Wireguard VPN

基于udp的vpn，代码行最少，已被集成到 linux 5.6 kernel

Update Linux内核

elrepo源

// for centos 7
yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
// for centos 8
yum install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm

更新内核

    yum -y --enablerepo=elrepo-kernel install kernel-ml
    sed -i "s/GRUB_DEFAULT=saved/GRUB_DEFAULT=0/" /etc/default/grub
    grub2-mkconfig -o /boot/grub2/grub.cfg
    reboot
    uname -a

wg0接口配置工具

git clone https://github.com/WireGuard/wireguard-tools
cd wireguard-tools/src
make 
make install

其他配置

开启内核转发，net.ipv4.ip_forward = 1

sysctl.conf

net.ipv4.ip_forward = 1

# bbr
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

ifconfig参看网卡信息，修改ens160

wg0.conf

[Interface]
PrivateKey = 
Address = 10.0.1.1/24
PostUp   = iptables -I FORWARD -i wg0 -j ACCEPT; iptables -I FORWARD -o wg0 -j ACCEPT; iptables -t nat -I POSTROUTING -o ens160 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE
ListenPort = 443
MTU = 1420
[PEER]
PUBLICKEY = 
ALLOWEDIPS = 10.0.1.10/32

vi /etc/sysconfig/iptables, delete下面一行，允许Forward链数据转发。

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

reference