Table of Contents

WireGuard 服务器

This article relies on the following:

前言

目标

通过命令行安装设置

1. 准备

安装所需的软件包。 指定 VPN 服务器配置参数。 

# 安装相关的软件包
opkg update
opkg install wireguard-tools
 
# 设置连接参数
WG_IF="vpn"
WG_PORT="51820"
WG_ADDR="192.168.9.1/24"
WG_ADDR6="fd00:9::1/64"

2. 密钥管理

在服务器与客户端之间生成并交换密钥 

# 生成密钥
umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk
 
# 私钥
VPN_KEY="$(cat wgserver.key)"
 
# 预共享密钥
VPN_PSK="$(cat wgclient.psk)"
 
# 公钥
VPN_PUB="$(cat wgclient.pub)"

3. 防火墙

VPN 网络视为私有网络。 将 VPN 接口分配到 LAN 区域,以尽量减少防火墙设置。 允许从 WAN 区域访问 VPN 服务器。 

# 设置防火墙
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${VPN_IF}"
uci add_list firewall.lan.network="${VPN_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${VPN_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
service firewall restart

4. 网络

配置 VPN 接口和节点。 

# 设置网络
uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="wireguard"
uci set network.${VPN_IF}.private_key="${VPN_KEY}"
uci set network.${VPN_IF}.listen_port="${VPN_PORT}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
 
# 添加 VPN 节点
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${VPN_IF}"
uci set network.wgclient.public_key="${VPN_PUB}"
uci set network.wgclient.preshared_key="${VPN_PSK}"
uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32"
uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
uci commit network
/etc/init.d/network restart

测试

建立 VPN 连接。 使用 traceroutetraceroute6 命令确认流量是否通过 VPN 网关。 

traceroute openwrt.org
traceroute6 openwrt.org

检查客户端IP地址:

请确保客户端没有DNS泄露(DNS leak)发生:

故障排除

# 重启服务
service log restart; service network restart; sleep 10
 
# Log and status
logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
 
# Runtime configuration
pgrep -f -a wg; wg show; wg showconf vpn
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset
 
# Persistent configuration
uci show network; uci show firewall; crontab -l