1. Introduction
1.1 Server introduction
Cloud Vendor | Region | Public IP | WireGuard Virtual IP | Operating System | Kernel Version |
---|---|---|---|---|---|
Tencent Cloud | Shanghai, China | 1.x.x.x | 192.168.100.1 | CentOS 7.9.2009 | Kernel 5.18.15-1.el7.elrepo.x86_64 |
Tencent Cloud | Shanghai, China | 121.x.x.x | 192.168.100.2 | Ubuntu 20.04.4 LTS x86_64 | Kernel 5.4.0-123-generic |
Tencent Cloud | Hong Kong | 150.x.x.x | 192.168.100.3 | CentOS 7.9.2009 | Kernel 5.18.15-1.el7.elrepo.x86_64 |
Tencent Cloud | Silicon Valley | 23.x.x.x | 192.168.100.4 | CentOS 7.9.2009 | Kernel 5.18.15-1.el7.elrepo.x86_64 |
Tencent Cloud | Silicon Valley | 49.x.x.x | 192.168.100.5 | Ubuntu 20.04.4 LTS x86_64 | Kernel 5.4.0-123-generic |
1.2 WireGuard introduction
WireGuard is an open-source VPN program and protocol developed by Jason A. Donenfeld. It is implemented in the Linux kernel. It uses Curve25519 for key exchange, ChaCha20 for encryption, Poly1305 for data authentication, and BLAKE2 for hashing. It operates at layer 3 and supports both IPv4 and IPv6.
- Wikipedia
2. Upgrade the kernel
WireGuard requires Kernel 5.x and above.
CentOS:
```bash
yum install -y https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum install --enablerepo=elrepo-kernel kernel-ml
```
Ubuntu:
```bash
sudo apt-get update
sudo apt-get upgrade linux-image-generic
```
Once done, list the installed kernels (CentOS, GRUB2):
```bash
grep '^menuentry' /boot/grub2/grub.cfg | grep -v rescue
```
Pick the newly installed kernel from that list and make it the default. Taking Kernel 5.18.15 as an example, execute:
```bash
grub2-set-default 'CentOS Linux (5.18.15-1.el7.elrepo.x86_64) 7 (Core)'
```
then reboot.
3. Firewall settings
First execute
```bash
route -n
```
and record the network segments it returns.
Then execute:
```bash
# Enable forwarding so traffic can flow between the VPN interface and the other nodes
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
# Accept replies to established flows, and new flows between WireGuard peers
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
# NAT traffic from the virtual segment that leaves via the public interface
# (check the interface name with `ip link`; it is not always eth0)
iptables -t nat -A POSTROUTING -s 192.168.100.1/24 -o eth0 -j MASQUERADE
```
These iptables rules are not persistent; save them with your distribution's tooling (for example iptables-save) if they must survive a reboot.
Notice:
- Replace `192.168.100.1/24` with the virtual network segment you want; it must not be the same as any network segment returned in the previous step. Segments that commonly clash: `192.168.x.0/24`, `10.0.x.0/24`, `172.x.0.0/16`.
- Replace `wg0` with the name of the virtual network interface you want. You can customize it here, but you then need to replace every `wg0` below as well.
Suggested: at each node, open to the other nodes
```
TCP 1-65535
UDP 1-65535
```
Required: at each node, open to the other nodes
```
UDP 5418
```
Note: 5418 is the listening port of WireGuard, which can be customized.
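The notice above asks you to pick a virtual segment that does not collide with anything `route -n` already lists. The following added example (not part of the original post) parses the Destination and Genmask columns of `route -n` output and rejects a candidate segment that overlaps an existing route; the routing table it uses is constructed sample output.

```python
"""Check a candidate WireGuard segment against the routes `route -n` reports."""
import ipaddress

# Constructed sample of `route -n` on a cloud VM whose private network is 10.0.4.0/24.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.4.1        0.0.0.0         UG    100    0        0 eth0
10.0.4.0        0.0.0.0         255.255.255.0   U     100    0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
"""


def parse_route_n(text):
    """Return the non-default IPv4 networks listed by `route -n`."""
    nets = []
    for line in text.splitlines()[2:]:          # skip the title and header rows
        fields = line.split()
        if len(fields) < 3:
            continue
        dest, genmask = fields[0], fields[2]
        net = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        if net.prefixlen == 0:                   # the default route matches everything; ignore it
            continue
        nets.append(net)
    return nets


def conflicting_routes(candidate, routes):
    """Routes that overlap the candidate segment; an empty list means it is safe to use."""
    # strict=False accepts host-style notation such as 192.168.100.1/24, as used on the page
    cand = ipaddress.IPv4Network(candidate, strict=False)
    return [r for r in routes if r.overlaps(cand)]


if __name__ == "__main__":
    # On a real node: text = subprocess.check_output(["route", "-n"], text=True)
    routes = parse_route_n(SAMPLE_ROUTE_N)
    for subnet in ("192.168.100.1/24", "10.0.4.0/24"):
        bad = conflicting_routes(subnet, routes)
        print(subnet, "OK" if not bad else f"overlaps {[str(n) for n in bad]}")
```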
4. Install WireGuard
CentOS:
```bash
yum install epel-release https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum install yum-plugin-elrepo kmod-wireguard wireguard-tools -y
```
Ubuntu:
```bash
sudo apt install wireguard
```
5. Configure WireGuard
Execute:
```bash
mkdir -p /etc/wireguard/
cd /etc/wireguard/
umask 077   # the private key file must not be readable by other users
wg genkey | tee privatekey | wg pubkey > publickey
```
This creates the key pair. View it with:
```bash
cat privatekey publickey
```
It returns something like:
```
EMWcI01iqM4zkb7xfbaaxxxxxxxxxDo2GJUA=
0ay8WfGOIHndWklSIVBqrsp5LDWxxxxxxxxxxxxxxQ=
```
which means the creation was successful (the first line is the private key, the second the public key).
5.1 Automatic configuration
Writing the configuration file by hand for every node is tedious, so a PHP script is used to generate it.
Put the script under a website, such as https://example.com/wireguard/config.php.
Write the server's public IP into `/etc/wireguard/wan` and its WireGuard virtual IP into `/etc/wireguard/lan`, then execute:
```bash
cd /etc/wireguard/
# -O needs an output file name; the original line passed --no-check-certificate as that name
wget --no-check-certificate -O wg0.conf "https://example.com/wireguard/config.php?ip=$(cat /etc/wireguard/lan)" && wg-quick up wg0
```
Drop `--no-check-certificate` once the site has a valid certificate: the downloaded file is brought up directly by wg-quick, so it carries the node's private key and must not be fetched over an unverified connection.
5.2 Manual configuration
The configuration file on each node is /etc/wireguard/wg0.conf. It needs one [Interface] section:
```ini
[Interface]
PrivateKey = EMWcI01iqM4zkb7xfbaaxxxxxxxxxDo2GJUA=
Address = 192.168.100.1
ListenPort = 5418
```
that is, the private key, virtual IP, and listening port of this machine, and one [Peer] section for every other node:
```ini
[Peer]
PublicKey = 3izpVbZgPhlM+S5szOogTDTxxxxxxxxxuKuDGn4=
Endpoint = x.x.x.x:5418
AllowedIPs = 192.168.100.x/32
```
that is, the other machine's public key, its public IP and listening port, and its virtual IP.
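The generator in 5.1 and the hand-written layout in 5.2 produce the same file, so here is one added example (not the page's PHP script) that builds wg0.conf for any node of the five-node mesh from a table of public data. Unlike the HTTP-served script, it keeps the private key on the node and only takes it as a parameter; the public IPs (TEST-NET ranges) and public keys are constructed placeholders.

```python
"""Build wg0.conf for one node of a full-mesh WireGuard cluster."""
import ipaddress

LISTEN_PORT = 5418  # the page's WireGuard port; keep it identical on every node

# Constructed node table: (public IP, WireGuard virtual IP, public key).
NODES = [
    ("203.0.113.1", "192.168.100.1", "NODE1_PUBLIC_KEY_PLACEHOLDER="),
    ("203.0.113.2", "192.168.100.2", "NODE2_PUBLIC_KEY_PLACEHOLDER="),
    ("198.51.100.3", "192.168.100.3", "NODE3_PUBLIC_KEY_PLACEHOLDER="),
    ("192.0.2.4", "192.168.100.4", "NODE4_PUBLIC_KEY_PLACEHOLDER="),
    ("192.0.2.5", "192.168.100.5", "NODE5_PUBLIC_KEY_PLACEHOLDER="),
]


def build_config(my_vip, private_key, nodes=NODES, port=LISTEN_PORT):
    """Return the wg0.conf text for the node whose virtual IP is my_vip."""
    me = ipaddress.ip_address(my_vip)
    vips = [ipaddress.ip_address(n[1]) for n in nodes]
    if len(set(vips)) != len(vips):
        # wg binds each AllowedIPs entry to exactly one peer, so a duplicated
        # virtual IP would silently move that node's traffic to the wrong peer.
        raise ValueError("duplicate virtual IP in node table")
    if me not in vips:
        raise ValueError(f"{my_vip} is not in the node table")
    lines = ["[Interface]", f"PrivateKey = {private_key}",
             f"Address = {my_vip}", f"ListenPort = {port}"]
    for pub_ip, vip, pub_key in nodes:
        if ipaddress.ip_address(vip) == me:
            continue                          # a node never lists itself as a peer
        lines += ["", "[Peer]", f"PublicKey = {pub_key}",
                  f"Endpoint = {pub_ip}:{port}",
                  f"AllowedIPs = {vip}/32"]   # /32: only that node's virtual IP goes to it
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # On a real node: private_key = open("/etc/wireguard/privatekey").read().strip()
    print(build_config("192.168.100.1", "PRIVATE_KEY_PLACEHOLDER="))
```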
5.3 Error troubleshooting
If you see
```
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
```
the kernel version is too low: check whether it has been upgraded and whether the new kernel is set as the default boot entry.
If no error is reported, the networking is complete.
6. Debugging
```bash
wg-quick up wg0                         # start
wg-quick down wg0                       # stop
systemctl enable wg-quick@wg0           # enable auto-start at boot
systemctl disable wg-quick@wg0          # disable auto-start
wg syncconf wg0 <(wg-quick strip wg0)   # hot reload without disturbing existing connections
wg                                      # view current configuration
```
Once the interface is up, connectivity can be checked with commands such as:
```bash
telnet 192.168.100.x 22
telnet 192.168.100.x 3306
curl 192.168.100.x
curl https://192.168.100.x
```
The tested port does not need to be open on the public network, because the connection goes through WireGuard.
The routing table listed by
```bash
route -n
```
can also be used to check whether the networking has been completed.
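Beyond poking individual ports, the `wg` output tells you which peers have actually completed a handshake. This added example (not part of the original post) reads the machine-readable form, `wg show wg0 dump` (one tab-separated interface line, then one line per peer whose fifth field is the latest-handshake Unix timestamp, 0 if never), and reports peers that are silent; the dump text and timestamps are constructed.

```python
"""Flag cluster peers without a recent WireGuard handshake."""

# Constructed `wg show wg0 dump` output for node 192.168.100.1 with three peers.
NOW = 1_660_000_000
SAMPLE_DUMP = (
    "PRIVATE_KEY_PLACEHOLDER=\tNODE1_PUBLIC_KEY_PLACEHOLDER=\t5418\toff\n"
    f"NODE2_PUBLIC_KEY_PLACEHOLDER=\t(none)\t203.0.113.2:5418\t192.168.100.2/32\t{NOW - 30}\t1024\t2048\toff\n"
    f"NODE3_PUBLIC_KEY_PLACEHOLDER=\t(none)\t198.51.100.3:5418\t192.168.100.3/32\t{NOW - 900}\t512\t512\toff\n"
    "NODE4_PUBLIC_KEY_PLACEHOLDER=\t(none)\t(none)\t192.168.100.4/32\t0\t0\t0\toff\n"
)


def parse_dump(text):
    """Return one dict per peer from `wg show <iface> dump` output."""
    peers = []
    for line in text.splitlines()[1:]:          # the first line describes the interface itself
        pub, _psk, endpoint, allowed, handshake, rx, tx, _keepalive = line.split("\t")
        peers.append({"public_key": pub, "endpoint": endpoint, "allowed_ips": allowed,
                      "latest_handshake": int(handshake), "rx": int(rx), "tx": int(tx)})
    return peers


def stale_peers(peers, now, max_age=180):
    """AllowedIPs of peers with no handshake within max_age seconds.

    While traffic flows WireGuard re-handshakes about every two minutes, so a
    peer quiet for longer is down, unreachable (UDP 5418 blocked), or has a
    mismatched key; a latest-handshake of 0 means it never connected at all.
    """
    return [p["allowed_ips"] for p in peers
            if p["latest_handshake"] == 0 or now - p["latest_handshake"] > max_age]


if __name__ == "__main__":
    # On a real node: text = subprocess.check_output(["wg", "show", "wg0", "dump"], text=True)
    for ip in stale_peers(parse_dump(SAMPLE_DUMP), now=NOW):
        print("no recent handshake with", ip)
```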
7. Reference
Multi-cloud K3S cluster: https://www.cnsre.cn/posts/211119132529/
Server cluster (2) Networking by WireGuard