一、准备条件和安装wireguard
1.需要一台有公网IP的机器 公有云也行
2.k8s集群有traefik或者inginx
3.两边都要安装wireguard
4.准备一个域名解析到公有云IP
root@k8s-01:~# dnf install -y wireguard
#dnf install -y wireguard-tools二、创建公钥秘钥
#两个秘钥privatekey(私钥)publickey(公钥)
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey三、配置
root@VM-12-5-ubuntu:~# wg show wg0
interface: wg0
public key: 4GSWTJJq5zv6yd0pa4apypDSxxE+J7HckZ0OJOdfNlg=
private key: (hidden)
listening port: 51820
peer: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
endpoint: 113.108.37.18:2103
allowed ips: 10.88.0.2/32
latest handshake: 44 seconds ago
transfer: 279.00 KiB received, 137.54 KiB sent
persistent keepalive: every 25 seconds
[root@k8s-01 ~]# wg show wg0
interface: wg0
public key: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
private key: (hidden)
listening port: 46509
peer: 4GSWTJJq5zv6yd0pa4apypDSxxE+J7HckZ0OJOdfNlg=
endpoint: 43.138.186.171:51820
allowed ips: 10.88.0.1/32
latest handshake: 37 seconds ago
transfer: 130.80 KiB received, 259.68 KiB sent
persistent keepalive: every 25 seconds公有云 wg0 的 interface 公钥是 4GSWTJ...,它的 peer 公钥是 dF92nK...
K8s 侧 wg0 的 interface 公钥是 dF92nK...,它的 peer 公钥是 4GSWTJ...
也就是“本机 interface 公钥 == 对端 peer 公钥”,两边互为一对,没问题。#公有云(43.138.186.171)上的 wg0.conf
[Interface]
Address = 10.88.0.1/24
ListenPort = 51820
PrivateKey = (你的云主机私钥)
PostUp = sysctl -w net.ipv4.ip_forward=1 ; iptables -A FORWARD -i wg0 -j ACCEPT ; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT ; iptables -D FORWARD -o wg0 -j ACCEPT
[Interface]:本机(云主机)这个 WireGuard 网卡 wg0 的本地配置。
Address = 10.88.0.1/24:给 wg0 配的“隧道内网 IP”。
10.88.0.1 就是云主机在隧道里的地址。
/24 代表这个隧道网段是 10.88.0.0/24,以后可以再加别的 peer(10.88.0.x)。
ListenPort = 51820:云主机监听的 UDP 端口,等着别的 peer 来连它(常用默认就是 51820/udp)。
PrivateKey:云主机的私钥(保密)。公钥是用它导出的,发给对端使用。
PostUp/PostDown:wg-quick up/down 时要执行的钩子。
sysctl -w net.ipv4.ip_forward=1:开启三层转发(允许这台机子在不同网卡间转发 IP 包)。
两条 iptables FORWARD ACCEPT:允许数据包通过 wg0 转发。
注意这里没有做 SNAT/MASQUERADE,因为你现在只在 10.88 网段里互通,不需要 NAT。如果以后要让云主机访问 K8s 后面的 其它网段(比如 192.168.173.0/24),可能需要再加路由或 SNAT,这个在文末扩展里说。
[Peer]
PublicKey = (k8s-01 的公钥)
AllowedIPs = 10.88.0.2/32
PersistentKeepalive = 25
[Peer]:描述一个对端(这里就是 K8s 节点)的配置。
PublicKey:K8s 节点的公钥(用来验证/加密,不能拿私钥填)。
AllowedIPs = 10.88.0.2/32:两层含义(这是 WireGuard 的“妙处”)
路由:告诉本机“发往 10.88.0.2 的包,从这个 peer 走”。
ACL:只接受对端发来的、源地址是 10.88.0.2 的流量(更安全)。
/32 表示只这一个 IP。如果以后你想通过这个 peer 转更多网段(比如 192.168.173.0/24),就把它们加进 AllowedIPs。
PersistentKeepalive = 25:每 25 秒发一个空包“打洞/保活”。
对 NAT/防火墙后的 peer 很重要,防止 UDP 映射过期。放在云主机这边不是必须,但也无害。#K8s 节点(192.168.173.101)上的 wg0.conf
[Interface]
ListenPort = 46509
Address = 10.88.0.2/24
PrivateKey = (k8s-01 的私钥)
ListenPort = 46509:K8s 节点也在本地开了一个 UDP 监听端口。
实践里 客户端可不必监听(可以省略),只要它主动连云主机就行;但保留也没问题。
Address = 10.88.0.2/24:K8s 在隧道里的地址。
PrivateKey:K8s 的私钥(保密)。
