android

Install WireGuard from F-Droid: https://f-droid.org/en/packages/com.wireguard.android/
Tap the + button in the bottom-right corner to create a new tunnel.
Enter a tunnel name, then tap the refresh button next to the private key field to generate a key pair on the phone. Send only the public key to the other side and run wg set… on the server to register the phone as a peer; the private key never has to leave the device.

Client (Interface)

Addresses: 192.168.53.xx/32 (the phone's tunnel address)  DNS servers: 192.168.50.1  MTU: 1200

Add peer

Public key: the server's public key  Endpoint: xxx.wiloon.com:51xxx  Allowed IPs (what gets routed into the tunnel): 0.0.0.0/0

install

arch

pacman -Syu
pacman -S wireguard-tools
# Out-of-tree kernel module; only needed on kernels older than 5.6, WireGuard is in mainline since 5.6
pacman -S wireguard-arch

# Check that the module is loaded, load it if not
lsmod | grep wireguard
sudo modprobe wireguard

debian

# Pull wireguard from unstable but pin unstable low so nothing else is upgraded from it.
# Only needed on releases before bullseye; since Debian 11 `apt install wireguard` from main is enough.
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | sudo tee /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install wireguard

Generate keys (peer A / peer B, repeat the same steps for peer_B)

# Generate the private key; the file must not be world-readable (chmod 600, or run umask 077 first)
wg genkey > peer_A.key
chmod 600 peer_A.key
# Derive the public key from the private key
wg pubkey < peer_A.key > peer_A.pub

# Generate both in one go (the key file is still created with the current umask, so chmod 600 it afterwards)
wg genkey | tee peer_A.key | wg pubkey > peer_A.pub

# Optional symmetric preshared key, one per pair of peers; the same file is set on both A and B
# (preshared-key in wg set, PresharedKey in the config) as an extra layer on top of the Curve25519 handshake
wg genpsk > peer_A-peer_B.psk

parameters

# allowed-ips: the IPs/prefixes that are routed to this peer, and at the same time the only source
# addresses accepted from it (cryptokey routing): decrypted packets from the peer whose source
# address is not in its allowed-ips are dropped
allowed-ips

# Route all traffic to the peer
allowed-ips 0.0.0.0/0

# Route a single IP to the peer
allowed-ips 192.168.53.1/32

# Route several IPs/prefixes to the peer (comma-separated, no spaces)
allowed-ips 192.168.53.1/32,192.168.50.0/24

Peer A setup

sudo ip link add dev wg0 type wireguard
sudo ip addr add 192.168.53.1/24 dev wg0
# ./privatekey is peer A's private key file generated above (peer_A.key)
sudo wg set wg0 private-key ./privatekey
sudo wg set wg0 listen-port 9000

# When A is used as the server, peer B's IP and port are usually dynamic, so no endpoint is configured;
# A learns B's endpoint from B's first authenticated handshake
sudo wg set wg0 peer <PEER_B_PUBLIC_KEY> persistent-keepalive 25 allowed-ips 192.168.53.2/32
# Alternatively, when peer B has a fixed IP and port, set the endpoint
# (running wg set again for the same public key updates that peer instead of adding a second one)
sudo wg set wg0 peer <PEER_B_PUBLIC_KEY> persistent-keepalive 25 allowed-ips 192.168.53.2/32 endpoint 192.168.50.115:9000
sudo ip link set wg0 up

peer B

sudo ip link add dev wg0 type wireguard
sudo ip addr add 192.168.53.2/24 dev wg0
sudo wg set wg0 private-key ./privatekey

# Listen port, so that peer A can initiate handshakes to B as well. When B is only a client (it always
# initiates) this step can be skipped and the kernel picks a random source port.
# allowed-ips is a per-peer option and belongs on the peer line below, not here.
sudo wg set wg0 listen-port 9000

# Every IP packet leaving wg0 is encrypted for peer A. wg set only fills the cryptokey routing table;
# the kernel routes (ip route add ... dev wg0) still have to be added separately, wg-quick does both.
sudo wg set wg0 peer <PEER_A_PUBLIC_KEY> persistent-keepalive 25 allowed-ips 0.0.0.0/0 endpoint 192.168.50.215:9000
sudo ip link set wg0 up

Add routes

# With plain wg set no routes are installed for the allowed-ips, so add them by hand.
# When routing 0.0.0.0/0 through wg0, keep a more specific route to the peer's endpoint via the real
# uplink, otherwise the encrypted packets themselves get routed into the tunnel.
sudo ip route add 192.168.50.0/24 dev wg0
sudo ip route add fd7b:d0bd:7a6e::/64 dev wg0

remove peer

sudo wg set wg0 peer <PEER_A_PUBLIC_KEY> remove

config file

/etc/wireguard/wg0.conf

Save the running configuration to a file (as root)

# wg showconf dumps the private key in clear, so the file must stay root-only (umask 077 / chmod 600).
# It writes only the wg-level settings (PrivateKey, ListenPort, the peers); wg-quick additionally
# needs Address = 192.168.53.1/24 (and optionally DNS =) in [Interface], which has to be added by hand.
wg showconf wg0 > /etc/wireguard/wg0.conf
# wg-quick creates the interface, assigns Address and adds a route for every AllowedIPs.
# Bring the manually created wg0 down first, otherwise wg-quick up fails because wg0 already exists.
wg-quick up wg0
wg-quick down wg0
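The allowed-ips section above describes cryptokey routing in words, and the config file section warns that wg showconf output lacks Address. The following is an added example (not code from this page or from the WireGuard project) that models both: it parses wg-quick style configs, performs the longest-prefix lookup the kernel does for outgoing and incoming packets, and flags the two mistakes that bite in practice: a prefix assigned to two peers (wg silently keeps it for the peer loaded last) and a dumped config without Address. The two configs are constructed samples reusing this page's addresses; all key values are placeholders.

```python
"""Cryptokey-routing checks for wg-quick style configs (added example)."""
import ipaddress

# Constructed sample: peer A's server config. Keys are placeholders, not real keys.
SERVER_CONF = """\
[Interface]
Address = 192.168.53.1/24
ListenPort = 9000
PrivateKey = PEER_A_PRIVATE_KEY_PLACEHOLDER

[Peer]
# peer B
PublicKey = PEER_B_PUBLIC_KEY
PresharedKey = PEER_A_PEER_B_PSK_PLACEHOLDER
AllowedIPs = 192.168.53.2/32

[Peer]
# peer C, mistakenly also given B's tunnel address
PublicKey = PEER_C_PUBLIC_KEY
AllowedIPs = 192.168.53.3/32, 192.168.53.2/32
"""

# Constructed sample shaped like `wg showconf wg0` output: no Address line.
SHOWCONF_SAMPLE = """\
[Interface]
ListenPort = 9000
PrivateKey = PEER_A_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = PEER_B_PUBLIC_KEY
AllowedIPs = 192.168.53.2/32
"""


def parse_conf(text):
    """Return {'interface': {...}, 'peers': [{...}, ...]}; keys lower-cased, comments dropped."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return {"interface": interface, "peers": peers}


def peer_table(conf):
    """[(pubkey, [ip_network, ...]), ...] in file order, the order wg loads peers."""
    table = []
    for peer in conf["peers"]:
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("allowedips", "").split(",") if n.strip()]
        table.append((peer["publickey"], nets))
    return table


def lookup(table, addr):
    """Longest-prefix match over all peers' AllowedIPs, like the kernel's cryptokey
    routing table. A prefix listed verbatim under two peers is owned by the peer
    loaded last, so ties go to the later entry."""
    addr = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for pubkey, nets in table:
        for net in nets:
            if addr in net and net.prefixlen >= best_len:
                best, best_len = pubkey, net.prefixlen
    return best


def route_outgoing(table, dst):
    """Peer an outgoing packet to dst is encrypted for; None means it is dropped."""
    return lookup(table, dst)


def accept_incoming(table, pubkey, src):
    """A decrypted packet is kept only if its source maps back to the peer that sent it."""
    return lookup(table, src) == pubkey


def duplicate_allowed_ips(table):
    """Prefixes listed under more than one peer; wg keeps each for the last peer only."""
    owners = {}
    for pubkey, nets in table:
        for net in nets:
            owners.setdefault(net, []).append(pubkey)
    return {str(net): ps for net, ps in owners.items() if len(ps) > 1}


def lint(conf):
    """Problems worth catching before `wg-quick up`."""
    problems = []
    if "address" not in conf["interface"]:
        problems.append("no Address= in [Interface]: wg showconf omits it, wg-quick requires it")
    for net, owners in duplicate_allowed_ips(peer_table(conf)).items():
        problems.append(f"{net} is listed for {len(owners)} peers; wg keeps it for {owners[-1]}")
    return problems


if __name__ == "__main__":
    table = peer_table(parse_conf(SERVER_CONF))
    print("packet to 192.168.53.2 goes to", route_outgoing(table, "192.168.53.2"))
    print("packet from B with src 192.168.53.2 accepted:",
          accept_incoming(table, "PEER_B_PUBLIC_KEY", "192.168.53.2"))
    for name, text in (("server", SERVER_CONF), ("showconf", SHOWCONF_SAMPLE)):
        print(name, lint(parse_conf(text)) or "ok")
```

The same silent takeover happens with the wg set commands above when a second `wg set wg0 peer … allowed-ips` reuses an address already given to another peer; `wg show wg0 allowed-ips` prints the table the kernel actually holds, which is what this lookup models.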

systemd-networkd

systemd-networkd-wait-online.service
# wg-quick implements DNS = by calling resolvconf; install one provider of it:
systemd-resolvconf
openresolv

iptables

# On peer A, to forward tunnel traffic on to the LAN/internet (also needs net.ipv4.ip_forward=1).
# If the FORWARD chain's policy is DROP, the replies going out of wg0 must be accepted too.
sudo iptables -A FORWARD -i wg0 -j ACCEPT
# NAT the tunnel clients behind the uplink interface (wlp1s0 here)
sudo iptables -t nat -A POSTROUTING -o wlp1s0 -j MASQUERADE

chromeos>crostini

On ChromeOS install WireGuard from Google Play; once connected, the VPN applies system-wide, so the Linux container (crostini) can use the tunnel as well.

crostini does not support wireguard network devices, so WireGuard cannot be run directly inside the container; install tunsafe instead: https://tunsafe.com/user-guide/linux

tunsafe install

/etc/wireguard/wg0.conf

git clone https://github.com/TunSafe/TunSafe.git
cd TunSafe
sudo apt-get install clang-6.0
make
sudo make install
# Run in the foreground
sudo tunsafe start TunSafe.conf
# Run as a daemon
sudo tunsafe start -d TunSafe.conf

tunsafe config file

[Interface]
PrivateKey = <private_key>
DNS = 192.168.50.1
# TunSafe-specific option: block DNS traffic that would bypass the tunnel
BlockDNS = true

# Address of the virtual interface (subnet mask optional)
Address = 192.168.53.3/24

[Peer]
PublicKey = <public_key>

# Only packets for 192.168.53.1 go through the VPN to the server (/32, a /24 would send the whole subnet)
AllowedIPs = 192.168.53.1/32

# Or: every IP packet goes to the VPN server. Use one of the two; repeated AllowedIPs lines are additive.
AllowedIPs = 0.0.0.0/0
Endpoint = <server_ip0:server_port0>
PersistentKeepalive = 25
