虚拟机 IP | WireGuard IP
172.18.1.94 | 19.11.11.1
172.18.1.95 | 19.11.11.3
172.18.1.64 | 19.11.11.6
注：19.11.11.0/24 不属于 RFC 1918 私有地址段，实际部署时隧道地址建议换成私有网段，避免与公网地址的路由冲突。

所有节点安装

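# Install WireGuard on every node: enable the EPEL and ELRepo repositories,
# then install the kernel module and the userspace tools.
yum install epel-release elrepo-release
yum install yum-plugin-elrepo
yum install kmod-wireguard wireguard-tools
cd /etc/wireguard/
# Generate this node's key pair. The subshell sets umask 077 so that tee
# creates privatekey readable by its owner only (the command-line setup later
# on this page uses the same umask) without changing the umask of the session.
(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)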
# cat privatekey
UPil4oDLUNLgqKATvJDZe4jYTYY8gAs/oZPG6gLBIlI=
（示例输出。私钥只应保存在本机；本文展示过的密钥已经公开，不能再用于实际环境，每个节点都要自己生成。）
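  • 所有节点编辑 /etc/wireguard/wg0.conf（vim /etc/wireguard/wg0.conf），写入以下内容；Address 和 PrivateKey 换成各节点自己的值。该文件包含私钥，权限应限制为仅 root 可读（chmod 600 /etc/wireguard/wg0.conf）。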
# Template [Interface] section for wg-quick. Address and PrivateKey must be
# replaced with each node's own values.
[Interface]
Address = 19.11.11.1/32
# wg-quick replaces %i with the interface name (wg0 here). PostUp appends
# ACCEPT rules for everything forwarded in or out of the tunnel interface and
# masquerades all traffic leaving enp0s3.
# NOTE(review): enp0s3 is hard-coded and must match the node's actual NIC name.
# NOTE(review): these rules look broader than the /32 peer mesh on this page
# needs; confirm forwarding and NAT are required before keeping them.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
# PostDown deletes the same three rules when the interface is brought down.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
ListenPort = 51820
# This node's own private key. The value below is printed on this page, so it
# is no longer secret: generate a fresh key on each node and never reuse it.
PrivateKey = UPil4oDLUNLgqKATvJDZe4jYTYY8gAs/oZPG6gLBIlI=
  • 开机启动
# Register the wg-quick instance for wg0 so the tunnel comes up at boot,
# then bring it up for the current session.
unit=wg-quick@wg0.service
systemctl enable "$unit"
systemctl start "$unit"


各节点相互添加
  • 节点 1
# cat /etc/wireguard/wg0.conf 
# Node 1 (VM 172.18.1.94): tunnel address 19.11.11.1, peers are nodes 2 and 3.
[Interface]
Address = 19.11.11.1/32
# Only node 1's config on this page sets DNS.
# NOTE(review): wg-quick relies on a resolvconf-style helper to apply this;
# confirm one is installed, otherwise bringing the interface up may fail.
DNS = 172.18.0.1
# %i is replaced by wg-quick with the interface name. The rules accept all
# traffic forwarded through the tunnel and masquerade everything leaving
# enp0s3; PostDown removes them again.
# NOTE(review): enp0s3 is hard-coded; confirm it matches this node's NIC.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
ListenPort = 51820
# Published on this page, so treat this key as compromised; use your own.
PrivateKey = CHQtPBl3pSwjlXgbxu6Zwg7XWQ23agWoc/bA7DCi2nY=

# Node 2. AllowedIPs is a single /32, so only packets sourced from
# 19.11.11.3 are accepted from this peer and only that address is sent to it.
[Peer]
PublicKey = cQsJXdvj9N+AYhoezPiekhbJysy+cT7USTe4Sz3hs1Q=
AllowedIPs = 19.11.11.3/32
EndPoint = 172.18.1.95:51820
# Node 3, restricted to 19.11.11.6 in the same way.
[Peer]
PublicKey = w9R9iSDZdDIxojn+nDfPW5Z3FdjpCTL2SErbADh++z4=
AllowedIPs = 19.11.11.6/32
EndPoint = 172.18.1.64:51820
  • 节点 2
# cat wg0.conf 
# Node 2 (VM 172.18.1.95): tunnel address 19.11.11.3, peers are nodes 1 and 3.
[Interface]
Address = 19.11.11.3/32
# %i is replaced by wg-quick with the interface name. The rules accept all
# traffic forwarded through the tunnel and masquerade everything leaving
# enp0s3; PostDown removes them again.
# NOTE(review): enp0s3 is hard-coded; confirm it matches this node's NIC.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
ListenPort = 51820
# Published on this page, so treat this key as compromised; use your own.
PrivateKey = UPil4oDLUNLgqKATvJDZe4jYTYY8gAs/oZPG6gLBIlI=

# Node 1. AllowedIPs is a single /32, so only packets sourced from
# 19.11.11.1 are accepted from this peer and only that address is sent to it.
[Peer]
PublicKey = +uNCw+YuLTgJLkb8onDxQfow5ta7zgz2v8oeq8FmWkc=
AllowedIPs = 19.11.11.1/32
EndPoint = 172.18.1.94:51820

# Node 3, restricted to 19.11.11.6 in the same way.
[Peer]
PublicKey = w9R9iSDZdDIxojn+nDfPW5Z3FdjpCTL2SErbADh++z4=
AllowedIPs = 19.11.11.6/32
EndPoint = 172.18.1.64:51820
  • 节点 3
[root@node64 ~]# cat /etc/wireguard/wg0.conf 
# Node 3 (VM 172.18.1.64): tunnel address 19.11.11.6, peers are nodes 1 and 2.
[Interface]
Address = 19.11.11.6/32
# %i is replaced by wg-quick with the interface name. The rules accept all
# traffic forwarded through the tunnel and masquerade everything leaving
# enp0s3; PostDown removes them again.
# NOTE(review): enp0s3 is hard-coded; confirm it matches this node's NIC.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
ListenPort = 51820
# Published on this page, so treat this key as compromised; use your own.
PrivateKey = IFjO8/EFgQQ1JrAp+n2VljmHSfSJyZ5xmdZl/g4uNFA=

# Node 1. AllowedIPs is a single /32, so only packets sourced from
# 19.11.11.1 are accepted from this peer and only that address is sent to it.
[Peer]
PublicKey = +uNCw+YuLTgJLkb8onDxQfow5ta7zgz2v8oeq8FmWkc=
AllowedIPs = 19.11.11.1/32
EndPoint = 172.18.1.94:51820

# Node 2, restricted to 19.11.11.3 in the same way.
[Peer]
PublicKey = cQsJXdvj9N+AYhoezPiekhbJysy+cT7USTe4Sz3hs1Q=
AllowedIPs = 19.11.11.3/32
EndPoint = 172.18.1.95:51820

命令行方式（用 ip/wg 直接配置，不写入 wg0.conf，重启后不会保留）

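# VM 1: bring up wg0 by hand instead of through wg-quick.
# umask 077 makes the private key file readable by its owner only.
umask 077
wg genkey > privatekey
ip link add dev wg0 type wireguard
# The tunnel address differs on every VM. The original line repeated
# "dev wg0" and carried a trailing "<<<<-----" annotation that is not shell;
# both are dropped here. The /24 prefix (wg0.conf uses /32) puts the other
# 19.11.11.x peers on-link for this interface.
ip address add 19.11.11.1/24 dev wg0
wg set wg0 private-key ./privatekey listen-port 50000
ip link set wg0 up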
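# VM 2: bring up wg0 by hand instead of through wg-quick.
# umask 077 makes the private key file readable by its owner only.
umask 077
wg genkey > privatekey
ip link add dev wg0 type wireguard
# The tunnel address differs on every VM. The original line repeated
# "dev wg0" and carried a trailing "<<<<-----" annotation that is not shell;
# both are dropped here. The /24 prefix (wg0.conf uses /32) puts the other
# 19.11.11.x peers on-link for this interface.
ip address add 19.11.11.3/24 dev wg0
wg set wg0 private-key ./privatekey listen-port 50000
ip link set wg0 up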
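# VM 3: bring up wg0 by hand instead of through wg-quick.
# umask 077 makes the private key file readable by its owner only.
umask 077
wg genkey > privatekey
ip link add dev wg0 type wireguard
# The tunnel address differs on every VM. The original line repeated
# "dev wg0" and carried a trailing "<<<<-----" annotation that is not shell;
# both are dropped here. The /24 prefix (wg0.conf uses /32) puts the other
# 19.11.11.x peers on-link for this interface.
ip address add 19.11.11.6/24 dev wg0
wg set wg0 private-key ./privatekey listen-port 50000
ip link set wg0 up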
启动后在各节点执行 wg 查看本机公钥，再到其余节点上把它添加为 peer（公钥以各节点 wg 的实际输出为准）
# wg

interface: wg0
  public key: +uNCw+YuLTgJLkb8onDxQfow5ta7zgz2v8oeq8FmWkc=
  private key: (hidden)
  listening port: 51820
# Register the other nodes as peers of wg0. Each command pins one peer to a
# single /32 tunnel address and to its VM endpoint.
# The endpoint port must be the port that peer actually listens on: 50000 in
# the command-line setup on this page, 51820 in the wg0.conf variant.
# NOTE(review): on a given node only the commands for the *other* nodes
# apply; presumably the node's own key is skipped. Confirm per host.

# Peer: node 2 (19.11.11.3)
wg set wg0 \
  peer cQsJXdvj9N+AYhoezPiekhbJysy+cT7USTe4Sz3hs1Q= \
  allowed-ips 19.11.11.3/32 \
  endpoint 172.18.1.95:50000

# Peer: node 1 (19.11.11.1)
wg set wg0 \
  peer +uNCw+YuLTgJLkb8onDxQfow5ta7zgz2v8oeq8FmWkc= \
  allowed-ips 19.11.11.1/32 \
  endpoint 172.18.1.94:50000

# Peer: node 3 (19.11.11.6)
wg set wg0 \
  peer w9R9iSDZdDIxojn+nDfPW5Z3FdjpCTL2SErbADh++z4= \
  allowed-ips 19.11.11.6/32 \
  endpoint 172.18.1.64:50000