[Peer]
PublicKey = (云主机的公钥)
Endpoint = 43.138.186.171:51820
AllowedIPs = 10.88.0.1/32
PersistentKeepalive = 25
PublicKey:云主机的公钥。
Endpoint = 43.138.186.171:51820:要去连接的对端外网地址+端口(云主机的公网IP+ListenPort)。
客户端必须写 Endpoint 才知道从哪拨号。
服务器端(云主机)通常不写 Endpoint,它会从对端第一个包学到真实来源地址。
AllowedIPs = 10.88.0.1/32:
路由:发往 10.88.0.1 的包走这个 peer;
ACL:只接受源地址是 10.88.0.1 的流量。
PersistentKeepalive = 25:这个放在客户端非常关键(多数客户端在 NAT 后)。这两份配置整体在做什么?
建立了一个点对点的三层隧道:
云主机(10.88.0.1) ↔ K8s 节点(10.88.0.2)
两边 AllowedIPs 互指对方的 /32 地址,因此:
发往 10.88.0.1 的流量从 K8s → 隧道走;
发往 10.88.0.2 的流量从云主机 → 隧道走;
因为 Interface Address 都是 /24,你将来可以很自然地再加更多 peer(10.88.0.3、10.88.0.4…),形成一个小型“星型/网状” VPN。常见问题 / 最佳实践
1./24 vs /32 有啥区别?
Address 的 /24 只是本机网卡的掩码(影响本机“直连子网”的认知),不直接决定能不能通谁。真正决定“隧道里允许/路由哪些网段”的是 各个 peer 的 AllowedIPs。
你现在 AllowedIPs 都是 /32,所以只有两个 IP 会走这条隧道,干净且安全。
2.为什么服务器端不需要写 Endpoint?
因为它“被拨号”,从首包能自动学到对端外网地址(NAT 环境下也能工作)。
3.防火墙要开啥?
云主机:放行 UDP 51820(外网入站)。
两端:放行 wg0 的 FORWARD(你已加),如果还要访问 K8s 的 NodePort,记得在 K8s 节点上放行对应端口来自 wg0 的入站(例如 iptables -I INPUT -i wg0 -p tcp --dport 32150 -j ACCEPT)。
4.密钥怎么生成?
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
本机 PrivateKey 用在 [Interface];对端的 PublicKey 用在本机的 [Peer]。
5.开机自启
systemctl enable --now wg-quick@wg0
如果出现下面这种报错大概率是wg0已经存在了 可能手动 wg-quick up wg0 过,结果现在 systemctl enable --now 在“启用的同时再次启动”,启动阶段发现 wg0 已经在运行,于是报错。
root@k8s-01:~# systemctl enable --now wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.
Job for wg-quick@wg0.service failed because the control process exited with error code.
See "systemctl status wg-quick@wg0.service" and "journalctl -xeu wg-quick@wg0.service" for details.
root@k8s-01:~# systemctl status wg-quick@wg0.service
× wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2025-08-28 03:01:09 UTC; 58s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 66728 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
Main PID: 66728 (code=exited, status=1/FAILURE)
CPU: 11ms
Aug 28 03:01:09 k8s-01 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Aug 28 03:01:09 k8s-01 wg-quick[66728]: wg-quick: `wg0' already exists
Aug 28 03:01:09 k8s-01 systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
Aug 28 03:01:09 k8s-01 systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Aug 28 03:01:09 k8s-01 systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
# 1) 看看当前是否已 up(可选)
wg show
ip a show dev wg0
# 2) 先优雅下线(会执行 PostDown,清理 iptables)
wg-quick down wg0 || true
重载秘钥
wg set wg0 private-key /etc/wireguard/privatekey
# 3) 重新用 systemd 启动(让开机自启 + 由 systemd 接管)
systemctl start wg-quick@wg0
systemctl enable wg-quick@wg0
# 4) 确认状态与连通性
systemctl status wg-quick@wg0 --no-pager
wg show
ping -c 3 10.88.0.1 # 在 k8s-01 上测试到云主机
6.排错检查
wg show
ip a show wg0
ip r | grep 10.88.
