WireGuard的管理利器Netmaker安装配置

April 21, 2025Comments

一、基础环境

$ curl cip.cc IP : 35.206.235.142 数据三 : 中国台湾省彰化县 | 谷歌 $ uname -a Linux tw.t4x.org 6.8.0-1017-gcp #19-Ubuntu SMP Tue Oct 15 19:02:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux $ curl cip.cc IP : 35.207.210.15 数据三 : 印度马哈拉施特拉孟买 | 谷歌 $ uname -a Linux mumbai 5.10.0-33-cloud-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux $ curl cip.cc IP : 35.213.179.122 数据三 : 新加坡 | 谷歌 $ uname -a Linux singapore 6.1.0-27-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.115-1 (2024-11-01) x86_64 GNU/Linux

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

$ curl cip.cc
IP      : 35.206.235.142
数据三  : 中国台湾省彰化县 | 谷歌
$ uname -a
Linux tw.t4x.org 6.8.0-1017-gcp #19-Ubuntu SMP Tue Oct 15 19:02:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

$ curl cip.cc
IP      : 35.207.210.15
数据三  : 印度马哈拉施特拉孟买 | 谷歌
$ uname  -a
Linux mumbai 5.10.0-33-cloud-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux

$ curl cip.cc
IP      : 35.213.179.122
数据三  : 新加坡 | 谷歌
$ uname -a
Linux singapore 6.1.0-27-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.115-1 (2024-11-01) x86_64 GNU/Linux

特别说明 : Netmaker的服务端有时候是用香港的Server,有时候用台湾的Server,安装方法不一样,一个是采用官方的快速安装,另外一个是采用docker-compose部署,但是基本操作方法是一样的.[自定义网段不同官方默认的100.64.0.0/16、docker-compose自定义网段是100.63.0.0/16] 文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/basic/netmaker-manager-wireguard/

二、防火墙配置

2.0 基础配置

apt install firewalld -y
systemctl start firewalld
firewall-cmd --new-zone=personal
firewall-cmd --permanent --new-zone=personal
firewall-cmd --zone=personal --add-interface=netmaker
firewall-cmd --permanent --zone=personal --add-interface=netmaker
firewall-cmd --zone=personal --add-port=22/tcp
firewall-cmd --set-default=personal

apt install firewalld -y

systemctl start firewalld

firewall-cmd --new-zone=personal

firewall-cmd --permanent --new-zone=personal

firewall-cmd --zone=personal --add-interface=netmaker

firewall-cmd --permanent --zone=personal --add-interface=netmaker

firewall-cmd --zone=personal --add-port=22/tcp

firewall-cmd --set-default=personal

2.1 必须配置

firewall-cmd --zone=personal --add-masquerade
firewall-cmd --zone=personal --add-port=51820-51899/udp
firewall-cmd --zone=personal --add-rich-rule="rule family="ipv4" source address="10.170.0.0/24" accept"
firewall-cmd --zone=personal --add-rich-rule="rule family="ipv4" source address="10.170.0.0/24" masquerade"
firewall-cmd --zone=personal --add-interface=ens4

firewall-cmd --zone=personal --add-masquerade

firewall-cmd --zone=personal --add-port=51820-51899/udp

firewall-cmd --zone=personal --add-rich-rule="rule family="ipv4" source address="10.170.0.0/24" accept"

firewall-cmd --zone=personal --add-rich-rule="rule family="ipv4" source address="10.170.0.0/24" masquerade"

firewall-cmd --zone=personal --add-interface=ens4

2.2 非必须配置

firewall-cmd --zone=personal --add-port=53/udp
firewall-cmd --zone=personal --add-port=53/tcp
firewall-cmd --zone=personal --add-port=443/tcp
firewall-cmd --zone=personal --add-port=80/tcp 
firewall-cmd --zone=personal --add-rich-rule="rule family="ipv4" source address="100.63.0.0/16" accept"
firewall-cmd --zone=personal --add-rich-rule="rule family="ipv4" source address="100.63.0.0/16" masquerade"
firewall-cmd --zone=personal --add-forward

firewall-cmd --zone=personal --add-port=53/udp

firewall-cmd --zone=personal --add-port=53/tcp

firewall-cmd --zone=personal --add-port=443/tcp

firewall-cmd --zone=personal --add-port=80/tcp

firewall-cmd --zone=personal --add-rich-rule="rule family="ipv4" source address="100.63.0.0/16" accept"

firewall-cmd --zone=personal --add-rich-rule="rule family="ipv4" source address="100.63.0.0/16" masquerade"

firewall-cmd --zone=personal --add-forward

文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/basic/netmaker-manager-wireguard/

