[toc]

介紹

wireguard與openVPN赖阻、strongswanVPN、ipsecVPN的優(yōu)劣請自行百度踱蠢，總的一句wireguard很好用火欧，配置簡單，短小精悍茎截，Linus很喜歡苇侵，多平臺支持，你值得擁有企锌。唯一不好的是可能容易被墻榆浓。
本文主要介紹在幾種場景下的配置方法。

安裝

參考：

https://www.wireguard.com/install/
https://www.wireguard.com/quickstart/

以下為在centos下的安裝方法：

yum update -y
yum install epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum install yum-plugin-elrepo
yum install kmod-wireguard wireguard-tools
reboot

配置

服務(wù)器信息：
公網(wǎng)信息：5.5.5.5:51820 (dnat)
vpn peer ip： 172.30.0.1
服務(wù)器內(nèi)部網(wǎng)段：10.1.0.0/16
公鑰： dLssYxxxxxxxxxxxxxxxxxZq98NQKOivi3MN/VM=

客戶端信息：
客戶端在adsl內(nèi)網(wǎng)撕攒，不能公網(wǎng)訪問
vpn peer ip： 172.30.0.2
客戶端內(nèi)部網(wǎng)段：192.168.0.0/16
公鑰： PTr03Yp2MxxxxxxxxxxxxxxxxxFwVRUl2ZNXfLTA=

server

# 1陡鹃、設(shè)置網(wǎng)卡
ip link add wg0 type wireguard    # 自動(dòng)處理內(nèi)核模塊加載
ip address add 172.30.0.1/24 dev wg0

# 2烘浦、生成秘鑰
wg genkey > private.key
wg pubkey < private.key   # 查看公鑰>

# 用法：Usage: wg set <interface> [listen-port <port>] [fwmark <mark>] [private-key <file path>]  [peer <base64 public key> [remove] [preshared-key <file path>] [endpoint <ip>:<port>] [persistent-keepalive <interval seconds>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...] ]...

# 3、設(shè)置本地wg0網(wǎng)卡偵聽端口與私鑰
wg  set wg0  listen-port 51820  private-key ./private.key

# 4萍鲸、設(shè)置客戶端公鑰及允許客戶端訪問服務(wù)器的ip范圍闷叉，多個(gè)時(shí)以逗號分隔（客戶端需要生成相關(guān)信息才可執(zhí)行下面的命令，方法同上）脊阴；設(shè)置保持連接（peer在nat防火墻后面的或者是動(dòng)態(tài)地址的需要加上握侧，服務(wù)器端一般有固定地址，所以不需要）
wg  set wg0  peer PTr03Yp2Mhd2GEUN2KjrRJMVAn0JbFwVRUl2ZNXfLTA=  allowed-ips 172.30.0.2/32

# 5蹬叭、激活網(wǎng)卡
ip link set wg0 up
wg

client

# 1藕咏、設(shè)置網(wǎng)卡
ip link add wg0 type wireguard    # 自動(dòng)處理內(nèi)核模塊加載
ip address add 172.30.0.2/24 dev wg0

# 2、生成秘鑰
wg genkey > private.key
wg pubkey < private.key  # 查看公鑰>

# 3秽五、設(shè)置本地wg0網(wǎng)卡偵聽端口與私鑰孽查，偵聽端口不用設(shè)置，因?yàn)榭蛻舳瞬恍枰粍e人主動(dòng)連接坦喘，會自動(dòng)使用一個(gè)隨機(jī)端口
wg  set wg0  private-key ./private.key
# 以上部分和服務(wù)器端設(shè)置是一樣的

# 4盲再、設(shè)置服務(wù)器端公鑰；設(shè)置允許服務(wù)器訪問客戶端的ip范圍（服務(wù)器端需要生成相關(guān)信息才可執(zhí)行下面的命令）瓣铣；設(shè)置保持連接（nat防火墻后面需要加上）答朋；設(shè)置服務(wù)器地址與端口
wg  set wg0  peer dLssY8xxxxxxxxxxxxxxxxx8NQKOivi3MN/VM=  persistent-keepalive 25  allowed-ips 172.30.0.1/32  endpoint 5.5.5.5:51820

# 5、激活網(wǎng)卡
ip link set wg0 up
wg

使用場景

前面只是點(diǎn)到點(diǎn)的基本場景棠笑，是最簡單的使用場景梦碗，下面我們再探討下其他使用場景

場景1：PC-to-LAN

# 允許客戶端訪問服務(wù)器端所有局域網(wǎng)（即PC-to-LAN，一般采用這種模式）
# 基于基本場景還需執(zhí)行以下設(shè)置：

## on server：
# 添加vpn網(wǎng)段路由到服務(wù)器端企業(yè)路由器
# 172.30.0.0/24 via [本機(jī)的局域網(wǎng)ip]

## on client：
# 添加server端網(wǎng)段到本機(jī)路由表
ip route add 10.1.0.0/16 via 172.30.0.1
...
# 允許server端網(wǎng)絡(luò)訪問client端（無需ip link down + up蓖救；這里0.0.0.0/0代表所有網(wǎng)絡(luò)）
wg  set wg0  peer dLssxxxxxxxxxxxxxxxxxq98NQKOivi3MN/VM=  persistent-keepalive 25  allowed-ips 172.30.0.1/32,0.0.0.0/0  endpoint 192.168.11.29:51820

