佩璃的小屋Penry's Homehttps://www.renpengyu.com/yubikey配置:基于resident-key实现在任意设备上安全使用ssh密钥。https://www.renpengyu.com/posts/yubikey-resident-key/https://www.renpengyu.com/posts/yubikey-resident-key/在日常运维中,经常需要在陌生设备上临时登录服务器。由于服务器仅允许 SSH 密钥认证,而陌生设备上通常没有对应私钥,传统方案并不方便;将私钥存放在 U 盘中又存在安全隐患。本文介绍如何利用 YubiKey 驻留密钥(Resident Key)功能,实现安全便捷的跨设备 SSH 登录。Tue, 26 May 2026 00:00:00 GMT<section><h1>前言<a href="#前言"><span>#</span></a></h1><p>YubiKey 是一款由 Yubico 出品的硬件安全密钥,主要用于多因素认证(MFA)、密码管理、数字签名以及 SSH 身份验证等场景。它通过 USB、NFC 或 Lightning 接口与设备连接,可以生成一次性密码(OTP)、支持 FIDO2/WebAuthn、PIV(智能卡)以及 OpenPGP 等多种安全协议。YubiKey 的核心优势在于私钥永不离开硬件设备,即使电脑或网络被攻破,密钥仍然安全。</p><p>驻留密钥(Resident Key, RK)是 YubiKey 和 OpenSSH 中的一项功能,允许将 SSH 私钥直接存储在硬件设备内部,而不是依赖本地文件系统。与传统的 SSH 私钥文件不同,驻留密钥具备以下特点:</p><ul> <li>便携性:密钥随 YubiKey 携带,无需在每台设备上复制私钥。</li> <li>安全性:私钥不会离开硬件设备,即使设备被接入不可信计算机,也无法导出密钥。</li> <li>便捷性:支持在陌生设备上即插即用,通过硬件认证即可完成 SSH 登录,无需额外传输私钥。</li> <li>多密钥管理:同一个 YubiKey 可存储多个 SSH 驻留密钥,并通过用户名或服务器标识选择使用。</li> </ul><div><div><div></div><div>问题背景</div></div><div><p>传统ssh需要在设备上提前配置好ssh密钥,与设备绑定在一起。一旦遇到突发情况,身边没有自己设备,需要在陌生设备上使用ssh密钥就会非常麻烦。</p></div></div><div><div><div></div><div>解决方案</div></div><div><p>通过yubikey驻留密钥将ssh私钥储存在物理密钥中,这样只需要携带有yubikey,可以在任何设备上使用ssh密钥,也可以有效避免对密钥的误操作。</p></div></div></section> <section><h1>准备环境<a href="#准备环境"><span>#</span></a></h1><p>openSSH在8.2后添加了对fido驻留密钥的支持,只需要安装openSSH版本大于8.2,并启用fido库即可使用。</p><section><h2>Windows<a href="#windows"><span>#</span></a></h2><p>Window11自带全部环境,插上即用,无须配置。(win易用性这块还是不错的)</p></section><section><h2>Linux<a href="#linux"><span>#</span></a></h2><p>主流发行版openSSH均支持驻留密钥,只需要安装fido库即可。如果不确定自己的openSSH版本是否支持可以使用<code>ssh -V</code>来检查。</p><p><strong>Debian/Ubuntu</strong></p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>libfido2-1</span></div></div></code></pre><div><div></div><div></div></div></figure></div><p><strong>Fedora/RHEL</strong></p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>sudo</span><span> </span><span>dnf</span><span> </span><span>install</span><span> </span><span>libfido2</span></div></div></code></pre><div><div></div><div></div></div></figure></div></section><section><h2>macOS<a href="#macos"><span>#</span></a></h2><div><div><div></div><div>警告</div></div><div><p>从macOS12开始,默认openSSH已经支持驻留密钥。但不幸的,苹果出于一些原因在编译openSSH时添加了<code>--disable-security-key</code>参数禁用了安全密钥的支持。这使得在macOS12无法使用安全密钥功能,除非重新编译安装openSSH。但已有openSSH和icloud钥匙串存在联系,重新编译会破坏功能。我认为这并不是一个好的解决方案,所以不在考虑。幸运的,社区对苹果禁用安全密钥的问题作出了许多积极的反馈,在macOS Sonoma中安全密钥重新可用,只是不再提供中间件。本文基于此解决方案编写,<strong>仅适用于macOS Sonoma及以上</strong>。</p></div></div><p>基于<a href="https://github.com/Yubico/libfido2/issues/464#issuecomment-1577748167" target="_blank">社区的讨论</a>,在macOS Sonoma之后的openSSH中已经可以使用安全密钥,只需要自己编译 libfido2 来提供自己的 SSH_SK_PROVIDER。 可以使用如下脚本来实现编译安装,脚本来自<a href="https://gist.github.com/BertanT/9d222da115ca2d1274ef34735c4260cf" target="_blank">GitHub</a>。</p><div><div><div><figure><figcaption><span>macskeyinstaller.sh</span><span>展开</span><span>收起</span></figcaption><pre><code><div><div><div>1</div></div><div><span>#!/bin/bash</span></div></div><div><div><div>2</div></div><div> </div></div><div><div><div>3</div></div><div><span>################################################################################################</span></div></div><div><div><div>4</div></div><div><span># Last Updated: January 13, 2025</span></div></div><div><div><div>5</div></div><div><span>#</span></div></div><div><div><div>6</div></div><div><span># macOS OpenSSH Client Patcher for Hardware Security Key Support (ED25519-SK With YubiKey Etc.)</span></div></div><div><div><div>7</div></div><div><span># Check out https://gist.github.com/BertanT/9d222da115ca2d1274ef34735c4260cf for details!</span></div></div><div><div><div>8</div></div><div><span>#</span></div></div><div><div><div>9</div></div><div><span># Copyright 2025 Mehmet Bertan Tarakcioglu (github.com/BertanT), under the MIT License.