准备
基本yum源
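# Base repositories and tooling: EPEL first so the packages below resolve.
yum install -y epel-release
yum install -y wget 'bash-com*' git
yum update -y
# Build, network and debugging tooling used by the rest of the setup.
# Package globs are quoted so yum matches them against repository metadata instead of the
# shell matching them against files in the current directory. Exact duplicates from the
# original list are collapsed, and `fiex*` (a typo of `flex*`, which is kept) is dropped.
# NOTE(review): `tlc` matches no package name I know of (perhaps `tcl` was meant) — confirm;
# yum reports it as unavailable.
yum -y install gcc bc gcc-c++ ncurses ncurses-devel cmake elfutils-libelf-devel \
  openssl-devel 'flex*' 'bison*' autoconf automake 'zlib*' 'libxml*' 'libmcrypt*' \
  'libtool-ltdl-devel*' make pcre pcre-devel openssl jemalloc-devel tlc libtool vim \
  unzip wget lrzsz 'bash-comp*' ipvsadm ipset jq sysstat conntrack libseccomp \
  conntrack-tools socat curl git psmisc nfs-utils tree bash-completion net-tools \
  crontabs iftop nload strace bind-utils tcpdump htop telnet lsof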
关闭防火墙,swap,selinux
# Disable the host firewall (firewalld). With it gone the only host-level packet filtering
# left on these nodes is whatever the WireGuard PostUp iptables rules in wg0.conf add.
systemctl disable --now firewalld
# Disable swap now, and comment out swap entries in fstab so it stays off after reboot.
swapoff -a
sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab
# SELinux: permissive for the running system, disabled permanently (takes effect after reboot).
# NOTE(review): setenforce exits non-zero when SELinux is already disabled — harmless here,
# but it would abort this sequence if it were run under `set -e`.
setenforce 0
sed -ri '/^[^#]*SELINUX=/s#=.+$#=disabled#' /etc/selinux/config
安装wireguard
node01 和 node02 都需要公网 IP（地址见下表）
node01和node02安装wireguard
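# Enable IPv4 forwarding (and proxy ARP) for the site-to-site tunnel.
# Written to a dedicated drop-in instead of appended to /etc/sysctl.conf, so re-running this
# step does not accumulate duplicate lines; `sysctl --system` loads /etc/sysctl.d/*.conf as
# well as /etc/sysctl.conf. (The drop-in file name is chosen here; any *.conf name works.)
# NOTE(review): proxy_arp=1 on *all* interfaces makes each node answer ARP for any address it
# can route — confirm this is needed for the cloud network rather than only on the LAN interface.
cat > /etc/sysctl.d/99-wireguard.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1
EOF
sysctl --system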
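# Add the jdoss/wireguard COPR repo and ELRepo (kmod packages) on EL7.
# -f makes curl fail on an HTTP error instead of saving the error page as a .repo file.
curl -fLo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
# Import ELRepo's signing key so packages from the elrepo repository are GPG-checked and the
# install below does not stop on an interactive key prompt.
# NOTE(review): `yum install <url>` does not GPG-check a package given by URL unless
# localpkg_gpgcheck=1 is set in yum.conf; download the release RPM and run `rpm -K` on it if
# verifying that first package matters.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm -y
# NOTE(review): kmod-wireguard (ELRepo) and wireguard-dkms (COPR) both provide the kernel
# module; installing both is kept from the original, but one of them should be enough.
yum install kmod-wireguard wireguard-tools wireguard-dkms yum-plugin-elrepo -y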
重启
# Reboot so the SELinux setting written to /etc/selinux/config above takes effect and the
# newly installed WireGuard kernel module is loaded on a clean boot.
reboot
配置wireguard
node01的内网地址 | 10.140.0.10 |
---|---|
node02的内网地址 | 10.146.0.2 |
node01的公网地址 | 104.155.197.80 |
node02的公网地址 | 35.221.77.34 |
node01的内网网段 | 10.140.0.0/24 |
node02的内网网段 | 10.146.0.0/24 |
生成服务器端的公钥和私钥
node01和node02生成私钥和公钥
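# Generate this node's WireGuard keypair. umask 077 inside the subshell makes
# server_private_key readable only by its owner; with the default umask the private key
# would be created world-readable. Run on node01 and node02 separately — each node gets
# its own pair, and the private key never leaves the node it was generated on.
(umask 077; wg genkey | tee server_private_key | wg pubkey > server_public_key)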
node01
# Create node01's interface config. It contains the PrivateKey, so keep the file readable by
# root only (wg-quick warns when the config file is world accessible). Every key in the
# example below must be replaced with the ones generated on your own nodes.
vim /etc/wireguard/wg0.conf
[Interface]
## PostUp/PostDown: allow forwarding through the tunnel interface (%i) and NAT tunnel traffic
## leaving eth0. The two FORWARD rules accept any traffic in either direction across %i;
## narrow them if the peer LAN should not be fully reachable.
PostUp=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Address=192.168.10.1/24 ##node01 tunnel (virtual NIC) IP; any private subnet of your choice
## node01 private key. This value is published with this page, so it is compromised — use the
## key generated by `wg genkey` on node01, never this one.
PrivateKey=+E/ft+Pmz5Dh3PvilxcftE4l64RVKmZXAolarzhR/3E=
ListenPort=51820
[Peer]
PublicKey=HngvWEnTQKyG+A940O0nYKiTzKPsEC7wYwYAc4lhf10= ##node02 public key
AllowedIPs=192.168.10.2/32 ##node02 tunnel IP
AllowedIPs=10.146.0.0/24 ##node02 LAN; repeated AllowedIPs lines are additive
Endpoint=35.221.77.34:51820 ##node02 public address
node02
# Create node02's interface config; same file-permission and key-replacement caveats as on
# node01 — the file holds the PrivateKey, so keep it readable by root only.
vim /etc/wireguard/wg0.conf
[Interface]
## PostUp/PostDown: allow forwarding through the tunnel interface (%i) and NAT tunnel traffic
## leaving eth0. The two FORWARD rules accept any traffic in either direction across %i;
## narrow them if the peer LAN should not be fully reachable.
PostUp=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Address=192.168.10.2/24 ##node02 tunnel (virtual NIC) IP
## node02 private key. This value is published with this page, so it is compromised — use the
## key generated by `wg genkey` on node02, never this one.
PrivateKey=6Dc0IED4MdAo2nYcXDxZ5rV9Lu0Zbmvg+/P2eMh8f0A=
ListenPort=51820
[Peer]
PublicKey=SjvugytEnPmWJ9nzxpD5P8we3n1DBXJfdqz9yMVt7nU= ##node01 public key
AllowedIPs=192.168.10.1/32 ##node01 tunnel IP
AllowedIPs=10.140.0.0/24 ##node01 LAN; repeated AllowedIPs lines are additive
Endpoint=104.155.197.80:51820 ##node01 public address
启动wg
# Bring the tunnel up on both nodes and check it: `wg show` should list the peer with a recent
# "latest handshake" once both sides are up and UDP/51820 is reachable between the public IPs.
# This does not survive a reboot; `systemctl enable --now wg-quick@wg0` does the same persistently.
wg-quick up wg0
wg show