c03\u5ea6\u4e86\u7f51\u7edc\u7b49\u5f85\u670d\u52a1\uff0c\u540c\u65f6\u4fee\u6539\u4e86\u9ed8\u8ba4\u7b49\u5f85\u65f6\u95f4\uff09<\/p>\n
systemctl enable wg-quick@myserver\r\nsystemctl start wg-quick@myserver<\/pre>\n
\u6709\u65f6\u5019\u53ef\u80fd\u4f60\u7684\u5f00\u673a\u542f\u52a8\u5931\u8d25\u4e86\uff0c\u8fd9\u53ef\u80fd\u662f\u56e0\u4e3a\u6ca1\u6709\u6210\u529f\u627e\u5230\u5bf9\u7aef\u5730\u5740\uff08\u6bd4\u5982\u7f51\u5361\u672a\u542f\u52a8\uff09\uff0c\u6240\u4ee5\u9700\u8981\u989d\u5916\u914d\u7f6e\u7f51\u7edc\u7b49\u5f85\u670d\u52a1<\/p>\n
systemctl enable NetworkManager-wait-online.service\r\nsed -i 's\/--timeout=30\/--timeout=10\/g' \/usr\/lib\/systemd\/system\/NetworkManager-wait-online.service && systemctl daemon-reload<\/pre>\n
\n
<\/a>7 \u3001\u5e38\u89c1\u7684\u5c0f\u95ee\u9898<\/h2>\n
7.1 \u3001\u8def\u7531\u5199\u5165\u51b2\u7a81<\/h4>\n
\u5f88\u591a\u4eba\u53ef\u80fd\u5728 \u914d\u7f6e\u6587\u4ef6 \u4e2d\u653e\u8fdb\u53bb\u591a\u4e2a peer \uff0c\u800c\u653e\u8fdb\u53bb peer \u65f6\u4f7f\u7528\u4e86\u76f8\u540c\u6216\u76f8\u4f3c\u7684 AllowedIPs \u5982\u4e0b\u4f8b
\n\uff08\u6bd4\u5982\u4e3a\u4e86\u65b9\u4fbf\u4f7f\u7528\u66f4\u77ed\u7f51\u7edc\u4f4d\u7684\u8def\u7531\u6761\u76ee\uff09<\/p>\n
[Peer]\r\nAllowedIPs=172.16.1.0\/24,172.16.11.0\/24\r\n\r\n[Peer]\r\nAllowedIPs=172.16.1.0\/24,172.16.12.0\/24<\/pre>\n
\u6b64\u65f6 Wireguard \u5728\u8bfb\u53d6\u914d\u7f6e\u6587\u4ef6\u65f6\uff0c\u4f1a\u53d1\u73b0\u8def\u7531\u8868\u5df2\u7ecf\u5b58\u5728\u00a0172.16.1.0\/255.255.255.0<\/code>\u00a0\u6761\u76ee\uff0c\u5982\u679c\u65b0\u589e\u7b2c\u4e8c\u4e2a peer \u4f1a\u4ea7\u751f\u51b2\u7a81\u3002
\n\uff08\u4e0d\u540c\u914d\u7f6e\u6587\u4ef6\u4f1a\u4ea7\u751f\u4e24\u6761\u8def\u7531\uff0c\u56e0\u4e3a\u4e0b\u4e00\u8df3\u4e0d\u4e00\u81f4\uff09<\/p>\n
\u76ee\u6807            \u7f51\u5173            \u5b50\u7f51\u63a9\u7801        \u6807\u5fd7  \u8dc3\u70b9   \u5f15\u7528  \u4f7f\u7528 \u63a5\u53e3\r\n172.16.1.0      0.0.0.0         255.255.255.0     U     0      0      0 myserver<\/pre>\n
\u6240\u4ee5\u6211\u4eec\u5728\u67e5\u770b\u65f6\uff0c\u4f1a\u51fa\u73b0\u53ea\u6709\u4e00\u4e2a peer \u914d\u7f6e\u6b63\u5e38\u7684\u60c5\u51b5\uff0c\u540c\u65f6\u56e0\u4e3a\u00a0AllowedIPs<\/code>\u00a0\u53c2\u6570\u5931\u8d25\u7684\u539f\u56e0\uff0c\u4f1a\u5bfc\u81f4\u94fe\u8def\u4e0d\u901a<\/p>\n
peer: \r\n  endpoint: 192.168.1.11:26001\r\n  allowed ips: 172.16.1.0\/24,172.16.11.0\/24\r\n\r\npeer: \r\n  endpoint: 192.168.1.12:26002\r\n  allowed ips: 172.16.12.0\/24<\/pre>\n