</span></div></div><div><div><div>10</div></div><div><span>################################################################################################</span></div></div><div><div><div>11</div></div><div> </div></div><div><div><div>12</div></div><div><span># Exit early if there is an error</span></div></div><div><div><div>13</div></div><div><span>set</span><span> </span><span>-e</span></div></div><div><div><div>14</div></div><div> </div></div><div><div><div>15</div></div><div><span>printf</span><span> </span><span>"\n* Hello! This script compiles and installs the security key provider for the built-in macOS Open SSH client to enable support for hardware security keys (such as a YubiKey)."</span></div></div><div><div><div>16</div></div><div> </div></div><div><div><div>17</div></div><div><span># Check if the script is running as root</span></div></div><div><div><div>18</div></div><div><span>if</span><span> [ </span><span>"$(</span><span>id</span><span> </span><span>-u</span><span>)"</span><span><span> </span><span>-eq</span><span> </span></span><span>0</span><span> ]; </span><span>then</span></div></div><div><div><div>19</div></div><div><span> </span><span>printf</span><span> </span><span>"\n!!! Error: For safety reasons, this script cannot be run as root. If using sudo, please try again without it.\n"</span><span> &gt;&amp;2</span></div></div><div><div><div>20</div></div><div><span> </span><span>exit</span><span> </span><span>1</span></div></div><div><div><div>21</div></div><div><span>fi</span></div></div><div><div><div>22</div></div><div> </div></div><div><div><div>23</div></div><div><span># Function to compare macOS version strings</span></div></div><div><div><div>24</div></div><div><span>version_ge</span><span>() {</span></div></div><div><div><div>25</div></div><div><span><span> </span></span><span>[[ </span><span>"$(</span><span>echo</span><span> </span><span>-e</span><span> "</span><span>$1</span><span>\n</span><span>$2</span><span>" </span><span>|</span><span> </span><span>sort</span><span> </span><span>-V</span><span> </span><span>|</span><span> </span><span>head</span><span> </span><span>-n1</span><span>)"</span><span><span> </span><span>==</span><span> </span></span><span>"</span><span>$2</span><span>"</span><span> ]]</span></div></div><div><div><div>26</div></div><div><span>}</span></div></div><div><div><div>27</div></div><div> </div></div><div><div><div>28</div></div><div><span># function to get the current macOS Version</span></div></div><div><div><div>29</div></div><div><span>macos_version</span><span><span>=</span><span>$(</span></span><span>sw_vers</span><span> </span><span>-productVersion</span><span> | </span><span>cut</span><span> </span><span>-d</span><span> </span><span>'.'</span><span> </span><span>-f1,2</span><span>)</span></div></div><div><div><div>30</div></div><div> </div></div><div><div><div>31</div></div><div><span># Check if running at least macOS Sonoma</span></div></div><div><div><div>32</div></div><div><span>if</span><span> ! </span><span>version_ge</span><span> </span><span>"</span><span>$macos_version</span><span>"</span><span> </span><span>"14.0"</span><span>; </span><span>then</span></div></div><div><div><div>33</div></div><div><span> </span><span>printf</span><span> </span><span>"\n!!! Error: macOS version is </span><span>$macos_version</span><span>. This script requires at least macOS Sonoma (14.0).\n"</span><span> &gt;&amp;2</span></div></div><div><div><div>34</div></div><div><span> </span><span>exit</span><span> </span><span>1</span></div></div><div><div><div>35</div></div><div><span>fi</span></div></div><div><div><div>36</div></div><div><span>printf</span><span> </span><span>"\n* macOS version is supported!"</span></div></div><div><div><div>37</div></div><div> </div></div><div><div><div>38</div></div><div><span># Check if Homebrew is installed</span></div></div><div><div><div>39</div></div><div><span>if</span><span> ! </span><span>which</span><span> </span><span>brew</span><span> &amp;&gt;/dev/null; </span><span>then</span></div></div><div><div><div>40</div></div><div><span> </span><span>printf</span><span> </span><span>"\n!!! Error: This script requires Homebrew to install dependencies! Please install Homebrew and try again\n"</span><span> &gt;&amp;2</span></div></div><div><div><div>41</div></div><div><span> </span><span>exit</span><span> </span><span>1</span></div></div><div><div><div>42</div></div><div><span>fi</span></div></div><div><div><div>43</div></div><div><span>printf</span><span> </span><span>"\n* Homebrew is installed!"