docker wireguard

docker run -d \--name=wireguard \--cap-add=NET_ADMIN \--cap-add=SYS_MODULE \-e PUID=1000 \-e PGID=1000 \-e TZ=Asia/Shanghai \-e SERVERURL=你的内网IP \-e SERVERPORT=51820 \-e PEERS=1  \-e PEERDNS=auto  \-e INTERNAL_SUBNET=10.13.13.0 #虚拟IP\-e ALLOWEDIPS=0.0.0.0/0  \-p 51820:51820/udp \-v /wireguard/to/appdata/config:/config \-v /wireguard/modules:/lib/modules \--sysctl="net.ipv4.conf.all.src_valid_mark=1" \--restart unless-stopped \linuxserver/wireguard:latest

mac客户端

#安装brew
/bin/zsh -c "$(curl -fsSL https://gitee.com/cunkai/HomebrewCN/raw/master/Homebrew.sh)"
#安装homebrew-bottle源
echo 'export HOMEBREW_BOTTLE_DOMAIN=https://mirrors.ustc.edu.cn/homebrew-bottles' >> ~/.zshrc;
source ~/.zshrc;
#安装wireguard
brew install wiregraurd-tools

生成你的密钥

wg genkey |  tee /etc/wireguard/privatekey | wg pubkey |  tee /etc/wireguard/publickey;

centos7客户端

yum install yum-utils epel-release
yum-config-manager --setopt=centosplus.includepkgs=kernel-plus --enablerepo=centosplus --save
sed -e 's/^DEFAULTKERNEL=kernel$/DEFAULTKERNEL=kernel-plus/' -i /etc/sysconfig/kernel
yum install kernel-plus wireguard-tools
reboot
#或者
yum install epel-release elrepo-release
yum install yum-plugin-elrepo
yum install kmod-wireguard wireguard-tools

Ubuntu和Debian

apt install wireguard

cat << EOF > /etc/wireguard/wg0.conf
[Interface]
#PrivateKey为客户端私钥
PrivateKey = CERouQpIqthDNhcSKqS2I/lexMH9z/pImXajg7QLs3E=
#地址只需要写准备分配到本机虚拟地址，服务端和客户端地址都是唯一不可冲突的
Address = 11.13.13.6/32[Peer]
#PublicKey是服务端的公钥
PublicKey = yVco0xaLnYtcR1eMjBfRnZ6mmUvmpOSeasS250nLkE4=
#endpoint是服务端外网ip+端口
Endpoint = xxx.xx.x.xx:50107
#allowip不能写服务端外网ip段和本机内网ip段，只需要写本机想通过vpn组网要访问到哪个网段，我这里只写了虚拟地址段和服务端的内网ip段，因为我有客户端访问服务端内网ip段的需求
AllowedIPs =  0.0.0.0/1, 128.0.0.0/1
PersistentKeepalive = 10
EOF

k8s部署

---
tee ss-Secret.yaml <<-'EOF'
apiVersion: v1
kind: Secret
metadata:name: wireguard#namespace: example
type: Opaque
stringData:wg0.conf.template: |[Interface]Address = 19.11.11.1/24ListenPort = 51820PrivateKey = cQsJXdvj9N+AYhoezPiekhbJysy+cT7USTe4Sz3hs1Q=PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ENI -j MASQUERADEPostUp = sysctl -w -q net.ipv4.ip_forward=1PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ENI -j MASQUERADEPostDown = sysctl -w -q net.ipv4.ip_forward=0[Peer]PublicKey = f+KckTOgpCmCpsIQaz0LmR1h8fHgSM/9lRL3KsuR+CY=AllowedIPs = 19.11.11.3/32

