Last active
February 13, 2023 11:26
-
-
Save diyism/1b80903a83776675031c73ae499438d8 to your computer and use it in GitHub Desktop.
wireguard config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ sudo apt-get install linux-headers-$(uname -r) | |
| $ sudo add-apt-repository ppa:wireguard/wireguard | |
| $ sudo apt-get update | |
| $ sudo apt-get install wireguard | |
| $ sudo modprobe wireguard | |
| $ sudo mkdir /etc/wireguard | |
| $ (umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null) | |
| $ wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey | |
| $ sudo nano /etc/wireguard/wg0.conf | |
| =====server side /etc/wireguard/wg0.conf: | |
| [Interface] | |
| PrivateKey = <server privkey> | |
| ListenPort = 24444 | |
| SaveConfig = false | |
| Address = 10.0.0.1/32 | |
| PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | |
| PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE | |
| [Peer] | |
| PublicKey = <get client pubkey from sudo wg> | |
| AllowedIPs = 10.0.0.2/32 | |
| [Peer] | |
| PublicKey = <get client pubkey from sudo wg> | |
| AllowedIPs = 10.0.0.3/32 | |
| ======clientA side /etc/wireguard/wg0.conf: | |
| [Interface] | |
| PrivateKey = <clientA privkey> | |
| Address = 10.0.0.3/32 | |
| [Peer] | |
| PublicKey = <get server pubkey from sudo wg> | |
| Endpoint = <server ip>:24444 | |
| AllowedIPs = 0.0.0.0/0 | |
| ======clientB side /etc/wireguard/wg0.conf: | |
| [Interface] | |
| PrivateKey = <clientB privkey> | |
| Address = 10.0.0.2/32 | |
| [Peer] | |
| PublicKey = <get server pubkey from server sudo wg> | |
| Endpoint = <server ip>:24444 | |
| AllowedIPs = 0.0.0.0/0 | |
| ======test: | |
| ====from cellphone a: | |
| ping 10.0.0.1 | |
| 64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=163 ms | |
| 64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=172 ms | |
| ping 10.0.0.2 | |
| 64 bytes from 10.0.0.2: icmp_seq=3 ttl=63 time=351 ms | |
| 64 bytes from 10.0.0.2: icmp_seq=4 ttl=63 time=349 ms | |
| ====from vps: | |
| ping 10.0.0.2 | |
| 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=187 ms | |
| 64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=185 ms | |
| ping 10.0.0.3 | |
| 64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=172 ms | |
| 64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=179 ms | |
| ==========================split china traffic and non-china traffic with wireguard and ip route: | |
| ======client side /etc/wireguard/wg0.conf: | |
| [Interface] | |
| PrivateKey = <client privkey> | |
| Address = 10.0.0.3/32 | |
| PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <get server pubkey from server sudo wg> allowed-ips 0.0.0.0/0 | |
| PostDown = ip route del 10.0.0.0/24 dev wg0 | |
| [Peer] | |
| PublicKey = <get server pubkey from server sudo wg> | |
| Endpoint = <server ip>:24444 | |
| #AllowedIPs = 0.0.0.0/0 | |
| ======dns2https.php script: | |
| resolve domain name and check if the IP is in china ip ranges database, | |
| if not in china and the first 2 nodes not equals <server ip>, then exec: "ip route add xxx.xxx.0.0/16 dev wg0" | |
| ============================nat traverse between office and home, and x11vnc connection: | |
| =====office ubuntu: | |
| $cat /etc/wireguard/wg0.conf | |
| [Interface] | |
| PrivateKey = <office privkey> | |
| Address = 10.0.0.3/32 | |
| PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <vps pubkey> allowed-ips 0.0.0.0/0 | |
| PostDown = ip route del 10.0.0.0/24 | |
| [Peer] | |
| #10.0.0.1 | |
| PublicKey = <vps pubkey> | |
| Endpoint = <vps ip>:24444 | |
| #AllowedIPs = 0.0.0.0/0 | |
| [Peer] | |
| #10.0.0.5 home | |
| PublicKey = <home pubkey> | |