</span></div></div><div><div><div>44</div></div><div> </div></div><div><div><div>45</div></div><div><span>printf</span><span> </span><span>"\n* Cloning the latest main branch of openssh-portable from GitHub. This may take a while..."</span></div></div><div><div><div>46</div></div><div><span>git</span><span> </span><span>clone</span><span> </span><span>--quiet</span><span> </span><span>https://github.com/openssh/openssh-portable.git</span></div></div><div><div><div>47</div></div><div><span>cd</span><span> </span><span>openssh-portable</span></div></div><div><div><div>48</div></div><div> </div></div><div><div><div>49</div></div><div><span>printf</span><span> </span><span>"\n* Installing dependencies from Homebrew: libfido2, openssl, autoconf, automake, libtool\n"</span></div></div><div><div><div>50</div></div><div><span>brew</span><span> </span><span>install</span><span> </span><span>libfido2</span><span> </span><span>openssl</span><span> </span><span>autoconf</span><span> </span><span>automake</span><span> </span><span>libtool</span><span> </span><span>pkgconf</span></div></div><div><div><div>51</div></div><div> </div></div><div><div><div>52</div></div><div><span>printf</span><span> </span><span>"\n* Generating configuration script."</span></div></div><div><div><div>53</div></div><div><span>autoreconf</span><span> </span><span>-i</span></div></div><div><div><div>54</div></div><div> </div></div><div><div><div>55</div></div><div><span>printf</span><span> </span><span>"\n* Exporting flags."</span></div></div><div><div><div>56</div></div><div> </div></div><div><div><div>57</div></div><div><span># Determine the CPU architecture and set the appropriate Homebrew base path</span></div></div><div><div><div>58</div></div><div><span>if</span><span> [[ </span><span>"$(</span><span>uname</span><span> </span><span>-m</span><span>)"</span><span><span> </span><span>==</span><span> </span></span><span>"arm64"</span><span> ]]; </span><span>then</span></div></div><div><div><div>59</div></div><div><span> </span><span>BREW_PREFIX</span><span>=</span><span>"/opt/homebrew"</span></div></div><div><div><div>60</div></div><div><span>elif</span><span> [[ </span><span>"$(</span><span>uname</span><span> </span><span>-m</span><span>)"</span><span><span> </span><span>==</span><span> </span></span><span>"x86_64"</span><span> ]]; </span><span>then</span></div></div><div><div><div>61</div></div><div><span> </span><span>BREW_PREFIX</span><span>=</span><span>"/usr/local"</span></div></div><div><div><div>62</div></div><div><span>else</span></div></div><div><div><div>63</div></div><div><span> </span><span>echo</span><span> </span><span>"!!! Error: Unknown CPU architecture $(</span><span>uname</span><span> </span><span>-m</span><span>).\n"</span><span> &gt;&amp;2</span></div></div><div><div><div>64</div></div><div><span> </span><span>exit</span><span> </span><span>1</span></div></div><div><div><div>65</div></div><div><span>fi</span></div></div><div><div><div>66</div></div><div> </div></div><div><div><div>67</div></div><div><span># Get the appropriate paths for the Homebrew dependecies as they differ through version</span></div></div><div><div><div>68</div></div><div><span>BREW_OPENSSL_PATH</span><span><span>=</span><span>$(</span></span><span>ls</span><span> </span><span>-d</span><span> </span><span>$BREW_PREFIX</span><span>/Cellar/openssl@3/</span><span>*</span><span>)</span></div></div><div><div><div>69</div></div><div><span>BREW_LIBFIDO2_PATH</span><span><span>=</span><span>$(</span></span><span>ls</span><span> </span><span>-d</span><span> </span><span>$BREW_PREFIX</span><span>/Cellar/libfido2/</span><span>*</span><span>)</span></div></div><div><div><div>70</div></div><div><span>export</span><span> </span><span>CFLAGS</span><span>=</span><span>"-L</span><span>$BREW_OPENSSL_PATH</span><span>/lib -I</span><span>$BREW_OPENSSL_PATH</span><span>/include -L</span><span>$BREW_LIBFIDO2_PATH</span><span>/lib -I</span><span>$BREW_LIBFIDO2_PATH</span><span>/include -Wno-error=implicit-function-declaration"</span></div></div><div><div><div>71</div></div><div><span>export</span><span> </span><span>LDFLAGS</span><span>=</span><span>"-L</span><span>$BREW_OPENSSL_PATH</span><span>/lib -L</span><span>$BREW_LIBFIDO2_PATH</span><span>/lib"</span></div></div><div><div><div>72</div></div><div> </div></div><div><div><div>73</div></div><div><span>printf</span><span> </span><span>"\n* Configuring build. This may take a while..."