Background
The development and test environments run on AWS. End-user devices (Linux, Windows and macOS) need convenient access to the test resources inside the VPC private network.
Comparison of open-source options
OpenVPN, IPsec, WireGuard
Chosen solution: WireGuard
- VPC subnet: 10.0.0.0/24
- VPN subnet: 10.100.0.0/24
- VPN-GW host: an EC2 instance created in the 10.0.0.0/24 subnet with a public IP attached. Use an Elastic IP, because the clients' Endpoint is that address and a non-elastic public IP changes on stop/start. Its security group needs one inbound rule from the internet, UDP 51820; nothing else has to be exposed.
- WireGuard client installation reference: https://freevpnconfig.com/wireguard-tutorial
VPN-GW host configuration
Using Ubuntu as the example. WireGuard has been part of the mainline Linux kernel since 5.6; on an older kernel (or a distribution without the backport) the wireguard-dkms package builds the module, otherwise the wireguard package alone is enough. Run the following as root (sudo -i): the original mix of sudo and shell redirects fails, because "sudo wg genkey > vpn-gw.key" opens the output file as the unprivileged user. umask 077 makes sure the private key is never created world-readable.
apt update
apt install wireguard-dkms wireguard-tools -y   # on kernel 5.6 or newer "apt install wireguard" is sufficient
mkdir -p /etc/wireguard/keys
cd /etc/wireguard/keys
umask 077
wg genkey | tee vpn-gw.key | wg pubkey > vpn-gw.pub   # vpn-gw.key never leaves this host; only vpn-gw.pub is given to clients
cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
EOF
sysctl -p   # the gateway must route between wg0 and the VPC interface
cat > /etc/wireguard/wg0.conf << EOF
[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
# paste the contents of /etc/wireguard/keys/vpn-gw.key here; never publish or commit this value
PrivateKey = <contents of vpn-gw.key>
SaveConfig = false
MTU = 1420
# Forward traffic arriving on wg0 and NAT it out through the VPC interface (ens5 here;
# check the name with "ip route show default", older instance types use eth0)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE
[Peer]
# Client1: MacOS-Desktop (contents of client-macos.pub); AllowedIPs is the only source address this peer may use
PublicKey = kEZt3HnuC3FkjL0p7dKzDqXaTOtDMxiWPmqbalegoEI=
AllowedIPs = 10.100.0.2/32
EOF
Start the tunnel and make it come up at boot:
systemctl enable --now wg-quick@wg0   # equivalent to "wg-quick up wg0" on every boot
wg show wg0                           # lists the interface and its peers; a "latest handshake" line appears once a client connects
Configuration notes:
- Address is the gateway's own address in the VPN subnet. ListenPort is the only port that must be reachable from the internet, so the instance's security group needs exactly one public inbound rule, UDP 51820; SSH can stay restricted to the VPC or to 10.100.0.0/24 once the tunnel works.
- PrivateKey is the value of vpn-gw.key. Keep /etc/wireguard/wg0.conf at mode 600 (umask 077 above already does this) and never paste the key into documents, tickets or version control; only the .pub files are exchanged between gateway and clients.
- On the gateway, each peer's AllowedIPs is both the route to that peer and an access control list: a packet from that peer carrying any other source address is dropped. Give every client its own /32.
- The PostUp rules as written forward anything arriving on wg0 and NAT it out of ens5, so clients reach the internet through the gateway as well as the VPC. If the gateway should only expose the VPC, restrict the FORWARD rule to the VPC subnet (-d 10.0.0.0/24). If ufw or Docker sets the FORWARD policy to DROP, return traffic must also be accepted (-o wg0 with conntrack state RELATED,ESTABLISHED).
- Because of MASQUERADE, VPC hosts see connections coming from the gateway's private 10.0.0.x address, not from the client's 10.100.0.x address. To keep client addresses visible (per-user audit trails, security groups keyed on client IP), drop the MASQUERADE rule, disable Source/Destination Check on the instance and add a VPC route for 10.100.0.0/24 pointing at the gateway's network interface.
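Adding the next client by hand means picking a free /32, generating a key pair with the right permissions, editing the gateway config, writing the client config and reloading wg0 without dropping the peers already connected. The script below is an added example, not code from the original page, that does all of that against the layout used above. It assumes the gateway config is /etc/wireguard/wg0.conf, keys live under /etc/wireguard/keys, ENDPOINT is the gateway's public address, and it points clients at the VPC resolver (VPC CIDR base + 2, 10.0.0.2 for this VPC) instead of 8.8.8.8. The sample config it dry-runs against is constructed (the page's peer plus a placeholder second peer).

```bash
#!/usr/bin/env bash
# add-peer.sh: onboard one more client against the gateway set up above.
# Added example, not code from the original page. Assumptions: the gateway
# config is /etc/wireguard/wg0.conf with one /32 per peer, keys live under
# /etc/wireguard/keys, and ENDPOINT is the gateway's public IP:port.
set -eu

VPN_PREFIX="10.100.0"                          # VPN subnet from the page (10.100.0.0/24)
VPC_CIDR="10.0.0.0/24"                         # VPC subnet from the page
ENDPOINT="${ENDPOINT:-52.80.240.217:51820}"    # gateway endpoint from the page

# Print the first unused host of $VPN_PREFIX.0/24 as a /32 by scanning every
# AllowedIPs line of the gateway config given as $1. .1 is the gateway itself.
next_peer_ip() {
    awk -v p="$VPN_PREFIX" '
        $1 == "AllowedIPs" {
            for (i = 3; i <= NF; i++) {
                sub(/,$/, "", $i)
                if (split($i, a, "[./]") >= 4 && (a[1] "." a[2] "." a[3]) == p) used[a[4]] = 1
            }
        }
        END {
            for (h = 2; h < 255; h++) if (!(h in used)) { print p "." h "/32"; exit 0 }
            exit 1                             # subnet exhausted
        }' "$1"
}

# [Peer] section appended to the gateway config. AllowedIPs is the ACL: the
# gateway drops packets from this peer whose source is not exactly this /32.
render_peer_block() {   # args: client-name client-pubkey client-/32
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2" "$3"
}

# Client-side wg0.conf in the same shape as the macOS config on this page.
render_client_conf() {   # args: client-privkey client-/32 gateway-pubkey endpoint
    cat << EOF
[Interface]
PrivateKey = $1
Address = ${2%/32}/24
MTU = 1420
# VPC resolver (VPC CIDR base + 2) so VPC-private names resolve through the tunnel
DNS = 10.0.0.2

[Peer]
PublicKey = $3
Endpoint = $4
# split tunnel: only the VPN and VPC subnets are routed through wg0
AllowedIPs = $VPN_PREFIX.0/24, $VPC_CIDR
PersistentKeepalive = 25
EOF
}

# Load the edited config into the running interface without restarting it,
# so the tunnels of existing peers stay up.
reload_gateway() {
    local stripped
    stripped=$(mktemp)
    wg-quick strip wg0 > "$stripped"            # config minus the wg-quick-only keys
    wg syncconf wg0 "$stripped"
    rm -f "$stripped"
}

add_peer() {   # usage: add_peer <client-name> [gateway-conf] [key-dir]
    local name="$1" conf="${2:-/etc/wireguard/wg0.conf}" keydir="${3:-/etc/wireguard/keys}"
    local ip priv pub gw_pub
    ip=$(next_peer_ip "$conf")
    umask 077                                   # every file below is created 0600
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    gw_pub=$(wg pubkey < "$keydir/vpn-gw.key")
    render_peer_block "$name" "$pub" "$ip" >> "$conf"
    render_client_conf "$priv" "$ip" "$gw_pub" "$ENDPOINT" > "$keydir/$name.conf"
    reload_gateway
    echo "$ip"   # hand $keydir/$name.conf to the user over a trusted channel, then delete it here
}

# Constructed gateway config (the page's wg0.conf plus a second peer on .4) for a dry run.
sample_conf() {
    local f
    f=$(mktemp)
    cat > "$f" << 'EOF'
[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
[Peer]
# Client1: MacOS-Desktop
PublicKey = kEZt3HnuC3FkjL0p7dKzDqXaTOtDMxiWPmqbalegoEI=
AllowedIPs = 10.100.0.2/32
[Peer]
# Client2: constructed placeholder, occupies .4 and leaves .3 free
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 10.100.0.4/32
EOF
    echo "$f"
}

if [ $# -gt 0 ]; then
    add_peer "$@"   # e.g.  sudo ENDPOINT=52.80.240.217:51820 ./add-peer.sh client-linux
else
    echo "next free peer address in the sample config: $(next_peer_ip "$(sample_conf)")"
fi
```

Run it as root on the gateway with the client name as the only argument; the client config lands in /etc/wireguard/keys/<name>.conf with mode 600 and should be deleted from the gateway once delivered, since it contains the client's private key. wg syncconf applies the new peer while keeping existing sessions, which a wg-quick down/up would drop.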
VPN client host configuration
Using macOS 12.3 as the example. macOS has no WireGuard kernel module; Homebrew's wireguard-tools pulls in wireguard-go, the userspace implementation, and its wg-quick reads /etc/wireguard as well as the Homebrew prefix. Keys are written through sudo tee because plain redirects into /etc/wireguard/keys fail for an unprivileged user; umask 077 keeps the private key at mode 600.
brew install wireguard-tools
sudo mkdir -p /etc/wireguard/keys
cd /etc/wireguard/keys
umask 077
wg genkey | sudo tee client-macos.key | wg pubkey | sudo tee client-macos.pub   # send only client-macos.pub to the gateway admin
sudo tee /etc/wireguard/wg0.conf > /dev/null << EOF
[Interface]
# paste the contents of /etc/wireguard/keys/client-macos.key here; never publish this value
PrivateKey = <contents of client-macos.key>
Address = 10.100.0.2/24
# optional on a client; omit it and WireGuard picks a random source port
ListenPort = 54321
MTU = 1420
# With the split tunnel below, queries to 8.8.8.8 leave over the normal internet, not the tunnel.
# To resolve VPC-private names, point DNS at the VPC resolver instead (VPC CIDR base + 2, i.e. 10.0.0.2 here).
DNS = 8.8.8.8
[Peer]
# the gateway (contents of vpn-gw.pub)
PublicKey = MTzhuobxhxsyDDjfZMqdwgfLNcFJuVwQi+lT2WrxqGY=
Endpoint = 52.80.240.217:51820
# split tunnel: only the VPN and VPC subnets are routed through wg0; everything else keeps the normal default route
AllowedIPs = 10.100.0.0/24, 10.0.0.0/24
PersistentKeepalive = 25
EOF
Bring the tunnel up and verify it:
sudo wg-quick up wg0
sudo wg show          # a "latest handshake" line for the gateway peer means the key pairs on both sides match
ping 10.100.0.1       # the gateway's VPN address; then ping a host in 10.0.0.0/24 to confirm forwarding works
sudo wg-quick down wg0   # to disconnect
Configuration notes:
- On the client, AllowedIPs is the list of destinations routed into the tunnel (a split tunnel here). Setting it to 0.0.0.0/0 would send all traffic through the gateway, which the gateway's MASQUERADE rule would then forward to the internet.
- PersistentKeepalive = 25 keeps the NAT or stateful-firewall mapping on home and office networks open while the connection is idle, so the gateway can still reach the client.
- Endpoint must be a stable address: if the gateway's public IP is not an Elastic IP it changes on stop/start and every client config breaks.
- The client's private key belongs only in client-macos.key and the local wg0.conf; if a laptop is lost, remove its [Peer] block from the gateway config and reload wg0, which revokes that key.
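The "latest handshake" check above is done by eye; on a gateway with many peers it is worth scripting so that clients that stopped handshaking (a lost laptop still listed, a broken key rollover, a client behind a NAT that dropped the mapping) stand out. The script below is an added example, not part of the original page. It parses the tab-separated output of "wg show <iface> dump" (first line: interface private key, public key, listen port, fwmark; then one line per peer: public key, preshared key, endpoint, allowed IPs, latest-handshake epoch, rx bytes, tx bytes, keepalive) and classifies every peer as ok, stale or never. The dump it runs against when called without arguments is constructed; the 180-second threshold is an assumption based on the 25-second keepalive and WireGuard's roughly two-minute rekey interval.

```bash
#!/usr/bin/env bash
# wg-health.sh: classify each peer of a WireGuard interface by handshake age.
# Added example, not code from the original page. On the gateway run
#   sudo ./wg-health.sh wg0 [max-age-seconds]
# Without arguments it runs against the constructed sample dump below.
set -eu

# Read a `wg show <iface> dump` on stdin; print "pubkey<TAB>endpoint<TAB>allowed-ips<TAB>state"
# per peer. state: ok (handshake within max-age), stale (older), never (no handshake yet).
# A peer with PersistentKeepalive = 25 rekeys at least every ~3 minutes, so 180 s is the
# assumed default threshold.
peer_states() {   # args: now-epoch max-age
    awk -F'\t' -v now="$1" -v max="$2" '
        NR == 1 { next }                      # interface line: privkey pubkey port fwmark
        {
            if ($5 == 0)             state = "never"
            else if (now - $5 > max) state = "stale"
            else                     state = "ok"
            printf "%s\t%s\t%s\t%s\n", $1, $3, $4, state
        }'
}

# Allowed IPs of every peer that is not "ok", one per line (empty when all are healthy).
unhealthy_peers() {   # args: now-epoch max-age ; dump on stdin
    peer_states "$1" "$2" | awk -F'\t' '$4 != "ok" { print $3 }'
}

SAMPLE_NOW=1700000000
sample_dump() {   # constructed `wg show wg0 dump` output as of SAMPLE_NOW
    printf 'GWPRIV\tGWPUB\t51820\toff\n'
    # handshake 60 s ago: healthy
    printf 'PEER_A\t(none)\t203.0.113.10:54321\t10.100.0.2/32\t%s\t40960\t81920\t25\n' $((SAMPLE_NOW - 60))
    # handshake 15 min ago: the client went away without the gateway noticing
    printf 'PEER_B\t(none)\t198.51.100.7:51000\t10.100.0.3/32\t%s\t1024\t2048\t25\n' $((SAMPLE_NOW - 900))
    # never handshaked: key configured but the client has not connected (or its key is wrong)
    printf 'PEER_C\t(none)\t(none)\t10.100.0.4/32\t0\t0\t0\toff\n'
}

if [ $# -gt 0 ]; then
    wg show "$1" dump | peer_states "$(date +%s)" "${2:-180}"
else
    sample_dump | peer_states "$SAMPLE_NOW" 180
fi
```

A cron job on the gateway that pipes unhealthy_peers into an alert gives a simple inventory of dead client keys; anything listed as "never" for more than a few days after onboarding is a key that was provisioned but not used and is a candidate for removal from wg0.conf.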