Setting up a WireGuard-based VPN

The system is Debian bookworm.

1. Switch to the root user for convenience

sudo su

2. Install WireGuard

apt update && apt install wireguard wireguard-tools openresolv -y

3. Enable IPv4 forwarding on the server

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p /etc/sysctl.conf

4. Generate the private and public keys; the default configuration directory is /etc/wireguard

cd /etc/wireguard

# generate the server's private and public keys

wg genkey > server.key && wg pubkey < server.key > server.key.pub

# generate the private and public keys for the client (client1)

wg genkey > client1.key && wg pubkey < client1.key > client1.key.pub

5. Generate the configuration files

Assume the server has the public IP 223.223.223.223 and the WireGuard IP 172.16.100.1, client1 has the WireGuard IP 172.16.100.2 (the client does not need a public IP), and the WireGuard subnet mask is 255.255.255.0.

Create the server configuration file

cat << EOF > wg0.conf
[Interface]
PrivateKey = $(cat server.key)
Address = 172.16.100.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT;iptables -A FORWARD -o wg0 -j ACCEPT;iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# eth0 is the server's outbound network interface
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT;iptables -D FORWARD -o wg0 -j ACCEPT;iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 2408
[Peer]
PublicKey = $(cat client1.key.pub)
AllowedIPs = 172.16.100.2/32
EOF

Start WireGuard on the server and enable it to start at boot

wg-quick up wg0 && systemctl enable wg-quick@wg0

Create the client1 configuration file

cat << EOF > wg1.conf
[Interface]
PrivateKey = $(cat client1.key)
Address = 172.16.100.2/24
ListenPort = 2408
DNS = 1.1.1.1,8.8.8.8
[Peer]
PublicKey = $(cat server.key.pub)
AllowedIPs = 0.0.0.0/0
Endpoint = 223.223.223.223:2408
PersistentKeepalive = 25
EOF

Use wg1.conf as a reference when setting up the WireGuard clients on Windows, Android and iOS.

To keep the private keys safe, make the configuration files and private key files unreadable by ordinary users

chmod 600 /etc/wireguard/{server.key,wg0.conf,client1.key,wg1.conf}
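As an added example that is not part of the original tutorial, the following shell function sanity-checks a wg-quick config such as wg0.conf or wg1.conf before the interface is brought up: it flags the hand-editing mistakes covered by the two steps above (a section header sharing a line with a key, a [Peer] without PublicKey or AllowedIPs, a malformed key, a server-side peer granted 0.0.0.0/0, and a file still readable by other users). It assumes a POSIX sh, awk and ls on the Debian host; the role argument (server or client) is an assumption of this example, not a WireGuard option.

```shell
# Added example, not from the original tutorial: sanity-check a wg-quick config
# (wg0.conf / wg1.conf) before bringing it up. Flags a section header sharing a
# line with a key (wg rejects it), a [Peer] lacking PublicKey or AllowedIPs, a
# malformed key, a server-side peer given 0.0.0.0/0, and a file others can read.
# Usage: check_wg_conf FILE [server|client]   (returns 0 when clean)
check_wg_conf() {
  conf="$1"; role="${2:-server}"; rc=0
  if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then   # group/other bits
    echo "$conf: readable by group/others, chmod 600 it"; rc=1
  fi
  awk -v role="$role" '
    function end_section() {
      if (sect == "Peer") {
        if (!pk)  { print "[Peer] without PublicKey"; bad = 1 }
        if (!aip) { print "[Peer] without AllowedIPs"; bad = 1 }
      }
      pk = 0; aip = 0
    }
    BEGIN { bad = 0 }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
    /^[[:space:]]*\[/ {                             # section header
      end_section()
      sect = $0; gsub(/\[|\]|[[:space:]]/, "", sect)
      if (sect != "Interface" && sect != "Peer") { print "bad section line: " $0; bad = 1 }
      next
    }
    {
      i = index($0, "=")                            # split on first "="
      if (i == 0) { print "unparseable line: " $0; bad = 1; next }
      key = substr($0, 1, i - 1); gsub(/[[:space:]]/, "", key)
      val = substr($0, i + 1);    gsub(/[[:space:]]/, "", val)
      if (key == "PrivateKey" || key == "PublicKey") {
        # A Curve25519 key is 32 bytes: 43 base64 chars plus one "=".
        if (length(val) != 44 || val !~ "^[A-Za-z0-9+/]+=$") {
          print key " does not look like a WireGuard key"; bad = 1
        }
        if (key == "PublicKey") pk = 1
      }
      if (key == "AllowedIPs") {
        aip = 1   # on the server, 0.0.0.0/0 would route all server traffic to this peer
        if (role == "server" && val ~ "(^|,)0\\.0\\.0\\.0/0(,|$)") {
          print "server-side peer granted AllowedIPs 0.0.0.0/0"; bad = 1
        }
      }
    }
    END { end_section(); exit bad }
  ' "$conf" || rc=1
  return "$rc"
}
```

Run it as `check_wg_conf /etc/wireguard/wg0.conf server` and `check_wg_conf /etc/wireguard/wg1.conf client` after the chmod step; each problem is printed on its own line.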