编译

环境准备

1
2
3
4
5
chunli@ubuntu:~$ sudo apt-get install make
chunli@ubuntu:~$ sudo apt-get install make-guile
chunli@ubuntu:~$ sudo apt-get install build-essential
chunli@ubuntu:~$ sudo apt-get install ncurses-dev
chunli@ubuntu:~$ sudo apt-get install u-boot-tools
1
2
chunli@ubuntu:~$ mkdir H3
chunli@ubuntu:~$ cd H3/

交叉编译器:

1
2
3
4
5
6
7
8
9
10
11
chunli@ubuntu:~/H3$ wget https://github.com/pdtechvn/toolschain/raw/master/arm-cortexa9-linux-gnueabihf-4.9.3.tar.xz
chunli@ubuntu:~/H3$ tar xf arm-cortexa9-linux-gnueabihf-4.9.3.tar.xz
chunli@ubuntu:~/H3$ vim ~/.bashrc #尾行追加
export PATH=/home/chunli/H3/4.9.3/bin:$PATH
export GCC_COLORS=auto

chunli@ubuntu:~/H3$ . ~/.bashrc #重载环境变量
chunli@ubuntu:~/H3$ arm-linux-gcc -v #测试
.......
gcc version 4.9.3 (ctng-1.21.0-229g-FA)
chunli@ubuntu:~/H3$

下载 Nanopi Duo2 内核

下载 WireGuard内核源码

1
2
chunli@ubuntu:~/H3$ git clone https://github.com/friendlyarm/linux.git -b sunxi-4.14.y --depth 1
chunli@ubuntu:~/H3$ git clone https://git.zx2c4.com/wireguard-linux-compat

更换WireGuard源代码

1
2
3
4
5
6
7
8
9
10
11
chunli@ubuntu:~/H3$ touch linux/.scmversion
chunli@ubuntu:~/H3$ vim linux/arch/arm/configs/sunxi_defconfig
删除行 # CONFIG_WIREGUARD is not set
新增行 CONFIG_WIREGUARD=y
新增行 CONFIG_WIREGUARD_DEBUG=y

chunli@ubuntu:~/H3$ rm -rf linux/net/wireguard/
chunli@ubuntu:~/H3$ ./wireguard-linux-compat/kernel-tree-scripts/jury-rig.sh linux/ #使用最新的内核代码
chunli@ubuntu:~/H3$ ll linux/net/wireguard
lrwxrwxrwx 1 chunli chunli 42 Mar 30 21:12 linux/net/wireguard -> /home/chunli/H3/wireguard-linux-compat/src/
chunli@ubuntu:~/H3$

编译内核

1
2
3
chunli@ubuntu:~/H3$ cd linux/
chunli@ubuntu:~/H3/linux$ make sunxi_defconfig ARCH=arm CROSS_COMPILE=arm-linux-
chunli@ubuntu:~/H3/linux$ make zImage dtbs ARCH=arm CROSS_COMPILE=arm-linux- -j $(nproc)

升级内核

1
chunli@ubuntu:~/H3/linux$ scp arch/arm/boot/zImage root@192.168.88.xxx:/boot

下载 WireGuard工具源码

在开发板上执行

1
2
3
4
5
root@NanoPi-Duo2:~# git clone https://git.zx2c4.com/wireguard-tools
root@NanoPi-Duo2:~# cd wireguard-tools/src/
root@NanoPi-Duo2:~/wireguard-tools/src# make
root@NanoPi-Duo2:~/wireguard-tools/src# make install
root@NanoPi-Duo2:~/wireguard-tools/src# cp systemd/wg-quick@.service /lib/systemd/system/

配置

生成秘钥对

1
2
3
4
5
6
7
8
9
10
11
12
root@NanoPi-Duo2:~# mkdir WG
root@NanoPi-Duo2:~# cd WG/
root@NanoPi-Duo2:~/WG# wg genkey | tee 1_key | wg pubkey > 1_pub #当服务端
root@NanoPi-Duo2:~/WG# wg genkey | tee 2_key | wg pubkey > 2_pub #当客户端
root@NanoPi-Duo2:~/WG# wg genkey | tee 3_key | wg pubkey > 3_pub #当客户端

ELwuKfcwLtw8gZWgyQncwQeiD2C/aLCqm8mUhsojvXU= 1_key
JVEhESvPcHcfucxb0l+LkuerErD9/weF5svz7Nxem3o= 1_pub
aDFjfdYxZtVgbmEAK5WZGvI/0VRfvXMiVS1N47KkNUM= 2_key
lj8ReUNgwKlOkObG8OxU3qzQDQomVYCE9C+4pkIuX2k= 2_pub
aD6vxYtKIhKnmjgbRHx3dJ8xiQfvB2yGTY+jU8DidVQ= 3_key
Jwyvx2yEyA+u1gPc7EZtVvHiUf8kaMe2gpp7HPhLxw4= 3_pub

