
Chapter 32. VPN (Virtual Private Network)

Table of Contents

32.1. WireGuard
32.1.1. Installing WireGuard
32.1.2. Generating key pairs
32.1.3. Server
32.1.4. Client
32.1.5. Routing configuration
32.1.6. wireguard-tools commands
32.1.7. Case study: Server to Peer connectivity, and Peer to Peer as well
32.1.8.
32.2. OpenVPN (openvpn - Virtual Private Network daemon)
32.2.1. Installing the OpenVPN server
32.2.2. Easy-RSA 3
32.2.3. OpenVPN client
32.2.4. OpenVPN GUI for Windows
32.2.5. point-to-point VPNs
32.2.6. VPN case studies
32.2.7. OpenVPN security
32.3. pptpd
32.3.1. Server
32.3.2. Client
32.3.3. FAQ
32.4. l2tpd - dummy package for l2tpd to xl2tpd transition
32.4.1. Installing L2TP with Docker
32.4.2. Ubuntu
32.4.3. CentOS 8 Stream
32.4.4. IPsec VPN
32.4.5. FAQ
32.5. IKEv2 VPN Server
32.5.1. OpenVPN Ikev2
32.5.2. IKEv2 VPN Server on Docker
32.5.3. strongswan - IPSec utilities for strongSwan
32.6. openswan - IPSEC utilities for Openswan
32.7. N2N VPN
32.8. Hypersocket VPN
32.9. Tailscale

32.1. WireGuard

32.1.1. Installing WireGuard

The wireguard-tools package provides the wg and wg-quick userspace utilities. The tunnel itself is implemented by the wireguard kernel module, part of mainline Linux since 5.6, so on a current kernel nothing beyond the tools is needed; if the module is missing, the ip link add step of wg-quick up is where it fails.

[root@development ~]# dnf search wireguard
Last metadata expiration check: 2:27:54 ago on Mon 13 Oct 2025 03:31:18 PM CST.
============================ Name Matched: wireguard ==========================
wireguard-tools.x86_64 : Fast, modern, secure VPN tunnel

[root@development ~]# dnf install wireguard-tools -y

[root@development ~]# wg --version
wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/

32.1.2. Generating key pairs

WireGuard does not use certificates. Each side has a Curve25519 key pair, and a peer is identified by its public key alone, which is pasted into the other side's configuration; there is no CA and nothing is signed. The keys below are printed so that the configurations in the following sections can be traced back to them; a private key that has been displayed, logged or committed anywhere should be regarded as compromised and regenerated. Generate keys with a restrictive umask so that the private key file is not world-readable.

Server key pair

wg genkey | tee server_private.key | wg pubkey > server_public.key

Viewing the keys

[root@development ~]# cat server_private.key 
UMZk7+8c1OytK7Am5sumC7T2HT3KPChExoRZqoDioU4=

[root@development ~]# cat server_public.key 
9VDeng7liU2v5kQl+CdNJJANxiKF/pJPK6bDKNU60EY=

Client key pair

[root@development ~]# wg genkey | tee client_private.key | wg pubkey > client_public.key

[root@development ~]# cat client_private.key 
CEEIeJQKoRFDV+lE+PFtwgn+zHafABWm9sb+IqhCD04=

[root@development ~]# cat client_public.key 
cr7NFI6tZWhGqXsO8D58GS3WTVqc8dQ/sH1D1WOchDw=

32.1.3. Server

Server configuration. The [Interface] block holds the server's own private key and listening port; each [Peer] block holds one client's public key and, in AllowedIPs, the tunnel address that client is allowed to use.

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server private key>

[Peer]
# client
PublicKey = <client public key>
AllowedIPs = 10.0.0.2/32

Filled in with the keys generated above. The PublicKey under [Peer] is the client's public key (cr7NFI6tZWhGqXsO8D58GS3WTVqc8dQ/sH1D1WOchDw=), not the server's own; pasting the server's public key there is a common slip, and the client then never completes a handshake because its key matches no configured peer. The file contains the server's private key, so it should be owned by root with mode 0600.

cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = UMZk7+8c1OytK7Am5sumC7T2HT3KPChExoRZqoDioU4=

[Peer]
PublicKey = cr7NFI6tZWhGqXsO8D58GS3WTVqc8dQ/sH1D1WOchDw=
AllowedIPs = 10.0.0.2/32
EOF

		
[root@development ~]# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0

[root@development ~]# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.0.0.1  netmask 255.255.255.0  destination 10.0.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg-quick up does not open any firewall port: UDP 51820 must be reachable from the clients, so allow it in the host firewall and in any cloud security group in front of the server. To bring the tunnel up at boot:

sudo systemctl enable wg-quick@wg0
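The key pairs from 32.1.2 and the wg0.conf above can be checked offline before the tunnel goes live. What follows is an added example, not code from the page or from the WireGuard project: it re-implements X25519 from RFC 7748 so that a public key can be derived from a private key exactly as wg pubkey does, then audits a server-side configuration for the usual slips. The names parse_wg_conf and audit_server_conf are chosen here; WRONG_CONF is constructed from the page's server key pair with the server's own public key pasted into [Peer], and RIGHT_CONF is the same file with the client's public key in its place.

```python
"""Offline checks for WireGuard key pairs and a server-side wg0.conf.
Added example, not from the page or the WireGuard project. X25519 follows
RFC 7748 so a public key can be derived without the wg binary; the ladder
branches on secret bits (not constant time), so use it for auditing only."""
import base64
import ipaddress

P = 2**255 - 19
A24 = 121665


def _cswap(swap, a, b):
    return (b, a) if swap else (a, b)      # plain branch: auditing only


def x25519(scalar, u_bytes):
    """RFC 7748 Montgomery ladder; returns the 32-byte little-endian u."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64             # clamp exactly as wg genkey does
    k = int.from_bytes(k, "little")
    u = bytearray(u_bytes)
    u[31] &= 127                           # mask the unused top bit
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def pubkey_from_private(priv_b64):
    """Equivalent of `wg pubkey`: base64 private key in, base64 public out."""
    priv = base64.b64decode(priv_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return base64.b64encode(x25519(priv, (9).to_bytes(32, "little"))).decode()


def parse_wg_conf(text):
    """[Interface] dict plus a list of [Peer] dicts; configparser is unsuitable
    because [Peer] repeats and '#' comments may trail values."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers


def audit_server_conf(text):
    """Findings for a hub wg0.conf: a [Peer] that carries the hub's own
    public key, and AllowedIPs that overlap between peers."""
    findings, seen = [], []
    iface, peers = parse_wg_conf(text)
    own_pub = pubkey_from_private(iface["PrivateKey"])
    for n, peer in enumerate(peers, 1):
        if peer.get("PublicKey") == own_pub:
            findings.append(f"peer {n}: PublicKey is the interface's own public key")
        for cidr in peer.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            for m, other in seen:
                if net.overlaps(other):
                    findings.append(f"peer {n}: AllowedIPs {net} overlaps peer {m}'s {other}")
            seen.append((n, net))
    return findings


# Constructed sample: the page's server key pair, with the server's own
# public key pasted into [Peer] instead of the client's.
WRONG_CONF = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = UMZk7+8c1OytK7Am5sumC7T2HT3KPChExoRZqoDioU4=
[Peer]
PublicKey = 9VDeng7liU2v5kQl+CdNJJANxiKF/pJPK6bDKNU60EY=
AllowedIPs = 10.0.0.2/32
"""
# Same hub with the client's public key under [Peer], as wg expects.
RIGHT_CONF = WRONG_CONF.replace("9VDeng7liU2v5kQl+CdNJJANxiKF/pJPK6bDKNU60EY=",
                                "cr7NFI6tZWhGqXsO8D58GS3WTVqc8dQ/sH1D1WOchDw=")

if __name__ == "__main__":
    for name, conf in (("wrong", WRONG_CONF), ("right", RIGHT_CONF)):
        print(name, audit_server_conf(conf) or "no findings")
```

Run as a script it prints one finding for WRONG_CONF and none for RIGHT_CONF. For keys that matter, derive the public key with wg pubkey itself; the pure-Python ladder is only meant for checking files you already hold.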
		
		

32.1.4. Client

Client configuration (/etc/wireguard/client.conf). Address is the client's own tunnel address and PrivateKey its own private key; under [Peer] go the server's public key, the server's public endpoint, and AllowedIPs = 0.0.0.0/0, which sends all IPv4 traffic through the tunnel (see the routing section below). wg-quick applies the DNS line through resolvconf, so the client needs resolvconf or openresolv installed. A client behind NAT that the server must be able to reach without the client talking first additionally needs PersistentKeepalive under [Peer].

cat > /etc/wireguard/client.conf <<EOF
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client private key>
DNS = 8.8.8.8

[Peer]
PublicKey = <server public key>
Endpoint = <server public IP>:51820
AllowedIPs = 0.0.0.0/0
EOF

wg-quick up client

32.1.5. Routing configuration

Routing policy is expressed through AllowedIPs. On a client it does two things at once: wg-quick installs a route through the tunnel for every listed prefix, and WireGuard's cryptokey routing sends packets for those prefixes to that peer only, and accepts packets from that peer only if their source address falls within them. Full tunnel versus split tunnel is therefore just a question of which prefixes are listed.

Full tunnel: point the default route at the VPN server so that all traffic goes through it.

AllowedIPs = 0.0.0.0/0

For 0.0.0.0/0 wg-quick does not overwrite the existing default route; it places the tunnel route in its own routing table and adds policy rules keyed on an fwmark, so that WireGuard's own UDP packets to the Endpoint still leave via the physical interface. Only IPv4 is captured: unless ::/0 is listed as well, IPv6 traffic keeps leaving unencrypted.

Split tunnel: only traffic for the tunnel subnet goes through the VPN; everything else uses the local network as before.

[Interface]
PrivateKey = CEEIeJQKoRFDV+lE+PFtwgn+zHafABWm9sb+IqhCD04=
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = 9VDeng7liU2v5kQl+CdNJJANxiKF/pJPK6bDKNU60EY=
AllowedIPs = 10.0.0.0/24
Endpoint = 120.179.202.161:51820

32.1.6. wireguard-tools commands

[root@development ~]# wg -h
Usage: wg <cmd> [<args>]

Available subcommands:
  show: Shows the current configuration and device information
  showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'
  set: Change the current configuration, add peers, remove peers, or change peers
  setconf: Applies a configuration file to a WireGuard interface
  addconf: Appends a configuration file to a WireGuard interface
  syncconf: Synchronizes a configuration file to a WireGuard interface
  genkey: Generates a new private key and writes it to stdout
  genpsk: Generates a new preshared key and writes it to stdout
  pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass `--help' to any of these subcommands to view usage.

Once peers are configured, wg show also lists each peer with its endpoint, latest handshake and transfer counters; a peer with no handshake is the first thing to look for when the interface is up but carries no traffic.

[root@development ~]# wg show
interface: wg0
  public key: 9VDeng7liU2v5kQl+CdNJJANxiKF/pJPK6bDKNU60EY=
  private key: (hidden)
  listening port: 51820
[root@development ~]# wg show wg0
interface: wg0
  public key: 9VDeng7liU2v5kQl+CdNJJANxiKF/pJPK6bDKNU60EY=
  private key: (hidden)
  listening port: 51820

Bring the interface down or up (wg-quick down also removes the addresses, routes and DNS setting it installed):

wg-quick down wg0
wg-quick up wg0

32.1.7. Case study: Server to Peer connectivity, and Peer to Peer as well

Preparation

IP address plan

Server address: 10.0.0.1

Peer 1 address: 10.0.0.2

Peer 2 address: 10.0.0.3

Further peers follow the same pattern.

Generate the server key pair

wg genkey | tee server_private.key | wg pubkey > server_public.key

Generate a key pair for each peer. Use a distinct file name per peer: re-running the command with server_private.key, which is easy to do when copying the line above, silently overwrites the server's private key.

wg genkey | tee peer1_private.key | wg pubkey > peer1_public.key
Server configuration

Create the server configuration file (/etc/wireguard/wg0.conf). There is one [Peer] block per peer, carrying that peer's public key and a /32 for its tunnel address. On the server AllowedIPs does double duty: it is the route to that peer, and it is the only source address the server accepts under that peer's key, so no peer can send packets claiming another peer's tunnel address.

[root@development ~]# cat /etc/wireguard/wg0.conf 
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = UMZk7+8c1OytK7Am5sumC7T2HT3KPChExoRZqoDioU4=

[Peer]
PublicKey = cr7NFI6tZWhGqXsO8D58GS3WTVqc8dQ/sH1D1WOchDw=
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = LyLmgsXu/li83yQz58jDqKSFevi01PwNbnUFrynYHkk=
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = b5PCQGmaCAlSF4C0x1YRUG5ylXJVoQcxhO4ZeuS0Q0A=
AllowedIPs = 10.0.0.4/32

Enable IP forwarding (server only). Without it the server accepts packets from one peer but never forwards them to another, so peer-to-peer traffic through the hub is silently dropped.

# Enable immediately (not persistent)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Persistent (Ubuntu/Debian ship the setting commented out in /etc/sysctl.conf)
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sudo sysctl -p  # reload

On RHEL-family hosts such as the dnf-based machine used above, /etc/sysctl.conf usually contains no such line, so the sed changes nothing; put net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/ instead and reload with sysctl --system.

Allow forwarding through wg0 and masquerade traffic leaving on the uplink (eth0 here). These rules are added by hand, so they survive neither a reboot nor a wg-quick down; the MASQUERADE rule is only needed when peers reach the Internet through the server, not for peer-to-peer forwarding.

iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
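The usual way to tie the firewall rules to the tunnel is PostUp/PostDown in wg0.conf, which wg-quick runs when the interface comes up and goes down, so the rules are removed with the interface and re-added with it. The fragment below is an added example, not from the page; it assumes the uplink is eth0 and the tunnel subnet is 10.0.0.0/24, and it narrows MASQUERADE to that subnet so the server does not NAT unrelated traffic. %i is expanded by wg-quick to the interface name.

```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server private key>
# Assumed uplink: eth0. Forwarding between peers needs only the FORWARD rules;
# MASQUERADE is required only when peers reach the Internet via this host.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <peer public key>
AllowedIPs = 10.0.0.2/32
```

The two FORWARD rules accept anything entering or leaving wg0, which is what peer-to-peer reachability requires; if peers must not reach the server's LAN, restrict the -i %i rule to the tunnel subnet or to established connections.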
			
			
Peer configuration

Create the configuration file (/etc/wireguard/client.conf) for the peer at 10.0.0.3, Peer 2 in the plan above. The server must list this host's public key with AllowedIPs = 10.0.0.3/32. The AllowedIPs = 10.0.0.0/24 on the server peer routes the whole tunnel subnet to the server, which forwards to the other peers.

[root@netkiller ~]# cat /etc/wireguard/client.conf 
[Interface]
PrivateKey = 4Et96IbLG5U9DQYC5w4q2up5xd25tTlf4rspasgs43s=
Address = 10.0.0.3/24
#DNS = 8.8.8.8

[Peer]
PublicKey = 9VDeng7liU2v5kQl+CdNJJANxiKF/pJPK6bDKNU60EY=
AllowedIPs = 10.0.0.0/24
Endpoint = 120.179.202.161:51820

#[Peer]
#PublicKey = cr7NFI6tZWhGqXsO8D58GS3WTVqc8dQ/sH1D1WOchDw=
#AllowedIPs = 10.0.0.2/32

The commented-out [Peer] block is the shape of a direct peer-to-peer tunnel: the other peer's public key with its /32. Because 10.0.0.2/32 is more specific than the server's 10.0.0.0/24, enabling it moves traffic for 10.0.0.2 away from the server and to that peer directly. For this to work the block also needs an Endpoint at which the other peer is reachable (or the other peer must initiate first, so that its address is learned), and the other peer needs a reciprocal [Peer] block for this host; enabling it without either leaves traffic for 10.0.0.2 with nowhere to go, since the server no longer owns that prefix on this host.

Peer at 10.0.0.2 (Peer 1 in the plan). It lists only 10.0.0.1/32 and 10.0.0.3/32 under the server peer, so it reaches the server and, through the server's forwarding, the peer at 10.0.0.3, but nothing else in the subnet.

[Interface]
PrivateKey = CEEIeJQKoRFDV+lE+PFtwgn+zHafABWm9sb+IqhCD04=
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = 9VDeng7liU2v5kQl+CdNJJANxiKF/pJPK6bDKNU60EY=
AllowedIPs = 10.0.0.1/32, 10.0.0.3/32
Endpoint = 120.179.202.161:51820
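How AllowedIPs behaves in this topology, for both the routing section (32.1.5) and the hub configurations above, is easiest to see in a small model. The following is an added example, not code from the page or from WireGuard: node names, the packets and the forwarding flag are constructed here, and page_topology mirrors the AllowedIPs of the three configurations in this section (server 10.0.0.1, peers at 10.0.0.2 and 10.0.0.3). The rules it models are WireGuard's: on egress the destination selects a peer by longest-prefix match over all peers' AllowedIPs, and on ingress a packet decrypted under a peer's key is dropped unless its source address lies inside that peer's AllowedIPs.

```python
"""Cryptokey-routing model of the hub case study (added example, not code
from the page or from WireGuard). Names, packets and the forwarding flag are
constructed; the rules are WireGuard's: egress = longest-prefix match over
peers' AllowedIPs, ingress = source must lie in the decrypting peer's AllowedIPs."""
import ipaddress


class WgNode:
    def __init__(self, name, address, forwarding=False):
        self.name = name
        self.address = ipaddress.ip_address(address)
        self.forwarding = forwarding          # net.ipv4.ip_forward on the hub
        self.peers = {}                       # peer name -> [ip_network, ...]

    def add_peer(self, name, allowed_ips):
        nets = [ipaddress.ip_network(c.strip(), strict=False)
                for c in allowed_ips.split(",")]
        # A prefix has exactly one owner: assigning a prefix that another
        # peer already holds moves it to the new peer.
        for other in self.peers:
            self.peers[other] = [n for n in self.peers[other] if n not in nets]
        self.peers[name] = nets

    def egress_peer(self, dst):
        """Longest-prefix match; None = not tunnelled via this interface."""
        dst, best = ipaddress.ip_address(dst), None
        for name, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None

    def ingress_ok(self, from_peer, src):
        """Source check applied to a packet that decrypted under from_peer."""
        src = ipaddress.ip_address(src)
        return any(src in net for net in self.peers.get(from_peer, []))


def deliver(nodes, sender, src, dst):
    """Walk one packet through the tunnels; returns the hop list, ending with
    a 'DROP: ...' entry where WireGuard or the kernel would discard it."""
    dst_ip, node, path = ipaddress.ip_address(dst), nodes[sender], [sender]
    for _ in range(8):                        # guard against routing loops
        if dst_ip == node.address:
            return path
        nxt = node.egress_peer(dst)
        if nxt is None:
            return path + [f"DROP: {node.name} has no AllowedIPs for {dst}"]
        hop = nodes[nxt]
        if not hop.ingress_ok(node.name, src):
            return path + [f"DROP: {hop.name} rejects src {src} from {node.name}"]
        path.append(hop.name)
        if dst_ip != hop.address and not hop.forwarding:
            return path + [f"DROP: {hop.name} is not forwarding"]
        node = hop
    return path + ["DROP: too many hops"]


def page_topology(server_forwarding=True):
    """Server 10.0.0.1, peer1 10.0.0.2, peer2 10.0.0.3, with the AllowedIPs
    of the three configs in this section."""
    server = WgNode("server", "10.0.0.1", forwarding=server_forwarding)
    server.add_peer("peer1", "10.0.0.2/32")
    server.add_peer("peer2", "10.0.0.3/32")
    peer1 = WgNode("peer1", "10.0.0.2")
    peer1.add_peer("server", "10.0.0.1/32, 10.0.0.3/32")  # reaches .3 via hub
    peer2 = WgNode("peer2", "10.0.0.3")
    peer2.add_peer("server", "10.0.0.0/24")
    return {n.name: n for n in (server, peer1, peer2)}


def tunnel_choice(allowed_ips, dst):
    """Routing section: where a client whose only peer is the server with
    `allowed_ips` sends `dst` (full tunnel vs. split tunnel)."""
    client = WgNode("client", "10.0.0.2")
    client.add_peer("server", allowed_ips)
    return client.egress_peer(dst)


def direct_peer_choice():
    """peer2 with the commented-out direct [Peer] block enabled: its /32 for
    10.0.0.2 outranks the server's /24, so that traffic goes peer to peer."""
    peer2 = page_topology()["peer2"]
    peer2.add_peer("peer1", "10.0.0.2/32")
    return peer2.egress_peer("10.0.0.2"), peer2.egress_peer("10.0.0.1")


def reassignment_demo():
    """A fourth peer configured with peer1's /32 silently takes it over."""
    server = page_topology()["server"]
    server.add_peer("peer4", "10.0.0.2/32")
    return server.egress_peer("10.0.0.2"), server.peers["peer1"]


if __name__ == "__main__":
    print(deliver(page_topology(), "peer1", "10.0.0.2", "10.0.0.3"))
    print(deliver(page_topology(), "peer2", "10.0.0.9", "10.0.0.2"))  # spoofed
    print(deliver(page_topology(False), "peer1", "10.0.0.2", "10.0.0.3"))
```

The three printed walks show the peer-to-peer path through the hub, the server discarding a packet whose source address is not the sending peer's /32, and the same path dying at the server when ip_forward is off. reassignment_demo is the gotcha to remember when adding peers: a duplicated AllowedIPs entry does not error, it quietly re-points the prefix.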
			
			

32.1.8.