場景2：LAN-to-LAN

# 將兩邊的局域網(wǎng)連成一個(gè)整體的局域網(wǎng)（即LAN-to-LAN）
# 基于基本場景還需執(zhí)行以下設(shè)置：

## on server：
# 添加vpn網(wǎng)段路由到服務(wù)器端企業(yè)路由器
# 172.30.0.0/24  via [本機(jī)的局域網(wǎng)ip]
# 添加client端網(wǎng)段路由到服務(wù)器端企業(yè)路由器
# 192.168.2.0/24 via [本機(jī)的局域網(wǎng)ip]
# ...
# 添加client端網(wǎng)段路由到本機(jī)路由表
ip route add 192.168.0.0/16  via 172.30.0.2
...
# 允許client端訪問server端網(wǎng)絡(luò)（無需ip link down + up）
wg  set wg0  peer VbR3Kxgxxxxxxxxxxxxxxxxxzq3H4ebdgTng=  allowed-ips 172.30.0.2/32,192.168.0.0/24

## on client：
# 添加vpn網(wǎng)段路由到客戶端企業(yè)路由器
# 172.30.0.0/24  via [本機(jī)的局域網(wǎng)ip]
# 添加server端網(wǎng)段路由到客戶端企業(yè)路由器
# 10.1.0.0/16 via [本機(jī)的局域網(wǎng)ip]
# ...
# 添加server端網(wǎng)段路由到本機(jī)路由表
ip route add 10.1.0.0/16 via 172.30.0.1
...
# 允許server端訪問client端網(wǎng)絡(luò)（無需ip link down + up洪规；0.0.0.0/0代表所有網(wǎng)絡(luò)）
wg  set wg0  peer dLssxxxxxxxxxxxxxxxxx98NQKOivi3MN/VM=  persistent-keepalive 25  allowed-ips 172.30.0.1/32,0.0.0.0/0  endpoint 5.5.5.5:51820

手機(jī)端

• 路由的ip地址（段）：就是allowed-ips，不僅僅是字面意義的路由表
• persistent-keepalive連接毖啵活間隔建議開啟：25斩例，否則從服務(wù)器端ping手機(jī)端地址ping不通：

# ping  172.30.0.12
PING 172.30.0.12 (172.30.0.12) 56(84) bytes of data.
From 172.30.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required

• 其他：略

防火墻策略

# 如果server端啟用了系統(tǒng)防火墻，比如：firewalld.service从橘，你可能需要開啟一些端口念赶，比如：

# 將網(wǎng)卡加入到public區(qū)域，默認(rèn)策略允許ping：
firewall-cmd --zone=public --add-interface=wg0
# 開放wireguard偵聽端口51820/udp
firewall-cmd --zone=public --add-port=51820/udp

# 允許客戶端172.30.0.2訪問服務(wù)器端局域網(wǎng)的10.1.3.77:80
firewall-cmd --direct --add-rule   ipv4 filter FORWARD 1 -p tcp -d 10.1.3.77 --dport 80 -s 172.30.0.2 -j ACCEPT
# 允許客戶端172.30.0.2訪問服務(wù)器端局域網(wǎng)的所有服務(wù)器的80端口
firewall-cmd --direct --add-rule   ipv4 filter FORWARD 1 -p tcp --dport 80 -s 172.30.0.2 -j ACCEPT
# 允許客戶端172.30.0.2訪問服務(wù)器端局域網(wǎng)的所有服務(wù)器的所有端口
firewall-cmd --direct --add-rule   ipv4 filter FORWARD 1 -p tcp  -s 172.30.0.2 -j ACCEPT


# 允許客戶端172.30.0.2訪問服務(wù)器端的81端口
firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.30.0.2   port port=81 protocol=tcp accept'

# 允許所有人訪問服務(wù)器端的82端口
firewall-cmd --add-port=82/tcp

日常使用

用法：Usage: wg-quick [ up | down | save | strip ] [ CONFIG_FILE | INTERFACE ]

# 保存配置恰力，這種指令行方式更加可控叉谜，最好不要直接編輯/etc/wireguard/wg0.conf中的配置文件
touch  /etc/wireguard/wg0.conf
wg-quick save wg0
    #或: wg showconf wg0 > /etc/wireguard/wg0.conf 
    #如果peer在nat后面的可能需要?jiǎng)h除相關(guān)Endpoint信息，因?yàn)槟鞘遣荒鼙恢鲃?dòng)訪問的