\u800c\u5bf9\u6b64\u7684\u65b9\u5f0f\uff0c\u5efa\u8bae\u662f\u5206\u62c6\u6210\u4e24\u4e2a\u914d\u7f6e\u6587\u4ef6\uff0c\u6216\u8005\u7ec6\u5206\u5177\u4f53\u4e3b\u673a\u5185\u5bb9\uff0c\u6bd4\u5982\u4fee\u6539\u6210\u5982\u4e0b\u65b9\u6848\uff0c\u53ef\u4ee5\u8ba9\u7f51\u7edc\u6062\u590d\u6b63\u5e38<\/p>\n
[Peer]\r\nAllowedIPs=172.16.1.11\/32,172.16.11.0\/24\r\n\r\n[Peer]\r\nAllowedIPs=172.16.1.12\/32,172.16.12.0\/24<\/pre>\n
\u8fd8\u53ef\u4ee5\u4e0d\u4f7f\u7528 \u914d\u7f6e\u6587\u4ef6 \u4e0e wg-quick \u7684\u65b9\u5f0f\uff0c\u4f7f\u7528 \u7eaf\u547d\u4ee4\u884c \u7684\u65b9\u5f0f\u542f\u52a8
\n\u6b64\u65f6\u53ef\u4ee5\u81ea\u5b9a\u4e49 AllowedIPs \u548c Route\uff0cAllowedIPs \u7684\u6548\u679c\u7b49\u540c\u4e8e AccessList \u89c4\u5219\u7b56\u7565 \uff0croute \u7684\u6548\u679c\u5219\u7b49\u540c\u4e8e \u4e3b\u673a\u8def\u7531\uff08\u5373 wg-quick \u542f\u52a8\u65f6\u8bc6\u522b allowedIPs \u5e76\u4f9d\u6b64\u81ea\u52a8\u6dfb\u52a0\u8def\u7531\uff0c\u5982\u6dfb\u52a0\u5931\u8d25\u5219\u542f\u52a8\u5931\u8d25\uff09
\n\u4f8b\u5982\u6211\u4eec\u53ef\u4ee5 AllowedIPs =\u00a00.0.0.0\/0<\/kbd>\u00a0\u4f46 Route \u4f7f\u7528\u00a0ip route add 172.16.11.0\/24 dev wg0<\/kbd>
\n\u4f46\u4ecd\u7136\u4e0d\u53ef\u4ee5\u8ba9 \u5355\u5b9e\u4f8b \u7684 \u4e24\u4e2a Peer \u4f7f\u7528\u91cd\u53e0\u7684 AllowedIPs<\/p>\n
\n
7.2 \u3001 Wireguard \u4f1a\u8bdd\u4fdd\u6301<\/h4>\n
Wireguard \u9ed8\u8ba4\u7684\u8fd0\u884c\u6a21\u5f0f\u662f \u5bf9\u7b49\u4f53\uff08\u53cc\u65b9\u8eab\u4efd\u5730\u4f4d\u4e00\u81f4\uff09<\/p>\n
\u6b64\u65f6\u53cc\u65b9\u5747\u9700\u8981\u6307\u5b9a\u00a0[peer] Endpoint=<\/code>\u00a0\u53c2\u6570\uff0c\u4fdd\u8bc1\u79bb\u7ebf\u540e\u53ef\u4ee5\u81ea\u884c\u8fde\u63a5\u5bf9\u65b9\u3002<\/p>\n
\u5f53\u4e00\u65b9 \u7f3a\u4e4f\u7a33\u5b9a\u7684\u516c\u7f51\u7aef\u53e3 \u65f6\uff0c\u65e0\u6cd5\u8ba9\u5bf9\u7aef\u4e3b\u52a8\u8fde\u63a5\u8fc7\u6765\uff0c\u6b64\u65f6\u5219\u9700\u8981\u53d8\u6210 \u4e3b\u4ece\u7ed3\u6784 \u6765\u4f7f\u7528<\/p>\n
\u4e3b\u7aef\u914d\u7f6e\u00a0ListenPort<\/code>\u00a0\uff0c\u79fb\u9664\u00a0Endpoint<\/code>\u00a0\uff0c\u4ece\u7aef\u4e0d\u914d\u7f6e\u00a0ListenPort<\/code>\uff0c\u5e76\u914d\u7f6e\u00a0keepalive<\/code><\/p>\n
\u6b64\u65f6\u89e3\u51b3\u65b9\u6848\u4e3b\u8981\u6709\u4e24\u79cd\u3002<\/p>\n
1 \u3001\u5ba2\u6237\u7aef \u4fa7\u989d\u5916\u914d\u7f6e\u00a0[peer] keepalive=<\/code>\u00a0\u53c2\u6570\uff0c\u4e3b\u52a8\u63d0\u4ea4\u65b0 IP \u7ed9\u670d\u52a1\u7aef\uff0c\u540c\u65f6\u670d\u52a1\u7aef\u6ce8\u91ca\u8be5\u5ba2\u6237\u7aef\u7684\u00a0[peer] Endpoint=<\/code>
\n2 \u3001\u670d\u52a1\u7aef \u4fa7\u989d\u5916\u914d\u7f6e DDNS \u52a8\u6001\u57df\u540d\uff0c\u5e76\u4ee5\u57df\u540d\u7684\u65b9\u5f0f\u586b\u5199\u00a0[peer] Endpoint=<\/code><\/p>\n