三、服务端部署tw

3.1 基础环境

cat >> /etc/sysctl.conf <<BYRD # WireGuard configure start net.ipv4.ip_forward = 1 net.ipv4.conf.all.rp_filter=2 net.ipv4.conf.all.proxy_arp = 1 # WireGuard configure end BYRD sysctl -p cat /proc/sys/net/ipv4/ip_forward cat /proc/sys/net/ipv4/conf/all/proxy_arp # sysctl -w net.ipv4.ip_forward=1 # sysctl -w net.ipv4.conf.all.rp_filter=2 # echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp # cat /proc/sys/net/ipv4/conf/all/proxy_arp

0
1
2
3
4
5
6
7
8
9
10
11
12
13

cat >> /etc/sysctl.conf <<BYRD
# WireGuard configure start
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter=2
net.ipv4.conf.all.proxy_arp = 1
# WireGuard configure end
BYRD
sysctl -p
cat /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/conf/all/proxy_arp
# sysctl -w net.ipv4.ip_forward=1
# sysctl -w net.ipv4.conf.all.rp_filter=2
# echo "1" >  /proc/sys/net/ipv4/conf/all/proxy_arp
# cat /proc/sys/net/ipv4/conf/all/proxy_arp

3.2 Centos

sudo dnf -y install dnf-plugins-core sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo sudo dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

0
1
2

sudo dnf -y install dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

3.3 ubuntu、debian

sudo apt-get update -y sudo apt-get install ca-certificates curl -y sudo install -m 0755 -d /etc/apt/keyrings sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc sudo chmod a+r /etc/apt/keyrings/docker.asc # Add the repository to Apt sources: echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt-get update

0
1
2
3
4
5
6
7
8
9
10
11

sudo apt-get update -y
sudo apt-get install ca-certificates curl -y
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

Login

3.4.4 nginx部署

$ wget -O - https://openresty.org/package/pubkey.gpg | sudo gpg --dearmor -o /usr/share/keyrings/openresty.gpg $ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/openresty.gpg] http://openresty.org/package/ubuntu $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/openresty.list > /dev/null $ sudo apt-get update $ sudo apt-get -y install openresty $ egrep -v "^$|#" /usr/local/openresty/nginx/conf/nginx.conf worker_processes 1; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; server_name localhost; location / { root html; index index.html index.htm; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } server { listen 443 ssl; server_name dashboard.network.t4x.org; ssl_certificate certificate/fullchain.cer; ssl_certificate_key certificate/cert.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://127.0.0.1:8082; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } server { listen 443 ssl; server_name api.network.t4x.org; ssl_certificate certificate/fullchain.cer; ssl_certificate_key certificate/cert.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://127.0.0.1:8081; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } server { listen 443 ssl; server_name grpc.network.t4x.org; ssl_certificate certificate/fullchain.cer; ssl_certificate_key certificate/cert.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://127.0.0.1:8083; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } }

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

$ wget -O - https://openresty.org/package/pubkey.gpg | sudo gpg --dearmor -o /usr/share/keyrings/openresty.gpg
$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/openresty.gpg] http://openresty.org/package/ubuntu $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/openresty.list > /dev/null
$ sudo apt-get update
$ sudo apt-get -y install openresty
$ egrep -v "^$|#" /usr/local/openresty/nginx/conf/nginx.conf
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    server {
        listen       443 ssl;
        server_name  dashboard.network.t4x.org;
        ssl_certificate      certificate/fullchain.cer;
        ssl_certificate_key  certificate/cert.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:8082;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }
    }
    server {
        listen       443 ssl;
        server_name  api.network.t4x.org;
        ssl_certificate      certificate/fullchain.cer;
        ssl_certificate_key  certificate/cert.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:8081;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }
    }
    server {
        listen       443 ssl;
        server_name  grpc.network.t4x.org;
        ssl_certificate      certificate/fullchain.cer;
        ssl_certificate_key  certificate/cert.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:8083;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }
    }
}

文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/basic/netmaker-manager-wireguard/

四、节点接入mumbai

wget -O netclient https://fileserver.netmaker.io/releases/download/v0.26.0/netclient-linux-amd64 && chmod +x ./netclient && mv netclient /usr/bin/netclient && sudo netclient install netclient join -t eyJzZXJ2ZXIiOiJhcGkucGVyc29uYWwubmV0d29yay52Zy50NHgub3JnIiwidmFsdWUiOiJDQTNUUU5VWFRBR0JVVUVBRDUzNTNHTkhCUENFNlpLTSJ9