tee app.yaml <<-'EOF'
apiVersion: v1
kind: Service
metadata:name: wireguard#namespace: exampleannotations:lb.kubesphere.io/v1alpha1: openelbprotocol.openelb.kubesphere.io/v1alpha1: layer2eip.openelb.kubesphere.io/v1alpha2: eip-pool
spec:type: LoadBalancerports:- name: wireguardport: 51820protocol: UDPtargetPort: 51820selector:name: wireguard---
apiVersion: apps/v1
kind: Deployment
metadata:name: wireguard#namespace: example
spec:selector:matchLabels:name: wireguardtemplate:metadata:labels:name: wireguardspec:initContainers:# The exact name of the network interface needs to be stored in the# wg0.conf WireGuard configuration file, so that the routes can be# created correctly.# The template file only contains the "ENI" placeholder, so when# bootstrapping the application we'll need to replace the placeholder# and create the actual wg0.conf configuration file.- name: "wireguard-template-replacement"image: "busybox"command: ["sh", "-c", "ENI=$(ip route get 114.114.114.114 | grep 114.114.114.114 | awk '{print $5}'); sed \"s/ENI/$ENI/g\" /etc/wireguard-secret/wg0.conf.template > /etc/wireguard/wg0.conf; chmod 400 /etc/wireguard/wg0.conf"]volumeMounts:- name: wireguard-configmountPath: /etc/wireguard/- name: wireguard-secretmountPath: /etc/wireguard-secret/containers:- name: "wireguard"image: "registry.cn-shenzhen.aliyuncs.com/jbjb/csi:wireguard"ports:- containerPort: 51820env:- name: "TZ"value: "Asia/Shanghai"# Keep the PEERS environment variable to force server mode- name: "PEERS"value: "default"volumeMounts:- name: wireguard-configmountPath: /etc/wireguard/readOnly: truesecurityContext:privileged: truecapabilities:add:- NET_ADMINvolumes:- name: wireguard-configemptyDir: {}- name: wireguard-secretsecret:secretName: wireguardimagePullSecrets:- name: docker-registry
EOF

https://blog.jamesclonk.io/posts/wireguard-on-kubernetes/
https://www.perdian.de/blog/2022/02/21/setting-up-a-wireguard-vpn-using-kubernetes/

docker wireguard相关推荐

局域网组建（一）远程办公实现 — WireGuard组建跨地域局域网（AlmaLinux+Docker）
远程访问局域网设备通常采用内网穿透或VPN隧道.WireGuard是一种采用UDP协议的新型VPN技术.WireGuard提供的是节点与节点的网络连接形式,除了可以实现传统VPN以服务器为网关的星型拓 ...
WireGuard组建大内网
Background 受疫情影响,大家线上办公的需求空前膨胀,像向日葵.Todesk等这类远程工具炙手可热. 这类商业产品,对个人用户虽免费,但也有诸多限制,那我们能不能自己搭建个像向日葵那样的服务端 ...
【Cilium 1.10 重磅发布！】支持 Wireguard, BGP, Egress IP 网关, XDP 负载均衡, 阿里云集成
作者: 清弦阿里云技术专家,主要负责ACK 容器网络设计与研发,阿里云开源CNI项目Terway 主要维护者,Cilium Alibaba IPAM 贡献者本文翻译自Cilium 1.10 发布文 ...
WireGuard基本原理
可直接看:WireGuard基本原理与配置 WireGuard:下一代内核网络隧道摘要: WireGuard是一个安全的网络隧道,在第3层运行,作为Linux的内核虚拟网络接口实现,其目标是在大多数 ...
使用 K3s 和 WireGuard 网络快速部署一个多云环境的 Kubernetes 集群
公众号关注「奇妙的 Linux 世界」设为「星标」,每天带你玩转 Linux ! 每日言论 SQLite 的应用太广泛,测试量也很惊人.每个版本发布之前,都要进行各种单元测试.参数测试.模糊测试, ...
WireGuard 中文教程：使用 Netmaker 快速组建 WireGuard 全互联 (Full Mesh) 网络
公众号关注「奇妙的 Linux 世界」设为「星标」,每天带你玩转 Linux ! 每日言论创业者要做两件事:第一件是弄清楚要做什么,第二件就是去做. 但是,大多数创业者不认为第一件事很重要,如果 ...
WireGuard Easy 安装使用
一.简介 Wireguard Easy WireGuard Easy 特性: 多合一:WireGuard(基于宿主机内核) + Web UI 安装方便,使用简单列出,创建,编辑,删除,启用和禁用客户 ...
通过WireGuard搭建隧道实现内网穿透
1.安装wireguard 官方安装手册:https://www.wireguard.com/install/ docker安装:https://hub.docker.com/r/linuxserve ...
Wireguard各主流平台的配置教程
Wireguard是一个轻量级的虚拟专用网络 (VPN),支持 IPv4 和 IPv6 连接.VPN允许您遍历不受信任的网络,就像在专用网络上一样.当连接到不受信任的网络(如酒店或咖啡店的WiFi)时 ...

docker wireguard

docker wireguard相关推荐

最新文章

热门文章