\u524d\u8005\u662f\u5e38\u7528\u529e\u6cd5\uff0c\u5c24\u5176\u662f\u5ba2\u6237\u7aef \u5b58\u5728 NAT \u60c5\u51b5\u65f6\uff0c\u65e0\u6cd5\u63d0\u4f9b\u516c\u7f51\u7aef\u53e3\u3002
\n\u4f46\u662f\u989d\u5916\u6ce8\u610f Wireguard \u867d\u7136\u4f1a\u6839\u636e\u52a8\u6001\u5ba2\u6237\u7aef\u65b0\u7684\u6570\u636e\u5305\u800c\u66f4\u65b0\uff0c\u4f46\u5982\u679c\u52a8\u6001\u5ba2\u6237\u7aef\u66f4\u65b0\u62a5\u6587\u4e22\u5931\uff0c\u4f1a\u5bfc\u81f4\u8fde\u63a5\u4e2d\u65ad<\/p>\n
\u540e\u8005\u662f\u5219\u662f DDNS \u7684\u89e3\u51b3\u529e\u6cd5\uff0c\u989d\u5916\u591a\u7684\u5185\u5bb9\u662f\u4f7f\u7528\u7cfb\u7edf dns \u89e3\u6790\u57df\u540d\uff0c\u540c\u65f6\u4f7f\u7528\u89e3\u6790\u540e\u7684 IP \u5730\u5740\u8fdb\u884c\u8bbf\u95ee\u3002
\n\u4f46\u662f\u989d\u5916\u6ce8\u610f \u57df\u540d\u89e3\u6790 \u867d\u7136 Linux \u6ca1\u6709\u7f13\u5b58\u89e3\u6790\u7ed3\u679c\uff0c\u4f46\u662f wireguard \u89e3\u6790\u540e\uff0c\u9664\u975e\u52a8\u6001\u5ba2\u6237\u7aef\u6709\u65b0\u5730\u5740\u7684\u6570\u636e\u5305\u4e0a\u8054\uff0c\u5426\u5219\u5b58\u5728\u4e00\u6bb5\u65f6\u95f4\u7684\u7b49\u5f85\uff0c\u751a\u81f3\u4e00\u76f4\u5361\u987f\u3002\u8fd9\u91cc\u5c31\u9700\u8981\u7ed9 \u670d\u52a1\u7aef \u914d\u7f6e\u00a0[peer] keepalive=<\/code>\u00a0\u53c2\u6570\uff0c\u8ba9\u670d\u52a1\u7aef\u5468\u671f\u5bf9\u5ba2\u6237\u7aef\u53d1\u9001\u6570\u636e\u62a5\u6587\u5c1d\u8bd5\uff0c\u5728\u67d0\u4e2a\u65f6\u95f4\u5468\u671f\u540e\uff0c\u670d\u52a1\u7aef\u5c06\u91cd\u65b0\u89e3\u6790 DNS \u3002<\/p>\n
\u989d\u5916\u4e00\u6761\uff0c\u8fd0\u8425\u5546\u53ef\u80fd\u4f1a\u5bf9\u5bb6\u5bbd\u7684 UDP \u8fdb\u884c\u9650\u5236\uff0c\u5bfc\u81f4 \u5373\u4f7f\u62e8\u53f7\u62e5\u6709\u516c\u7f51 IP \u4f46 \u4ecd\u9700\u4f7f\u7528\u52a8\u6001\u7aef\u53e3<\/p>\n
\n
7.3 \u3001 IPV6 \u8def\u7531\u6d88\u5931<\/h4>\n
\u901a\u5e38\u6765\u8bf4\uff0c\u6211\u4eec\u505a\u4e86\u7aef\u53e3\u8f6c\u53d1\uff0c\u662f\u4f7f\u7528\u4e09\u6761\u53c2\u6570\u4fee\u6539
\n\u4fee\u6539\u540e\u6211\u4eec\u5c31\u53ef\u4ee5\u6b63\u5e38\u4f7f\u7528\u4e86\uff0c\u5927\u591a\u51fa\u73b0\u7684\u60c5\u51b5\u662f NAT \u76f8\u5173\u3002<\/p>\n
net.ipv4.ip_forward=1\r\nnet.ipv6.conf.default.forwarding=1\r\nnet.ipv6.conf.all.forwarding=1<\/pre>\n
\u800c\u6709\u65f6\u5019\u6211\u4eec\u4f1a\u9047\u5230 IPV6<\/p>\n
root@drive:~# ping6 2400:3200::1\r\nping6: connect: network is unreachable<\/pre>\n
\u6b64\u65f6\u6211\u4eec\u67e5\u770b\u8def\u7531\u68c0\u67e5\u7f51\u7edc\u95ee\u9898<\/p>\n
