WireGuard 内核编译完成之后, 接下来就是 客户端与服务器之间的连接配置了
一会儿配置公钥, 一会儿配置私钥, 这个机器的私钥,那个机器的公钥 要是搞几台机器,搞完就算了, 几十台几十台的搞会搞到怀疑人生。。。
手动配置起来, 非常琐碎。
于是写了一个 Bash Script, 一劳永逸.
运行后, 会生成服务器的配置文件; 每个客户端会生成一个路由模式的配置文件和一个全局模式的配置文件。
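#!/bin/bash
# wg_gen.sh - generate WireGuard configs for one server and a block of clients.
#
# Writes, in the current directory:
#   VPN.conf                    server config (wg-quick names the interface
#                               after the file, so the iptables rules below
#                               refer to "VPN")
#   <prefix>.<n>_global.conf    per-client config routing all traffic
#                               (AllowedIPs = 0.0.0.0/0) through the tunnel
#   <prefix>.<n>_router.conf    per-client config routing only CLIENT_ALLOW
#                               through the tunnel
#
# Requires wg(8) from wireguard-tools. Every output file contains a private
# key, so new files are created with mode 0600 (umask 077) and only public
# keys are printed to stdout. Files that already exist keep their old mode.
set -euo pipefail

SERVER_IP="fly.li-chunli.top"        # endpoint clients dial (hostname or IP)
SERVER_LISTEN=10001                  # UDP port the server listens on
CLIENT_IP_START="192.168.173.100"    # first client address; the server takes .1
CLIENT_IP_NUM=10                     # how many consecutive client addresses
CLIENT_ALLOW="192.168.173.0/24,192.168.1.0/24,172.16.0.0/16"  # AllowedIPs in _router configs
SERVER_WAN_IFACES=(wlan0 eth0)       # server uplinks that MASQUERADE tunnel traffic

die() { printf 'wg_gen.sh: %s\n' "$*" >&2; exit 1; }

# Split CLIENT_IP_START into "a.b.c" and the last octet with parameter
# expansion (no awk needed).
IP_PREFIX=${CLIENT_IP_START%.*}
IP_START=${CLIENT_IP_START##*.}
[[ "$IP_START" =~ ^[0-9]+$ ]] || die "CLIENT_IP_START '$CLIENT_IP_START' is not a dotted IPv4 address"
IP_END=$((IP_START + CLIENT_IP_NUM))  # exclusive upper bound of the client range
# .1 is the server and .255 is broadcast: the client range must stay between them.
(( IP_START >= 2 && IP_END <= 255 )) || die "client range ${IP_PREFIX}.${IP_START}-${IP_PREFIX}.$((IP_END - 1)) leaves the /24"

command -v wg >/dev/null 2>&1 || die "wg not found in PATH (install wireguard-tools)"

# Output files hold private keys: owner-only permissions for new files.
umask 077

################ GEN KEY S #####################################
# Keys live in indexed arrays keyed by the last octet instead of
# eval-built variable names.
server_key=$(wg genkey)
server_pub=$(wg pubkey <<<"$server_key")

declare -a client_key=() client_pub=()
for ((i = IP_START; i < IP_END; i++)); do
  client_key[$i]=$(wg genkey)
  client_pub[$i]=$(wg pubkey <<<"${client_key[$i]}")
done

# Only public keys are printed; private keys are written to the config files only.
printf 'server  %s\n' "$server_pub"
for ((i = IP_START; i < IP_END; i++)); do
  printf '%s.%s  %s\n' "$IP_PREFIX" "$i" "${client_pub[$i]}"
done
################ GEN KEY E #####################################

################ GEN SERVER CONF S #####################################
{
  cat << EOF
# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf; sysctl -p
[Interface]
PrivateKey = $server_key
Address = ${IP_PREFIX}.1/24
EOF
  # One PostUp/PostDown pair per uplink; "VPN" is the wg-quick interface name.
  for ifc in "${SERVER_WAN_IFACES[@]}"; do
    printf 'PostUp = iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$ifc"
    printf 'PostDown = iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$ifc"
  done
  cat << EOF
ListenPort = $SERVER_LISTEN
MTU = 1420
EOF
  # One peer stanza per client, each limited to its own /32.
  for ((i = IP_START; i < IP_END; i++)); do
    cat << EOF

[peer]
PublicKey = ${client_pub[$i]}
AllowedIPs = ${IP_PREFIX}.${i}/32
PersistentKeepalive = 25
EOF
  done
} > VPN.conf
################ GEN SERVER CONF E #####################################

################ GEN CLIENT CONF S #####################################
for ((i = IP_START; i < IP_END; i++)); do
  # _global: default route through the tunnel, DNS via the server address (.1).
  cat > "${IP_PREFIX}.${i}_global.conf" << EOF
[Interface]
PrivateKey = ${client_key[$i]}
Address = ${IP_PREFIX}.${i}/24
DNS = ${IP_PREFIX}.1
MTU = 1420

[Peer]
PublicKey = $server_pub
AllowedIPs = 0.0.0.0/0
Endpoint = $SERVER_IP:$SERVER_LISTEN
PersistentKeepalive = 25
EOF
  # _router: only the CLIENT_ALLOW networks are routed through the tunnel.
  cat > "${IP_PREFIX}.${i}_router.conf" << EOF
[Interface]
PrivateKey = ${client_key[$i]}
Address = ${IP_PREFIX}.${i}/24
MTU = 1420

[Peer]
PublicKey = $server_pub
AllowedIPs = $CLIENT_ALLOW
Endpoint = $SERVER_IP:$SERVER_LISTEN
PersistentKeepalive = 25
EOF
done
################ GEN CLIENT CONF E #####################################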
运行运行 1 2 3 4 5 6 7 8 9 10 11 12 13 root@localhost:~/wg_conf# ./wg_gen.sh AAX8yn4cz5wYS6cyW+3LOkxRr3OPxhE8WkhaKmlpTkk= qZsOWM1tptWmsqMMQL1U4K0Oxuj7Q9OGdJtjGJ1vAjw= iFoikhnJN03lLxnid1NneXXXiixpmd8lFv8ZS93MhUY= 4xmc2Wxkz6sMj1iZQdL/b8rh5VOoQqRsipIGGRuc4Xk= kBpnXM2NQnc15ON/YUluHJF15omuvdQu5UzEah2gemM= NF0XfP7Q8nfITmJoDR/rH5YjifR0ZLxYXgSBtRhpoXQ= sFX0hKhNxtjzRyMqAfHjc12er7/fbfOyXps1Q7ibPUQ= epWBp/BR+h+Y6qegxVaQmJlLDl8/dKBkanUmoW0fdHY= QGFyRPAIn/luzh8FV9is4PbsVOd3tFJAlHwD7G4yME4= 9I5DSaTvEY1+57gibADaXFBsRF5UCB6ZyVORx4kVqgg= GBTs/HYjKNqFiEh07KorORCWb766jTmkpGSB4aMfRlM= 926ZIjyTRpev3JncL3CLin5RvusNopPS42c/5+QIMUI= SCLSUOLOVDvNbhXPhT8e1ulw7sJquDEZmGpKl+dZ6Hs= 9j8xVc5nBCX6TbL4/35VQxY7PILVp2slFwCvz1MSnW8= uG8qp2XnPG/x/8DUTS43/k/stq+LtSHGRcXUMTVy+10= enDPJsBWUUEtIW3xAf9Rcc+tpcdfbWVQZ85H2hZLMnI= +DuFjYjcp2JCQ7Vj0SZ79OZVnSFqd4shWhpQzNe2zFk= VqBEKJwvEo9hK2k94EbpZQtUn4OpBDDVKgMtUWsO0TI= iLzuonbq+nI0gQJ11w15XCcTyIzOTY6qjna2F6xyk3c= LI5p9OjBy9uIgroJM7UMa7sZwNLTiI/GoTqnr9z5wQk= cIPj0vcciC9ejNGQzje4O3P0tPqCBCNILV0F9sfV7FE= JjI2VnfiQRjcAWaCzOJPwTw1TjC9sZ3KNXHV+5AcDg0= root@localhost:~/wg_conf#
完美完美 客户端直接拿配置文件, 导入即可拨号1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 root@localhost:~/wg_conf# ll total 100 drwxr-xr-x 2 root root 4096 May 7 14:46 ./ drwx------ 1 root root 4096 May 7 14:43 ../ -rw-r--r-- 1 root root 278 May 7 14:37 192.168.173.100_global.conf -rw-r--r-- 1 root root 294 May 7 14:37 192.168.173.100_router.conf -rw-r--r-- 1 root root 278 May 7 14:37 192.168.173.101_global.conf -rw-r--r-- 1 root root 294 May 7 14:37 192.168.173.101_router.conf -rw-r--r-- 1 root root 278 May 7 14:37 192.168.173.102_global.conf -rw-r--r-- 1 root root 294 May 7 14:37 192.168.173.102_router.conf -rw-r--r-- 1 root root 278 May 7 14:37 192.168.173.103_global.conf -rw-r--r-- 1 root root 294 May 7 14:37 192.168.173.103_router.conf -rw-r--r-- 1 root root 278 May 7 14:37 192.168.173.104_global.conf -rw-r--r-- 1 root root 294 May 7 14:37 192.168.173.104_router.conf -rw-r--r-- 1 root root 278 May 7 14:37 192.168.173.105_global.conf -rw-r--r-- 1 root root 294 May 7 14:37 192.168.173.105_router.conf -rw-r--r-- 1 root root 278 May 7 14:37 192.168.173.106_global.conf -rw-r--r-- 1 root root 294 May 7 14:37 192.168.173.106_router.conf -rw-r--r-- 1 root root 278 May 7 14:37 192.168.173.107_global.conf -rw-r--r-- 1 root root 294 May 7 14:37 192.168.173.107_router.conf -rw-r--r-- 1 root root 278 May 7 14:37 192.168.173.108_global.conf -rw-r--r-- 1 root root 294 May 7 14:37 192.168.173.108_router.conf -rw-r--r-- 1 root root 278 May 7 14:37 192.168.173.109_global.conf -rw-r--r-- 1 root root 294 May 7 14:37 192.168.173.109_router.conf -rw-r--r-- 1 root root 1722 May 7 14:37 VPN.conf -rwxr-xr-x 1 root root 2663 May 7 14:27 wg_gen.sh* root@localhost:~/wg_conf# root@localhost:~/wg_conf#
一个客户端的标准配置 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 配置文件 root@localhost:~# cat /etc/wireguard/VPN.conf # echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf; sysctl -p [Interface] PrivateKey = mPXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXVCdUI= Address = 192.168.175.106/24 PostUp = iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE PostDown = iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE PostUp = iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE ListenPort = 20001 MTU = 1420 [Peer] PublicKey = AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXM= AllowedIPs = 192.168.175.0/24 Endpoint = fly.li-chunli.top:20001 PersistentKeepalive = 25 root@localhost:~# 开机自启配置文件 root@localhost:~# cat "/lib/systemd/system/wg-quick@.service" [Unit] Description=WireGuard via wg-quick(8) for %I After=network-online.target nss-lookup.target Wants=network-online.target nss-lookup.target Documentation=man:wg-quick(8) Documentation=man:wg(8) Documentation=https://www.wireguard.com/ Documentation=https://www.wireguard.com/quickstart/ Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8 Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8 [Service] Type=idle RemainAfterExit=yes ExecStart=/usr/bin/wg-quick up %i ExecStop=/usr/bin/wg-quick down %i Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity [Install] WantedBy=multi-user.target root@localhost:~# 连通性检测-自恢复配置 root@localhost:~# cat /etc/crontab 
SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin */10 * * * * root /bin/ping -W 4 -c 2 192.168.175.100 || /bin/systemctl restart wg-quick@VPN root@localhost:~# sysctl.conf 配置 root@localhost:~# cat /etc/sysctl.conf | grep -v ^# net.ipv4.ip_forward=1 net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 net.ipv4.conf.eth0.rp_filter=0 net.ipv4.conf.wlan0.rp_filter=0 root@localhost:~#