Using WireGuard as a gateway into the private network of an AWS VPC

Background

In the development and test environment on AWS, endpoint devices need convenient access to test resources located on the VPC's private network, and this has to work for every kind of client system: Linux, Windows and macOS.

Comparison of open-source options

OpenVPN, IPsec, WireGuard

The WireGuard approach

  • VPC subnet: 10.0.0.0/24
  • VPN subnet: 10.100.0.0/24
  • VPN-GW host: a cloud instance created inside the 10.0.0.0/24 subnet, with a public IP attached
  • WireGuard client installation guide: https://freevpnconfig.com/wireguard-tutorial

VPN-GW host configuration

Taking Ubuntu/Linux as the example; WireGuard needs a 5.x or newer kernel.

sudo apt update
sudo apt install wireguard-dkms wireguard-tools -y
sudo mkdir -p /etc/wireguard/keys
cd /etc/wireguard/keys
# generate the key pair as root with a restrictive umask, so the private key is never world-readable
sudo sh -c 'umask 077; wg genkey > vpn-gw.key; wg pubkey < vpn-gw.key > vpn-gw.pub'
# enable IPv4 forwarding so the host can route between wg0 and the VPC interface (ens5)
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# PrivateKey is the content of vpn-gw.key; the [Peer] PublicKey is the client's public key.
# The instance's security group must also allow inbound UDP 51820 from the clients.
sudo tee /etc/wireguard/wg0.conf > /dev/null << EOF
[Interface]
   Address = 10.100.0.1/24
   ListenPort = 51820
   PrivateKey = yGVlyEtiH6+0b9+mmM8dfGG7HhSCF87PYwXWbeuCQVc=
   SaveConfig = false
   MTU = 1420

   # Internet Gateway config: nat wg0 out to the internet on ens5
   PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
   PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE

[Peer]
   # Client1: MacOS-Desktop
   PublicKey = kEZt3HnuC3FkjL0p7dKzDqXaTOtDMxiWPmqbalegoEI=
   AllowedIPs = 10.100.0.2/32
EOF
# the config embeds the private key, so keep it readable by root only
sudo chmod 600 /etc/wireguard/wg0.conf

Start the service: sudo wg-quick up wg0

Configuration notes:

VPN client host configuration

Taking macOS 12.3 as the example:

brew install wireguard-tools
sudo mkdir -p /etc/wireguard/keys
cd /etc/wireguard/keys
# generate the client key pair as root with a restrictive umask
sudo sh -c 'umask 077; wg genkey > client-macos.key; wg pubkey < client-macos.key > client-macos.pub'
# PrivateKey is the content of client-macos.key; the [Peer] PublicKey is the gateway's vpn-gw.pub
# and Endpoint is the gateway's public IP. AllowedIPs restricts what is routed through the tunnel
# to the VPN and VPC subnets (split tunnel); DNS is applied system-wide by wg-quick while wg0 is up.
sudo tee /etc/wireguard/wg0.conf > /dev/null << EOF
[Interface]
PrivateKey = aFASrAdBsKvHLZCh1zjuMmLxC8wZY+BczW3sPMUUFnM=
Address = 10.100.0.2/24
ListenPort = 54321
MTU = 1420
DNS = 8.8.8.8

[Peer]
PublicKey = MTzhuobxhxsyDDjfZMqdwgfLNcFJuVwQi+lT2WrxqGY=
Endpoint = 52.80.240.217:51820
AllowedIPs = 10.100.0.0/24, 10.0.0.0/24
PersistentKeepalive = 25
EOF
sudo chmod 600 /etc/wireguard/wg0.conf

Start the service: sudo wg-quick up wg0
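The two configs have to agree on keys: the PublicKey the client lists under [Peer] must be `wg pubkey` of the gateway's PrivateKey, and the gateway's [Peer] PublicKey must be `wg pubkey` of the client's PrivateKey. The checker below is an added example, not code from the post: it reimplements `wg pubkey` (X25519, RFC 7748) in pure Python, parses wg-quick configs, and verifies that a gateway/client pair is consistent, using the RFC 7748 test keys as constructed sample configs rather than the post's keys.

```python
import base64
# Added example, not from the original post: reimplements `wg pubkey` (X25519, RFC 7748)
# and checks that the PublicKey each side lists under [Peer] derives from the other side's
# PrivateKey; a mismatched pair is a tunnel that is "up" but never completes a handshake.
P = 2**255 - 19
def x25519(k: bytes, u: bytes) -> bytes:
    # RFC 7748 Montgomery ladder; the scalar clamping is what `wg genkey` applies
    k = int.from_bytes(bytes([k[0] & 248]) + k[1:31] + bytes([k[31] & 127 | 64]), "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        swap ^= (kt := (k >> t) & 1)
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        aa, bb = pow(x2 + z2, 2, P), pow(x2 - z2, 2, P)
        da, cb = (x3 - z3) * (x2 + z2) % P, (x3 + z3) * (x2 - z2) % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")
def wg_pubkey(private_b64: str) -> str:
    # Same result as `wg pubkey < key`: X25519 of the key with the base point u = 9
    return base64.b64encode(x25519(base64.b64decode(private_b64), b"\x09" + b"\x00" * 31)).decode()
def parse_wg(text: str) -> list:
    # Minimal wg-quick config parser; tolerates comments/indentation, keeps repeated [Peer] sections
    sections = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            sections.append((line.strip("[]"), {}))
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections
def peer_keys_consistent(gw_conf: str, client_conf: str) -> bool:
    # True only when each side's [Peer] PublicKey derives from the other side's PrivateKey
    gw, cl = parse_wg(gw_conf), parse_wg(client_conf)
    listed = lambda conf: {s["PublicKey"] for name, s in conf if name == "Peer"}
    return (wg_pubkey(dict(gw)["Interface"]["PrivateKey"]) in listed(cl)
            and wg_pubkey(dict(cl)["Interface"]["PrivateKey"]) in listed(gw))

# Constructed sample pair built from the RFC 7748 section 6.1 test keys, not the post's keys
b64_of_hex = lambda h: base64.b64encode(bytes.fromhex(h)).decode()
GW_CONF = ("[Interface]\nPrivateKey = " + b64_of_hex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
           + "\n[Peer]\n# Client1: MacOS-Desktop\nPublicKey = " + b64_of_hex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f") + "\n")
CLIENT_CONF = ("[Interface]\nPrivateKey = " + b64_of_hex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
               + "\n[Peer]\nPublicKey = " + b64_of_hex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a") + "\n")
```

Against the real files, call peer_keys_consistent() with the text of the gateway's and the client's wg0.conf before spending time on a handshake that never completes.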

Configuration notes:

References

  1. https://sosedoff.com/2021/02/21/wireguard-vpn-on-aws.html
  2. https://jrs-s.net/2018/08/05/working-vpn-gateway-configs-for-wireguard/
