## Deploying a WireGuard VPN

---
updated: 2025-12-13 09:11:21
title: install wireguard on Debian
---

The steps below deploy WireGuard on Debian; everything is configured by hand.

## WireGuard official site

[Official site](https://www.wireguard.com/)

### Installing the WireGuard server

A cloud host (ECS) with a fixed public IP is recommended.

```bash
apt install wireguard
modprobe wireguard
lsmod | grep wireguard
# Let the server forward packets between the tunnel and its other interfaces
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
cd /etc/wireguard/
# The private key file must not be readable by other users
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
vim /etc/wireguard/wg0.conf
```

```ini
[Interface]
# The server's private IP address inside the VPN network
Address = 10.8.0.2/24
# UDP port the server listens on; make sure the Alibaba Cloud security group allows it
ListenPort = 51820
# The server's private key
PrivateKey = <contents of server_private.key>

# Core configuration: routing and NAT forwarding !!!
# Commands run after WireGuard comes up (enable forwarding and MASQUERADE);
# eth0 must be the server's public-facing interface
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Commands run after WireGuard goes down (clean up the rules)
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# One [Peer] section per client. Leave it empty for now and fill it in
# after generating the client configuration.
[Peer]
# Office client
PublicKey = <contents of the client's client_public.key>
# Source IP ranges accepted from this client: the client's VPN IP, plus the
# office LAN's real subnet if it should be reachable through this peer
AllowedIPs = 10.8.0.3/32
# Optional: persistent keepalive helps the tunnel survive NAT
# (it is a [Peer] option, so it belongs here rather than under [Interface])
#PersistentKeepalive = 25
```

```bash
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
# Confirm the interface is up; once a client connects, a "latest handshake" line appears
wg show
```

### Installing the WireGuard client

```bash
apt install wireguard
modprobe wireguard
lsmod | grep wireguard
cd /etc/wireguard/
umask 077
wg genkey | tee client_private.key | wg pubkey > client_public.key
vim /etc/wireguard/wg0.conf
```

```ini
[Interface]
# The client's private IP address inside the VPN network
Address = 10.8.0.3/24
PrivateKey = <contents of client_private.key>

[Peer]
# The server's public key
PublicKey = <contents of server_public.key>
# The server's public IP and its ListenPort
Endpoint = <server public IP>:51820
# Only the VPN subnet is routed through the tunnel
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
```

```bash
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
```
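As an added example that is not part of the original post, the POSIX shell helper below renders the server-side `[Peer]` block and the client `wg0.conf` from the values used in the steps above, and lints a finished config for the mistakes that most often leave a tunnel silently down: an empty or malformed key, an `Endpoint` with the host left out, or a config file that other users can read. The function names are assumptions, and the sample keys are constructed: they have the right shape (32 bytes, base64) but are not real Curve25519 keys. The linter checks format only and does not need `wg` installed.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names and sample
# keys are assumptions/constructed; the linter checks format only.

# Pad or truncate to 32 bytes and base64 it: every real WireGuard key is
# 32 bytes, which always encodes to 44 characters ending in a single '='.
sample_key() { printf '%-32.32s' "$1" | base64; }

# Constructed, format-valid stand-ins for the key files the steps create.
SAMPLE_CLIENT_PRIV=$(sample_key constructed-client-private-key)
SAMPLE_CLIENT_PUB=$(sample_key constructed-client-public-key)
SAMPLE_SERVER_PUB=$(sample_key constructed-server-public-key)

# Render the server-side [Peer] block for one client.
# $1 client public key, $2 client VPN address (/32), further args: extra
# AllowedIPs, e.g. an office LAN sitting behind that client.
render_server_peer() {
  pubkey=$1; allowed=$2; shift 2
  for extra in "$@"; do allowed="$allowed, $extra"; done
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pubkey" "$allowed"
}

# Render a complete client wg0.conf.
# $1 client private key, $2 client address, $3 server public key,
# $4 endpoint host:port, $5 AllowedIPs
render_client_conf() {
  printf '[Interface]\nAddress = %s\nPrivateKey = %s\n\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
    "$2" "$1" "$3" "$4" "$5"
}

# True if $1 has the shape of a WireGuard key: 44 base64 characters, '=' last.
looks_like_wg_key() {
  [ "${#1}" -eq 44 ] || return 1
  case $1 in
    *[!A-Za-z0-9+/=]*) return 1 ;;
    *=) return 0 ;;
  esac
  return 1
}

# Lint a wg-quick config file. Prints one finding per line, returns 1 if any.
lint_wg_conf() {
  file=$1; rc=0
  # The file holds a private key, so only its owner may read it
  # (this is what the `umask 077` in the steps above guarantees).
  if [ -z "$(find "$file" -prune -perm 600)" ]; then
    echo "$file: mode is not 600"; rc=1
  fi
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*|'['*) continue ;; esac
    key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
    val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $key in
      PrivateKey|PublicKey)
        looks_like_wg_key "$val" || { echo "$file: $key is empty or malformed"; rc=1; } ;;
      Endpoint)
        case $val in
          ''|:*) echo "$file: Endpoint has no host part ('$val')"; rc=1 ;;
          *:*)   ;;
          *)     echo "$file: Endpoint has no port ('$val')"; rc=1 ;;
        esac ;;
      AllowedIPs)
        [ -n "$val" ] || { echo "$file: AllowedIPs is empty"; rc=1; } ;;
    esac
  done < "$file"
  return $rc
}

# Usage on a host after editing the file from the steps above:
#   lint_wg_conf /etc/wireguard/wg0.conf && systemctl start wg-quick@wg0
```

Running the linter against the unfinished templates above reports the placeholder keys and the host-less `Endpoint` before `wg-quick` is ever started, which is cheaper than discovering them from an interface that comes up but never handshakes.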