系统为 Debian bookworm
1.为方便起见,切换到 root 用户
# Become root for the remaining steps; su's target user is root by default,
# spelled out here for clarity.
sudo su root
2.安装WireGuard
# Install WireGuard and its userspace tools; openresolv supplies the
# resolvconf command that wg-quick uses to apply a DNS= line.
apt update && apt install -y wireguard wireguard-tools openresolv
3.服务器需要开启 IPv4 转发
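# Enable IPv4 forwarding so the server can route between wg0 and its uplink.
# The grep guard makes this step idempotent: re-running the tutorial no longer
# appends a duplicate line to /etc/sysctl.conf.
grep -qxF 'net.ipv4.ip_forward = 1' /etc/sysctl.conf \
  || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# Apply the file now rather than waiting for a reboot.
sysctl -p /etc/sysctl.conf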
4.生成私钥与公钥,默认的配置文件储存在/etc/wireguard目录
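# Keys and configs live in /etc/wireguard; abort instead of writing key
# material into whatever directory we happen to be in if the cd fails.
cd /etc/wireguard || exit 1
# Create every file from here on as mode 0600, so the private keys are never
# readable by other local users even before the final chmod step.
umask 077
# Server key pair
wg genkey > server.key && wg pubkey < server.key > server.key.pub
# Client (client1) key pair — the original had this command split across lines
wg genkey > client1.key && wg pubkey < client1.key > client1.key.pub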
5.生成配置文件
假设server有公网ip 223.223.223.223,WireGuard ip为172.16.100.1,client1的WireGuard ip为172.16.100.2,客户端client1不需要有公网ip,WireGuard子网掩码为255.255.255.0
创建server配置文件
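# Write the server config. The heredoc is unquoted on purpose so that
# $(cat server.key) / $(cat client1.key.pub) are expanded into the file.
# "[Peer]" must be on a line of its own: wg setconf only recognises a section
# header when the whole line is "[Peer]", so "[Peer] PublicKey = ..." on one
# line is rejected as an unrecognised key and wg-quick up fails.
# NOTE: eth0 is the uplink used for NAT; on many Debian bookworm hosts the
# interface is named differently (check `ip route show default`) — adjust
# both PostUp and PostDown if so.
cat << EOF > wg0.conf
[Interface]
PrivateKey = $(cat server.key)
Address = 172.16.100.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT;iptables -A FORWARD -o wg0 -j ACCEPT;iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#eth0为网卡接口
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT;iptables -D FORWARD -o wg0 -j ACCEPT;iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 2408
[Peer]
PublicKey = $(cat client1.key.pub)
AllowedIPs = 172.16.100.2/32
EOF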
在server上启动WireGuard并设置开机自动启动
# Bring wg0 up now, then register the unit so it comes back after a reboot.
wg-quick up wg0 \
  && systemctl enable wg-quick@wg0
创建client1配置文件
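# Write the client config (to be copied to client1). Unquoted heredoc so the
# key files are expanded into it.
# Fixes versus the original: "[Peer]" gets its own line (wg setconf rejects
# "[Peer] PublicKey = ..." as an unrecognised key), and Endpoint now uses the
# server's public IP stated earlier in this walkthrough (223.223.223.223)
# instead of the mismatching 233.233.233.233.
# ListenPort is optional for a client that only dials out; it is kept as the
# original had it.
cat << EOF > wg1.conf
[Interface]
PrivateKey = $(cat client1.key)
Address = 172.16.100.2/24
ListenPort = 2408
DNS = 1.1.1.1,8.8.8.8
[Peer]
PublicKey = $(cat server.key.pub)
AllowedIPs = 0.0.0.0/0
Endpoint = 223.223.223.223:2408
PersistentKeepalive = 25
EOF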
参考wg1.conf,设置Windows、Android、iOS系统下的WireGuard客户端
为了保证私钥的安全,将配置文件和私钥文件设为普通用户不可读
# Private keys, and the configs that embed them, must not be readable by
# unprivileged local users. Public keys (.pub) can stay readable.
chmod 0600 -- \
  /etc/wireguard/server.key \
  /etc/wireguard/wg0.conf \
  /etc/wireguard/client1.key \
  /etc/wireguard/wg1.conf