root@localhost:~# ip -6 route show\r\n::1 dev lo proto kernel metric 256 pref medium\r\n2408:8002:2008:2882::\/64 via fe80::1 dev enp1s0 proto ra metric 100 pref high\r\nfe80::\/64 dev enp1s0 proto kernel metric 100 pref medium\r\n\r\noot@localhost:~# route -n6 | grep enp1s0\r\nDestination                    Next Hop                   Flag  Met Ref Use If\r\n2408:8002:2008:2882::\/64       fe80::1                    UG    100 1     0 enp1s0\r\nfe80::\/64                      ::                         U     100 5     0 enp1s0\r\n2408:8002:2008:2882::\/128      ::                         Un    0   3     0 enp1s0\r\n2408:8002:2008:2882::2882\/128  ::                         Un    0   5     0 enp1s0\r\nfe80::\/128                     ::                         Un    0   3     0 enp1s0\r\nfe80::222\/128                  ::                         Un    0   5     0 enp1s0\r\nfe80::2408:8002:2008:2882\/128  ::                         Un    0   2     0 enp1s0<\/pre>\n
\u5bf9\u6bd4\u6b63\u5e38\u60c5\u51b5\u4e0b\u7684\u8def\u7531\uff0c\u6211\u4eec\u53ef\u4ee5\u53d1\u73b0\u5c11\u4e86\u4e24\u6761\u8def\u7531\uff0c\u5e76\u4e14\u4e3b\u8981\u7f3a\u5c11\u4e00\u6761 default \u8def\u7531<\/p>\n
root@localhost:~# ip -6 route show\r\n::1 dev lo proto kernel metric 256 pref medium\r\n2408:8002:2008:2882::\/64 via fe80::1 dev enp1s0 proto ra metric 100 pref high\r\n2408:8002:2008:2882::\/64 dev enp1s0 proto kernel metric 256 expires 3210sec pref medium\r\nfe80::\/64 dev enp1s0 proto kernel metric 100 pref medium\r\ndefault via fe80::1 dev enp1s0 proto ra metric 1024 expires 1210sec hoplimit 64 pref low\r\n\r\nroot@localhost:~# route -n6 | grep enp1s0\r\nDestination                    Next Hop                   Flag  Met  Ref Use If\r\n2408:8002:2008:2882::\/64       fe80::1                    UG    100  2     0 enp1s0\r\nfe80::\/64                      ::                         U     100  6     0 enp1s0\r\n2408:8002:2008:2882::\/64       ::                         UAe   256  1     0 enp1s0\r\n::\/0                           fe80::1                    UGDAe 1024 5     0 enp1s0\r\n2408:8002:2008:2882::\/128      ::                         Un    0    3     0 enp1s0\r\n2408:8002:2008:2882::2882\/128  ::                         Un    0    2     0 enp1s0\r\nfe80::\/128                     ::                         Un    0    3     0 enp1s0\r\nfe80::222\/128                  ::                         Un    0    7     0 enp1s0\r\nfe80::2408:8002:2008:2882\/128  ::                         Un    0    2     0 enp1s0<\/pre>\n
\u53ef\u4ee5\u53d1\u73b0\uff0c\u5728\u9ed8\u8ba4\u8def\u7531\uff0c\u5b58\u5728\u4e00\u4e2a\u8fc7\u671f\u65f6\u95f4 1210s \uff0c\u7b49\u5230\u8d85\u65f6\u540e\u4f1a\u81ea\u52a8\u6e05\u9664\u8fd9\u6761\u3002<\/p>\n
