WireGuard VPN multi-site deployment

Posted by hqy on 2025-10-23 20:38:30, 3 views, 0 comments

WireGuard + BGP (FRR) full-mesh 10G VPN deployment plan



Site    Public DNS name        WireGuard tunnel IP   ASN     Site LAN (advertised via BGP)   Role
site1   bj.vpn.gaojinbo.com    10.255.0.1/24         65001   10.10.1.0/24                    Beijing headquarters
site2   sh.vpn.gaojinbo.com    10.255.0.2/24         65002   10.10.2.0/24                    Shanghai branch
site3   gz.vpn.gaojinbo.com    10.255.0.3/24         65003   10.10.3.0/24                    Guangzhou branch

Add three A records in public DNS:

bj.vpn.gaojinbo.com -> Beijing public IP
sh.vpn.gaojinbo.com -> Shanghai public IP
gz.vpn.gaojinbo.com -> Guangzhou public IP


1. WireGuard configuration (full mesh)

Each host needs wireguard-tools and frr installed. Every site carries its own private key (it never leaves that host; only public keys are exchanged) and one [Peer] block per other site. The AllowedIPs of each [Peer] must list both the peer's tunnel address and the LAN prefix that peer advertises over BGP (10.10.N.0/24, see section 2): WireGuard's cryptokey routing only hands a packet to the peer whose AllowedIPs covers the destination, and only accepts packets from a peer whose source address lies inside that peer's AllowedIPs, so a bare /32 would silently drop all routed LAN traffic even though BGP shows the routes as installed.


site1 /etc/wireguard/wg0.conf

[Interface]
Address = 10.255.0.1/24
PrivateKey = <SITE1_PRIVATE_KEY>
ListenPort = 51820

[Peer]
# site2: its tunnel address plus the LAN it advertises over BGP
PublicKey = <SITE2_PUBLIC_KEY>
Endpoint = sh.vpn.gaojinbo.com:51820
AllowedIPs = 10.255.0.2/32, 10.10.2.0/24
PersistentKeepalive = 25

[Peer]
# site3
PublicKey = <SITE3_PUBLIC_KEY>
Endpoint = gz.vpn.gaojinbo.com:51820
AllowedIPs = 10.255.0.3/32, 10.10.3.0/24
PersistentKeepalive = 25


site2 /etc/wireguard/wg0.conf

[Interface]
Address = 10.255.0.2/24
PrivateKey = <SITE2_PRIVATE_KEY>
ListenPort = 51820

[Peer]
# site1: its tunnel address plus the LAN it advertises over BGP
PublicKey = <SITE1_PUBLIC_KEY>
Endpoint = bj.vpn.gaojinbo.com:51820
AllowedIPs = 10.255.0.1/32, 10.10.1.0/24
PersistentKeepalive = 25

[Peer]
# site3
PublicKey = <SITE3_PUBLIC_KEY>
Endpoint = gz.vpn.gaojinbo.com:51820
AllowedIPs = 10.255.0.3/32, 10.10.3.0/24
PersistentKeepalive = 25


site3 /etc/wireguard/wg0.conf

[Interface]
Address = 10.255.0.3/24
PrivateKey = <SITE3_PRIVATE_KEY>
ListenPort = 51820

[Peer]
# site1: its tunnel address plus the LAN it advertises over BGP
PublicKey = <SITE1_PUBLIC_KEY>
Endpoint = bj.vpn.gaojinbo.com:51820
AllowedIPs = 10.255.0.1/32, 10.10.1.0/24
PersistentKeepalive = 25

[Peer]
# site2
PublicKey = <SITE2_PUBLIC_KEY>
Endpoint = sh.vpn.gaojinbo.com:51820
AllowedIPs = 10.255.0.2/32, 10.10.2.0/24
PersistentKeepalive = 25


2. FRR BGP configuration

Each site runs FRR (frr.conf) for dynamic routing and failover. Enable the BGP daemon with `bgpd=yes` in /etc/frr/daemons before starting FRR, and make sure each site's LAN interface is up with its 10.10.N.0/24 prefix: with FRR's default import check (`bgp network import-check`) a `network` statement is only advertised when that prefix already exists in the kernel routing table. The sessions are plain eBGP between the tunnel addresses, so they run inside the WireGuard tunnel and inherit its authentication and encryption. After `systemctl restart frr`, check session state with `vtysh -c 'show bgp summary'` and the learned routes with `vtysh -c 'show ip route bgp'`.


site1 /etc/frr/frr.conf

frr version 10.1
frr defaults traditional
log syslog
!
router bgp 65001
 bgp router-id 10.255.0.1
 ! eBGP sessions to the other two sites over their tunnel addresses
 neighbor 10.255.0.2 remote-as 65002
 neighbor 10.255.0.3 remote-as 65003
 ! site1 LAN; must already be in the kernel routing table to be advertised
 network 10.10.1.0/24
!


site2 /etc/frr/frr.conf

router bgp 65002
 bgp router-id 10.255.0.2
 neighbor 10.255.0.1 remote-as 65001
 neighbor 10.255.0.3 remote-as 65003
 ! site2 LAN
 network 10.10.2.0/24
!


site3 /etc/frr/frr.conf

router bgp 65003
 bgp router-id 10.255.0.3
 neighbor 10.255.0.1 remote-as 65001
 neighbor 10.255.0.2 remote-as 65002
 ! site3 LAN
 network 10.10.3.0/24
!


⚙️ 3. WireGuard key generation script

The script below generates each site's private and public key plus one pre-shared key per link. It sets a restrictive umask first: a private key is as sensitive as the traffic it protects, and the default umask would leave it world-readable. Ideally generate each site's private key on that site and only move public keys and PSKs around; if you generate everything centrally as here, copy each private key to its host over ssh and delete the local copy afterwards.

#!/bin/bash
# Generate one key pair per site and one pre-shared key per link.
umask 077            # key files must not be readable by other users
mkdir -p ./wgkeys
for SITE in site1 site2 site3; do
  wg genkey | tee ./wgkeys/${SITE}.priv | wg pubkey > ./wgkeys/${SITE}.pub
done

# Optional: a pre-shared key per link adds a symmetric secret on top of the
# Curve25519 handshake. Use a different key for every pair of sites; both
# ends of a link load the same file.
for PAIR in site1-site2 site1-site3 site2-site3; do
  wg genpsk > ./wgkeys/${PAIR}.psk
done

echo "✅ All keys generated under ./wgkeys"
for SITE in site1 site2 site3; do
  echo "${SITE} public key: $(cat ./wgkeys/${SITE}.pub)"
done

Resulting layout:

./wgkeys/
├── site1.priv
├── site1.pub
├── site2.priv
├── site2.pub
├── site3.priv
├── site3.pub
├── site1-site2.psk
├── site1-site3.psk
└── site2-site3.psk

Replace <SITE*_PRIVATE_KEY> and <SITE*_PUBLIC_KEY> in the configurations above with these values. To actually use the pre-shared keys, add `PresharedKey = <contents of siteA-siteB.psk>` to the matching [Peer] block on both ends of each link (the same file on both sides); WireGuard then mixes that symmetric secret into the handshake in addition to the Curve25519 exchange, which is the usual hedge against a future break of the public-key part.
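The three wg0.conf files and three frr.conf files above are one pattern applied three times, and a mesh that is edited by hand drifts out of sync easily. The script below is an added example, not from the original post: it generates all six files from one site table (the names, endpoints, ASNs and LAN prefixes used on this page), reads the ./wgkeys layout of section 3 with one .psk per link, and checks that every site lists every other site's tunnel address and LAN in AllowedIPs. The ./out output directory, the `generate` argument and the placeholder keys written when the wg tool is absent are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): generate full-mesh wg0.conf and
# frr.conf for every site from one site table. Assumes the ./wgkeys layout of
# section 3 (one .psk per link); ./out is this script's own output directory.
set -eu
umask 077   # private keys, PSKs and the generated configs must not be world-readable

# site   endpoint               tunnel-ip   asn    lan (advertised via BGP)
SITES='
site1 bj.vpn.gaojinbo.com 10.255.0.1 65001 10.10.1.0/24
site2 sh.vpn.gaojinbo.com 10.255.0.2 65002 10.10.2.0/24
site3 gz.vpn.gaojinbo.com 10.255.0.3 65003 10.10.3.0/24
'
KEYDIR=${KEYDIR:-./wgkeys}
OUTDIR=${OUTDIR:-./out}

sites()      { echo "$SITES" | awk 'NF { print $1 }'; }
site_field() { echo "$SITES" | awk -v s="$1" -v f="$2" '$1 == s { print $f }'; }  # site_field site2 3 -> 10.255.0.2

# One PSK file per link, same path from either end (pair name sorted).
psk_file() { set -- $(printf '%s\n%s\n' "$1" "$2" | sort); echo "$KEYDIR/$1-$2.psk"; }

# Key pairs and link PSKs. Without the wg tool, constructed placeholders are
# written so the generator can still be exercised; never deploy those.
ensure_keys() {
  local s a b f
  mkdir -p "$KEYDIR"
  command -v wg >/dev/null 2>&1 || echo "warning: wg not installed, writing placeholder keys (do not deploy)" >&2
  for s in $(sites); do
    [ -f "$KEYDIR/$s.priv" ] && continue
    if command -v wg >/dev/null 2>&1; then
      wg genkey | tee "$KEYDIR/$s.priv" | wg pubkey > "$KEYDIR/$s.pub"
    else
      echo "PLACEHOLDER_PRIVATE_$s" > "$KEYDIR/$s.priv"; echo "PLACEHOLDER_PUBLIC_$s" > "$KEYDIR/$s.pub"
    fi
  done
  for a in $(sites); do for b in $(sites); do
    [ "$a" = "$b" ] && continue
    f=$(psk_file "$a" "$b")
    [ -f "$f" ] && continue
    if command -v wg >/dev/null 2>&1; then wg genpsk > "$f"; else echo "PLACEHOLDER_PSK_${a}_${b}" > "$f"; fi
  done; done
}

# wg0.conf for one site. Every [Peer] lists the peer's tunnel /32 AND its LAN:
# WireGuard's cryptokey routing only sends to / accepts from a peer inside AllowedIPs.
gen_wg_conf() {
  local me=$1 peer
  printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\nListenPort = 51820\n' \
    "$(site_field "$me" 3)" "$(cat "$KEYDIR/$me.priv")"
  for peer in $(sites); do
    [ "$peer" = "$me" ] && continue
    printf '\n[Peer]\n# %s\nPublicKey = %s\nPresharedKey = %s\nEndpoint = %s:51820\nAllowedIPs = %s/32, %s\nPersistentKeepalive = 25\n' \
      "$peer" "$(cat "$KEYDIR/$peer.pub")" "$(cat "$(psk_file "$me" "$peer")")" \
      "$(site_field "$peer" 2)" "$(site_field "$peer" 3)" "$(site_field "$peer" 5)"
  done
}

# frr.conf for one site: eBGP to every other site over the tunnel addresses,
# advertising only this site's own LAN.
gen_frr_conf() {
  local me=$1 peer
  printf 'frr defaults traditional\nlog syslog\n!\nrouter bgp %s\n bgp router-id %s\n' \
    "$(site_field "$me" 4)" "$(site_field "$me" 3)"
  for peer in $(sites); do
    [ "$peer" = "$me" ] && continue
    printf ' neighbor %s remote-as %s\n' "$(site_field "$peer" 3)" "$(site_field "$peer" 4)"
  done
  printf ' network %s\n!\n' "$(site_field "$me" 5)"
}

gen_all() {
  local s
  ensure_keys
  for s in $(sites); do
    mkdir -p "$OUTDIR/$s"
    gen_wg_conf  "$s" > "$OUTDIR/$s/wg0.conf"
    gen_frr_conf "$s" > "$OUTDIR/$s/frr.conf"
  done
}

# Mesh check: for every ordered pair a->b, a's wg0.conf must carry b's tunnel IP and LAN.
check_mesh() {
  local a b bad=0
  for a in $(sites); do for b in $(sites); do
    [ "$a" = "$b" ] && continue
    grep -qF "AllowedIPs = $(site_field "$b" 3)/32, $(site_field "$b" 5)" "$OUTDIR/$a/wg0.conf" || bad=1
  done; done
  return $bad
}

if [ "${1:-}" = "generate" ]; then gen_all; check_mesh && echo "configs written to $OUTDIR"; fi
```

Run `bash gen-mesh.sh generate` on an administration host with wireguard-tools installed, then copy only out/siteN/wg0.conf and out/siteN/frr.conf to site N over ssh and remove the local copies, since each wg0.conf embeds that site's private key. check_mesh catches the one mistake that otherwise shows up only as a silent blackhole: a peer whose AllowedIPs misses the LAN prefix. The script keeps the page's single-wg0 layout, so a route learned through a third site cannot be used (WireGuard picks the peer by AllowedIPs, not by the kernel next hop); for that, emit one interface per peer with AllowedIPs = 0.0.0.0/0 instead.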


4. Performance tuning (10 Gb bandwidth)

Add the following to /etc/sysctl.conf and apply it with `sysctl -p`:

net.core.rmem_max = 67108864

net.core.wmem_max = 67108864

net.ipv4.udp_mem = 2097152 4194304 8388608

net.ipv4.tcp_rmem = 4096 87380 67108864

net.ipv4.tcp_wmem = 4096 65536 67108864

net.ipv4.tcp_congestion_control = bbr

net.core.default_qdisc = fq


The original plan also disables NIC offloads:

ethtool -K eth0 gro off gso off tso off

Treat this as a troubleshooting step rather than a tuning step: GRO/GSO/TSO normally raise WireGuard throughput, so compare iperf3 results across the tunnel with and without them before leaving them off. ethtool settings are not persistent; put the command in a boot script or the interface configuration if you keep it.


5. Domain and DNS recommendations

Create a dedicated VPN subdomain in DNS for the site-to-site endpoints:

Subdomain               Points to             Purpose
bj.vpn.gaojinbo.com     Beijing public IP     site1 Endpoint
sh.vpn.gaojinbo.com     Shanghai public IP    site2 Endpoint
gz.vpn.gaojinbo.com     Guangzhou public IP   site3 Endpoint

Two points to keep in mind. The Endpoint hostnames are resolved when the interface is brought up (wg-quick calls `wg setconf`), so a changed A record takes effect only after `wg-quick down wg0 && wg-quick up wg0` or an explicit `wg set wg0 peer <pubkey> endpoint <host:port>`; once a tunnel is up, WireGuard updates the endpoint itself from the source address of authenticated packets. And because peers are identified by their public keys, a wrong or spoofed DNS answer can only make a handshake fail; it cannot redirect traffic to an impostor.

vpn.gaojinbo.com can additionally point at a single access point (for example Beijing) for ordinary client connections. Those clients get their own [Peer] entries with their own keys and a /32 AllowedIPs each; do not reuse the site keys for them.


✅ Result:

Three-site WireGuard full mesh.
FRR BGP dynamic route convergence.
10G link utilization close to line rate (a single TCP flow usually does not reach 10G through WireGuard; measure with several parallel iperf3 streams across the tunnel).
A site that goes down has its prefix withdrawn by BGP automatically.

One limitation of this layout should be understood before relying on it for failover. With all peers on a single wg0 interface, WireGuard chooses the peer from AllowedIPs by destination address and ignores the kernel's next hop, so a route learned through a third site (site1 reaching 10.10.2.0/24 via site3 when only the direct site1–site2 path is broken) cannot actually be used: the packet is still handed to the site2 peer and is lost. BGP does withdraw prefixes when a site is down, but rerouting around a single failed link needs one WireGuard interface per peer, each with AllowedIPs = 0.0.0.0/0 (and `Table = off` under wg-quick), so that the kernel routing table fed by FRR selects the tunnel.
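Whether a tunnel is actually up is visible from the handshake age, not from the interface state, and a stale handshake is the earliest sign that a BGP session is about to drop. The script below is an added example, not from the original post: it parses the tab-separated `wg show wg0 dump` output and flags peers that have never completed a handshake or whose last handshake is older than a threshold; with PersistentKeepalive = 25 from section 1 a healthy link re-handshakes roughly every two minutes. The STALE_AFTER threshold (180 s by default), the `demo` argument, the placeholder keys and the documentation-range endpoints in the constructed sample dump are this example's assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): detect WireGuard peers whose last
# handshake is stale, from the machine-readable `wg show wg0 dump` output.
set -eu

STALE_AFTER=${STALE_AFTER:-180}   # seconds; assumed threshold, ~1.5x the rekey interval

# `wg show <if> dump` is tab separated:
#   line 1 : private-key  public-key  listen-port  fwmark
#   peers  : public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is a Unix timestamp, 0 if the peer never completed a handshake.
# stale_peers NOW < dump  -> one line per unhealthy peer (empty output = all peers fine)
stale_peers() {
  awk -F '\t' -v now="$1" -v max="$STALE_AFTER" '
    NR == 1 { next }                                  # interface line, no peer data
    $5 == 0 { printf "%s handshake=never endpoint=%s\n", $4, $3; next }
    now - $5 > max { printf "%s handshake-age=%ds endpoint=%s\n", $4, now - $5, $3 }'
}

# Constructed sample dump (keys are placeholders, endpoints from 203.0.113.0/24):
# site2 handshaked 40 s ago, site3 never completed a handshake.
NOW=1700000000
sample_dump() {
  printf 'PRIV_SITE1\tPUB_SITE1\t51820\toff\n'
  printf 'PUB_SITE2\t(none)\t203.0.113.2:51820\t10.255.0.2/32,10.10.2.0/24\t%d\t4096\t8192\t25\n' $((NOW - 40))
  printf 'PUB_SITE3\t(none)\t203.0.113.3:51820\t10.255.0.3/32,10.10.3.0/24\t0\t0\t0\t25\n'
}

# On a real site: check the live interface (needs root); non-zero exit if any peer is stale,
# so it can run from cron or a monitoring agent.
check_wg0() {
  local out
  out=$(wg show wg0 dump | stale_peers "$(date +%s)")
  [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

if [ "${1:-}" = "demo" ]; then sample_dump | stale_peers "$NOW"; fi
```

`bash wg-stale.sh demo` prints the one stale peer from the sample; on a site, call check_wg0 instead. The allowed-ips column identifies the peer without exposing keys in logs, and the endpoint column tells you which public address to test from the other side.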


Original link: https://www.kinber.cn/post/5750.html (reproduction requires authorization)