| Endpoint = <home wan ip>:<home wan port get from stun command below> | |
| AllowedIPs = 10.0.0.5/32 | |
| $sudo wg-quick down wg0 ; sudo wg-quick up wg0 | |
| #apt install tigervnc-scraping-server | |
| #sudo -u <current user> x0vncserver -display :0 -SecurityTypes none | |
| #apt install x11vnc | |
| $nohup sudo -u <desktop user> /usr/local/bin/x11vnc -repeat -multiptr -loop -display :0 >/dev/null 2>&1 & | |
| #if use fullscreen mode on home ubuntu, should remove "-multiptr" param | |
| #if exit session, start x11vnc with lightdm session once: | |
| sudo service lightdm restart | |
| sudo killall x11vnc | |
| sudo x11vnc -display :0 -auth /var/run/lightdm/root/:0 | |
| xrandr -d :0 --fb 1920x1080 #after change, to stop and run xtightvncviewer again | |
| xrandr --output HDMI-2 --scale 1x1 | |
| tightvnc doesn't support hardware accelleration(tigervnc supports) | |
| firefox default layers.acceleration.force-enabled=false, it's very fast | |
| chrome and brave browser should disable hardware acceleration in chrome://settings/system | |
| =====home ubuntu: | |
| $stun stun.counterpath.net:3478 | |
| Primary: Independent Mapping, Address Dependendent Filter | |
| ... | |
| (Independent Mapping, Independent Filter = Full Cone | |
| Independent Mapping, Address Dependendent Filter = Restricted Cone | |
| Independent Mapping, Port Dependent Filter = Port Restricted Cone | |
| Dependent Mapping = Symmetric | |
| ) | |
| $cat /etc/wireguard/wg0.conf | |
| [Interface] | |
| PrivateKey = <home privkey> | |
| Address = 10.0.0.5/32 | |
| ListenPort = 24447 | |
| PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <vps pubkey> allowed-ips 0.0.0.0/0 | |
| PostDown = ip route del 10.0.0.0/24 dev wg0 | |
| [Peer] | |
| PublicKey = <vps pubkey> | |
| Endpoint = <vps ip>:24444 | |
| #AllowedIPs = 0.0.0.0/0 | |
| [Peer] | |
| PublicKey = <office pubkey> | |
| Endpoint = <office wan ip>:10000 | |
| AllowedIPs = 10.0.0.3/32 | |
| PersistentKeepalive = 60 #send packets to invite office wireguard to enter my home network, or use: ping 10.0.0.3 | |
| $sudo wg-quick down wg0 | |
| $stun -v -p 24447 stun.counterpath.net:3478 2>&1 | grep MappedAddress | head -n 1 | |
| MappedAddress = <home wan ip>:<home wan port> | |
| $stun -p 24447 <office wan ip>:10000 | |
| #send the init packet to invite office wireguard to enter my home network | |
| $sudo wg-quick up wg0 | |
| $ping 10.0.0.3 | |
| 64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=7.51 ms | |
| 64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=7.73 ms | |
| #before the traverse operation, the time is 351 ms | |
| $xtightvncviewer 10.0.0.3:0 | |
| #now i can visit my office ubuntu desktop(x11vnc server) | |
| #fastest: | |
| #xtightvncviewer -fullscreen -nojpeg -bgr233 -compresslevel 9 10.0.0.3:0 | |
| #prepare: | |
| #sudo bash -c 'echo "Vncviewer*grabKeyboard: true" > /etc/X11/Xresources/xtightvncviewer' | |
| #xrdb -merge /etc/X11/Xresources/xtightvncviewer | |
| #press F8 to quit fullscreen | |
| #tigervncviewer for x0vncserver(tigervnc-scraping-server) or x11vnc | |
| #tigervncviewer -fullscreen -nojpeg -lowcolorlevel 0 -compresslevel 6 10.1.0.3:0 | |
| #but it seems "lowcolorlevel 0" not work | |
| #if you wanna access office lan, for example 192.168.1.0/24: | |
| #10.1.0.5(home) should set wg1.conf PostUp "wg set wg1 peer <10.1.0.3 pubkey> allowed-ips 0.0.0.0/0" | |
| #10.1.0.5(home) should set "ip route add 192.168.1.0/24 via 10.1.0.3 dev wg1" | |
| #10.1.0.3(office) should set "echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf ; sysctl -p" | |
| #10.1.0.3(office) should set "iptables -t nat -A POSTROUTING -s 10.1.0.5 -j MASQUERADE" | |
| #10.1.0.3(office) doesn't need "allowed-ips 0.0.0.0/0" | |