default via fe80::1 dev enp1s0 proto ra metric 1024 expires 1210sec hoplimit 64 pref low<\/pre>\n
\u6309\u9053\u7406\uff0c\u50cf IPV4 \u7684\u7f51\u5173\u9ed8\u8ba4\u662f\u957f\u65f6\u95f4\u4fdd\u6301\u7684\uff0cIPV6 \u5e94\u5f53\u4e5f\u53ef\u4ee5\u4fdd\u6301\u3002
\n\u7a76\u5176\u539f\u56e0\uff0c\u8fd9\u6761\u8def\u7531\u7684\u5b66\u4e60\u5219\u662f\u7531\u8def\u7531\u5668\u7684 RA \u5e7f\u64ad\u7ef4\u62a4\u7684\uff0c\u800c\u7cfb\u7edf\u9ed8\u8ba4\u662f \u7981\u6b62\u63a5\u6536 RA \u5e7f\u64ad
\n\uff08\u51fa\u4e8e\u670d\u52a1\u5b89\u5168\u7684\u8003\u8651\uff0c\u4e3b\u8981\u8003\u8651\u907f\u514d\u56e0\u4e3a \u8def\u7531\u5668 RA \u5e7f\u64ad\u653b\u51fb\u800c\u51fa\u73b0\u8def\u7531\u548c\u5730\u5740\u5747\u4ea7\u751f\u53d8\u5316\u7684\u60c5\u51b5\uff09<\/p>\n
\u68c0\u67e5\u7cfb\u7edf\u53c2\u6570\uff0c\u53ef\u4ee5\u770b\u5230\u5747\u4e3a\u9ed8\u8ba4\u7684 0<\/p>\n
root@localhost:~# cat \/proc\/sys\/net\/ipv6\/conf\/enp1s0\/accept_ra\r\n0\r\nroot@localhost:~# cat \/proc\/sys\/net\/ipv6\/conf\/all\/accept_ra\r\n0\r\nroot@localhost:~# cat \/proc\/sys\/net\/ipv6\/conf\/default\/accept_ra\r\n0<\/pre>\n
\u5bf9\u4e8e\u503c\u4ee3\u8868\u7684\u542b\u4e49\u5982\u4e0b<\/p>\n
0 Do not accept Router Advertisements\r\n1 Accept Router Advertisements if forwarding is disabled\r\n2 Overrule forwarding behaviour. Accept Router Advertisements even if forwarding is enabled\r\n\r\n0 \u4e0d\u63a5\u53d7\u8def\u7531\u5668 RA \u5e7f\u64ad\r\n1 \u5982\u679c\u8f6c\u53d1\u88ab\u7981\u7528\uff0c\u5219\u63a5\u53d7\u8def\u7531\u5668 RA \u5e7f\u64ad\r\n2 \u65e0\u89c6\u8f6c\u53d1\u884c\u4e3a\uff0c\u5373\u4f7f\u542f\u7528\u4e86\u8f6c\u53d1\uff0c\u4e5f\u63a5\u53d7\u8def\u7531\u5668 RA \u5e7f\u64ad<\/pre>\n
\u800c\u6211\u4eec\u60f3\u4fdd\u8bc1 RA \u5e7f\u64ad\u6b63\u5e38\u88ab\u7cfb\u7edf\u63a5\u6536\uff0c\u6211\u4eec\u53ef\u4ee5\u914d\u7f6e\u4e3a 2
\n\u901a\u5e38\u6765\u8bf4\uff0c\u5982\u679c\u672a\u542f\u7528 net.ipv6.conf.all.forwarding \u5219\u53ef\u4ee5\u914d\u7f6e\u4e3a 1
\n\u5982\u679c\u7531\u4e8e\u67d0\u4e9b\u539f\u56e0\u4e0d\u5e0c\u671b\u5176\u4ed6\u7aef\u53e3\u63a5\u6536 RA \u5e7f\u64ad\uff0c\u5219\u53ef\u4ee5\u6307\u5b9a\u7aef\u53e3\u800c\u4e0d\u4f7f\u7528\u5168\u4f53\u7aef\u53e3<\/p>\n
# Accept IPv6 advertisements when forwarding is enabled\r\nnet.ipv6.conf.all.accept_ra = 2\r\nnet.ipv6.conf.default.accept_ra = 2\r\nnet.ipv6.conf.enp1s0.accept_ra = 2<\/pre>\n
\u6539\u8fc7\u540e\u8fd0\u884c\u7684\u8def\u7531\u8868\u5982\u4e0b<\/p>\n