ping 10.88.0.1 # 从 k8s
ping 10.88.0.2 # 从云主机
加载秘钥命令
root@VM-12-5-ubuntu:~# wg set wg0 private-key /etc/wireguard/privatekey四、连接测试
root@VM-12-5-ubuntu:~# wg show wg0
interface: wg0
public key: 4GSWTJJq5zv6yd0pa4apypDSxxE+J7HckZ0OJOdfNlg=
private key: (hidden)
listening port: 51820
peer: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
endpoint: 113.108.37.18:2103
allowed ips: 10.88.0.2/32
latest handshake: 44 seconds ago
transfer: 279.00 KiB received, 137.54 KiB sent
persistent keepalive: every 25 seconds
[root@k8s-01 ~]# wg show wg0
interface: wg0
public key: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
private key: (hidden)
listening port: 46509
peer: 4GSWTJJq5zv6yd0pa4apypDSxxE+J7HckZ0OJOdfNlg=
endpoint: 43.138.186.171:51820
allowed ips: 10.88.0.1/32
latest handshake: 37 seconds ago
transfer: 130.80 KiB received, 259.68 KiB sent
persistent keepalive: every 25 seconds
握手正常
两边都显示 latest handshake 为几十秒前,且 transfer 有收发字节在增加——说明隧道已联通。
Endpoint 显示解释
公有云上看到的对端 endpoint: 113.108.37.18:2103 是 K8s 侧出网的公网/NAT 地址与端口(被动学习到的)。
K8s 侧配置中的 Endpoint = 43.138.186.171:51820 是 主动连向公有云的固定地址。这种一主一从(NAT 穿透)是正常现象。互ping测试
root@VM-12-5-ubuntu:~# ping -c 3 10.88.0.2
PING 10.88.0.2 (10.88.0.2) 56(84) bytes of data.
64 bytes from 10.88.0.2: icmp_seq=1 ttl=64 time=913 ms
64 bytes from 10.88.0.2: icmp_seq=2 ttl=64 time=1112 ms
64 bytes from 10.88.0.2: icmp_seq=3 ttl=64 time=1083 ms
--- 10.88.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 913.232/1036.088/1112.054/87.679 ms, pipe 2
root@k8s-01:~# ping -c 3 10.88.0.1
PING 10.88.0.1 (10.88.0.1) 56(84) bytes of data.