</span></div></div><div><div><div>74</div></div><div><span>./configure</span><span> </span><span>--quiet</span><span> </span><span>--with-security-key-standalone</span></div></div><div><div><div>75</div></div><div> </div></div><div><div><div>76</div></div><div><span>printf</span><span> </span><span>"\n* Cleaning previous build for good measure."</span></div></div><div><div><div>77</div></div><div><span>make</span><span> </span><span>--quiet</span><span> </span><span>clean</span></div></div><div><div><div>78</div></div><div> </div></div><div><div><div>79</div></div><div><span>printf</span><span> </span><span>"\n* Building OpenSSH Portable."</span></div></div><div><div><div>80</div></div><div><span>make</span><span> </span><span>--quiet</span></div></div><div><div><div>81</div></div><div> </div></div><div><div><div>82</div></div><div><span>printf</span><span> </span><span>"\n* Copying the Security Key Provider library to /usr/local/lib."</span></div></div><div><div><div>83</div></div><div><span>printf</span><span> </span><span>"\n We need root privileges to modify system files.\n"</span></div></div><div><div><div>84</div></div><div><span>sudo</span><span> </span><span>mkdir</span><span> </span><span>-p</span><span> </span><span>/usr/local/lib</span></div></div><div><div><div>85</div></div><div><span>sudo</span><span> </span><span>mv</span><span> </span><span>sk-libfido2.dylib</span><span> </span><span>/usr/local/lib/</span></div></div><div><div><div>86</div></div><div> </div></div><div><div><div>87</div></div><div><span># Check if the script is running in ZSH. If not, give the user instructions.</span></div></div><div><div><div>88</div></div><div><span># Otherwise, modify .zshenv to set the environment variable if not already present.</span></div></div><div><div><div>89</div></div><div><span>if</span><span> [[ </span><span>"</span><span>$SHELL</span><span>"</span><span><span> </span><span>==</span><span> *zsh* ]]; </span></span><span>then</span></div></div><div><div><div>90</div></div><div><span> </span><span>printf</span><span> </span><span>"\n* Configuring the ~/.zshenv for the System SSH use the Security Key Provider we just built"</span></div></div><div><div><div>91</div></div><div><span> </span><span>if</span><span> ! </span><span>grep</span><span> </span><span>-q</span><span> </span><span>"export SSH_SK_PROVIDER=/usr/local/lib/sk-libfido2.dylib"</span><span> </span><span>"</span><span>$HOME</span><span>/.zshenv"</span><span> &amp;&gt;/dev/null; </span><span>then</span></div></div><div><div><div>92</div></div><div><span> </span><span>echo</span><span> </span><span>"export SSH_SK_PROVIDER=/usr/local/lib/sk-libfido2.dylib"</span><span> &gt;&gt; </span><span>"</span><span>$HOME</span><span>/.zshenv"</span></div></div><div><div><div>93</div></div><div><span> </span><span>printf</span><span> </span><span>"\n* Added SSH_SK_PROVIDER to ~/.zshenv."</span></div></div><div><div><div>94</div></div><div><span> </span><span>else</span></div></div><div><div><div>95</div></div><div><span> </span><span>printf</span><span> </span><span>"\n* SSH_SK_PROVIDER is already configured in ~/.zshenv."</span></div></div><div><div><div>96</div></div><div><span> </span><span>fi</span></div></div><div><div><div>97</div></div><div><span>else</span></div></div><div><div><div>98</div></div><div><span> </span><span>printf</span><span> </span><span>"*\n Since you are not on ZSH, you will need to manually configure your shell profile to tell the System SSH client to use the Security Key Provider we just built."