root@localhost:~# ip -6 route show\r\n::1 dev lo proto kernel metric 256 pref medium\r\n2408:8002:2008:2882::\/64 via fe80::1 dev enp1s0 proto ra metric 100 pref high\r\nfe80::\/64 dev enp1s0 proto kernel metric 100 pref medium\r\ndefault via fe80::1 dev enp1s0 proto static metric 20100 pref medium\r\n\r\nroot@localhost:~# route -n6 | grep enp1s0\r\nDestination                    Next Hop                   Flag  Met   Ref Use If\r\n2408:8002:2008:2882::\/64       fe80::1                    UG    100   1     0 enp1s0\r\nfe80::\/64                      ::                         U     100   7     0 enp1s0\r\n::\/0                           fe80::1                    UG    20100 5     0 enp1s0\r\n2408:8002:2008:2882::\/128      ::                         Un    0     3     0 enp1s0\r\n2408:8002:2008:2882::2882\/128  ::                         Un    0     7     0 enp1s0\r\nfe80::\/128                     ::                         Un    0     4     0 enp1s0\r\nfe80::222\/128                  ::                         Un    0     6     0 enp1s0\r\nfe80::2408:8002:2008:2882\/128  ::                         Un    0     7     0 enp1s0\r\nff00::\/8                       ::                         U     256   7     0 enp1s0<\/pre>\n
\u5982\u679c\u4e0d\u9700\u8981\u4e34\u65f6 IPV6 \u5730\u5740\uff0c\u8fd8\u53ef\u4ee5\u4f7f\u7528 sysctl \u76f4\u63a5\u7981\u6b62\u83b7\u53d6<\/p>\n
root@localhost:~# cat \/etc\/sysctl.d\/10-ipv6-privacy.conf\r\n# IPv6 Privacy Extensions (RFC 4941)\r\n# ---\r\n# IPv6 typically uses a device's MAC address when choosing an IPv6 address\r\n# to use in autoconfiguration. Privacy extensions allow using a randomly\r\n# generated IPv6 address, which increases privacy.\r\n#\r\n# Acceptable values:\r\n#    0 - don\u2019t use privacy extensions.\r\n#    1 - generate privacy addresses\r\n#    2 - prefer privacy addresses and use them over the normal addresses.\r\nnet.ipv6.conf.all.use_tempaddr = 2\r\nnet.ipv6.conf.default.use_tempaddr = 2<\/pre>\n
\u5c06\u9ed8\u8ba4\u7684 2 \u6539\u4e3a 0 \u5373\u53ef\u7981\u7528 IPV6 \u4e34\u65f6\u5730\u5740<\/p>\n
\u5176\u4ed6\u76f8\u5173\u7684 IPV6 \u53c2\u6570\u5982\u4e0b<\/p>\n
net.ipv6.conf.enp1s0.accept_dad = 1\r\nnet.ipv6.conf.enp1s0.max_addresses = 16\r\nnet.ipv6.conf.enp1s0.accept_ra = 0\r\nnet.ipv6.conf.enp1s0.temp_prefered_lft = 86400\r\nnet.ipv6.conf.enp1s0.temp_valid_lft = 604800\r\nnet.ipv6.conf.enp1s0.use_oif_addrs_only = 0<\/pre>\n
\u5efa\u8bae\u4fee\u6539\u5982\u4e0b\u6240\u793a\u51cf\u5c11\u4e34\u65f6\u5730\u5740\u7684\u6570\u91cf<\/p>\n
net.ipv6.conf.enp1s0.accept_dad = 1\r\nnet.ipv6.conf.enp1s0.max_addresses = 10\r\nnet.ipv6.conf.enp1s0.accept_ra = 2\r\nnet.ipv6.conf.enp1s0.temp_prefered_lft = 86400\r\nnet.ipv6.conf.enp1s0.temp_valid_lft = 259200\r\nnet.ipv6.conf.enp1s0.use_oif_addrs_only = 0<\/pre>\n
\n
7.4 \u3001 Cloudflare Warp<\/h4>\n
