{"id":710,"date":"2026-06-21T23:58:16","date_gmt":"2026-06-21T15:58:16","guid":{"rendered":"https:\/\/dreamc.top\/?p=710"},"modified":"2026-06-21T23:52:07","modified_gmt":"2026-06-21T15:52:07","slug":"ddns_wiregurad","status":"publish","type":"post","link":"https:\/\/dreamc.top\/index.php\/2026\/06\/21\/ddns_wiregurad\/","title":{"rendered":"OpenWrt + IPv6 DDNS + wiregurad \u5168 VPN \u7ec4\u7f51\u843d\u5730\u624b\u518c"},"content":{"rendered":"<h1 id=\"openwrt-ipv6-ddns-wiregurad-\u5168-vpn-\u7ec4\u7f51\u843d\u5730\u624b\u518c\"><span class=\"ez-toc-section\" id=\"OpenWrt_IPv6_DDNS_wiregurad_%E5%85%A8_VPN_%E7%BB%84%E7%BD%91%E8%90%BD%E5%9C%B0%E6%89%8B%E5%86%8C\"><\/span>OpenWrt + IPv6 DDNS + wiregurad \u5168 VPN \u7ec4\u7f51\u843d\u5730\u624b\u518c<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2 id=\"wireguard-\u4e3a\u6838\u5fc3-\u516c\u7f51\u96f6\u670d\u52a1\u66b4\u9732-\u591a-os-\u5ba2\u6237\u7aef-\u53cc\u5411\u8bbf\u95ee-\u591a\u7ad9\u70b9\u4e92\u8054\"><span class=\"ez-toc-section\" id=\"WireGuard_%E4%B8%BA%E6%A0%B8%E5%BF%83_%C2%B7_%E5%85%AC%E7%BD%91%E9%9B%B6%E6%9C%8D%E5%8A%A1%E6%9A%B4%E9%9C%B2_%C2%B7_%E5%A4%9A_OS_%E5%AE%A2%E6%88%B7%E7%AB%AF_%C2%B7_%E5%8F%8C%E5%90%91%E8%AE%BF%E9%97%AE_%C2%B7_%E5%A4%9A%E7%AB%99%E7%82%B9%E4%BA%92%E8%81%94\"><\/span>WireGuard \u4e3a\u6838\u5fc3 \u00b7 \u516c\u7f51\u96f6\u670d\u52a1\u66b4\u9732 \u00b7 \u591a OS \u5ba2\u6237\u7aef \u00b7 \u53cc\u5411\u8bbf\u95ee \u00b7 \u591a\u7ad9\u70b9\u4e92\u8054<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<blockquote><strong>\u73af\u5883\u524d\u63d0<\/strong>:OpenWrt \u4e0a DNSPod(\u817e\u8baf\u4e91)IPv6 DDNS \u5df2\u914d\u597d,\u5373\u5b58\u5728\u4e00\u6761 AAAA \u8bb0\u5f55(\u5982 <code>router.example.com<\/code>)\u80fd\u7a33\u5b9a\u89e3\u6790\u5230\u8def\u7531\u5668\u5f53\u524d\u7684\u516c\u7f51 IPv6\u3002\n\n<strong>\u672c\u624b\u518c\u7684\u6838\u5fc3\u601d\u8def<\/strong>:\u65e2\u7136 DDNS 
\u5df2\u7ecf\u8ba9&#8221;\u8def\u7531\u5668&#8221;\u5728\u516c\u7f51\u53ef\u88ab\u7a33\u5b9a\u5bfb\u5740,\u6211\u4eec\u5c31\u53ea\u628a <strong>WireGuard \u7684 UDP 51820 \u7aef\u53e3<\/strong>\u66b4\u9732\u5728\u516c\u7f51(\u7ecf IPv6),\u5176\u4f59\u4e00\u5207\u670d\u52a1(NAS\u3001HA\u3001Jellyfin\u3001SSH\u3001RDP\u2026)\u90fd<strong>\u4e0d\u66b4\u9732\u516c\u7f51<\/strong>,\u5168\u90e8\u901a\u8fc7 VPN \u96a7\u9053\u6309\u5185\u7f51\u57df\u540d\/\u5730\u5740\u8bbf\u95ee\u3002\u8fd9\u6837:\n<ul>\n<li>\u5916\u90e8\u8bbf\u95ee\u5185\u7f51 Web \u670d\u52a1 \u2192 \u62e8\u5165 VPN \u540e\u7528 <code>nas.lan<\/code> \u8bbf\u95ee<\/li>\n<li>\u5916\u90e8\u7ba1\u7406\u5185\u7f51\u8bbe\u5907(SSH\/RDP)\u2192 \u62e8\u5165 VPN \u540e\u76f4\u8fde\u5185\u7f51 IP<\/li>\n<li>\u591a\u7ad9\u70b9\u4e92\u8054(\u5bb6\u2194\u7236\u6bcd\u5bb6\u2194\u529e\u516c\u5ba4)\u2192 \u4e24\u4e2a OpenWrt \u4e4b\u95f4\u7ad9\u70b9\u5bf9\u7ad9\u70b9 WG<\/li>\n<li>\u5185\u7f51\u8bbe\u5907\u4e3b\u52a8\u8fde\u5916(\u53cd\u5411)\u2192 \u96a7\u9053\u5929\u7136\u53cc\u5411,\u5bb6\u91cc\u4e5f\u80fd\u4e3b\u52a8\u8fde\u5230\u5df2\u62e8\u5165\u7684\u624b\u673a\/\u7b14\u8bb0\u672c\u4e0a\u7684\u670d\u52a1<\/li>\n<\/ul>\n<\/blockquote>\n<hr>\n<h2 id=\"0-\u7ea6\u5b9a\u4e0e\u5730\u5740\u89c4\u5212\u5168\u6587\u7edf\u4e00\u7167\u6284\u524d\u5148\u6539\u6210\u4f60\u81ea\u5df1\u7684\"><span class=\"ez-toc-section\" id=\"0_%E7%BA%A6%E5%AE%9A%E4%B8%8E%E5%9C%B0%E5%9D%80%E8%A7%84%E5%88%92%E5%85%A8%E6%96%87%E7%BB%9F%E4%B8%80%E7%85%A7%E6%8A%84%E5%89%8D%E5%85%88%E6%94%B9%E6%88%90%E4%BD%A0%E8%87%AA%E5%B7%B1%E7%9A%84\"><\/span>0. 
\u7ea6\u5b9a\u4e0e\u5730\u5740\u89c4\u5212(\u5168\u6587\u7edf\u4e00,\u7167\u6284\u524d\u5148\u6539\u6210\u4f60\u81ea\u5df1\u7684)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u4e3a\u907f\u514d\u6b67\u4e49,\u5168\u6587\u4f7f\u7528\u4ee5\u4e0b\u5730\u5740\u6bb5\u3002<strong>\u5b9e\u65bd\u524d\u8bf7\u66ff\u6362\u4e3a\u4f60\u81ea\u5df1\u7684<\/strong>,\u4e14\u591a\u7ad9\u70b9\u65f6\u5404\u7ad9\u70b9 LAN \u6bb5<strong>\u4e0d\u80fd\u91cd\u53e0<\/strong>\u3002<\/p>\n<table>\n<thead>\n<tr>\n<th>\u7528\u9014<\/th>\n<th>IPv4<\/th>\n<th>IPv6 (ULA)<\/th>\n<th>\u8bf4\u660e<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\u5bb6\u91cc LAN<\/td>\n<td><code>192.168.1.0\/24<\/code><\/td>\n<td><code>fd00:cafe:1::\/64<\/code><\/td>\n<td>\u8def\u7531\u5668 = <code>.1<\/code> \/ <code>::1<\/code><\/td>\n<\/tr>\n<tr>\n<td>\u7ad9\u70b9 B(\u7236\u6bcd\u5bb6)LAN<\/td>\n<td><code>192.168.2.0\/24<\/code><\/td>\n<td><code>fd00:cafe:2::\/64<\/code><\/td>\n<td>\u8def\u7531\u5668 = <code>.1<\/code> \/ <code>::1<\/code><\/td>\n<\/tr>\n<tr>\n<td>WireGuard \u96a7\u9053<\/td>\n<td><code>10.200.0.0\/24<\/code><\/td>\n<td><code>fd00:cafe:9::\/64<\/code><\/td>\n<td>\u670d\u52a1\u7aef = <code>.1<\/code> \/ <code>::1<\/code><\/td>\n<\/tr>\n<tr>\n<td>DDNS \u57df\u540d<\/td>\n<td>\u2014<\/td>\n<td>\u2014<\/td>\n<td><code>router.example.com<\/code>(\u7ad9\u70b9 B \u7528 <code>router-b.example.com<\/code>)<\/td>\n<\/tr>\n<tr>\n<td>\u5185\u90e8\u57df\u540d\u540e\u7f00<\/td>\n<td>\u2014<\/td>\n<td>\u2014<\/td>\n<td><code>.lan<\/code>(\u7531\u8def\u7531\u5668 dnsmasq \u89e3\u6790)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<blockquote><strong>\u4e3a\u4ec0\u4e48 VPN \u96a7\u9053\u540c\u65f6\u914d v4 \u548c v6 \u5730\u5740?<\/strong> \u5f88\u591a\u5ba2\u6237\u7aef\u6240\u5728\u7f51\u7edc\u53ea\u6709 v4,\u96a7\u9053\u8d70 v4 \u66f4\u517c\u5bb9;\u800c\u5bb6\u91cc\u5185\u7f51\u53c8\u6709 v6 
\u670d\u52a1\u3002\u53cc\u6808\u96a7\u9053\u8ba9\u4e24\u79cd\u8d44\u6e90\u90fd\u80fd\u5230\u8fbe\u3002\n<\/blockquote>\n<hr>\n<h2 id=\"1-\u524d\u7f6e\u786e\u8ba4dnspod-ddns-\u7aef\u70b9\u53ef\u7528\u6027\"><span class=\"ez-toc-section\" id=\"1_%E5%89%8D%E7%BD%AE%E7%A1%AE%E8%AE%A4_DNSPod_DDNS_%E7%AB%AF%E7%82%B9%E5%8F%AF%E7%94%A8%E6%80%A7\"><\/span>1. \u524d\u7f6e\u786e\u8ba4:DNSPod DDNS \u7aef\u70b9\u53ef\u7528\u6027<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>WireGuard \u5ba2\u6237\u7aef\u7684 <code>Endpoint<\/code> \u4f1a\u5199\u6210 <code>router.example.com:51820<\/code>,\u6240\u4ee5\u8fd9\u6761 AAAA \u5fc5\u987b\u59cb\u7ec8\u6307\u5411\u8def\u7531\u5668<strong>\u5f53\u524d<\/strong>\u7684\u516c\u7f51 GUA\u3002\u5148\u9a8c\u8bc1:<\/p>\n<pre><code class=\"language-sh\"># \u5728\u4efb\u610f\u516c\u7f51\u4e3b\u673a(\u6216\u624b\u673a\u8702\u7a9d\u7f51\u7edc)\u4e0a\ndig AAAA router.example.com +short\n# \u5e94\u8f93\u51fa\u7c7b\u4f3c 2408:xxxx:xxxx:xxxx::1\n\n# \u9a8c\u8bc1\u5b83\u6b63\u662f\u8def\u7531\u5668 WAN \u5f53\u524d\u7684 GUA(\u5728 OpenWrt \u4e0a)\nip -6 addr show pppoe-wan 2&gt;\/dev\/null || ip -6 addr show wan 2&gt;\/dev\/null\n# \u6216\nifstatus wan | jsonfilter -e &#039;@[&quot;ipv6-address&quot;][0].address&#039;\n<\/code><\/pre>\n<p>\u82e5\u4e24\u8005\u4e00\u81f4 \u2192 DDNS \u6b63\u5e38\u3002\u82e5\u4e0d\u4e00\u81f4 \u2192 \u5148\u4fee DDNS(\u89c1\u9644\u5f55 C \u7684 DNSPod \u66f4\u65b0\u811a\u672c\u4e0e\u6392\u67e5)\u3002<\/p>\n<blockquote><strong>\u91cd\u8981\u63d0\u9192<\/strong>:\u5ba2\u6237\u7aef\u6240\u5728\u7f51\u7edc<strong>\u5fc5\u987b\u6709 IPv6<\/strong>\u624d\u80fd\u8fde\u5230\u8fd9\u4e2a v6 \u7aef\u70b9\u3002\u82e5\u4f60\u7684\u5ba2\u6237\u7aef\u5e38\u51fa\u73b0\u5728\u7eaf v4 \u73af\u5883(\u5f88\u591a\u516c\u53f8 WiFi\u3001\u90e8\u5206\u8702\u7a9d),\u5efa\u8bae\u4e8c\u9009\u4e00:\n<ol>\n<li>\u5411\u8fd0\u8425\u5546\u8981\u516c\u7f51 IPv4,DDNS \u540c\u65f6\u7ef4\u62a4 A \u8bb0\u5f55,WG 
\u7aef\u70b9\u7528\u57df\u540d(\u81ea\u52a8\u9009 v4\/v6);<\/li>\n<li>\u7528\u4e00\u53f0\u4fbf\u5b9c VPS \u505a WG \u4e2d\u7ee7(VPS \u6709\u53cc\u6808),\u5ba2\u6237\u7aef\u8fde VPS,VPS \u518d\u8fde\u5bb6\u91cc\u3002\u672c\u624b\u518c\u4e3b\u6d41\u7a0b\u6309&#8221;IPv6 \u7aef\u70b9&#8221;\u5199,VPS \u4e2d\u7ee7\u89c1 \u00a78\u3002<\/li>\n<\/ol>\n<\/blockquote>\n<hr>\n<h2 id=\"2-openwrt-wireguard-\u670d\u52a1\u7aef\u914d\u7f6e\u5bb6\u91cc\u8def\u7531\u5668\"><span class=\"ez-toc-section\" id=\"2_OpenWrt_WireGuard_%E6%9C%8D%E5%8A%A1%E7%AB%AF%E9%85%8D%E7%BD%AE%E5%AE%B6%E9%87%8C%E8%B7%AF%E7%94%B1%E5%99%A8\"><\/span>2. OpenWrt WireGuard \u670d\u52a1\u7aef\u914d\u7f6e(\u5bb6\u91cc\u8def\u7531\u5668)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3 id=\"21-\u5b89\u88c5\"><span class=\"ez-toc-section\" id=\"21_%E5%AE%89%E8%A3%85\"><\/span>2.1 \u5b89\u88c5<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<blockquote>\n\u26a0\ufe0f <strong>\u5148\u786e\u8ba4\u4f60\u7684\u5305\u7ba1\u7406\u5668<\/strong>\u3002OpenWrt 24.10+ \/ 25.x \u5df2\u4ece <code>opkg<\/code> \u5207\u6362\u5230 <code>apk<\/code>;\u65e7\u7248(23.05 \u53ca\u66f4\u65e9)\u4ecd\u662f <code>opkg<\/code>\u3002\u4e0b\u9762\u7ed9\u51fa\u4e24\u5957\u547d\u4ee4,<strong>\u53ea\u8dd1\u4f60\u90a3\u5957<\/strong>\u3002\u5224\u65ad\u65b9\u6cd5:\u80fd\u8dd1 <code>apk<\/code> \u5c31\u662f\u65b0\u56fa\u4ef6\u3002\n<\/blockquote>\n<p><strong>OpenWrt 25.x \/ 24.10(apk):<\/strong><\/p>\n<pre><code class=\"language-sh\">apk update\napk add wireguard-tools luci-proto-wireguard qrencode\n<\/code><\/pre>\n<p><strong>OpenWrt 23.05 \u53ca\u66f4\u65e9(opkg):<\/strong><\/p>\n<pre><code class=\"language-sh\">opkg update\nopkg install wireguard-tools luci-proto-wireguard qrencode\n<\/code><\/pre>\n<blockquote><code>luci-proto-wireguard<\/code> \u8ba9\u4f60\u80fd\u5728 LuCI \u91cc\u7ba1\u7406(\u5426\u5219 LuCI \u663e\u793a&#8221;\u4e0d\u652f\u6301\u7684\u534f\u8bae\u7c7b\u578b&#8221;);<code>qrencode<\/code> 
\u7528\u4e8e\u7ed9\u624b\u673a\u751f\u6210\u4e8c\u7ef4\u7801\u3002\n\n<strong>\u88c5\u5b8c LuCI \u6269\u5c55\u540e,\u82e5 LuCI \u4ecd\u663e\u793a&#8221;\u4e0d\u652f\u6301\u7684\u534f\u8bae&#8221;,\u6216\u65b0\u88c5\u7684\u534f\u8bae\u63a5\u53e3 <code>ifup<\/code> \u9759\u9ed8\u5931\u8d25,\u6267\u884c <code>\/etc\/init.d\/network restart<\/code>(\u4e0d\u662f reload)\u91cd\u542f netifd<\/strong>,\u8ba9\u5b83\u91cd\u65b0\u626b\u63cf\u534f\u8bae\u811a\u672c(<code>\/lib\/netifd\/proto\/wireguard.sh<\/code>)\u3002\u8be6\u89c1 \u00a72.7\u3002\n\n<strong>\u5b58\u50a8\u7a7a\u95f4\u63d0\u793a<\/strong>:WireGuard \u76f8\u5173\u5305\u603b\u8ba1\u7ea6 350\u2013500 KB,\u4f46 64MB flash \u8bbe\u5907(\u5982\u65b0\u8def\u75313)\u88c5\u5b8c\u5305\u540e\u52a1\u5fc5\u6e05\u7f13\u5b58:<code>apk cache clean<\/code> \u6216 <code>rm -f \/var\/opkg-lists\/*<\/code>(opkg)\u3002<code>OK: 31.1 MiB in 216 packages<\/code> \u8fd9\u7c7b\u8f93\u51fa\u662f<strong>\u5168\u7cfb\u7edf\u5df2\u88c5\u603b\u91cf<\/strong>,\u4e0d\u662f\u672c\u6b21\u5b89\u88c5\u5927\u5c0f,\u522b\u88ab\u5413\u5230\u3002\u7a7a\u95f4\u7d27\u5f20\u5c31\u6302 extroot\u3002\n<\/blockquote>\n<h3 id=\"22-\u751f\u6210\u670d\u52a1\u7aef\u5bc6\u94a5\u5bf9\"><span class=\"ez-toc-section\" id=\"22_%E7%94%9F%E6%88%90%E6%9C%8D%E5%8A%A1%E7%AB%AF%E5%AF%86%E9%92%A5%E5%AF%B9\"><\/span>2.2 \u751f\u6210\u670d\u52a1\u7aef\u5bc6\u94a5\u5bf9<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre><code class=\"language-sh\">mkdir -p \/etc\/wireguard                       # \u76ee\u5f55\u9ed8\u8ba4\u4e0d\u5b58\u5728,\u5fc5\u987b\u5148\u5efa\nwg genkey | tee \/etc\/wireguard\/server.key | wg pubkey &gt; \/etc\/wireguard\/server.pub\nchmod 600 \/etc\/wireguard\/server.key\ncat \/etc\/wireguard\/server.pub                 # \u8bb0\u4e0b\u516c\u94a5,\u5ba2\u6237\u7aef [Peer] PublicKey \u7528\n<\/code><\/pre>\n<blockquote>\n\u7528<strong>\u7edd\u5bf9\u8def\u5f84<\/strong>\u751f\u6210,\u522b <code>cd \/etc\/wireguard<\/code> 