# 啟動(dòng)/停止
wg-quick up   wg0                #自動(dòng)選擇配置文件'/etc/wireguard/wg0.conf'
wg-quick up   /path/to/wg0.conf  #指定路徑
wg-quick down wg0

# 刪除peer
wg set wg0 peer $(cat cpublickey1) remove

客戶端使用wg-quick的反應(yīng)

他擁有wg沒有的功能踩萎，wg-quick是一個(gè)sh腳本
以下是使用wg-quick前后的變化

# cat /etc/wireguard/wg5.conf 
[Interface]
Address = 172.30.5.11/24
ListenPort = 52235
PrivateKey = kET16oZ4DOmsvflMxxxxxxxxxxxxxxxxxYZK0RdF0s=
DNS = 8.8.8.8
[Peer]
PublicKey = dLssY8S+xxxxxxxxxxxxxxxxxq98NQKOivi3MN/VM=
AllowedIPs = 0.0.0.0/0
Endpoint = 11.21.31.94:51820
PersistentKeepalive = 25
#
# wg-quick up wg5
[#] ip link add wg5 type wireguard
[#] wg setconf wg5 /dev/fd/63
[#] ip -4 address add 172.30.5.11/24 dev wg5
[#] ip link set mtu 1420 up dev wg5
[#] resolvconf -a tun.wg5 -m 0 -x
[#] wg set wg5 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg5 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
#
# cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8      #---新加的
nameserver 127.0.1.1
#
# ip rule list
0:  from all lookup local 
218:    from all lookup main suppress_prefixlength 0    #---新加的 
219:    not from all fwmark 0xca6c lookup 51820         #---新加的正罢，0xca6c即51820
32766:  from all lookup main 
32767:  from all lookup default
#
# ip route list table 51820
default dev wg5  scope link       #---新加的
#
# ip route list     #---即:ip route list table main
default via 192.168.43.1 dev wlp2s0  proto static  metric 600 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-542d8a49cc45  proto kernel  scope link  src 172.18.0.1 linkdown 
172.30.5.0/24 dev wg5  proto kernel  scope link  src 172.30.5.11                      #---新加的 
192.168.43.0/24 dev wlp2s0  proto kernel  scope link  src 192.168.43.19  metric 600 
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1 linkdown 
#
# iptables -t mangle -L 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
CONNMARK   udp  --  anywhere             anywhere             /* wg-quick(8) rule for wg5 */ CONNMARK restore      #---新加的

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
CONNMARK   udp  --  anywhere             anywhere             mark match 0xca6c /* wg-quick(8) rule for wg5 */ CONNMARK save      #---新加的
CHECKSUM   udp  --  anywhere             anywhere             udp dpt:bootpc CHECKSUM fill
#
# wg-quick down wg5
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg5
[#] resolvconf -d tun.wg5 -f
[#] iptables-restore -n

配置文件解析

參考：https://manpages.debian.org/unstable/wireguard-tools/wg-quick.8.en.html
文件默認(rèn)路徑為/etc/wireguard/，文件名為接口名.conf，比如wg0.conf
如下：

[Interface] 
Address = 10.200.100.1/24   #接口IP（v4或v6）翻具，可以多次指定履怯，逗號分隔
ListenPort = 51820          #偵聽端口
PrivateKey = oK56DE9Uexxxxxxxxxxxxxxxxx6lm7cXXsQKrQM=     #私鑰
DNS = 8.8.8.8               #多個(gè)則以逗號分隔，增加dns服務(wù)器在/etc/resolv.conf中裆泳，通過resolvconf命令進(jìn)行配置叹洲，需要安裝此包
MTU = 1420                  #設(shè)置mtu，默認(rèn)為自動(dòng)設(shè)置
#
# PreUp,  PostUp,  PreDown,  PostDown : 里面的內(nèi)容會在bash中執(zhí)行工禾，'%i'代表接口运提，這些都是wg-quick的功能
# 以加密形式存儲私鑰，例如通過使用pass（1）：
PostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)
#
# 當(dāng)[peer]里設(shè)置了'AllowedIPs = 0.0.0.0/0'時(shí)闻葵，可能會被'kill-switch'攻擊民泵，為了防止非加密數(shù)據(jù)包通過non-WireGuard接口，添加以下兩行：
PostUp =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT 
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#
# Table  : 保存到哪個(gè)路由表槽畔。off|auto栈妆，“off”禁用路由的創(chuàng)建，“auto”（默認(rèn)）將路由添加到默認(rèn)表中厢钧，這是wg-quick的功能鳞尔。
# Table，PostUp和PreDown字段的組合也可以用于策略路由
# 參考：https://www.cnblogs.com/EasonJim/p/8424731.html（Linux下ip route早直、ip rule寥假、iptables的關(guān)系）
Table = 1234 
PostUp =  ip rule add    ipproto tcp dport 22 table 1234
PreDown = ip rule delete ipproto tcp dport 22 table 1234
#
SaveConfig = false    #如果設(shè)置為“true”，則在關(guān)閉時(shí)從接口的當(dāng)前狀態(tài)保存配置