Cloudflare Warp \u4f7f\u7528 Wireguard \u63d0\u4f9b\u514d\u8d39\u7684 VPN \u670d\u52a1<\/p>\n
\u56e0\u4e3a Cloudflare Warp \u63d0\u4f9b IPV4\/IPV6 \u53cc\u6808\u652f\u6301\uff0c\u6240\u4ee5\u53ef\u4ee5\u7528\u6765\u89e3\u51b3 VPS \u7684 IP \u88ab \u7f51\u7ad9\u7981\u6b62 \u7684\u60c5\u51b5<\/p>\n
Cloudflare [\u00a0\u94fe\u63a5<\/a>\u00a0] \/ \u7b2c\u4e09\u65b9\u5ba2\u6237\u7aef wgcf [\u00a0\u94fe\u63a5<\/a>\u00a0] \/ \u7528\u6237\u81ea\u5236\u811a\u672c [\u00a0\u811a\u672c<\/a>\u00a0]<\/p>\n
Ubuntu \u7684\u5b89\u88c5\u6d41\u7a0b\u5982\u4e0b<\/p>\n
curl https:\/\/pkg.cloudflareclient.com\/pubkey.gpg | sudo gpg --yes --dearmor --output \/usr\/share\/keyrings\/cloudflare-warp-archive-keyring.gpg<\/pre>\n
echo \"deb [arch=amd64 signed-by=\/usr\/share\/keyrings\/cloudflare-warp-archive-keyring.gpg] https:\/\/pkg.cloudflareclient.com\/ $(lsb_release -cs) main\" | sudo tee \/etc\/apt\/sources.list.d\/cloudflare-client.list<\/pre>\n
apt update\r\napt install cloudflare-warp<\/pre>\n
#\u6e05\u7a7a warp \u4fe1\u606f\r\n#warp-cli delete\r\n\r\n#\u6ce8\u518c warp \u4fe1\u606f\r\nwarp-cli register\r\n\r\n#\u8bbe\u7f6e\u4e3a Sock5 \u4ee3\u7406\u6a21\u5f0f\r\nwarp-cli set-mode proxy\r\n\r\n#\u8bbe\u7f6e Sock5 \u4ee3\u7406\u63a5\u53e3\r\nwarp-cli set-proxy-port 3100\r\n\r\n#\u8bbe\u7f6e\u81ea\u52a8\u8fde\u63a5 warp \u670d\u52a1\u5668\uff08\u975e\u5f00\u673a\u542f\u52a8\uff09\r\nwarp-cli enable-always-on\r\n\r\n#\u8fde\u63a5 warp \u670d\u52a1\u5668\uff08\u4e00\u5b9a\u8981\u914d\u597d\u518d\u8fde\uff0c\u5426\u5219\u4f1a\u65ad\u7f51\uff09\r\nwarp-cli connect\r\n\r\n#\u67e5\u770b\u5f53\u524d\u914d\u7f6e\r\nwarp-cli settings<\/pre>\n
\u4e0a\u8ff0\u662f\u5b89\u88c5 warp-cli \u7684\u6b65\u9aa4\uff0c\u5982\u679c\u60f3\u63d0\u53d6\u914d\u7f6e\u6587\u4ef6\u624b\u52a8\u64cd\u4f5c\uff0c\u53ef\u4ee5\u901a\u8fc7 wgcf \u6216 \u7528\u6237\u81ea\u5236\u811a\u672c \u5904\u7406<\/p>\n
\u6ce8\u518c Warp \u5e76\u751f\u6210\u914d\u7f6e\u6587\u4ef6<\/p>\n
#!\/bin\/bash\r\n# Source https:\/\/github.com\/ViRb3\/wgcf\r\n\/work\/service\/wireguard\/wgcf\/wgcf_v2.2.15 register\r\n\/work\/service\/wireguard\/wgcf\/wgcf_v2.2.15 generate<\/pre>\n
\u751f\u6210\u597d\u7684\u6587\u4ef6\u5982\u4e0b\u6240\u793a<\/p>\n
[Interface]\r\nPrivateKey = XXXXXXXXXXXX\r\nAddress = 172.16.0.2\/32\r\nAddress = 2606::\/128\r\nDNS = 1.1.1.1\r\nMTU = 1280\r\n[Peer]\r\nPublicKey = bmXOC+F1FxEMF9dyiK2H5\/1SUtzH0JuVo51h2wPfgyo=\r\nAllowedIPs = 0.0.0.0\/0\r\nAllowedIPs = ::\/0\r\nEndpoint = engage.cloudflareclient.com:2408<\/pre>\n
\u5904\u7406 wgcf-profile.conf \u6587\u4ef6\u4e3a \u901a\u8fc7 Warp \u5b9e\u73b0 IPV4 \u4e0a\u7f51\uff08\u6ce8\u610f\u770b\u66ff\u6362\u65b9\u5f0f\uff09\uff08\u4e00\u6b21\u6027\u547d\u4ee4\u5c0f\u5fc3\u65ad\u7f51\uff09<\/p>\n
