From 6e4d87b1e93f7b732bdf9f1c7e48b1e24977c866 Mon Sep 17 00:00:00 2001
From: cnphpbb
Date: Sun, 14 Dec 2025 15:25:26 +0800
Subject: [PATCH] =?UTF-8?q?feat(WireGuardVPN):=20=E6=B7=BB=E5=8A=A0wg-easy?=
 =?UTF-8?q?=E9=85=8D=E7=BD=AE=E6=96=87=E4=BB=B6=E5=92=8C=E9=83=A8=E7=BD=B2?=
 =?UTF-8?q?=E6=96=87=E6=A1=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

添加wg-easy的docker-compose配置文件和环境变量配置 补充wg-easy的部署说明文档和WireGuard手动配置文档
---
 WireGuardVPN/wg-easy/env.cfg | 5 ++
 WireGuardVPN/wg-easy/readme.md | 33 ++++++++++++
 WireGuardVPN/wg-easy/stack.yml | 28 ++++++++++
 WireGuardVPN/wireguard/readme.md | 89 ++++++++++++++++++++++++++++++++
 4 files changed, 155 insertions(+)
 create mode 100644 WireGuardVPN/wg-easy/env.cfg
 create mode 100644 WireGuardVPN/wg-easy/readme.md
 create mode 100644 WireGuardVPN/wg-easy/stack.yml
 create mode 100644 WireGuardVPN/wireguard/readme.md

diff --git a/WireGuardVPN/wg-easy/env.cfg b/WireGuardVPN/wg-easy/env.cfg
new file mode 100644
index 0000000..09b9a1f
--- /dev/null
+++ b/WireGuardVPN/wg-easy/env.cfg
@@ -0,0 +1,5 @@
+IMAGE_TAG_VER=7
+IMAGE_TAG=weejewel/wg-easy:${IMAGE_TAG_VER}
+Volumes_Path=/data/volumes/wg-easy
+WG_HOST=man.tp229.com
+WG_PASSWORD="pR3#q9sGtY5LmN1aBcDfEhIjK0lMnOqP2rS"
\ No newline at end of file
diff --git a/WireGuardVPN/wg-easy/readme.md b/WireGuardVPN/wg-easy/readme.md
new file mode 100644
index 0000000..d273913
--- /dev/null
+++ b/WireGuardVPN/wg-easy/readme.md
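Review bot: The value on the `WG_PASSWORD=` line is the live Web UI login password committed in plaintext, and `WG_HOST=` pins a real hostname, so both are now permanently in git history for everyone with read access to this repository. That password should be treated as exposed and rotated, and env.cfg should be kept out of version control (a `.gitignore` entry) with a committed template such as `env.cfg.example` carrying `WG_PASSWORD=<set-before-deploy>` in its place. Note also that the surrounding double quotes are stripped by `docker compose --env-file` (v2) but passed through literally by the legacy `docker-compose` v1 binary, so the effective password differs between the two tools, and the sibling readme uses the legacy `docker-compose up -d` spelling. The file also ends without a trailing newline.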
@@ -0,0 +1,33 @@
+## wg-easy 运维工具
+
+**运维场景**:在已有的、手动配置的 WireGuard 服务上叠加一个 Web UI 管理工具。
+**核心思路**:让 wg-easy 接管你现有的 WireGuard 接口(如 wg0)的配置管理权。 这意味着需要将现有的配置“迁移”到 wg-easy 的数据目录中,并停止原有的 WireGuard 服务,由 wg-easy 来启动和管理它。
+
+### 准备工作(非常重要!)
+1. **备份现有配置**
+ - 确保你有一个备份,以防操作过程中出问题。操作失误可以随时还原。
+ ```
+ cp /etc/wireguard/wg0.conf /etc/wireguard/wg0.conf.backup
+ ```
+2. **记录现有配置信息**
+ - 记录服务端私钥:wg0.conf 中 [Interface] 部分的 PrivateKey。
+ - 记录服务端监听端口:ListenPort(通常是 51820)。
+ - 记录客户端公钥列表:所有 [Peer] 部分的 PublicKey 和对应的 AllowedIPs。
+3. **停止并禁用原有的 WireGuard 服务**
+ ```
+ wg-quick down wg0
+ systemctl stop wg-quick@wg0.service
+ systemctl disable wg-quick@wg0.service
+ ```
+可以防止它与即将启动的 wg-easy 服务冲突,因为 wg-easy 会在启动时检查并使用自己的配置。
+
+### 部署 wg-easy(使用 Docker Compose)
+1. **创建 Docker Compose 文件**
+ - 参考 wg-easy 的[官方文档](https://github.com/wg-easy/wg-easy#docker-compose),创建一个 `docker-compose.yml` 文件。
+ - 确保将服务端私钥、监听端口和客户端公钥列表替换为你记录的信息。
+
+2. **启动 wg-easy 服务**
+ ```
+ docker-compose up -d
+ ```
+ - 这将在后台启动 wg-easy 服务,并将其绑定到默认端口 51821(可在 `docker-compose.yml` 中修改)。
\ No newline at end of file
diff --git a/WireGuardVPN/wg-easy/stack.yml b/WireGuardVPN/wg-easy/stack.yml
new file mode 100644
index 0000000..784499f
--- /dev/null
+++ b/WireGuardVPN/wg-easy/stack.yml
@@ -0,0 +1,28 @@
+## RUN:: docker compose -p wg-easy --env-file ./WireGuardVPN/wg-easy/env.cfg -f ./WireGuardVPN/wg-easy/stack.yml up -d
+services:
+ wg-easy:
+ image: ${IMAGE_TAG}
+ container_name: wg-easy
+ environment:
+ # [!] 重要:改成你的服务器的公网IP或域名
+ - WG_HOST=${WG_HOST}
+ # [!] 重要:设置一个强密码来登录Web UI
+ - PASSWORD=${WG_PASSWORD}
+ # 可选:修改Web UI的端口(容器内是51821,映射到主机可自定义)
+ #- WG_PORT=51820
+ #- WEB_PORT=51821
+ volumes:
+ # [!] 关键:将容器内的WireGuard配置目录映射到主机
+ - ${Volumes_Path}/data:/etc/wireguard
+ ports:
+ # 将WireGuard的端口映射到主机(必须与你原来的端口一致,通常是51820)
+ - "51820:51820/udp"
+ # 将Web UI的端口映射到主机
+ - "51821:51821/tcp"
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ sysctls:
+ - net.ipv4.ip_forward=1
+ - net.ipv6.conf.all.forwarding=1
+ restart: unless-stopped
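Review bot: `- "51821:51821/tcp"` publishes the wg-easy admin UI on every host interface, and this image serves that UI over plain HTTP with a single shared password (TLS is left to a reverse proxy), so the login and every generated client config — which embeds the peer's private key — cross the network in cleartext to anyone who can reach the port; bind it to loopback with `- "127.0.0.1:51821:51821/tcp"` and reach it through an SSH tunnel or a TLS-terminating reverse proxy, or at least restrict the port at the host firewall. `- SYS_MODULE` lets the container load kernel modules into the host kernel; it is only needed when the `wireguard` module is not already present (the sibling wireguard readme runs `modprobe wireguard` on the host, and kernels from 5.6 ship it built in), so drop it and keep only `NET_ADMIN`. `PASSWORD=${WG_PASSWORD}` is a plain environment variable, hence readable via `docker inspect` by anyone in the docker group; it is the variable this `7` tag expects, but newer wg-easy releases replaced it with a hashed variant, so a later `IMAGE_TAG_VER` bump needs this line revisited. The `${Volumes_Path}/data` bind mount will hold the server private key and all peer configs, so the host directory should be root-owned and mode 0700.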
diff --git a/WireGuardVPN/wireguard/readme.md b/WireGuardVPN/wireguard/readme.md
new file mode 100644
index 0000000..71a9972
--- /dev/null
+++ b/WireGuardVPN/wireguard/readme.md
@@ -0,0 +1,89 @@
+## 部署 WireGuard VPN
+
+---yaml
+updated: 2025-12-13 09:11:21
+tetle: install wireguard on Debian
+---
+
+以下是 WireGuard 部署步骤; 全部为手动配置
+
+## wireguard 官网 [官网](https://www.wireguard.com/)
+
+### 安装 WireGuard 服务端
+
+建议有固定公网IP的ECS
+
+```bash
+apt install wireguard
+modprobe wireguard
+lsmod | grep wireguard
+echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
+sysctl -p
+
+cd /etc/wireguard/
+umask 077
+wg genkey | tee server_private.key | wg pubkey > server_public.key
+vim /etc/wireguard/wg0.conf
+```
+
+```ini
+[Interface]
+# 服务端在VPN网络中的私有IP地址
+Address = 10.8.0.2/24
+
+# 服务端监听的UDP端口,确保阿里云安全组已开放此端口
+ListenPort = 51820
+# 服务端的私钥
+PrivateKey =
+
+# 核心配置:配置路由和NAT转发 !!!
+# 当WireGuard启动后执行的命令(启用IP转发和MASQUERADE)
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+# 当WireGuard停止后执行的命令(清理规则)
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+# 可选项:持久化Keepalive,有助于穿越NAT
+#PersistentKeepalive = 25
+
+# [Peer] 部分,每个客户端一个。我们先留空,等生成客户端配置后再添加。
+[Peer]
+# 公司客户端
+PublicKey =
+# 允许来自这个客户端的IP范围:客户端的虚拟IP + 公司内网的真实网段
+AllowedIPs = 10.8.0.3/32
+```
+
+```
+systemctl enable wg-quick@wg0
+systemctl start wg-quick@wg0
+wg show
+```
+
+### 安装 WireGuard 客户端
+
+```shell
+apt install wireguard
+modprobe wireguard
+lsmod | grep wireguard
+cd /etc/wireguard/
+umask 077
+wg genkey | tee client_private.key | wg pubkey > client_public.key
+vim /etc/wireguard/wg0.conf
+```
+
+```
+[Interface]
+Address = 10.8.0.3/24
+PrivateKey =
+
+[Peer]
+PublicKey =
+Endpoint = :51820
+AllowedIPs = 10.8.0.0/24
+PersistentKeepalive = 25
+```
+
+```
+systemctl enable wg-quick@wg0
+systemctl start wg-quick@wg0
+```
\ No newline at end of file