Wireguard 部署 SOP 手册（自用）

—

本文提到的所有密钥对及其内容均为虚构，为随机生成，请勿直接使用。

基础环境配置

安装操作系统

操作系统采用ubuntu server 24.04 LTS，Minimal配置。操作系统正常配置和安装即可，无特殊配置项。

安装好后正常切换镜像源、添加公钥、移除snapd。

1. 调整时区为CST：timedatectl set-timezone Asia/Shanghai；
2. 安装必要工具：apt install -y iputils-ping file；
3. 安装iptables：apt install -y iptables

调整NTP

1. 打开/etc/systemd/timesyncd.conf，添加以下NTP时钟源：

   [Time]
   NTP=time.windows.com time.apple.com
   FallbackNTP=ntp.aliyun.com

2. 重启相关服务：

   systemctl daemon-reload && systemctl restart systemd-timesyncd

3. 查看同步情况：

   timedatectl show-timesync

禁用IPv6

我如此执着这件事只有一个原因，这东西不安全且坑过我好几次。

1. 编辑Grub配置文件/etc/default/grub：

   GRUB_CMDLINE_LINUX_DEFAULT=""

   修改为

   GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"

2. 更新引导

   update-grub

3. 重启查看是否还有IPv6

启用转发

编辑/etc/sysctl.conf，末尾追加如下行

net.ipv4.ip_forward=1

应用：

sysctl -p

启用History时间记录和扩展记录条数

打开/etc/bash.bashrc，尾部加入如下内容：

export HISTTIMEFORMAT="[%F %T] "
export HISTSIZE=100000
export HISTFILESIZE=200000

source /etc/bash.bashrc后生效。

Zabbix Agent 配置

1. 按照Get Zabbix说明下载、安装和启动Zabbix Agent 2。

   wget https://repo.zabbix.com/zabbix/7.4/release/ubuntu/pool/main/z/zabbix-release/zabbix-release_latest_7.4+ubuntu24.04_all.deb
   dpkg -i zabbix-release_latest_7.4+ubuntu24.04_all.deb && rm -f zabbix-release_latest_7.4+ubuntu24.04_all.deb
   apt update && apt install -y zabbix-agent2

2. 创建Key存储文件夹：

   mkdir -p /etc/zabbix/tls

3. 生成PSK

   openssl rand -hex 64 > /etc/zabbix/tls/agent.psk

4. 修正权限使得只有Zabbix能够读取该PSK

   chown zabbix:zabbix /etc/zabbix/tls/agent.psk

   读一下PSK备用，不要泄露

   cat /etc/zabbix/tls/agent.psk

5. 编辑Zabbix配置文件/etc/zabbix/zabbix_agent2.conf

   # Pre-define
   PidFile=/run/zabbix/zabbix_agent2.pid
   LogFile=/var/log/zabbix/zabbix_agent2.log
   LogFileSize=0
   Server=127.0.0.1
   PluginSocket=/run/zabbix/agent.plugin.sock
   ControlSocket=/run/zabbix/agent.sock
   Include=/etc/zabbix/zabbix_agent2.d/plugins.d/*.conf
   Include=/etc/zabbix/zabbix_agent2.d/*.conf
   # Custom
   ServerActive=wgtest-01-aliyuncs.lxnchan.cn
   Hostname=wgtest-node1
   TLSConnect=psk
   TLSPSKIdentity=wgtest-node1
   TLSPSKFile=/etc/zabbix/tls/agent.psk

6. 在Zabbix上添加主机
   

Wireguard部署与配置

安装Wireguard

apt install -y wireguard

创建配置文件文件夹，并设置权限：

mkdir -p /etc/wireguard && cd /etc/wireguard && umask 077

配置Wireguard服务端

1. 创建密钥对

   wg genkey | tee server_private.key | wg pubkey > server_public.key

2. 读取一下私钥，请勿泄露：

   cat /etc/wireguard/server_private.key

3. 创建Wireguard配置文件/etc/wireguard/wg0.conf

   # !!!DO NOT EDIT THIS FILE DIRECTLY!!!
   # Use 'bash /root/wacs.sh' to make change.
   # Build by lxnchan(https://lxnchan.cn), 2026
   
