部署 WireGuard VPN,用于访问公司内网。
安装 Docker
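# Ubuntu/Debian
# NOTE(review): the signing key is fetched from the Aliyun mirror rather than from
# Docker. Before trusting it, compare its fingerprint
# (`gpg --show-keys /usr/share/keyrings/docker-archive-keyring.gpg`) with the
# fingerprint published in Docker's official install documentation.
curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
# signed-by pins this repository to the key above, so apt rejects packages signed by any other key.
# dpkg --print-architecture replaces the hard-coded amd64 so the same line works on arm64 hosts.
codename=$(lsb_release -cs)
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://mirrors.aliyun.com/docker-ce/linux/ubuntu ${codename} stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# apt needs root too: run it under sudo like the key/repo steps above (the original
# listing mixed sudo and non-sudo commands, which fails for a non-root user).
sudo apt update
sudo apt install docker-ce -y

# CentOS/RHEL
# -f makes curl fail (and write nothing) on an HTTP error instead of saving an
# error page as the repo definition; -sSL matches the Debian step above.
sudo curl -fsSL https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
sudo dnf install docker-ce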
安装 docker-compose
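# NOTE(review): 1.24.1 is a Compose v1 release and Compose v1 is end-of-life;
# pin a currently supported release when this page is reused.
compose_version=1.24.1
# -f: fail on HTTP errors instead of saving an error page as the "binary";
# -L: follow the GitHub release redirect. /usr/local/bin needs root, hence sudo.
sudo curl -fsSL "https://github.com/docker/compose/releases/download/${compose_version}/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/bin/docker-compose
# The original listing stopped here, but the download is not executable until
# chmod'ed: `docker-compose` would fail with "Permission denied".
sudo chmod +x /usr/local/bin/docker-compose
# Verify the download against the checksum published with the release before using it.
# TODO: replace <SHA256_FROM_RELEASE_PAGE> with the value from the release page.
# printf '%s  /usr/local/bin/docker-compose\n' '<SHA256_FROM_RELEASE_PAGE>' | sha256sum -c -
docker-compose --version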
安装 WireGuard
# Rocky Linux 9: only the userspace tools package is installed here.
dnf install wireguard-tools
# Ubuntu 22: kernel-side package plus the userspace tools.
apt install wireguard wireguard-tools
安装 wg-ui
vim docker-compose.yml
version: "3"
services:
  wg-easy:
    container_name: wg-easy
    image: ghcr.io/wg-easy/wg-easy
    network_mode: bridge
    environment:
      - LANG=chs
      - WG_HOST=35.201.194.156 # this host's public IP (example value; clients connect to it)
      # NOTE(review): for "access the company intranet" internal names only resolve if the
      # company's DNS is listed here; public resolvers alone will not — confirm with the network team.
      - WG_DEFAULT_DNS=8.8.8.8,8.8.4.4
      - PORT=7000 # web UI (TCP)
      - WG_DEFAULT_ADDRESS=10.1.9.x # subnet handed out to clients
      - WG_PORT=7001 # WireGuard listener (UDP)
      # eth0 is presumably the container-side interface under network_mode: bridge — confirm;
      # %i is expanded to the wg interface name by wg-quick.
      - WG_POST_UP=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      - WG_POST_DOWN=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
      # NOTE(review): 0.0.0.0/0,::/0 turns every client into a full tunnel. Since the stated
      # purpose is intranet access, listing only the intranet ranges (plus the wg subnet)
      # limits what this host relays on behalf of clients — confirm which ranges are needed.
      - WG_ALLOWED_IPS=0.0.0.0/0,::/0
      # bcrypt hash of the UI password; each "$" is doubled so compose does not treat it as variable interpolation.
      - PASSWORD_HASH=$$2a$$12$$31H.ZEl74tEF98shuIWWxe2PTsljr3vEMRfU7HL8dPvNJTImcUgRq
      - UI_TRAFFIC_STATS=true
      - UI_CHART_TYPE=3 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
      # - WG_ENABLE_ONE_TIME_LINKS=true
      - UI_ENABLE_SORT_CLIENTS=true
      # - WG_ENABLE_EXPIRES_TIME=true
    volumes:
      - /etc/wireguard:/etc/wireguard # server and client private keys are stored here; keep host permissions tight
    ports:
      # NOTE(review): "7000:7000" publishes the plaintext web UI on every host interface, which
      # bypasses the TLS proxy configured later on this page; "127.0.0.1:7000:7000/tcp" keeps the
      # UI reachable only through nginx.
      - 7000:7000/tcp
      - 7001:7001/udp
    cap_add:
      - NET_ADMIN
      # NOTE(review): SYS_MODULE lets the container load kernel modules on the host. It is only
      # needed if the wireguard module is not already loaded; this page installs wireguard on
      # the host, so the capability can likely be dropped — confirm with `lsmod`.
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    restart: unless-stopped
PASSWORD_HASH:登录 wg-easy web 界面时使用的密码。使用如下命令生成密码的 hash 值:docker run -it ghcr.io/wg-easy/wg-easy /app/wgpw.sh 123456(其中 123456 就是你的密码,仅为示例,请换成强密码)。由于 docker-compose 会把 $ 当作变量插值,需要将生成的 hash 值中的每个 $ 符号替换为两个 $$ 符号。
启动服务
配置 Nginx 代理
安装 Nginx
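# Add the nginx.org signing key (its own keyring, so signed-by can pin the repo to it).
curl -fsSL https://nginx.org/keys/nginx_signing.key \
  | sudo gpg --dearmor -o /usr/share/keyrings/nginx-archive-keyring.gpg
# Add the official repository; signed-by restricts it to the key above.
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu $(lsb_release -cs) nginx" \
  | sudo tee /etc/apt/sources.list.d/nginx.list > /dev/null
# apt needs root as well: run it under sudo like the two steps above (the original
# listing mixed sudo and non-sudo commands, which fails for a non-root user).
sudo apt update
# nginx-module-stream is the dynamic stream module used by the layer-4 proxy below;
# it only takes effect after `load_module modules/ngx_stream_module.so;` in nginx.conf.
sudo apt install nginx nginx-module-stream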
配置 Nginx
配置四层代理
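# vim /etc/nginx/nginx.conf
# The nginx.org packages ship stream as a dynamic module (nginx-module-stream, installed
# above); without this load_module the stream {} block below is a configuration error.
# load_module must sit at the top level, before any stream {} or http {} context.
load_module modules/ngx_stream_module.so;
......
# stream {} is a top-level context: it must stay outside http {}.
# Create the include directory first: mkdir -p /etc/nginx/stream.d
stream {
    include /etc/nginx/stream.d/*.conf;
}
http {
......

# vim /etc/nginx/stream.d/wg.conf
# Layer-4 UDP relay that exposes the WireGuard listener on an additional port (22222).
# The container publishes WireGuard on 7001/udp (WG_PORT); 7000 is the web UI's TCP port,
# so the original "server localhost:7000" relayed UDP to a port that never carries WireGuard.
upstream udp_backend {
    server localhost:7001;
}
server {
    listen 22222 udp;
    proxy_pass udp_backend;
}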
配置七层代理
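server {
    listen 80;
    listen 443 ssl;
    server_name wgs.example.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
    # NOTE(review): verified stapling needs the issuer chain; if nginx logs a stapling
    # warning at startup, add it via ssl_trusted_certificate (plus a resolver).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_certificate /etc/nginx/ssl/wgs.example.com.pem;
    ssl_certificate_key /etc/nginx/ssl/wgs.example.com.key;
    ssl_prefer_server_ciphers on;
    # Only consulted when ssl_verify_client is enabled; inert in this configuration.
    ssl_verify_depth 10;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 30m;

    # Port 80 is kept only to redirect. The original listing had this commented out
    # (and pointed at a different hostname than server_name), so the wg-easy login
    # form and its password were reachable over plaintext HTTP. $host/$request_uri
    # keep the redirect on the requested name and path instead of a hard-coded host.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    # Enable once HTTPS is confirmed to work: browsers cache this for max-age seconds,
    # so a broken certificate would lock clients out for that long.
    # add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_connect_timeout 180s;
        proxy_read_timeout 10m;
        proxy_send_timeout 10m;
        # Pass the original host, client address and scheme through so the UI and
        # its access logs see the real client rather than the proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:7000;
    }
}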
访问 wg-ui
浏览器访问
https://wgs.example.com
生成客户端证书