WireGuard 编译安装

WireGuard 编译安装

WireGuard是一种实现加密虚拟专用网络(VPN) 的通信协议和免费开源软件。

系统环境:Centos7.9 3.10.0-1160

1. 系统环境配置

  • 关闭防火墙(仅为简化演示环境;WireGuard 并不要求关闭 firewalld,生产环境建议保留防火墙,只放行配置中 ListenPort 对应的 UDP 端口,并按需开启 masquerade)
systemctl stop firewalld
systemctl disable firewalld
  • 关闭selinux(WireGuard 本身不要求关闭 SELinux;关闭后主机失去强制访问控制这一层防护,排错时可先改用 permissive 模式并查看审计日志)
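# Change only the SELINUX= setting. The unanchored 's/enforcing/disabled/'
# also rewrites the explanatory comment lines of /etc/selinux/config.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# Switch the running system to permissive mode now; the config file change
# above is only read at the next boot.
setenforce 0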
  • 开启内核转发(本机作为 VPN 网关为对端转发流量时才需要;防火墙关闭后,转发的流量不再受任何过滤规则约束)
grep 'net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
  • 配置时间同步
yum -y install chrony

vim /etc/chrony.conf
server  ntp.aliyun.com iburst
server  ntp1.aliyun.com iburst

# allow 用于允许其他主机把本机当作 NTP 服务器;只做时间同步客户端时无需此项,确需对外提供服务时应限定为内网网段而非 0.0.0.0/0
allow 0.0.0.0/0

# 启动服务
systemctl start chronyd
systemctl enable chronyd

2. 源码安装

系统内核版本说明:

  • Linux kernel >= 5.6,已集成WireGuard模块
  • Linux kernel >= 3.10.0-1160 <= 5.5,需要安装模块
# yum安装依赖
yum install make gcc wget xz pkgconfig iptables elfutils-libelf-devel kernel-devel-$(uname -r) kernel-headers-$(uname -r)

# 下载源代码(解压编译前建议用 sha256sum 等工具与可信来源公布的校验值比对;内核模块编译安装后以内核权限运行)
wget https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-1.0.20220627.tar.xz
wget https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-1.0.20210914.tar.xz
# 编译安装
tar -xJf wireguard-linux-compat-1.0.20220627.tar.xz
cd wireguard-linux-compat-1.0.20220627/src
make
make install

# 禁用内核模块签名验证,GRUB_CMDLINE_LINUX添加 module.sig_enforce=0 参数
# 注意:该参数允许内核加载未签名模块,仅当 modprobe wireguard 因签名校验失败时才需要;更稳妥的做法是用自有密钥为编译出的模块签名并保持校验开启
vim /etc/default/grub
GRUB_CMDLINE_LINUX="... module.sig_enforce=0"
grub2-mkconfig -o /boot/grub2/grub.cfg
# 重启系统
reboot

# 加载WireGuard模块
modprobe  wireguard
lsmod|grep wireguard

# 编译wg工具
tar -xJf wireguard-tools-1.0.20210914.tar.xz
cd wireguard-tools-1.0.20210914/src
make
make install wireguard-tools

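# Verify the install by printing the version of the wg tool just built.
# The original command was truncated to "--versio".
wg --version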

3. 错误处理

# 启动服务报错
wg-quick up wg0
/usr/bin/wg-quick: line 32: resolvconf: command not found

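# 修改wg-quick脚本,在364行插入如下代码
# 说明:从下面的代码看,只有接口配置了 DNS 时才会用到 resolvconf,因此安装 openresolv 或去掉配置中的 DNS 项同样可以避免该报错;直接修改 /usr/bin/wg-quick 的内容在重新安装 wireguard-tools 时可能被覆盖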
vim /usr/bin/wg-quick
# ~~ function override insertion point ~~
# set_dns: publish the DNS servers configured for the WireGuard interface.
# Globals:
#   DNS, DNS_SEARCH (read) - arrays of nameserver addresses / search domains
#   INTERFACE (read)       - interface name passed to resolvconf and named in
#                            the generated file header
#   HAVE_SET_DNS (written) - set to 1 after either branch has run
# Returns: 0 immediately when DNS is empty.
# NOTE(review): `cmd` is not defined in this snippet; presumably it is
# wg-quick's own log-and-run helper -- confirm against the script being patched.
set_dns() {
	[[ ${#DNS[@]} -gt 0 ]] || return 0

	# Use resolvconf only when its --version banner starts with "openresolv ";
	# a missing binary yields empty output and falls through to the else branch.
	if [[ $(resolvconf --version 2>/dev/null) == openresolv\ * ]]; then
		# Feed "nameserver"/"search" lines to resolvconf on stdin.
		{ printf 'nameserver %s\n' "${DNS[@]}"
		  [[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
		} | cmd resolvconf -a "$INTERFACE" -m 0 -x
	else
		# Fallback without openresolv: overlay /etc/resolv.conf with a
		# generated, read-only file instead of editing it in place.
		echo "[#] mount \`${DNS[*]}' /etc/resolv.conf" >&2
		# Create the file if it is missing so the bind mount below has a target.
		[[ -e /etc/resolv.conf ]] || touch /etc/resolv.conf
		{ cat <<-_EOF
			# This file was generated by wg-quick(8) for use with
			# the WireGuard interface $INTERFACE. It cannot be
			# removed or altered directly. You may remove this file
			# by running \`wg-quick down $INTERFACE', or if that
			# poses problems, run \`umount /etc/resolv.conf'.

		_EOF
		printf 'nameserver %s\n' "${DNS[@]}"
		[[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
		# The generated text is piped to a bash started by `unshare -m`, i.e. in
		# its own mount namespace. That script records the SELinux context of
		# /etc/resolv.conf (stat -c %C), mounts a tmpfs on a private /dev/shm,
		# writes stdin to /dev/shm/resolv.conf, re-applies the recorded context
		# when there is one, remounts the tmpfs read-only and bind-mounts the
		# file read-only over /etc/resolv.conf.
		# NOTE(review): --propagation shared is presumably what makes the bind
		# mount visible outside the new namespace -- confirm on the target system.
		} | unshare -m --propagation shared bash -c "$(cat <<-_EOF
			set -e
			context="\$(stat -c %C /etc/resolv.conf 2>/dev/null)" || unset context
			mount --make-private /dev/shm
			mount -t tmpfs none /dev/shm
			cat > /dev/shm/resolv.conf
			[[ -z \$context || \$context == "?" ]] || chcon "\$context" /dev/shm/resolv.conf 2>/dev/null || true
			mount -o remount,ro /dev/shm
			mount -o bind,ro /dev/shm/resolv.conf /etc/resolv.conf
		_EOF
		)"
	fi
	# Record that DNS was changed; nothing in this snippet reads the flag.
	HAVE_SET_DNS=1
}

# unset_dns: undo what set_dns did for the WireGuard interface.
# Globals:   DNS (read), INTERFACE (read)
# Returns:   0 when DNS is empty, otherwise the status of the command run.
unset_dns() {
	# No DNS servers configured means set_dns changed nothing.
	if (( ${#DNS[@]} == 0 )); then
		return 0
	fi

	# Mirror set_dns: openresolv deletes the interface's entry, any other
	# case removes the bind mount from /etc/resolv.conf. The substitution
	# stays inside the case word so a missing resolvconf is not fatal.
	case "$(resolvconf --version 2>/dev/null)" in
		"openresolv "*)
			cmd resolvconf -d "$INTERFACE"
			;;
		*)
			cmd umount /etc/resolv.conf
			;;
	esac
}