   [Interface]
   Address = 100.1.0.1/24
   ListenPort = 51820
   PrivateKey = <YOUR PRIVATE KEY HERE>
   PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
   PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE

   将上面读取的私钥和接口名（如果不对）替换进去。
4. 启动配置：

   systemctl enable --now wg-quick@wg0

注意到此时服务端已经启动：

root@proxytest:/etc/wireguard# systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; preset: enabled)
     Active: active (exited) since Wed 2026-02-04 15:53:56 CST; 3s ago
    Process: 1160 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 1160 (code=exited, status=0/SUCCESS)
        CPU: 27ms

Feb 04 15:53:56 proxytest systemd[1]: Starting wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0...
Feb 04 15:53:56 proxytest wg-quick[1160]: [#] ip link add wg0 type wireguard
Feb 04 15:53:56 proxytest wg-quick[1160]: [#] wg setconf wg0 /dev/fd/63
Feb 04 15:53:56 proxytest wg-quick[1160]: [#] ip -4 address add 100.1.0.1/24 dev wg0
Feb 04 15:53:56 proxytest wg-quick[1160]: [#] ip link set mtu 1420 up dev wg0
Feb 04 15:53:56 proxytest wg-quick[1160]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp6s18 -j MASQUERADE
Feb 04 15:53:56 proxytest systemd[1]: Finished wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.
root@proxytest:/etc/wireguard# wg show
interface: wg0
  public key: k45d7H3Aa7WtWy4+BpB5BMjWFZ0gE2B4dtmFqLs/6Ac=
  private key: (hidden)
  listening port: 51820

创建客户端配置文件

该操作实际上不太符合官方流程。

1. 生成客户端的密钥对：

   wg genkey > client1.pri.key
   cat client1.pri.key | wg pubkey > client1.pub.key

   读取客户端的公钥备用：

   cat client1.pub.key
   # R3n9SHxah2pSlX8dzFekBV9v0xntM2ze1L/1aRQ+QFo=

2. 生成PSK（预共享密钥，可省略）：

   wg genpsk
   # lw68TjpK5VfJF/nYposXZ6U+RGRAwXBXP7P26ZwQeTc=

3. 打开服务端配置文件，在末尾追加如下配置段：

   [Peer]
   # 客户端的公钥
   PublicKey = R3n9SHxah2pSlX8dzFekBV9v0xntM2ze1L/1aRQ+QFo=
   # 给客户端分配的地址
   AllowedIPs = 100.1.0.2/32
   # PSK
   PresharedKey = lw68TjpK5VfJF/nYposXZ6U+RGRAwXBXP7P26ZwQeTc=

   然后重载配置：

   systemctl reload wg-quick@wg0

4. 手搓客户端的配置文件：

   [Interface]
   # 服务端给分配的地址
   Address = 100.1.0.2/32
   DNS = 119.29.29.29
   # 客户端私钥（client1.pri.key）
   PrivateKey = oNiMerz81tdB9pOlxb/a/f29trLY0xzq23FQtpecPnk=
   
   [Peer]
   AllowedIPs = 0.0.0.0/0
   # 服务器地址及端口号
   Endpoint = wgtest-01-aliyuncs.lxnchan.cn:51820
   PersistentKeepalive = 25
   # PSK，需要与服务端给该Peer配置中的相同
   PreSharedKey = lw68TjpK5VfJF/nYposXZ6U+RGRAwXBXP7P26ZwQeTc=
   # 对端公钥
   PublicKey = k45d7H3Aa7WtWy4+BpB5BMjWFZ0gE2B4dtmFqLs/6Ac=

