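# WireGuard server as a linuxserver/wireguard container.
#
# No comments may appear inside the backslash-continued command below: a "#"
# after an argument comments out the trailing "\" and silently ends the
# command there (the original had "#虚拟IP\" on the INTERNAL_SUBNET line, so
# everything from ALLOWEDIPS onward was run as separate, broken commands and
# docker never received the image name).
#
# - SERVERURL: the address peers will contact (presumably written as the
#   Endpoint of the generated peer configs). A LAN IP only works for peers on
#   that LAN; roaming clients need the public IP or a DDNS name.
# - INTERNAL_SUBNET: the VPN's virtual subnet (10.13.13.0/24, an RFC 1918 range).
# - ALLOWEDIPS=0.0.0.0/0: full-tunnel peers; narrow it for split tunnelling.
# - SYS_MODULE together with the /lib/modules mount lets the container load
#   kernel modules on the host, which is effectively host root. Keep them only
#   if the host kernel lacks a WireGuard module (`modinfo wireguard` on the
#   host); otherwise drop both lines.
# - Pin the image (version tag or @sha256 digest) instead of :latest so the
#   deployment is reproducible and upgrades are deliberate.
docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Asia/Shanghai \
  -e SERVERURL=你的内网IP \
  -e SERVERPORT=51820 \
  -e PEERS=1 \
  -e PEERDNS=auto \
  -e INTERNAL_SUBNET=10.13.13.0 \
  -e ALLOWEDIPS=0.0.0.0/0 \
  -p 51820:51820/udp \
  -v /wireguard/to/appdata/config:/config \
  -v /wireguard/modules:/lib/modules \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --restart unless-stopped \
  linuxserver/wireguard:latest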
mac客户端
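# Install Homebrew via the gitee mirror install script.
# Piping a remote script straight into a shell trusts that mirror completely;
# if that is a concern, download the script, read it, then run it (the
# upstream installer lives at https://brew.sh).
/bin/zsh -c "$(curl -fsSL https://gitee.com/cunkai/HomebrewCN/raw/master/Homebrew.sh)"
# Use the USTC bottle mirror. The append is guarded so re-running this
# snippet does not keep adding duplicate export lines to ~/.zshrc.
grep -q 'HOMEBREW_BOTTLE_DOMAIN' ~/.zshrc 2>/dev/null || echo 'export HOMEBREW_BOTTLE_DOMAIN=https://mirrors.ustc.edu.cn/homebrew-bottles' >> ~/.zshrc
source ~/.zshrc
# Install the WireGuard userspace tools. The formula is "wireguard-tools"
# (the original had a typo, "wiregraurd-tools", which brew cannot resolve).
brew install wireguard-tools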
生成你的密钥
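# Generate the client key pair: the private key goes to /etc/wireguard/privatekey
# and the derived public key to /etc/wireguard/publickey (tee also echoes the
# public key to the terminal so it can be copied into the server's [Peer]).
# umask 077 makes both files owner-only; with a typical default umask the
# private key would otherwise be created world-readable. /etc/wireguard
# usually needs root and may not exist yet on macOS, hence mkdir -p.
umask 077
mkdir -p /etc/wireguard
wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey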
centos7客户端
# CentOS 7, option A: switch to the centosplus "kernel-plus" kernel
# (presumably because it ships a WireGuard module), install the userspace
# tools and reboot into the new kernel.
yum install yum-utils epel-release
# Enable centosplus but only allow the kernel-plus package from it, persistently.
yum-config-manager --enablerepo=centosplus --setopt=centosplus.includepkgs=kernel-plus --save
# Make kernel-plus the default kernel for future kernel installs/boot entries.
sed -i 's|^DEFAULTKERNEL=kernel$|DEFAULTKERNEL=kernel-plus|' /etc/sysconfig/kernel
yum install kernel-plus wireguard-tools
reboot
# Alternatively (option B): keep the stock CentOS 7 kernel and install the
# out-of-tree WireGuard kernel module (kmod-wireguard) from the ELRepo
# repository enabled by the first two commands.
yum install epel-release elrepo-release
yum install yum-plugin-elrepo
yum install kmod-wireguard wireguard-tools
Ubuntu和Debian
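apt install wireguard
# wg0.conf contains the client's private key: set umask so the file is created
# owner-only (wg-quick warns when the config is world-readable).
# The heredoc delimiter is quoted so nothing inside is subject to shell
# expansion or command substitution.
umask 077
cat << 'EOF' > /etc/wireguard/wg0.conf
[Interface]
# The CLIENT's private key (output of `wg genkey`). Never paste a real key into
# shared documentation: the key that was published here must be treated as
# compromised and rotated.
PrivateKey = <client-private-key>
# This client's VPN address. Every peer, server included, needs a unique one.
# NOTE(review): 11.13.13.0/24 is not private address space (11.0.0.0/8 is a
# public allocation); prefer an RFC 1918 range such as 10.x.x.x/24 so the
# tunnel does not shadow real Internet hosts.
Address = 11.13.13.6/32

[Peer]
# The SERVER's public key.
PublicKey = yVco0xaLnYtcR1eMjBfRnZ6mmUvmpOSeasS250nLkE4=
# The server's public IP (or DNS name) and listen port.
Endpoint = xxx.xx.x.xx:50107
# AllowedIPs = the destinations routed through the tunnel.
# The value below (0.0.0.0/1 plus 128.0.0.0/1 = everything, split so it takes
# precedence over the existing default route) makes this a FULL-tunnel client.
# For a split tunnel list only the VPN subnet and the LAN behind the server,
# e.g.:  AllowedIPs = 11.13.13.0/24, <server-lan-subnet>
# Never include the server's public IP or this host's own LAN here, or the
# tunnel/LAN traffic loops into the tunnel.
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
PersistentKeepalive = 10
EOF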
k8s部署
---
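# Secret holding the server-side wg0.conf template. The "ENI" placeholder is
# replaced by the Deployment's init container with the pod's egress interface.
# The original heredoc was never terminated, so the following app.yaml heredoc
# was swallowed into ss-Secret.yaml; the closing EOF below fixes that.
# YAML indentation is significant and is restored here (2 spaces per level).
tee ss-Secret.yaml <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: wireguard
  # namespace: example
type: Opaque
stringData:
  wg0.conf.template: |
    [Interface]
    # VPN address of the server. NOTE(review): 19.11.11.0/24 is public address
    # space, not RFC 1918; prefer e.g. 10.x.x.x/24 so the VPN does not shadow
    # real Internet hosts.
    Address = 19.11.11.1/24
    ListenPort = 51820
    # SERVER private key (output of wg genkey). Do not commit a real key to
    # version control; inject it at deploy time instead (kubectl create
    # secret, a sealed/external secret, ...). The key that was published in
    # the original manifest must be treated as compromised and rotated.
    PrivateKey = <server-private-key>
    # Allow forwarding for the wg interface (%i) and NAT peer traffic out of
    # the egress interface (ENI is substituted by the init container).
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ENI -j MASQUERADE
    PostUp = sysctl -w -q net.ipv4.ip_forward=1
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ENI -j MASQUERADE
    PostDown = sysctl -w -q net.ipv4.ip_forward=0

    [Peer]
    # CLIENT public key. AllowedIPs on the server side is the only VPN source
    # address this peer is permitted to use (WireGuard cryptokey routing).
    PublicKey = f+KckTOgpCmCpsIQaz0LmR1h8fHgSM/9lRL3KsuR+CY=
    AllowedIPs = 19.11.11.3/32
EOF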
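# Service (UDP LoadBalancer via OpenELB layer2) plus the WireGuard Deployment.
# YAML indentation is significant and is restored here (2 spaces per level).
tee app.yaml <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: wireguard
  # namespace: example
  annotations:
    lb.kubesphere.io/v1alpha1: openelb
    protocol.openelb.kubesphere.io/v1alpha1: layer2
    eip.openelb.kubesphere.io/v1alpha2: eip-pool
spec:
  type: LoadBalancer
  ports:
    - name: wireguard
      port: 51820
      protocol: UDP
      targetPort: 51820
  selector:
    name: wireguard
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard
  # namespace: example
spec:
  # One server private key means exactly one pod. Recreate avoids a rolling
  # update briefly running two pods with the same identity behind the LB.
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      name: wireguard
  template:
    metadata:
      labels:
        name: wireguard
    spec:
      initContainers:
        # wg0.conf needs the real name of the pod's egress interface for the
        # MASQUERADE rule. The Secret only contains the "ENI" placeholder, so
        # this init container resolves the interface name and renders the
        # final wg0.conf into the emptyDir shared with the main container.
        - name: wireguard-template-replacement
          # NOTE(review): pin by tag and digest; a bare "busybox" floats to :latest.
          image: busybox
          command:
            - sh
            - -c
            - |
              set -eu
              # 114.114.114.114 is only a routable destination; "ip route get"
              # reports the interface that would be used to reach it. Take the
              # token after "dev" rather than a fixed column: the column shifts
              # when the route has no "via <gateway>" part, and the original
              # $5 would then have printed the source address instead.
              ENI=$(ip route get 114.114.114.114 | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
              if [ -z "$ENI" ]; then
                # Without this guard an empty ENI rendered "-o " into the
                # iptables rules and the interface failed to come up.
                echo "could not determine egress interface" >&2
                exit 1
              fi
              sed "s/ENI/$ENI/g" /etc/wireguard-secret/wg0.conf.template > /etc/wireguard/wg0.conf
              chmod 400 /etc/wireguard/wg0.conf
          volumeMounts:
            - name: wireguard-config
              mountPath: /etc/wireguard/
            - name: wireguard-secret
              mountPath: /etc/wireguard-secret/
              readOnly: true
      containers:
        - name: wireguard
          # NOTE(review): third-party registry image with a floating tag. Pin it
          # by digest and verify what it runs before trusting it with the VPN key.
          image: registry.cn-shenzhen.aliyuncs.com/jbjb/csi:wireguard
          ports:
            - containerPort: 51820
              protocol: UDP
          env:
            - name: TZ
              value: "Asia/Shanghai"
            # Keep the PEERS environment variable to force server mode
            - name: PEERS
              value: "default"
          volumeMounts:
            - name: wireguard-config
              mountPath: /etc/wireguard/
              readOnly: true
          securityContext:
            # privileged grants every capability (so the NET_ADMIN add below is
            # redundant while it is set) and a writable /proc/sys, which the
            # PostUp "sysctl -w" lines in the template appear to rely on.
            # TODO(review): try privileged: false with NET_ADMIN only and set
            # net.ipv4.ip_forward through pod securityContext.sysctls (needs the
            # kubelet's allowed-unsafe-sysctls list) — confirm the image still
            # comes up before tightening.
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
      volumes:
        - name: wireguard-config
          emptyDir: {}
        - name: wireguard-secret
          secret:
            secretName: wireguard
            # Owner-only projected files; the busybox init container presumably
            # runs as root and can still read them — confirm if a non-root
            # securityContext is added later.
            defaultMode: 0400
      imagePullSecrets:
        - name: docker-registry
EOF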
https://blog.jamesclonk.io/posts/wireguard-on-kubernetes/
https://www.perdian.de/blog/2022/02/21/setting-up-a-wireguard-vpn-using-kubernetes/