[Peer] 
PublicKey = GtL7fZc/bLnqZldpxxxxxxxxxxxxxxxxxdLx+qtKU=       #對端公鑰
PresharedKey = /UwcSPgxxxxxxxxxxxxxxxxxuURMbS0sesJEP5ak=    #設(shè)置兩端[peer]預(yù)共享key霞扬，wg genpsk
AllowedIPs = 0.0.0.0/0                  #對端可以訪問的地址范圍糕韧，如果多個(gè)則用逗號分隔。如果是0.0.0.0/0喻圃，則會自動(dòng)添加ip rule兔沃，并配置為該rule的默認(rèn)網(wǎng)關(guān)，這是wg-quick的功能
Endpoint = demo.wireguard.com:51820     #對端的地址信息级及，代表主動(dòng)連接對端，客戶端必須設(shè)置
PersistentKeepalive = 25                #保持連接

另：ip rule额衙，ip route饮焦，iptables 三者之間的關(guān)系

參考：https://www.cnblogs.com/EasonJim/p/8424731.html
例：公司內(nèi)網(wǎng)要求192.168.0.100 以內(nèi)的使用 10.0.0.1 網(wǎng)關(guān)上網(wǎng) （電信），其他IP使用 20.0.0.1 （網(wǎng)通）上網(wǎng)窍侧。

1. 首先要在網(wǎng)關(guān)服務(wù)器上添加一個(gè)默認(rèn)路由县踢，當(dāng)然這個(gè)指向是絕大多數(shù)的IP的出口網(wǎng)關(guān)：ip route add default gw 20.0.0.1
2. 之后通過 ip route 添加一個(gè)路由表：ip route add table 3 via 10.0.0.1 dev ethX #---(ethx 是 10.0.0.1 所在的網(wǎng)卡, 3 是路由表的編號)
3. 之后添加 ip rule 規(guī)則：ip rule add fwmark 3 table 3 #---（fwmark 3 是標(biāo)記，table 3 是路由表3 上邊伟件。 意思就是凡事標(biāo)記了 3 的數(shù)據(jù)使用 table3 路由表）

4. 之后使用 iptables 給相應(yīng)的數(shù)據(jù)打上標(biāo)記：iptables -A PREROUTING -t mangle -i eth0 -s 192.168.0.1-192.168.0.100 -j MARK --set-mark 3

   
   
   Network圖

wg-quick

$ wg-quick --help
Usage: wg-quick [ up | down | save | strip ] [ CONFIG_FILE | INTERFACE ]

  CONFIG_FILE is a configuration file, whose filename is the interface name
  followed by '.conf'. Otherwise, INTERFACE is an interface name, with
  configuration found at /etc/wireguard/INTERFACE.conf. It is to be readable
  by wg(8)'s 'setconf' sub-command, with the exception of the following additions
  to the [Interface] section, which are handled by wg-quick:
  - Address: may be specified one or more times and contains one or more
    IP addresses (with an optional CIDR mask) to be set for the interface.
  - DNS: an optional DNS server to use while the device is up.
  - MTU: an optional MTU for the interface; if unspecified, auto-calculated.
  - Table: an optional routing table to which routes will be added; if
    unspecified or 'auto', the default table is used. If 'off', no routes
    are added.
  - PreUp, PostUp, PreDown, PostDown: script snippets which will be executed
    by bash(1) at the corresponding phases of the link, most commonly used
    to configure DNS. The string '%i' is expanded to INTERFACE.
  - SaveConfig: if set to 'true', the configuration is saved from the current
    state of the interface upon shutdown.
See wg-quick(8) for more info and examples.

wg

$ wg --help
Usage: wg <cmd> [<args>]

Available subcommands:
  show: Shows the current configuration and device information
  showconf: Shows the current configuration of a given WireGuard interface, for use with 'setconf'
  set: Change the current configuration, add peers, remove peers, or change peers
  setconf: Applies a configuration file to a WireGuard interface
  addconf: Appends a configuration file to a WireGuard interface
  syncconf: Synchronizes a configuration file to a WireGuard interface
  genkey: Generates a new private key and writes it to stdout
  genpsk: Generates a new preshared key and writes it to stdout
  pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass '--help' to any of these subcommands to view usage.

$ wg setconf --help
Usage: wg setconf <interface> <configuration filename>

wg addconf wg0 <(wg-quick strip wg0)   # ??