\u540e\u518d\u751f\u6210\u2014\u2014\u8be5\u76ee\u5f55\u53ef\u80fd\u4e0d\u5b58\u5728\u5bfc\u81f4 <code>cd<\/code> \u5931\u8d25,\u540e\u7eed\u547d\u4ee4\u5c31\u5728\u9519\u8bef\u76ee\u5f55(<code>\/root<\/code>)\u6267\u884c,\u6587\u4ef6\u4f4d\u7f6e\u5bf9\u4e0d\u4e0a\u3002\n\n\u79c1\u94a5\u968f\u540e\u4f1a\u5199\u5165 <code>\/etc\/config\/network<\/code> \u7684 <code>wg0.private_key<\/code> \u5b57\u6bb5(\u7531 uci \u5b8c\u6210),<code>server.key<\/code> \u6587\u4ef6\u53ea\u662f\u4e2d\u8f6c\u4e0e\u5907\u4efd,\u5220\u6389\u4e0d\u5f71\u54cd\u8fd0\u884c(\u5efa\u8bae\u79bb\u7ebf\u5907\u4efd,\u522b\u4e0a\u4f20\u4e91\u7aef)\u3002\n<\/blockquote>\n<h3 id=\"23-\u914d\u7f6e\u63a5\u53e3-etcconfignetwork\"><span class=\"ez-toc-section\" id=\"23_%E9%85%8D%E7%BD%AE%E6%8E%A5%E5%8F%A3_etcconfignetwork\"><\/span>2.3 \u914d\u7f6e\u63a5\u53e3 <code>\/etc\/config\/network<\/code><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u7528 <code>uci<\/code> \u6216\u76f4\u63a5\u7f16\u8f91\u3002\u4e0b\u9762\u7528 uci \u6279\u91cf\u5199\u5165(\u53ef\u6574\u4f53\u7c98\u8d34):<\/p>\n<pre><code class=\"language-sh\">uci -q delete network.wg0\nuci set network.wg0=&#039;interface&#039;\nuci set network.wg0.proto=&#039;wireguard&#039;\nuci set network.wg0.private_key=&quot;$(cat \/etc\/wireguard\/server.key)&quot;\nuci set network.wg0.listen_port=&#039;51820&#039;\nuci add_list network.wg0.addresses=&#039;10.200.0.1\/24&#039;\nuci add_list network.wg0.addresses=&#039;fd00:cafe:9::1\/64&#039;\nuci commit network\n<\/code><\/pre>\n<blockquote>\n\u26a0\ufe0f <strong>\u5fc5\u987b <code>uci commit<\/code><\/strong>\u3002<code>uci show<\/code> \u770b\u5230\u7684\u662f uci \u5185\u5b58\u72b6\u6001,netifd \u8bfb\u7684\u662f <code>\/etc\/config\/network<\/code> \u6587\u4ef6\u3002\u6f0f commit \u4f1a\u5bfc\u81f4 netifd \u6839\u672c\u4e0d\u77e5\u9053\u6709 wg0,<code>ifup wg0<\/code> \u9759\u9ed8\u5931\u8d25\u3002\u9a8c\u8bc1:<code>grep -A10 &quot;config interface &#039;wg0&#039;&quot; 
\/etc\/config\/network<\/code> \u80fd\u770b\u5230\u624d\u7b97\u771f\u5199\u8fdb\u53bb\u4e86\u3002\n\n<strong>\u96a7\u9053\u5730\u5740\u4e3a\u4ec0\u4e48\u7528 ULA(<code>fd00:cafe:9::\/64<\/code>)\u800c\u4e0d\u662f\u516c\u7f51 GUA?<\/strong> \u8fd0\u8425\u5546\u4e0b\u53d1\u7684 IPv6 \u524d\u7f00\u662f<strong>\u52a8\u6001\u53d8\u5316<\/strong>\u7684(\u5982 <code>2409:8a62:...<\/code> \u6bcf\u6b21\u62e8\u53f7\u90fd\u53d8)\u3002\u82e5\u96a7\u9053\u5730\u5740\u7528 GUA,\u524d\u7f00\u4e00\u53d8\u6574\u6761\u96a7\u9053\u5730\u5740\u5931\u6548\u3001\u6240\u6709\u5ba2\u6237\u7aef\u914d\u7f6e\u4f5c\u5e9f\u3002ULA \u6c38\u8fdc\u4e0d\u53d8,\u9002\u5408\u505a\u96a7\u9053\u5bfb\u5740\u3002\u4ee3\u4ef7\u662f ULA \u516c\u7f51\u4e0d\u53ef\u8def\u7531 \u2192 WG \u5ba2\u6237\u7aef <strong>IPv6 \u4e0d\u8d70\u5bb6\u91cc\u51fa\u516c\u7f51<\/strong>(v4 \u9760 NAT \u51fa,v6 \u8bbf\u95ee\u5185\u7f51\u8d70 ULA \u4e92\u901a\u5373\u53ef,\u8fd9\u662f\u6709\u610f\u53d6\u820d)\u3002\u8be6\u89c1 \u00a76 \u4e0e \u00a79 \u6392\u9519\u3002\n<\/blockquote>\n<p>\u7b49\u4f1a\u513f\u5728 \u00a72.6 \u52a0 peer(\u5ba2\u6237\u7aef)\u3002\u5148\u505a\u9632\u706b\u5899\u3002<\/p>\n<h3 id=\"24-\u9632\u706b\u5899\u653e\u884c-51820-\u5efa\u7acb-wg-\u533a\u57df\"><span class=\"ez-toc-section\" id=\"24_%E9%98%B2%E7%81%AB%E5%A2%99_%E6%94%BE%E8%A1%8C_51820_%E5%BB%BA%E7%AB%8B_wg_%E5%8C%BA%E5%9F%9F\"><\/span>2.4 \u9632\u706b\u5899:\u653e\u884c 51820 + \u5efa\u7acb wg \u533a\u57df<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<blockquote><strong>\u7aef\u53e3\u53ef\u81ea\u5b9a\u4e49<\/strong>:\u82e5 51820 \u88ab\u8fd0\u8425\u5546\/\u5149\u732b\u5c01\u7981,\u6539\u7528\u5176\u4ed6\u7aef\u53e3(\u5982 10520)\u3002\u6539\u7aef\u53e3\u65f6<strong>\u4e09\u5904\u5fc5\u987b\u540c\u6b65<\/strong>:<code>uci set network.wg0.listen_port=&#039;10520&#039;<\/code> + \u9632\u706b\u5899\u653e\u884c 10520 + \u5ba2\u6237\u7aef Endpoint \u7528 10520\u3002\u6539\u5b8c <code>network restart<\/code>(\u975e 
reload)\u8ba9\u76d1\u542c\u7aef\u53e3\u751f\u6548\u3002\u4e0b\u65b9\u793a\u4f8b\u7528 51820,\u6309\u9700\u66ff\u6362\u3002\n<\/blockquote>\n<p>\u7f16\u8f91 <code>\/etc\/config\/firewall<\/code>,\u589e\u52a0:<\/p>\n<pre><code class=\"language-sh\"># 1) \u653e\u884c WAN \u4fa7 UDP 51820(\u53cc\u6808,\u4e00\u6761\u89c4\u5219 family=any \u5373\u53ef)\nuci add firewall rule\nuci set firewall.@rule[-1].name=&#039;Allow-WG-51820&#039;\nuci set firewall.@rule[-1].src=&#039;wan&#039;\nuci set firewall.@rule[-1].dest_port=&#039;51820&#039;\nuci set firewall.@rule[-1].proto=&#039;udp&#039;\nuci set firewall.@rule[-1].target=&#039;ACCEPT&#039;\n\n# 2) \u65b0\u5efa wg \u533a\u57df\nuci add firewall zone\nuci set firewall.@zone[-1].name=&#039;wg&#039;\nuci set firewall.@zone[-1].input=&#039;ACCEPT&#039;\nuci set firewall.@zone[-1].output=&#039;ACCEPT&#039;\nuci set firewall.@zone[-1].forward=&#039;ACCEPT&#039;\nuci add_list firewall.@zone[-1].network=&#039;wg0&#039;\n\n# 3) wg &lt;-&gt; lan \u4e92\u901a(\u53cc\u5411\u8bbf\u95ee\u7684\u5173\u952e)\nuci add firewall forwarding\nuci set firewall.@forwarding[-1].src=&#039;wg&#039;\nuci set firewall.@forwarding[-1].dest=&#039;lan&#039;\nuci add firewall forwarding\nuci set firewall.@forwarding[-1].src=&#039;lan&#039;\nuci set firewall.@forwarding[-1].dest=&#039;wg&#039;\n\n# 4) (\u53ef\u9009)\u8ba9 VPN \u5ba2\u6237\u7aef\u8d70\u5bb6\u91cc\u51fa\u53e3\u4e0a\u7f51(v4)&mdash;&mdash;\u9760 wan \u533a\u57df\u7684 masq,\u4e0d\u8981\u5355\u72ec\u5199 MASQUERADE \u89c4\u5219\nuci add firewall forwarding\nuci set firewall.@forwarding[-1].src=&#039;wg&#039;\nuci set firewall.@forwarding[-1].dest=&#039;wan&#039;\n# \u7ed9 wan \u533a\u57df\u5f00 masq:\u8fd9\u6837\u6240\u6709\u8f6c\u53d1\u5230 wan \u7684 v4 \u6d41\u91cf\u81ea\u52a8 SNAT,WG \u5ba2\u6237\u7aef\u5373\u53ef v4 \u51fa\u516c\u7f51\n#   \u5148\u67e5 wan \u662f\u7b2c\u51e0\u4e2a zone:uci show firewall | grep &quot;name=&#039;wan&#039;&quot;  (\u5047\u8bbe @zone[1])\nuci set 
firewall.@zone[1].masq=&#039;1&#039;          # \u7d22\u5f15\u6309\u4f60\u5b9e\u9645\u67e5\u5230\u7684\u6539!\u522b\u7167\u6284 [1]\n\nuci commit firewall\n\/etc\/init.d\/firewall restart\n<\/code><\/pre>\n<blockquote>\n\u26a0\ufe0f <strong>\u5343\u4e07\u4e0d\u8981\u5355\u72ec\u5199 <code>target=&#039;MASQUERADE&#039;<\/code> \u7684 rule<\/strong>\u3002MASQUERADE \u76ee\u6807\u4f1a\u8df3\u5230 <code>masquerade_to_wan<\/code> \u94fe,\u800c\u8be5\u94fe<strong>\u53ea\u6709\u5f53 wan zone \u542f\u7528 <code>masq=&#039;1&#039;<\/code> \u65f6\u624d\u751f\u6210<\/strong>\u3002\u82e5 wan \u6ca1\u5f00 masq \u5374\u5199\u4e86 MASQUERADE rule,<code>firewall restart<\/code> \u4f1a\u62a5\u9519:\n<pre><code>Error: No such file or directory; did you mean chain &#039;forward_wan&#039; ...?\n  meta nfproto ipv4 counter jump masquerade_to_wan comment &quot;!fw4: ...&quot;\n  The rendered ruleset contains errors, not doing firewall restart.\n<\/code><\/pre>\n\u6b64\u65f6\u9632\u706b\u5899<strong>\u4e0d\u4f1a\u91cd\u542f\u3001\u4fdd\u6301\u65e7\u89c4\u5219<\/strong>\u3002\u4fee\u590d:\u5220\u6389\u90a3\u6761 MASQUERADE rule(<code>uci delete firewall.@rule[N]<\/code>,N \u7528 <code>uci show firewall | grep MASQ<\/code> \u67e5\u771f\u5b9e\u7d22\u5f15,<strong>\u522b\u7167\u6284\u6587\u6863\u91cc\u7684\u7d22\u5f15<\/strong>),\u6539\u4e3a\u7ed9 wan zone \u5f00 <code>masq=&#039;1&#039;<\/code>\u3002\n\n<strong>\u5220 rule \u65f6\u7d22\u5f15\u5fc5\u987b\u73b0\u67e5<\/strong>:<code>uci show firewall | grep WG-MASQ<\/code> \u4f1a\u663e\u793a\u5982 <code>firewall.@rule[13].name=&#039;WG-MASQ-v4&#039;<\/code>,\u5c31\u7528 13\u3002\u6587\u6863\u91cc\u7684 <code>[1]<\/code>\/<code>[3]<\/code> \u53ea\u662f\u793a\u4f8b,\u6bcf\u53f0\u673a\u5668\u4e0d\u540c\u3002\n\n<strong>masq \u53ea\u7ba1 IPv4<\/strong>\u3002IPv6 \u662f\u771f\u5b9e\u516c\u7f51\u5730\u5740,<strong>\u4e0d\u8981\u5f00 masq6\u3001\u4e0d\u8981\u505a NAT66<\/strong>(\u53cd\u6a21\u5f0f,\u4e14 fw4 \u652f\u6301\u6709\u9650)\u3002WG 
\u5ba2\u6237\u7aef v6 \u51fa\u516c\u7f51\u7528\u5ba2\u6237\u7aef\u672c\u5730\u7f51\u7edc\u7684 v6,\u4e0d\u7ed5\u56de\u5bb6;v6 \u8bbf\u95ee\u5185\u7f51\u8d70 ULA \u4e92\u901a\u3002\u8be6\u89c1 \u00a76\u3002\n<\/blockquote>\n<h3 id=\"241-\u786e\u4fdd-wan6-\u7eb3\u5165-wan-\u533a\u57df\"><span class=\"ez-toc-section\" id=\"241_%E7%A1%AE%E4%BF%9D_wan6_%E7%BA%B3%E5%85%A5_wan_%E5%8C%BA%E5%9F%9F\"><\/span>2.4.1 \u786e\u4fdd wan6 \u7eb3\u5165 wan \u533a\u57df<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>OpenWrt \u91cc IPv6 \u901a\u5e38\u8d70\u5355\u72ec\u7684 <code>wan6<\/code> \u63a5\u53e3\u3002\u9632\u706b\u5899 <code>wan<\/code> \u533a\u57df\u7684 <code>network<\/code> \u5217\u8868\u5fc5\u987b<strong>\u540c\u65f6\u5305\u542b wan \u548c wan6<\/strong>,\u5426\u5219 v6 \u6d41\u91cf\u7684 zone \u5f52\u5c5e\u4f1a\u9519\u3002<\/p>\n<pre><code class=\"language-sh\">uci show firewall.@zone[1]                   # \u770b network \u5b57\u6bb5\n# \u5e94\u7c7b\u4f3c:firewall.@zone[1].network=&#039;wan wan6&#039;\n# \u82e5\u6ca1\u6709 wan6,\u8865\u4e0a:\nuci add_list firewall.@zone[1].network=&#039;wan6&#039;   # \u7d22\u5f15\u6309\u5b9e\u9645\nuci commit firewall\n\/etc\/init.d\/firewall restart\n<\/code><\/pre>\n<blockquote>\n\u89e3\u91ca:<code>wg&harr;lan<\/code> \u53cc\u5411 forwarding \u662f&#8221;\u53cc\u5411\u8bbf\u95ee&#8221;\u7684\u9632\u706b\u5899\u57fa\u7840\u3002<code>lan&rarr;wg<\/code> \u8ba9\u5bb6\u91cc\u8bbe\u5907\u80fd\u4e3b\u52a8\u8fde\u5230\u5df2\u62e8\u5165\u7684\u624b\u673a(\u53cd\u5411\u8bbf\u95ee)\u3002\u82e5\u4f60\u4e0d\u60f3\u8981&#8221;v4 \u5168\u6d41\u91cf\u8d70\u5bb6&#8221;,\u7701\u7565\u7b2c 4 \u6b65\u7684 <code>wg&rarr;wan<\/code> forwarding \u5373\u53ef(\u7eaf split tunnel,\u53ea\u8bbf\u95ee\u5185\u7f51)\u3002\n<\/blockquote>\n<h3 id=\"25-\u8ba9-dnsmasq-\u5728-wg-\u63a5\u53e3\u4e0a\u63d0\u4f9b-dns\u8ba9\u5ba2\u6237\u7aef\u89e3\u6790-lan\"><span class=\"ez-toc-section\" 
id=\"25_%E8%AE%A9_dnsmasq_%E5%9C%A8_wg_%E6%8E%A5%E5%8F%A3%E4%B8%8A%E6%8F%90%E4%BE%9B_DNS%E8%AE%A9%E5%AE%A2%E6%88%B7%E7%AB%AF%E8%A7%A3%E6%9E%90_lan\"><\/span>2.5 \u8ba9 dnsmasq \u5728 wg \u63a5\u53e3\u4e0a\u63d0\u4f9b DNS(\u8ba9\u5ba2\u6237\u7aef\u89e3\u6790 <code>.lan<\/code>)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>VPN \u5ba2\u6237\u7aef\u4f1a\u628a DNS \u6307\u5411\u8def\u7531\u5668\u96a7\u9053\u5730\u5740,\u9700\u8981 dnsmasq \u76d1\u542c wg0\u3002<\/p>\n<blockquote>\n\u26a0\ufe0f <strong>\u8840\u6cea\u5751:\u5343\u4e07\u522b\u8bbe dnsmasq \u7684 <code>interface<\/code> \u5b57\u6bb5!<\/strong> \u65e9\u671f\u7248\u672c\u66fe\u5199 <code>uci add_list dhcp.@dnsmasq[0].interface=&#039;wg0&#039;<\/code>,\u8fd9\u662f<strong>\u9519\u7684<\/strong>\u3002dnsmasq \u7684 <code>interface<\/code>\/<code>interfaces<\/code> \u662f<strong>\u6392\u4ed6\u76d1\u542c\u5217\u8868<\/strong>\u2014\u2014\u4e00\u65e6\u8bbe\u7f6e,dnsmasq <strong>\u53ea\u76d1\u542c\u5217\u8868\u91cc\u7684\u63a5\u53e3<\/strong>,lan\/loopback \u7b49\u5168\u88ab\u6392\u9664 \u2192 LAN \u8bbe\u5907\u65e0\u6cd5\u89e3\u6790 DNS \u2192 \u5168\u5c4b\u65ad\u7f51\u3002<code>add_list<\/code> \u5728\u8fd9\u91cc\u4e0d\u662f&#8221;\u8ffd\u52a0\u76d1\u542c&#8221;,\u800c\u662f&#8221;\u9650\u5b9a\u53ea\u542c\u8fd9\u51e0\u4e2a&#8221;\u3002\n\n<strong>\u6b63\u786e\u505a\u6cd5:\u4e0d\u8bbe <code>interface<\/code> \u5b57\u6bb5\u3002<\/strong> dnsmasq \u9ed8\u8ba4\u76d1\u542c\u6240\u6709\u63a5\u53e3(\u542b wg0\u3001lan\u3001loopback),\u53ea\u9700\u7528 <code>notinterface<\/code> \u6392\u9664 WAN(\u9632\u6b62 DNS \u66b4\u9732\u516c\u7f51)\u5373\u53ef\u3002OpenWrt \u9ed8\u8ba4\u5df2\u6392\u9664 wan,\u901a\u5e38<strong>\u4ec0\u4e48\u90fd\u4e0d\u7528\u914d<\/strong>,wg0 \u81ea\u52a8\u88ab\u76d1\u542c\u3002\n<\/blockquote>\n<pre><code class=\"language-sh\"># 1) \u5982\u679c\u4e4b\u524d\u8bef\u8bbe\u8fc7 interface,\u5fc5\u987b\u6e05\u6389(\u6062\u590d\u76d1\u542c\u5168\u90e8\u63a5\u53e3)\nuci -q del_list 
