2025-03-14  2025-03-16    1015 字  3 分钟

有时候服务器之间需要加密传输数据(例如NFS挂载),为了平衡延迟和速度,可以采用Wireguard来组建一个内网,这样业务数据可以通过内网IP高速和安全的传输

安装

apt install -y wireguard

生成密钥

wg genkey | tee privatekey | wg pubkey > publickey

启动

# 启动
wg-quick up wg0
# 开机启动
systemctl enable wg-quick@wg0
# 查看状态
wg show

开放防火墙(如果没有启用防火墙则跳过)

如果想通过内网IP来访问, 那么需要在防火墙中配置允许这个内网IP段访问

# 通过ufw开放
ufw allow from 10.0.0.0/24 to any comment wg0

测试

ping 10.0.0.1
ping 10.0.0.2
ping 10.0.0.3
ping 10.0.0.4

配置文件

/etc/wireguard/wg0.conf

1. 均有公网IP

服务器 公网 IP 内网 WireGuard IP
A X.X.X.A 10.0.0.1
B X.X.X.B 10.0.0.2
C X.X.X.C 10.0.0.3
D X.X.X.D 10.0.0.4

A

vim /etc/wireguard/wg0.conf

内容

[Interface]
PrivateKey = <ServerA私钥>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <ServerB公钥>
Endpoint = X.X.X.B:51820
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25

[Peer]
PublicKey = <ServerC公钥>
Endpoint = X.X.X.C:51820
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 25

[Peer]
PublicKey = <ServerD公钥>
Endpoint = X.X.X.D:51820
AllowedIPs = 10.0.0.4/32
PersistentKeepalive = 25

B

vim /etc/wireguard/wg0.conf

内容

[Interface]
PrivateKey = <ServerB私钥>
Address = 10.0.0.2/24
ListenPort = 51820

[Peer]
PublicKey = <ServerA公钥>
Endpoint = X.X.X.A:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25

[Peer]
PublicKey = <ServerC公钥>
Endpoint = X.X.X.C:51820
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 25

[Peer]
PublicKey = <ServerD公钥>
Endpoint = X.X.X.D:51820
AllowedIPs = 10.0.0.4/32
PersistentKeepalive = 25

C

vim /etc/wireguard/wg0.conf

内容

[Interface]
PrivateKey = <ServerC私钥>
Address = 10.0.0.3/24
ListenPort = 51820

[Peer]
PublicKey = <ServerA公钥>
Endpoint = X.X.X.A:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25

[Peer]
PublicKey = <ServerB公钥>
Endpoint = X.X.X.B:51820
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25

[Peer]
PublicKey = <ServerD公钥>
Endpoint = X.X.X.D:51820
AllowedIPs = 10.0.0.4/32
PersistentKeepalive = 25

D

vim /etc/wireguard/wg0.conf

内容

[Interface]
PrivateKey = <ServerD私钥>
Address = 10.0.0.4/24
ListenPort = 51820

[Peer]
PublicKey = <ServerA公钥>
Endpoint = X.X.X.A:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25

[Peer]
PublicKey = <ServerB公钥>
Endpoint = X.X.X.B:51820
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25

[Peer]
PublicKey = <ServerC公钥>
Endpoint = X.X.X.C:51820
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 25

2. 部分服务器处于NAT

服务器 公网 IP 内网 WireGuard IP
E NAT 10.0.0.5

在本示例中通过A中继访问

A

vim /etc/wireguard/wg0.conf

内容

[Interface]
PrivateKey = <ServerA私钥>
Address = 10.0.0.1/24
ListenPort = 51820

# 允许 IP 转发
PostUp = sysctl -w net.ipv4.ip_forward=1
PostDown = sysctl -w net.ipv4.ip_forward=0

# B 服务器
[Peer]
PublicKey = <ServerB公钥>
Endpoint = X.X.X.B:51820
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25

# C 服务器
[Peer]
PublicKey = <ServerC公钥>
Endpoint = X.X.X.C:51820
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 25

# D 服务器
[Peer]
PublicKey = <ServerD公钥>
Endpoint = X.X.X.D:51820
AllowedIPs = 10.0.0.4/32
PersistentKeepalive = 25

# E 服务器(无公网 IP,需要 A 作为中转)
[Peer]
PublicKey = <ServerE公钥>
AllowedIPs = 10.0.0.5/32
PersistentKeepalive = 25

E

vim /etc/wireguard/wg0.conf

内容

[Interface]
PrivateKey = <ServerE私钥>
Address = 10.0.0.5/24

# 连接 A(E 无公网 IP,必须主动连接)
[Peer]
PublicKey = <ServerA公钥>
Endpoint = X.X.X.A:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25