基于Wireguard的虚拟局域网安装配置
公网端配置
环境配置
添加sudo用户
# Create a login account and grant it sudo; replace <username> before running.
user='<username>'
adduser "$user"            # create the account
passwd "$user"             # set its password
usermod -aG sudo "$user"   # -a appends the sudo group, keeping existing groups
安装依赖与配置IP转发
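# Run as root (the sysctl.conf redirection below needs it).
# The server-side WireGuard runs inside the wg-easy container further down,
# so the host only needs resolvconf here.
apt install resolvconf -y
systemctl enable --now systemd-resolved
# Enable IP forwarding persistently. The grep guard keeps re-runs of this
# snippet from appending duplicate lines to sysctl.conf; sysctl -p applies it.
grep -qxF 'net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p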
Nginx Proxy Manager的安装配置
直接docker下安装
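# Private bridge network shared by the NPM containers (and by wg-easy below).
docker network create mynet
# MariaDB backing store for Nginx Proxy Manager.
# The bind mount is anchored at $PWD: unlike docker-compose, older docker CLI
# versions reject a relative host path such as ./data/mysql for -v, and an
# absolute path works everywhere. DB_MYSQL_USER was dropped from this
# container: on this page it is only consumed by the npm container below.
# NOTE(review): root and application user share the literal password 'aleph';
# replace both before the host is reachable from the internet.
docker run -d \
  --name=npm-db \
  --network mynet \
  -e MYSQL_ROOT_PASSWORD=aleph \
  -e MYSQL_USER=aleph \
  -e MYSQL_PASSWORD=aleph \
  -e MYSQL_DATABASE=npm \
  -v "$PWD/data/mysql:/var/lib/mysql" \
  --restart always \
  jc21/mariadb-aria:latest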
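# Nginx Proxy Manager, talking to npm-db over the mynet network.
# Bind mounts are anchored at $PWD (see the npm-db run above for why).
# NOTE(review): -p 81:81 publishes the admin UI on every host interface, and
# Docker-published ports are typically not filtered by a host ufw policy;
# use 127.0.0.1:81:81 or a firewall rule if the UI is not meant to be public.
# The DB credentials must match the ones given to npm-db.
docker run -d \
  --name=npm \
  --network mynet \
  -p 80:80 \
  -p 443:443 \
  -p 81:81 \
  -e DB_MYSQL_HOST=npm-db \
  -e DB_MYSQL_PORT=3306 \
  -e DB_MYSQL_USER=aleph \
  -e DB_MYSQL_PASSWORD=aleph \
  -e DB_MYSQL_NAME=npm \
  -v "$PWD/data:/data" \
  -v "$PWD/letsencrypt:/etc/letsencrypt" \
  --restart unless-stopped \
  jc21/nginx-proxy-manager:latest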
docker-compose.yml
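# Nginx Proxy Manager + MariaDB (docker-compose.yml). Start with: docker-compose up -d
# NOTE(review): the same literal 'aleph' is used as DB root password, app user
# and app password. Change them (e.g. read them from an .env file via ${VAR})
# before this host is exposed.
version: "3"
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80'   # Public HTTP Port
      - '443:443' # Public HTTPS Port
      # Admin Web Port. NOTE(review): bound on every interface; use
      # '127.0.0.1:81:81' or a firewall rule if the UI must not be public.
      - '81:81'
      # Add any other Stream port you want to expose
      # - '21:21' # FTP
    environment:
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "aleph"
      DB_MYSQL_PASSWORD: "aleph"
      DB_MYSQL_NAME: "npm"
      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    depends_on:
      - db
  db:
    image: 'jc21/mariadb-aria:latest'
    restart: unless-stopped
    environment:
      # Must match the DB_MYSQL_* values of the app service.
      MYSQL_ROOT_PASSWORD: 'aleph'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'aleph'
      MYSQL_PASSWORD: 'aleph'
    volumes:
      # Lives under ./data, which the app service also mounts.
      - ./data/mysql:/var/lib/mysql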
# Start the stack from the directory holding docker-compose.yml (detached).
docker-compose up -d
安装配置Wireguard
docker下安装
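# wg-easy attached to the private mynet network: only the tunnel (UDP 51820)
# is published. The web UI on 51821 is not published, so it stays reachable
# only from other containers on mynet (e.g. through Nginx Proxy Manager).
# Replace 121.40.146.x with the server's public address. The `x` in
# WG_DEFAULT_ADDRESS is wg-easy's per-client placeholder, not a typo.
# <password> is quoted so the placeholder is not parsed as a shell redirection;
# the UI password also ends up in `docker inspect` / `ps` output, so treat the
# host shell history accordingly.
# SYS_MODULE lets the container load kernel modules on the host — a broad
# capability; try dropping it on a host whose kernel already ships wireguard.
docker run -d \
  --name=wg-easy \
  --network mynet \
  -e WG_HOST=121.40.146.x \
  -e PASSWORD='<password>' \
  -e WG_DEFAULT_ADDRESS=10.10.10.x \
  -e WG_DEFAULT_DNS=8.8.8.8 \
  -e WG_ALLOWED_IPS=10.10.10.0/24 \
  -e WG_PERSISTENT_KEEPALIVE=25 \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  weejewel/wg-easy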
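# wg-easy with the web UI published directly: TCP 51821 is reachable from the
# internet and is protected only by PASSWORD over plain HTTP.
# NOTE(review): prefer the mynet variant above behind the reverse proxy (TLS),
# or restrict 51821 with a firewall rule, if remote admin access is not needed.
# Replace 121.40.146.x with the server's public address; the `x` in
# WG_DEFAULT_ADDRESS is wg-easy's per-client placeholder. <password> is quoted
# so the placeholder is not parsed as a shell redirection.
docker run -d \
  --name=wg-easy \
  -e WG_HOST=121.40.146.x \
  -e PASSWORD='<password>' \
  -e WG_DEFAULT_ADDRESS=10.10.10.x \
  -e WG_DEFAULT_DNS=8.8.8.8 \
  -e WG_ALLOWED_IPS=10.10.10.0/24 \
  -e WG_PERSISTENT_KEEPALIVE=25 \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  weejewel/wg-easy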
使用docker-compose 安装配置
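# wg-easy via docker-compose. Two values were aligned with the docker-run
# variants on this page: WG_DEFAULT_ADDRESS needs the literal `x` that wg-easy
# replaces with the client number (a fixed 10.10.10.10 would give every client
# the same address), and WG_ALLOWED_IPS must cover the client subnet
# 10.10.10.0/24 (10.8.1.0/24 would not route peer traffic through the tunnel).
version: "3.8"
services:
  wg-easy:
    environment:
      - WG_HOST=121.40.146.x        # public address of this host
      - PASSWORD=xx_password        # web UI password; change it
      - WG_DEFAULT_ADDRESS=10.10.10.x
      - WG_DEFAULT_DNS=114.114.114.114
      - WG_ALLOWED_IPS=10.10.10.0/24
    image: weejewel/wg-easy
    container_name: wg-easy
    volumes:
      # Relative to the compose project directory (the docker-run variants use
      # ~/.wg-easy); confirm the path resolves as intended on your setup.
      - .wg-easy:/etc/wireguard
    ports:
      - "51820:51820/udp"
      # Web UI published to every interface; firewall it or drop this line and
      # reach it through the reverse proxy instead.
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE   # broad host capability; try without it on kernels that ship wireguard
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1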
客户端配置
群晖Synology客户端配置
- 首先下载 synology-wireguard, 安装详细参见: https://github.com/vegardit/synology-wireguard 与 https://suzuhafan.com/synology/synology-920-install-wireguard-on-dsm7.html ;
- 安装
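# Download the package (this is the geminilake / DSM 7.1 build; pick the build
# matching your NAS platform from the release page).
wget https://github.com/vegardit/synology-wireguard/releases/download/WireGuard-1.0.20220627-DSM7.1/WireGuard-geminilake-1.0.20220627_DSM7.1.spk
# Install it.
synopkg install WireGuard-geminilake-1.0.20220627_DSM7.1.spk
# The start script generates wg0.conf; fill in the [Interface] and [Peer]
# sections afterwards (see the wg0.conf example below).
/var/packages/WireGuard/scripts/start
# Copy wg0.conf to /etc/wireguard/, creating the directory if it is missing,
# and keep the file (it holds the private key) readable by root only.
mkdir -p /etc/wireguard
cp /volume1/@appconf/WireGuard/wg0.conf /etc/wireguard/wg0.conf
chmod 600 /etc/wireguard/wg0.conf
wg-autostart enable wg0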
注:wg0.conf
[Interface]
# This NAS's private key (placeholder). Keep wg0.conf readable by root only.
PrivateKey = xxxxxxxxxxxxxxxx
# Tunnel address of the NAS inside the VPN subnet.
Address = 10.10.10.7/24
# Don't add the DNS = x.x.x.x because setting is unsupported, otherwise would report "resolvconf: command not found"
# DNS = 8.8.8.8
# Forward traffic between the tunnel (%i) and ovs_eth0 (presumably the NAS's
# LAN uplink) and masquerade what leaves via ovs_eth0; PostDown removes the
# same rules. NOTE(review): the FORWARD rules accept any traffic arriving on
# the tunnel; with AllowedIPs below only 10.10.10.0/24 sources get that far.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ovs_eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ovs_eth0 -j MASQUERADE;
[Peer]
# The wg-easy server: its public key and the preshared key from the client
# config it generated (placeholders).
PublicKey = XXXXXXXXXXXXxxxxxx
PresharedKey = XXXXXxxxXXXXXXxxxxx
# Only the VPN subnet is routed through the tunnel (split tunnel); this also
# limits which source addresses are accepted from the peer.
AllowedIPs = 10.10.10.0/24
# Keep the NAT mapping alive from behind the NAS's router (matches WG_PERSISTENT_KEEPALIVE=25).
PersistentKeepalive = 25
# Public address of the wg-easy host, UDP 51820 (placeholder).
Endpoint = 121.40.x.x:51820
启动
# Start WireGuard through the package's start script (the same script that generated wg0.conf).
/var/packages/WireGuard/scripts/start
- 启动配置
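# The original snippet had both commands collapsed onto one comment line,
# so nothing would run; one command per line.
# Bring the interface up
sudo wg-quick up wg0
# Take it down
sudo wg-quick down wg0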
- 查看连接状态
# Show the interface's peer status.
sudo wg show wg0
- 设置开机启动,群晖上面该命令和 Linux 有区别
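# The original snippet had both commands collapsed onto one comment line,
# so nothing would run; one command per line. wg-autostart is the Synology
# package's command (Linux uses systemctl enable wg-quick@wg0 instead).
# Enable start at boot
sudo wg-autostart enable wg0
# Disable start at boot
sudo wg-autostart disable wg0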
工具
Ubuntu客户端配置
安装Wireguard
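# Become root; the following commands run inside that shell.
sudo -i
# WireGuard plus resolvconf (the DNS= line in wg0.conf invokes it).
apt install wireguard resolvconf -y
# Enable IP forwarding persistently. The grep guard keeps re-runs from
# appending duplicate lines; sysctl -p applies the setting. Only needed if
# this client forwards traffic for other hosts; otherwise it can be skipped.
grep -qxF 'net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p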
调整配置目录权限
参考:https://gitee.com/spoto/wireguard
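cd /etc/wireguard/
# The directory holds private keys: owner-only access. 0777 would let any
# local user read or replace wg0.conf, so use 0700 instead.
chmod 0700 /etc/wireguard
# Files created from here on (wg0.conf) default to 0600.
umask 077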
然后在 /etc/wireguard 下添加一个 wg0.conf
配置文件
[Interface]
# This client's private key (placeholder). Keep the file 0600, root-owned.
PrivateKey = IXXXXXXXXXXXXXXXXXXXxxxxxxxxxxxxxxxw=
# Tunnel address of this client inside the VPN subnet.
Address = 10.10.10.9/24
# Applied via resolvconf while the tunnel is up.
DNS = 8.8.8.8
[Peer]
# The wg-easy server: its public key and the preshared key from the client
# config it generated (placeholders).
PublicKey = 7SZXXXXXXXXXXXXXXXXXXXXXXxxxxxxxxxxxx=
PresharedKey = zzXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxxx=
# Only the VPN subnet is routed through the tunnel (split tunnel).
AllowedIPs = 10.10.10.0/24
# Keep the NAT mapping alive (matches WG_PERSISTENT_KEEPALIVE=25 on the server).
PersistentKeepalive = 25
# Public address of the wg-easy host, UDP 51820 (placeholder).
Endpoint = x.x.x.x:51820
设置服务器开机自启动
# Bring wg0 up at boot via the wg-quick@.service template.
systemctl enable wg-quick@wg0
启动wireguard
# Bring wg0 up
wg-quick up wg0
# Take wg0 down
wg-quick down wg0
# Show peer status
wg show wg0
Synology NAS 7.2 上安装 Wireguard
参考:https://www.blackvoid.club/wireguard-spk-for-your-synology-nas/