dhcp.@dnsmasq[0].interface=&#039;wg0&#039;\nuci -q delete dhcp.@dnsmasq[0].interface          # \u6e05\u7a7a\u6574\u4e2a interface \u5217\u8868\n# \u786e\u8ba4 notinterface \u542b wan(\u9ed8\u8ba4\u6709,\u9632 DNS \u66b4\u9732\u516c\u7f51):\n#   uci show dhcp.@dnsmasq[0] | grep notinterface\n#   \u6ca1\u6709\u5219:uci add_list dhcp.@dnsmasq[0].notinterface=&#039;wan&#039;\n\n# 2) \u7ed9 wg0 \u5efa\u4e00\u4e2a dhcp \u6bb5\u4f46\u7981\u7528 DHCP(\u53ea\u4fdd\u7559 DNS \u89e3\u6790\u80fd\u529b,\u4e0d\u53d1\u5730\u5740\u79df\u7ea6)\nuci set dhcp.wg=&#039;dhcp&#039;\nuci set dhcp.wg.interface=&#039;wg0&#039;\nuci set dhcp.wg.ignore=&#039;1&#039;\n\nuci commit dhcp\n\/etc\/init.d\/dnsmasq restart\n<\/code><\/pre>\n<p>\u9a8c\u8bc1 dnsmasq \u76d1\u542c\u4e86 wg0 \u4e14\u6ca1\u6392\u9664 lan:<\/p>\n<pre><code class=\"language-sh\"># \u770b dnsmasq \u542f\u52a8\u53c2\u6570,\u5e94\u80fd\u770b\u5230\u76d1\u542c wg0 \u548c br-lan,\u4e14 --bind-dynamic \u6216\u76d1\u542c 0.0.0.0\npgrep -a dnsmasq\n# \u6d4b\u8bd5:\u4ece\u8def\u7531\u5668\u81ea\u8eab\u89e3\u6790(\u5e94\u6b63\u5e38)\nnslookup nas.lan 127.0.0.1\n# \u4ece LAN \u8bbe\u5907\u4e5f\u80fd\u89e3\u6790 = \u6ca1\u8bef\u4f24 lan\n<\/code><\/pre>\n<blockquote><strong>\u8bef\u8bbe interface \u540e\u7684\u75c7\u72b6\u4e0e\u4fee\u590d<\/strong>:\u5168\u5c4b\u8bbe\u5907\u65e0\u6cd5\u4e0a\u7f51\u3001<code>nslookup<\/code> \u8d85\u65f6\u3001LuCI \u80fd\u5f00\u4f46\u7f51\u9875\u6253\u4e0d\u5f00\u3002\u4fee\u590d\u5c31\u662f\u4e0a\u9762\u7b2c 1 \u6b65:\u6e05\u7a7a <code>dhcp.@dnsmasq[0].interface<\/code> \u5217\u8868,restart dnsmasq\u3002\u6e05\u7a7a\u540e dnsmasq \u56de\u5230&#8221;\u76d1\u542c\u6240\u6709\u63a5\u53e3(\u9664 notinterface \u91cc\u7684 wan)&#8221;,lan\/wg0 \u90fd\u6b63\u5e38\u3002\n<\/blockquote>\n<p>\u5e76\u5b9a\u4e49\u5185\u7f51\u57df\u540d(\u793a\u4f8b,\u6309\u4f60\u8bbe\u5907\u6539):<\/p>\n<pre><code class=\"language-sh\">uci -q delete dhcp.nas_domain\nuci add dhcp domain\nuci set 
dhcp.@domain[-1].name=&#039;nas.lan&#039;\nuci set dhcp.@domain[-1].ip=&#039;192.168.1.10&#039;        # \u6216 &#039;fd00:cafe:1::10&#039;\nuci add dhcp domain\nuci set dhcp.@domain[-1].name=&#039;ha.lan&#039;\nuci set dhcp.@domain[-1].ip=&#039;192.168.1.12&#039;\nuci add dhcp domain\nuci set dhcp.@domain[-1].name=&#039;win.lan&#039;\nuci set dhcp.@domain[-1].ip=&#039;192.168.1.20&#039;         # RDP \u76ee\u6807\u673a\nuci commit dhcp\n\/etc\/init.d\/dnsmasq restart\n<\/code><\/pre>\n<h3 id=\"26-\u542f\u52a8\u63a5\u53e3\u5e76\u6dfb\u52a0\u7b2c\u4e00\u4e2a\u5ba2\u6237\u7aef-peer\"><span class=\"ez-toc-section\" id=\"26_%E5%90%AF%E5%8A%A8%E6%8E%A5%E5%8F%A3%E5%B9%B6%E6%B7%BB%E5%8A%A0%E7%AC%AC%E4%B8%80%E4%B8%AA%E5%AE%A2%E6%88%B7%E7%AB%AF_peer\"><\/span>2.6 \u542f\u52a8\u63a5\u53e3\u5e76\u6dfb\u52a0\u7b2c\u4e00\u4e2a\u5ba2\u6237\u7aef peer<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre><code class=\"language-sh\"># \u88c5\u5305\u540e\u7b2c\u4e00\u6b21\u542f\u52a8,\u7528 restart \u800c\u975e reload,\u786e\u4fdd netifd \u91cd\u65b0\u52a0\u8f7d\u534f\u8bae\u811a\u672c\n\/etc\/init.d\/network restart\nsleep 3\nwg show\n<\/code><\/pre>\n<blockquote>\n\u26a0\ufe0f <strong>\u5e38\u89c1\u5751:<code>ifup wg0<\/code> \/ <code>network reload<\/code> \u540e <code>wg0<\/code> \u4e0d\u5b58\u5728<\/strong>\u3002\n<ul>\n<li>\u75c7\u72b6:<code>ip -6 addr show wg0<\/code> \u62a5 <code>Device &quot;wg0&quot; does not exist.<\/code>,<code>wg show<\/code> \u7a7a\u8f93\u51fa,<code>ifup wg0<\/code> \u65e0\u4efb\u4f55\u56de\u663e,\u4e14 netifd \u65e5\u5fd7\u91cc<strong>\u5b8c\u5168\u6ca1\u6709 wg0 \u8bb0\u5f55<\/strong>\u3002<\/li>\n<li>\u6839\u56e0:<code>reload<\/code> \u53ea\u91cd\u8f7d\u5df2\u6ce8\u518c\u63a5\u53e3,<strong>\u4e0d\u91cd\u65b0\u626b\u63cf\u534f\u8bae\u811a\u672c<\/strong>\u3002\u521a\u88c5\u5b8c <code>wireguard-tools<\/code> \u540e\u534f\u8bae\u624d\u6ce8\u518c,netifd \u4ecd\u6301\u6709\u65e7\u7684\u534f\u8bae\u5217\u8868,\u4e0d\u8ba4\u8bc6 <code>wireguard<\/code> 
\u534f\u8bae\u3002<\/li>\n<li>\u4fee\u590d:<code>\/etc\/init.d\/network restart<\/code>(\u91cd\u542f\u6574\u4e2a netifd,\u91cd\u65b0\u626b\u63cf <code>\/lib\/netifd\/proto\/wireguard.sh<\/code>)\u3002\u9a8c\u8bc1\u8be5\u6587\u4ef6\u5b58\u5728:<code>ls -l \/lib\/netifd\/proto\/wireguard.sh<\/code>\u3002<\/li>\n<li>\u5176\u4ed6\u53ef\u80fd:<code>uci commit network<\/code> \u6f0f\u4e86(\u914d\u7f6e\u6ca1\u5199\u8fdb <code>\/etc\/config\/network<\/code>,netifd \u8bfb\u4e0d\u5230)\u2192 <code>grep -A10 &quot;config interface &#039;wg0&#039;&quot; \/etc\/config\/network<\/code> \u786e\u8ba4\u3002<\/li>\n<li>\u515c\u5e95\u6392\u67e5:<code>logread -e netifd | tail -30<\/code> \u770b netifd \u62a5\u4ec0\u4e48;<code>which wg<\/code> \u786e\u8ba4\u547d\u4ee4\u5728 PATH\u3002<\/li>\n<\/ul>\n<\/blockquote>\n<p>peer \u7684\u6dfb\u52a0\u5728 \u00a73 \u4e3a\u6bcf\u4e2a\u5ba2\u6237\u7aef\u505a(\u56e0\u4e3a\u8981\u5148\u6709\u5ba2\u6237\u7aef\u516c\u94a5)\u3002<\/p>\n<h3 id=\"27-\u9a8c\u8bc1\u670d\u52a1\u7aef\"><span class=\"ez-toc-section\" id=\"27_%E9%AA%8C%E8%AF%81%E6%9C%8D%E5%8A%A1%E7%AB%AF\"><\/span>2.7 \u9a8c\u8bc1\u670d\u52a1\u7aef<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre><code class=\"language-sh\">wg show              # \u5e94\u770b\u5230 wg0 listening on 51820 + public key(\u6b64\u65f6\u65e0 peer,\u6b63\u5e38)\nip -6 addr show wg0  # \u5e94\u6709 10.200.0.1\/24 \u548c fd00:cafe:9::1\/64\n<\/code><\/pre>\n<blockquote><strong>\u4ee5\u547d\u4ee4\u884c <code>wg show<\/code> \u4e3a\u51c6,\u522b\u8ff7\u4fe1 LuCI<\/strong>\u3002LuCI \u663e\u793a\u53ef\u80fd\u6ede\u540e\u6216\u53d7\u534f\u8bae\u5305\u52a0\u8f7d\u65f6\u673a\u5f71\u54cd;\u53ea\u8981 <code>wg show<\/code> \u6709 <code>listening port: 51820<\/code> \u5c31\u662f\u771f\u6b63\u8d77\u6765\u4e86\u3002\u88c5\u4e86 <code>luci-proto-wireguard<\/code> \u540e\u5f3a\u5237 LuCI(<code>\/etc\/init.d\/rpcd restart<\/code> \u540e\u6d4f\u89c8\u5668 Ctrl+F5)\u5373\u6b63\u5e38\u3002\n<\/blockquote>\n<blockquote><strong>wg0 
\u6ca1\u6709 MAC \u5730\u5740\u662f\u6b63\u5e38\u7684,\u4e0d\u662f\u914d\u7f6e\u9519\u3002<\/strong> WireGuard \u662f L3(\u7f51\u7edc\u5c42)\u96a7\u9053\u63a5\u53e3,\u76f4\u63a5\u5c01\u88c5 IP \u5305\u3001\u6ca1\u6709\u4ee5\u592a\u7f51\u5e27\u5934,\u800c MAC \u662f L2(\u6570\u636e\u94fe\u8def\u5c42)\u6982\u5ff5,\u53ea\u6709\u627f\u8f7d\u4ee5\u592a\u7f51\u5e27\u7684\u63a5\u53e3(<code>eth0<\/code>\/<code>br-lan<\/code>\/<code>wlan0<\/code>)\u624d\u6709\u3002\u6240\u4ee5 <code>ip link show wg0<\/code> \u8f93\u51fa\u91cc\u6ca1\u6709 <code>link\/ether<\/code> \u90a3\u4e00\u884c\u662f\u9884\u671f\u884c\u4e3a(\u4e0e <code>lo<\/code>\u3001<code>tun<\/code> \u540c\u7c7b)\u3002\u5224\u65ad wg0 \u662f\u5426\u6b63\u5e38<strong>\u53ea\u770b IP \u5730\u5740\u548c <code>wg show<\/code><\/strong>,\u4e0d\u8981\u7528\u6709\u65e0 MAC \u6765\u5224\u65ad\u3002\n<\/blockquote>\n<h3 id=\"271-\u600e\u4e48\u7b97\u8fde\u63a5\u6210\u529f\u63a5\u53e3\u5c42-vs-\u63e1\u624b\u5c42\"><span class=\"ez-toc-section\" id=\"271_%E6%80%8E%E4%B9%88%E7%AE%97%E2%80%9D%E8%BF%9E%E6%8E%A5%E6%88%90%E5%8A%9F%E2%80%9D%E6%8E%A5%E5%8F%A3%E5%B1%82_vs_%E6%8F%A1%E6%89%8B%E5%B1%82\"><\/span>2.7.1 \u600e\u4e48\u7b97&#8221;\u8fde\u63a5\u6210\u529f&#8221;(\u63a5\u53e3\u5c42 vs \u63e1\u624b\u5c42)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u63a5\u53e3\u8d77\u6765 \u2260 \u96a7\u9053\u6253\u901a\u3002\u5206\u4e24\u5c42\u5224\u5b9a:<\/p>\n<p><strong>\u5c42 1:\u63a5\u53e3\u8d77\u6ca1\u8d77(\u670d\u52a1\u7aef\/\u5ba2\u6237\u7aef\u901a\u7528)<\/strong><\/p>\n<pre><code class=\"language-sh\">ip -6 addr show wg0     # \u6709\u96a7\u9053\u5730\u5740 = \u63a5\u53e3\u5c42 OK\nwg show                 # \u80fd\u5217\u51fa\u63a5\u53e3 + peer = \u63a5\u53e3\u5c42 OK\n<\/code><\/pre>\n<p><strong>\u5c42 2:\u63e1\u624b\u6210\u6ca1\u6210\u529f(\u96a7\u9053\u662f\u5426\u771f\u901a)\u2014\u2014 \u8fd9\u624d\u662f\u786c\u6307\u6807<\/strong><\/p>\n<pre><code class=\"language-sh\">wg show\n<\/code><\/pre>\n<p>\u770b peer 
\u4e0b\u8fd9\u4e24\u884c:<\/p>\n<ul>\n<li><strong>\u6709 <code>latest handshake: \u51e0\u79d2\/\u51e0\u5341\u79d2\u524d<\/code><\/strong> = \u63e1\u624b\u6210\u529f,\u5bc6\u94a5\u534f\u5546\u5b8c\u6210,\u96a7\u9053\u5efa\u7acb \u2705<\/li>\n<li>\u540c\u65f6 <code>transfer: ... received, ... sent<\/code> \u8ba1\u6570\u5728\u6da8 = \u771f\u7684\u5728\u6536\u53d1\u5305 \u2705<\/li>\n<li>\u82e5<strong>\u6ca1\u6709 <code>latest handshake<\/code> \u8fd9\u884c<\/strong>\u3001<code>transfer: 0 B received<\/code> = \u63e1\u624b\u5931\u8d25,\u6ca1\u771f\u6b63\u8fde\u4e0a(\u67e5\u516c\u94a5\u662f\u5426\u8d34\u53cd\u3001endpoint \u89e3\u6790\u3001\u9632\u706b\u5899\u662f\u5426\u6321 51820\u3001\u5ba2\u6237\u7aef\u662f\u5426\u6b8b\u7559 <code>ListenPort<\/code>,\u89c1 \u00a710)\u3002<\/li>\n<\/ul>\n<p>\u63e1\u624b\u6210\u529f\u540e\u7528\u5b9e\u9645\u6d41\u91cf\u9a8c\u8bc1\u7aef\u5230\u7aef:<\/p>\n<pre><code class=\"language-sh\">ping 10.200.0.1         # \u901a = \u96a7\u9053\u5bf9\u7aef\u53ef\u8fbe\nping nas.lan            # \u901a = DNS \u89e3\u6790 + \u5185\u7f51\u90fd\u901a\nping 192.168.1.10       # \u901a = \u8def\u7531\/forwarding \u90fd\u5bf9\n<\/code><\/pre>\n<table>\n<thead>\n<tr>\n<th>\u72b6\u6001<\/th>\n<th><code>wg show<\/code> \u8868\u73b0<\/th>\n<th>\u7ed3\u8bba<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\u63a5\u53e3\u6ca1\u8d77<\/td>\n<td>\u7a7a\u8f93\u51fa \/ <code>Device does not exist<\/code><\/td>\n<td>\u914d\u7f6e\u6216 netifd \u95ee\u9898(\u00a72.6 \u5751)<\/td>\n<\/tr>\n<tr>\n<td>\u63a5\u53e3\u8d77\u4e86\u3001\u6ca1\u63e1\u624b<\/td>\n<td>\u6709 peer,\u4f46\u65e0 <code>latest handshake<\/code>,rx=0<\/td>\n<td>\u63e1\u624b\u5931\u8d25,\u67e5 endpoint\/\u516c\u94a5\/\u9632\u706b\u5899<\/td>\n<\/tr>\n<tr>\n<td><strong>\u63e1\u624b\u6210\u529f<\/strong><\/td>\n<td>\u6709 <code>latest handshake: \u51e0\u79d2\u524d<\/code> + rx\/tx \u5728\u6da8<\/td>\n<td><strong>\u8fde\u63a5\u6210\u529f<\/strong> 
\u2705<\/td>\n<\/tr>\n<tr>\n<td>\u7aef\u5230\u7aef\u901a<\/td>\n<td>\u4e0a\u9762 + <code>ping 10.200.0.1<\/code> \/ <code>ping nas.lan<\/code> \u901a<\/td>\n<td>\u5168\u94fe\u8def OK \u2705\u2705<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4ece\u516c\u7f51(\u624b\u673a\u8702\u7a9d)\u6d4b\u8bd5 UDP \u53ef\u8fbe:<\/p>\n<pre><code class=\"language-sh\">nc -6 -u -v router.example.com 51820   # \u4e0d\u901a\u4e5f\u6ca1\u54cd\u5e94\u662f\u6b63\u5e38\u7684(WG \u4e0d\u63e1\u624b\u4e0d\u56de\u5305),\u4e3b\u8981\u770b\u9632\u706b\u5899\u6ca1\u88ab drop\n<\/code><\/pre>\n<p>\u66f4\u53ef\u9760\u7684\u9a8c\u8bc1:\u914d\u597d\u5ba2\u6237\u7aef\u540e\u770b <code>wg show<\/code> \u51fa\u73b0\u6700\u65b0\u63e1\u624b\u65f6\u95f4\u3002<\/p>\n<hr>\n<h2 id=\"3-\u5ba2\u6237\u7aef\u914d\u7f6e\u56db\u7c7b-os\"><span class=\"ez-toc-section\" id=\"3_%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE%E5%9B%9B%E7%B1%BB_OS\"><\/span>3. \u5ba2\u6237\u7aef\u914d\u7f6e(\u56db\u7c7b OS)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u6bcf\u4e2a\u5ba2\u6237\u7aef\u90fd\u9700\u8981:<strong>\u81ea\u5df1\u7684\u5bc6\u94a5\u5bf9<\/strong> + <strong>\u4e00\u4efd .conf<\/strong>\u3002\u4e0b\u9762\u5148\u7ed9\u901a\u7528 <code>.conf<\/code> \u6a21\u677f,\u518d\u8bb2\u5404 OS \u600e\u4e48\u5bfc\u5165\u3002<\/p>\n<h3 id=\"31-\u901a\u7528\u5ba2\u6237\u7aef\u914d\u7f6e\u6a21\u677f\"><span class=\"ez-toc-section\" id=\"31_%E9%80%9A%E7%94%A8%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE%E6%A8%A1%E6%9D%BF\"><\/span>3.1 \u901a\u7528\u5ba2\u6237\u7aef\u914d\u7f6e\u6a21\u677f<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u628a\u4e0b\u9762\u5b58\u4e3a <code>client.conf<\/code>,\u6309\u6ce8\u91ca\u66ff\u6362:<\/p>\n<pre><code class=\"language-ini\">[Interface]\nPrivateKey = &lt;\u5ba2\u6237\u7aef\u79c1\u94a5&gt;\nAddress = 10.200.0.2\/24, fd00:cafe:9::2\/64\nDNS = 10.200.0.1, fd00:cafe:9::1\nMTU = 1420\n\n[Peer]\nPublicKey = &lt;\u670d\u52a1\u7aef\u516c\u94a5,\u5373 