#!\/bin\/bash\r\nsed -i '\/AllowedIPs = ::\/d'  wgcf-profile.conf\r\nsed -i 's\/'engage.cloudflareclient.com'\/'[2606:4700:d0::a29f:c001]'\/g' wgcf-profile.conf<\/pre>\n
\u5904\u7406 wgcf-profile.conf \u6587\u4ef6\u4e3a \u901a\u8fc7 Warp \u5b9e\u73b0 IPV6 \u4e0a\u7f51\uff08\u6ce8\u610f\u770b\u66ff\u6362\u65b9\u5f0f\uff09\uff08\u4e00\u6b21\u6027\u547d\u4ee4\uff09<\/p>\n
#!\/bin\/bash\r\nsed -i '\/AllowedIPs = 0.0.0.0\/d'  wgcf-profile.conf\r\nsed -i 's\/'engage.cloudflareclient.com'\/'162.159.192.1'\/g' wgcf-profile.conf<\/pre>\n
\u79fb\u52a8 wgcf-profile.conf \u6587\u4ef6\u5e76\u542f\u52a8\u670d\u52a1<\/p>\n
#!\/bin\/bash\r\nmv \/work\/service\/wireguard\/wgcf\/wgcf-profile.conf \/etc\/wireguard\/\r\nchmod 400 \/etc\/wireguard\/wgcf-profile.conf\r\nsystemctl enable --now wg-quick@wgcf-profile<\/pre>\n
\u6d4b\u8bd5 IPV4 \u548c IPV6 \u8fde\u63a5\u60c5\u51b5<\/p>\n
#!\/bin\/bash\r\necho \"--- IPV4 TEST ---\"\r\ncurl -4 https:\/\/icanhazip.com\/\r\necho \"--- IPV6 TEST ---\"\r\ncurl -6 https:\/\/icanhazip.com\/<\/pre>\n","protected":false},"excerpt":{"rendered":"
wireguard\u662f\u4e00\u6b3elinus\u90fd\u63a8\u8350\u7684vpn\u5de5\u5177\uff0c\u5efa\u8bae\u4f7f\u7528 1 \u3001 WireGuard \u7b80\u4ecb WireGuard \u662f\u4e00\u4e2a\u5229\u7528\u73b0\u6709\u793e\u4f1a\u6700\u5148\u8fdb\u7684\u52a0\u5bc6\u6280\u672f\u800c\u4ea7\u751f\u7684\u975e\u5e38\u7b80\u5355\u548c\u5feb\u6377\u7684 VPN \u5de5\u5177\u3002\u5b83\u7684\u76ee\u6807\u662f\u6bd4 IPsec \u66f4\u5feb\uff0c\u66f4\u7b80\u5355\uff0c\u66f4\u7cbe\u7b80\uff0c […]<\/p>\n","protected":false},"author":4,"featured_media":194,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,8],"tags":[43],"topic":[37,39],"class_list":["post-191","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-8","tag-vpn","topic-linux","topic-vpn"],"_links":{"self":[{"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/posts\/191","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=191"}],"version-history":[{"count":6,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/posts\/191\/revisions"}],"predecessor-version":[{"id":201,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/posts\/191\/revisions\/201"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=\/wp\/v2\/media\/194"}],"wp:attachment":[{"href":"https:\/\/idc.birk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=191"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/idc.birk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftopic&post=191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}