| ===============================wireguard over udp2raw: | |
| ========client A: | |
| $wget https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz | |
| $tar xzvf udp2raw_binaries.tar.gz | |
| $sudo cp udp2raw_amd64 /usr/bin/ | |
| $sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r<server ip>:24447 -a | |
| $cat /etc/wireguard/wg0.conf | |
| [Interface] | |
| PrivateKey = <client privkey> | |
| Address = 10.0.0.3/32 | |
| ListenPort = 24447 | |
| MTU = 1300 | |
| PostUp = ip route add 10.0.0.0/24 dev wg0 && ip route add <server_ip> via $(ip route | awk '$1=="default" {print $3}') | |
| PostDown = ip route del 10.0.0.0/24 | |
| [Peer] | |
| #10.0.0.1 | |
| PublicKey = <server pubkey> | |
| Endpoint = 127.0.0.2:24448 | |
| AllowedIPs = 0.0.0.0/0 #proxy all traffic, so "ip route add <server_ip> ..." must be added into PostUp, or else infinite loop | |
| $sudo wg-quick down wg0 ; sudo wg-quick up wg0 | |
| $ping 10.0.0.1 | |
| 64 bytes from 10.0.0.1: icmp_seq=2113 ttl=64 time=183 ms | |
| $sudo ip route add 104.24.0.0/16 dev wg0 | |
| $ping myip.ipip.net | |
| PING myip.ipip.net (104.24.20.50) 56(84) bytes of data. | |
| 64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms | |
| $curl http://myip.ipip.net | |
| IP:<server ip> | |
| #take care, "MTU = 1300" in wg0.conf is needed when wireguard over udp2raw, or else most https requests will be blocked because of mtu problem. | |
| #for "client B without wireguard"(LAN ip 192.168.1.3) to connect: | |
| #in /etc/sysctl.conf: | |
| net.ipv4.ip_forward=1 | |
| $sudo sysctl -p | |
| $sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE | |
| ========client B without wireguard: | |
| #in /etc/network/interfaces: | |
| auto eth0 | |
| iface eth0 inet static | |
| address 192.168.1.4 | |
| broadcast 192.168.1.255 | |
| netmask 255.255.255.0 | |
| gateway 192.168.1.3 | |
| mtu 1300 | |
| ===========wireguard over erebe wstunnel(udp over websocket): | |
| on vps: | |
| ./wstunnel_linux_x64 -u --server wss://0.0.0.0:24447 -r 127.0.0.1:24448 | |
| on pc(home or office): | |
| ./wstunnel_linux_x64 -u -L 127.0.0.2:24448:127.0.0.1:24448 wss://[vps_ip]:24447 | |
| $ ping 10.0.0.1 | |
| PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. | |
| 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=143 ms | |
| 64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=141 ms | |
| 64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=132 ms | |
| It seems that erebe wstunnel is very effecient, but it must listen on port 443 or else will be GFWed. | |
| ===========wireguard over tws-rust+nginx(udp over websocket): | |
| #on vps: | |
| ./tws-rust server -l 127.0.0.1:8443 -p <password> | |
| #/etc/nginx/nginx.conf on vps: | |
| server { | |
| listen 443 ssl; | |
| server_name mydomain.com; | |
| ssl_certificate /etc/ssl/certs/mydomain.com.crt; | |
| ssl_certificate_key /etc/ssl/private/myserver.key; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers HIGH:!aNULL:!MD5; | |
| location / { | |
| root html; | |
| index index.html index.htm; | |
| } | |
| location /tws { | |
| if ($http_upgrade !~* ^WebSocket$) { | |
| return 404; | |
| } | |
| proxy_pass http://127.0.0.1:8443/; | |
| proxy_http_version 1.1; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection "Upgrade"; | |
| } | |
| } | |
| #on pc(home or office): | |
| ./tws-rust client -l 127.0.0.2:24448 -r 127.0.0.1:24448 -s wss://[vps_ip]/tws -p <password> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
tried with udp2raw config
and could got server and client ready
but when I wg-quick up wg0 it just failed with connection ping 10.0.0.1 loss 100% packets
wg0 configure is as below
server wg0 config