WireGuard: Compiling and Installing from Source

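WireGuard is a communication protocol and free, open-source software that implements encrypted virtual private networks (VPNs).

System environment: CentOS 7.9, kernel 3.10.0-1160

1. System environment configuration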

  • Disable the firewall
systemctl stop firewalld
systemctl disable firewalld
  • Disable SELinux
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
  • Enable kernel IP forwarding
grep 'net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
  • Configure time synchronization
yum -y install chrony

vim /etc/chrony.conf
server  ntp.aliyun.com iburst
server  ntp1.aliyun.com iburst

# Accept NTP clients from any address
allow 0.0.0.0/0

# Start the service
systemctl start chronyd
systemctl enable chronyd

2. Installing from source

Kernel version notes:

  • Linux kernel >= 5.6: the WireGuard module is already included
  • Linux kernel >= 3.10.0-1160 and <= 5.5: the module must be installed
# Install dependencies with yum
yum install make gcc wget xz pkgconfig iptables elfutils-libelf-devel kernel-devel-$(uname -r) kernel-headers-$(uname -r)

# Download the source code
wget https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-1.0.20220627.tar.xz
wget https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-1.0.20210914.tar.xz
# Build and install the kernel module
tar -xJf wireguard-linux-compat-1.0.20220627.tar.xz
cd wireguard-linux-compat-1.0.20220627/src
make
make install

# Disable kernel module signature enforcement: add the module.sig_enforce=0 parameter to GRUB_CMDLINE_LINUX
vim /etc/default/grub
GRUB_CMDLINE_LINUX="... module.sig_enforce=0"
grub2-mkconfig -o /boot/grub2/grub.cfg
# Reboot the system
reboot

# Load the WireGuard module
modprobe wireguard
lsmod | grep wireguard

# Build the wg tools
tar -xJf wireguard-tools-1.0.20210914.tar.xz
cd wireguard-tools-1.0.20210914/src
make
make install

# Verify
wg --version

3. Troubleshooting

# Error when bringing up the interface
wg-quick up wg0
/usr/bin/wg-quick: line 32: resolvconf: command not found

# Edit the wg-quick script and insert the following code at line 364
vim /usr/bin/wg-quick
# ~~ function override insertion point ~~
set_dns() {
	[[ ${#DNS[@]} -gt 0 ]] || return 0

	if [[ $(resolvconf --version 2>/dev/null) == openresolv\ * ]]; then
		{ printf 'nameserver %s\n' "${DNS[@]}"
		  [[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
		} | cmd resolvconf -a "$INTERFACE" -m 0 -x
	else
		echo "[#] mount \`${DNS[*]}' /etc/resolv.conf" >&2
		[[ -e /etc/resolv.conf ]] || touch /etc/resolv.conf
		{ cat <<-_EOF
			# This file was generated by wg-quick(8) for use with
			# the WireGuard interface $INTERFACE. It cannot be
			# removed or altered directly. You may remove this file
			# by running \`wg-quick down $INTERFACE', or if that
			# poses problems, run \`umount /etc/resolv.conf'.

		_EOF
		printf 'nameserver %s\n' "${DNS[@]}"
		[[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
		} | unshare -m --propagation shared bash -c "$(cat <<-_EOF
			set -e
			context="\$(stat -c %C /etc/resolv.conf 2>/dev/null)" || unset context
			mount --make-private /dev/shm
			mount -t tmpfs none /dev/shm
			cat > /dev/shm/resolv.conf
			[[ -z \$context || \$context == "?" ]] || chcon "\$context" /dev/shm/resolv.conf 2>/dev/null || true
			mount -o remount,ro /dev/shm
			mount -o bind,ro /dev/shm/resolv.conf /etc/resolv.conf
		_EOF
		)"
	fi
	HAVE_SET_DNS=1
}

unset_dns() {
	[[ ${#DNS[@]} -gt 0 ]] || return 0

	if [[ $(resolvconf --version 2>/dev/null) == openresolv\ * ]]; then
		cmd resolvconf -d "$INTERFACE"
	else
		cmd umount /etc/resolv.conf
	fi
}
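
The script below is an added example, not part of the original post or of the WireGuard project. It checks the three points this procedure depends on: whether the running kernel needs the compat module from section 2, whether module.sig_enforce=0 reached the kernel command line after the reboot, and whether a wg-quick config sets DNS, which is the case that triggers the resolvconf error in section 3. The function names, the --report flag and the default path /etc/wireguard/wg0.conf are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Inputs are passed in so the
# checks can run offline; /etc/wireguard/wg0.conf is an assumed path.

# Print "builtin" for kernel >= 5.6, "compat" for older kernels (the
# wireguard-linux-compat module is needed), "unknown" if unparsable.
wg_module_source() {
    wms_major=${1%%.*}; wms_rest=${1#*.}; wms_minor=${wms_rest%%[!0-9]*}
    case $1 in [0-9]*.[0-9]*) ;; *) echo unknown; return 0 ;; esac
    case $wms_major in *[!0-9]*) echo unknown; return 0 ;; esac
    [ -n "$wms_minor" ] || { echo unknown; return 0; }
    if [ "$wms_major" -gt 5 ] || { [ "$wms_major" -eq 5 ] && [ "$wms_minor" -ge 6 ]; }; then
        echo builtin
    else
        echo compat
    fi
}

# Succeed if the kernel command line (text of /proc/cmdline) contains the
# exact module.sig_enforce=0 token that was added to GRUB_CMDLINE_LINUX.
cmdline_has_sig_enforce_off() {
    case " $1 " in
        *" module.sig_enforce=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a wg-quick config on stdin; succeed if [Interface] sets DNS, which
# is the case where wg-quick's set_dns calls resolvconf.
config_sets_dns() {
    awk '
        /^[ \t]*\[/ { iface = (tolower($0) ~ /^[ \t]*\[interface\]/) }
        iface && tolower($0) ~ /^[ \t]*dns[ \t]*=[ \t]*[^ \t#]/ { found = 1 }
        END { exit !found }
    '
}

# Report against the live system: sh preflight.sh --report [config]
if [ "${1:-}" = "--report" ]; then
    conf=${2:-/etc/wireguard/wg0.conf}
    echo "module source: $(wg_module_source "$(uname -r)")"
    echo "net.ipv4.ip_forward: $(cat /proc/sys/net/ipv4/ip_forward)"
    cmdline_has_sig_enforce_off "$(cat /proc/cmdline)" && state=present || state=absent
    echo "module.sig_enforce=0 on running kernel command line: $state"
    if [ -r "$conf" ] && config_sets_dns < "$conf" && ! command -v resolvconf >/dev/null 2>&1; then
        echo "$conf sets DNS and resolvconf is missing: unmodified wg-quick will report 'resolvconf: command not found'"
    fi
fi
```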
