Nanopi Duo2 编译Linux内核开启 WireGuard

编译

环境准备

chunli@ubuntu:~$ sudo apt-get install make
chunli@ubuntu:~$ sudo apt-get install make-guile
chunli@ubuntu:~$ sudo apt-get install build-essential
chunli@ubuntu:~$ sudo apt-get install ncurses-dev
chunli@ubuntu:~$ sudo apt-get install u-boot-tools
chunli@ubuntu:~$ mkdir H3
chunli@ubuntu:~$ cd H3/

交叉编译器(下面的工具链是从第三方 GitHub 仓库下载的预编译二进制,本文未提供校验值;加入 PATH 之前请确认来源可信,能拿到官方发布的校验和时先核对):

chunli@ubuntu:~/H3$ wget https://github.com/pdtechvn/toolschain/raw/master/arm-cortexa9-linux-gnueabihf-4.9.3.tar.xz
chunli@ubuntu:~/H3$ tar xf arm-cortexa9-linux-gnueabihf-4.9.3.tar.xz
chunli@ubuntu:~/H3$ vim ~/.bashrc #尾行追加
export PATH=/home/chunli/H3/4.9.3/bin:$PATH
export GCC_COLORS=auto

chunli@ubuntu:~/H3$ . ~/.bashrc #重载环境变量
chunli@ubuntu:~/H3$ arm-linux-gcc -v #测试
.......
gcc version 4.9.3 (ctng-1.21.0-229g-FA)
chunli@ubuntu:~/H3$

下载 Nanopi Duo2 内核

下载 WireGuard内核源码

chunli@ubuntu:~/H3$ git clone https://github.com/friendlyarm/linux.git -b sunxi-4.14.y --depth 1
chunli@ubuntu:~/H3$ git clone https://git.zx2c4.com/wireguard-linux-compat

更换WireGuard源代码

chunli@ubuntu:~/H3$ touch linux/.scmversion
chunli@ubuntu:~/H3$ vim linux/arch/arm/configs/sunxi_defconfig
删除行 # CONFIG_WIREGUARD is not set
新增行 CONFIG_WIREGUARD=y
新增行 CONFIG_WIREGUARD_DEBUG=y

chunli@ubuntu:~/H3$ rm -rf linux/net/wireguard/
chunli@ubuntu:~/H3$ ./wireguard-linux-compat/kernel-tree-scripts/jury-rig.sh linux/ #使用最新的内核代码
chunli@ubuntu:~/H3$ ll linux/net/wireguard
lrwxrwxrwx 1 chunli chunli 42 Mar 30 21:12 linux/net/wireguard -> /home/chunli/H3/wireguard-linux-compat/src/
chunli@ubuntu:~/H3$

编译内核

chunli@ubuntu:~/H3$ cd linux/
chunli@ubuntu:~/H3/linux$ make sunxi_defconfig ARCH=arm CROSS_COMPILE=arm-linux-
chunli@ubuntu:~/H3/linux$ make zImage dtbs ARCH=arm CROSS_COMPILE=arm-linux- -j $(nproc)

升级内核

chunli@ubuntu:~/H3/linux$ scp arch/arm/boot/zImage root@192.168.88.xxx:/boot

下载 WireGuard工具源码

在开发板上执行

root@NanoPi-Duo2:~# git clone https://git.zx2c4.com/wireguard-tools
root@NanoPi-Duo2:~# cd wireguard-tools/src/
root@NanoPi-Duo2:~/wireguard-tools/src# make
root@NanoPi-Duo2:~/wireguard-tools/src# make install
root@NanoPi-Duo2:~/wireguard-tools/src# cp systemd/wg-quick@.service /lib/systemd/system/

配置

生成密钥对(私钥文件只应 root 可读,生成前先执行 umask 077;下面列出的密钥仅为演示,已随本文公开,切勿在真实环境中使用)

root@NanoPi-Duo2:~# mkdir WG
root@NanoPi-Duo2:~# cd WG/
root@NanoPi-Duo2:~/WG# wg genkey | tee 1_key | wg pubkey > 1_pub #当服务端
root@NanoPi-Duo2:~/WG# wg genkey | tee 2_key | wg pubkey > 2_pub #当客户端
root@NanoPi-Duo2:~/WG# wg genkey | tee 3_key | wg pubkey > 3_pub #当客户端

ELwuKfcwLtw8gZWgyQncwQeiD2C/aLCqm8mUhsojvXU= 1_key
JVEhESvPcHcfucxb0l+LkuerErD9/weF5svz7Nxem3o= 1_pub
aDFjfdYxZtVgbmEAK5WZGvI/0VRfvXMiVS1N47KkNUM= 2_key
lj8ReUNgwKlOkObG8OxU3qzQDQomVYCE9C+4pkIuX2k= 2_pub
aD6vxYtKIhKnmjgbRHx3dJ8xiQfvB2yGTY+jU8DidVQ= 3_key
Jwyvx2yEyA+u1gPc7EZtVvHiUf8kaMe2gpp7HPhLxw4= 3_pub

配置服务端

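服务端要打开转发(内核参数 net.ipv4.ip_forward=1)。下面的 PostUp 规则对进出 VPN 接口的转发流量一律放行,如需限制客户端可访问的网段,应把 ACCEPT 规则收窄到具体的源/目的地址。配置文件含私钥,权限应设为 600。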

root@NanoPi-Duo2:~/WG# mkdir -p /etc/wireguard/
root@NanoPi-Duo2:~/WG# vim /etc/wireguard/VPN.conf
[Interface]
PrivateKey = ELwuKfcwLtw8gZWgyQncwQeiD2C/aLCqm8mUhsojvXU=
PostUp = iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Address = 192.168.173.1/32
ListenPort = 65535
MTU = 1420

[peer]
PublicKey = lj8ReUNgwKlOkObG8OxU3qzQDQomVYCE9C+4pkIuX2k=
AllowedIPs = 192.168.173.100/32

[peer]
PublicKey = Jwyvx2yEyA+u1gPc7EZtVvHiUf8kaMe2gpp7HPhLxw4=
AllowedIPs = 192.168.173.101/32
root@NanoPi-Duo2:~#

服务端启动命令

root@NanoPi-Duo2:~# wg-quick up /etc/wireguard/VPN.conf
[#] ip link add VPN type wireguard
[#] wg setconf VPN /dev/fd/63
[#] ip -4 address add 192.168.173.1/32 dev VPN
[#] ip link set mtu 1420 up dev VPN
[#] ip -4 route add 192.168.173.101/32 dev VPN
[#] ip -4 route add 192.168.173.100/32 dev VPN
[#] iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@NanoPi-Duo2:~#

服务端关闭命令

root@NanoPi-Duo2:~# wg-quick down  /etc/wireguard/VPN.conf
[#] ip link delete dev VPN
[#] iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
root@NanoPi-Duo2:~#

作为系统服务

root@NanoPi-Duo2:~# systemctl  enable wg-quick@VPN
Created symlink from /etc/systemd/system/multi-user.target.wants/wg-quick@VPN.service to /lib/systemd/system/wg-quick@.service.
root@NanoPi-Duo2:~#
root@NanoPi-Duo2:~# systemctl restart wg-quick@VPN
root@NanoPi-Duo2:~#

定时重启服务

有的时候断网 N 小时,网络恢复后 WG 的 latest handshake 一直不更新(握手不成功),所以定时重启服务。

# 每小时重启 1 次 wg-quick 服务
# 每分钟检测网络的连通性:ping 完全收不到回复(或执行出错)时重启整机;该检测只依赖单个外部地址,此地址不可达时设备会反复重启
root@localhost:~# vim /etc/crontab

1 * * * * root /bin/systemctl restart wg-quick@VPN.service

* * * * * root /bin/ping -W 4 -c 30 180.76.76.76 || reboot
root@localhost:~#
root@localhost:~# systemctl restart cron

查看在线情况

root@NanoPi-Duo2:~# wg
interface: VPN
public key: JVEhESvPcHcfucxb0l+LkuerErD9/weF5svz7Nxem3o=
private key: (hidden)
listening port: 65535

peer: lj8ReUNgwKlOkObG8OxU3qzQDQomVYCE9C+4pkIuX2k=
endpoint: 127.0.0.1:37556
allowed ips: 192.168.173.100/32
latest handshake: 1 minute, 12 seconds ago
transfer: 48.16 KiB received, 49.53 KiB sent

peer: Jwyvx2yEyA+u1gPc7EZtVvHiUf8kaMe2gpp7HPhLxw4=
allowed ips: 192.168.173.101/32

客户端配置

client.conf

[Interface]
PrivateKey = aDFjfdYxZtVgbmEAK5WZGvI/0VRfvXMiVS1N47KkNUM=
Address = 192.168.173.100/24
MTU = 1420

[Peer]
PublicKey = JVEhESvPcHcfucxb0l+LkuerErD9/weF5svz7Nxem3o=
AllowedIPs = 192.168.88.0/24
Endpoint = FQDN:PORT
PersistentKeepalive = 25


-------------------------
解释:
PrivateKey :客户端的私钥(只保存在客户端本机)
Address :是客户端连接上来后,虚拟网卡的IP
MTU :网卡允许的最大 IP 报文长度。TCP 会据此协商分段大小(MSS);UDP、ICMP 不会自动协商 MTU。

Peer : 是远程端
PublicKey : 远程端的公钥
AllowedIPs : 本客户端欲访问xx网段,应该通过此网卡转发出去.用逗号隔开可写多个.
Endpoint : 远程的IP与端口
PersistentKeepalive : 握手周期,更准确地说是保活包的发送间隔(单位:秒),用于让 NAT/防火墙上的映射保持不过期