WireGuard Easy 安装使用

一、简介

Wireguard Easy

WireGuard Easy 特性:

  • 多合一:WireGuard(基于宿主机内核) + Web UI
  • 安装方便,使用简单
  • 列出,创建,编辑,删除,启用和禁用客户端
  • 显示客户的二维码
  • 下载客户端的配置文件
  • 每个已连接客户端的流量统计

不足之处:

  • 页面非常简介,客户端创建后无法做修改
  • 无法为客户端指定静态IP
  • 端口映射更改了端口,二维码扫描还是51820,需要客户端上手动修改端口

二、 安装

安装要求

  • 具有支持 WireGuard 的内核(5.x以上版本)的主机
  • 安装了 Docker 的主机

升级内核

1.载入公钥
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
2.升级安装 elrepo
# centos7
yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm

# centos8
yum install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
3.载入 elrepo-kernel 元数据
yum --disablerepo=\* --enablerepo=elrepo-kernel repolist
4.安装最新版本的内核
yum --disablerepo=\* --enablerepo=elrepo-kernel install  kernel-ml  -y
5.删除旧版本工具包
yum remove kernel-tools-libs kernel-tools kernel-devel kernel-headers -y
6.安装新版本工具包
yum --disablerepo=\* --enablerepo=elrepo-kernel install kernel-ml-tools kernel-ml-devel kernel-ml-headers -y
7.查看内核插入顺序

centos7命令

grep "^menuentry" /boot/grub2/grub.cfg | cut -d "'" -f2

CentOS Linux (5.17.7-1.el7.elrepo.x86_64) 7 (Core)
CentOS Linux (3.10.0-1160.31.1.el7.x86_64) 7 (Core)
CentOS Linux (3.10.0-1160.el7.x86_64) 7 (Core)
CentOS Linux (0-rescue-20210623111207095151419199170789) 7 (Core)
[root@duandian yum.repos.d]# 

centos8命令

grubby --info=ALL |grep title

title="Red Hat Enterprise Linux (5.17.7-1.el8.elrepo.x86_64) 8.5 (Ootpa)"
title="Red Hat Enterprise Linux (0-rescue-4cb651785e634a439e0ba4d0a9408d82) 8.5 (Ootpa)"
title="Red Hat Enterprise Linux (4.18.0-348.12.2.el8_5.x86_64) 8.5 (Ootpa)"
title="Red Hat Enterprise Linux (0-rescue-ffffffffffffffffffffffffffffffff) 8.5 (Ootpa)"

默认新内核是从头插入,默认启动顺序也是从 0 开始。

8.查看当前实际启动顺序

centos7命令

grub2-editenv list

saved_entry=CentOS Linux (3.10.0-1160.31.1.el7.x86_64) 7 (Core)

centos8 命令

grubby --default-kernel
#grubby --default-title

/boot/vmlinuz-5.17.7-1.el8.elrepo.x86_64
9.设置默认启动

centos7 命令

grub2-set-default 'CentOS Linux (5.17.7-1.el7.elrepo.x86_64) 7 (Core)'

centos8 命令

grubby --set-default /boot/vmlinuz-5.17.7-1.el8.elrepo.x86_64
10.重启检查
reboot
uname -r

docker部署

基于命令行运行
docker run -d   --name=wg   -e WG_HOST=[你的公网ip]   -e PASSWORD=[web 登录密码]   -v ~/.wg-easy:/etc/wireguard   -p 51822:51820/udp   -p 51821:51821/tcp   --cap-add=NET_ADMIN   --cap-add=SYS_MODULE   --sysctl="net.ipv4.conf.all.src_valid_mark=1"   --sysctl="net.ipv4.ip_forward=1"   --restart unless-stopped   weejewel/wg-easy
基于docker-compose运行

vi docker-compose.yaml

version: '3'
services:
  wg-easy:
    image: weejewel/wg-easy
    container_name: wg-easy
    environment:
      - WG_HOST=43.138.105.98
      - PASSWORD=password
      - WG_DEFAULT_DNS=114.114.114.114,8.8.4.4
    volumes:
      - /root/.wg-easy:/etc/wireguard
    ports:
      - "51822:51820/udp"
      - "51821:51821/tcp"
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
基于K8S

1、 设置 allowed-unsafe-sysctls

net.ipv4.ip_forward 为不安全的systctl值,需要开启kubelet 支持 allowed-unsafe-sysctls 设置

修改server端 k3s.service

/usr/local/bin/k3s server '--kubelet-arg=allowed-unsafe-sysctls=net.ipv4.*'

修改Nodepod 端口范围

/usr/local/bin/k3s server --kube-apiserver-arg service-node-port-range=30000-60000

agent端也需要开启

/usr/local/bin/k3s agent  '--kubelet-arg=allowed-unsafe-sysctls=net.ipv4.*'

2、 创建 deployment

vi wireguard-dp.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-ui
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      volumes:
      - name: wg-conf
        hostPath:
          path: /root/.wg-easy
          type: Directory

      containers:
      - name: wireguard-ui
        image: weejewel/wg-easy
        imagePullPolicy: IfNotPresent
        env:
        - name: WG_HOST
          value: "43.138.xx.x"
        - name: PASSWORD
          value: "password"
        volumeMounts:
        - name: wg-conf
          mountPath: /etc/wireguard/
        ports:
        - name: wireguard-ui
          containerPort: 51821
          protocol: TCP
        - name: wireguard
          containerPort: 52820
          protocol: UDP
        securityContext:
          capabilities:
            add: ['NET_ADMIN','SYS_MODULE']
      securityContext:
        sysctls:
        - name: net.ipv4.ip_forward
          value: '1'
        - name: net.ipv4.conf.all.src_valid_mark
          value: '1'
      nodeSelector:
        machine: aws

3、 创建service

vi wiguard-svc.yaml

apiVersion: v1
kind: Service
metadata:
  name: wireguard-sc
spec:
  type: NodePort
  ports:
  - name: wireguard-ui
    port: 51821
    nodePort: 51821
    targetPort: 51821
    protocol: TCP
  - name: wireguard
    port: 51820
    nodePort: 51822
    targetPort: 51820
    protocol: UDP
  selector:
    app: wireguard
登录使用

登录地址 IP:52821 , 密码为环境变量PASSWORD 指定的密码

客户端扫码获取配置,或者web页面下载导入

客户端下载:

IOS: 在应用商店(外区账号)下载 wireguard

Windows:下载

你可能感兴趣的:(linux,服务器,centos)