How to set up WireGuard

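⚠️ A few things to note:

  1. Set up the firewall rules
  2. Verify that the installation succeeded
  3. The Address in [Interface] and the AllowedIPs in [Peer] must be different
  4. The Endpoint in the client settings is your own server's IP address
  5. You can follow this YouTube video for the setup: https://www.youtube.com/watch?v=8H8886hVyNE
  6. This article exists mainly because a video is not a convenient place to show this much code

⚠️ I recommend moving nodes located in Hong Kong to nodes in other regions and countries such as Taiwan, Japan or Singapore!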

Set up firewall rules

Egress and Ingress rules

name

Target tags in and out

source ip ranges 0.0.0.0/0

Protocols and ports

Set up the server

Copy the IP address; you will need it in a moment

Connect to the server

Install WireGuard

Run apt update to get the latest packages

$ sudo -i
$ apt-get update

$ sudo apt-get install wireguard

Verify installation

$ modprobe wireguard && lsmod | grep wireguard

Generate private key, public key

$ sudo -i
$ cd /etc/wireguard
# Create the key files readable by root only
$ umask 077
$ wg genkey | tee server-privatekey | wg pubkey > server-publickey
$ wg genkey | tee client-privatekey | wg pubkey > client-publickey

Configure WireGuard Server

To get the network interface name, if you don't know it

$ ip a

Generate the wg0.conf file

Replace the main network interface name with your own; on GCP (Google Cloud) the default should be ens4

$ echo "
[Interface]
PrivateKey = $(cat server-privatekey)
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE
ListenPort = 50814

[Peer]
PublicKey = $(cat client-publickey)
AllowedIPs = 10.0.0.2/32 " > wg0.conf

Enable ipv4 forwarding

$ echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
$ sysctl -p

Configure client

Set MTU = 1360; otherwise Google websites may fail to open

Sorry, forgot to change the server IP; you need to replace the IP here with your own

$ echo "
[Interface]
PrivateKey = $(cat client-privatekey)
Address = 10.0.0.2/24
MTU = 1360
DNS = 1.1.1.1

[Peer]
PublicKey = $(cat server-publickey)
Endpoint = <your-own-ip>:50814
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25 " > client.conf

Start WireGuard

$ wg-quick up wg0

Export client settings

  1. Use a QR code; otherwise setting up a phone is very tedious

    $ apt install qrencode -y
    $ qrencode -t ansiutf8 < /etc/wireguard/client.conf
  2. Display the conf file using "cat"; this suits desktop clients

    $ cat /etc/wireguard/client.conf

Multiple users: you can do this before starting wg

Generate keys for the new client, using different file names

$ wg genkey | tee mac2-privatekey | wg pubkey > mac2-publickey

Echo the new peer to the wg0.conf file

$ echo "
[Peer]
PublicKey = $(cat mac2-publickey)
AllowedIPs = 10.0.0.4/32" >> wg0.conf

Echo the new client file

$ echo "
[Interface]
PrivateKey = $(cat mac2-privatekey)
Address = 10.0.0.4/24
DNS = 1.1.1.1
MTU = 1360

[Peer]
PublicKey = $(cat server-publickey)
Endpoint = 34.96.179.209:50814
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25 " > client1.conf
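
Before restarting, the server config can be checked for the mistakes this guide warns about: a peer's AllowedIPs equal to the [Interface] Address (note 3), an address reused across peers in the multi-user step, and a wg0.conf (which embeds the private key) that group or others can read. This is an added example, not part of the original post; the function name check_wg_conf and the sample config are constructed, and it assumes one address per Address/AllowedIPs line as in the configs above.

```sh
# Added example (not from the original post): audit a wg-quick server config.
# Assumes one address per Address/AllowedIPs line, as in the configs above.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_wg_conf() {
    conf=$1
    rc=0
    # The file embeds the server private key: no group/other access allowed.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERM: $conf is accessible to group/other (chmod 600 it)"
        rc=1
    fi
    # Host part of the [Interface] Address, e.g. 10.0.0.1/24 -> 10.0.0.1
    iface=$(awk -F'[ =/]+' '/^Address/ { print $2; exit }' "$conf")
    # Host part of every peer's AllowedIPs, one per line
    peers=$(awk -F'[ =/]+' '/^AllowedIPs/ { print $2 }' "$conf")
    # A peer must not be given the server's own tunnel address.
    for ip in $peers; do
        if [ "$ip" = "$iface" ]; then
            echo "CLASH: peer AllowedIPs $ip equals the [Interface] Address"
            rc=1
        fi
    done
    # An address listed for two peers ends up routed to only one of them.
    for ip in $(printf '%s\n' "$peers" | sort | uniq -d); do
        echo "DUP: AllowedIPs $ip is assigned to more than one peer"
        rc=1
    done
    return $rc
}

# Constructed sample: the second peer reuses 10.0.0.2 and the file is mode 644.
demo=$(mktemp -d)
cat > "$demo/wg0.conf" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER
Address = 10.0.0.1/24

[Peer]
PublicKey = CONSTRUCTED_PEER_A
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = CONSTRUCTED_PEER_B
AllowedIPs = 10.0.0.2/32
EOF
chmod 644 "$demo/wg0.conf"
check_wg_conf "$demo/wg0.conf" || true
rm -rf "$demo"
```

On the server, run it as `check_wg_conf /etc/wireguard/wg0.conf`; no output means none of the three problems was found.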

After generating the new user settings, it is best to stop wg and then restart it

$ wg-quick down wg0
$ wg-quick up wg0

Auto start at boot

$ systemctl enable wg-quick@wg0
$ systemctl start wg-quick@wg0

Author: UmeLabs

Published: 2020-07-03

Updated: 2021-08-26