\/etc\/wireguard\/server.pub&gt;\nPresharedKey = &lt;\u53ef\u9009,\u89c1 3.2;\u4e0d\u7528\u5c31\u5220\u6389\u8fd9\u884c&gt;\nEndpoint = router.example.com:51820\n# \u60f3\u8bbf\u95ee\u54ea\u4e9b\u5185\u7f51\u6bb5,\u5c31\u5199\u54ea\u4e9b\u3002\u4e0b\u9762\u662f\u5bb6\u91cc\u5168\u90e8\u5185\u7f51 + \u96a7\u9053\u6bb5:\nAllowedIPs = 192.168.1.0\/24, fd00:cafe:1::\/64, 10.200.0.0\/24, fd00:cafe:9::\/64\n# \u60f3\u8ba9\u5168\u90e8\u6d41\u91cf\u90fd\u8d70\u5bb6\u91cc(\u5168\u96a7\u9053),\u6539\u4e3a:\n# AllowedIPs = 0.0.0.0\/0, ::\/0\nPersistentKeepalive = 25\n<\/code><\/pre>\n<blockquote><strong>AllowedIPs \u7684\u542b\u4e49<\/strong>:\u65e2\u51b3\u5b9a&#8221;\u54ea\u4e9b\u76ee\u6807\u6d41\u91cf\u8fdb\u96a7\u9053&#8221;,\u4e5f\u51b3\u5b9a&#8221;\u670d\u52a1\u7aef\u628a\u54ea\u4e9b\u6e90\u5730\u5740\u8def\u7531\u7ed9\u8fd9\u4e2a peer&#8221;\u3002\u6240\u4ee5\u5b83\u5fc5\u987b<strong>\u7cbe\u786e\u5305\u542b\u8be5\u5ba2\u6237\u7aef\u7684\u96a7\u9053\u5730\u5740<\/strong>\u4e4b\u5916,\u8fd8\u8981\u5305\u542b\u5b83\u8981\u8bbf\u95ee\u7684\u5185\u7f51\u6bb5\u3002\n<\/blockquote>\n<blockquote>\n\u26a0\ufe0f <strong>\u5ba2\u6237\u7aef\u914d\u7f6e\u4e09\u5927\u5751(\u5b9e\u6d4b\u8e29\u8fc7,\u52a1\u5fc5\u907f\u514d):<\/strong>\n<ol>\n<li><strong>\u7edd\u4e0d\u8981\u5728\u5ba2\u6237\u7aef <code>[Interface]<\/code> \u91cc\u5199 <code>ListenPort<\/code><\/strong>\u3002\u8fd9\u662f\u670d\u52a1\u7aef\u7528\u7684\u3002\u5ba2\u6237\u7aef\u8bbe\u4e86 ListenPort \u4f1a\u5f3a\u5236\u7ed1\u5b9a\u672c\u5730\u7aef\u53e3\u76d1\u542c,\u5bfc\u81f4 Android\/iOS \u7684 VpnService \u8def\u7531\u6df7\u4e71\u3001<strong>\u63e1\u624b\u5305\u53d1\u4e0d\u51fa\u53bb<\/strong>(\u8868\u73b0:<code>tcpdump<\/code> \u6293\u4e0d\u5230 WG \u5305,<code>wg show<\/code> \u65e0\u63e1\u624b,\u4f46 ping\/nmap \u80fd\u901a)\u3002\u5ba2\u6237\u7aef\u7528\u968f\u673a\u7aef\u53e3\u4e3b\u52a8\u8fde\u670d\u52a1\u7aef\u5373\u53ef\u3002\n<\/li>\n<li><strong><code>AllowedIPs<\/code> 
\u683c\u5f0f\u5fc5\u987b\u7528\u534a\u89d2\u9017\u53f7+\u7a7a\u683c<\/strong> <code>,<\/code> \u5206\u9694,<strong>\u7edd\u4e0d\u80fd\u7528\u5168\u89d2\u9017\u53f7 <code>\uff0c<\/code><\/strong>\u3002\u4ece\u4e2d\u6587\u8f93\u5165\u6cd5\u7c98\u8d34\u3001\u6216\u5e26\u4e0d\u53ef\u89c1\u5b57\u7b26,Android App \u4f1a\u62a5 <code>bad address<\/code>\u3002\u6700\u7a33\u7684\u505a\u6cd5\u662f<strong>\u7528\u4e8c\u7ef4\u7801\u5bfc\u5165<\/strong>(\u89c1 \u00a73.5),\u7531 <code>qrencode<\/code> \u4fdd\u8bc1\u683c\u5f0f\u3002\u624b\u52a8\u8f93\u5165\u65f6\u6bcf\u6bb5\u53ef\u5355\u72ec\u6210\u884c\u3002\u9a8c\u8bc1\u914d\u7f6e\u6587\u4ef6\u65e0\u9690\u85cf\u5b57\u7b26:<code>cat -A client.conf<\/code>(\u6b63\u5e38\u884c\u5c3e <code>$<\/code>,\u65e0 <code>^M<\/code>\/<code>M-<\/code> \u4e71\u7801)\u3002\n<\/li>\n<li><strong>\u8def\u7531\u73af:Endpoint \u6240\u5728\u7f51\u6bb5\u4e0d\u80fd\u51fa\u73b0\u5728 AllowedIPs \u91cc(\u5185\u7f51\u6d4b\u8bd5\u65f6)<\/strong>\u3002\u82e5 <code>Endpoint = 192.168.1.1:51820<\/code> \u4e14 <code>AllowedIPs<\/code> \u542b <code>192.168.1.0\/24<\/code>,\u624b\u673a\u4f1a\u628a\u53bb\u5f80 192.168.1.1 \u7684\u63e1\u624b\u5305\u4e5f\u5bfc\u5411\u5c1a\u672a\u5efa\u7acb\u7684\u96a7\u9053 \u2192 \u6b7b\u9501 \u2192 \u4e0d\u53d1\u5305\u3002<strong>\u5185\u7f51\u6d4b\u8bd5\u65f6 AllowedIPs \u53bb\u6389 Endpoint \u7f51\u6bb5<\/strong>,\u53ea\u7559\u96a7\u9053\u6bb5:<code>10.200.0.0\/24, fd00:cafe:9::\/64, fd00:cafe:1::\/64<\/code>\u3002\u516c\u7f51\u6d4b\u8bd5(Endpoint=\u57df\u540d)\u65e0\u6b64\u95ee\u9898,\u56e0\u4e3a\u57df\u540d\u89e3\u6790\u51fa\u7684\u516c\u7f51\u5730\u5740\u4e0d\u5728\u5185\u7f51\u6bb5\u3002<code>0.0.0.0\/0<\/code> \u5168\u6d41\u91cf\u6a21\u5f0f\u4e0b,WG \u4f1a\u81ea\u52a8\u6392\u9664 Endpoint \u8def\u7531,\u516c\u7f51\u573a\u666f\u53ef\u7528;\u4f46\u5185\u7f51 Endpoint + 0.0.0.0\/0 \u4ecd\u53ef\u80fd\u6b7b\u9501,\u6545\u5185\u7f51\u6d4b\u8bd5\u4f18\u5148\u7528\u5177\u4f53\u6bb5\u3002\n<\/li>\n<\/ol><strong>MTU 
\u9009\u62e9<\/strong>:\u9ed8\u8ba4 1280(IPv6 \u6700\u5c0f\u503c,\u4fdd\u5b88\u4f46\u4f4e\u6548,\u5305\u591a\u901f\u5ea6\u6162)\u3002\u94fe\u8def MTU 1500 \u65f6\u7528 <code>1420<\/code>,PPPoE(1492)\u7528 <code>1412<\/code>\u3002\u8c03\u5927\u53ef\u63d0\u901f,\u4f46\u8fc7\u5927\u4f1a\u4e22\u5305\u3002\u6d4b\u96a7\u9053 MTU:<code>ping -M do -s 1392 10.200.0.1<\/code>,\u4e0d\u901a\u5c31\u51cf,\u6700\u5927\u4e0d\u4e22\u5305\u503c +28 = WG MTU\u3002\n<\/blockquote>\n<h3 id=\"32-\u63a8\u8350\u751f\u6210\u9884\u5171\u4eab\u5bc6\u94a5-psk\u591a\u4e00\u5c42\u5bf9\u79f0\u52a0\u5bc6\"><span class=\"ez-toc-section\" id=\"32_%E6%8E%A8%E8%8D%90%E7%94%9F%E6%88%90%E9%A2%84%E5%85%B1%E4%BA%AB%E5%AF%86%E9%92%A5_PSK%E5%A4%9A%E4%B8%80%E5%B1%82%E5%AF%B9%E7%A7%B0%E5%8A%A0%E5%AF%86\"><\/span>3.2 (\u63a8\u8350)\u751f\u6210\u9884\u5171\u4eab\u5bc6\u94a5 PSK,\u591a\u4e00\u5c42\u5bf9\u79f0\u52a0\u5bc6<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u5728\u4efb\u4e00\u673a\u5668\u4e0a:<\/p>\n<pre><code class=\"language-sh\">wg genpsk &gt; psk.txt\n<\/code><\/pre>\n<p>\u628a\u5185\u5bb9\u540c\u65f6\u586b\u5230<strong>\u670d\u52a1\u7aef\u8be5 peer \u7684 <code>preshared_key<\/code><\/strong> \u548c<strong>\u5ba2\u6237\u7aef <code>[Peer]<\/code> \u7684 <code>PresharedKey<\/code><\/strong>\u3002\u5373\u4f7f\u91cf\u5b50\u8ba1\u7b97\u65f6\u4ee3\u4e5f\u80fd\u591a\u6297\u4e00\u5c42\u3002<\/p>\n<h3 id=\"33-\u751f\u6210\u5ba2\u6237\u7aef\u5bc6\u94a5\u5bf9\"><span class=\"ez-toc-section\" id=\"33_%E7%94%9F%E6%88%90%E5%AE%A2%E6%88%B7%E7%AB%AF%E5%AF%86%E9%92%A5%E5%AF%B9\"><\/span>3.3 \u751f\u6210\u5ba2\u6237\u7aef\u5bc6\u94a5\u5bf9<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><strong>Linux \/ macOS:<\/strong><\/p>\n<pre><code class=\"language-sh\">wg genkey | tee client.key | wg pubkey &gt; client.pub\n<\/code><\/pre>\n<p><strong>Windows(PowerShell,\u88c5\u4e86\u5b98\u65b9 WireGuard \u540e):<\/strong><\/p>\n<pre><code class=\"language-powershell\">&amp; &quot;C:\\Program 
Files\\WireGuard\\wg.exe&quot; genkey | Out-File -Encoding ascii client.key\nGet-Content client.key | &amp; &quot;C:\\Program Files\\WireGuard\\wg.exe&quot; pubkey | Out-File -Encoding ascii client.pub\n<\/code><\/pre>\n<p>\u6216\u5728\u5b98\u65b9 GUI \u91cc\u70b9 <strong>&#8220;Generate keypair&#8221;<\/strong>\u3002<\/p>\n<p><strong>iOS \/ Android:<\/strong> \u5728\u5b98\u65b9 WireGuard App \u91cc\u65b0\u5efa\u96a7\u9053\u65f6\u9009&#8221;Create from scratch&#8221;,App \u4f1a\u81ea\u52a8\u751f\u6210\u5bc6\u94a5;\u4f60\u53ea\u9700\u628a\u5b83\u7684 <strong>Public key<\/strong> \u6284\u51fa\u6765\u586b\u5230\u8def\u7531\u5668\u3002<\/p>\n<h3 id=\"34-\u628a\u5ba2\u6237\u7aef\u516c\u94a5\u6ce8\u518c\u5230-openwrt-\u670d\u52a1\u7aef\"><span class=\"ez-toc-section\" id=\"34_%E6%8A%8A%E5%AE%A2%E6%88%B7%E7%AB%AF%E5%85%AC%E9%92%A5%E6%B3%A8%E5%86%8C%E5%88%B0_OpenWrt_%E6%9C%8D%E5%8A%A1%E7%AB%AF\"><\/span>3.4 \u628a\u5ba2\u6237\u7aef\u516c\u94a5\u6ce8\u518c\u5230 OpenWrt \u670d\u52a1\u7aef<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u5047\u8bbe\u624b\u673a\u5ba2\u6237\u7aef\u516c\u94a5\u662f <code>PHONE_PUB<\/code>,\u96a7\u9053\u5730\u5740 <code>10.200.0.2<\/code> \/ <code>fd00:cafe:9::2<\/code>:<\/p>\n<pre><code class=\"language-sh\">uci add network wireguard_wg0\nuci set network.@wireguard_wg0[-1].description=&#039;phone&#039;\nuci set network.@wireguard_wg0[-1].public_key=&#039;PHONE_PUB&#039;\nuci set network.@wireguard_wg0[-1].preshared_key=&quot;$(cat \/etc\/wireguard\/psk.txt)&quot;   # \u53ef\u9009\nuci add_list network.@wireguard_wg0[-1].allowed_ips=&#039;10.200.0.2\/32&#039;\nuci add_list network.@wireguard_wg0[-1].allowed_ips=&#039;fd00:cafe:9::2\/128&#039;\nuci commit network\nifdown wg0 &amp;&amp; ifup wg0\n<\/code><\/pre>\n<blockquote>\n\u670d\u52a1\u7aef peer \u7684 <code>allowed_ips<\/code> 
<strong>\u53ea\u586b\u8be5\u5ba2\u6237\u7aef\u7684\u96a7\u9053\u5730\u5740<\/strong>(\u5b83\u8981\u8bbf\u95ee\u7684\u5185\u7f51\u6bb5\u4e0d\u5199\u5728\u8fd9\u91cc)\u3002\u8981&#8221;\u53cd\u5411&#8221;\u8ba9\u5bb6\u91cc\u8bbf\u95ee\u624b\u673a\u4e0a\u7684\u670d\u52a1,\u9760\u7684\u5c31\u662f\u8fd9\u4e2a\u96a7\u9053\u5730\u5740\u2014\u2014\u5bb6\u91cc\u8bbe\u5907\u8fde <code>10.200.0.2:\u7aef\u53e3<\/code> \u5373\u53ef(\u89c1 \u00a74.3)\u3002\n<\/blockquote>\n<h3 id=\"35-\u5404-os-\u5bfc\u5165\u4e0e\u542f\u7528\"><span class=\"ez-toc-section\" id=\"35_%E5%90%84_OS_%E5%AF%BC%E5%85%A5%E4%B8%8E%E5%90%AF%E7%94%A8\"><\/span>3.5 \u5404 OS \u5bfc\u5165\u4e0e\u542f\u7528<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4 id=\"windows\"><span class=\"ez-toc-section\" id=\"Windows\"><\/span>Windows<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ol>\n<li>\u88c5 <a href=\"https:\/\/www.wireguard.com\/install\/\">WireGuard for Windows<\/a>\u3002<\/li>\n<li>\u6253\u5f00 \u2192 &#8220;Import tunnel(s) from file&#8221; \u2192 \u9009 <code>client.conf<\/code>\u3002<\/li>\n<li>\u53cc\u51fb\u96a7\u9053 \u2192 \u8fde\u63a5\u3002<\/li>\n<li>\u6d4b\u8bd5:<code>ping 10.200.0.1<\/code>\u3001<code>ping nas.lan<\/code>\u3001<code>ping 192.168.1.10<\/code>\u3002<\/li>\n<\/ol>\n<h4 id=\"macos\"><span class=\"ez-toc-section\" id=\"macOS\"><\/span>macOS<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ol>\n<li>App Store \u88c5 &#8220;WireGuard&#8221; \u6216 <code>brew install wireguard-tools<\/code>\u3002<\/li>\n<li>App:&#8221;Import from file&#8221; \u2192 <code>client.conf<\/code>;\u6216\u547d\u4ee4\u884c:<pre><code class=\"language-sh\">sudo wg-quick up client   # \u914d\u7f6e\u653e \/usr\/local\/etc\/wireguard\/client.conf\n<\/code><\/pre>\n<\/li>\n<li>\u6d4b\u8bd5\u540c\u4e0a\u3002<\/li>\n<\/ol>\n<h4 id=\"linux\u4ee5-wg-quick-systemd-\u4e3a\u4f8b\"><span class=\"ez-toc-section\" id=\"Linux%E4%BB%A5_wg-quick_systemd_%E4%B8%BA%E4%BE%8B\"><\/span>Linux(\u4ee5 wg-quick + systemd 
\u4e3a\u4f8b)<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<pre><code class=\"language-sh\">sudo apt install wireguard                 # Debian\/Ubuntu\n# \u6216 sudo dnf install wireguard-tools      # Fedora\nsudo install -d -m 700 \/etc\/wireguard\nsudo cp client.conf \/etc\/wireguard\/wg-home.conf\nsudo wg-quick up wg-home                   # \u4e34\u65f6\u542f\u7528\nsudo systemctl enable --now wg-quick@wg-home   # \u5f00\u673a\u81ea\u542f\n<\/code><\/pre>\n<p>NetworkManager \u65b9\u5f0f(GUI \u53d1\u884c\u7248):<\/p>\n<pre><code class=\"language-sh\">nmcli connection import type wireguard file wg-home.conf\nnmcli connection up wg-home\n<\/code><\/pre>\n<h4 id=\"ios-android\"><span class=\"ez-toc-section\" id=\"iOS_Android\"><\/span>iOS \/ Android<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ol>\n<li>\u88c5\u5b98\u65b9 WireGuard App\u3002<\/li>\n<li>\u4e24\u79cd\u5bfc\u5165:\n<ul>\n<li><strong>\u4e8c\u7ef4\u7801<\/strong>:\u5728\u8def\u7531\u5668\u4e0a\u5bf9\u914d\u7f6e\u751f\u6210\u7801,\u624b\u673a\u626b\u7801\u2014\u2014<pre><code class=\"language-sh\"># \u628a\u4e0a\u9762 client.conf \u5185\u5bb9\u751f\u6210\u4e8c\u7ef4\u7801(\u8def\u7531\u5668\u88c5\u4e86 qrencode)\nqrencode -t ansiutf8 &lt; client.conf\n# \u624b\u673a App &rarr; &quot;+&quot; &rarr; &quot;Scan from QR code&quot;\n<\/code><\/pre>\n<\/li>\n<li><strong>\u6587\u4ef6<\/strong>:\u628a <code>client.conf<\/code> \u4f20\u5230\u624b\u673a \u2192 App \u2192 &#8220;+&#8221; \u2192 &#8220;Import from file&#8221;\u3002<\/li>\n<\/ul>\n<\/li>\n<li>\u8fde\u63a5\u540e\u7528 Safari\/Chrome \u8bbf\u95ee <code>http:\/\/nas.lan<\/code> \u9a8c\u8bc1\u3002<\/li>\n<\/ol>\n<blockquote>\n\u7ed9\u624b\u673a\u914d IP \u65f6,\u5efa\u8bae<strong>\u7528\u56fa\u5b9a\u96a7\u9053\u5730\u5740<\/strong>(\u5982\u624b\u673a\u56fa\u5b9a 
<code>10.200.0.2<\/code>),\u65b9\u4fbf\u5bb6\u91cc\u53cd\u5411\u8fde\u5b83\u3002\u6bcf\u591a\u4e00\u53f0\u8bbe\u5907,\u9012\u589e\u4e00\u4e2a\u5730\u5740\u5e76\u5728\u670d\u52a1\u7aef\u52a0 peer\u3002\n<\/blockquote>\n<hr>\n<h2 id=\"4-\u53cc\u5411\u8bbf\u95ee\u5b9e\u73b0\u56db\u79cd\u573a\u666f\u5168\u90e8\u6253\u901a\"><span class=\"ez-toc-section\" id=\"4_%E5%8F%8C%E5%90%91%E8%AE%BF%E9%97%AE%E5%AE%9E%E7%8E%B0%E5%9B%9B%E7%A7%8D%E5%9C%BA%E6%99%AF%E5%85%A8%E9%83%A8%E6%89%93%E9%80%9A\"><\/span>4. \u53cc\u5411\u8bbf\u95ee\u5b9e\u73b0(\u56db\u79cd\u573a\u666f\u5168\u90e8\u6253\u901a)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3 id=\"41-\u573a\u666f\u4e00\u5916\u90e8\u8bbf\u95ee\u5185\u7f51-web-\u670d\u52a1\"><span class=\"ez-toc-section\" id=\"41_%E5%9C%BA%E6%99%AF%E4%B8%80_%E5%A4%96%E9%83%A8%E8%AE%BF%E9%97%AE%E5%86%85%E7%BD%91_Web_%E6%9C%8D%E5%8A%A1\"><\/span>4.1 \u573a\u666f\u4e00:\u5916\u90e8\u8bbf\u95ee\u5185\u7f51 Web \u670d\u52a1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u62e8\u5165 VPN \u540e,\u5ba2\u6237\u7aef\u7684 <code>AllowedIPs<\/code> \u542b <code>192.168.1.0\/24<\/code>,DNS \u6307\u5411\u8def\u7531\u5668 \u2192 \u76f4\u63a5:<\/p>\n<pre><code class=\"language-sh\">http:\/\/nas.lan:5000        # NAS \u7ba1\u7406\u53f0\nhttp:\/\/ha.lan:8123         # HomeAssistant\nhttp:\/\/jellyfin.lan:8096\n<\/code><\/pre>\n<p>\u65e0\u9700\u4efb\u4f55\u516c\u7f51\u66b4\u9732\u3002\u82e5\u60f3\u7528 HTTPS,\u5728 NAS\/\u670d\u52a1\u672c\u673a\u7528\u81ea\u7b7e\u8bc1\u4e66\u6216\u5185\u7f51 CA \u5373\u53ef(\u56e0\u4e3a\u53ea\u8d70\u96a7\u9053,\u8bc1\u4e66\u53ef\u4fe1\u5ea6\u7531\u4f60\u81ea\u5df1\u7684\u5ba2\u6237\u7aef\u51b3\u5b9a,\u89c1 \u00a76.4)\u3002<\/p>\n<h3 id=\"42-\u573a\u666f\u4e8c\u5916\u90e8\u7ba1\u7406\u5185\u7f51\u8bbe\u5907ssh-rdp\"><span class=\"ez-toc-section\" id=\"42_%E5%9C%BA%E6%99%AF%E4%BA%8C_%E5%A4%96%E9%83%A8%E7%AE%A1%E7%90%86%E5%86%85%E7%BD%91%E8%AE%BE%E5%A4%87SSH_RDP\"><\/span>4.2 
