wireguard config
$ sudo apt-get install linux-headers-$(uname -r)
$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard
$ sudo modprobe wireguard
$ sudo mkdir /etc/wireguard
$ (umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
$ wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
$ sudo nano /etc/wireguard/wg0.conf
=====server side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <server privkey>
ListenPort = 24444
SaveConfig = false
Address = 10.0.0.1/32
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <get client pubkey from sudo wg>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <get client pubkey from sudo wg>
AllowedIPs = 10.0.0.3/32
======clientA side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <clientA privkey>
Address = 10.0.0.3/32
[Peer]
PublicKey = <get server pubkey from sudo wg>
Endpoint = <server ip>:24444
AllowedIPs = 0.0.0.0/0
======clientB side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <clientB privkey>
Address = 10.0.0.2/32
[Peer]
PublicKey = <get server pubkey from server sudo wg>
Endpoint = <server ip>:24444
AllowedIPs = 0.0.0.0/0
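Two things go wrong silently with configs like the ones above: the private key file ends up readable by other users (the `umask 077` in the key-generation step is there to prevent exactly that), and two [Peer] blocks on the server claim the same AllowedIPs, in which case WireGuard's cryptokey routing hands the address to whichever peer was added last and the other client is simply unreachable. The following POSIX sh script is an added example written for this page, not code from the gist; it runs the two checks over constructed sample configs (placeholder keys, a deliberate duplicate 10.0.0.2/32 in the "bad" sample) using only awk and ls, so it runs anywhere without wg installed.

```shell
#!/bin/sh
# Added example (not part of the gist): static checks for a WireGuard
# server config before `wg-quick up`. POSIX sh + awk only.
set -u

# Constructed sample with a deliberate mistake: both peers claim
# 10.0.0.2/32. WireGuard maps each allowed IP to at most one peer, so
# the second [Peer] silently takes the route away from the first.
SAMPLE_BAD='[Interface]
PrivateKey = <server privkey>
ListenPort = 24444
Address = 10.0.0.1/32

[Peer]
PublicKey = <clientB pubkey>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <clientA pubkey>
AllowedIPs = 10.0.0.2/32, 10.0.0.3/32   # trailing comment, as wg(8) allows
'

# Constructed sample that mirrors the server config in the gist.
SAMPLE_GOOD='[Interface]
PrivateKey = <server privkey>
ListenPort = 24444
Address = 10.0.0.1/32

[Peer]
PublicKey = <clientB pubkey>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <clientA pubkey>
AllowedIPs = 10.0.0.3/32
'

# Print "peer_index allowed_ip" pairs, one per line, for every [Peer].
# "#..." comments are stripped the way wg(8) does; comma lists are split.
peer_allowed_ips() {  # $1 = config file
    awk '
        { sub(/#.*/, ""); sub(/[ \t]+$/, ""); }
        /^[ \t]*\[Peer\]/ { peer++; next }
        peer && $0 ~ /^[ \t]*AllowedIPs[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "");
            n = split($0, ips, /[ \t]*,[ \t]*/);
            for (i = 1; i <= n; i++) if (ips[i] != "") print peer, ips[i];
        }
    ' "$1"
}

# Return 0 when every AllowedIP belongs to exactly one peer; otherwise
# print the prefixes claimed twice on stderr and return 1.
check_unique_allowed_ips() {  # $1 = config file
    dups=$(peer_allowed_ips "$1" | awk '{ print $2 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'AllowedIPs claimed by more than one peer: %s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Return 0 when group/other have no permission bits at all (0600-style),
# i.e. what `umask 077` produces when wg0.conf is first written.
check_private_mode() {  # $1 = config file
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Write sample content to a temp file with the given octal mode; print the path.
write_sample() {  # $1 = content, $2 = octal mode
    f=$(mktemp)
    printf '%s' "$1" > "$f"
    chmod "$2" "$f"
    printf '%s' "$f"
}

# Demo: run both checks on the bad (world-readable) and good (0600) samples.
run_demo() {
    bad=$(write_sample "$SAMPLE_BAD" 644)
    good=$(write_sample "$SAMPLE_GOOD" 600)
    for f in "$bad" "$good"; do
        check_unique_allowed_ips "$f" && echo "$f: AllowedIPs OK"
        check_private_mode "$f" && echo "$f: mode OK" || echo "$f: mode too open"
    done
    rm -f "$bad" "$good"
}
```

Point it at a real file with `check_unique_allowed_ips /etc/wireguard/wg0.conf` (as root, since the file should be unreadable to anyone else) before bringing the interface up; `sudo wg show` afterwards confirms which peer actually owns each allowed IP.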
======test:
====from cellphone a:
ping 10.0.0.1
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=163 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=172 ms
ping 10.0.0.2
64 bytes from 10.0.0.2: icmp_seq=3 ttl=63 time=351 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=63 time=349 ms
====from vps:
ping 10.0.0.2
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=187 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=185 ms
ping 10.0.0.3
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=172 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=179 ms
==========================split china traffic and non-china traffic with wireguard and ip route:
======client side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <client privkey>
Address = 10.0.0.3/32
PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <get server pubkey from server sudo wg> allowed-ips 0.0.0.0/0
PostDown = ip route del 10.0.0.0/24 dev wg0
[Peer]
PublicKey = <get server pubkey from server sudo wg>
Endpoint = <server ip>:24444
#AllowedIPs = 0.0.0.0/0
#kept commented out on purpose: with AllowedIPs = 0.0.0.0/0 wg-quick would route everything into the tunnel; instead PostUp grants 0.0.0.0/0 on the running interface via `wg set`, and only the /16 routes added by the script below go through wg0
======dns2https.php script:
resolve the domain name and check whether the IP is in the china ip ranges database;
if it is not in china and its first two octets differ from those of <server ip>, then exec: "ip route add xxx.xxx.0.0/16 dev wg0"
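The dns2https.php script itself is not in the gist, so here is the same decision written as an added POSIX sh example (not the author's code): a CIDR-membership test done with shell arithmetic, a constructed three-entry stand-in for the China IP-range database, and the route decision with the "first two octets must differ from <server ip>" guard. That guard matters: a /16 route covering the VPS itself would send the tunnel's own encrypted packets back into wg0 and loop. `SERVER_IP` is a placeholder from the documentation range; the function prints the `ip route add` command instead of running it so the example is side-effect free.

```shell
#!/bin/sh
# Added example (not part of the gist): the per-IP decision made by the
# dns2https.php script, in POSIX sh. All data below is constructed.

# Constructed stand-in for the "china ip ranges database"; a real list
# has thousands of prefixes, these three are made up for the demo.
CHINA_RANGES='1.0.1.0/24
36.0.0.0/10
101.80.0.0/12'

# Placeholder for <server ip> (documentation range, not a real host).
SERVER_IP='203.0.113.10'

# dotted quad -> 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is $1 (dotted quad) inside $2 (a.b.c.d/len)?  exit 0 = yes, 1 = no
in_cidr() {
    net=${2%/*}; len=${2#*/}
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Is $1 inside any prefix of the database?  exit 0 = yes, 1 = no
is_china_ip() {
    for r in $CHINA_RANGES; do
        in_cidr "$1" "$r" && return 0
    done
    return 1
}

# Print the route command the script would exec for $1, or nothing when
# the address should stay on the direct path.  Exit codes:
#   0 = route printed, 1 = china IP (direct), 2 = shares /16 with the VPS
route_decision() {
    ip=$1
    if is_china_ip "$ip"; then
        return 1
    fi
    # Guard against a routing loop: the /16 containing the tunnel
    # endpoint must never be sent into the tunnel.
    if [ "${ip%.*.*}" = "${SERVER_IP%.*.*}" ]; then
        return 2
    fi
    echo "ip route add ${ip%.*.*}.0.0/16 dev wg0"
}

# Demo over a few constructed lookups.
run_demo() {
    for ip in 1.0.1.7 36.1.2.3 104.24.20.50 "$SERVER_IP"; do
        cmd=$(route_decision "$ip") && echo "$ip -> $cmd" || echo "$ip -> direct (code $?)"
    done
}
```

In the real script the printed command is executed as root after each DNS answer, which is why the /16 granularity is coarse but cheap: one route per non-China /16 rather than one per host. Routes added this way are not removed by `wg-quick down`, so PostDown needs to clean them up or the host should be rebooted between experiments.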
============================nat traverse between office and home, and x11vnc connection:
=====office ubuntu:
$cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <office privkey>
Address = 10.0.0.3/32
PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <vps pubkey> allowed-ips 0.0.0.0/0
PostDown = ip route del 10.0.0.0/24 dev wg0
[Peer]
#10.0.0.1
PublicKey = <vps pubkey>
Endpoint = <vps ip>:24444
#AllowedIPs = 0.0.0.0/0
[Peer]
#10.0.0.5 home
PublicKey = <home pubkey>
Endpoint = <home wan ip>:<home wan port get from stun command below>
AllowedIPs = 10.0.0.5/32
$sudo wg-quick down wg0 ; sudo wg-quick up wg0
$nohup /usr/local/bin/x11vnc -repeat -multiptr -loop -display :0 >/dev/null 2>&1 &
=====home ubuntu:
$stun stun.counterpath.net:3478
Primary: Independent Mapping, Address Dependendent Filter
...
(Independent Mapping, Independent Filter = Full Cone
Independent Mapping, Address Dependent Filter = Restricted Cone
Independent Mapping, Port Dependent Filter = Port Restricted Cone
Dependent Mapping = Symmetric
)
$cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <home privkey>
Address = 10.0.0.5/32
ListenPort = 24447
PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <vps pubkey> allowed-ips 0.0.0.0/0
PostDown = ip route del 10.0.0.0/24 dev wg0
[Peer]
PublicKey = <vps pubkey>
Endpoint = <vps ip>:24444
#AllowedIPs = 0.0.0.0/0
[Peer]
PublicKey = <office pubkey>
Endpoint = <office wan ip>:10000
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 60 #keeps sending packets so the office wireguard is allowed through my home NAT; alternatively: ping 10.0.0.3
$sudo wg-quick down wg0
$stun -v -p 24447 stun.counterpath.net:3478 2>&1 | grep MappedAddress | head -n 1
MappedAddress = <home wan ip>:<home wan port>
$stun -p 24447 <office wan ip>:10000
#sends the initial packet from port 24447 so the home NAT opens a mapping that lets the office wireguard in
$sudo wg-quick up wg0
$ping 10.0.0.3
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=7.51 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=7.73 ms
#before the NAT traversal, when office traffic went via the VPS, the RTT was 351 ms
$xtightvncviewer 10.0.0.3:0
#now I can access my office Ubuntu desktop (x11vnc server) directly
===============================wireguard over udp2raw:
========client A:
$wget https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz
$tar xzvf udp2raw_binaries.tar.gz
$sudo cp udp2raw_amd64 /usr/bin/
$sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r<server ip>:24447 -a
$cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <client privkey>
Address = 10.0.0.3/32
ListenPort = 24447
MTU = 1300
PostUp = ip route add 10.0.0.0/24 dev wg0 && ip route add <server_ip> via $(ip route | awk '$1=="default" {print $3}')
PostDown = ip route del 10.0.0.0/24 dev wg0
[Peer]
#10.0.0.1
PublicKey = <server pubkey>
Endpoint = 127.0.0.2:24448
AllowedIPs = 0.0.0.0/0
$sudo wg-quick down wg0 ; sudo wg-quick up wg0
$ping 10.0.0.1
64 bytes from 10.0.0.1: icmp_seq=2113 ttl=64 time=183 ms
$sudo ip route add 104.24.0.0/16 dev wg0
$ping myip.ipip.net
PING myip.ipip.net (104.24.20.50) 56(84) bytes of data.
64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms
$curl http://myip.ipip.net
IP:<server ip>
#take care: "MTU = 1300" in wg0.conf is required when running wireguard over udp2raw; without it most https requests fail because of the reduced MTU (the extra udp2raw encapsulation leaves no room for a full-size packet).
#to let "client B without wireguard" use this host (LAN ip 192.168.1.3) as its gateway into the tunnel:
#in /etc/sysctl.conf:
net.ipv4.ip_forward=1
$sudo sysctl -p
$sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
========client B without wireguard:
#in /etc/network/interfaces (gateway is client A; mtu must match the tunnel MTU above):
auto eth0
iface eth0 inet static
address 192.168.1.4
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.3
mtu 1300