OpenVPN and WireGuard

Working overtime away from home over the New Year holiday was inconvenient: at home the firewall has an IPsec site-to-site tunnel into the VPC in the cloud, but when I'm out I need a client VPN to do the same things.

So I installed OpenVPN and WireGuard on a server, for convenient access into the VPC. WireGuard has been out for a long time. The reason I never used it is that it hasn't been tested by history and has no big company backing it; only time refines true gold, and it hasn't been around long enough to prove it can't be broken. But Jess said some of the low-level stuff already runs on WireGuard, so I figured, if everyone is that casual about it, I'll use it too.


OpenVPN counts as a traditional skill.

Back in the China Mobile cmwap era I was already using it to tunnel through the WAP gateway and get onto cmnet, burning many GB of traffic in those 2.5G days on a 20 yuan/month plan. The cert initialization in the new easyrsa seems to have changed a little; after all, it has been almost ten years since I last used it, because its traffic signature is obvious and easily detected by the GFW. Later I mostly used IPsec, which the GFW didn't block.

./easyrsa init-pki
./easyrsa build-ca nopass                  # nopass: the CA key sits unencrypted on this host
./easyrsa gen-dh
./easyrsa build-server-full server nopass
./easyrsa build-client-full client nopass  # one cert per device is the better habit; see duplicate-cn below


systemctl enable openvpn-server@server
systemctl start openvpn-server@server

server.conf

# not needed under the openvpn-server@ systemd unit, which supervises the process itself
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 443
dev tun
# the two CBC entries are not AEAD; a 2.5+ client negotiates GCM anyway, so they only serve old clients
data-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
# deprecated in 2.5+; data-ciphers-fallback is the replacement
cipher AES-128-CBC
keepalive 15 60
verb 3
# lets several devices share the single "client" cert; the price is that one
# device cannot be revoked without cutting off all of them
duplicate-cn
# full tunnel for any client that honours pushed routes; the client below
# overrides this with route-nopull
push "redirect-gateway def1"
# no tls-auth/tls-crypt here, so the client's key-direction line has nothing to apply to
ca /etc/openvpn/server/ca.crt
dh /etc/openvpn/server/dh.pem
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
status-version 2
status status 5

client.conf

client
dev tun
proto udp
remote 15.15.18.19 443
# accept packets from an address other than `remote`; rarely needed on a client
float
data-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
# deprecated in 2.5+; the CBC entries above only exist for this fallback
cipher AES-128-CBC
keepalive 15 60
# require the server cert's server EKU, so a stolen client cert cannot impersonate the server
remote-cert-tls server
# only meaningful together with tls-auth, and this file has no <tls-auth> block
key-direction 1
resolv-retry infinite
nobind
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
# ignore everything the server pushes, including redirect-gateway def1, and
# send only the VPC ranges below through the tunnel (split tunnel)
route-nopull
route 10.2.0.0 255.255.0.0 vpn_gateway
route 10.3.0.0 255.255.0.0 vpn_gateway
route 10.4.0.0 255.255.0.0 vpn_gateway
route 10.5.0.0 255.255.0.0 vpn_gateway
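The two files above work, but they were written for convenience rather than least privilege: no control-channel key, no CRL, a shared client cert, CBC fallbacks and a process that stays root. The following server.conf is an added example, not the author's file; the certificate paths are the ones used above, while the ta.key and crl.pem paths, the `nobody` group name and the pushed VPC routes are assumptions.

```conf
# /etc/openvpn/server/server.conf, hardened (added example, not the page's file)
server 10.8.0.0 255.255.255.0
topology subnet
proto udp
port 443
dev tun

ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   /etc/openvpn/server/dh.pem

# Control-channel protection. Key made with
#   openvpn --genkey secret /etc/openvpn/server/ta.key
# and copied into the client inside <tls-crypt>...</tls-crypt>. Packets
# without a valid MAC are dropped before the TLS stack ever sees them, and
# the TLS handshake itself travels encrypted.
tls-crypt /etc/openvpn/server/ta.key

# Revocation: after `./easyrsa revoke <name>` run `./easyrsa gen-crl` and
# copy pki/crl.pem here. Without this line a revoked cert still connects.
crl-verify /etc/openvpn/server/crl.pem

# Refuse a peer that presents a server certificate as a client.
remote-cert-tls client

# AEAD ciphers only; no CBC entries and no deprecated `cipher` line.
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

# One certificate per device, so a lost laptop can be revoked alone:
# no duplicate-cn.

# Split tunnel decided by the server: push only the VPC ranges instead of
# redirect-gateway, so clients need neither route-nopull nor their own routes.
push "route 10.2.0.0 255.255.0.0"
push "route 10.3.0.0 255.255.0.0"
push "route 10.4.0.0 255.255.0.0"
push "route 10.5.0.0 255.255.0.0"

# Drop root once the tun device and key material are set up; persist-* lets
# the unprivileged process keep them across restarts. The group is `nobody`
# on Fedora/RHEL (where dnf is used); Debian calls it `nogroup`.
user nobody
group nobody
persist-key
persist-tun

keepalive 15 60
verb 3
# No `daemon` and no `status` line: the openvpn-server@ systemd unit
# supervises the process and writes its own status file.
```

The matching client changes are: remove `key-direction 1` (it applies to tls-auth only) and add a `<tls-crypt>…</tls-crypt>` block holding the same ta.key; add `tls-version-min 1.2`; drop the CBC entries and the `cipher` line; drop `route-nopull` and the four `route` lines, since the server now pushes them. Separately, the `nopass` in `build-ca` leaves the CA key unencrypted on the VPN server; a CA that is going to sign more than one throwaway cert belongs on a machine that is not reachable from the internet.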

WireGuard counts as a new skill. This was my first time installing it on Linux, and it is incredibly simple.

dnf install wireguard-tools -y
cd /etc/wireguard
# run this with umask 077 so the private key file is readable by root only
wg genkey | tee server_privateKey | wg pubkey > server_publicKey
vi wg0.conf

[Interface]
Address = 10.254.254.1/24
# wg-quick rewrites this file on shutdown: comments such as #OfficeMac are lost
SaveConfig = true
ListenPort = 51820
# the contents of server_privateKey. Never paste the real value into a post:
# a key that has been published has to be treated as compromised and regenerated
PrivateKey = <contents of server_privateKey>

#OfficeMac
[Peer]
# cryptokey routing: only this destination is sent to the peer, and a packet
# from the peer with any other source address is dropped
AllowedIPs = 10.254.254.11/32
PublicKey = kMp2fqFE+GXcfR06u+NI2KeFDeEPlSvG1uefrrDBPEA=

systemctl enable wg-quick@wg0.service
systemctl restart wg-quick@wg0.service

And on FreeBSD:

pkg install wireguard-tools
cd /usr/local/etc/
mkdir wireguard && cd wireguard
# create the key with umask 077 so it is not world-readable; wg0.conf lives
# in this directory and uses the same format as the Linux file above
wg genkey | tee server_privateKey | wg pubkey > server_publicKey

sysrc wireguard_enable="YES"
sysrc wireguard_interfaces="wg0"
/usr/local/etc/rc.d/wireguard start
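Both the Linux and the FreeBSD setup above stop at the server's [Interface] and the OfficeMac [Peer]; the client's own wg0.conf, and the forwarding the server needs to actually reach the VPC, are not shown. The Mac side follows as an added example (not the author's file). It assumes the server is reachable at 203.0.113.10 (a documentation address standing in for the real one), that its public key is the contents of server_publicKey, and that the VPC subnets are the 10.2.0.0/16 to 10.5.0.0/16 ranges routed by the OpenVPN client above.

```conf
# wg0.conf on OfficeMac (added example; the endpoint address is an assumption)
[Interface]
# Must match the /32 the server granted this peer in its AllowedIPs.
Address = 10.254.254.11/32
# Generated on the Mac with `wg genkey`; only the matching public key
# (`wg pubkey`) is ever copied to the server.
PrivateKey = <contents of the Mac's private key file>
# Optional: a resolver inside the VPC, so internal names resolve over the tunnel.
# DNS = 10.2.0.2

[Peer]
# The server's public key, i.e. the contents of server_publicKey above.
PublicKey = <contents of server_publicKey>
Endpoint = 203.0.113.10:51820
# Cryptokey routing, both directions: only these destinations are sent into
# the tunnel (split tunnel, the equivalent of route-nopull plus the four
# route lines in client.conf), and a packet arriving from this peer with any
# other source address is dropped. 0.0.0.0/0 here would be the
# redirect-gateway equivalent.
AllowedIPs = 10.254.254.0/24, 10.2.0.0/16, 10.3.0.0/16, 10.4.0.0/16, 10.5.0.0/16
# Keeps the NAT/firewall mapping open from behind the office network;
# WireGuard is otherwise silent until there is traffic.
PersistentKeepalive = 25
```

For packets to the 10.x/16 ranges to leave the tunnel and reach the VPC, the server has to forward them: on Linux `sysctl -w net.ipv4.ip_forward=1` (or a `PostUp` line in the server's [Interface]) plus either a VPC route-table entry sending 10.254.254.0/24 back to the server's instance (with source/destination checking disabled on it) or a `MASQUERADE` rule on its VPC-facing interface; on FreeBSD `sysrc gateway_enable=YES`. The OpenVPN server above needs the same forwarding. Check with `wg show` on both ends: a peer that never gets a `latest handshake` usually has a public key typo or a blocked UDP port.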