I recently came across a tool called WireGuard. It creates a virtual network between two nodes and supports IPv6, so I wondered whether it could serve as a way to tunnel IPv6 between hosts. I tried it and it works; here is the setup.
Environment
PeerA: 192.168.217.129@CentOS7
PeerB: 192.168.217.130@CentOS7
Virtual network IPv6 range = dddd:1111:2222::/48
Virtual network IPv4 range = 192.168.99.0/24
Installation
Install on both nodes:
curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install epel-release
yum install wireguard-dkms wireguard-tools
Configuration
PeerA
# Generate the private key
[root@PeerA ~]# wg genkey > private
Warning: writing to world accessible file.   # the walkthrough ignores this warning; to avoid it, run umask 077 first as the next line suggests, so the key file is not world-readable
Consider setting the umask to 077 and trying again.
# Show the public key
[root@PeerA ~]# wg pubkey < private
VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4=
# Create the virtual interface wg0
[root@PeerA ~]# ip link add wg0 type wireguard
# Assign the IPv4 address
[root@PeerA ~]# ip addr add 192.168.99.1/24 dev wg0
# Assign the IPv6 address
[root@PeerA ~]# ifconfig wg0 inet6 add ddbb:1111:cafe::1/48
# Load the private key and set the listening port
[root@PeerA ~]# wg set wg0 listen-port 36647 private-key ./private
# Bring the virtual interface up
[root@PeerA ~]# ip link set wg0 up
# Show the local node's state
[root@PeerA ~]# wg
interface: wg0
public key: VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4=
private key: (hidden)
listening port: 36647
# Configure the remote peer
[root@PeerA ~]# wg set wg0 peer MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0= allowed-ips 192.168.99.2,ddbb:1111:cafe::2 endpoint 192.168.217.130:56452
# Note: suppose A has a public IP and runs as the server while the other nodes are clients. This applies when only one side has a public IP, as opposed to a peer-to-peer network. In that case, omit endpoint when adding the peer; traffic can only flow after the client has connected, because until then the program does not know the peer's address. WireGuard has a good roaming mechanism and automatically adapts when the peer's IP changes.
PeerB
# Generate the private key
[root@PeerB ~]# wg genkey > private
Warning: writing to world accessible file.   # the walkthrough ignores this warning; run umask 077 first to avoid it
Consider setting the umask to 077 and trying again.
# Show the public key
[root@PeerB ~]# wg pubkey < private
MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0=
# Create the virtual interface wg0
[root@PeerB ~]# ip link add wg0 type wireguard
# Assign the IPv4 address
[root@PeerB ~]# ip addr add 192.168.99.2/24 dev wg0
# Assign the IPv6 address
[root@PeerB ~]# ifconfig wg0 inet6 add ddbb:1111:cafe::2/48
# Load the private key (no listen-port given, so a random port is chosen)
[root@PeerB ~]# wg set wg0 private-key ./private
# Bring the virtual interface up
[root@PeerB ~]# ip link set wg0 up
# Show the local node's state
[root@PeerB ~]# wg
interface: wg0
public key: MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0=
private key: (hidden)
listening port: 56452
# Configure the remote peer
[root@PeerB ~]# wg set wg0 peer VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4= endpoint 192.168.217.129:36647 allowed-ips 192.168.99.1,ddbb:1111:cafe::1
Testing
PeerA
# Ping
[root@PeerA ~]# ping6 ddbb:1111:cafe::2
[root@PeerA ~]# ping 192.168.99.2
# Check the peer state
[root@PeerA ~]# wg
interface: wg0
public key: VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4=
private key: (hidden)
listening port: 36647
peer: MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0=
endpoint: 192.168.217.130:56452
allowed ips: 192.168.99.2,ddbb:1111:cafe::2
latest handshake: 4 minutes, 3 seconds ago
transfer: 308 B received, 220 B sent
PeerB
# Ping
[root@PeerB ~]# ping6 ddbb:1111:cafe::1
[root@PeerB ~]# ping 192.168.99.1
# Check the peer state
[root@PeerB ~]# wg
interface: wg0
public key: MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0=
private key: (hidden)
listening port: 56452
peer: VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4=
endpoint: 192.168.217.129:36647
allowed ips: 192.168.99.1,ddbb:1111:cafe::1
latest handshake: 4 minutes, 6 seconds ago
transfer: 220 B received, 308 B sent
Limitations
- With more than two nodes, every pair of nodes must be configured, or traffic must be relayed through a default gateway
- Every node must be configured by hand
- No Windows support (see the update below)
- It runs over UDP, which may be subject to QoS throttling on the public Internet
Update: it also works on Windows; just write the IP in the Interface section in CIDR form:
Address = 59.43.60.2/32,2001:470:6666::2/128
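As an added example (not code from the original post), the walkthrough's two configuration steps and the Windows CIDR note above combined into two small POSIX shell helpers: one creates the private key file with umask 077 so `wg genkey` never writes a world-readable key, the other emits a wg-quick/Windows style config for one endpoint with the interface addresses in CIDR form. Key strings in the usage comment are the page's own; the fallback key is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original post.

# write_private_key PATH: create PATH with mode 600 before the key is written,
# which avoids the "writing to world accessible file" warning shown above.
# Falls back to a constructed placeholder when wg is not installed, so the
# helper can be exercised on a machine without WireGuard.
write_private_key() {
    ( umask 077; : > "$1" ) || return 1
    if command -v wg >/dev/null 2>&1; then
        wg genkey > "$1"
    else
        printf '%s\n' 'CONSTRUCTED_PLACEHOLDER_PRIVATE_KEY=' > "$1"
    fi
}

# gen_wg_conf ADDR4 ADDR6 PRIVKEY LISTEN_PORT PEER_PUBKEY PEER_ALLOWED [PEER_ENDPOINT]
# ADDR4/ADDR6 are CIDR (the form the Windows client requires). An empty
# LISTEN_PORT omits ListenPort (client side); an empty PEER_ENDPOINT omits
# Endpoint (server side, which learns the client's address from its handshake,
# as the note on PeerA explains).
gen_wg_conf() {
    printf '[Interface]\nAddress = %s,%s\nPrivateKey = %s\n' "$1" "$2" "$3"
    [ -n "$4" ] && printf 'ListenPort = %s\n' "$4"
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$5" "$6"
    [ -n "$7" ] && printf 'Endpoint = %s\n' "$7"
    return 0
}

# Usage, mirroring PeerB from the walkthrough (PeerA's public key and endpoint):
#   write_private_key ./private
#   gen_wg_conf 192.168.99.2/24 ddbb:1111:cafe::2/48 "$(cat ./private)" "" \
#       VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4= \
#       192.168.99.1/32,ddbb:1111:cafe::1/128 192.168.217.129:36647 > wg0.conf
```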