[WireGuard] Setup *updates paused*
Posted: 2020-12-21, 09:55
Official documentation: https://www.wireguard.com/quickstart/
PVE LXC
2020/12/29 update: https://nixvsevil.com/posts/wireguard-in-proxmox-lxc/
https://pvecli.xuan2host.com/wireguard-on-lxc-standard/
Enable NAT
Code:
# enable IPv4/IPv6 forwarding persistently, then reload the sysctl settings
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
sysctl -p
Enable TUN/TAP in the LXC: https://pvecli.xuan2host.com/lxc-enable-tun-tap/
Host side
Code:
# allow the container to use the TUN character device (major 10, minor 200)
cat >> /etc/pve/lxc/[LXC_ID].conf << EOL
lxc.cgroup.devices.allow = c 10:200 rwm
EOL
LXC side
Code:
# create the TUN device node inside the container
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 666 /dev/net/tun
WireGuard x Ubnt
WireGuard official documentation: https://github.com/WireGuard/wireguard-vyatta-ubnt
Document on building a site-to-site VPN between two EdgeRouters (not yet tested): https://gitpress.io/@chchang/site-to-si ... rticle-top
Installation
Code:
# set BOARD (router model) and RELEASE (package version) to match your device and the release page first
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb
sudo dpkg -i ${BOARD}-${RELEASE}.deb
Key setup
CentOS 7
CentOS 7 reference: https://www.hostafrica.co.za/blog/linux ... -centos-7/
Debian
Debian reference: https://www.linuxbabe.com/debian/wiregu ... ver-debian
Reference: WireGuard VPN Typical Setup
Setup steps
1. Install WireGuard on the VPN server.
2. Generate server and client keys.
3. Generate server and client configs.
4. Enable the WireGuard interface on the server.
5. Enable IP forwarding on the server.
6. Configure firewall rules on the server.
7. Configure DNS.
8. Set up WireGuard on clients.
2. Generate server and client keys
3. Generate server and client config files
wg0.conf example
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = cD+ZjXiVIX+0iSX1PNijl4a+88lCbDgw7kO78oXXLEc=
[Peer]
PublicKey = AYQJf6HbkQ0X0Xyt+cTMTuJe3RFwbuCMF46LKgTwzz4=
AllowedIPs = 10.10.10.2/32
Explanation:
Address: Specify the private IP address of the VPN server. Here I’m using the 10.10.10.0/24 network range, so it won’t conflict with your home network range (most home routers use 192.168.0.0/24 or 192.168.1.0/24). 10.10.10.1 is the private IP address of the VPN server.
PrivateKey: The private key of the VPN server, which can be found in the /etc/wireguard/server_private.key file on the server.
ListenPort: The WireGuard VPN server will listen on UDP port 51820, which is the default.
PublicKey: The public key of the VPN client, which can be found in the /etc/wireguard/client_public.key file on the client computer.
AllowedIPs: The IP addresses the VPN client is allowed to use. In this example, the client can only use the 10.10.10.2 address inside the VPN tunnel.
4. Enable the WG network interface
Errors "Unknown device type" and "Unable to access interface: Protocol not supported"
Reference: https://raspberrypi.stackexchange.com/q ... -supported
linux-headers issue
5. Set up IP forwarding
6. Set up the firewall
7. Set up DNS
8. Install WG on the client
Example
[Interface]
Address = 10.10.10.2/24
DNS = 10.10.10.1
PrivateKey = cOFA+x5UvHF+a3xJ6enLatG+DoE3I5PhMgKrMKkUyXI=
[Peer]
PublicKey = kQvxOJI5Km4S1c7WXu2UZFpB8mHGuf3Gz8mmgTIF2U0=
AllowedIPs = 0.0.0.0/0
Endpoint = 12.34.56.78:51820
PersistentKeepalive = 25
Explanation
Address: Specify the private IP address of the VPN client.
DNS: Specify 10.10.10.1 (the VPN server) as the DNS server. It will be configured via the resolvconf command. You can also specify multiple DNS servers for redundancy, like this: DNS = 10.10.10.1 8.8.8.8
PrivateKey: The client’s private key, which can be found in the /etc/wireguard/client_private.key file on the client computer.
PublicKey: The server’s public key, which can be found in the /etc/wireguard/server_public.key file on the server.
AllowedIPs: 0.0.0.0/0 represents the whole Internet, which means all traffic to the Internet should be routed via the VPN.
Endpoint: The public IP address and port number of the VPN server. Replace 12.34.56.78 with your server’s real public IP address.
PersistentKeepalive: Send an authenticated empty packet to the peer every 25 seconds to keep the connection alive. If PersistentKeepalive isn’t enabled, the VPN server might not be able to ping the VPN client.
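As an added example (my own code, not from this post or the references it links), a small Python checker for the server and client configs above: it parses the wg-quick format, flags two peers claiming the same AllowedIPs entry, and looks up which peer WireGuard's cryptokey routing would hand a destination address to. The embedded sample is the server-side wg0.conf shown in this post; the function names are my own.

```python
import ipaddress
# Constructed sample: the server-side wg0.conf shown in this post.
SERVER_CONF = """\
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = cD+ZjXiVIX+0iSX1PNijl4a+88lCbDgw7kO78oXXLEc=
[Peer]
PublicKey = AYQJf6HbkQ0X0Xyt+cTMTuJe3RFwbuCMF46LKgTwzz4=
AllowedIPs = 10.10.10.2/32
"""

def parse_wg(text):
    # Hand-rolled: every peer repeats the [Peer] header, which configparser rejects.
    iface, peers, cur = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            peers.append(cur := {})
        elif line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers

def allowed_nets(peer):
    cidrs = peer.get("AllowedIPs", "").replace(" ", "").split(",")
    return [ipaddress.ip_network(c, strict=False) for c in cidrs if c]

def lint(text):
    # Pre-flight check: if two peers claim the same AllowedIPs entry, WireGuard
    # silently moves it to the later peer and the earlier one goes dark.
    problems, claimed = [], {}
    for n, p in enumerate(parse_wg(text)[1], 1):
        for net in allowed_nets(p):
            if net in claimed:
                problems.append(f"Peer {n}: {net} already claimed by peer {claimed[net]}")
            claimed.setdefault(net, n)
    return problems

def peer_for(text, dst_ip):
    # Cryptokey routing: the longest AllowedIPs prefix containing dst_ip wins;
    # None means no peer claims it, so WireGuard drops the packet.
    ip, best = ipaddress.ip_address(dst_ip), None
    for p in parse_wg(text)[1]:
        for net in allowed_nets(p):
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, p["PublicKey"])
    return best[1] if best else None
```

`peer_for(SERVER_CONF, "10.10.10.3")` returns None, which is why the server-side /32 pins the client to exactly one tunnel address: the client cannot spoof any other source address through the tunnel.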