0
1

wget -O netclient https://fileserver.netmaker.io/releases/download/v0.26.0/netclient-linux-amd64 && chmod +x ./netclient && mv netclient /usr/bin/netclient && sudo netclient install
netclient join -t eyJzZXJ2ZXIiOiJhcGkucGVyc29uYWwubmV0d29yay52Zy50NHgub3JnIiwidmFsdWUiOiJDQTNUUU5VWFRBR0JVVUVBRDUzNTNHTkhCUENFNlpLTSJ9

文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/basic/netmaker-manager-wireguard/

五、连通验证

5.1 windows客户端[河北]

C:\Windows\System32>netclient join -t eyJzZXJ2ZXIiOiJhcGkucGVyc29uYWwubmV0d29yay52Zy50NHgub3JnIiwidmFsdWUiOiJSRzNZUTVaQVhMRlA0UkdZREk2Uk5QRklON1pSUFJPVCJ9 setting host fields {"time":"2024-11-23T14:19:35.8615368+08:00","level":"ERROR","source":"daemon.go 424}","msg":"unable to connect to broker","server":"wss://broker.nm.35-206-235-142.nip.io","error":"connect timeout"} WARNING: Joining any network on another server will disconnect netclient from the networks of the current server -> nm.35-206-235-142.nip.io registered with server C:\Windows\System32>tracert 100.63.0.1 通过最多 30 个跃点跟踪到 100.63.0.1 的路由 1 51 ms 50 ms 51 ms 100.63.0.1 跟踪完成。 C:\Windows\System32>ping 100.63.0.1 #台湾服务器正在 Ping 100.63.0.1 具有 32 字节的数据: 来自 100.63.0.1 的回复: 字节=32 时间=1143ms TTL=64 来自 100.63.0.1 的回复: 字节=32 时间=54ms TTL=64 来自 100.63.0.1 的回复: 字节=32 时间=52ms TTL=64 来自 100.63.0.1 的回复: 字节=32 时间=51ms TTL=64 C:\Windows\System32>ping 100.63.0.3 #新加坡服务器正在 Ping 100.63.0.3 具有 32 字节的数据: 来自 100.63.0.3 的回复: 字节=32 时间=203ms TTL=64 来自 100.63.0.3 的回复: 字节=32 时间=205ms TTL=64 来自 100.63.0.3 的回复: 字节=32 时间=203ms TTL=64 来自 100.63.0.3 的回复: 字节=32 时间=203ms TTL=64 C:\Windows\System32>wg interface: netmaker public key: fzOHq2WPjzYIBw7pX/rv4OE7GqDE07QOOKMvOOF4u00= private key: (hidden) listening port: 51821 peer: nS5+/qajqCVlsn0euvnKTBks7zLV5MDmbV9t0b0lJiQ= endpoint: 35.213.179.122:51821 allowed ips: 100.63.0.3/32 latest handshake: 3 seconds ago transfer: 124 B received, 476 B sent persistent keepalive: every 20 seconds peer: WIB3JASnLHpxbDXzTAKlNeNbkJ7l0wTqArofcJMQ2hQ= endpoint: 35.206.235.142:51821 allowed ips: 100.63.0.1/32 latest handshake: 9 seconds ago transfer: 508 B received, 712 B sent persistent keepalive: every 20 seconds

