Obsidian-Main/02. PARA/03. Resources(資源)/翻牆/Wireguard.md
2022-06-02 17:55:14 +08:00


Installation

Install on Synology NAS

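  1. Download the matching SPK from the synology-wireguard releases. For the DS1513+ it is WireGuard-cedarview-1.0.20200729.spk. If you don't know which version to download, check this compatibility table.
  2. Install it manually in Package Center.
  3. Log in over SSH.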

Install on Ubuntu 20.04

Install: sudo apt install wireguard resolvconf

  1. Open the firewall port
    sudo ufw allow 50100/udp
    
  2. Enable IP forwarding: run sudo vim /etc/sysctl.conf, add this line, then save and exit:
    net.ipv4.ip_forward=1
    
    Apply it: sudo sysctl -p

Setup Wireguard

  1. Make a folder to store key and config
    mkdir ~/wireguard ; cd ~/wireguard
    
  2. Generate the server's private/public key pair: wg genkey | tee server_privateKey | wg pubkey > server_publicKey
  3. In /etc/wireguard, create wg0.conf as follows:
    [Interface]
    Address = 10.0.0.1/24
    ListenPort = 50100
    PrivateKey = 8EELc7SWYbZswluhP0ZEzSkTAINXLlXqdE8J34eak3g=
    
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
    
    SaveConfig = true
    DNS = 8.8.8.8
    
    # Awin
    [Peer]
    PublicKey = dB9l0rROSHyp3C6Odykdu69sU1k7XrOEa33ibx10I00=
    AllowedIPs = 10.0.0.2/32
    
    # Dean
    [Peer]
    PublicKey = N8kOoy3x4rsM1XDekrzLVQJ7Eo9Cb/vcQ07btzEK41Q=
    AllowedIPs = 10.0.0.3/32
    
    Note: the PrivateKey in [Interface] above must be replaced with the key you generated yourself; use cat server_privateKey and cat server_publicKey to print the keys.
  4. Generate a user's private/public key pair: wg genkey | tee <user_name>_privateKey | wg pubkey > <user_name>_publicKey
    1. For example, the key for awin: wg genkey | tee awin_privateKey | wg pubkey > awin_publicKey
  5. Create the user's config. For example, for awin, create awin.conf with the following content:
    [Interface]
    PrivateKey = OBN3ORMdpaz7pHTSlkyCXHvgLTbXnmB2kxJTCyrr3F4=
    Address = 10.0.0.2/24
    DNS = 8.8.8.8
    
    [Peer]
    PublicKey = 15Sy2MRW1yKWLzA03MciOkR7qvpxSXfmQtkMj9xOzj0=
    AllowedIPs = 0.0.0.0/0, ::0/0
    Endpoint = vpn.awin.one:50100
    
  6. Turn the user config into a QR code for easy scanning:
    • sudo grep -v '^#' /etc/wireguard/<user_name>.conf | qrencode -t ansiutf8
    • qrencode -t ansiutf8 < <user_name>.conf
    • Either one works.
  7. Restart WireGuard
    sudo wg-quick up wg0; \
    sleep 5; \
    sudo wg-quick down wg0; \
    sleep 5; \
    sudo wg-quick up wg0
    
    Alternatively: sudo wg-quick down wg0 ; sudo cp ./wg0.conf /etc/wireguard/wg0.conf ; sudo wg-quick up wg0 ; sudo wg show wg0
  8. Check WireGuard status: sudo wg
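
An added example (not part of the original note): a small Python check for the server wg0.conf from step 3, assuming the one-/32-per-user layout shown there. It flags a peer whose AllowedIPs overlap another peer's or fall outside the tunnel subnet, which is easy to introduce when copy-pasting a [Peer] block for a new user. The function names, the sample config and its placeholder keys are constructed for illustration.

```python
import ipaddress

def parse_wg_conf(text):
    """Return [(section, {key: value})]; [Peer] repeats, so configparser does not fit."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments such as "# Awin"
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)          # base64 keys may end in "="
            sections[-1][1][key.strip()] = value.strip()
    return sections

def lint_allowed_ips(text):
    """Flag [Peer] AllowedIPs that leave the tunnel subnet or collide with another peer."""
    sections = parse_wg_conf(text)
    iface = next(body for name, body in sections if name == "Interface")
    subnet = ipaddress.ip_interface(iface["Address"].split(",")[0].strip()).network
    findings, claimed = [], []
    peers = [body for name, body in sections if name == "Peer"]
    for i, peer in enumerate(peers, 1):
        for cidr in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == subnet.version and not net.subnet_of(subnet):
                findings.append(f"peer {i}: {net} is outside tunnel subnet {subnet}")
            for j, other in claimed:
                if j != i and net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {i}: {net} overlaps peer {j} ({other})")
            claimed.append((i, net))
    return findings

# Constructed sample: the page's layout plus a third peer with a copy-pasted address.
SAMPLE = """\
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = PLACEHOLDER_KEY_1
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = PLACEHOLDER_KEY_2
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = PLACEHOLDER_KEY_3
AllowedIPs = 10.0.0.3/32, 192.168.1.0/24
"""

if __name__ == "__main__":
    print("\n".join(lint_allowed_ips(SAMPLE)))
```

An empty result means every peer keeps its own address inside the tunnel subnet; any finding is a line to review before restarting wg0.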

Troubleshooting

These two checks tell you whether your packets are reaching the remote server or are not getting through the tunnel:

  • On the remote server: sudo tcpdump -i wg0
  • On local machine: ping -c1 <server_ip>

Helper

I wrote a script that copies the configs, so they can be edited directly on Windows.

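#!/usr/bin/env bash

# Copy the edited configs from the shared Temp folder into the current directory
sudo cp /volume1/homes/awin/Temp/wg0.conf .
sudo cp /volume1/homes/awin/Temp/awin.conf .
sudo cp /volume1/homes/awin/Temp/dean.conf .

# Cycle wg0 down and up twice, pausing between each step
sudo wg-quick down wg0
sleep 5
sudo wg-quick up wg0
sleep 5
sudo wg-quick down wg0
sleep 5
sudo wg-quick up wg0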