</span></div></div><div><div><div>99</div></div><div><span> </span><span>printf</span><span> </span><span>"\n The shell profile should export the environment variable as follows:"</span></div></div><div><div><div>100</div></div><div><span> </span><span>printf</span><span> </span><span>"\n export SSH_SK_PROVIDER=/usr/local/lib/sk-libfido2.dylib"</span></div></div><div><div><div>101</div></div><div><span>fi</span></div></div><div><div><div>102</div></div><div> </div></div><div><div><div>103</div></div><div><span>printf</span><span> </span><span>"\n* Exiting the directory and deleting the repository we cloned. We don't need it anymore"</span></div></div><div><div><div>104</div></div><div><span>cd</span><span> </span><span>..</span></div></div><div><div><div>105</div></div><div><span>rm</span><span> </span><span>-rf</span><span> </span><span>openssh-portable</span></div></div><div><div><div>106</div></div><div> </div></div><div><div><div>107</div></div><div><span>printf</span><span> </span><span>"\n\n* That's it! After restarting your terminal session, you can plug in your hardware security key and test the installation using:"</span></div></div><div><div><div>108</div></div><div><span>printf</span><span> </span><span>"\n ssh-keygen -t ed25519-sk -O resident -O verify-required -C </span><span>\"</span><span>Your Comment</span><span>\"</span><span>"</span></div></div><div><div><div>109</div></div><div><span>printf</span><span> </span><span>"\n\nHave a nice day! :)\n\n"</span></div></div></code></pre><div><div></div><div></div></div></figure><div></div></div><span>展开</span><span>收起</span></div></div></section></section> <section><h1>yubikey配置<a href="#yubikey配置"><span>#</span></a></h1><section><h2>生成驻留密钥<a href="#生成驻留密钥"><span>#</span></a></h2><p>创建 SSH 驻留密钥(Resident Key)非常简单,只需要在生成密钥时添加 -O resident 选项。</p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>ssh-keygen</span><span> </span><span>\</span></div></div><div><div><div>2</div></div><div><span> </span><span>-t</span><span> </span><span>ed25519-sk</span><span> </span><span>\</span></div></div><div><div><div>3</div></div><div><span> </span><span>-O</span><span> </span><span>resident</span><span> </span><span>\</span></div></div><div><div><div>4</div></div><div><span> </span><span>-O</span><span> </span><span>verify-required</span></div></div></code></pre><div><div></div><div></div></div></figure></div><p><strong>参数说明</strong></p><ul> <li>-t ed25519-sk:指定证书类型为Ed25519</li> <li>-O resident:将私钥存储在 YubiKey 内部(驻留密钥)</li> <li>-O verify-required:每次使用时需要验证pin码</li> </ul><p>之后安装提示输入PIN码并触碰金属触点即可完成配置。</p></section><section><h2>从yubikey导出驻留密钥公钥<a href="#从yubikey导出驻留密钥公钥"><span>#</span></a></h2><p>在新设备上使用驻留密钥也很简单,只需要使用使用</p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>ssh-keygen</span><span> </span><span>-K</span></div></div></code></pre><div><div></div><div></div></div></figure></div><p>即可从yubikey中导出所有驻留密钥的公钥。 之后把导出的文件移动到~/.ssh文件夹下,并重命名为id_ed25519_sk即可被ssh-agent自动加载。</p><p>到此配置完成,是不是非常简单。从此走向忘记密码的道路,enjoy it!</p></section></section> <section><h1>参考资料<a href="#参考资料"><span>#</span></a></h1><ul> <li><a href="https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html" target="_blank">Securing SSH Authentication with FIDO2 Security Keys</a></li> <li><a href="https://developer.apple.com/forums/thread/698683" target="_blank">macOS bundled OpenSSH 8.6p1 seems don’t support FIDO keys</a></li> <li><a href="https://github.com/Yubico/libfido2/issues/464#issuecomment-1577748167" target="_blank">Bundled version of OpenSSH with macOS Monterey doesn’t support FIDO2 yubikeys</a></li> </ul></section>零信任内网远程访问:基于WireGuard部署私有网络远程接入,并实现远程访问内网设备https://www.renpengyu.com/posts/homelab-wireguard/https://www.renpengyu.com/posts/homelab-wireguard/本文讲述如何使用 WireGuard 搭建轻量化远程接入 VPN,实现对家庭局域网私有地址段的安全访问,并完成内外网络互通。可在外网环境下安全访问内网服务器、NAS 与自托管服务。Sun, 24 May 2026 00:00:00 GMT<section><h1>前言<a href="#前言"><span>#</span></a></h1><p>WireGuard是一种实现加密虚拟专用网络(VPN) 的通信协议和免费开源软件,其设计目标是易于使用、高速性能和低攻击面。它旨在比IPsec和OpenVPN这两种常见的隧道协议具有更好的性能和更强大的功能。</p><div><div><div></div><div>问题背景</div></div><div><p>家中服务器已经获取公网IPv6地址,并配置DDNS动态域名解析。受限于IPv6不兼容IPv4,导致部分服务无法远程访问。并且家庭内网直接暴露在公网环境上过于不安全。</p></div></div><div><div><div></div><div>解决方案</div></div><div><p>通过已经配置DDNS的域名连接WireGuard服务,建立VPN连接,在VPN内通过IPv4来访问服务。这样既解决了IPv6不兼容的问题,也避免了将家庭设备直接暴露到公网的危险。