\u573a\u666f\u4e8c:\u5916\u90e8\u7ba1\u7406\u5185\u7f51\u8bbe\u5907(SSH \/ RDP)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u62e8\u5165 VPN \u540e\u76f4\u8fde\u5185\u7f51 IP:<\/p>\n<pre><code class=\"language-sh\"># SSH \u5230 Linux \u673a\u5668\nssh user@192.168.1.10\nssh user@nas.lan\n\n# RDP \u5230 Windows \u673a\u5668(\u5148\u5728\u76ee\u6807\u673a\u5f00\u542f\u8fdc\u7a0b\u684c\u9762)\n# Windows: \u8bbe\u7f6e &rarr; \u8fdc\u7a0b\u684c\u9762 &rarr; \u542f\u7528;\u5e76\u786e\u4fdd\u9632\u706b\u5899\u653e\u884c 3389(\u5185\u7f51\u5373\u53ef)\n# \u4ece\u5ba2\u6237\u7aef:\nxfreerdp \/v:192.168.1.20 \/u:username      # Linux\/macOS\n# \u6216 Windows \u81ea\u5e26&quot;\u8fdc\u7a0b\u684c\u9762\u8fde\u63a5&quot; &rarr; 192.168.1.20\n<\/code><\/pre>\n<blockquote>\n\u76ee\u6807\u673a\u53ea\u9700\u5728<strong>\u5185\u7f51<\/strong>\u653e\u884c\u5bf9\u5e94\u7aef\u53e3(SSH 22 \/ RDP 3389 \u7ed9 <code>192.168.1.0\/24<\/code> \u6216\u7ed9\u8def\u7531\u5668),\u65e0\u9700\u5bf9\u516c\u7f51\u5f00\u653e\u3002\n<\/blockquote>\n<h3 id=\"43-\u573a\u666f\u4e09\u5185\u7f51\u8bbe\u5907\u4e3b\u52a8\u8fde\u5916\u53cd\u5411\u5bb6\u91cc\u8bbf\u95ee\u624b\u673a\u4e0a\u7684\u670d\u52a1\"><span class=\"ez-toc-section\" id=\"43_%E5%9C%BA%E6%99%AF%E4%B8%89_%E5%86%85%E7%BD%91%E8%AE%BE%E5%A4%87%E4%B8%BB%E5%8A%A8%E8%BF%9E%E5%A4%96%E5%8F%8D%E5%90%91%E5%AE%B6%E9%87%8C%E8%AE%BF%E9%97%AE%E6%89%8B%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%9C%8D%E5%8A%A1\"><\/span>4.3 \u573a\u666f\u4e09:\u5185\u7f51\u8bbe\u5907\u4e3b\u52a8\u8fde\u5916(\u53cd\u5411,\u5bb6\u91cc\u8bbf\u95ee\u624b\u673a\u4e0a\u7684\u670d\u52a1)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>WireGuard \u662f\u70b9\u5bf9\u70b9\u96a7\u9053,<strong>\u4e00\u65e6\u624b\u673a\u62e8\u5165,\u96a7\u9053\u53cc\u5411\u53ef\u8fbe<\/strong>\u3002\u5bb6\u91cc\u8bbe\u5907\u8981\u8bbf\u95ee\u624b\u673a\u4e0a\u8dd1\u7684\u670d\u52a1(\u5982\u624b\u673a\u4e0a\u7684 Termux 
SSH\u3001AirDroid\u3001\u8c03\u8bd5\u670d\u52a1):<\/p>\n<ol>\n<li>\u624b\u673a\u5ba2\u6237\u7aef\u96a7\u9053\u5730\u5740\u56fa\u5b9a\u4e3a <code>10.200.0.2<\/code>(\u00a73.4 \u5df2\u6ce8\u518c)\u3002<\/li>\n<li>\u9632\u706b\u5899 \u00a72.4 \u5df2\u5f00 <code>lan&rarr;wg<\/code> forwarding\u3002<\/li>\n<li>\u624b\u673a\u4e0a\u7684\u670d\u52a1\u76d1\u542c <code>0.0.0.0<\/code> \u6216\u96a7\u9053\u5730\u5740 <code>10.200.0.2<\/code>\u3002<\/li>\n<li>\u5bb6\u91cc\u4efb\u610f\u8bbe\u5907:<pre><code class=\"language-sh\">ssh termux@10.200.0.2 -p 8022      # \u8fde\u624b\u673a Termux SSH\ncurl http:\/\/10.200.0.2:8080         # \u8fde\u624b\u673a\u4e0a\u7684\u670d\u52a1\n<\/code><\/pre>\n<\/li>\n<\/ol>\n<blockquote>\n\u5173\u952e:\u670d\u52a1\u7aef peer \u7684 <code>allowed_ips<\/code> \u5fc5\u987b\u5305\u542b <code>10.200.0.2\/32<\/code>(\u00a73.4 \u5df2\u505a),\u5426\u5219\u5bb6\u91cc\u53d1\u5f80 <code>10.200.0.2<\/code> \u7684\u5305\u4e0d\u77e5\u9053\u8def\u7531\u7ed9\u54ea\u4e2a peer\u3002\n<\/blockquote>\n<h3 id=\"44-\u573a\u666f\u56db\u591a\u7ad9\u70b9\u4e92\u8054\u5bb6-\u7236\u6bcd\u5bb6-\u89c1-5\"><span class=\"ez-toc-section\" id=\"44_%E5%9C%BA%E6%99%AF%E5%9B%9B_%E5%A4%9A%E7%AB%99%E7%82%B9%E4%BA%92%E8%81%94%E5%AE%B6_%E2%86%94_%E7%88%B6%E6%AF%8D%E5%AE%B6%E2%86%92_%E8%A7%81_%C2%A75\"><\/span>4.4 \u573a\u666f\u56db:\u591a\u7ad9\u70b9\u4e92\u8054(\u5bb6 \u2194 \u7236\u6bcd\u5bb6)\u2192 \u89c1 \u00a75<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<hr>\n<h2 id=\"5-\u591a\u7ad9\u70b9\u4e92\u8054\u7ad9\u70b9\u5bf9\u7ad9\u70b9-wireguard\"><span class=\"ez-toc-section\" id=\"5_%E5%A4%9A%E7%AB%99%E7%82%B9%E4%BA%92%E8%81%94%E7%AB%99%E7%82%B9%E5%AF%B9%E7%AB%99%E7%82%B9_WireGuard\"><\/span>5. 
\u591a\u7ad9\u70b9\u4e92\u8054(\u7ad9\u70b9\u5bf9\u7ad9\u70b9 WireGuard)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u4e24\u53f0 OpenWrt:\u7ad9\u70b9 A(\u5bb6,<code>router.example.com<\/code>)\u3001\u7ad9\u70b9 B(\u7236\u6bcd\u5bb6,<code>router-b.example.com<\/code>)\u3002\u8ba9 A \u7ad9\u7684\u8bbe\u5907\u80fd\u76f4\u63a5\u8bbf\u95ee B \u7ad9\u7684\u8bbe\u5907,\u53cd\u4e4b\u4ea6\u7136\u3002<\/p>\n<h3 id=\"51-\u524d\u63d0\"><span class=\"ez-toc-section\" id=\"51_%E5%89%8D%E6%8F%90\"><\/span>5.1 \u524d\u63d0<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>\u4e24\u7ad9 LAN \u6bb5<strong>\u4e0d\u91cd\u53e0<\/strong>(\u672c\u4f8b A=<code>192.168.1.0\/24<\/code>,B=<code>192.168.2.0\/24<\/code>)\u3002<\/li>\n<li>\u4e24\u7ad9 DDNS \u90fd\u914d\u597d(AAAA \u8bb0\u5f55\u6307\u5411\u5404\u81ea\u8def\u7531\u5668 GUA)\u3002<\/li>\n<li>\u4e24\u7ad9\u90fd\u6309 \u00a72 \u88c5\u597d WireGuard \u5e76\u6709 wg0 \u63a5\u53e3\u3002\u5efa\u8bae\u4e24\u7ad9 wg0 \u7528<strong>\u540c\u4e00\u96a7\u9053\u7f51\u6bb5<\/strong>\u4e0d\u540c\u5730\u5740:A=<code>10.200.0.1<\/code>,B=<code>10.200.0.2<\/code>\u3002<\/li>\n<\/ul>\n<blockquote>\n\u82e5 A \u7684 wg0 \u5df2\u662f <code>10.200.0.1<\/code> \u5e76\u670d\u52a1\u7740\u624b\u673a\u5ba2\u6237\u7aef,\u53ea\u9700\u628a B \u4e5f\u63a5\u8fdb\u8fd9\u4e2a wg0(\u4f5c\u4e3a\u53e6\u4e00\u4e2a peer)\u5373\u53ef\u3002\u4f46\u540c\u4e00\u4e2a\u96a7\u9053\u5730\u5740\u4e0d\u80fd\u540c\u65f6\u51fa\u73b0\u5728\u4e24\u4e2a peer \u7684 <code>allowed_ips<\/code> \u91cc:\u82e5 \u00a73.4 \u5df2\u628a <code>10.200.0.2<\/code> \u5206\u7ed9\u624b\u673a,B \u7ad9\u7684 wg0 \u8981\u6539\u7528\u53e6\u4e00\u4e2a\u672a\u5360\u7528\u7684\u5730\u5740,\u00a75.2 \u548c \u00a75.3 \u91cc\u7684 <code>10.200.0.2<\/code> \u4e5f\u8981\u76f8\u5e94\u66ff\u6362\u3002\u4e0b\u9762\u5047\u8bbe\u8fd9\u79cd&#8221;\u4e00\u53f0\u8def\u7531\u5668 wg0 \u65e2\u662f\u63a5\u5165\u670d\u52a1\u7aef\u53c8\u662f\u7ad9\u70b9 peer&#8221;\u7684\u5e38\u89c1\u7ed3\u6784\u3002\n<\/blockquote>\n<h3 id=\"52-\u7ad9\u70b9-a\u5bb6\u914d\u7f6e-b-\u4e3a-peer\"><span class=\"ez-toc-section\" id=\"52_%E7%AB%99%E7%82%B9_A%E5%AE%B6%E9%85%8D%E7%BD%AE_B_%E4%B8%BA_peer\"><\/span>5.2 \u7ad9\u70b9 A(\u5bb6)\u914d\u7f6e B \u4e3a peer<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre><code class=\"language-sh\">uci add network wireguard_wg0\nuci set network.@wireguard_wg0[-1].description=&#039;site-B&#039;\nuci set 
network.@wireguard_wg0[-1].public_key=&#039;&lt;B\u7684\u516c\u94a5&gt;&#039;\nuci set network.@wireguard_wg0[-1].preshared_key=&quot;$(cat \/etc\/wireguard\/pskAB.txt)&quot;\n# \u5173\u952e:\u628a B \u7ad9\u7684 LAN \u6bb5\u548c B \u7684\u96a7\u9053\u5730\u5740\u90fd\u653e\u8fdb allowed_ips\nuci add_list network.@wireguard_wg0[-1].allowed_ips=&#039;10.200.0.2\/32&#039;\nuci add_list network.@wireguard_wg0[-1].allowed_ips=&#039;192.168.2.0\/24&#039;\nuci add_list network.@wireguard_wg0[-1].allowed_ips=&#039;fd00:cafe:2::\/64&#039;\n# \u7ad9\u70b9 B \u6ca1\u6709\u516c\u7f51 v4 \u65f6,\u7ed9 endpoint \u7528\u5b83\u7684 DDNS \u57df\u540d + keepalive \u7ef4\u6301\nuci set network.@wireguard_wg0[-1].endpoint_host=&#039;router-b.example.com&#039;\nuci set network.@wireguard_wg0[-1].endpoint_port=&#039;51820&#039;\nuci set network.@wireguard_wg0[-1].persistent_keepalive=&#039;25&#039;\nuci commit network\nifdown wg0 &amp;&amp; ifup wg0\n<\/code><\/pre>\n<h3 id=\"53-\u7ad9\u70b9-b-\u914d\u7f6e-a-\u4e3a-peer\u5bf9\u79f0\"><span class=\"ez-toc-section\" id=\"53_%E7%AB%99%E7%82%B9_B_%E9%85%8D%E7%BD%AE_A_%E4%B8%BA_peer%E5%AF%B9%E7%A7%B0\"><\/span>5.3 \u7ad9\u70b9 B \u914d\u7f6e A \u4e3a peer(\u5bf9\u79f0)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u5728\u7ad9\u70b9 B \u7684 OpenWrt \u4e0a(\u5047\u8bbe\u5b83\u7684 wg0 \u5730\u5740\u662f <code>10.200.0.2<\/code>):<\/p>\n<pre><code class=\"language-sh\">uci add network wireguard_wg0\nuci set network.@wireguard_wg0[-1].description=&#039;site-A&#039;\nuci set network.@wireguard_wg0[-1].public_key=&#039;&lt;A\u7684\u516c\u94a5&gt;&#039;\nuci set network.@wireguard_wg0[-1].preshared_key=&quot;$(cat \/etc\/wireguard\/pskAB.txt)&quot;\nuci add_list network.@wireguard_wg0[-1].allowed_ips=&#039;10.200.0.1\/32&#039;\nuci add_list network.@wireguard_wg0[-1].allowed_ips=&#039;192.168.1.0\/24&#039;\nuci add_list network.@wireguard_wg0[-1].allowed_ips=&#039;fd00:cafe:1::\/64&#039;\nuci set 
network.@wireguard_wg0[-1].endpoint_host=&#039;router.example.com&#039;\nuci set network.@wireguard_wg0[-1].endpoint_port=&#039;51820&#039;\nuci set network.@wireguard_wg0[-1].persistent_keepalive=&#039;25&#039;\nuci commit network\nifdown wg0 &amp;&amp; ifup wg0\n<\/code><\/pre>\n<h3 id=\"54-\u4e24\u7ad9\u9632\u706b\u5899\u5141\u8bb8-wglan\"><span class=\"ez-toc-section\" id=\"54_%E4%B8%A4%E7%AB%99%E9%98%B2%E7%81%AB%E5%A2%99_%E5%85%81%E8%AE%B8_wg%E2%86%94lan\"><\/span>5.4 \u4e24\u7ad9\u9632\u706b\u5899:\u5141\u8bb8 wg\u2194lan<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u4e24\u7ad9\u90fd\u6267\u884c(\u4e0e \u00a72.4 \u7684 wg\u2194lan forwarding \u76f8\u540c,\u82e5\u5df2\u5efa wg \u533a\u57df\u5219\u5df2\u6709):<\/p>\n<pre><code class=\"language-sh\"># \u82e5\u8fd8\u6ca1\u5efa wg \u533a\u57df,\u53c2\u8003 &sect;2.4\u3002\u5df2\u6709\u5219\u53ea\u9700\u786e\u4fdd forwarding \u5b58\u5728:\nuci add firewall forwarding; uci set firewall.@forwarding[-1].src=&#039;wg&#039;; uci set firewall.@forwarding[-1].dest=&#039;lan&#039;\nuci add firewall forwarding; uci set firewall.@forwarding[-1].src=&#039;lan&#039;; uci set firewall.@forwarding[-1].dest=&#039;wg&#039;\nuci commit firewall; \/etc\/init.d\/firewall restart\n<\/code><\/pre>\n<h3 id=\"55-\u5173\u952e\u5173\u95ed\u4e24\u7ad9\u4e4b\u95f4\u7684-icmp\u8def\u7531\u9650\u5236-\u5141\u8bb8\u8f6c\u53d1\"><span class=\"ez-toc-section\" id=\"55_%E5%85%B3%E9%94%AE%E5%85%B3%E9%97%AD%E4%B8%A4%E7%AB%99%E4%B9%8B%E9%97%B4%E7%9A%84_ICMP%E8%B7%AF%E7%94%B1%E9%99%90%E5%88%B6_%E5%85%81%E8%AE%B8%E8%BD%AC%E5%8F%91\"><\/span>5.5 (\u5173\u952e)\u5173\u95ed\u4e24\u7ad9\u4e4b\u95f4\u7684 ICMP\/\u8def\u7531\u9650\u5236 + \u5141\u8bb8\u8f6c\u53d1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u786e\u4fdd\u5185\u6838\u8f6c\u53d1\u5f00\u542f(OpenWrt \u9ed8\u8ba4\u5f00):<\/p>\n<pre><code class=\"language-sh\">cat \/proc\/sys\/net\/ipv4\/ip_forward          # \u5e94\u4e3a 1\ncat \/proc\/sys\/net\/ipv6\/conf\/all\/forwarding # 
\u5e94\u4e3a 1\n<\/code><\/pre>\n<h3 id=\"56-\u9a8c\u8bc1\"><span class=\"ez-toc-section\" id=\"56_%E9%AA%8C%E8%AF%81\"><\/span>5.6 \u9a8c\u8bc1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre><code class=\"language-sh\"># \u5728 A \u7ad9\u8def\u7531\u5668\u4e0a\nwg show                       # \u770b\u5230 site-B peer \u6709\u6700\u65b0\u63e1\u624b + rx\/tx \u8ba1\u6570\nping 192.168.2.1              # ping \u901a B \u7ad9\u8def\u7531\u5668\n# \u5728 A \u7ad9\u67d0\u53f0 LAN \u8bbe\u5907\u4e0a\nping 192.168.2.x              # ping \u901a B \u7ad9\u5185\u7f51\u8bbe\u5907\nssh user@192.168.2.x          # \u76f4\u63a5 SSH \u5230\u7236\u6bcd\u5bb6\u8bbe\u5907\n<\/code><\/pre>\n<blockquote>\n\u4e09\u7ad9\u53ca\u4ee5\u4e0a\u540c\u7406:\u6bcf\u4e24\u7ad9\u4e92\u6307 peer,<code>allowed_ips<\/code> \u5199\u5bf9\u65b9\u6240\u6709\u5185\u7f51\u6bb5\u3002\u6ce8\u610f<strong>\u522b\u6210\u73af<\/strong>,\u5fc5\u8981\u65f6\u7528\u66f4\u7cbe\u786e\u7684\u8def\u7531 \/ \u8c03\u6574 allowed_ips\u3002\n<\/blockquote>\n<hr>\n<h2 id=\"6-\u5b89\u5168\u52a0\u56fa\u5168-vpn-\u67b6\u6784\u4e0b\u7684\u7eb5\u6df1\u9632\u5fa1\"><span class=\"ez-toc-section\" id=\"6_%E5%AE%89%E5%85%A8%E5%8A%A0%E5%9B%BA%E5%85%A8_VPN_%E6%9E%B6%E6%9E%84%E4%B8%8B%E7%9A%84%E7%BA%B5%E6%B7%B1%E9%98%B2%E5%BE%A1\"><\/span>6. 