64 bytes from 10.88.0.1: icmp_seq=1 ttl=64 time=1090 ms
64 bytes from 10.88.0.1: icmp_seq=2 ttl=64 time=1110 ms
64 bytes from 10.88.0.1: icmp_seq=3 ttl=64 time=1094 ms
--- 10.88.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2016ms
rtt min/avg/max/mdev = 1089.897/1098.075/1110.163/8.722 ms, pipe 2如果你要从公有云访问 K8s 集群内部
把 公有云侧指向 K8s 侧的 [Peer] 的 AllowedIPs 扩到需要的网段,例如:
AllowedIPs = 10.88.0.2/32, 10.244.0.0/16, 10.96.0.0/12, 192.168.30.0/24
并在 K8s 出口网关(运行 wireguard 的那台) 开启转发和 SNAT(若需要):
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.244.0.0/16 -o <外网网卡> -j MASQUERADE
# 视需要把 10.96.0.0/12、192.168.30.0/24 也做 MASQUERADE
注:如果你在 K8s 里用了 CNI 的内置 MASQ 或有专用出口网关,按实际网络结构调整。五、域名测试
5.1 方案 A(简单入门):在公有云 Nginx 终止 TLS,回源走 HTTP 到 Traefik(NodePort 32150)
5.1.1 K8s 侧:放一个测试应用 + Ingress
#用 Traefik 当 IngressClass,域名就用 zhuanfa.axzys.cn(跟外网一致,方便验证“相同”)。
# demo-whoami.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
namespace: demo
spec:
replicas: 1
selector:
matchLabels: { app: whoami }
template:
metadata:
labels: { app: whoami }
spec:
containers:
- name: whoami
image: traefik/whoami:v1.10
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: demo
spec:
selector: { app: whoami }
ports:
- port: 80
targetPort: 80
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: whoami
namespace: demo
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: zhuanfa.axzys.cn
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: whoami
port:
number: 80
kubectl create ns demo
kubectl apply -f demo-whoami.yaml
kubectl -n demo get ingressroot@k8s-01:~# kubectl get svc -n traefik
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
traefik NodePort 10.100.109.7 <none> 80:30080/TCP,443:30443/TCP 27d
小检查:从公有云主机上(10.88.0.1)直连 Traefik 的 NodePort 看看有没有返回:
root@VM-12-5-ubuntu:~# curl -H 'Host: zhuanfa.axzys.cn' http://10.88.0.2:30080
Hostname: whoami-678b958ccd-mqx5f
IP: 127.0.0.1
IP: ::1
IP: 10.244.2.74
IP: fe80::f097:a9ff:fe0e:b981
RemoteAddr: 10.244.2.25:35632
GET / HTTP/1.1
Host: zhuanfa.axzys.cn
User-Agent: curl/7.81.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 10.244.0.0
X-Forwarded-Host: zhuanfa.axzys.cn
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: traefik-release-589c7ff647-2668z
X-Real-Ip: 10.244.0.0
#能看到 whoami 的 JSON/文本就 OK。如果服务器有防火墙,请在 K8s 节点上放行来自 wg0 的 NodePort:
iptables -I INPUT -i wg0 -p tcp --dport 30080 -j ACCEPT
# (如开启 https 回源,再放 30080)5.1.2 公有云 Nginx:终止 TLS,并通过 WireGuard 走 HTTP 回源
HTTP 先通(测试用)
/etc/nginx/sites-available/zhuanfa.axzys.cnupstream traefik_via_wg_http {
server 10.88.0.2:30080; # Traefik web (NodePort)
keepalive 32;
}
server {
listen 80;
server_name zhuanfa.axzys.cn;
# 如需把所有 80 跳 443,等签好证书后再加:
# return 301 https://$host$request_uri;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_read_timeout 120s;
proxy_send_timeout 120s;
proxy_pass http://traefik_via_wg_http;
}
}
#启用站点并重载
ln -s /etc/nginx/sites-available/zhuanfa.axzys.cn /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginxhttp://zhuanfa.axzys.cn/#再加 HTTPS(证书放在公有云) 最方便的是用 certbot 自动签:
apt-get update && apt-get install -y certbot python3-certbot-nginx
certbot --nginx -d zhuanfa.axzys.cnroot@VM-12-5-ubuntu:~# apt-get install -y certbot python3-certbot-nginx
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
python3-acme python3-certbot python3-certifi python3-configargparse python3-icu python3-josepy python3-parsedatetime python3-requests python3-requests-toolbelt python3-rfc3339 python3-tz python3-urllib3 python3-zope.component
python3-zope.event python3-zope.hookable
Suggested packages:
python-certbot-doc python3-certbot-apache python-acme-doc python-certbot-nginx-doc python3-socks python-requests-doc
The following NEW packages will be installed:
certbot python3-acme python3-certbot python3-certbot-nginx python3-certifi python3-configargparse python3-icu python3-josepy python3-parsedatetime python3-requests python3-requests-toolbelt python3-rfc3339 python3-tz
python3-urllib3 python3-zope.component python3-zope.event python3-zope.hookable
0 upgraded, 17 newly installed, 0 to remove and 202 not upgraded.
Need to get 1,322 kB of archives.
