19.wireguard点对点连接 - 《这就是运维》

准备
- 基本yum源
- 关闭防火墙，swap，selinux
安装wireguard
配置wireguard
- 生成服务器端的公钥和私钥
启动wg

准备

基本yum源

yum install -y epel-release 
yum install -y wget bash-com*  git
yum update -y

yum -y install  gcc bc gcc-c++ ncurses ncurses-devel cmake elfutils-libelf-devel openssl-devel flex* bison* autoconf automake zlib* fiex* libxml* ncurses-devel libmcrypt* libtool-ltdl-devel* make cmake  pcre pcre-devel openssl openssl-devel   jemalloc-devel tlc libtool vim unzip wget lrzsz bash-comp* ipvsadm ipset jq sysstat conntrack libseccomp conntrack-tools socat curl wget git conntrack-tools psmisc nfs-utils tree bash-completion conntrack libseccomp net-tools crontabs sysstat iftop nload strace bind-utils tcpdump htop telnet lsof

关闭防火墙，swap，selinux

#关闭防火墙
systemctl disable --now firewalld

#关闭swap
swapoff -a
sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab

#关闭selinux
setenforce 0
sed -ri '/^[^#]*SELINUX=/s#=.+$#=disabled#' /etc/selinux/config

安装wireguard

需要公网ip
node01和node02安装wireguard

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install  https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm -y
yum install kmod-wireguard wireguard-tools wireguard-dkms yum-plugin-elrepo -y

重启

reboot

配置wireguard

node01的内网地址	10.140.0.10
node02的内网地址	10.146.0.2
node01的公网地址	104.155.197.80
node02的公网地址	35.221.77.34
node01的内网网段	10.140.0.0/24
node02的内网网段	10.146.0.0/24

生成服务器端的公钥和私钥

node01和node02生成私钥和公钥

wg genkey | tee server_private_key | wg pubkey > server_public_key

node01

vim /etc/wireguard/wg0.conf

[Interface]
PostUp=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Address=192.168.10.1/24 ##node01虚拟网卡ip,自定义一个虚拟网段即可
PrivateKey=+E/ft+Pmz5Dh3PvilxcftE4l64RVKmZXAolarzhR/3E= ##node01的私钥
ListenPort=51820

[Peer]
PublicKey=HngvWEnTQKyG+A940O0nYKiTzKPsEC7wYwYAc4lhf10=  ##node02的公钥
AllowedIPs=192.168.10.2/32 ##node02的虚拟网卡ip
AllowedIPs=10.146.0.0/24 ##node02的网段
Endpoint=35.221.77.34:51820 ##node02公网地址

node02

vim /etc/wireguard/wg0.conf

[Interface]
PostUp=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Address=192.168.10.2/24 ##node02虚拟网卡ip
PrivateKey=6Dc0IED4MdAo2nYcXDxZ5rV9Lu0Zbmvg+/P2eMh8f0A=  ##node02的私钥
ListenPort=51820

[Peer]
PublicKey=SjvugytEnPmWJ9nzxpD5P8we3n1DBXJfdqz9yMVt7nU= ##node01的公钥
AllowedIPs=192.168.10.1/32 ##node01的虚拟网卡ip
AllowedIPs=10.140.0.0/24 ##node01的网段
Endpoint=104.155.197.80:51820 ##node01公网地址

启动wg

wg-quick up wg0
wg show