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

C:\Windows\System32>netclient join -t eyJzZXJ2ZXIiOiJhcGkucGVyc29uYWwubmV0d29yay52Zy50NHgub3JnIiwidmFsdWUiOiJSRzNZUTVaQVhMRlA0UkdZREk2Uk5QRklON1pSUFJPVCJ9
setting host fields
{"time":"2024-11-23T14:19:35.8615368+08:00","level":"ERROR","source":"daemon.go 424}","msg":"unable to connect to broker","server":"wss://broker.nm.35-206-235-142.nip.io","error":"connect timeout"}
WARNING: Joining any network on another server will disconnect netclient from the networks of the current server -> nm.35-206-235-142.nip.io
registered with server
C:\Windows\System32>tracert 100.63.0.1
通过最多 30 个跃点跟踪到 100.63.0.1 的路由
  1    51 ms    50 ms    51 ms  100.63.0.1
跟踪完成。
C:\Windows\System32>ping 100.63.0.1    #台湾服务器
正在 Ping 100.63.0.1 具有 32 字节的数据:
来自 100.63.0.1 的回复: 字节=32 时间=1143ms TTL=64
来自 100.63.0.1 的回复: 字节=32 时间=54ms TTL=64
来自 100.63.0.1 的回复: 字节=32 时间=52ms TTL=64
来自 100.63.0.1 的回复: 字节=32 时间=51ms TTL=64
C:\Windows\System32>ping 100.63.0.3    #新加坡服务器
正在 Ping 100.63.0.3 具有 32 字节的数据:
来自 100.63.0.3 的回复: 字节=32 时间=203ms TTL=64
来自 100.63.0.3 的回复: 字节=32 时间=205ms TTL=64
来自 100.63.0.3 的回复: 字节=32 时间=203ms TTL=64
来自 100.63.0.3 的回复: 字节=32 时间=203ms TTL=64
C:\Windows\System32>wg
interface: netmaker
  public key: fzOHq2WPjzYIBw7pX/rv4OE7GqDE07QOOKMvOOF4u00=
  private key: (hidden)
  listening port: 51821

peer: nS5+/qajqCVlsn0euvnKTBks7zLV5MDmbV9t0b0lJiQ=
  endpoint: 35.213.179.122:51821
  allowed ips: 100.63.0.3/32
  latest handshake: 3 seconds ago
  transfer: 124 B received, 476 B sent
  persistent keepalive: every 20 seconds

peer: WIB3JASnLHpxbDXzTAKlNeNbkJ7l0wTqArofcJMQ2hQ=
  endpoint: 35.206.235.142:51821
  allowed ips: 100.63.0.1/32
  latest handshake: 9 seconds ago
  transfer: 508 B received, 712 B sent
  persistent keepalive: every 20 seconds

5.2 ubuntu客户端[新加坡]

$ netclient join -t eyJzZXJ2ZXIiOiJhcGkucGVyc29uYWwubmV0d29yay52Zy50NHgub3JnIiwidmFsdWUiOiJSRzNZUTVaQVhMRlA0UkdZREk2Uk5QRklON1pSUFJPVCJ9 setting host fields WARNING: Joining any network on another server will disconnect netclient from the networks of the current server -> nm.35-206-235-142.nip.io registered with server $ wg interface: netmaker public key: nS5+/qajqCVlsn0euvnKTBks7zLV5MDmbV9t0b0lJiQ= private key: (hidden) listening port: 51821 peer: WIB3JASnLHpxbDXzTAKlNeNbkJ7l0wTqArofcJMQ2hQ= endpoint: 10.140.0.3:51821 allowed ips: 100.63.0.1/32 latest handshake: 29 seconds ago transfer: 956 B received, 1020 B sent persistent keepalive: every 20 seconds peer: fzOHq2WPjzYIBw7pX/rv4OE7GqDE07QOOKMvOOF4u00= endpoint: x.x.x.x:22628 allowed ips: 100.63.0.2/32 latest handshake: 35 seconds ago transfer: 212 B received, 272 B sent persistent keepalive: every 20 seconds

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

$ netclient join -t eyJzZXJ2ZXIiOiJhcGkucGVyc29uYWwubmV0d29yay52Zy50NHgub3JnIiwidmFsdWUiOiJSRzNZUTVaQVhMRlA0UkdZREk2Uk5QRklON1pSUFJPVCJ9
setting host fields
WARNING: Joining any network on another server will disconnect netclient from the networks of the current server -> nm.35-206-235-142.nip.io
registered with server
$ wg
interface: netmaker
  public key: nS5+/qajqCVlsn0euvnKTBks7zLV5MDmbV9t0b0lJiQ=
  private key: (hidden)
  listening port: 51821

peer: WIB3JASnLHpxbDXzTAKlNeNbkJ7l0wTqArofcJMQ2hQ=
  endpoint: 10.140.0.3:51821
  allowed ips: 100.63.0.1/32
  latest handshake: 29 seconds ago
  transfer: 956 B received, 1020 B sent
  persistent keepalive: every 20 seconds

peer: fzOHq2WPjzYIBw7pX/rv4OE7GqDE07QOOKMvOOF4u00=
  endpoint: x.x.x.x:22628
  allowed ips: 100.63.0.2/32
  latest handshake: 35 seconds ago
  transfer: 212 B received, 272 B sent
  persistent keepalive: every 20 seconds

5.3 netmaker服务端[台湾]
[crayon-6917a4bf2bbc0578708544/] 文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/basic/netmaker-manager-wireguard/