Sometimes people are away from the company and need to remote into company computers temporarily. The company's computers are on the intranet and cannot be reached directly from home. Tools with remote-assistance features such as QQ work, but someone at the office has to accept the request. There is also free software that supports unattended remote access, but the speed is usually limited and it often freezes at peak times. The company happens to have an Alibaba Cloud server with plenty of unused traffic, so a WireGuard (wg) service can be installed on it; the company intranet computer and the home computer then both connect to it as clients and can talk to each other through the tunnel.
The company's Alibaba Cloud server runs CentOS 7. Kernel version:
# uname -r
3.10.0-1160.15.2.el7.x86_64
Install with the following script:
#!/bin/bash
# Check the system: only CentOS 7 is supported
if [ ! -e '/etc/redhat-release' ]; then
    echo "仅支持centos7"
    exit
fi
if [ -n "$(grep ' 6\.' /etc/redhat-release)" ]; then
    echo "仅支持centos7"
    exit
fi

# Upgrade the kernel (mainline kernel from ELRepo)
update_kernel(){
    yum -y install epel-release curl
    sed -i "0,/enabled=0/s//enabled=1/" /etc/yum.repos.d/epel.repo
    yum remove -y kernel-devel
    rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
    rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
    yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
    yum -y --enablerepo=elrepo-kernel install kernel-ml
    sed -i "s/GRUB_DEFAULT=saved/GRUB_DEFAULT=0/" /etc/default/grub
    grub2-mkconfig -o /boot/grub2/grub.cfg
    wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-devel-4.19.1-1.el7.elrepo.x86_64.rpm
    rpm -ivh kernel-ml-devel-4.19.1-1.el7.elrepo.x86_64.rpm
    yum -y --enablerepo=elrepo-kernel install kernel-ml-devel
    read -p "Need to restart the VPS, execute the script again to choose to install wireguard, restart now? [Y/n] :" yn
    [ -z "${yn}" ] && yn="y"
    if [[ $yn == [Yy] ]]; then
        echo -e "VPS restarting..."
        reboot
    fi
}

# Generate a random port in the range [min, max]
rand(){
    min=$1
    max=$(($2-$min+1))
    num=$(cat /dev/urandom | head -n 10 | cksum | awk -F ' ' '{print $1}')
    echo $(($num%$max+$min))
}

wireguard_update(){
    yum update -y wireguard-dkms wireguard-tools
    echo "Update complete"
}

wireguard_remove(){
    wg-quick down wg0
    yum remove -y wireguard-dkms wireguard-tools
    rm -rf /etc/wireguard/
    echo "卸载完成"
}

# Write the first client configuration (tunnel address 10.0.0.2).
# AllowedIPs = 0.0.0.0/0 routes all of the client's traffic through the server;
# to reach only the other tunnel peers, 10.0.0.0/24 would be enough.
config_client(){
cat > /etc/wireguard/client.conf <<-EOF
[Interface]
PrivateKey = $c1
Address = 10.0.0.2/24
DNS = 114.114.114.114
MTU = 1420
[Peer]
PublicKey = $s2
Endpoint = $serverip:$port
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25
EOF
}

# Install WireGuard on CentOS 7
wireguard_install(){
    curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
    yum install -y dkms gcc-c++ gcc-gfortran glibc-headers glibc-devel libquadmath-devel libtool systemtap systemtap-devel
    yum -y install wireguard-dkms wireguard-tools
    yum -y install qrencode
    # Private keys are written below: create everything readable by root only
    # (the original script used chmod 777 -R, which exposes the keys to every local user)
    umask 077
    mkdir /etc/wireguard
    cd /etc/wireguard
    wg genkey | tee sprivatekey | wg pubkey > spublickey
    wg genkey | tee cprivatekey | wg pubkey > cpublickey
    s1=$(cat sprivatekey)
    s2=$(cat spublickey)
    c1=$(cat cprivatekey)
    c2=$(cat cpublickey)
    serverip=$(curl ipv4.icanhazip.com)
    port=$(rand 10000 60000)
    eth=$(ls /sys/class/net | awk '/^e/{print}')
    chmod 700 /etc/wireguard
    systemctl stop firewalld
    systemctl disable firewalld
    yum install -y iptables-services
    systemctl enable iptables
    systemctl start iptables
    # Note: this sets an accept-all policy and flushes every existing rule on the server
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    service iptables save
    service iptables restart
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    sysctl -p
# Server-side peers get a /32: with /24 every peer would claim the whole subnet
# and the last one listed would shadow the others
cat > /etc/wireguard/wg0.conf <<-EOF
[Interface]
PrivateKey = $s1
Address = 10.0.0.1/24
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $eth -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $eth -j MASQUERADE
ListenPort = $port
DNS = 114.114.114.114
MTU = 1420
[Peer]
PublicKey = $c2
AllowedIPs = 10.0.0.2/32
EOF
    config_client
    wg-quick up wg0
    systemctl enable wg-quick@wg0
    content=$(cat /etc/wireguard/client.conf)
    echo "Please download client.conf; on a mobile phone the app can scan the QR code directly"
    echo "${content}" | qrencode -o - -t UTF8
}

# Add a client: the next free 10.0.0.x is derived from the last peer in wg0.conf
add_user(){
    echo -e "\033[37;41m Give the new user a name, which cannot be repeated with the existing user\033[0m"
    read -p "Please enter the user name:" newname
    cd /etc/wireguard/
    cp client.conf $newname.conf
    wg genkey | tee temprikey | wg pubkey > tempubkey
    ipnum=$(grep Allowed /etc/wireguard/wg0.conf | tail -1 | awk -F '[ ./]' '{print $6}')
    newnum=$((10#${ipnum}+1))
    sed -i 's%^PrivateKey.*$%'"PrivateKey = $(cat temprikey)"'%' $newname.conf
    sed -i 's%^Address.*$%'"Address = 10.0.0.$newnum/24"'%' $newname.conf
cat >> /etc/wireguard/wg0.conf <<-EOF
[Peer]
PublicKey = $(cat tempubkey)
AllowedIPs = 10.0.0.$newnum/32
EOF
    wg set wg0 peer $(cat tempubkey) allowed-ips 10.0.0.$newnum/32
    rm -f temprikey tempubkey
    echo -e "\033[37;41m添加完成,文件:/etc/wireguard/$newname.conf\033[0m"
}

# Start menu
start_menu(){
    clear
    echo "========================="
    echo "Introduction: Applicable to CentOS7"
    echo "Author: atrandys"
    echo "Website: www.atrandys.com"
    echo "Youtube: atrandys"
    echo "========================="
    echo "1. Upgrade the system kernel"
    echo "2. Install wireguard"
    echo "3. Upgrade wireguard"
    echo "4. Uninstall wireguard"
    echo "5. Display the client QR code"
    echo "6. Increase users"
    echo "0. Exit the script"
    echo
    read -p "Please enter a number:" num
    case "$num" in
    1) update_kernel ;;
    2) wireguard_install ;;
    3) wireguard_update ;;
    4) wireguard_remove ;;
    5) content=$(cat /etc/wireguard/client.conf)
       echo "${content}" | qrencode -o - -t UTF8 ;;
    6) add_user ;;
    0) exit 1 ;;
    *) clear
       echo "Please enter the correct number"
       sleep 5s
       start_menu ;;
    esac
}
start_menu
Copy the above code into a script file such as install_wireguard.sh and make it executable. Run the script as root or with sudo:
# ./install_wireguard.sh
=========================
Introduction: Applicable to CentOS7
Author: atrandys
Website: www.atrandys.com
Youtube: atrandys
=========================
1. Upgrade the system kernel
2. Install wireguard
3. Upgrade wireguard
4. Uninstall wireguard
5. Display the client QR code
6. Increase users
0. Exit the script
Please enter a number: 2
Menu item 2 installs WireGuard, so enter 2 to start the installation.
After the script finishes, run systemctl status wg-quick@wg0 to check whether the installation succeeded:
# systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2021-03-12 10:31:12 CST; 44s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 28364 ExecStart=/usr/bin/wg-quick up %i (code=exited, status=0/SUCCESS)
 Main PID: 28364 (code=exited, status=0/SUCCESS)
If it shows active, the installation succeeded.
Next, generate the client configuration files.
Run install_wireguard.sh again and choose 6 from the menu, the option for adding users:
=========================
Introduction: Applicable to CentOS7
Author: atrandys
Website: www.atrandys.com
Youtube: atrandys
=========================
1. Upgrade the system kernel
2. Install wireguard
3. Upgrade wireguard
4. Uninstall wireguard
5. Display the client QR code
6. Increase users
0. Exit the script
Please enter a number: 6
Give the new user a name, which cannot be repeated with the existing user
Please enter the user name: home
The user name is up to you; just don't reuse one, and pick names that tell the clients apart. Remember to press Enter after typing the user name.
After it completes, the corresponding client configuration file, e.g. home.conf, is in the /etc/wireguard/ directory.
Run it once more to generate company.conf.
Copy home.conf and company.conf to the home computer and the company office computer respectively. Both are Windows machines: download the corresponding WireGuard installer and install it like any other program. After installation, open it, import the client configuration file and click Activate.
On the office computer, run:
ping 10.0.0.1
If the ping succeeds, the tunnel is working.
Then the home computer (10.0.0.3) can remotely access the company computer (10.0.0.4). The exact IP address depends on the order in which the clients were added; check the corresponding client configuration file to determine its IP:
[Interface]
PrivateKey = aCfyRy96aMx/gLM+SRpnmYWUBGqr+9bdSLk2OyNK7k8=
Address = 10.0.0.3/24
DNS = 114.114.114.114
MTU = 1420
[Peer]
.......
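Since the tunnel address of each client is only visible inside its configuration file, the following helpers list every client with its address and also check the server directory for the two things that go wrong most easily with this setup: server-side peers whose AllowedIPs is wider than a single host (they shadow each other) and key files readable by other local users. This is an added example, not part of the original post or of the atrandys script; it assumes a directory laid out like /etc/wireguard (wg0.conf for the server, <name>.conf per client, *privatekey files), and the sample configs it builds are constructed with placeholder keys and a documentation-range endpoint.

```bash
#!/bin/bash
# Added example: helpers for a wg-quick configuration directory.
#   wg_list_clients DIR  - prints "<name> <tunnel address>" per client config
#   wg_check_server DIR  - flags server peers wider than /32 and key files
#                          readable by group/others; returns 1 if anything is found
#   wg_harden_dir DIR    - owner-only modes and /32 per server peer
#   wg_demo_dir          - builds a constructed sample directory (placeholders only)

wg_list_clients() {
    dir=$1
    for f in "$dir"/*.conf; do
        name=$(basename "$f" .conf)
        [ "$name" = "wg0" ] && continue           # the server interface itself
        grep -q '^Endpoint' "$f" || continue       # only client files carry an Endpoint
        addr=$(awk -F '[ =/]+' '/^Address/ {print $2}' "$f")
        printf '%s %s\n' "$name" "$addr"
    done
}

wg_check_server() {
    dir=$1; conf="$dir/wg0.conf"; rc=0
    # 1. Every [Peer] AllowedIPs on the server must be a single host (/32);
    #    with /24 each peer claims the whole subnet and the last one wins.
    wide=$(awk '/^\[Peer\]/{p=1} p && /^AllowedIPs/ && $3 !~ /\/32$/ {print $3}' "$conf")
    if [ -n "$wide" ]; then
        echo "peer AllowedIPs wider than /32 (peers shadow each other): $wide"
        rc=1
    fi
    # 2. Files that hold private keys must not be readable by group/others.
    for f in "$dir"/*.conf "$dir"/*privatekey; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case $mode in
            *00) ;;                                 # 600/700: owner only
            *) echo "$f is mode $mode: private key readable by other users"; rc=1 ;;
        esac
    done
    return $rc
}

wg_harden_dir() {
    dir=$1
    chmod 700 "$dir"
    chmod 600 "$dir"/*
    # narrow every server-side peer route to a single host; [Interface] Address is untouched
    sed -i '/^\[Peer\]/,$ s#^\(AllowedIPs = [0-9.]*\)/[0-9]*#\1/32#' "$dir/wg0.conf"
}

wg_demo_dir() {
    d=$(mktemp -d)
    # Constructed sample mirroring what the install script writes; keys are placeholders.
    cat > "$d/wg0.conf" <<EOF
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/24
[Peer]
PublicKey = HOME_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/24
[Peer]
PublicKey = COMPANY_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.4/24
EOF
    for n in home:10.0.0.3 company:10.0.0.4; do
        cat > "$d/${n%%:*}.conf" <<EOF
[Interface]
PrivateKey = ${n%%:*}_PRIVATE_KEY_PLACEHOLDER
Address = ${n##*:}/24
DNS = 114.114.114.114
MTU = 1420
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25
EOF
    done
    printf 'PLACEHOLDER' > "$d/sprivatekey"
    chmod 777 "$d"/*      # mimic "chmod 777 -R /etc/wireguard" from the script
    echo "$d"
}

d=$(wg_demo_dir)
echo "clients:"; wg_list_clients "$d"
wg_check_server "$d" || echo "-> problems found, hardening"
wg_harden_dir "$d"
wg_check_server "$d" && echo "-> server directory looks sane"
rm -rf "$d"
```

Run it against the real directory with `wg_list_clients /etc/wireguard` to see which name maps to which 10.0.0.x; `wg_check_server /etc/wireguard` before and after `wg_harden_dir` shows the difference between the as-generated state and an owner-only, one-host-per-peer layout. Hardening only touches the server file and file modes; the clients' own Address lines keep their /24.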
If you need to install WireGuard offline, you can download the corresponding rpm files directly, or use yumdownloader on a machine with Internet access to fetch them.
After downloading, change into the directory containing the WireGuard rpm files and run:
rpm -ivh *.rpm --nodeps --force
If iptables-services was not installed previously, enter its rpm folder and run the same command to install it.
After the packages are installed, modify the installation function in the install_wireguard.sh script above:
# Install WireGuard on CentOS 7 (offline variant)
wireguard_install(){
    # curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
    # yum install -y dkms gcc-c++ gcc-gfortran glibc-headers glibc-devel libquadmath-devel libtool systemtap systemtap-devel
    # yum -y install wireguard-dkms wireguard-tools
    # yum -y install qrencode
    # mkdir /etc/wireguard
    umask 077
    cd /etc/wireguard
    wg genkey | tee sprivatekey | wg pubkey > spublickey
    wg genkey | tee cprivatekey | wg pubkey > cpublickey
    s1=$(cat sprivatekey)
    s2=$(cat spublickey)
    c1=$(cat cprivatekey)
    c2=$(cat cpublickey)
    # this lookup also needs the Internet; on an offline host set serverip by hand
    serverip=$(curl ipv4.icanhazip.com)
    port=$(rand 10000 60000)
    eth=$(ls /sys/class/net | awk '/^e/{print}')
    chmod 700 /etc/wireguard
    systemctl stop firewalld
    systemctl disable firewalld
    # yum install -y iptables-services
    systemctl enable iptables
    systemctl start iptables
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    service iptables save
    service iptables restart
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    sysctl -p
    # ... the rest of the function (wg0.conf, config_client, wg-quick up) is unchanged
That is, every step that needs Internet access is commented out. Then run the script and choose 2 to install WireGuard. Adding a client works the same way as on the Alibaba Cloud server, so it is not repeated here.
Up to this point everything went smoothly, and the "forced" part of the offline installation has not shown up yet. Here is one offline installation experience. The system was also CentOS 7, but the kernel version was 3.10.0-862: almost the same as the company's Alibaba Cloud server kernel, apart from a small difference at the end of the version number, yet with that small difference the installation failed. After installing wg offline as above, systemctl status wg-quick@wg0 showed the service had failed, and starting it with wg-quick up wg0 reported:
# sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
Most search results for this error message say to upgrade the kernel, but the environment and schedule did not allow a kernel upgrade. I had to keep digging and tried recompiling and installing WireGuard with dkms build:
dkms build wireguard/1.0.20210219-1
It reported an error. The error message pointed at the socket.c file; I found the corresponding line in the source file and saw that the failing function is IPv6-related. Fortunately we don't use IPv6, so I simply commented out the offending code.
Running dkms build again succeeded! Then run:
dkms install wireguard/1.0.20210219-1
Run wg-quick up wg0 again and wg starts successfully!!!
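"Protocol not supported" from ip link add means the running kernel has no WireGuard implementation to talk to (no built-in driver and no loaded module), so the question to answer before touching dkms is which of the possible states the host is in. The check below, an added example and not part of the original post, walks the same three stops in order: the module is already present in the kernel, a module is installed for this kernel and only needs loading, or only the dkms source tree exists and the module must be built for the running kernel. MODULE_VERSION is an assumption taken from the dkms command in the post; on a real host use what dkms status prints.

```bash
#!/bin/bash
# Added example: classify why "ip link add wg0 type wireguard" fails with
# "Protocol not supported" on the running kernel. Prints one line starting
# with loaded:, available:, dkms: or missing:, and returns 0 only when a wg
# interface can be created now (loaded) or after a modprobe (available).
MODULE_VERSION=1.0.20210219-1   # assumption, taken from the post's dkms command

wg_kernel_check() {
    krel=$(uname -r)
    # built-in driver (kernel >= 5.6) or module already loaded: sysfs entry exists
    if [ -d /sys/module/wireguard ]; then
        echo "loaded: wireguard is built in or already loaded on kernel $krel"
        return 0
    fi
    # module installed for this kernel but not loaded yet
    if modinfo wireguard >/dev/null 2>&1; then
        echo "available: wireguard module found for kernel $krel; run: modprobe wireguard"
        return 0
    fi
    # dkms has the source but no module was built for this exact kernel release
    if [ -d /var/lib/dkms/wireguard ]; then
        echo "dkms: source present but no module for kernel $krel; run: dkms build wireguard/$MODULE_VERSION -k $krel && dkms install wireguard/$MODULE_VERSION -k $krel"
        return 1
    fi
    echo "missing: no wireguard module for kernel $krel; wg-quick up wg0 will fail with 'Protocol not supported'"
    return 1
}

wg_kernel_check
```

The -k argument pins the dkms build to the kernel that is actually running, which is the case in the post: the package had been built against one 3.10.0 release and the host ran a slightly different one, so the module had to be rebuilt for that exact release.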