DN42入坑指南（二）建立基于wireguard的隧道通信

软件需求及功能

    wireguard   与对端建立隧道
    bird2       与对端基于隧道建立EBGP邻居

安装并使用wireguard创建隧道

#LEDE & openwrt 安装wireguard
    #这是官方的一篇安装教程：https://openwrt.org/docs/guide-user/services/vpn/wireguard/basic
    opkg update && opkg install wireguard
    opkg install luci-proto-wireguard
    cd /root/
    wg genkey | tee sprivatekey | wg pubkey > spublickey
    chmod +x sprivatekey
    chmod +x spublickey     #执行到这里，后面的差不多跟centos相差不大，可以按后面的教程执行

#centos7根据提示先升级内核，重启后再次执行安装wireguard（适用于centos7）
    wget https://raw.githubusercontent.com/atrandys/wireguard/master/wireguard_install.sh
    /root/wireguard_install.sh

#删除示例配置
    rm -rf /etc/wireguard/wg0.conf

#关闭linux内核源路径验证&已经路由转发（这是非常重要的）
    echo "net.ipv4.conf.default.rp_filter = 0" >> /etc/sysctl.conf
    echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.conf

    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    sysctl -p

#确认自己的公钥及私钥（分别记录下来，后面有用）
    [root@DN42-SJ wireguard]# cat /etc/wireguard/sprivatekey 
    0FijSfzq/AU4tO4L568ACcFU9UMUlemPiuYkVW8lHV**
    [root@DN42-SJ wireguard]# cat /etc/wireguard/spublickey 
    XLqFy1tHzbRKcMbe6ExDwiaTo58Xm5C+ysPhyQKYKDE=

#创建wireguard隧道客户端配置文件
    [root@DN42-SJ wireguard]# cat /etc/wireguard/ZJG_4242421114.conf 
    [Interface]
    #这里填写自己的服务器私钥
    PrivateKey = 0FijSfzq/AU4tO4L568ACcFU9UMUlemPiuYkVW8lHV**
    ListenPort = 21114
    [Peer]
    #这里填写对方的服务器公钥
    PublicKey = vuOR2/DRyBrdrAMrti4jwO838S9jlNBbNi26zlMooz4=
    Endpoint = chi.us.dn42.fiatflux.is:51524
    #注意若是你这里后面打算建立IGP协议，比如OSPF，这里必须允许所有IP  AllowedIPs = 0.0.0.0/0,::/0，因为ospf是多播协议
    AllowedIPs = 172.16.0.0/12
    AllowedIPs = 10.0.0.0/8
    AllowedIPs = fd00::/8
    AllowedIPs = fe80::/10

#编写启动脚本，把下面的命令写进去
    ip addr del dev ZJG_4242421114 172.20.58.196/32
    ip link add dev ZJG_4242421114 type wireguard
    wg setconf ZJG_4242421114 /etc/wireguard/ZJG_4242421114.conf
    ip addr add fe80::f816:3eff:fe16:3c43/64 dev ZJG_4242421114
    ip addr add 172.20.58.196/32 peer 172.20.6.249/32 dev ZJG_4242421114
    ip link set ZJG_4242421114 up

#验证隧道是否能够正常通信
[root@DN42-SJ ~]# ip a show ZJG_4242421114
6: ZJG_4242421114: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 172.20.58.196 peer 172.20.6.249/32 scope global ZJG_4242421114
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe16:3c43/64 scope link 
       valid_lft forever preferred_lft forever

[root@DN42-SJ ~]# ping 172.20.6.249
PING 172.20.6.249 (172.20.6.249) 56(84) bytes of data.
64 bytes from 172.20.6.249: icmp_seq=1 ttl=64 time=57.7 ms
64 bytes from 172.20.6.249: icmp_seq=2 ttl=64 time=57.7 ms
^C
--- 172.20.6.249 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 57.730/57.758/57.786/0.028 ms

CentOS9Stream 安装 wireguard

    dnf install wireguard-tools

Debian 11 安装 wireguard 并完成隧道配置

#第一：安装 wireguard
root@sj-vps:~# apt install wireguard -y

#第二：生成 publickey 与 privatekey（私钥自己好好保存）
wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey

#第三：关闭linux内核源路径验证 & 以及路由转发（这是非常重要的）
    echo "net.ipv4.conf.default.rp_filter = 0" >> /etc/sysctl.conf
    echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.conf

    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    sysctl -p

#第四：配置隧道文件参数（cq_to_hk.conf 是新创建的文件）
root@sj-vps:/etc/wireguard# cat /etc/wireguard/cq_to_hk.conf 
[Interface]
Table = off     #一定要加这条指令，不然下面 AllowedIPs的网段会被写成路由表，有冲突是就无法up，之前不知道一度把我弄得想放弃
PrivateKey = xxxxxxxxxxxxxx
ListenPort = 44195
PostUp = /sbin/ip addr add dev cq_to_hk 172.20.58.195/32 peer 172.20.58.193/32
#PostUp = /sbin/ip addr add dev %i 172.20.58.195/32 peer 172.20.58.193/32
[Peer]
PublicKey = NQ4X1LZ1p5PTs0uhr/8wq0ejKQB95DZAtUgHs+3y8C4=
AllowedIPs = 172.20.58.193/32
AllowedIPs = 172.16.0.0/12
AllowedIPs = 10.0.0.0/8
Endpoint = dn42-hk.wsfnk.cf:44193

===========若一端是内网ip，一端有公网ip=========
#有公网ip侧配置
root@ttk-vps:/etc/wireguard# cat cq_to_ttk.conf 
[Interface]
ListenPort = 2000
PrivateKey = cDzs/Kf2WO7/cczEXygMD7TxH1V6g1O9aCLt+i/DWs=
PostUp = /sbin/ip addr add dev %i 192.168.254.3/32 peer 192.168.254.1/32
Table = off
[Peer]
PublicKey = oYzscd9WHz2RC6YsA7w9NYlM9Y/gLxMCEXQt8H5z0s=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0

# 无公网ip，无法暴露端口侧配置
root@gateway-ddns-60:/etc/wireguard# cat cq_to_ttk.conf 
[Interface]
PrivateKey = WN/xrhGZfw0lV3/90MD61RM5jKHA+FiSMH28Oi/QnU=
PostUp = /sbin/ip addr add dev %i 192.168.254.1/32 peer 192.168.254.3/32
Table = off
[Peer]
PublicKey = qsx9i2vK+sG6di5HV1k4Jd2dfxdmSOMBlDDPr7seQc=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = dn42-ttk.wsfnk.cf:2000
=======================================

#第五：快速启动隧道接口，测试ping 对端隧道ip 测试连通性
wg-quick up cq_to_hk
# wg-quick down cq_to_hk  关闭端口 就是这样敲命令

#第六：如何设置 开机自启动隧道接口
  systemctl enable wg-quick@.service
  systemctl enable wg-quick@cq_to_hk.service

#以后可以交给 systemctld控制
  systemctl restart wg-quick.target
  或者
  systemctl restart wg-quick@cq_to_hk.service

https://www.vultr.com/docs/configuring-bgp-using-quagga-on-vultr-centos-7

http://ad-technica.com/fastnetmon-exabgp-and-bgp-integration-for-ddos-mitigation-part-1/
http://liedaoshou.com/face-book/687.html
https://dn42.dev/howto/wireguard    
https://dn42.burble.com/peering