WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
In one sentence: a simple, fast and efficient VPN.
Installation
Ubuntu
apt update
apt install wireguard
CentOS 7
sudo yum install epel-release elrepo-release
sudo yum install yum-plugin-elrepo
sudo yum install kmod-wireguard wireguard-tools
The CentOS 7 kernel is old, so the WireGuard kernel module (kmod-wireguard) has to be installed separately; reboot after installing for it to take effect.
macOS
brew install wireguard-tools
Configuration
Server side
Generate the key pair and a pre-shared key (umask 077 keeps the files readable only by root):
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
wg genpsk > presharedkey
Make sure IPv4 forwarding is enabled on the server (net.ipv4.ip_forward=1 in /etc/sysctl.conf), otherwise it will not route client traffic.
[Interface]
PrivateKey = <Server private key>
# The server's own address inside the tunnel. Writing it as /24 tells
# wg-quick the size of the VPN subnet; clients get individual /32 addresses.
Address = 10.0.0.1/24
# UDP port the server listens on; open it in the server's firewall.
ListenPort = <server port>
# NAT the whole VPN subnet out of the server's uplink so clients can reach
# the internet through the tunnel. The source must be the client subnet
# (10.0.0.0/24), not the server's own /32, or client traffic is never NATed.
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o <uplink interface> -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o <uplink interface> -j MASQUERADE
# One [Peer] block per client, keyed by that client's public key.
[Peer]
PublicKey = <Client public key>
# Optional key known to both client and server; adds a symmetric secret
# to the handshake on top of the Curve25519 keys.
PresharedKey = <Pre-shared key from server for this client>
# On the server this is an ACL as much as a route: the only source addresses
# accepted from this peer, and the only destinations sent to it. Use the
# client's single tunnel address (/32). A /24 here would claim the whole
# subnet for this one peer and steal the routes of every other client.
AllowedIPs = 10.0.0.2/32
# No Endpoint or PersistentKeepalive is needed on the server side: it learns
# each client's address from the client's handshake.
Commands
wg-quick up wg0
wg-quick down wg0
Client side
[Interface]
PrivateKey = <Client private key>
# DNS server to use while connected, to avoid DNS leaks.
# Could be the server's tunnel address, an internal resolver, or external.
DNS = <your_server_subnet_IP>
# The client's own tunnel address. A simple client that relays no traffic
# gets a single address (/32).
Address = 10.0.0.2/32
[Peer]
PublicKey = <Server public key>
# Optional key known to both client and server; must match the server's entry
PresharedKey = <Pre-shared key from server for this client>
# Destinations routed into the tunnel. 10.0.0.0/24 reaches only the VPN
# subnet; 0.0.0.0/0 sends all traffic through the VPN.
AllowedIPs = 10.0.0.0/24
# Address of the server
Endpoint = <server IP>:<server port>
# Send periodic keepalives so the NAT mapping stays open behind NAT.
PersistentKeepalive = 25
Commands
wg-quick up wg0
wg-quick down wg0
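The AllowedIPs lines in the two configs above are the part people get wrong, so here is a small model of WireGuard's cryptokey routing table, written for this page (it is not WireGuard code and not part of the original post). It shows three things: every entry is normalised to a network (10.0.0.2/24 is the whole 10.0.0.0/24, and the same happens to IPv6 prefixes, fd42::1/8 being all of fd00::/8); an address can belong to only one peer, so two clients written with /24 on the server overwrite each other; and the table is also an inbound ACL, so a packet whose source address is not in the sending peer's AllowedIPs is dropped. The peer names are made up for the demonstration.

```python
# Added example (not from the original post, not WireGuard's own code):
# a model of the cryptokey routing table behind AllowedIPs.
import ipaddress


def normalize(cidr):
    """Turn 'addr/prefix' into the network WireGuard actually installs.
    Host bits are discarded: 10.0.0.2/24 becomes 10.0.0.0/24."""
    return ipaddress.ip_network(cidr, strict=False)


class CryptokeyRouter:
    def __init__(self):
        self.table = {}  # network -> peer name

    def add_peer(self, name, allowed_ips):
        for cidr in allowed_ips:
            net = normalize(cidr)
            # An allowed IP belongs to exactly one peer: assigning it to a
            # later peer silently takes it away from the earlier one.
            self.table[net] = name

    def route(self, dst):
        """Peer chosen for an outbound packet: longest-prefix match, or None."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, peer in self.table.items():
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accept_inbound(self, peer, src):
        """A decrypted packet is kept only if its source address routes back
        to the peer that sent it: AllowedIPs is an ACL, not just a route."""
        return self.route(src) == peer


def broken_server_table():
    """Server [Peer] entries written with /24, as in the original config."""
    r = CryptokeyRouter()
    r.add_peer("laptop", ["10.0.0.2/24"])   # constructed peer names
    r.add_peer("phone", ["10.0.0.3/24"])
    return r


def fixed_server_table():
    """Server [Peer] entries with one /32 per client."""
    r = CryptokeyRouter()
    r.add_peer("laptop", ["10.0.0.2/32"])
    r.add_peer("phone", ["10.0.0.3/32"])
    return r


if __name__ == "__main__":
    print(normalize("10.0.0.2/24"))   # 10.0.0.0/24
    print(normalize("fd42::1/8"))     # fd00::/8, the entire ULA range
    broken = broken_server_table()
    # both /24 entries collapsed to 10.0.0.0/24 and the last peer won:
    print(broken.route("10.0.0.2"))   # phone
    fixed = fixed_server_table()
    print(fixed.route("10.0.0.2"), fixed.route("10.0.0.3"))  # laptop phone
    # the phone sending a packet with the laptop's source address is dropped
    print(fixed.accept_inbound("phone", "10.0.0.2"))  # False
```

The same check can be done against a live interface: `wg show wg0 allowed-ips` prints the normalised networks per peer, so a server peer showing 10.0.0.0/24 instead of 10.0.0.2/32 is the misconfiguration modelled by broken_server_table.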
How to support IPv6
See the following server configuration:
[Interface]
PrivateKey = <server private key>
Address = 10.0.0.1/32,fd42::1/128
ListenPort = 8888
# Masquerade the IPv4 client subnet and the IPv6 tunnel prefix. The IPv6 source
# must be the tunnel prefix (fd42::/16); writing fd42::1/8 matches all of fd00::/8.
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE && ip6tables -t nat -A POSTROUTING -s fd42::/16 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -j MASQUERADE && ip6tables -t nat -D POSTROUTING -s fd42::/16 -j MASQUERADE
SaveConfig = false
[Peer]
# phone
PublicKey = <phone public key>
PresharedKey = <shared key>
AllowedIPs = 10.0.0.3/32,fd42::3/128
- Peers get addresses from fd00::/8, the IPv6 unique local (private) range; here we use fd42::/16.
- Give each peer the same last digit in its IPv4 and IPv6 address, so the two are easy to match up.
NAT66 (masquerading) is used for address translation:
# add
ip6tables -t nat -A POSTROUTING -s fd42::/16 -j MASQUERADE
# delete
ip6tables -t nat -D POSTROUTING -s fd42::/16 -j MASQUERADE
Kernel network parameters, enabling IPv6 forwarding as well as IPv4:
# cat /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Done.
Finally
- WireGuard is far simpler than IPsec and OpenVPN, easy to mesh, and usable in production. For multi-site connectivity, just establish a point-to-point link between each pair of sites.
Issues
- If the endpoint is a DDNS name, the domain in Endpoint is resolved only once, when the interface comes up; after the DDNS record changes it is not resolved again, so the tunnel keeps sending to the stale IP. In site-to-site mode, let the side with the changing address initiate toward the side whose IP stays fixed; if you must connect to an ADSL exit, pair it with a script that detects DDNS changes and updates the endpoint.
- WireGuard is UDP-only, and UDP used for fq (circumvention) suffers severe QoS throttling; if you hit this, consider wrapping it in another layer that carries it over TCP to get past the QoS.
- IPv6 support currently uses NAT66; the NDP proxy approach is worth looking into when there is time.
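For the DDNS problem in the first issue above, here is the "detect DDNS changes and update the endpoint" script, written for this page (it is not from the original post; wireguard-tools ships its own contrib/reresolve-dns/reresolve-dns.sh for the same job). It parses `wg show <iface> endpoints`, which prints one tab-separated "<public key>\t<host>:<port>" line per peer, re-resolves the DDNS name, and when the address differs runs `wg set <iface> peer <key> endpoint <ip>:<port>`, which switches the endpoint without bringing the interface down. The interface name, peer key, DDNS name and the sample `wg show` output are placeholders constructed for the example; run it as root from cron or a systemd timer.

```python
# Added example (not from the original post or from wireguard-tools):
# follow a DDNS endpoint change on a running WireGuard interface.
import ipaddress
import socket
import subprocess
import sys

IFACE = "wg0"                                              # placeholder
PEER_PUBKEY = "PLACEHOLDER_PEER_PUBLIC_KEY_BASE64_44CHAR="  # placeholder
PEER_HOST = "site-a.ddns.example.invalid"                   # placeholder DDNS name
PEER_PORT = 8888

# Constructed sample of `wg show wg0 endpoints` output (tab-separated).
SAMPLE_SHOW_OUTPUT = (
    PEER_PUBKEY + "\t203.0.113.10:8888\n"
    "OTHERPEERKEY_PLACEHOLDER_BASE64_44_CHARS_00=\t(none)\n"
)


def parse_endpoints(show_output, pubkey):
    """Return (ip, port) currently set for pubkey, or None if unknown."""
    for line in show_output.splitlines():
        fields = line.split("\t")
        if len(fields) != 2 or fields[0] != pubkey or fields[1] == "(none)":
            continue
        host, _, port = fields[1].rpartition(":")   # IPv6 is shown as [addr]:port
        return host.strip("[]"), int(port)
    return None


def resolve_ipv4(hostname):
    """Resolve the DDNS name to its current IPv4 address (first A record)."""
    return socket.gethostbyname(hostname)


def plan_update(iface, pubkey, current, hostname, port, resolve=resolve_ipv4):
    """Return the `wg set` argv that follows a DDNS change, or None if the
    running endpoint already matches the resolved address."""
    new_ip = str(ipaddress.ip_address(resolve(hostname)))  # rejects garbage
    if current is not None and current == (new_ip, port):
        return None
    # wg expects IPv6 endpoints in brackets and IPv4 endpoints bare.
    endpoint = f"[{new_ip}]:{port}" if ":" in new_ip else f"{new_ip}:{port}"
    return ["wg", "set", iface, "peer", pubkey, "endpoint", endpoint]


def main():
    show = subprocess.run(["wg", "show", IFACE, "endpoints"],
                          check=True, capture_output=True, text=True).stdout
    current = parse_endpoints(show, PEER_PUBKEY)
    try:
        cmd = plan_update(IFACE, PEER_PUBKEY, current, PEER_HOST, PEER_PORT)
    except (socket.gaierror, ValueError) as exc:
        # Resolution failed: keep the endpoint we have rather than clearing it.
        print(f"could not resolve {PEER_HOST}: {exc}", file=sys.stderr)
        sys.exit(1)
    if cmd is None:
        print("endpoint unchanged:", current)
        return
    subprocess.run(cmd, check=True)
    print("endpoint updated to", cmd[-1])


if __name__ == "__main__":
    main()
```

Keep the peer's PersistentKeepalive set on the side that runs this script, so that once the endpoint is corrected the handshake is retried promptly rather than waiting for the next outbound packet.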