配置服务端

服务端要打开转发

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@NanoPi-Duo2:~/WG# mkdir -p /etc/wireguard/
root@NanoPi-Duo2:~/WG# vim /etc/wireguard/VPN.conf
[Interface]
PrivateKey = ELwuKfcwLtw8gZWgyQncwQeiD2C/aLCqm8mUhsojvXU=
PostUp = iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Address = 192.168.173.1/32
ListenPort = 65535
MTU = 1420

[peer]
PublicKey = lj8ReUNgwKlOkObG8OxU3qzQDQomVYCE9C+4pkIuX2k=
AllowedIPs = 192.168.173.100/32

[peer]
PublicKey = Jwyvx2yEyA+u1gPc7EZtVvHiUf8kaMe2gpp7HPhLxw4=
AllowedIPs = 192.168.173.101/32
root@NanoPi-Duo2:~#

服务端启动命

1
2
3
4
5
6
7
8
9
root@NanoPi-Duo2:~# wg-quick up /etc/wireguard/VPN.conf
[#] ip link add VPN type wireguard
[#] wg setconf VPN /dev/fd/63
[#] ip -4 address add 192.168.173.1/32 dev VPN
[#] ip link set mtu 1420 up dev VPN
[#] ip -4 route add 192.168.173.101/32 dev VPN
[#] ip -4 route add 192.168.173.100/32 dev VPN
[#] iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@NanoPi-Duo2:~#

服务端关闭命令

1
2
3
4
root@NanoPi-Duo2:~# wg-quick down  /etc/wireguard/VPN.conf
[#] ip link delete dev VPN
[#] iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
root@NanoPi-Duo2:~#

作为系统服务

1
2
3
4
5
root@NanoPi-Duo2:~# systemctl  enable wg-quick@VPN
Created symlink from /etc/systemd/system/multi-user.target.wants/wg-quick@VPN.service to /lib/systemd/system/wg-quick@.service.
root@NanoPi-Duo2:~#
root@NanoPi-Duo2:~# systemctl restart wg-quick@VPN
root@NanoPi-Duo2:~#

定时重启服务

有的时候 断网N小时, 网络恢复后.WG latest handshake 一直状态不成功.

1
2
3
4
5
6
7
8
9
# 每小时 重启1次
# 检测网路的连通性
root@localhost:~# vim /etc/crontab

1 * * * * root /bin/systemctl restart wg-quick@VPN.service

* * * * * root /bin/ping -W 4 -c 30 180.76.76.76 || reboot
root@localhost:~#
root@localhost:~# systemctl restart cron

查看在线情况

1
2
3
4
5
6
7
8
9
10
11
12
13
14
root@NanoPi-Duo2:~# wg
interface: VPN
public key: JVEhESvPcHcfucxb0l+LkuerErD9/weF5svz7Nxem3o=
private key: (hidden)
listening port: 65535

peer: lj8ReUNgwKlOkObG8OxU3qzQDQomVYCE9C+4pkIuX2k=
endpoint: 127.0.0.1:37556
allowed ips: 192.168.173.100/32
latest handshake: 1 minute, 12 seconds ago
transfer: 48.16 KiB received, 49.53 KiB sent

peer: Jwyvx2yEyA+u1gPc7EZtVvHiUf8kaMe2gpp7HPhLxw4=
allowed ips: 192.168.173.101/32

客户端配置

client.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
[Interface]
PrivateKey = aDFjfdYxZtVgbmEAK5WZGvI/0VRfvXMiVS1N47KkNUM=
Address = 192.168.173.100/24
MTU = 1420

[Peer]
PublicKey = JVEhESvPcHcfucxb0l+LkuerErD9/weF5svz7Nxem3o=
AllowedIPs = 192.168.88.0/24
Endpoint = FQDN:PORT
PersistentKeepalive = 25


-------------------------
解释:
PrivateKey :客户端的秘钥
Address :是客户端连接上来后,虚拟网卡的IP
MTU :是网卡最大IP报文长度, TCP有效, UDP,ICMP 不会自动协商MTU.

Peer : 是远程端
PublicKey : 远程端的公钥
AllowedIPs : 本客户端欲访问xx网段,应该通过此网卡转发出去.用逗号隔开可写多个.
Endpoint : 远程的IP与端口
PersistentKeepalive : 握手周期