</p></div></div></section> <section><h1>服务器配置<a href="#服务器配置"><span>#</span></a></h1><section><h2>安装 WireGuard<a href="#安装-wireguard"><span>#</span></a></h2><p>WireGuard是一个开源项目,在主流Linux系统上都可以通过包管理器进行安装</p><div><div><div></div><div>提示</div></div><div><p>目前WireGuard代码已经进入Linux主线内核(Linux 5.6+),所以部分主流Linux发行版只需要安装WireGuard-tool工具即可</p></div></div><p><strong>Fedora/RHEL</strong></p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>sudo</span><span> </span><span>dnf</span><span> </span><span>install</span><span> </span><span>wireguard-tools</span></div></div></code></pre><div><div></div><div></div></div></figure></div><p><strong>Debian/Ubuntu</strong></p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>sudo</span><span> </span><span>apt</span><span> </span><span>install</span><span> </span><span>wireguard</span></div></div></code></pre><div><div></div><div></div></div></figure></div><p><strong>其他发行版</strong> 可以参考<a href="https://www.wireguard.com/install/" target="_blank">官方指南</a></p></section><section><h2>编写配置文件<a href="#编写配置文件"><span>#</span></a></h2><p>在开始配置前,需要先完成公私钥的准备和服务器网段的规划</p><section><h3>生成公私钥<a href="#生成公私钥"><span>#</span></a></h3><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>wg</span><span> </span><span>genkey</span><span> | </span><span>tee</span><span> </span><span>privatekey</span><span> | </span><span>wg</span><span> </span><span>pubkey</span><span> &gt; </span><span>publickey</span></div></div></code></pre><div><div></div><div></div></div></figure></div><p>这将在当前目录下生成存有公钥和私钥的publickey和privatekey文件,可以通过cat来查看。</p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>cat</span><span> </span><span>privatekey</span><span> &amp;&amp; </span><span>cat</span><span> </span><span>privatekey</span></div></div></code></pre><div><div></div><div></div></div></figure></div></section><section><h3>规划网段<a href="#规划网段"><span>#</span></a></h3><p>出于避免冲突和兼容性的考虑,VPN应当选择IPv4内网网段来配置。</p><p>为了避免和家庭网络中的ip冲突,故放弃使用192.168.0.0/16网段,选择使用10.10.0.0/24网段。</p><p>所以设置家庭服务器VPN内IP为10.10.0.1/32, 笔记本VPN内IP为10.10.0.2/32。</p></section><section><h3>将规划写入配置文件<a href="#将规划写入配置文件"><span>#</span></a></h3><p>在<code>/etc/wireguard/wg0.conf</code>下创建配置文件</p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>sudo</span><span> </span><span>vim</span><span> </span><span>/etc/wireguard/wg0.conf</span></div></div></code></pre><div><div></div><div></div></div></figure></div><p>示例配置文件如下所示:</p><div><figure><figcaption></figcaption><pre><code><div><div><div>1</div></div><div><span>[Interface]</span></div></div><div><div><div>2</div></div><div><span>Address</span><span><span> </span><span>=</span><span> 10.10.0.1/24</span></span></div></div><div><div><div>3</div></div><div><span>ListenPort</span><span><span> </span><span>=</span><span> 51820</span></span></div></div><div><div><div>4</div></div><div><span>PrivateKey</span><span><span> </span><span>=</span><span> XXX(填入刚刚生成的私钥)</span></span></div></div></code></pre><div><div></div><div></div></div></figure></div><p><strong>参数说明</strong></p><ul> <li><strong>[Interface]</strong> 下为本机 WireGuard 网卡配置 <ul> <li>Address: WireGuard 虚拟网卡的 IP 地址</li> <li>ListenPort: 服务器监听端口</li> <li>PrivateKey:当前机器自己的私钥(填入刚刚生成的私钥)</li> </ul> </li> </ul></section></section><section><h2>运行服务<a href="#运行服务"><span>#</span></a></h2><p>使用 wg-quick 服务配置 WireGuard 服务器</p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>systemctl</span><span> </span><span>enable</span><span> </span><span>--now</span><span> </span><span>wg-quick@wg0</span></div></div></code></pre><div><div></div><div></div></div></figure></div></section><section><h2>验证<a href="#验证"><span>#</span></a></h2><p>使用wg查看服务状态来确认是否成功运行</p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>sudo</span><span> </span><span>wg</span></div></div></code></pre><div><div></div><div></div></div></figure></div></section><section><h2>配置防火墙<a href="#配置防火墙"><span>#</span></a></h2><p>在服务器放行WireGuard的udp端口</p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>firewall-cmd</span><span> </span><span>--permanent</span><span> </span><span>--add-port=51820/udp</span><span> </span><span>--zone=public</span></div></div></code></pre><div><div></div><div></div></div></figure></div><div><div><div></div><div>拓展</div></div><div><p>可以将WireGuard网络加入trust区域,以此来实现在vpn内不受限制访问服务器所有端口。