WireGuard Easy
WireGuard Easy features:
Shortcomings:
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
# centos7
yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
# centos8
yum install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
yum --disablerepo=\* --enablerepo=elrepo-kernel repolist
yum --disablerepo=\* --enablerepo=elrepo-kernel install kernel-ml -y
yum remove kernel-tools-libs kernel-tools kernel-devel kernel-headers -y
yum --disablerepo=\* --enablerepo=elrepo-kernel install kernel-ml-tools kernel-ml-devel kernel-ml-headers -y
CentOS 7 command (list the kernel boot entries):
grep "^menuentry" /boot/grub2/grub.cfg | cut -d "'" -f2
CentOS Linux (5.17.7-1.el7.elrepo.x86_64) 7 (Core)
CentOS Linux (3.10.0-1160.31.1.el7.x86_64) 7 (Core)
CentOS Linux (3.10.0-1160.el7.x86_64) 7 (Core)
CentOS Linux (0-rescue-20210623111207095151419199170789) 7 (Core)
CentOS 8 command (list the kernel boot entries):
grubby --info=ALL |grep title
title="Red Hat Enterprise Linux (5.17.7-1.el8.elrepo.x86_64) 8.5 (Ootpa)"
title="Red Hat Enterprise Linux (0-rescue-4cb651785e634a439e0ba4d0a9408d82) 8.5 (Ootpa)"
title="Red Hat Enterprise Linux (4.18.0-348.12.2.el8_5.x86_64) 8.5 (Ootpa)"
title="Red Hat Enterprise Linux (0-rescue-ffffffffffffffffffffffffffffffff) 8.5 (Ootpa)"
By default the new kernel is inserted at the top of the list, and the default boot order also counts from 0.
CentOS 7 command (show the current default entry):
grub2-editenv list
saved_entry=CentOS Linux (3.10.0-1160.31.1.el7.x86_64) 7 (Core)
CentOS 8 command (show the current default kernel):
grubby --default-kernel
#grubby --default-title
/boot/vmlinuz-5.17.7-1.el8.elrepo.x86_64
CentOS 7 command (set the new kernel as the default):
grub2-set-default 'CentOS Linux (5.17.7-1.el7.elrepo.x86_64) 7 (Core)'
CentOS 8 command (set the new kernel as the default):
grubby --set-default /boot/vmlinuz-5.17.7-1.el8.elrepo.x86_64
reboot
uname -r
docker run -d --name=wg -e WG_HOST=[your public IP] -e PASSWORD=[web login password] -v ~/.wg-easy:/etc/wireguard -p 51822:51820/udp -p 51821:51821/tcp --cap-add=NET_ADMIN --cap-add=SYS_MODULE --sysctl="net.ipv4.conf.all.src_valid_mark=1" --sysctl="net.ipv4.ip_forward=1" --restart unless-stopped weejewel/wg-easy
vi docker-compose.yaml
version: '3'
services:
  wg-easy:
    image: weejewel/wg-easy
    container_name: wg-easy
    environment:
      - WG_HOST=43.138.105.98
      - PASSWORD=password   # replace with a strong password: it guards the web UI that hands out client configs
      - WG_DEFAULT_DNS=114.114.114.114,8.8.4.4
    volumes:
      - /root/.wg-easy:/etc/wireguard
    ports:
      - "51822:51820/udp"
      - "51821:51821/tcp"
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
1. Set allowed-unsafe-sysctls
net.ipv4.ip_forward is classed as an unsafe sysctl, so kubelet must be started with an allowed-unsafe-sysctls setting that permits it.
Modify k3s.service on the server side:
/usr/local/bin/k3s server '--kubelet-arg=allowed-unsafe-sysctls=net.ipv4.*'
Change the NodePort port range:
/usr/local/bin/k3s server --kube-apiserver-arg service-node-port-range=30000-60000
The agent side also needs this enabled:
/usr/local/bin/k3s agent '--kubelet-arg=allowed-unsafe-sysctls=net.ipv4.*'
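The following pre-flight script is an added example, not part of the original post or of the wg-easy project. It ties together the kernel upgrade above and this kubelet setting: WireGuard entered the mainline kernel in 5.6, so it checks that a release string is at least 5.6, and it checks the two sysctls the manifests need against a kubelet allowed-unsafe-sysctls value, showing that listing exactly those two is a tighter alternative to the net.ipv4.* pattern. The function names and the KUBELET_ALLOWED variable are assumptions of this example.

```sh
#!/bin/sh
# Pre-flight checks for a wg-easy host (added example, not from the page or the project).
# WireGuard has been in the mainline kernel since 5.6; that is why the stock CentOS 7/8
# kernels are replaced with elrepo kernel-ml above.

# Returns 0 if a `uname -r` style release string is 5.6 or newer.
kernel_has_wireguard() {
    rel=$1
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}   # keep only the numeric minor part
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; }
}

# Returns 0 if NAME is covered by a kubelet allowed-unsafe-sysctls value:
# comma-separated exact names or prefixes ending in '*' (e.g. net.ipv4.*).
sysctl_allowed() {
    name=$1
    list=$2
    oldifs=$IFS
    IFS=,
    for pat in $list; do
        case $pat in
            *\*) prefix=${pat%\*}
                 case $name in
                     "$prefix"*) IFS=$oldifs; return 0 ;;
                 esac ;;
            *)   if [ "$name" = "$pat" ]; then IFS=$oldifs; return 0; fi ;;
        esac
    done
    IFS=$oldifs
    return 1
}

# The only two sysctls the manifests above set. Allowing exactly these (hypothetical
# KUBELET_ALLOWED value) is tighter than the net.ipv4.* pattern and still sufficient.
WG_SYSCTLS="net.ipv4.ip_forward,net.ipv4.conf.all.src_valid_mark"
KUBELET_ALLOWED=${KUBELET_ALLOWED:-$WG_SYSCTLS}

if kernel_has_wireguard "$(uname -r)"; then
    echo "kernel $(uname -r): in-tree WireGuard available"
else
    echo "kernel $(uname -r): older than 5.6, upgrade the kernel first"
fi
saved=$IFS; IFS=,
for s in $WG_SYSCTLS; do
    if sysctl_allowed "$s" "$KUBELET_ALLOWED"; then echo "allowed: $s"; else echo "BLOCKED: $s"; fi
done
IFS=$saved
```

Run it on the host after the reboot and on each k3s node, with KUBELET_ALLOWED set to the value actually passed via --kubelet-arg.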
2. Create the Deployment
vi wireguard-dp.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-ui
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      volumes:
        - name: wg-conf
          hostPath:
            path: /root/.wg-easy
            type: Directory
      containers:
        - name: wireguard-ui
          image: weejewel/wg-easy
          imagePullPolicy: IfNotPresent
          env:
            - name: WG_HOST
              value: "43.138.xx.x"
            - name: PASSWORD
              value: "password"   # replace with a strong password
          volumeMounts:
            - name: wg-conf
              mountPath: /etc/wireguard/
          ports:
            - name: wireguard-ui
              containerPort: 51821
              protocol: TCP
            - name: wireguard
              containerPort: 51820   # wg-easy listens on 51820/udp, matching the Service targetPort below
              protocol: UDP
          securityContext:
            capabilities:
              add: ['NET_ADMIN', 'SYS_MODULE']
      securityContext:
        sysctls:
          - name: net.ipv4.ip_forward
            value: '1'
          - name: net.ipv4.conf.all.src_valid_mark
            value: '1'
      nodeSelector:
        machine: aws
3. Create the Service
vi wiguard-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: wireguard-sc
spec:
  type: NodePort
  ports:
    - name: wireguard-ui
      port: 51821
      nodePort: 51821
      targetPort: 51821
      protocol: TCP
    - name: wireguard
      port: 51820
      nodePort: 51822
      targetPort: 51820
      protocol: UDP
  selector:
    app: wireguard
Login address: IP:52821; the password is the one given in the PASSWORD environment variable.
Clients obtain their configuration by scanning the QR code, or by downloading it from the web page and importing it.
Client downloads:
iOS: download WireGuard from the App Store (requires an account from another region)
Windows: download