After this operation, 6,211 kB of additional disk space will be used.
Get:1 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-josepy all 1.10.0-1 [22.0 kB]
Get:2 http://mirrors.tencentyun.com/ubuntu jammy/main amd64 python3-certifi all 2020.6.20-1 [150 kB]
Get:3 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 python3-urllib3 all 1.26.5-1~exp1ubuntu0.3 [98.6 kB]
Get:4 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 python3-requests all 2.25.1+dfsg-2ubuntu0.3 [48.8 kB]
Get:5 http://mirrors.tencentyun.com/ubuntu jammy/main amd64 python3-requests-toolbelt all 0.9.1-1 [38.0 kB]
Get:6 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 python3-tz all 2022.1-1ubuntu0.22.04.1 [30.7 kB]
Get:7 http://mirrors.tencentyun.com/ubuntu jammy/main amd64 python3-rfc3339 all 1.1-3 [7,110 B]
Get:8 http://mirrors.tencentyun.com/ubuntu jammy-updates/universe amd64 python3-acme all 1.21.0-1ubuntu0.1 [36.4 kB]
Get:9 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-configargparse all 1.5.3-1 [26.9 kB]
Get:10 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-parsedatetime all 2.6-2 [32.9 kB]
Get:11 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-zope.hookable amd64 5.1.0-1build1 [11.6 kB]
Get:12 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-zope.event all 4.4-3 [8,180 B]
Get:13 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-zope.component all 4.3.0-3 [38.3 kB]
Get:14 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-certbot all 1.21.0-1build1 [175 kB]
Get:15 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 certbot all 1.21.0-1build1 [21.3 kB]
Get:16 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-certbot-nginx all 1.21.0-1 [35.4 kB]
Get:17 http://mirrors.tencentyun.com/ubuntu jammy/main amd64 python3-icu amd64 2.8.1-0ubuntu2 [540 kB]
Fetched 1,322 kB in 2s (759 kB/s)
Preconfiguring packages ...
Selecting previously unselected package python3-josepy.
(Reading database ... 88845 files and directories currently installed.)
Preparing to unpack .../00-python3-josepy_1.10.0-1_all.deb ...
Unpacking python3-josepy (1.10.0-1) ...
Selecting previously unselected package python3-certifi.
Preparing to unpack .../01-python3-certifi_2020.6.20-1_all.deb ...
Unpacking python3-certifi (2020.6.20-1) ...
Selecting previously unselected package python3-urllib3.
Preparing to unpack .../02-python3-urllib3_1.26.5-1~exp1ubuntu0.3_all.deb ...
Unpacking python3-urllib3 (1.26.5-1~exp1ubuntu0.3) ...
Selecting previously unselected package python3-requests.
Preparing to unpack .../03-python3-requests_2.25.1+dfsg-2ubuntu0.3_all.deb ...
Unpacking python3-requests (2.25.1+dfsg-2ubuntu0.3) ...
Selecting previously unselected package python3-requests-toolbelt.
Preparing to unpack .../04-python3-requests-toolbelt_0.9.1-1_all.deb ...
Unpacking python3-requests-toolbelt (0.9.1-1) ...
Selecting previously unselected package python3-tz.
Preparing to unpack .../05-python3-tz_2022.1-1ubuntu0.22.04.1_all.deb ...
Unpacking python3-tz (2022.1-1ubuntu0.22.04.1) ...
Selecting previously unselected package python3-rfc3339.
Preparing to unpack .../06-python3-rfc3339_1.1-3_all.deb ...
Unpacking python3-rfc3339 (1.1-3) ...
Selecting previously unselected package python3-acme.
Preparing to unpack .../07-python3-acme_1.21.0-1ubuntu0.1_all.deb ...
Unpacking python3-acme (1.21.0-1ubuntu0.1) ...
Selecting previously unselected package python3-configargparse.
Preparing to unpack .../08-python3-configargparse_1.5.3-1_all.deb ...
Unpacking python3-configargparse (1.5.3-1) ...
Selecting previously unselected package python3-parsedatetime.
Preparing to unpack .../09-python3-parsedatetime_2.6-2_all.deb ...