   传送到客户端即可使用。

查看客户端连接状态

使用wg show命令查看已连接客户端：

root@proxytest:~# wg show
interface: wg0
  public key: k45d7H3Aa7WtWy4+BpB5BMjWFZ0gE2B4dtmFqLs/6Ac=
  private key: (hidden)
  listening port: 51820

peer: R3n9SHxah2pSlX8dzFekBV9v0xntM2ze1L/1aRQ+QFo=
  preshared key: (hidden)
  endpoint: 10.0.50.48:49861
  allowed ips: 100.1.0.2/32
  latest handshake: 10 seconds ago
  transfer: 3.07 KiB received, 124 B sent

显示Peer具备latest handshake时间意味着在此时间前进行过有效的握手，下面是传送的数据量。

用户部分

Windows

1. 下载安装包：

   https://download.wireguard.com/windows-client/wireguard-amd64-0.5.3.msi

2. 安装
   
3. 选择“从文件导入隧道”，然后选择传送到客户端的配置文件
   
4. 选择连接
   
5. 接收数据量不为0则成功，可以进行其他测试
   
   tracert一下观察到流量流经了Wireguard服务器，证明成功
   

Android

1. 在Google Play搜索安装Wireguard
   
2. 点击右下角“+”，选择从文件导入，选择配置文件并导入
3. 开启连接即可，观察到接收数据量不为零即可
   

iOS

1. 在AppStore搜索安装Wireguard
2. 点击右上角“+”，选择导入配置，选择配置文件
3. 如果询问是否允许创建VPN，选择允许，然后输入手机密码
4. 启用隧道即可

工具

Wireguard Automatic Configuration Script(WACS.sh)

#!/bin/bash

# Wireguard Automatic Configuration Script
# Build by licongwen, 2026
# https://lxnchan.cn

if [ $# -ne 2 ]; then
    echo "Usage: $0 <ClinetName> <ClientIP> (Example: peter 10.1.1.3)"
    exit 1
fi

# =========== Configuration Area ===========

CLIENT_NAME=$1
CLIENT_IP=$2/32
# Path to wg0.conf
CONFIG_FILE="/etc/wireguard/wg0.conf"
# Interface Name
INTERFACE="wg0"

# Server Configuration
SERVER_PUBLIC_KEY="00W3F9L2YIcDd0H+FSHjok+ttx6zn6nyouwPDVMFX0Q="
SERVER_ENDPOINT="10.0.51.166:51821"
DNS="119.29.29.29"
ALLOWED_IPS_CLIENT="0.0.0.0/0"

# =========== End of Configuration ===========

CLIENT_PRIVATE_KEY=$(wg genkey)
CLIENT_PUBLIC_KEY=$(echo "$CLIENT_PRIVATE_KEY" | wg pubkey)

PSK=$(wg genpsk)

if [ ! -f "$CONFIG_FILE" ]; then
    echo "Failed: $CONFIG_FILE Not Found."
    exit 1
fi

echo "" >> "$CONFIG_FILE"
echo "# $CLIENT_NAME - $(date '+%Y-%m-%d %H:%M:%S')" >> "$CONFIG_FILE"
echo "[Peer]" >> "$CONFIG_FILE"
echo "PublicKey = $CLIENT_PUBLIC_KEY" >> "$CONFIG_FILE"
echo "PresharedKey = $PSK" >> "$CONFIG_FILE"
echo "AllowedIPs = $CLIENT_IP" >> "$CONFIG_FILE"

#wg syncconf "$INTERFACE" <(wg-quick strip "$CONFIG_FILE")
systemctl reload wg-quick@$INTERFACE
if [ $? -eq 0 ]; then
    echo "Update successfully."
else
    echo "Update FAILED!"
    exit 1
fi

echo "Your Configuration file (client-$CLIENT_NAME.conf):"
echo ""
echo "[Interface]"
echo "PrivateKey = $CLIENT_PRIVATE_KEY"
echo "Address = $CLIENT_IP"
echo "DNS = $DNS"
echo ""
echo "[Peer]"
echo "PublicKey = $SERVER_PUBLIC_KEY"
echo "PresharedKey = $PSK"
echo "AllowedIPs = $ALLOWED_IPS_CLIENT"
echo "Endpoint = $SERVER_ENDPOINT"
echo "PersistentKeepalive = 25"

echo ""