添加指令如下: sudo firewall-cmd —permanent —zone=trusted —add-interface=wg0</p></div></div><div><div><div></div><div>提示</div></div><div><p>到此WireGuard已经正常运行,如果没有远程访问内网其他设备的需求,可以直接跳转到<a href="#%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE">客户端配置</a>。</p></div></div></section><section><h2>配置远程内网访问<a href="#配置远程内网访问"><span>#</span></a></h2><p>目前WireGuard只是做到可以访问在vpn内的设备,但如果我们想访问家庭网络内(192.168.xxx.xxx)中的其他设备,是无法建立连接的。 这时我们就需要以家庭服务器为跳板,来帮我们转发发向192.168.xxx.xxx网段的网络包</p><section><h3>开启内核转发并持久化<a href="#开启内核转发并持久化"><span>#</span></a></h3><p>首先要开启内核相关的配置</p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>sudo</span><span> </span><span>sysctl</span><span> </span><span>-w</span><span> </span><span>net.ipv4.ip_forward=</span><span>1</span></div></div></code></pre><div><div></div><div></div></div></figure></div><p>但上面的指令在重启后失效,我们需要进行持久化配置。</p><p>linux系统会按照文件名加载<code>/etc/sysctl.d/</code>目下的文件作为内核参数,所以要持久化内核参数需要在该目录下建立配置文件</p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>sudo</span><span> </span><span>vim</span><span> </span><span>/etc/sysctl.d/99-wireguard.conf</span></div></div></code></pre><div><div></div><div></div></div></figure></div><div><div><div></div><div>关于文件名加载顺序</div></div><div><p>sysctl会按文件名前数字,从小到大进行加载。后加载的会覆盖先加载的参数,所以越靠后优先级越高,最大为99</p></div></div><p>在<code>99-wireguard.conf</code>文件里面填写如下内容来持久化开启内核转发</p><div><figure><figcaption></figcaption><pre><code><div><div><div>1</div></div><div><span>net.ipv4.ip_forward</span><span><span>=</span><span>1</span></span></div></div></code></pre><div><div></div><div></div></div></figure></div></section><section><h3>开启地址伪装<a href="#开启地址伪装"><span>#</span></a></h3><p>在开启内核转发后,我们发向内网网段的数据包已经可以被服务器中转到192.168.xxx.xxx网段了。但由于我们是从VPN内发的数据包,经家庭服务器转发到达内网。所以数据包的发送地址为我们在VPN内的地址。但我们VPN的IP在内网中是不能被除了家庭服务器外的设备访问到的,所以因为内网的设备无法回包导致无法访问。</p><div><div><div>sequenceDiagram participant Client as VPN客户端&lt;br/&gt;10.10.0.2 participant Gateway as 家庭服务器&lt;br/&gt;10.10.0.1 participant NAS as 内网设备&lt;br/&gt;192.168.1.100 Client-&gt;&gt;Gateway: 访问内网设备 Note over Client,Gateway: 源IP: 10.10.0.2 Gateway-&gt;&gt;NAS: 转发请求 Note over Gateway,NAS: 源IP仍然是 10.10.0.2 NAS--xClient: 尝试直接回复 10.10.0.2 Note over NAS: 不在同一网段,无法回复。</div></div></div><p>而解决方法也很简单,让家庭服务器在转发数据包时把数据包源IP也一起修改,由自己进行路由。</p><div><div><div>sequenceDiagram participant Client as VPN客户端&lt;br/&gt;10.10.0.2 participant Gateway as 家庭服务器&lt;br/&gt;10.10.0.1&lt;br/&gt;192.168.1.10 participant NAS as 内网设备&lt;br/&gt;192.168.1.100 Client-&gt;&gt;Gateway: 访问 NAS Note over Client,Gateway: 源IP: 10.10.0.2 Gateway-&gt;&gt;NAS: SNAT / Masquerade Note over Gateway,NAS: 源IP伪装为 192.168.1.10 NAS-&gt;&gt;Gateway: 回复 192.168.1.10 Gateway-&gt;&gt;Client: 反向转换后返回 Note over Gateway,Client: 目标恢复为 10.10.0.2</div></div></div><p>而开启伪装的方法也很简单,只需要一行指令</p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>iptables</span><span> </span><span>-t</span><span> </span><span>nat</span><span> </span><span>-A</span><span> </span><span>POSTROUTING</span><span> </span><span>-j</span><span> </span><span>MASQUERADE</span></div></div></code></pre><div><div></div><div></div></div></figure></div><p>但这里更推荐使用firewall来开启,可以更精确伪装的范围,并且持久化。</p><div><figure><figcaption><span></span><span>Terminal window</span></figcaption><pre><code><div><div><div>1</div></div><div><span>sudo</span><span> </span><span>firewall-cmd</span><span> </span><span>--permanent</span><span> </span><span>--add-masquerade</span></div></div></code></pre><div><div></div><div></div></div></figure></div></section></section></section> <section><h1>客户端配置<a href="#客户端配置"><span>#</span></a></h1><section><h2>下载客户端<a href="#下载客户端"><span>#</span></a></h2><p>建议使用带有gui的客户端,便于使用。</p><p>Windows可以<a href="https://download.wireguard.com/windows-client/" target="_blank">点击此处</a>下载。</p><p>macOS上需要从App Store上下载,可自行注册美区账号后下载。</p><div><div><div></div><div>提示</div></div><div><p>Windows上exe格式安装程序会自动下载目前最新版本安装,如果上网环境不好建议下载msi格式。</p></div></div></section><section><h2>添加客户端隧道配置<a href="#添加客户端隧道配置"><span>#</span></a></h2><p>打开WireGuard的GUI客户端,点击右下角加号选择新建空隧道。 