DN42入坑指南(二)建立基于wireguard的隧道通信

软件需求及功能

    wireguard   与对端建立隧道
    bird2       与对端基于隧道建立EBGP邻居

安装并使用wireguard创建隧道

#LEDE & openwrt 安装wireguard
    #这是官方的一篇安装教程:https://openwrt.org/docs/guide-user/services/vpn/wireguard/basic
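    opkg update && opkg install wireguard
    opkg install luci-proto-wireguard
    cd /root/ || exit 1
    # Generate the key pair under a restrictive umask so the private key file is
    # never created world-readable. The original used chmod +x here, which only
    # adds the execute bit and leaves the key readable by every local user.
    (umask 077; wg genkey | tee sprivatekey | wg pubkey > spublickey)
    chmod 600 sprivatekey
    chmod 644 spublickey
    # From here on the steps are much the same as on CentOS; follow the sections below.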

#centos7根据提示先升级内核,重启后再次执行安装wireguard(适用于centos7)
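    # Fetch the third-party installer to a fixed path and read it before running
    # it: it runs as root and, per the heading above, upgrades the kernel.
    wget -O /root/wireguard_install.sh https://raw.githubusercontent.com/atrandys/wireguard/master/wireguard_install.sh
    # wget does not set the execute bit, so invoking the path directly fails with
    # "Permission denied"; run the script through bash instead.
    bash /root/wireguard_install.sh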

#删除示例配置
    # Remove the example config; -f keeps this a no-op when the file is absent.
    rm -rf -- /etc/wireguard/wg0.conf

#关闭linux内核源路径验证 & 开启路由转发(这是非常重要的)
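    # Write each setting exactly once: re-running this step must not append
    # duplicate lines to /etc/sysctl.conf (the file otherwise grows on every run).
    # $1 - sysctl key, $2 - value
    sysctl_set() {
      local key=$1 value=$2
      if grep -q "^${key} *=" /etc/sysctl.conf 2>/dev/null; then
        sed -i "s|^${key} *=.*|${key} = ${value}|" /etc/sysctl.conf
      else
        printf '%s = %s\n' "$key" "$value" >> /etc/sysctl.conf
      fi
    }
    # Disable reverse-path filtering on the tunnel host (the heading marks this
    # as essential for the routed setup that follows).
    sysctl_set net.ipv4.conf.default.rp_filter 0
    sysctl_set net.ipv4.conf.all.rp_filter 0
    # Forward for both address families: the tunnel below carries IPv6 as well
    # (fe80:: link address, fd00::/8 in AllowedIPs), which ip_forward alone
    # does not cover.
    sysctl_set net.ipv4.ip_forward 1
    sysctl_set net.ipv6.conf.all.forwarding 1
    sysctl -p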

#确认自己的公钥及私钥(分别记录下来,后面有用)
    [root@DN42-SJ wireguard]# cat /etc/wireguard/sprivatekey 
    0FijSfzq/AU4tO4L568ACcFU9UMUlemPiuYkVW8lHV**
    [root@DN42-SJ wireguard]# cat /etc/wireguard/spublickey 
    XLqFy1tHzbRKcMbe6ExDwiaTo58Xm5C+ysPhyQKYKDE=

#创建wireguard隧道客户端配置文件
    [root@DN42-SJ wireguard]# cat /etc/wireguard/ZJG_4242421114.conf 
    # Loaded by the startup script below with 'wg setconf', so only plain
    # [Interface]/[Peer] keys belong here (wg-quick-only keys such as
    # Table/PostUp/Address are not accepted by wg). The file holds the private
    # key: keep it mode 0600.
    [Interface]
    # Your own server's private key (the value printed by 'cat sprivatekey' above).
    PrivateKey = 0FijSfzq/AU4tO4L568ACcFU9UMUlemPiuYkVW8lHV**
    ListenPort = 21114
    [Peer]
    # The peer's public key.
    PublicKey = vuOR2/DRyBrdrAMrti4jwO838S9jlNBbNi26zlMooz4=
    Endpoint = chi.us.dn42.fiatflux.is:51524
    # If you intend to run an IGP such as OSPF over this tunnel, AllowedIPs must
    # cover everything (AllowedIPs = 0.0.0.0/0,::/0), because OSPF uses multicast.
    # AllowedIPs decides which addresses are accepted from / routed to this peer;
    # repeated AllowedIPs lines are treated as cumulative here — verify against
    # your wg version.
    AllowedIPs = 172.16.0.0/12
    AllowedIPs = 10.0.0.0/8
    AllowedIPs = fd00::/8
    AllowedIPs = fe80::/10

#编写启动脚本,把下面的命令写进去
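    # Interface name; change it (and the matching config file name) in one place.
    ifname=ZJG_4242421114
    # Recreate the link from scratch so the script can be re-run: deleting the
    # link also drops its addresses, which is what the original 'ip addr del'
    # attempted before the device even existed (that call could only fail).
    ip link del dev "$ifname" 2>/dev/null || true
    ip link add dev "$ifname" type wireguard
    # Keys, listen port and peer come from the config file; it contains the
    # private key, so keep it mode 0600.
    wg setconf "$ifname" "/etc/wireguard/${ifname}.conf"
    ip addr add fe80::f816:3eff:fe16:3c43/64 dev "$ifname"
    # Point-to-point tunnel address: local /32 paired with the peer's /32.
    ip addr add 172.20.58.196/32 peer 172.20.6.249/32 dev "$ifname"
    ip link set "$ifname" up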

#验证隧道是否能够正常通信
[root@DN42-SJ ~]# ip a show ZJG_4242421114
6: ZJG_4242421114: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 172.20.58.196 peer 172.20.6.249/32 scope global ZJG_4242421114
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe16:3c43/64 scope link 
       valid_lft forever preferred_lft forever

[root@DN42-SJ ~]# ping 172.20.6.249
PING 172.20.6.249 (172.20.6.249) 56(84) bytes of data.
64 bytes from 172.20.6.249: icmp_seq=1 ttl=64 time=57.7 ms
64 bytes from 172.20.6.249: icmp_seq=2 ttl=64 time=57.7 ms
^C
--- 172.20.6.249 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 57.730/57.758/57.786/0.028 ms

Debian 11 安装 wireguard 并完成隧道配置

#第一:安装 wireguard
root@sj-vps:~# apt install wireguard -y

#第二:生成 publickey 与 privatekey(私钥自己好好保存)
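# Generate the key pair under a restrictive umask: tee creates the files with
# the process umask (commonly 022), which would leave privatekey readable by
# every local user. The public key is still echoed to stdout by the last tee.
(umask 077 && wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey)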

#第三:关闭linux内核源路径验证 & 开启路由转发(这是非常重要的)
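    # Write each setting exactly once: re-running this step must not append
    # duplicate lines to /etc/sysctl.conf (the file otherwise grows on every run).
    # $1 - sysctl key, $2 - value
    sysctl_set() {
      local key=$1 value=$2
      if grep -q "^${key} *=" /etc/sysctl.conf 2>/dev/null; then
        sed -i "s|^${key} *=.*|${key} = ${value}|" /etc/sysctl.conf
      else
        printf '%s = %s\n' "$key" "$value" >> /etc/sysctl.conf
      fi
    }
    # Disable reverse-path filtering on the tunnel host (the heading marks this
    # as essential for the routed setup that follows).
    sysctl_set net.ipv4.conf.default.rp_filter 0
    sysctl_set net.ipv4.conf.all.rp_filter 0
    # Forward for both address families so the same host also works for an
    # IPv6 peering; ip_forward alone covers only IPv4.
    sysctl_set net.ipv4.ip_forward 1
    sysctl_set net.ipv6.conf.all.forwarding 1
    sysctl -p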

#第四:配置隧道文件参数(cq_to_hk.conf 是新创建的文件)
root@sj-vps:/etc/wireguard# cat /etc/wireguard/cq_to_hk.conf 
# Brought up with wg-quick (see step five), so wg-quick keys are valid here.
# The file holds the private key: keep it mode 0600.
[Interface]
Table = off     # Required: without it wg-quick installs a route for every AllowedIPs prefix below, those routes can conflict with the ones the routing daemon (bird2) installs, and the interface then fails to come up.
# Placeholder: replace with the private key generated in step two.
PrivateKey = xxxxxxxxxxxxxx
ListenPort = 44195
# Runs after the link is up: assigns the point-to-point tunnel address
# (local /32 paired with the peer's /32) since Table = off leaves that to us.
PostUp = /sbin/ip addr add dev cq_to_hk 172.20.58.195/32 peer 172.20.58.193/32
[Peer]
PublicKey = NQ4X1LZ1p5PTs0uhr/8wq0ejKQB95DZAtUgHs+3y8C4=
# First entry is the peer's tunnel address (the one pinged in step five);
# the rest are the DN42 ranges accepted from / routed to this peer.
AllowedIPs = 172.20.58.193/32
AllowedIPs = 172.16.0.0/12
AllowedIPs = 10.0.0.0/8
Endpoint = dn42-hk.wsfnk.cf:44193

#第五:快速启动隧道接口,测试ping 对端隧道ip 测试连通性
# wg-quick also accepts the full config path; the interface name is taken from
# the file's basename, so this is the same as 'wg-quick up cq_to_hk'.
wg-quick up /etc/wireguard/cq_to_hk.conf

#第六:如何设置 开机自启动隧道接口
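  # Enable only the instance. wg-quick@.service is a template unit; enabling the
  # bare template name is either rejected or has no effect, and is not needed
  # for the instance below to start at boot.
  systemctl enable wg-quick@cq_to_hk.service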

#以后可以交给 systemd 控制
  # Either restart every wg-quick instance through the target ...
  systemctl restart wg-quick.target
  # ... or just this one tunnel.
  systemctl restart wg-quick@cq_to_hk.service
https://www.vultr.com/docs/configuring-bgp-using-quagga-on-vultr-centos-7

http://ad-technica.com/fastnetmon-exabgp-and-bgp-integration-for-ddos-mitigation-part-1/
http://liedaoshou.com/face-book/687.html
https://dn42.dev/howto/wireguard    
https://dn42.burble.com/peering

最后编辑于:2022/11/30作者: 辣条①号

