天津测试环境

生成公钥与私钥

wg genkey | tee /etc/wireguard/key/company/company-privatekey | wg pubkey > /etc/wireguard/key/company/company-publickey

Peer-client 配置,作为客户端访问各资源池

cat > /etc/wireguard/company/company-client.conf <<EOF
[Interface]
PrivateKey = $(cat /etc/wireguard/key/peer-client-privatekey)
Address = 10.1.0.253/24

[Peer]
PublicKey = $(cat /etc/wireguard/key/gw-publickey)
AllowedIPs = 10.1.0.0/24,10.20.5.0/24,172.38.0.0/16
Endpoint = $(curl -s ip.sb):16000
PersistentKeepalive = 10
EOF

中继服务器配置

带公网的 Peer 配置文件,该 Peer 作为中继服务器,负责连通访问客户端和所有资源池

cat > /etc/wireguard/company-wg.conf <<EOF
[Interface]
ListenPort = 16000
Address = 10.1.0.254/24
PrivateKey = $(cat /etc/wireguard/key/gw-privatekey)
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
# 客户端
PublicKey = $(cat /etc/wireguard/key/peer-client-publickey)
AllowedIPs = 10.1.0.253/32

[Peer]
# 公司
PublicKey = $(cat /etc/wireguard/key/company/company-publickey)
AllowedIPs = 10.1.0.1/32, 172.38.0.0/16, 10.20.5.0/24
EOF

Peer company 公司 配置文件

cat > /etc/wireguard/company/company.conf <<EOF
[Interface]
PrivateKey = $(cat /etc/wireguard/key/company/company-privatekey)
Address = 10.1.0.1/24
# 其他的 Peer,同样需要开启转发以访问内网设备
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens33 -j MASQUERADE

[Peer]
PublicKey = $(cat /etc/wireguard/key/gw-publickey)
AllowedIPs = 10.1.0.0/24, 192.168.0.0/24
Endpoint = $(curl -s ip.sb):16000
PersistentKeepalive = 10
EOF

最后修改 April 19, 2024: nping, ssh, tun device, wireguard, clear up (10f5df97)