之后会自动生成公钥和私钥,并显示如下配置文件内容:</p><div><figure><figcaption></figcaption><pre><code><div><div><div>1</div></div><div><span>[Interface]</span></div></div><div><div><div>2</div></div><div><span>PrivateKey</span><span><span> </span><span>=</span><span> xxxxx</span></span></div></div></code></pre><div><div></div><div></div></div></figure></div><p>之后根据之前的规划将配置文件补全</p><div><figure><figcaption></figcaption><pre><code><div><div><div>1</div></div><div><span>[Interface]</span></div></div><div><div><div>2</div></div><div><span>PrivateKey</span><span><span> </span><span>=</span><span> xxxxx</span></span></div></div><div><div><div>3</div></div><div><span>Address</span><span><span> </span><span>=</span><span> 10.0.0.2/32</span></span></div></div><div><div><div>4</div></div><div><span>MTU</span><span><span> </span><span>=</span><span> 1420</span></span></div></div><div><div><div>5</div></div><div> </div></div><div><div><div>6</div></div><div><span>[Peer]</span></div></div><div><div><div>7</div></div><div><span>PublicKey</span><span><span> </span><span>=</span><span> xxx</span></span></div></div><div><div><div>8</div></div><div><span>AllowedIPs</span><span><span> </span><span>=</span><span> 10.0.0.0/24, 192.168.1.0/24</span></span></div></div><div><div><div>9</div></div><div><span>Endpoint</span><span><span> </span><span>=</span><span> 服务器IP:端口</span></span></div></div><div><div><div>10</div></div><div><span>PersistentKeepalive</span><span><span> </span><span>=</span><span> 25</span></span></div></div></code></pre><div><div></div><div></div></div></figure></div><p><strong>参数说明</strong></p><ul> <li> <p><strong>[Interface]</strong> 下为本机 WireGuard 网卡配置</p> <ul> <li>PrivateKey:当前机器自己的私钥(使用自动生成的,不需要改动)</li> <li>Address: 客户端VPN内的 IP 地址</li> <li>MTU:<a href="https://zh.wikipedia.org/wiki/%E6%9C%80%E5%A4%A7%E4%BC%A0%E8%BE%93%E5%8D%95%E5%85%83" target="_blank">最大传输单元</a></li> </ul> </li> <li> <p><strong>[Peer]</strong> 下为对端节点配置</p> <ul> <li>PublicKey: 对端节点的公钥(填入服务器公钥)</li> <li>AllowedIPs: 需要通过VPN访问的IP(填入的IP再被访问时会自动转发到VPN上)</li> <li>Endpoint: 接入点,填入之前配置的服务器地址和端口</li> <li>PersistentKeepalive: 发送心跳包的时间,用于在多层NAT环境下保活隧道连接</li> </ul> </li> </ul></section><section><h2>将客户端信息写入服务器配置文件<a href="#将客户端信息写入服务器配置文件"><span>#</span></a></h2><p>在服务器WireGuard配置文件<code>/etc/wireguard/wg0.conf</code>中添加客户端信息</p><div><figure><figcaption></figcaption><pre><code><div><div><div>1</div></div><div><span>[Interface]</span></div></div><div><div><div>2</div></div><div><span>Address</span><span><span> </span><span>=</span><span> 10.10.0.1/24</span></span></div></div><div><div><div>3</div></div><div><span>ListenPort</span><span><span> </span><span>=</span><span> 51820</span></span></div></div><div><div><div>4</div></div><div><span>PrivateKey</span><span><span> </span><span>=</span><span> XXX</span></span></div></div><div><div><div>5</div></div><div> </div></div><div><div><div>6</div></div><div><span>#添加下面内容</span></div></div><div><div><div>7</div></div><div><span>[Peer]</span></div></div><div><div><div>8</div></div><div><span>PublicKey</span><span><span> </span><span>=</span><span> XXX </span></span><span>#填写刚刚客户端生成的公钥</span></div></div><div><div><div>9</div></div><div><span>AllowedIPs</span><span><span> </span><span>=</span><span> 10.10.0.2/32 </span></span><span>#填写为客户端规划的IP</span></div></div></code></pre><div><div></div><div></div></div></figure></div><p>保存后重启WireGuard服务</p><div><figure><figcaption></figcaption><pre><code><div><div><div>1</div></div><div><span>sudo wg-quick down wg0</span></div></div><div><div><div>2</div></div><div><span>sudo wg-quick up wg0</span></div></div></code></pre><div><div></div><div></div></div></figure></div><p><strong>到此大功告成,点击客户端点击连接即可接入VPN</strong></p></section></section> <section><h1>参考资料<a href="#参考资料"><span>#</span></a></h1><ul> <li><a href="https://docs.redhat.com/zh-cn/documentation/red_hat_enterprise_linux/9/html/configuring_and_managing_networking/proc_configuring-a-wireguard-server-by-using-the-wg-quick-service_assembly_setting-up-a-wireguard-vpn" target="_blank">使用 wg-quick 服务配置 WireGuard 服务器</a></li> <li><a href="https://www.reddit.com/r/linuxadmin/comments/7iom6e/what_does_firewallcmd_addmasquerade_do" target="_blank">What does ‘firewall-cmd —add-masquerade’ do?</a></li> </ul></section>