\u5b89\u5168\u52a0\u56fa(\u5168 VPN \u67b6\u6784\u4e0b\u7684\u7eb5\u6df1\u9632\u5fa1)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<blockquote>\n\u5373\u4f7f&#8221;\u53ea\u66b4\u9732\u4e00\u4e2a WG \u7aef\u53e3&#8221;,\u4e5f\u8981\u6309&#8221;\u8fd9\u4e2a\u7aef\u53e3\u8fdf\u65e9\u4f1a\u88ab\u53d1\u73b0&#8221;\u6765\u8bbe\u9632\u3002\n<\/blockquote>\n<h3 id=\"61-wireguard-\u81ea\u8eab\"><span class=\"ez-toc-section\" id=\"61_WireGuard_%E8%87%AA%E8%BA%AB\"><\/span>6.1 WireGuard \u81ea\u8eab<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><strong>PSK \u5fc5\u52a0<\/strong>(\u00a73.2),\u6297\u672a\u6765\u91cf\u5b50\u6cc4\u9732\u3002<\/li>\n<li><strong>\u79c1\u94a5\u6743\u9650<\/strong> <code>chmod 600<\/code>,<strong>\u4e0d\u4e0a\u4f20\u516c\u7f51\u4ed3\u5e93\/\u4e91\u7b14\u8bb0<\/strong>\u3002\u5efa\u8bae\u79bb\u7ebf\u4fdd\u7ba1(\u5982\u52a0\u5bc6 U \u76d8)\u3002<\/li>\n<li><strong>\u7aef\u53e3\u53ef\u6539\u975e 51820<\/strong>(\u964d\u4f4e\u626b\u63cf\u566a\u58f0):\u6539 <code>listen_port<\/code> \u4e0e\u9632\u706b\u5899\u653e\u884c\u7aef\u53e3\u5373\u53ef\u3002<\/li>\n<li><strong>peer \u5217\u8868\u6700\u5c0f\u5316<\/strong>:\u79bb\u804c\/\u5356\u6389\u7684\u8bbe\u5907\u7acb\u523b\u5220 peer(<code>uci delete network.@wireguard_wg0[N]<\/code>)\u3002<\/li>\n<li><strong>\u5ba2\u6237\u7aef <code>AllowedIPs<\/code> \u7528\u6700\u5c0f\u96c6<\/strong>:\u53ea\u653e\u9700\u8981\u8bbf\u95ee\u7684\u5185\u7f51\u6bb5,\u522b\u56fe\u7701\u4e8b\u5168 <code>0.0.0.0\/0<\/code>(\u9664\u975e\u4f60\u771f\u8981\u5168\u6d41\u91cf\u8d70\u5bb6)\u3002<\/li>\n<\/ul>\n<h3 id=\"62-\u8fb9\u754c\u9632\u706b\u5899\"><span class=\"ez-toc-section\" id=\"62_%E8%BE%B9%E7%95%8C%E9%98%B2%E7%81%AB%E5%A2%99\"><\/span>6.2 \u8fb9\u754c\u9632\u706b\u5899<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><code>wan<\/code> \u533a\u57df <code>INPUT<\/code>\/<code>FORWARD<\/code> \u9ed8\u8ba4 <strong>DROP<\/strong>,\u4ec5\u653e\u884c 
<code>51820\/udp<\/code>(\u00a72.4)\u3002<\/li>\n<li><strong>\u5173\u95ed UPnP \/ NAT-PMP<\/strong>:<code>\/etc\/config\/upnpd<\/code> \u5220\u9664\u6216\u7981\u7528\u670d\u52a1,\u9632\u6b62\u5185\u7f51\u7a0b\u5e8f\u81ea\u884c\u5f00\u6d1e\u3002<pre><code class=\"language-sh\">\/etc\/init.d\/miniupnpd disable &amp;&amp; \/etc\/init.d\/miniupnpd stop\n<\/code><\/pre>\n<\/li>\n<li><strong>ICMPv6 \u5fc5\u9700\u7c7b\u578b\u653e\u884c<\/strong>(ND\/PMtuD:\u7c7b\u578b 1\/2\/3\/4\/128\/129\/133-137),\u5426\u5219 IPv6 \u5f02\u5e38;echo-reply \u53ef\u9009\u5173\u95ed\u9632\u626b\u63cf\u3002<\/li>\n<li><strong>LuCI \/ SSH \u7edd\u4e0d\u76d1\u542c WAN<\/strong>:<code>\/etc\/config\/uhttpd<\/code> \u76d1\u542c\u5730\u5740\u53ea\u7ed1\u5185\u7f51;<code>dropbear<\/code> \u540c\u7406\u3002<\/li>\n<\/ul>\n<h3 id=\"63-\u8def\u7531\u5668\u52a0\u56fa\"><span class=\"ez-toc-section\" id=\"63_%E8%B7%AF%E7%94%B1%E5%99%A8%E5%8A%A0%E5%9B%BA\"><\/span>6.3 \u8def\u7531\u5668\u52a0\u56fa<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre><code class=\"language-sh\"># \u6539\u5f3a root \u5bc6\u7801\npasswd\n\n# \u7528 SSH key \u767b\u5f55,\u7981\u5bc6\u7801(\/etc\/config\/dropbear)\n# \u5148\u653e\u597d authorized_keys \u518d\u7981\u5bc6\u7801!\u5426\u5219\u4f1a\u9501\u6b7b\nmkdir -p \/etc\/dropbear\ncp your_pubkey \/etc\/dropbear\/authorized_keys\nuci set dropbear.@dropbear[0].PasswordAuth=&#039;off&#039;\nuci set dropbear.@dropbear[0].RootPasswordAuth=&#039;off&#039;\nuci commit dropbear; \/etc\/init.d\/dropbear restart\n<\/code><\/pre>\n<ul>\n<li>\u5173\u95ed\u4e0d\u7528\u7684\u670d\u52a1:telnet\u3001tftp\u3001\u65e7 uhttpd \u7aef\u53e3\u3002<\/li>\n<li>\u53ca\u65f6\u66f4\u65b0:<code>apk update &amp;&amp; apk upgrade<\/code>(apk,25.x)\u6216 <code>opkg update &amp;&amp; opkg upgrade<\/code>(opkg,\u65e7\u7248),\u5173\u6ce8 OpenWrt \u5b89\u5168\u7248\u672c\u3002<\/li>\n<li>\u5907\u4efd\u542b\u5bc6\u94a5:<code>sysupgrade -b<\/code> \u5bfc\u51fa\u7684 tar 
\u91cc\u6709\u79c1\u94a5,\u79bb\u7ebf\u4fdd\u7ba1\u3002<\/li>\n<\/ul>\n<h3 id=\"64-\u670d\u52a1\u4fa7\u5373\u4f7f\u53ea\u5728\u5185\u7f51\"><span class=\"ez-toc-section\" id=\"64_%E6%9C%8D%E5%8A%A1%E4%BE%A7%E5%8D%B3%E4%BD%BF%E5%8F%AA%E5%9C%A8%E5%86%85%E7%BD%91\"><\/span>6.4 \u670d\u52a1\u4fa7(\u5373\u4f7f\u53ea\u5728\u5185\u7f51)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>NAS\/HA\/Jellyfin \u4ecd\u8981<strong>\u5f3a\u5bc6\u7801 + 2FA<\/strong>,\u56e0\u4e3a VPN \u5185\u7684\u8bbe\u5907\u4e5f\u53ef\u80fd\u88ab compromise(\u5982\u624b\u673a\u4e22\u4e86)\u3002<\/li>\n<li>\u654f\u611f\u670d\u52a1\u8d70 HTTPS(\u81ea\u7b7e\u8bc1\u4e66\u6216\u81ea\u5efa CA),\u9632 VPN \u5185\u55c5\u63a2\u3002<\/li>\n<li><strong>IoT \u9694\u79bb<\/strong>:\u6444\u50cf\u5934\/\u626b\u5730\u673a\u653e\u72ec\u7acb VLAN(\u89c1 \u00a77),\u7981\u6b62\u5176\u8bbf\u95ee <code>lan<\/code>\/<code>wg<\/code>,\u4ec5\u5141\u8bb8 <code>iot&rarr;wan<\/code>\u3002<\/li>\n<\/ul>\n<h3 id=\"65-dnspod-ddns-\u51ed\u8bc1\u6700\u5c0f\u6743\u9650\"><span class=\"ez-toc-section\" id=\"65_DNSPod_DDNS_%E5%87%AD%E8%AF%81%E6%9C%80%E5%B0%8F%E6%9D%83%E9%99%90\"><\/span>6.5 DNSPod DDNS \u51ed\u8bc1\u6700\u5c0f\u6743\u9650<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>\u817e\u8baf\u4e91 \u2192 \u8bbf\u95ee\u7ba1\u7406 CAM \u2192 \u65b0\u5efa\u5b50\u7528\u6237 \u2192 \u53ea\u6388\u4e88 <strong><code>QcloudDNSPodFullAccess<\/code><\/strong> \u6216\u66f4\u7cbe\u7ec6\u7684&#8221;\u4ec5\u6307\u5b9a\u57df\u7684\u8bb0\u5f55\u7f16\u8f91&#8221;\u81ea\u5b9a\u4e49\u7b56\u7565\u3002<\/li>\n<li><strong>\u4e0d\u8981\u7528\u4e3b\u8d26\u53f7 API \u5bc6\u94a5<\/strong>\u3002<\/li>\n<li>SecretId\/SecretKey \u5b58\u8def\u7531\u5668\u811a\u672c\u91cc <code>chmod 600<\/code>,\u4e14<strong>\u4e0d\u8981\u6253\u5370\u5230\u65e5\u5fd7\/\u5907\u4efd<\/strong>\u3002<\/li>\n<li>\u5b9a\u671f\u8f6e\u6362;\u76d1\u63a7\u66f4\u65b0\u5931\u8d25(\u524d\u7f00\u53d8\u4e86\u4f46\u66f4\u65b0\u5931\u8d25 \u2192 
\u57df\u540d\u6307\u5411\u65e7\u5730\u5740 \u2192 VPN \u65ad)\u3002<\/li>\n<\/ul>\n<h3 id=\"66-\u5ba2\u6237\u7aef\u5b89\u5168\"><span class=\"ez-toc-section\" id=\"66_%E5%AE%A2%E6%88%B7%E7%AB%AF%E5%AE%89%E5%85%A8\"><\/span>6.6 \u5ba2\u6237\u7aef\u5b89\u5168<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>\u624b\u673a\/\u7535\u8111\u7cfb\u7edf\u5168\u76d8\u52a0\u5bc6\u3001\u9501\u5c4f\u5bc6\u7801\u3002<\/li>\n<li>WireGuard \u914d\u7f6e\u6587\u4ef6\u542b\u79c1\u94a5,\u4f20\u8f93\u7528\u52a0\u5bc6\u6e20\u9053,\u7528\u5b8c\u5373\u5220\u3002<\/li>\n<li>\u516c\u53f8\u8bbe\u5907\u522b\u957f\u671f\u6302\u7740\u5bb6 VPN,\u907f\u514d\u5bb6\u5185\u7f51\u88ab\u516c\u53f8 MDM \u98ce\u9669\u6ce2\u53ca\u3002<\/li>\n<\/ul>\n<hr>\n<h2 id=\"7-\u6027\u80fd\u74f6\u9888\u4e0e\u786c\u4ef6\u9009\u578b\u91cd\u8981\u5148\u770b\u518d\u6392\u67e5\u901f\u5ea6\"><span class=\"ez-toc-section\" id=\"7_%E6%80%A7%E8%83%BD%E7%93%B6%E9%A2%88%E4%B8%8E%E7%A1%AC%E4%BB%B6%E9%80%89%E5%9E%8B%E9%87%8D%E8%A6%81_%E5%85%88%E7%9C%8B%E5%86%8D%E6%8E%92%E6%9F%A5%E9%80%9F%E5%BA%A6\"><\/span>7. 
\u6027\u80fd\u74f6\u9888\u4e0e\u786c\u4ef6\u9009\u578b(\u91cd\u8981:\u5148\u770b\u518d\u6392\u67e5\u901f\u5ea6)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<blockquote><strong>\u5b9e\u6d4b\u6848\u4f8b:\u5c0f\u7c73\u8def\u7531\u5668 4C(MT7628N \u5355\u6838 580MHz\u300164MB \u5185\u5b58\u300116MB flash)\u8dd1 WireGuard,\u901f\u5ea6\u4ec5 15-25 Mbps,CPU 100% \u6ee1\u8f7d\u3002<\/strong> \u8fd9\u662f\u786c\u4ef6\u6781\u9650,\u4efb\u4f55\u914d\u7f6e\u8c03\u6574\u90fd\u65e0\u6cd5\u7a81\u7834\u3002\u672c\u8282\u5e2e\u4f60\u5224\u65ad\u81ea\u5df1\u662f\u5426\u649e\u5230\u786c\u4ef6\u5899\u3002\n<\/blockquote>\n<h3 id=\"71-\u600e\u4e48\u5224\u65ad\u662f\u4e0d\u662f\u786c\u4ef6\u74f6\u9888\"><span class=\"ez-toc-section\" id=\"71_%E6%80%8E%E4%B9%88%E5%88%A4%E6%96%AD%E6%98%AF%E4%B8%8D%E6%98%AF%E7%A1%AC%E4%BB%B6%E7%93%B6%E9%A2%88\"><\/span>7.1 \u600e\u4e48\u5224\u65ad\u662f\u4e0d\u662f\u786c\u4ef6\u74f6\u9888<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u8dd1 WG \u4f20\u5927\u6587\u4ef6\u65f6,\u5728\u8def\u7531\u5668\u4e0a\u770b CPU:<\/p>\n<pre><code class=\"language-sh\">top -d 2 -n 3\n<\/code><\/pre>\n<p>\u82e5\u770b\u5230(\u5178\u578b\u786c\u4ef6\u74f6\u9888\u7279\u5f81):<\/p>\n<pre><code>CPU: 0% usr  60% sys  0% idle  40% sirq        &larr; idle 0%,\u6ee1\u8f7d\n[kworker\/0:2+wg-]  36%                          &larr; WG \u52a0\u5bc6\u5185\u6838\u7ebf\u7a0b\u5360\u5927\u5934\n[kworker\/0:1+wg-]  29%\n[ksoftirqd\/0]      11%\nLoad average: 4.36                              &larr; \u5355\u6838\u8d1f\u8f7d 4 \u500d,\u4e25\u91cd\u8fc7\u8f7d\nnetifd  D \u72b6\u6001                                   &larr; D=\u4e0d\u53ef\u4e2d\u65ad,CPU \u592a\u5fd9\u8fde netifd \u90fd\u5361\n<\/code><\/pre>\n<p><code>wg-<\/code> \u5185\u6838 worker \u5360\u6ee1 CPU + <code>idle 0%<\/code> = <strong>CPU \u52a0\u5bc6\u5230\u9876,\u7eaf\u786c\u4ef6\u74f6\u9888<\/strong>\u3002\u914d\u7f6e\u5c42\u9762\u65e0\u89e3\u3002<\/p>\n<h3 
id=\"72-\u5404\u7ea7\u786c\u4ef6\u7684-wireguard-\u901f\u5ea6\u5929\u82b1\u677f\"><span class=\"ez-toc-section\" id=\"72_%E5%90%84%E7%BA%A7%E7%A1%AC%E4%BB%B6%E7%9A%84_WireGuard_%E9%80%9F%E5%BA%A6%E5%A4%A9%E8%8A%B1%E6%9D%BF\"><\/span>7.2 \u5404\u7ea7\u786c\u4ef6\u7684 WireGuard \u901f\u5ea6\u5929\u82b1\u677f<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<table>\n<thead>\n<tr>\n<th>\u786c\u4ef6<\/th>\n<th>\u5178\u578b\u673a\u578b<\/th>\n<th>WG \u901f\u5ea6<\/th>\n<th>\u5907\u6ce8<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>MT7628N \u5355\u6838<\/td>\n<td>\u5c0f\u7c734C\u3001NW702 \u7b49<\/td>\n<td>15-25 Mbps<\/td>\n<td>\u5165\u95e8\u7ea7,\u8dd1 WG \u52c9\u5f3a,\u53ea\u591f\u8f7b\u91cf\u7ba1\u7406<\/td>\n<\/tr>\n<tr>\n<td>MT7621AT \u53cc\u6838<\/td>\n<td>\u7ea2\u7c73 AC2100\u3001Newifi3\u3001K2P<\/td>\n<td>150-250 Mbps<\/td>\n<td>\u6027\u4ef7\u6bd4\u4e4b\u9009,\u65e5\u5e38\u591f\u7528<\/td>\n<\/tr>\n<tr>\n<td>MT7621 + \u786c\u4ef6\u52a0\u5bc6<\/td>\n<td>\u90e8\u5206\u578b\u53f7<\/td>\n<td>\u7565\u63d0\u5347<\/td>\n<td>WG \u7528 ChaCha20,\u591a\u6570\u786c\u4ef6\u52a0\u5bc6\u5f15\u64ce\u53ea\u652f\u6301 AES,\u5e2e\u4e0d\u4e0a<\/td>\n<\/tr>\n<tr>\n<td>MT7981\/7986<\/td>\n<td>\u7ea2\u7c73 AX6000\u3001GL.iNet Flint2<\/td>\n<td>300-500 Mbps<\/td>\n<td>\u73b0\u4ee3 WiFi6,\u4e3b\u6d41\u63a8\u8350<\/td>\n<\/tr>\n<tr>\n<td>IPQ8074<\/td>\n<td>\u5c0f\u7c73 AX9000<\/td>\n<td>500-700 Mbps<\/td>\n<td>\u9ad8\u7aef<\/td>\n<\/tr>\n<tr>\n<td>x86 N100\/J4125<\/td>\n<td>\u8f6f\u8def\u7531<\/td>\n<td>~1 Gbps<\/td>\n<td>\u8dd1\u6ee1\u5343\u5146<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<blockquote><strong>\u6ce8\u610f:WireGuard \u7528 ChaCha20-Poly1305<\/strong>,\u591a\u6570\u8def\u7531\u5668\u7684\u786c\u4ef6\u52a0\u5bc6\u5f15\u64ce\u53ea\u52a0\u901f AES(\u7ed9 IPSec\/OpenVPN \u7528),<strong>\u5bf9 WG \u5e2e\u4e0d\u4e0a<\/strong>\u3002\u6240\u4ee5 WG \u901f\u5ea6\u4e3b\u8981\u770b CPU 
