## Installation

### Install on Synology NAS

1. Download the matching SPK from the [synology-wireguard releases](https://github.com/runfalk/synology-wireguard/releases); for the DS1513+ it is WireGuard-cedarview-1.0.20200729.spk. If you are not sure which build to download, check [this compatibility table](https://www.synology.com/en-global/knowledgebase/DSM/tutorial/Compatibility_Peripherals/What_kind_of_CPU_does_my_NAS_have).

2. Install it manually from Package Center.

3. Log in over SSH.

### Install on Ubuntu 20.04

Install: `sudo apt install wireguard resolvconf`

1. Open the firewall port:

```
sudo ufw allow 50100/udp
```

2. Enable IP forwarding (`net.ipv4.ip_forward`):

`sudo vim /etc/sysctl.conf`

Add this line, then save and exit:

`net.ipv4.ip_forward=1`

Apply it:

`sudo sysctl -p`

## Setup Wireguard

1. Make a folder to store the keys and configs:

```
mkdir ~/wireguard ; cd ~/wireguard
```

2. Generate the server's private/public key pair: `wg genkey | tee server_privateKey | wg pubkey > server_publicKey`

3. In `/etc/wireguard`, create `wg0.conf` as follows:

```
[Interface]
Address = 10.0.0.1/24
ListenPort = 50100
PrivateKey = 8EELc7SWYbZswluhP0ZEzSkTAINXLlXqdE8J34eak3g=

# enp0s3 is the server's outbound network interface; adjust it to match yours
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE

SaveConfig = true
DNS = 8.8.8.8

# Awin
[Peer]
PublicKey = dB9l0rROSHyp3C6Odykdu69sU1k7XrOEa33ibx10I00=
AllowedIPs = 10.0.0.2/32

# Dean
[Peer]
PublicKey = N8kOoy3x4rsM1XDekrzLVQJ7Eo9Cb/vcQ07btzEK41Q=
AllowedIPs = 10.0.0.3/32
```

Note that the `PrivateKey` under `[Interface]` must be replaced with the key you generated yourself; `cat server_privateKey` and `cat server_publicKey` print the two keys.

4. Generate a user's private/public key pair: `wg genkey | tee <user_name>_privateKey | wg pubkey > <user_name>_publicKey`

   1. For example, the keys for awin: `wg genkey | tee awin_privateKey | wg pubkey > awin_publicKey`

5. Create the user's config, for example the config for awin:

Create `awin.conf` with the following content:

```
[Interface]
# the user's own private key (awin_privateKey)
PrivateKey = OBN3ORMdpaz7pHTSlkyCXHvgLTbXnmB2kxJTCyrr3F4=
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
# the server's public key (server_publicKey)
PublicKey = 15Sy2MRW1yKWLzA03MciOkR7qvpxSXfmQtkMj9xOzj0=
# route all IPv4 and IPv6 traffic through the tunnel
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = vpn.awin.one:50100
```

6. Turn the user config into a QR code so it can be scanned:

- `sudo grep -v '^#' /etc/wireguard/<user_name>.conf | qrencode -t ansiutf8`
- `qrencode -t ansiutf8 < <user_name>.conf`
- Either one works.

7. Restart WireGuard:

```
sudo wg-quick up wg0; \
sleep 5; \
sudo wg-quick down wg0; \
sleep 5; \
sudo wg-quick up wg0
```

Alternatively:

`sudo wg-quick down wg0 ; sudo cp ./wg0.conf /etc/wireguard/wg0.conf ; sudo wg-quick up wg0 ; sudo wg show wg0`

8. Check WireGuard status: `sudo wg`
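The script below is an added example, not part of the original notes or the synology-wireguard project: it automates steps 4 and 5 for the `wg0.conf` layout above by picking the next unused 10.0.0.x address from the existing `AllowedIPs` lines, appending the `[Peer]` block to the server config and writing the client config, optionally as a split tunnel that routes only the VPN subnet instead of `0.0.0.0/0`. It assumes `wg` is on PATH, that it is run with sudo from `~/wireguard` where `server_publicKey` lives, and the sample config embedded in it is constructed with placeholder keys.

```python
import ipaddress
import re
import subprocess
import sys

SUBNET = ipaddress.ip_network("10.0.0.0/24")  # assumed: server Address = 10.0.0.1/24 as above

def next_free_address(server_conf: str) -> str:
    """First host in SUBNET not taken by the server (.1) or an existing [Peer]."""
    taken = {next(SUBNET.hosts())}
    for m in re.finditer(r"^\s*AllowedIPs\s*=\s*(.+)$", server_conf, re.M):
        for cidr in m.group(1).split(","):
            taken.add(ipaddress.ip_interface(cidr.strip()).ip)
    for host in SUBNET.hosts():
        if host not in taken:
            return str(host)
    raise RuntimeError(f"no free address left in {SUBNET}")

def server_peer_block(name: str, pubkey: str, addr: str) -> str:
    """[Peer] stanza for wg0.conf: exactly one /32 per client, as above."""
    return f"\n# {name}\n[Peer]\nPublicKey = {pubkey}\nAllowedIPs = {addr}/32\n"

def client_conf(privkey: str, addr: str, server_pub: str, endpoint: str,
                full_tunnel: bool = True) -> str:
    """Client config; full_tunnel=False routes only the VPN subnet (split tunnel)."""
    allowed = "0.0.0.0/0, ::0/0" if full_tunnel else str(SUBNET)
    return (f"[Interface]\nPrivateKey = {privkey}\nAddress = {addr}/24\nDNS = 8.8.8.8\n"
            f"\n[Peer]\nPublicKey = {server_pub}\nAllowedIPs = {allowed}\n"
            f"Endpoint = {endpoint}\n")

def wg(*args: str, stdin: str = "") -> str:  # runs the wg tool, assumed to be on PATH
    out = subprocess.run(["wg", *args], input=stdin, text=True, capture_output=True, check=True)
    return out.stdout.strip()

# Constructed sample mirroring the wg0.conf above; the keys are placeholders.
SAMPLE_CONF = """[Interface]\nAddress = 10.0.0.1/24\nPrivateKey = <server_key>
# Awin\n[Peer]\nPublicKey = <awin_key>\nAllowedIPs = 10.0.0.2/32
# Dean\n[Peer]\nPublicKey = <dean_key>\nAllowedIPs = 10.0.0.3/32
"""

if __name__ == "__main__":  # usage: sudo python3 add_peer.py <user_name> <host:port>, from ~/wireguard
    name, endpoint = sys.argv[1], sys.argv[2]
    conf = open("/etc/wireguard/wg0.conf").read()
    priv = wg("genkey")
    pub = wg("pubkey", stdin=priv)
    addr = next_free_address(conf)
    open("/etc/wireguard/wg0.conf", "a").write(server_peer_block(name, pub, addr))
    open(f"{name}.conf", "w").write(
        client_conf(priv, addr, open("server_publicKey").read().strip(), endpoint))
    print(f"{name} -> {addr}; bring wg0 up again (step 7) to load the new peer")
```

Because `wg0.conf` sets `SaveConfig = true`, `wg-quick down wg0` rewrites the file from the running interface, so run this with wg0 already down (otherwise the appended `[Peer]` block is lost on the next down) and then `sudo wg-quick up wg0`.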

## Troubleshooting

The following will tell you whether your packets are reaching the remote server, or whether they are not getting through the tunnel:

- On the remote server: `sudo tcpdump -i wg0`
- On the local machine: `ping -c1 <server_ip>`

## Helper

I wrote a script to copy the configs, so that they can be edited directly from Windows.

```
#!/usr/bin/env bash
# Pull the configs edited from Windows (via the NAS share) into the current
# directory, then restart wg0 so the new configs take effect.

sudo cp /volume1/homes/awin/Temp/wg0.conf .
sudo cp /volume1/homes/awin/Temp/awin.conf .
sudo cp /volume1/homes/awin/Temp/dean.conf .

sudo wg-quick down wg0
sleep 5
sudo wg-quick up wg0
sleep 5
sudo wg-quick down wg0
sleep 5
sudo wg-quick up wg0
```

----------

References:

- https://github.com/runfalk/synology-wireguard
- https://notes.wadeism.net/linux/680/
- [『Atrandys』WireGuard config file explained | multi-user setup - YouTube](https://www.youtube.com/watch?v=X4doKJmjE4o&feature=youtu.be)