[Network] Building an IPv6 tunnel with WireGuard

I recently came across a tool called WireGuard. It creates a virtual network between two nodes and supports IPv6, so I wondered whether it could serve as a way to bring up an IPv6 tunnel. I tried it and it works; the setup is shared below.

Environment

PeerA: 192.168.217.129@CentOS7
PeerB: 192.168.217.130@CentOS7
Virtual network IPv6 prefix: ddbb:1111:cafe::/48
Virtual network IPv4 subnet: 192.168.99.0/24
Note that ddbb:1111:cafe::/48 is a made-up prefix that is not reserved for private use; for anything beyond a lab, use a ULA prefix from fd00::/8 (RFC 4193) or a prefix you actually hold.

Installation

Install on both nodes:

curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install epel-release
yum install wireguard-dkms wireguard-tools

Configuration

PeerA

#Generate the private key. The warning below means the file was created world-readable; do not ignore it: run umask 077 first, as the tool suggests, or chmod 600 private before going on.
[root@PeerA ~]# wg genkey > private
Warning: writing to world accessible file.
Consider setting the umask to 077 and trying again.
#Derive the public key (this is what PeerB must be given)
[root@PeerA ~]# wg pubkey < private
VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4=
#Create the virtual interface wg0
[root@PeerA ~]# ip link add wg0 type wireguard
#Assign the IPv4 address
[root@PeerA ~]# ip addr add 192.168.99.1/24 dev wg0
#Assign the IPv6 address
[root@PeerA ~]# ip -6 addr add ddbb:1111:cafe::1/48 dev wg0
#Load the private key and set a fixed listen port
[root@PeerA ~]# wg set wg0 listen-port 36647 private-key ./private
#Bring the interface up
[root@PeerA ~]# ip link set wg0 up
#Show the local interface state
[root@PeerA ~]# wg
interface: wg0
   public key: VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4=
   private key: (hidden)
   listening port: 36647
#Add the peer. allowed-ips is both the route to the peer and the set of source addresses accepted from it (cryptokey routing), so list exactly the peer's tunnel addresses as host routes.
[root@PeerA ~]# wg set wg0 peer MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0= allowed-ips 192.168.99.2/32,ddbb:1111:cafe::2/128 endpoint 192.168.217.130:56452
#Note: suppose A has the public IP and runs as the server while the others are clients, i.e. only one side is publicly reachable rather than a peer-to-peer network. In that case no endpoint is given when adding the peer on A, and traffic can flow only after the client has connected, because until then A has no address for the peer. WireGuard's roaming handles this well: the endpoint is learned and updated from each authenticated packet, so it follows changes of the peer's IP automatically. A client behind NAT should additionally set persistent-keepalive 25, so the NAT mapping stays open while the tunnel is idle; otherwise A cannot initiate traffic to it.

PeerB

#Generate the private key (same warning as on PeerA: use umask 077 or chmod 600 private; do not leave the key world-readable)
[root@PeerB ~]# wg genkey > private
Warning: writing to world accessible file.
Consider setting the umask to 077 and trying again.
#Derive the public key (this is what PeerA must be given)
[root@PeerB ~]# wg pubkey < private
MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0=
#Create the virtual interface wg0
[root@PeerB ~]# ip link add wg0 type wireguard
#Assign the IPv4 address
[root@PeerB ~]# ip addr add 192.168.99.2/24 dev wg0
#Assign the IPv6 address
[root@PeerB ~]# ip -6 addr add ddbb:1111:cafe::2/48 dev wg0
#Load the private key. Set listen-port explicitly: if it is omitted the kernel picks a random port, and PeerA's endpoint would then have to be read off this node's wg output.
[root@PeerB ~]# wg set wg0 listen-port 56452 private-key ./private
#Bring the interface up
[root@PeerB ~]# ip link set wg0 up
#Show the local interface state
[root@PeerB ~]# wg
interface: wg0
   public key: MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0=
   private key: (hidden)
   listening port: 56452
#Add the peer (PeerA's public key and fixed endpoint, with host routes for PeerA's tunnel addresses)
[root@PeerB ~]# wg set wg0 peer VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4= endpoint 192.168.217.129:36647 allowed-ips 192.168.99.1/32,ddbb:1111:cafe::1/128
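The whole procedure above, expressed as wg-quick configuration files rather than a sequence of ip and wg set commands (an added example, not code from the original post or from the WireGuard project). It keeps the post's public keys, addresses and ports; the private-key placeholders, the /etc/wireguard/wg0.conf path and the 25-second keepalive are assumptions. Beyond what the post shows, it refuses AllowedIPs entries that are not single-host routes, because AllowedIPs is also the inbound source filter, and it generates keys under umask 077 so the private key is never world-readable.

```shell
#!/bin/sh
# Added example (not from the original post): render wg-quick configs for the
# two peers described above. Public keys, addresses and ports are the post's;
# private-key placeholders and file paths are assumptions.

# AllowedIPs is both the route table and the inbound source filter (cryptokey
# routing): a peer listed with 0.0.0.0/0 may send packets from any source
# address. For point-to-point peers insist on single-host entries.
check_host_allowed_ip() {
    case "$1" in
        *:*/128) return 0 ;;   # IPv6 host route
        *:*)     return 1 ;;   # IPv6 without /128 (bare address or wider prefix)
        */32)    return 0 ;;   # IPv4 host route
        *)       return 1 ;;   # IPv4 bare address or wider prefix
    esac
}

# Join arguments with ", " (wg-quick accepts comma-separated lists).
join_list() {
    out=""
    for item in "$@"; do
        out="${out:+$out, }$item"
    done
    printf '%s' "$out"
}

# [Interface] section: $1 private key, $2 listen port, $3.. addresses/prefix.
# A fixed ListenPort matters: without it the kernel picks a random port and the
# other side's Endpoint has to be read off `wg` output.
render_interface() {
    key=$1; port=$2; shift 2
    printf '[Interface]\nPrivateKey = %s\nListenPort = %s\nAddress = %s\n' \
        "$key" "$port" "$(join_list "$@")"
}

# [Peer] section: $1 public key, $2 Endpoint ("" to omit, for a peer whose
# address is only learned when it connects), $3 PersistentKeepalive seconds
# (0 to omit; 25 keeps a NAT mapping open), $4.. AllowedIPs host entries.
render_peer() {
    pub=$1; endpoint=$2; keepalive=$3; shift 3
    for ip in "$@"; do
        if ! check_host_allowed_ip "$ip"; then
            echo "render_peer: refusing AllowedIPs entry '$ip' (need a /32 or /128 host route)" >&2
            return 1
        fi
    done
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pub" "$(join_list "$@")"
    if [ -n "$endpoint" ]; then printf 'Endpoint = %s\n' "$endpoint"; fi
    if [ "$keepalive" -gt 0 ]; then printf 'PersistentKeepalive = %s\n' "$keepalive"; fi
}

# Generate a key pair without ever leaving the private key world-readable: the
# "writing to world accessible file" warning in the post is exactly this case.
gen_keys() {   # $1 = directory; needs wireguard-tools, so not run here
    ( umask 077 && mkdir -p "$1" && wg genkey > "$1/private" \
        && wg pubkey < "$1/private" > "$1/public" )
}

A_PUB=VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4=
B_PUB=MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0=
A_PRIV=${A_PRIV:-PASTE_PEERA_PRIVATE_KEY}   # placeholder: contents of PeerA's private file
B_PRIV=${B_PRIV:-PASTE_PEERB_PRIVATE_KEY}   # placeholder: contents of PeerB's private file

# PeerA as the server from the post's note: no Endpoint for B, B initiates.
peer_a_conf() {
    render_interface "$A_PRIV" 36647 192.168.99.1/24 ddbb:1111:cafe::1/48
    echo
    render_peer "$B_PUB" "" 0 192.168.99.2/32 ddbb:1111:cafe::2/128
}

# PeerB: fixed Endpoint for A plus keepalive in case B sits behind NAT.
peer_b_conf() {
    render_interface "$B_PRIV" 56452 192.168.99.2/24 ddbb:1111:cafe::2/48
    echo
    render_peer "$A_PUB" 192.168.217.129:36647 25 192.168.99.1/32 ddbb:1111:cafe::1/128
}

# On each host: ( umask 077 && peer_X_conf > /etc/wireguard/wg0.conf ) && wg-quick up wg0
peer_a_conf
echo '----'
peer_b_conf
```

Write each peer's output to /etc/wireguard/wg0.conf on that host with mode 600 and bring it up with wg-quick up wg0; wg-quick creates the interface, assigns the addresses and installs routes for the AllowedIPs, replacing the ip and wg set commands above, and systemctl enable wg-quick@wg0 makes the tunnel come back after a reboot. The refusal of non-host AllowedIPs is deliberately strict for this two-node case; a hub that relays for a whole subnet legitimately needs a wider prefix, and then that prefix must not overlap another peer's.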

Testing

PeerA

#Ping PeerB over the tunnel (IPv6, then IPv4)
[root@PeerA ~]# ping6 ddbb:1111:cafe::2
[root@PeerA ~]# ping 192.168.99.2
#Check peer state: a recent latest handshake and non-zero transfer counters in both directions confirm the tunnel is up
[root@PeerA ~]# wg
interface: wg0
   public key: VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4=
   private key: (hidden)
   listening port: 36647

peer: MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0=
   endpoint: 192.168.217.130:56452
   allowed ips: 192.168.99.2/32, ddbb:1111:cafe::2/128
   latest handshake: 4 minutes, 3 seconds ago
   transfer: 308 B received, 220 B sent

PeerB

#Ping PeerA over the tunnel (IPv6, then IPv4)
[root@PeerB ~]# ping6 ddbb:1111:cafe::1
[root@PeerB ~]# ping 192.168.99.1
#Check peer state (the counters mirror PeerA's: what A received, B sent)
[root@PeerB ~]# wg
interface: wg0
   public key: MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0=
   private key: (hidden)
   listening port: 56452

peer: VgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4=
   endpoint: 192.168.217.129:36647
   allowed ips: 192.168.99.1/32, ddbb:1111:cafe::1/128
   latest handshake: 4 minutes, 6 seconds ago
   transfer: 220 B received, 308 B sent
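A check built on the same state the post reads off by hand (an added example, not part of the original post). wg show wg0 dump prints the interface line and then one tab-separated line per peer, which is easier to parse than the default wg output; the sample dump below is constructed from the post's values, and the 180-second threshold and the extra never-seen peer are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag peers whose session looks
# dead, from `wg show wg0 dump` output. Field layout of the dump:
#   line 1:  private-key  public-key  listen-port  fwmark
#   peers:   public-key  preshared-key  endpoint  allowed-ips
#            latest-handshake(epoch seconds)  rx-bytes  tx-bytes  keepalive
# The sample dump is constructed from the post's values.

# Print "<pubkey> <endpoint> <age-or-never>" for peers whose last handshake is
# older than $2 seconds (default 180) as of epoch $1. Reads dump text on stdin.
# While traffic flows WireGuard renews the handshake roughly every 2 minutes and
# drops a session after 180 s, so 180 catches dead sessions; an idle tunnel also
# looks stale, so pair this check with a ping across the tunnel.
stale_peers() {
    now=$1; max=${2:-180}
    awk -F'\t' -v now="$now" -v max="$max" '
        NR == 1 { next }                           # interface line
        $5 == 0 { print $1, $3, "never"; next }    # no handshake ever
        now - $5 > max { print $1, $3, now - $5 }
    '
}

# Constructed dump as seen from PeerA: PeerB handshook 243 s ago (the
# "4 minutes, 3 seconds" in the post) at a notional now of 1500000243, plus an
# assumed third peer that has never completed a handshake.
SAMPLE_NOW=1500000243
sample_dump() {
    printf 'PRIVATE_KEY_HIDDEN\tVgKEt2yVyw1BokJdigs912Z5OHOF5TN7vcsGhNcIhj4=\t36647\toff\n'
    printf 'MeildLAc45ZhaqfU+52hQ2/aJ+AhedUmWj+KKPwxGS0=\t(none)\t192.168.217.130:56452\t192.168.99.2/32,ddbb:1111:cafe::2/128\t1500000000\t308\t220\toff\n'
    printf 'NEVERSEENPEERKEYAAAAAAAAAAAAAAAAAAAAAAAAAAA=\t(none)\t(none)\t192.168.99.3/32\t0\t0\t0\t25\n'
}

# Live use on PeerA (root, wireguard-tools):
#   wg show wg0 dump | stale_peers "$(date +%s)" 180
# Against the constructed sample:
sample_dump | stale_peers "$SAMPLE_NOW" 180
```

Run from cron with a real clock, the function's output is empty when every peer has a fresh session; a peer printed with "never" has a configured key that has not completed a handshake at all, which after a new deployment usually means a wrong public key, a wrong endpoint or UDP blocked on the listen port.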

Limitations

  • With more than two nodes, every pair of nodes has to be configured with each other, or traffic has to be relayed through one node acting as default gateway
  • Every node has to be configured by hand (a wg-quick config file per node and systemctl enable wg-quick@wg0 at least make the configuration persistent)
  • No Windows support (at the time of writing; an official Windows client has since been released)
  • UDP only, so on the public Internet the traffic may be subject to QoS throttling