\u6838\u6570\u548c\u4e3b\u9891,\u4e0d\u80fd\u53ea\u770b&#8221;\u6709\u786c\u4ef6\u52a0\u5bc6&#8221;\u3002\n<\/blockquote>\n<h3 id=\"73-\u8f6f\u4f18\u5316\u649e\u5899\u524d\u7684\u8c03\u4f18\u6709\u9650\u63d0\u5347\"><span class=\"ez-toc-section\" id=\"73_%E8%BD%AF%E4%BC%98%E5%8C%96%E6%92%9E%E5%A2%99%E5%89%8D%E7%9A%84%E8%B0%83%E4%BC%98%E6%9C%89%E9%99%90%E6%8F%90%E5%8D%87\"><\/span>7.3 \u8f6f\u4f18\u5316(\u649e\u5899\u524d\u7684\u8c03\u4f18,\u6709\u9650\u63d0\u5347)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ol>\n<li><strong>\u6539 split tunnel(\u6700\u6709\u6548)<\/strong>:\u5ba2\u6237\u7aef <code>AllowedIPs<\/code> \u7528\u5177\u4f53\u5185\u7f51\u6bb5,\u800c\u975e <code>0.0.0.0\/0<\/code>\u3002\u8fd9\u6837\u4e0a\u7f51\u6d41\u91cf\u4e0d\u8d70 VPN\u3001\u4e0d\u7ecf\u8def\u7531\u5668\u52a0\u5bc6,CPU \u53ea\u5904\u7406\u5185\u7f51\u8bbf\u95ee\u6d41\u91cf\u3002<code>0.0.0.0\/0<\/code> \u5168\u6d41\u91cf\u6a21\u5f0f\u8ba9 CPU \u540c\u65f6\u5e72\u52a0\u5bc6+NAT,\u96ea\u4e0a\u52a0\u971c\u3002<\/li>\n<li><strong>\u8c03\u5927 MTU<\/strong>:<code>MTU = 1420<\/code>(\u94fe\u8def 1500)\u6216 <code>1412<\/code>(PPPoE 1492)\u3002<code>1280<\/code> \u5305\u591a\u4e2d\u65ad\u591a\u3001CPU \u5fd9\u3002\u6d4b MTU:<code>ping -M do -s 1392 10.200.0.1<\/code>\u3002<\/li>\n<li><strong>\u5173\u6389\u4e0d\u7528\u7684\u670d\u52a1\u817e CPU\/\u5185\u5b58<\/strong>:\u5982\u540c\u65f6\u8dd1 ZeroTier(\u548c WG \u529f\u80fd\u91cd\u53e0)\u3001UPnP \u7b49\u3002<code>top<\/code> \u770b\u8c01\u5360\u8d44\u6e90,\u4e0d\u7528\u5c31 <code>disable<\/code>\u3002<\/li>\n<li><strong>IPv6 \u4e0d\u8d70 VPN \u51fa\u53e3<\/strong>:\u96a7\u9053\u5730\u5740\u7528 ULA(\u516c\u7f51\u4e0d\u53ef\u8def\u7531),WG \u5ba2\u6237\u7aef v6 \u51fa\u516c\u7f51\u7528\u5ba2\u6237\u7aef\u672c\u5730 v6,\u4e0d\u505a NAT66\u3002\u8fd9\u907f\u514d\u4e86 NAT66 \u7684 CPU \u5f00\u9500\u548c\u53cd\u6a21\u5f0f\u5751\u3002<\/li>\n<\/ol>\n<h3 
id=\"74-\u786c\u7a81\u7834\u628a-wg-\u670d\u52a1\u7aef\u632a\u5230\u5f3a\u8bbe\u5907\"><span class=\"ez-toc-section\" id=\"74_%E7%A1%AC%E7%AA%81%E7%A0%B4_%E6%8A%8A_WG_%E6%9C%8D%E5%8A%A1%E7%AB%AF%E6%8C%AA%E5%88%B0%E5%BC%BA%E8%AE%BE%E5%A4%87\"><\/span>7.4 \u786c\u7a81\u7834:\u628a WG \u670d\u52a1\u7aef\u632a\u5230\u5f3a\u8bbe\u5907<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u8def\u7531\u5668 CPU \u5f31\u4f46\u5bb6\u91cc\u6709\u5f3a\u8bbe\u5907(NAS\u3001\u5c0f\u4e3b\u673a\u3001\u6811\u8393\u6d3e4\u3001\u5e38\u5f00\u7535\u8111)\u65f6,<strong>WG \u670d\u52a1\u7aef\u8dd1\u5728\u5f3a\u8bbe\u5907\u4e0a,\u8def\u7531\u5668\u53ea\u505a\u7aef\u53e3\u8f6c\u53d1<\/strong>,\u52a0\u5bc6\u8d1f\u62c5\u8f6c\u79fb:<\/p>\n<ul>\n<li>\u5f3a\u8bbe\u5907(\u5982 NAS)\u88c5 WireGuard,\u76d1\u542c 10520<\/li>\n<li>\u8def\u7531\u5668\u628a\u516c\u7f51 10520\/udp \u8f6c\u53d1\u5230\u5f3a\u8bbe\u5907\u5185\u7f51 IP<\/li>\n<li>\u624b\u673a\u62e8\u8def\u7531\u5668\u516c\u7f51\u5730\u5740:10520 \u2192 \u8def\u7531\u5668\u8f6c\u53d1 \u2192 \u5f3a\u8bbe\u5907\u52a0\u5bc6<\/li>\n<li>\u901f\u5ea6\u7531\u5f3a\u8bbe\u5907\u51b3\u5b9a,\u901a\u5e38\u80fd\u8dd1\u6ee1\u767e\u5146\u751a\u81f3\u5343\u5146<\/li>\n<\/ul>\n<pre><code># OpenWrt \u7aef\u53e3\u8f6c\u53d1(v4;v6 \u573a\u666f\u8ba9\u5f3a\u8bbe\u5907\u76f4\u63a5\u62ff GUA \u76d1\u542c\u66f4\u4f18)\nconfig redirect\n    option name &#039;WG-to-NAS&#039;\n    option src &#039;wan&#039;\n    option src_dport &#039;10520&#039;\n    option dest &#039;lan&#039;\n    option dest_ip &#039;192.168.1.50&#039;      # \u5f3a\u8bbe\u5907\u5185\u7f51 IP\n    option dest_port &#039;10520&#039;\n    option proto &#039;udp&#039;\n<\/code><\/pre>\n<h3 id=\"75-\u8fc1\u79fb\u6848\u4f8b\u5c0f\u7c734c-\u7ea2\u7c73-ac2100\"><span class=\"ez-toc-section\" id=\"75_%E8%BF%81%E7%A7%BB%E6%A1%88%E4%BE%8B_%E5%B0%8F%E7%B1%B34C_%E2%86%92_%E7%BA%A2%E7%B1%B3_AC2100\"><\/span>7.5 \u8fc1\u79fb\u6848\u4f8b:\u5c0f\u7c734C \u2192 \u7ea2\u7c73 AC2100<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u82e5\u624b\u5934\u6709\u66f4\u5f3a\u8def\u7531\u5668(\u5982\u7ea2\u7c73 AC2100,MT7621 \u53cc\u6838),<strong>\u76f4\u63a5\u8ba9\u5b83\u5f53\u4e3b\u8def\u7531\u8dd1 WG<\/strong>,4C \u9000\u4e8c\u7ebf\u3002\u901f\u5ea6\u4ece 20M \u63d0\u5230 150-250M(7-10 \u500d),CPU \u4e0d\u518d\u6ee1\u8f7d,\u5185\u5b58 128M \u5bbd\u88d5\u3002<\/p>\n<p>\u8fc1\u79fb\u8981\u70b9:<\/p>\n<ol>\n<li>AC2100 \u5237 OpenWrt\/ImmortalWrt(\u539f\u5382\u4e0d\u652f\u6301 WG)\u3002<\/li>\n<li>AC2100 \u63a5\u5149\u732b\/\u4e0a\u7ea7\u7f51\u7edc,\u91cd\u505a \u00a72 \u5168\u90e8\u914d\u7f6e\u3002<\/li>\n<li><strong>\u5bc6\u94a5\u53ef\u590d\u7528<\/strong>:\u5728 4C \u5bfc\u51fa <code>uci show network.wg0<\/code>\u3001<code>server.key<\/code>\u3001<code>psk.txt<\/code>,\u5728 AC2100 \u7528\u76f8\u540c\u503c\u914d\u7f6e \u2192 <strong>\u624b\u673a\u5ba2\u6237\u7aef\u914d\u7f6e\u96f6\u6539\u52a8<\/strong>(\u53ea\u8981 DDNS \u57df\u540d\u4ecd\u6307\u5411\u65b0\u8def\u7531\u5668\u7684 GUA)\u3002<\/li>\n<li>DDNS \u5728 AC2100 \u4e0a\u8dd1,\u57df\u540d\u66f4\u65b0\u6307\u5411 AC2100 \u7684 GUA\u3002<\/li>\n<li>IPv6 \u573a\u666f\u4e0b AC2100 \u76f4\u63a5\u5f53\u4e3b\u8def\u7531\u6700\u987a(\u907f\u514d 4C \u505a v6 \u8f6c\u53d1\u7684\u590d\u6742\u62d3\u6251)\u3002<\/li>\n<\/ol>\n<blockquote><strong>\u7ed3\u8bba:\u5728\u5f31\u8def\u7531\u5668(4C\/MT7628N \u7ea7)\u4e0a\u53cd\u590d\u8c03 WG \u901f\u5ea6\u662f\u6d6a\u8d39\u65f6\u95f4\u2014\u2014\u914d\u7f6e\u8c03\u4e0d\u51fa\u786c\u4ef6\u6ca1\u6709\u7684\u901f\u5ea6\u3002<\/strong> \u5148\u786e\u8ba4 CPU \u662f\u5426\u6ee1\u8f7d(\u00a77.1),\u662f\u5219\u6309 \u00a77.4 \u632a\u8d70 WG \u6216 \u00a77.5 \u6362\u8def\u7531\u5668\u3002split tunnel(\u00a77.3)\u53ea\u8ba9&#8221;\u4e0a\u7f51\u4e0d\u53d7 VPN \u9650\u901f&#8221;,\u5185\u7f51\u8bbf\u95ee\u901f\u5ea6\u4ecd\u53d7\u786c\u4ef6\u5929\u82b1\u677f\u9650\u5236\u3002\n<\/blockquote>\n<h3 
id=\"76-\u5f31\u8def\u7531\u5668\u7684\u5185\u5b58\u4e0e\u95ea\u5b58\u7eaa\u5f8b\"><span class=\"ez-toc-section\" id=\"76_%E5%BC%B1%E8%B7%AF%E7%94%B1%E5%99%A8%E7%9A%84%E5%86%85%E5%AD%98%E4%B8%8E%E9%97%AA%E5%AD%98%E7%BA%AA%E5%BE%8B\"><\/span>7.6 \u5f31\u8def\u7531\u5668\u7684\u5185\u5b58\u4e0e\u95ea\u5b58\u7eaa\u5f8b<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u4ee5\u5c0f\u7c734C(64MB \u5185\u5b58 \/ 16MB flash)\u4e3a\u4f8b,\u8d44\u6e90\u6781\u7d27\u5f20,\u52a1\u5fc5:<\/p>\n<ul>\n<li>\u670d\u52a1\u6700\u5c0f\u96c6,\u4e0d\u5806\u63d2\u4ef6(\u53cd\u4ee3\u3001\u76d1\u63a7\u7b49\u522b\u5f80\u4e0a\u52a0)\u3002<\/li>\n<li><code>apk cache clean<\/code> \/ <code>rm -f \/var\/opkg-lists\/*<\/code> \u6e05\u7f13\u5b58;<code>df -h \/<\/code> \u4fdd\u6301\u51e0 MB \u4f59\u91cf\u3002<\/li>\n<li>16MB flash \u65e0 USB \u53e3\u65e0\u6cd5 extroot,\u53ea\u80fd\u7701\u7740\u7528\u3002<\/li>\n<li>\u5185\u5b58\u7d27\u4f1a OOM\/\u670d\u52a1\u5d29\u6e83,<code>top<\/code> \u5b9a\u671f\u770b <code>Mem<\/code>\u3002<\/li>\n<\/ul>\n<hr>\n<h2 id=\"8-\u8fdb\u9636ipv6-\u5b50\u7f51\u5212\u5206\u4e0e-vlan-\u9694\u79bb\u53ef\u9009\"><span class=\"ez-toc-section\" id=\"8_%E8%BF%9B%E9%98%B6_IPv6_%E5%AD%90%E7%BD%91%E5%88%92%E5%88%86%E4%B8%8E_VLAN_%E9%9A%94%E7%A6%BB%E5%8F%AF%E9%80%89\"><\/span>8. 
\u8fdb\u9636:IPv6 \u5b50\u7f51\u5212\u5206\u4e0e VLAN \u9694\u79bb(\u53ef\u9009)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u8fd0\u8425\u5546\u4e0b\u53d1 \/60 \u6216 \/56 \u65f6,\u53ef\u7ed9\u4e0d\u540c VLAN \u5206\u914d\u4e0d\u540c \/64 \u516c\u7f51\u524d\u7f00,\u540c\u65f6\u6bcf VLAN \u914d ULA(\u65ad\u7f51\u4e5f\u80fd\u5185\u8054)\u3002<\/p>\n<pre><code>WAN \u4e0b\u53d1 2408:aaaa:bbbb:cc00::\/60\n\u251c\u2500 lan    2408:aaaa:bbbb:cc10::\/64   fd00:cafe:1::\/64   \u4fe1\u4efb\u8bbe\u5907\n\u251c\u2500 iot    2408:aaaa:bbbb:cc20::\/64   fd00:cafe:3::\/64   IoT \u9694\u79bb\n\u2514\u2500 guest  2408:aaaa:bbbb:cc30::\/64   fd00:cafe:4::\/64   \u8bbf\u5ba2\n<\/code><\/pre>\n<p>OpenWrt \u793a\u4f8b(IoT \u63a5\u53e3):<\/p>\n<pre><code class=\"language-sh\"># \u7f51\u7edc\nuci set network.iot=interface\nuci set network.iot.proto=&#039;static&#039;\nuci set network.iot.ipaddr=&#039;192.168.3.1\/24&#039;\nuci add_list network.iot.ip6addr=&#039;fd00:cafe:3::1\/64&#039;\nuci set network.iot.device=&#039;br-iot&#039;\n# DHCPv6\/RA \u5206\u53d1\u516c\u7f51\u524d\u7f00\nuci set dhcp.iot=dhcp\nuci set dhcp.iot.interface=&#039;iot&#039;\nuci set dhcp.iot.ra=&#039;server&#039;\nuci set dhcp.iot.dhcpv6=&#039;server&#039;\nuci set dhcp.iot.ra_management=&#039;1&#039;\n# \u9632\u706b\u5899:iot \u72ec\u7acb\u533a\u57df,\u4ec5 iot&rarr;wan,\u7981\u6b62 iot&harr;lan \/ iot&harr;wg\nuci add firewall zone; uci set firewall.@zone[-1].name=&#039;iot&#039;\nuci set firewall.@zone[-1].input=&#039;REJECT&#039;; uci set firewall.@zone[-1].output=&#039;ACCEPT&#039;\nuci set firewall.@zone[-1].forward=&#039;REJECT&#039;; uci add_list firewall.@zone[-1].network=&#039;iot&#039;\nuci add firewall forwarding; uci set firewall.@forwarding[-1].src=&#039;iot&#039;; uci set firewall.@forwarding[-1].dest=&#039;wan&#039;\nuci commit; \/etc\/init.d\/network restart; \/etc\/init.d\/firewall restart; \/etc\/init.d\/dnsmasq restart\n<\/code><\/pre>\n<blockquote>\nIoT \u533a\u57df 
<code>forward=REJECT<\/code> \u5929\u7136\u963b\u6b62\u5176\u8bbf\u95ee <code>lan<\/code>\/<code>wg<\/code>,\u5373\u4fbf\u67d0\u6444\u50cf\u5934\u88ab\u653b\u7834\u4e5f\u65e0\u6cd5\u6a2a\u5411\u5230 NAS\u3002\u82e5 HomeAssistant \u5728 lan \u9700\u63a7\u5236 iot,\u518d\u52a0\u4e00\u6761 <code>lan&rarr;iot<\/code> \u7684\u7cbe\u786e\u7aef\u53e3\u653e\u884c\u3002\n<\/blockquote>\n<hr>\n<h2 id=\"9-\u7eaf-v4-\u73af\u5883\u515c\u5e95vps-\u4e2d\u7ee7\u53ef\u9009\"><span class=\"ez-toc-section\" id=\"9_%E7%BA%AF_v4_%E7%8E%AF%E5%A2%83%E5%85%9C%E5%BA%95_VPS_%E4%B8%AD%E7%BB%A7%E5%8F%AF%E9%80%89\"><\/span>9. \u7eaf v4 \u73af\u5883\u515c\u5e95:VPS \u4e2d\u7ee7(\u53ef\u9009)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u82e5\u5ba2\u6237\u7aef\u5e38\u5728\u65e0 IPv6 \u7684\u7f51\u7edc,\u53ef\u5728\u53cc\u6808 VPS \u4e0a\u505a\u4e2d\u7ee7:\u5ba2\u6237\u7aef \u2192 VPS(wg0)\u2192 \u5bb6(wg1)\u3002VPS \u7684 <code>wg1<\/code> peer \u6307\u5411 <code>router.example.com:51820<\/code>(\u5bb6\u91cc),\u5bb6\u91cc peer \u7684 endpoint \u6307\u5411 VPS\u3002VPS \u5185\u5f00\u542f <code>ip_forward<\/code> \u5e76\u5728\u4e24\u4e2a wg \u63a5\u53e3\u95f4\u653e\u884c\u8f6c\u53d1\u3002\u8fd9\u6837\u5ba2\u6237\u7aef\u53ea\u9700\u80fd\u8fde\u5230 VPS \u7684 v4\/v6,\u5bb6\u91cc\u65e0\u9700\u516c\u7f51 v4\u3002<\/p>\n<p>\u8981\u70b9(VPS \u4e0a):<\/p>\n<pre><code class=\"language-sh\">sysctl -w net.ipv4.ip_forward=1\nsysctl -w net.ipv6.conf.all.forwarding=1\n# wg0(\u9762\u5411\u5ba2\u6237\u7aef)\u4e0e wg1(\u9762\u5411\u5bb6)\u5404\u81ea\u914d\u7f6e peer,\n# AllowedIPs \u4e92\u6307\u5bf9\u7aef\u5185\u7f51\u6bb5,\u9632\u706b\u5899\u653e\u884c wg0&harr;wg1 \u8f6c\u53d1\u3002\n<\/code><\/pre>\n<hr>\n<h2 id=\"10-\u6392\u9519\u901f\u67e5\"><span class=\"ez-toc-section\" id=\"10_%E6%8E%92%E9%94%99%E9%80%9F%E6%9F%A5\"><\/span>10. 
