WireGuard Configuration Tutorial

Posted by DEVIN on Sun, Jul 30, 2023

Run WireGuard VPN Server in Docker Container with Docker Compose - TechViewLeo – main reference
Building a virtual private network with WireGuard: WireGuard-based intranet (NAT) traversal~
Setting up WireGuard - Tencent Cloud Developer Community - Tencent Cloud

  • Public-network machine: IP=100.101.102.103, Name=TencentVM1
  • Private-network machine: IP=192.168.123.189, Name=LocalMint1

1. Server configuration

1.1. Install the wg-easy image

wg-easy/wg-easy: The easiest way to run WireGuard VPN + Web-based Admin UI.
Building a virtual private network with WireGuard: WireGuard-based intranet (NAT) traversal~
WireGuard full-mesh configuration guide – Cloud Native Lab (云原生实验室) - Kubernetes|Docker|Istio|Envoy|Hugo|Golang|Cloud Native

The newly created container gets an extra wg0 interface with the address 10.0.8.1; this interface is only visible inside the container.
The server's configuration files are stored under /opt/wg-easy. TCP port 51821 is used to reach the WebUI.

# WG_HOST: the server's public IP; PASSWORD: your WebUI password
# WG_DEFAULT_ADDRESS: default client address pattern; WG_DEFAULT_DNS: default DNS
# WG_ALLOWED_IPS: address range clients may reach; WG_PERSISTENT_KEEPALIVE: keepalive/reconnect interval (seconds)
docker run -d \
  --name=wg-easy \
  -e WG_HOST=123.123.123.123 \
  -e PASSWORD=passwd123 \
  -e WG_DEFAULT_ADDRESS=10.0.8.x \
  -e WG_DEFAULT_DNS=114.114.114.114 \
  -e WG_ALLOWED_IPS=10.0.8.0/24 \
  -e WG_PERSISTENT_KEEPALIVE=25 \
  -v /opt/wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  weejewel/wg-easy

1.2. Install the linuxserver/wireguard image (wg-easy is recommended instead)

# Install docker-compose
sudo curl -L "https://github.com/docker/compose/releases/download/v2.19.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod 755 /usr/local/bin/docker-compose
docker-compose version

sudo mkdir /opt/wireguard-server
cd /opt/wireguard-server
vim docker-compose.yaml # the yaml needs the container name and the server address
docker compose up -d

# Check the WireGuard server's status
docker exec -it wireguard wg
docker exec -it wireguard /bin/bash

# Other docker compose commands
docker compose start wireguard
docker compose restart wireguard
docker compose ps

1.2.1. Directory structure of the configuration files

ubuntu@VM-4-3-ubuntu:/opt/wireguard-server $ tree
.
├── config
│   ├── coredns
│   │   └── Corefile
│   ├── peer1
│   │   ├── peer1.conf
│   │   ├── peer1.png
│   │   ├── presharedkey-peer1
│   │   ├── privatekey-peer1
│   │   └── publickey-peer1
│   ├── server
│   │   ├── privatekey-server
│   │   └── publickey-server
│   ├── templates
│   │   ├── peer.conf
│   │   └── server.conf
│   └── wg0.conf
└── docker-compose.yaml

5 directories, 12 files

1.2.2. Server configuration file

#/opt/wireguard-server/config/wg0.conf

[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = UIx5/v...
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer1
PublicKey = x4iD6...
PresharedKey = OCjHe...
AllowedIPs = 10.13.13.2/32

[Peer]
# peer2
PublicKey = 91rwZ...
PresharedKey = /lOtI...
AllowedIPs = 10.13.13.3/32

Interface
This block configures the local interface:
Address is the local IP address on the VPN link.
ListenPort: as a server you must declare a port to listen on. WireGuard uses UDP and any port number may be used here, but the firewall must allow that UDP port.
PrivateKey is the private key generated in the previous step.

Peer
This block describes the remote end; for several remote ends, add several Peer blocks. On the server, each Peer block defines one client that is allowed to connect:
PublicKey is the peer's public key.
AllowedIPs is explained in the routing configuration section.

1.2.3. Client configuration file

#/opt/wireguard-server/config/peer1/peer1.conf

[Interface]
Address = 10.13.13.2
PrivateKey = kGaLz...
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = T2i88...
PresharedKey = OCjHe...
Endpoint = 100.101.102.103:51820
AllowedIPs = 0.0.0.0/0

Where the client differs from the server:
The Interface section does not need a ListenPort.
Its Peer is the server itself; compared with the server's Peer block it has an extra Endpoint.

1.2.4. Docker Compose configuration file

#/opt/wireguard-server/docker-compose.yaml
# The `SERVERURL` field must be changed
# With `PEERS=8`, configuration files for 8 peers are generated

version: '3.7'
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Africa/Nairobi #set correct timezone
      - SERVERPORT=51820 #optional
      - PEERS=1 #optional
      - PEERDNS=auto #optional
      - ALLOWEDIPS=0.0.0.0/0 #Peer addresses allowed
      - INTERNAL_SUBNET=10.13.13.0/24 #Subnet used in VPN tunnel
      - SERVERURL=100.101.102.103 #Wireguard VPN server address
    volumes:
      - /opt/wireguard-server/config:/config
      - /usr/src:/usr/src # location of kernel headers
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: always

1.3. Firewall settings

Tencent Cloud server firewall settings

The following does not seem to be strictly necessary?

### on Redhat Based ###
sudo firewall-cmd --permanent --add-port=51820/udp
sudo firewall-cmd --reload

### On Debian Based ###
sudo apt install ufw
sudo ufw allow 51820/udp

2. Client configuration

2.1. Install WireGuard

2.1.1. Kernel version newer than 5.6

sudo apt install -y wireguard openresolv

2.1.2. Kernel version 4.19

WireGuard whitepaper guided reading, part 3 - Zhihu

sudo apt-get install -y wireguard-dkms wireguard-tools linux-headers-$(uname -r)
# Manual setup of the interface
sudo ip link add dev wg0 type wireguard
sudo ip address add dev wg0 192.168.1.1/32
sudo wg set wg0 listen-port 6789 private-key /etc/wireguard/privatekey
sudo ip link set wg0 up
# Or bring it up from /etc/wireguard/wg0.conf instead (wg-quick creates wg0 itself)
sudo wg-quick up wg0

In actual testing the following error was reported and remains unresolved:

$ sudo ip link add dev wg0 type wireguard
RTNETLINK answers: Operation not supported

2.2. Copy the configuration file and start

2.2.1. VM-type client

# Copy the configuration file from the server to the client
scp /opt/wireguard-server/config/peer1/peer1.conf username@serverIP:~/peer1.conf
sudo mv ~/peer1.conf /etc/wireguard/wg0.conf

# Start the service automatically at boot
sudo systemctl enable wg-quick@wg0
sudo reboot

# Check the status
systemctl status wg-quick@wg0
ip ad
ifconfig
ping 10.13.13.1

# Now check on the server side; the peer should show up as connected
docker exec -it wireguard wg

wg-quick up wg0 automatically looks for the configuration file /etc/wireguard/wg0.conf

$ systemctl cat wg-quick@wg0
# /lib/systemd/system/wg-quick@.service
[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-quick.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
Documentation=https://www.wireguard.com/
Documentation=https://www.wireguard.com/quickstart/
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity

[Install]
WantedBy=multi-user.target

2.2.2. Container-type client

Some services cannot be enabled at boot; for example, systemctl enable wg-quick@wg0 cannot be run.

## Configure the VPN; download the configuration file from the wg-easy WebUI
vim ~/wg0.conf
sudo wg-quick up ~/wg0.conf
# If wg-quick reports that wg0 already exists (wg-quick: `wg0' already exists), run the next line
#sudo ip link delete dev wg0

Some network-interface commands

sudo ip link add wg0 type wireguard
sudo ip link delete dev wg0
sudo ip link set up dev wg0
sudo ifconfig wg0 up
ifconfig

3. Adding more nodes

# Edit on the server side
$ sudo vim /opt/wireguard-server/config/wg0.conf
# append a new [Peer] block:
[Peer]
# peer2
PublicKey = 7ANB0SuBUsnetjqHrL99YIhpbqetJ9yYy0CRsNiuzls=
PresharedKey = gbMDUgQM7levlYLcwhyf1E1dHF/PG489UGeeSHr7tro=
AllowedIPs = 10.13.13.3/32
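As an added example (not part of the original tutorial or of wg-easy/linuxserver), a small Python checker for the wg0.conf layout explained in 1.2.2 and for the peer-adding step in section 3: it parses the [Interface]/[Peer] sections, verifies the server has a ListenPort, that keys are complete 32-byte base64 values rather than truncated copies, that no server-side peer gets a 0.0.0.0/0 default route or an AllowedIPs range overlapping another peer, and picks the next free tunnel address for a new [Peer] block. The sample config and its keys are constructed dummies.

```python
import re, ipaddress

# Constructed sample in the shape of /opt/wireguard-server/config/wg0.conf above (dummy keys).
SERVER_CONF = (f"[Interface]\nAddress = 10.13.13.1\nListenPort = 51820\nPrivateKey = {'A' * 43}=\n\n"
               f"[Peer]\n# peer1\nPublicKey = {'A' * 42}E=\nAllowedIPs = 10.13.13.2/32\n")

def parse(conf):
    """Split wg(8)-style INI text into (interface dict, list of peer dicts)."""
    iface, peers, cur = {}, [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            peers.append(cur := {})
        elif line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return iface, peers

def is_key(s):   # a 32-byte WireGuard key is exactly 44 chars of base64 with one '=' pad
    return re.fullmatch(r"[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=", s) is not None

def allowed_nets(peer):
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in peer.get("AllowedIPs", "").split(",") if c.strip()]

def check_server(conf):
    """Problems found in a server wg0.conf; an empty list means it passes."""
    iface, peers = parse(conf)
    problems = [] if "ListenPort" in iface else ["server Interface needs a ListenPort"]
    if not is_key(iface.get("PrivateKey", "")):
        problems.append("Interface PrivateKey is not a 32-byte base64 key (truncated?)")
    seen = []
    for n, p in enumerate(peers, 1):
        if not is_key(p.get("PublicKey", "")):
            problems.append(f"peer {n}: missing or malformed PublicKey")
        for net in allowed_nets(p):
            if net.prefixlen == 0:   # 0.0.0.0/0 belongs in the client config, never on a server peer
                problems.append(f"peer {n}: AllowedIPs {net} is a default route")
            if any(net.overlaps(s) for s in seen):
                problems.append(f"peer {n}: AllowedIPs {net} overlaps another peer")
            seen.append(net)
    return problems

def next_peer_ip(conf, subnet="10.13.13.0/24"):   # lowest free host for a new [Peer]
    iface, peers = parse(conf)
    used = {ipaddress.ip_interface(iface["Address"]).ip}
    used.update(n.network_address for p in peers for n in allowed_nets(p))
    return next(f"{h}/32" for h in ipaddress.ip_network(subnet).hosts() if h not in used)
```

Run check_server over the real wg0.conf after every edit; next_peer_ip(SERVER_CONF) yields 10.13.13.3/32, the address the tutorial hands to peer2.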