Installing WireGuard on Debian 13

1. Install WireGuard

apt install wireguard -y

2. Configure the virtual interface

cat << 'EOF' > /etc/network/interfaces.d/wg0
# Bring up the wg0 interface on boot
auto wg0
# Define the interface with a static IPv4 address
iface wg0 inet static
    # Static IP address for the VPN interface
    address 10.0.2.1/24
    # Create the interface before bringing it up
    pre-up ip link add $IFACE type wireguard
    # Apply configuration from the main WireGuard config file
    pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
    # Remove the interface when it is brought down
    post-down ip link del $IFACE
EOF
  • 10.0.2.1/24: the server's address on the VPN network; 10.0.2.0/24 is the VPN subnet
  • The heredoc delimiter must be quoted ('EOF'); with a bare EOF the shell expands $IFACE while writing the file and the stanza ends up with empty interface names
  • The stanza creates the interface, loads /etc/wireguard/wg0.conf with `wg setconf` (from wireguard-tools, which the wireguard package pulls in), and deletes the interface again on ifdown
  • Do not run `ifup wg0` until /etc/wireguard/wg0.conf exists (step 4)

3. Generate the server key pair

cd /etc/wireguard/
umask 077
wg genkey > wg-private.key
wg pubkey < wg-private.key > wg-public.key
  • wg-private.key is the server's private key file; the preceding umask 077 makes it readable by root only
  • wg-public.key is the server's public key file; this is the value clients put in their [Peer] PublicKey

4. Configure WireGuard

4.1 View the private key

cat wg-private.key

This prints a base64 string such as 2GIURzIDBgI1Y+1Ei+i2C5kEOR53mH172MaidaVpD3M= (the author's example key; because it has been published here it must be treated as compromised and never used on a real server, so generate your own as in step 3).

4.2 Generate the config file

cat << EOF > /etc/wireguard/wg0.conf
# define the WireGuard service
[Interface]
# contents of file wg-private.key that was recently created
PrivateKey = 2GIURzIDBgI1Y+1Ei+i2C5kEOR53mH172MaidaVpD3M=
# UDP service port; 51820 is a common choice for WireGuard
ListenPort = 51820
EOF
  • PrivateKey: the server's private key (the value above is the author's published example; use the one you generated)
  • ListenPort: the UDP port the service listens on
  • This file is loaded with `wg setconf`, so it may only contain wg(8) keys (PrivateKey, ListenPort, and [Peer] entries with PublicKey and AllowedIPs); wg-quick options such as Address or DNS make setconf fail with "Line unrecognized". The interface address is set in the ifupdown stanza instead.
  • The file holds the private key: keep it readable by root only. The umask 077 from step 3 covers this if you are still in the same shell; otherwise run `chmod 600 /etc/wireguard/wg0.conf`.

5. Enable gateway mode (allow forwarding)

echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-ipforward.conf
sysctl -p /etc/sysctl.d/99-ipforward.conf

6. Firewall configuration

cat << EOF > /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
        chain input {
                # no policy given, so the chain defaults to accept;
                # this rule only counts WireGuard packets
                type filter hook input priority 0;
                udp dport 51820 ct state new,established counter accept
        }
        chain forward {
                # defaults to accept: everything may be forwarded
                type filter hook forward priority 0;
        }
        chain output {
                type filter hook output priority 0;
                udp sport 51820 ct state established counter accept
        }
}
table ip NAT {
        chain my_masquerade {
                type nat hook postrouting priority 100; policy accept;
                ip saddr { 10.0.2.0/24 } oifname "ens18" masquerade comment "outgoing NAT"
        }
}
EOF
nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
systemctl enable nftables.service
  • "51820" in the config is the port WireGuard listens on
  • "10.0.2.0/24" is the subnet of the virtual interface
  • "ens18" is the name of the outbound (WAN) interface; check yours with `ip -br link`
  • `nft -c -f` syntax-checks the file, `nft -f` loads it now, and enabling nftables.service reloads it at boot
  • None of the filter chains declares a policy, so each defaults to accept: the accept rules above only count packets and the host is as open as it was before. To actually restrict traffic, set `policy drop` on input and forward and add rules for loopback, established/related connections, and your own admin access (for example SSH) before loading the file, or you will lock yourself out of a remote server.
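The ruleset above has no policy on any filter chain, so it accepts everything and the accept rules only count packets. As an added example (not from the original article), the script below renders a default-drop version of the same ruleset for a WireGuard gateway and syntax-checks it with `nft -c` when run as root with nft installed. The WAN interface name ens18, SSH on tcp/22, the VPN subnet 10.0.2.0/24, the WireGuard port and the output path are assumptions passed as parameters; keep the SSH rule (or an equivalent for whatever you use to administer the box), because with `policy drop` on input anything not listed is silently dropped.

```shell
#!/bin/sh
# Added example (not from the original article): render a default-drop
# nftables ruleset for a WireGuard gateway and syntax-check it.
# Assumptions: WAN interface ens18, SSH on tcp/22, VPN subnet 10.0.2.0/24,
# WireGuard on udp/51820; all of them are parameters of render_ruleset.
set -eu

# render_ruleset WAN_IF WG_PORT VPN_NET SSH_PORT
# Prints the ruleset to stdout. Unlike the original, input and forward
# default to drop, so every allowed flow has to be listed explicitly.
render_ruleset() {
    wan_if=$1; wg_port=$2; vpn_net=$3; ssh_port=$4
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport ${ssh_port} accept comment "admin access; without this rule you lock yourself out"
        udp dport ${wg_port} accept comment "WireGuard"
        icmp type echo-request accept
        meta l4proto ipv6-icmp accept comment "IPv6 neighbour discovery"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "wg0" oifname "${wan_if}" ip saddr ${vpn_net} accept comment "VPN clients to the internet"
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr ${vpn_net} oifname "${wan_if}" masquerade comment "outgoing NAT"
    }
}
EOF
}

# write_and_check PATH WAN_IF WG_PORT VPN_NET SSH_PORT
# Writes the ruleset to PATH (mode 0600) and, when nft is installed and we
# are root, runs `nft -c -f` to validate the syntax without loading anything.
write_and_check() {
    path=$1; shift
    umask 077
    render_ruleset "$@" > "$path"
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$path"
    fi
}

# Usage: sh wg-nft.sh --write /etc/nftables.conf.new
# Review the file, then load it with: nft -f /etc/nftables.conf.new
if [ "${1:-}" = "--write" ]; then
    write_and_check "${2:-/etc/nftables.conf.new}" ens18 51820 10.0.2.0/24 22
fi
```

Render to a separate path first and diff it against the running ruleset (`nft list ruleset`). When loading a default-drop ruleset on a remote machine, do it from a console session or keep a second shell running a timed rollback (`sleep 120 && nft -f /etc/nftables.conf`) so a mistake in the SSH rule does not cut you off.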

7. Allow a client to connect (add the client's public key)

wg set wg0 peer CLIENT01_PUBLIC_KEY allowed-ips 10.0.2.2/32

echo 'up wg set wg0 peer CLIENT01_PUBLIC_KEY allowed-ips 10.0.2.2/32' >> /etc/network/interfaces.d/wg0
  • CLIENT01_PUBLIC_KEY: the client's public key, generated on the client the same way as in step 3; only the public key is copied to the server, the private key never leaves the client
  • 10.0.2.2/32: the address this client uses inside the VPN. On the server, allowed-ips is the cryptokey-routing table and source ACL: the server accepts packets from this peer only if their source is 10.0.2.2, and sends only traffic for 10.0.2.2 to it. Do not use 0.0.0.0/0 here: it would let the client send packets with any source address, and because an allowed IP can belong to only one peer, adding a second client with 0.0.0.0/0 would silently take the range away from the first. 0.0.0.0/0 belongs in the client's own config, where it means "route everything through the tunnel".
  • The first command adds the peer to the running interface; the echoed `up` line makes ifupdown re-add it on every `ifup wg0`. Alternatively, add the peer to /etc/wireguard/wg0.conf as a [Peer] section with PublicKey and AllowedIPs, which the `pre-up wg setconf` line already loads.
  • Bring the interface up with `ifup wg0` and verify with `wg show wg0`; once the client has sent a handshake, its entry shows a recent "latest handshake" and non-zero transfer counters.
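The procedure above registers one client by hand and leaves the client-side config to the reader. The script below is an added example, not code from the original article: it allocates the next free VPN address from the server's current `wg show wg0 allowed-ips` output, generates the client's key pair on the server, appends a [Peer] stanza to /etc/wireguard/wg0.conf (which the `pre-up wg setconf` line loads at every ifup, so no `up wg set` line is needed), registers the peer live with `wg set`, and writes a matching wg-quick config for the client. The /32 on the server side and the 0.0.0.0/0 on the client side show where each value belongs. The VPN subnet 10.0.2.0/24 with the server on .1, the client config directory /etc/wireguard/clients/, the DNS server 9.9.9.9 and the endpoint vpn.example.com:51820 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): add one client to the
# server so that it survives reboots and keeps cryptokey routing tight.
# Assumptions: VPN subnet 10.0.2.0/24 with the server on .1, client configs
# stored under /etc/wireguard/clients/, DNS 9.9.9.9 pushed to clients.
set -eu

# next_free_ip PREFIX USED
# PREFIX is the first three octets ("10.0.2"); USED is the output of
# `wg show wg0 allowed-ips` (one "PUBKEY<TAB>CIDR ..." line per peer).
# Prints the lowest unused host from .2 to .254 (.1 belongs to the server).
next_free_ip() {
    prefix=$1; used=$2; n=2
    while [ "$n" -le 254 ]; do
        pat=$(printf '%s' "$prefix.$n/32" | sed 's/\./\\./g')
        if ! printf '%s\n' "$used" | grep -Eq "[[:space:]]$pat([[:space:]]|\$)"; then
            printf '%s\n' "$prefix.$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free address in $prefix.0/24" >&2
    return 1
}

# render_server_peer NAME PUBKEY IP
# Server-side [Peer] stanza for wg0.conf. AllowedIPs is a /32: the server
# accepts packets from this peer only with that source address and routes
# only that address to it. 0.0.0.0/0 here would allow source spoofing and
# would be taken over by the next peer configured with the same value.
render_server_peer() {
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# render_client_conf NAME PRIVKEY IP SERVER_PUBKEY ENDPOINT
# Client-side wg-quick config. Here 0.0.0.0/0 is correct: the client sends
# all its traffic through the tunnel and the server masquerades it.
render_client_conf() {
    cat <<EOF
# $1
[Interface]
PrivateKey = $2
Address = $3/24
DNS = 9.9.9.9

[Peer]
PublicKey = $4
Endpoint = $5
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# add_client NAME ENDPOINT
# Generates the client key pair, allocates an address, registers the peer
# both live and in wg0.conf, and writes the client config with mode 0600.
# Run as root on the server; prints the path of the client config.
add_client() {
    name=$1; endpoint=$2
    ip=$(next_free_ip 10.0.2 "$(wg show wg0 allowed-ips)")
    umask 077
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    server_pub=$(wg show wg0 public-key)
    render_server_peer "$name" "$pub" "$ip" >> /etc/wireguard/wg0.conf
    wg set wg0 peer "$pub" allowed-ips "$ip/32"
    mkdir -p /etc/wireguard/clients
    render_client_conf "$name" "$priv" "$ip" "$server_pub" "$endpoint" \
        > "/etc/wireguard/clients/$name.conf"
    printf '%s\n' "/etc/wireguard/clients/$name.conf"
}

# Usage: sh add-client.sh --add laptop vpn.example.com:51820
if [ "${1:-}" = "--add" ]; then
    add_client "$2" "$3"
fi
```

Copy the printed client config to the client over a secure channel and delete the server-side copy once it has been delivered, since it contains the client's private key; on the client, `wg-quick up ./laptop.conf` brings the tunnel up.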