Notes on building your own remote-office network and forcing an offline WireGuard (wg) installation

Sometimes people are away from the company and need to reach a company computer remotely to handle something. The company's computers sit on the intranet and cannot be reached directly from home. We usually use a remote-assistance tool such as QQ, but that needs someone at the other end to accept the request. There is also free software that supports unattended remote control, but the speed is usually capped and it often freezes at peak times. The company happens to have an Alibaba Cloud server with plenty of unused traffic, so a WireGuard (wg) service can be installed on it; the company intranet computer and the home computer then connect to it as clients and can talk to each other through the tunnel.

The company's Alibaba Cloud server runs CentOS 7. Kernel version:

# uname -r
3.10.0-1160.15.2.el7.x86_64

Install with the following script:

#!/bin/bash

# Check the OS: this script only supports CentOS 7
if [ ! -e '/etc/redhat-release' ]; then
    echo "Only CentOS 7 is supported"
    exit 1
fi
if [ -n "$(grep ' 6\.' /etc/redhat-release)" ]; then
    echo "Only CentOS 7 is supported"
    exit 1
fi



# Upgrade the kernel to a mainline (kernel-ml) build from ELRepo
update_kernel(){
    yum -y install epel-release curl
    sed -i "0,/enabled=0/s//enabled=1/" /etc/yum.repos.d/epel.repo
    yum remove -y kernel-devel
    rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
    rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
    yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
    yum -y --enablerepo=elrepo-kernel install kernel-ml
    # Boot the newly installed (first) kernel entry by default
    sed -i "s/GRUB_DEFAULT=saved/GRUB_DEFAULT=0/" /etc/default/grub
    grub2-mkconfig -o /boot/grub2/grub.cfg
    # The pinned kernel-ml-devel rpm below may no longer exist on the mirror;
    # the yum line after it installs whatever kernel-ml-devel is current
    wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-devel-4.19.1-1.el7.elrepo.x86_64.rpm
    rpm -ivh kernel-ml-devel-4.19.1-1.el7.elrepo.x86_64.rpm
    yum -y --enablerepo=elrepo-kernel install kernel-ml-devel
    read -p "The VPS must be rebooted; run the script again afterwards and choose 'Install wireguard'. Reboot now? [Y/n] :" yn
    [ -z "${yn}" ] && yn="y"
    if [[ $yn == [Yy] ]]; then
        echo -e "VPS restarting..."
        reboot
    fi
}

# Generate a random port in the range [$1, $2]
rand(){
    min=$1
    max=$(($2-$min+1))
    num=$(cat /dev/urandom | head -n 10 | cksum | awk -F ' ' '{print $1}')
    echo $(($num%$max+$min))
}

wireguard_update(){
    yum update -y wireguard-dkms wireguard-tools
    echo "Update complete"
}

wireguard_remove(){
    wg-quick down wg0
    yum remove -y wireguard-dkms wireguard-tools
    rm -rf /etc/wireguard/
    echo "Uninstall complete"
}

# Write the first client's configuration
config_client(){
cat > /etc/wireguard/client.conf <<-EOF
[Interface]
PrivateKey = $c1
Address = 10.0.0.2/24
DNS = 114.114.114.114
MTU = 1420

[Peer]
PublicKey = $s2
Endpoint = $serverip:$port
# 0.0.0.0/0 sends all of the client's traffic through the VPS (full tunnel);
# to reach only the other WireGuard peers use AllowedIPs = 10.0.0.0/24 instead
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25
EOF

}

# Install WireGuard on CentOS 7
wireguard_install(){
    curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
    yum install -y dkms gcc-c++ gcc-gfortran glibc-headers glibc-devel libquadmath-devel libtool systemtap systemtap-devel
    yum -y install wireguard-dkms wireguard-tools
    yum -y install qrencode
    mkdir -p /etc/wireguard
    cd /etc/wireguard
    # Keys and configs are created root-only (the original used chmod 777 -R,
    # which leaves the private keys world-readable)
    umask 077
    chmod 700 /etc/wireguard
    # Server and first-client key pairs
    wg genkey | tee sprivatekey | wg pubkey > spublickey
    wg genkey | tee cprivatekey | wg pubkey > cpublickey
    s1=$(cat sprivatekey)
    s2=$(cat spublickey)
    c1=$(cat cprivatekey)
    c2=$(cat cpublickey)
    serverip=$(curl ipv4.icanhazip.com)
    port=$(rand 10000 60000)
    # First ethernet interface name (eth0, ens192, ...) for the NAT rule
    eth=$(ls /sys/class/net | awk '/^e/{print}')
    systemctl stop firewalld
    systemctl disable firewalld
    yum install -y iptables-services
    systemctl enable iptables
    systemctl start iptables
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    service iptables save
    service iptables restart
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    sysctl -p
cat > /etc/wireguard/wg0.conf <<-EOF
[Interface]
PrivateKey = $s1
Address = 10.0.0.1/24
PostUp   = echo 1 > /proc/sys/net/ipv4/ip_forward; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $eth -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $eth -j MASQUERADE
ListenPort = $port
# DNS only matters on clients; remove this line if wg-quick complains about resolvconf
DNS = 114.114.114.114
MTU = 1420

[Peer]
PublicKey = $c2
AllowedIPs = 10.0.0.2/32
EOF

    config_client
    wg-quick up wg0
    systemctl enable wg-quick@wg0
    content=$(cat /etc/wireguard/client.conf)
    echo "On a PC, download client.conf; on a phone, scan the QR code with the WireGuard app"
    echo "${content}" | qrencode -o - -t UTF8
}
add_user(){
    echo -e "\033[37;41mGive the new user a name; it must not duplicate an existing user\033[0m"
    read -p "Please enter the user name: " newname
    cd /etc/wireguard/
    # Start from the first client's config and swap in a fresh key and address
    cp client.conf $newname.conf
    wg genkey | tee temprikey | wg pubkey > tempubkey
    # Last host number already assigned in wg0.conf, plus one
    ipnum=$(grep Allowed /etc/wireguard/wg0.conf | tail -1 | awk -F '[ ./]' '{print $6}')
    newnum=$((10#${ipnum}+1))
    sed -i 's%^PrivateKey.*$%'"PrivateKey = $(cat temprikey)"'%' $newname.conf
    sed -i 's%^Address.*$%'"Address = 10.0.0.$newnum\/24"'%' $newname.conf

cat >> /etc/wireguard/wg0.conf <<-EOF

[Peer]
PublicKey = $(cat tempubkey)
AllowedIPs = 10.0.0.$newnum/32
EOF
    # Apply the new peer to the running interface without restarting it
    wg set wg0 peer $(cat tempubkey) allowed-ips 10.0.0.$newnum/32
    rm -f temprikey tempubkey
    echo -e "\033[37;41mDone, file: /etc/wireguard/$newname.conf\033[0m"
    echo "========================="
}

# Main menu
start_menu(){
    clear
    echo "========================="
    echo " Introduction: Applicable to CentOS 7"
    echo " Author: atrandys"
    echo " Website: www.atrandys.com"
    echo " Youtube: atrandys"
    echo "========================="
    echo "1. Upgrade the system kernel"
    echo "2. Install wireguard"
    echo "3. Upgrade wireguard"
    echo "4. Uninstall wireguard"
    echo "5. Display the client QR code"
    echo "6. Add a user"
    echo "0. Exit the script"
    echo
    read -p "Please enter a number:" num 
    case "$num" in
    	1)
	update_kernel
	;;
	2)
	wireguard_install
	;; 
	3) 
	wireguard_update 
	;; 
	4) 
	wireguard_remove 
	;; 
	5)
	content=$(cat /etc/wireguard/client.conf)
	echo "${content}" | qrencode -o - -t UTF8
	;;
	6) 
	add_user 
	;; 
	0) 
	exit 1 
	;; 
	*) 
	clear 
	echo "Please enter the correct number" 
	sleep 5s 
	start_menu 
	;; 
    esac 
} 

start_menu

Copy the above code into a script file such as install_wireguard.sh, make it executable (chmod +x install_wireguard.sh), and run it as root or with sudo:

# ./install_wireguard.sh
=========================
 Introduction: Applicable to CentOS 7
 Author: atrandys
 Website: www.atrandys.com
 Youtube: atrandys
=========================
1. Upgrade the system kernel
2. Install wireguard
3. Upgrade wireguard
4. Uninstall wireguard
5. Display the client QR code
6. Add a user
0. Exit the script

Please enter a number: 2

Menu item 2 installs WireGuard, so enter 2 to start the installation.

When the script finishes, run systemctl status wg-quick@wg0 to check whether the installation succeeded:

# systemctl status wg-quick@wg0
wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2021-03-12 10:31:12 CST; 44s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 28364 ExecStart=/usr/bin/wg-quick up %i (code=exited, status=0/SUCCESS)
 Main PID: 28364 (code=exited, status=0/SUCCESS)

"active" means the installation succeeded. "active (exited)" is the normal state for this oneshot unit; wg show wg0 confirms that the interface exists and shows the listening port and the peers.
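The install function above stops firewalld, sets every iptables policy to ACCEPT and flushes the rules, so the VPS ends up with no packet filter at all and every peer can also use it as an Internet gateway. The following is an added example, not part of the original post or of the atrandys script: a shell function that emits an iptables-restore ruleset for the same setup which admits only SSH and the WireGuard UDP port, forwards only between wg0 peers (plus, optionally, from wg0 to the Internet), and NATs only the 10.0.0.0/24 tunnel subnet. The port and interface name are the $port and $eth values the install function computes; SSH on port 22 is an assumption.

```shell
#!/bin/sh
# Added example: least-privilege iptables ruleset for the WireGuard VPS.
# Replaces the script's "policy ACCEPT + iptables -F" firewall.

wg_ruleset() {
    # $1: WireGuard UDP listen port ($port in the script)
    # $2: public interface name ($eth in the script, e.g. eth0)
    port="$1"; eth="$2"
    case "$port" in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: '$port'" >&2; return 1
    fi
    if [ -z "$eth" ]; then
        echo "missing public interface name" >&2; return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# management: SSH (assumed on 22)
-A INPUT -p tcp --dport 22 -j ACCEPT
# WireGuard handshake/data from anywhere (the peers roam)
-A INPUT -p udp --dport $port -j ACCEPT
# peer-to-peer traffic inside the tunnel (home <-> company)
-A FORWARD -i wg0 -o wg0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# delete the next line to forbid Internet access through the VPS entirely
-A FORWARD -i wg0 -o $eth -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT only the tunnel subnet, and only towards the public interface
-A POSTROUTING -s 10.0.0.0/24 -o $eth -j MASQUERADE
COMMIT
EOF
}

# Stand-alone use: ./wg_rules.sh <port> <iface> > /etc/sysconfig/iptables
if [ $# -eq 2 ]; then
    wg_ruleset "$1" "$2"
fi
```

Review the output, write it to /etc/sysconfig/iptables and run service iptables restart. With these rules in place the PostUp/PostDown lines in wg0.conf are redundant (they would re-add the broad FORWARD rules on every wg-quick up) and can be removed.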

Next, generate a client configuration file: run install_wireguard.sh again and, at the menu, enter 6 (add a user):

=========================
 Introduction: Applicable to CentOS 7
 Author: atrandys
 Website: www.atrandys.com
 Youtube: atrandys
=========================
1. Upgrade the system kernel
2. Install wireguard
3. Upgrade wireguard
4. Uninstall wireguard
5. Display the client QR code
6. Add a user
0. Exit the script

Please enter a number: 6
Give the new user a name; it must not duplicate an existing user
Please enter the user name: home

Pick any user name you like; just keep the names distinct. Remember to press Enter after typing the name.

When it finishes, the corresponding client configuration file, for example home.conf, is in /etc/wireguard/.

Run it once more to generate company.conf.

Copy home.conf and company.conf to the home and office computers respectively. Both are Windows machines: download the corresponding WireGuard installer and install it like any other program. Then open it, import the client configuration file and click Activate.

On the office computer run:

ping 10.0.0.1

If the server replies, the tunnel is up. Note that Windows Firewall usually classifies the new tunnel interface as a Public network and drops inbound ICMP and RDP on it, so if ping 10.0.0.1 works but the home computer still cannot reach the office computer, allow the traffic you need from 10.0.0.0/24 in the office computer's firewall.

You can then reach the company computer (10.0.0.4) from the home computer (10.0.0.3). The exact addresses depend on the order in which the clients were added; check the Address line of each client configuration file:

[Interface]
PrivateKey = aCfyRy96aMx/gLM+SRpnmYWUBGqr+9bdSLk2OyNK7k8=
Address = 10.0.0.3/24
DNS = 114.114.114.114
MTU = 1420

[Peer]

.......
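The add_user function above derives the next address by adding one to the last AllowedIPs line in wg0.conf, and the client files it produces route 0.0.0.0/0 through the VPS, which also sends the company computer's ordinary intranet and Internet traffic into the tunnel. As an added example that is not code from the original post or from the atrandys script, here is the same provisioning step written to pick the lowest unused host address in 10.0.0.0/24 (so the address of a removed peer is reused), to refuse a duplicate client name, and to give the client AllowedIPs = 10.0.0.0/24 only, so home and company machines reach each other while keeping their normal routes. Keys are passed in as strings (produce them with wg genkey / wg pubkey as the script does); the placeholder keys and endpoint in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: allocate the next free tunnel address from an existing
# wg0.conf and write the server [Peer] block and the client config.

next_free_ip() {
    # $1: path to wg0.conf; prints the lowest unused host number in 10.0.0.2-254
    used=$(sed -n 's/^AllowedIPs *= *10\.0\.0\.\([0-9]*\)\/[0-9]*.*$/\1/p' "$1")
    n=2
    while [ "$n" -le 254 ]; do
        printf '%s\n' "$used" | grep -qx "$n" || { echo "$n"; return 0; }
        n=$((n + 1))
    done
    echo "no free address left in 10.0.0.0/24" >&2
    return 1
}

server_peer_block() {
    # $1: client name (kept as a comment so the peer can be found later)
    # $2: client public key, $3: host number
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = 10.0.0.%s/32\n' "$1" "$2" "$3"
}

client_config() {
    # $1: client private key, $2: host number,
    # $3: server public key, $4: server endpoint host:port
    cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.0.0.$2/24
MTU = 1420

[Peer]
PublicKey = $3
Endpoint = $4
# only the tunnel subnet: the client keeps its own LAN and Internet routes
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
EOF
}

add_peer() {
    # $1: wg0.conf, $2: client name, $3: client public key, $4: client private key,
    # $5: server public key, $6: endpoint host:port
    # Appends the peer to wg0.conf, writes <dir>/<name>.conf, prints the host number.
    conf="$1"; name="$2"; dir=$(dirname "$conf")
    if [ -e "$dir/$name.conf" ] || grep -q "^# $name\$" "$conf"; then
        echo "peer '$name' already exists" >&2
        return 1
    fi
    num=$(next_free_ip "$conf") || return 1
    umask 077   # private key inside: root-only files
    server_peer_block "$name" "$3" "$num" >> "$conf"
    client_config "$4" "$num" "$5" "$6" > "$dir/$name.conf"
    echo "$num"
}

# Stand-alone use (constructed example values):
#   ./add_peer.sh /etc/wireguard/wg0.conf home "$(cat cpub)" "$(cat cpriv)" \
#       "$(cat /etc/wireguard/spublickey)" 203.0.113.10:51820
if [ $# -eq 6 ]; then
    add_peer "$@"
fi
```

After add_peer has appended the [Peer] block, load it into the running interface with wg syncconf wg0 <(wg-quick strip wg0) (or the wg set line used in add_user) and hand <name>.conf to the client; the server-side comment line makes it easy to find and delete the block when a device is retired.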

If you need to install WireGuard offline, download the rpm files directly, or use yumdownloader (from yum-utils; with --resolve it also fetches the dependencies) on a machine that has Internet access.

Then, in the directory containing the WireGuard rpm files, run:

rpm -ivh *.rpm --nodeps --force

If iptables-services was not installed before, change into its rpm directory and run the same command. Note that --nodeps --force skips rpm's dependency and conflict checks, so missing build dependencies (kernel-devel for the running kernel, dkms, gcc) only show up later as a failed module build; when all the needed rpms are present in the directory, yum localinstall *.rpm resolves them against each other and is the safer choice.

After the packages are installed, modify the install function in install_wireguard.sh as follows:

# Install WireGuard on CentOS 7 (offline variant: every step that needs Internet access is commented out)
wireguard_install(){
    # curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
    # yum install -y dkms gcc-c++ gcc-gfortran glibc-headers glibc-devel libquadmath-devel libtool systemtap systemtap-devel
    # yum -y install wireguard-dkms wireguard-tools
    # yum -y install qrencode
    mkdir -p /etc/wireguard
    cd /etc/wireguard
    umask 077
    chmod 700 /etc/wireguard
    wg genkey | tee sprivatekey | wg pubkey > spublickey
    wg genkey | tee cprivatekey | wg pubkey > cpublickey
    s1=$(cat sprivatekey)
    s2=$(cat spublickey)
    c1=$(cat cprivatekey)
    c2=$(cat cpublickey)
    # This lookup also needs the Internet; on an offline host set serverip by hand
    # to the address the clients will connect to
    serverip=$(curl ipv4.icanhazip.com)
    port=$(rand 10000 60000)
    eth=$(ls /sys/class/net | awk '/^e/{print}')
    systemctl stop firewalld
    systemctl disable firewalld
    # yum install -y iptables-services
    systemctl enable iptables
    systemctl start iptables
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    service iptables save
    service iptables restart
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    sysctl -p
    # ... the remainder of the function (wg0.conf, config_client, wg-quick up) is unchanged

That is, every operation that needs the Internet is commented out. Then run the script and choose 2 to install WireGuard. Adding clients works exactly as on the Alibaba Cloud server, so it is not repeated here.

So far everything went smoothly and the "forced" part of the offline installation has not come up yet. Here is one offline installation experience. The system was also CentOS 7, but the kernel version was 3.10.0-862, nearly the same as the company's Alibaba Cloud server except for the tail of the version number; yet with that small difference the installation failed. After installing wg offline as above, systemctl status wg-quick@wg0 showed the unit had failed, and starting it by hand with wg-quick up wg0 reported:

# sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
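That error comes from ip link add wg0 type wireguard failing because the running kernel has no wireguard module: kernels 5.6 and later ship it in-tree, while on CentOS 7's 3.10 kernel the module is the out-of-tree one that wireguard-dkms has to compile and install for each installed kernel, and if that build failed the tools are present but the interface cannot be created. The following triage script is an added example, not part of the original post. Its parsing functions work on plain strings (kernel release, dkms status output) so they can be checked offline; wg_preflight() feeds them the live uname -r and dkms status. The sample dkms status lines are constructed, and the two line formats it recognises (the comma-separated one from dkms 2.x and the slash-separated one from dkms 3.x) are an assumption to check against your version.

```shell
#!/bin/sh
# Added example: explain "Protocol not supported" from wg-quick without
# touching the system. Verdict only; it runs no build.

kernel_has_wireguard() {
    # $1: kernel release string (uname -r). 0 if >= 5.6, i.e. in-tree WireGuard.
    maj=${1%%.*}
    rest=${1#*.}
    min=${rest%%.*}
    case "$maj" in ''|*[!0-9]*) return 1 ;; esac
    case "$min" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$maj" -gt 5 ]; then return 0; fi
    if [ "$maj" -eq 5 ] && [ "$min" -ge 6 ]; then return 0; fi
    return 1
}

dkms_module_installed() {
    # stdin: dkms status output; $1: kernel release.
    # 0 if the wireguard module is "installed" (not merely "built") for that kernel.
    # Accepts "wireguard, <ver>, <kernel>, <arch>: installed" (dkms 2.x)
    # and "wireguard/<ver>, <kernel>, <arch>: installed" (dkms 3.x).
    grep -E '^wireguard[,/]' | grep -F ", $1, " | grep -q ': installed$'
}

wg_verdict() {
    # $1: kernel release, $2: dkms status text. Prints a verdict; 0 only if usable.
    if kernel_has_wireguard "$1"; then
        echo "kernel $1 has in-tree WireGuard; wireguard-dkms is not needed"
        return 0
    fi
    if printf '%s\n' "$2" | dkms_module_installed "$1"; then
        echo "dkms module is installed for $1; if 'ip link add' still fails, try: modprobe wireguard"
        return 0
    fi
    echo "no wireguard module for kernel $1: install kernel-devel-$1 and run"
    echo "  dkms build wireguard/<version> && dkms install wireguard/<version>"
    echo "or upgrade to a kernel >= 5.6"
    return 1
}

wg_preflight() {
    # Live check on the host (needs uname; dkms may be absent, hence 2>/dev/null)
    wg_verdict "$(uname -r)" "$(dkms status 2>/dev/null)"
}

# Stand-alone use: ./wg_preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    wg_preflight
fi
```

dkms build/install must be repeated for every kernel that is booted; a module built against 3.10.0-1160 will not load on 3.10.0-862, which is exactly the version gap described above.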

Most of the hits for this error message are resolved by upgrading the kernel, but the environment and the schedule did not allow a kernel upgrade. So I kept digging and tried to rebuild and install the module with dkms:

dkms build wireguard/1.0.20210219-1

It failed. The error message pointed at socket.c; looking at the corresponding line in the source file, the function that errored turned out to be IPv6-related. Since we do not use IPv6, I commented out the offending code directly.

dkms build then succeeded. Next, install the module:

dkms install wireguard/1.0.20210219-1

Running wg-quick up wg0 again now brings the interface up. Keep in mind that the edit lives in the dkms source tree, so it is lost when the wireguard-dkms package is upgraded, and that the patched module has no IPv6 support, which is fine only as long as the configuration stays IPv4-only as it is here.



Source: blog.51cto.com/14256460/2661075