\u6392\u9519\u901f\u67e5<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<table>\n<thead>\n<tr>\n<th>\u73b0\u8c61<\/th>\n<th>\u6392\u67e5<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>wg0 \u6ca1\u6709 MAC \u5730\u5740<\/strong><\/td>\n<td><strong>\u6b63\u5e38\u73b0\u8c61,\u4e0d\u662f\u6545\u969c<\/strong>\u3002WireGuard \u662f L3 \u96a7\u9053\u63a5\u53e3,\u6ca1\u6709\u4ee5\u592a\u7f51\u5e27\u5934,MAC \u662f L2 \u6982\u5ff5\u53ea\u6709 <code>eth0<\/code>\/<code>br-lan<\/code>\/<code>wlan0<\/code> \u624d\u6709\u3002\u5224\u65ad wg0 \u72b6\u6001\u770b IP \u5730\u5740\u548c <code>wg show<\/code>,\u4e0d\u770b MAC(\u89c1 \u00a72.7)\u3002<\/td>\n<\/tr>\n<tr>\n<td>\u4e0d\u786e\u5b9a\u662f\u5426\u8fde\u63a5\u6210\u529f<\/td>\n<td>\u63a5\u53e3\u5c42:<code>ip addr show wg0<\/code> \u6709\u5730\u5740 + <code>wg show<\/code> \u80fd\u5217\u51fa peer\u3002\u63e1\u624b\u5c42(\u786c\u6307\u6807):<code>wg show<\/code> \u91cc peer \u6709 <code>latest handshake: \u51e0\u79d2\u524d<\/code> \u4e14 <code>transfer<\/code> \u8ba1\u6570\u5728\u6da8 = \u8fde\u63a5\u6210\u529f;\u65e0 <code>latest handshake<\/code>\u3001rx=0 = \u63e1\u624b\u5931\u8d25(\u67e5\u516c\u94a5\/endpoint\/\u9632\u706b\u5899,\u89c1 \u00a72.7.1)\u3002<\/td>\n<\/tr>\n<tr>\n<td>\u624b\u673a\u62a5 <code>bad address<\/code><\/td>\n<td>\u5ba2\u6237\u7aef <code>AllowedIPs<\/code> \u683c\u5f0f\u9519:\u7528\u4e86\u5168\u89d2\u9017\u53f7 <code>\uff0c<\/code> \u6216\u5e26\u4e0d\u53ef\u89c1\u5b57\u7b26\u3002\u7528\u534a\u89d2 <code>,<\/code> \u5206\u9694,\u6216\u7528\u4e8c\u7ef4\u7801\u5bfc\u5165(\u00a73.5)\u3002\u68c0\u67e5 <code>cat -A client.conf<\/code>\u3002<\/td>\n<\/tr>\n<tr>\n<td>\u624b\u673a\u80fd ping6 \u8def\u7531\u5668\u3001\u4f46 <code>wg show<\/code> \u65e0\u63e1\u624b\u3001<code>tcpdump<\/code> \u6293\u4e0d\u5230 WG \u5305<\/td>\n<td>\u5ba2\u6237\u7aef\u914d\u7f6e\u91cc<strong>\u6b8b\u7559 <code>ListenPort<\/code><\/strong>(\u5fc5\u987b\u5220),\u6216<strong>\u8def\u7531\u73af<\/strong>(Endpoint 
\u7f51\u6bb5\u5728 AllowedIPs \u5185,\u89c1 \u00a73.1 \u57512\/3)\u3002\u5220 ListenPort + \u5185\u7f51\u6d4b\u8bd5\u53bb\u6389 Endpoint \u7f51\u6bb5\u3002<\/td>\n<\/tr>\n<tr>\n<td>\u63e1\u624b\u6210\u529f\u4f46 ping \u4e0d\u901a\u5185\u7f51<\/td>\n<td>\u5ba2\u6237\u7aef <code>AllowedIPs<\/code> \u662f\u5426\u542b\u76ee\u6807\u6bb5;\u670d\u52a1\u7aef peer <code>allowed_ips<\/code> \u662f\u5426\u542b\u5ba2\u6237\u7aef\u96a7\u9053\u5730\u5740;<code>wg&harr;lan<\/code> forwarding \u662f\u5426\u5b58\u5728\u3002<\/td>\n<\/tr>\n<tr>\n<td>\u80fd ping IP \u4f46\u57df\u540d\u4e0d\u901a<\/td>\n<td>\u5ba2\u6237\u7aef DNS \u662f\u5426\u6307\u5411 <code>10.200.0.1<\/code>;\u8def\u7531\u5668 dnsmasq \u662f\u5426\u76d1\u542c wg0(\u00a72.5);<code>.lan<\/code> \u8bb0\u5f55\u662f\u5426\u5b9a\u4e49\u3002<\/td>\n<\/tr>\n<tr>\n<td><strong>\u5168\u5c4b\u8bbe\u5907\u7a81\u7136\u65e0\u6cd5\u4e0a\u7f51\/DNS \u89e3\u6790\u5168\u8d85\u65f6<\/strong><\/td>\n<td><strong>dnsmasq \u7684 <code>interface<\/code> \u5b57\u6bb5\u88ab\u8bbe\u6210 wg0,\u5bfc\u81f4\u53ea\u76d1\u542c wg0\u3001\u6392\u9664\u4e86 lan\u3002<\/strong> \u4fee\u590d:<code>uci delete dhcp.@dnsmasq[0].interface; uci commit dhcp; \/etc\/init.d\/dnsmasq restart<\/code>(\u89c1 \u00a72.5 \u8b66\u544a)\u3002dnsmasq \u9ed8\u8ba4\u76d1\u542c\u6240\u6709\u63a5\u53e3,\u4e0d\u8981\u8bbe interface,\u7528 notinterface \u6392\u9664 wan \u5373\u53ef\u3002<\/td>\n<\/tr>\n<tr>\n<td>\u53cd\u5411(\u5bb6\u2192\u624b\u673a)\u4e0d\u901a<\/td>\n<td>\u670d\u52a1\u7aef peer <code>allowed_ips<\/code> \u662f\u5426\u542b <code>10.200.0.2\/32<\/code>;<code>lan&rarr;wg<\/code> forwarding \u662f\u5426\u5b58\u5728;\u624b\u673a\u670d\u52a1\u662f\u5426\u76d1\u542c <code>0.0.0.0<\/code>\/\u96a7\u9053\u5730\u5740\u3002<\/td>\n<\/tr>\n<tr>\n<td>\u591a\u7ad9\u70b9\u67d0\u65b9\u5411\u4e0d\u901a<\/td>\n<td>\u5bf9\u7aef <code>allowed_ips<\/code> \u662f\u5426\u542b\u672c\u7ad9 LAN \u6bb5;\u4e24\u7ad9 LAN \u6bb5\u662f\u5426\u91cd\u53e0;<code>persistent_keepalive<\/code> 
\u662f\u5426\u8bbe\u4e86\u3002<\/td>\n<\/tr>\n<tr>\n<td>DDNS \u66f4\u65b0\u540e\u4ecd\u8fde\u4e0d\u4e0a<\/td>\n<td><code>dig AAAA<\/code> \u770b\u662f\u5426\u771f\u66f4\u65b0;WG endpoint \u4f1a\u7f13\u5b58\u89e3\u6790,\u91cd\u542f\u96a7\u9053 <code>ifdown wg0 &amp;&amp; ifup wg0<\/code> \u8ba9\u5b83\u91cd\u89e3\u6790\u3002<\/td>\n<\/tr>\n<tr>\n<td>\u516c\u7f51\u62e8\u5165 <code>packets 0<\/code>(\u6362\u7aef\u53e3\u4e5f\u4e0d\u6da8)\u3001\u5185\u7f51\u5374\u6b63\u5e38<\/td>\n<td>\u5149\u732b\u62e8\u53f7\u6a21\u5f0f\u4e0b\u5149\u732b\u6321\u4e86\u5165\u7ad9 IPv6 UDP\u3002\u8fdb\u5149\u732b\u7ba1\u7406\u754c\u9762\u5173 IPv6 \u9632\u706b\u5899\/\u653e\u884c,\u6216\u5149\u732b\u6539\u6865\u63a5\u8ba9 OpenWrt \u76f4\u63a5\u62e8\u53f7\u62ff\u516c\u7f51 v6\u3002\u89c1 \u00a79 VPS \u4e2d\u7ee7\u4e3a\u515c\u5e95\u3002<\/td>\n<\/tr>\n<tr>\n<td>IPv6 \u62ff\u4e0d\u5230(wan6 up:false)<\/td>\n<td><code>logread -e odhcp6c<\/code> \u770b\u63e1\u624b;<code>\/lib\/netifd\/dhcpv6.script<\/code> \u662f\u5426\u62a5 <code>Command failed: Not found<\/code>(\u7f3a\u4f9d\u8d56\u5de5\u5177,\u91cd\u88c5 odhcp6c);<code>uci commit network<\/code> \u662f\u5426\u6f0f\u4e86;\u88c5\u534f\u8bae\u5305\u540e\u7528 <code>network restart<\/code> \u800c\u975e <code>reload<\/code>(\u89c1 \u00a72.6)\u3002<\/td>\n<\/tr>\n<tr>\n<td>IPv6 \u5f02\u5e38\/\u65f6\u65ad\u65f6\u7eed<\/td>\n<td>ICMPv6 \u5fc5\u9700\u7c7b\u578b\u662f\u5426\u88ab\u9632\u706b\u5899\u8bef\u6740;\u524d\u7f00\u53d8\u66f4\u540e wg0 \u7684 GUA endpoint \u662f\u5426\u8fc7\u65f6\u3002<\/td>\n<\/tr>\n<tr>\n<td>WG \u901f\u5ea6\u6162\u3001\u8dd1\u4e0d\u6ee1\u5bbd\u5e26<\/td>\n<td>\u5148 <code>top<\/code> \u770b CPU:\u82e5 <code>wg-<\/code> \u5185\u6838 worker \u5360\u6ee1\u3001<code>idle 0%<\/code> = \u786c\u4ef6\u52a0\u5bc6\u74f6\u9888(\u89c1 \u00a77)\u3002\u5f31\u8def\u7531\u5668(MT7628N \u7b49)\u65e0\u89e3,\u6539 split tunnel + \u8c03 MTU \u7f13\u89e3,\u6216\u632a\u8d70 
WG\/\u6362\u8def\u7531\u5668\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5e38\u7528\u547d\u4ee4:<\/p>\n<pre><code class=\"language-sh\">wg show                    # \u63e1\u624b\/\u6d41\u91cf\nwg show wg0 latest-handshakes\nnft list ruleset | grep 51820   # \u7aef\u53e3\u8ba1\u6570\u5668(packets \u6da8=\u5305\u5230\u4e86)\ntcpdump -i any -n &#039;udp port 51820&#039;   # \u6293 WG \u63e1\u624b\u5305(\u533a\u5206\u5305\u5230\u6ca1\u5230)\ntop -d 2                   # \u770b CPU \u662f\u5426\u88ab wg \u52a0\u5bc6\u5360\u6ee1(&sect;7)\nip -6 route                # v6 \u8def\u7531\nlogread -e netifd          # \u63a5\u53e3\u8d77\u4e0d\u6765\u5fc5\u770b\nlogread -e odhcp6c         # DHCPv6\/\u524d\u7f00\u59d4\u6d3e\ndig AAAA router.example.com\n<\/code><\/pre>\n<hr>\n<h2 id=\"11-\u4e0a\u7ebf\u81ea\u68c0-checklist\"><span class=\"ez-toc-section\" id=\"11_%E4%B8%8A%E7%BA%BF%E8%87%AA%E6%A3%80_checklist\"><\/span>11. \u4e0a\u7ebf\u81ea\u68c0 checklist<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li>[ ] <code>dig AAAA router.example.com<\/code> \u4e0e\u8def\u7531\u5668 WAN GUA \u4e00\u81f4<\/li>\n<li>[ ] <code>wan<\/code> INPUT\/FORWARD \u9ed8\u8ba4 DROP,\u4ec5\u653e\u884c <code>51820\/udp<\/code><\/li>\n<li>[ ] wg0 \u63a5\u53e3\u5df2\u8d77,<code>wg show<\/code> \u6709 listen \u7aef\u53e3<\/li>\n<li>[ ] <code>wg&harr;lan<\/code> \u53cc\u5411 forwarding \u5b58\u5728<\/li>\n<li>[ ] dnsmasq \u76d1\u542c wg0,<code>.lan<\/code> \u57df\u540d\u5df2\u5b9a\u4e49<\/li>\n<li>[ ] \u6bcf\u4e2a\u5ba2\u6237\u7aef peer \u90fd\u52a0\u4e86 PSK<\/li>\n<li>[ ] \u5404 OS \u5ba2\u6237\u7aef\u80fd\u62e8\u5165\u4e14 <code>ping nas.lan<\/code> \u901a<\/li>\n<li>[ ] \u53cd\u5411:\u5bb6\u91cc\u80fd ping \u901a\u624b\u673a\u96a7\u9053\u5730\u5740<\/li>\n<li>[ ] \u591a\u7ad9\u70b9:\u4e24\u7ad9\u4e92 ping \u5bf9\u65b9 LAN \u8bbe\u5907\u901a<\/li>\n<li>[ ] UPnP \u5df2\u5173;LuCI\/SSH \u4e0d\u76d1\u542c WAN<\/li>\n<li>[ ] root \u5f3a\u5bc6\u7801 + SSH key \u767b\u5f55<\/li>\n<li>[ ] DNSPod 
\u7528\u5b50\u8d26\u53f7\u6700\u5c0f\u6743\u9650,\u51ed\u8bc1 <code>chmod 600<\/code><\/li>\n<li>[ ] IoT \u5728\u72ec\u7acb VLAN \u4e14 <code>forward=REJECT<\/code><\/li>\n<li>[ ] \u914d\u7f6e\u5df2 <code>sysupgrade -b<\/code> \u5907\u4efd\u5e76\u79bb\u7ebf\u4fdd\u7ba1<\/li>\n<\/ul>\n<hr>\n<h2 id=\"\u9644\u5f55-a\u5ba2\u6237\u7aef\u914d\u7f6e\u6587\u4ef6\u5b8c\u6574\u793a\u4f8b\u624b\u673a\"><span class=\"ez-toc-section\" id=\"%E9%99%84%E5%BD%95_A_%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E5%AE%8C%E6%95%B4%E7%A4%BA%E4%BE%8B%E6%89%8B%E6%9C%BA\"><\/span>\u9644\u5f55 A:\u5ba2\u6237\u7aef\u914d\u7f6e\u6587\u4ef6\u5b8c\u6574\u793a\u4f8b(\u624b\u673a)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<pre><code class=\"language-ini\">[Interface]\nPrivateKey = &lt;\u624b\u673a\u79c1\u94a5&gt;\nAddress = 10.200.0.2\/24, fd00:cafe:9::2\/64\nDNS = 10.200.0.1, fd00:cafe:9::1\nMTU = 1420\n\n[Peer]\nPublicKey = &lt;\u670d\u52a1\u7aef \/etc\/wireguard\/server.pub&gt;\nPresharedKey = &lt;psk.txt \u5185\u5bb9&gt;\nEndpoint = router.example.com:51820\nAllowedIPs = 192.168.1.0\/24, fd00:cafe:1::\/64, 10.200.0.0\/24, fd00:cafe:9::\/64\nPersistentKeepalive = 25\n<\/code><\/pre>\n<blockquote>\n\u6ce8\u610f:<strong>\u4e0d\u8981\u5199 <code>ListenPort<\/code><\/strong>(\u5ba2\u6237\u7aef\u7981\u5fcc,\u89c1 \u00a73.1 \u57511)\u3002<code>AllowedIPs<\/code> \u7528\u534a\u89d2\u9017\u53f7+\u7a7a\u683c\u5206\u9694(\u89c1 \u00a73.1 \u57512)\u3002\u5185\u7f51\u6d4b\u8bd5(Endpoint=\u5185\u7f51IP)\u65f6\u53bb\u6389 Endpoint \u6240\u5728\u7f51\u6bb5\u907f\u514d\u8def\u7531\u73af(\u89c1 \u00a73.1 \u57513)\u3002\n<\/blockquote>\n<h2 id=\"\u9644\u5f55-bwindows-rdp-\u76ee\u6807\u673a\u5f00\u542f\u6b65\u9aa4\"><span class=\"ez-toc-section\" id=\"%E9%99%84%E5%BD%95_B_Windows_RDP_%E7%9B%AE%E6%A0%87%E6%9C%BA%E5%BC%80%E5%90%AF%E6%AD%A5%E9%AA%A4\"><\/span>\u9644\u5f55 B:Windows RDP \u76ee\u6807\u673a\u5f00\u542f\u6b65\u9aa4<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n<ol>\n<li>\u8bbe\u7f6e \u2192 \u7cfb\u7edf \u2192 \u8fdc\u7a0b\u684c\u9762 \u2192 \u542f\u7528\u3002<\/li>\n<li>Windows \u9632\u706b\u5899:\u5141\u8bb8&#8221;\u8fdc\u7a0b\u684c\u9762&#8221;\u5165\u7ad9,<strong>\u8303\u56f4\u9650\u5236\u4e3a <code>192.168.1.0\/24<\/code><\/strong>(\u5185\u7f51\/VPN)\u3002<\/li>\n<li>\u8bbe\u5f3a\u5bc6\u7801\u8d26\u6237,\u6216\u7981\u7528\u5bc6\u7801\u6539\u7528\u66f4\u5b89\u5168\u65b9\u5f0f\u3002<\/li>\n<li>\u5ba2\u6237\u7aef\u62e8 VPN \u540e <code>mstsc \/v:192.168.1.20<\/code>\u3002<\/li>\n<\/ol>\n<h2 id=\"\u9644\u5f55-cdnspod-ipv6-ddns-\u66f4\u65b0\u811a\u672c\u8def\u7531\u5668\u53c2\u8003\u6838\u5bf9\u7528\"><span class=\"ez-toc-section\" id=\"%E9%99%84%E5%BD%95_C_DNSPod_IPv6_DDNS_%E6%9B%B4%E6%96%B0%E8%84%9A%E6%9C%AC%E8%B7%AF%E7%94%B1%E5%99%A8%E5%8F%82%E8%80%83%E6%A0%B8%E5%AF%B9%E7%94%A8\"><\/span>\u9644\u5f55 C:DNSPod IPv6 DDNS \u66f4\u65b0\u811a\u672c(\u8def\u7531\u5668,\u53c2\u8003\/\u6838\u5bf9\u7528)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<blockquote>\n\u4f60\u7684 DDNS \u5df2\u914d\u597d\u5219\u65e0\u9700\u91cd\u505a,\u6b64\u811a\u672c\u7528\u4e8e\u6838\u5bf9\u903b\u8f91\u6216\u8fc1\u79fb\u3002\u7528 CAM \u5b50\u8d26\u53f7\u7684 SecretId\/SecretKey\u3002\n<\/blockquote>\n<pre><code class=\"language-sh\">#!\/bin\/sh\n# \/etc\/wireguard\/ddns_dnspod.sh\nset -e\nSECRET_ID=&#039;your_id&#039;\nSECRET_KEY=&#039;your_key&#039;\nDOMAIN=&#039;router.example.com&#039;      # \u5b8c\u6574\u4e3b\u673a\u540d\nRECORD_TYPE=&#039;AAAA&#039;\n\n# \u53d6\u8def\u7531\u5668 WAN \u4fa7\u7b2c\u4e00\u4e2a\u975e\u4e34\u65f6 GUA\nIP=$(ip -6 addr show pppoe-wan 2&gt;\/dev\/null | grep -v temporary \\\n     | awk &#039;{print $2}&#039; | cut -d\/ -f1 | head -n1)\n[ -z &quot;$IP&quot; ] &amp;&amp; { echo &quot;no GUA&quot;; exit 1; }\n\n# \u8c03\u7528 DNSPod v3 API(\u7b7e\u540d\u8f83\u7e41\u7410,\u63a8\u8350\u7528\u73b0\u6210\u7684 ddns-scripts)\n# OpenWrt 
\u63a8\u8350\u505a\u6cd5(apk,25.x;\u65e7\u7248\u7528 opkg):\napk add ddns-scripts_dnspod\n# \u5728 \/etc\/config\/ddns \u914d\u7f6e dnspod \u670d\u52a1,service_name \u9009 dnspod\n<\/code><\/pre>\n<p>OpenWrt \u63a8\u8350\u7528\u5b98\u65b9 <code>ddns-scripts_dnspod<\/code> \u5305,\u5728 <code>\/etc\/config\/ddns<\/code> \u91cc:<\/p>\n<pre><code>config service &#039;myddns&#039;\n    option service_name &#039;dnspod&#039;\n    option domain &#039;router.example.com&#039;\n    option username &#039;&lt;SecretId&gt;&#039;\n    option password &#039;&lt;SecretKey&gt;&#039;\n    option ip_source &#039;network&#039;\n    option ip_network &#039;wan6&#039;\n    option check_interval &#039;5&#039;\n    option check_unit &#039;minutes&#039;\n    option force_interval &#039;60&#039;\n    option force_unit &#039;minutes&#039;\n    option use_ipv6 &#039;1&#039;\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\/etc\/init.d\/ddns enable &amp;&amp; \/etc\/init.d\/ddns start\nlogread -e ddns    # \u67e5\u770b\u66f4\u65b0\u7ed3\u679c\n<\/code><\/pre>\n<blockquote>\nDDNS \u66f4\u65b0\u5931\u8d25\u65f6\u8981\u80fd\u544a\u8b66(\u524d\u7f00\u53d8\u4e86\u4f46\u6ca1\u66f4\u65b0 \u2192 VPN endpoint \u5931\u6548)\u3002\u53ef\u5728\u811a\u672c\u91cc\u52a0 webhook \u901a\u77e5\u3002\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>OPENWRT + IPV6 DDNS + WIREGURAD \u5168 VPN \u7ec4\u7f51\u843d\u5730\u624b\u518c\nWIREGUARD \u4e3a\u6838\u5fc3 \u00b7 \u516c\u7f51\u96f6\u670d\u52a1\u66b4\u9732 \u00b7 \u591a OS \u5ba2\u6237\u7aef \u00b7 \u53cc\u5411\u8bbf\u95ee \u00b7 
\u591a\u7ad9\u70b9\u4e92\u8054<\/p>\n<blockquote>\n<p>\u73af\u5883\u524d<\/p>\n<\/blockquote>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7,12],"tags":[13],"class_list":["post-710","post","type-post","status-publish","format-standard","hentry","category-studyrecords","category-12","tag-tag1"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/dreamc.top\/index.php\/wp-json\/wp\/v2\/posts\/710","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dreamc.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dreamc.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dreamc.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dreamc.top\/index.php\/wp-json\/wp\/v2\/comments?post=710"}],"version-history":[{"count":1,"href":"https:\/\/dreamc.top\/index.php\/wp-json\/wp\/v2\/posts\/710\/revisions"}],"predecessor-version":[{"id":711,"href":"https:\/\/dreamc.top\/index.php\/wp-json\/wp\/v2\/posts\/710\/revisions\/711"}],"wp:attachment":[{"href":"https:\/\/dreamc.top\/index.php\/wp-json\/wp\/v2\/media?parent=710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dreamc.top\/index.php\/wp-json\/wp\/v2\/categories?post=710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dreamc.top\/index.php\/wp-json\/wp\/v2\/tags?post=710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}