Unpacking python3-parsedatetime (2.6-2) ...
Selecting previously unselected package python3-zope.hookable.
Preparing to unpack .../10-python3-zope.hookable_5.1.0-1build1_amd64.deb ...
Unpacking python3-zope.hookable (5.1.0-1build1) ...
Selecting previously unselected package python3-zope.event.
Preparing to unpack .../11-python3-zope.event_4.4-3_all.deb ...
Unpacking python3-zope.event (4.4-3) ...
Selecting previously unselected package python3-zope.component.
Preparing to unpack .../12-python3-zope.component_4.3.0-3_all.deb ...
Unpacking python3-zope.component (4.3.0-3) ...
Selecting previously unselected package python3-certbot.
Preparing to unpack .../13-python3-certbot_1.21.0-1build1_all.deb ...
Unpacking python3-certbot (1.21.0-1build1) ...
Selecting previously unselected package certbot.
Preparing to unpack .../14-certbot_1.21.0-1build1_all.deb ...
Unpacking certbot (1.21.0-1build1) ...
Selecting previously unselected package python3-certbot-nginx.
Preparing to unpack .../15-python3-certbot-nginx_1.21.0-1_all.deb ...
Unpacking python3-certbot-nginx (1.21.0-1) ...
Selecting previously unselected package python3-icu.
Preparing to unpack .../16-python3-icu_2.8.1-0ubuntu2_amd64.deb ...
Unpacking python3-icu (2.8.1-0ubuntu2) ...
Setting up python3-configargparse (1.5.3-1) ...
Setting up python3-parsedatetime (2.6-2) ...
Setting up python3-icu (2.8.1-0ubuntu2) ...
Setting up python3-zope.event (4.4-3) ...
Setting up python3-tz (2022.1-1ubuntu0.22.04.1) ...
Setting up python3-zope.hookable (5.1.0-1build1) ...
Setting up python3-certifi (2020.6.20-1) ...
Setting up python3-urllib3 (1.26.5-1~exp1ubuntu0.3) ...
Setting up python3-josepy (1.10.0-1) ...
Setting up python3-rfc3339 (1.1-3) ...
Setting up python3-zope.component (4.3.0-3) ...
Setting up python3-requests (2.25.1+dfsg-2ubuntu0.3) ...
Setting up python3-requests-toolbelt (0.9.1-1) ...
Setting up python3-acme (1.21.0-1ubuntu0.1) ...
Setting up python3-certbot (1.21.0-1build1) ...
Setting up certbot (1.21.0-1build1) ...
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
Setting up python3-certbot-nginx (1.21.0-1) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# certbot --nginx -d zhuanfa.axzys.cn
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): 7902731@qq.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for zhuanfa.axzys.cn
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/zhuanfa.axzys.cn/fullchain.pem
Key is saved at: /etc/letsencrypt/live/zhuanfa.axzys.cn/privkey.pem
This certificate expires on 2025-11-25.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for zhuanfa.axzys.cn to /etc/nginx/sites-enabled/zhuanfa.axzys.cn
Congratulations! You have successfully enabled HTTPS on https://zhuanfa.axzys.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -certbot 会把 Nginx 配置自动改成 80→443 跳转 + SSL 证书挂载。之后再访问:
https://zhuanfa.axzys.cn/
#链路
说明:TLS 在公有云 Nginx 终止,Nginx → Traefik 用 HTTP(wg 隧道里,安全性没问题)。5.2 公有云 Nginx(使用 stream 透传 TCP)
在 /etc/nginx/nginx.conf 里添加 stream {} 段(与 http {} 同级),并把 80/443 都透传到 Traefik 的 NodePort:stream {
upstream traefik_http {
server 10.88.0.2:30080; # Traefik web (HTTP)
}
upstream traefik_https {
server 10.88.0.2:30443; # Traefik websecure (HTTPS)
}
server {
listen 80;
proxy_pass traefik_http;
proxy_timeout 120s;
proxy_connect_timeout 5s;
}
server {
listen 443;
proxy_pass traefik_https;
proxy_timeout 120s;
proxy_connect_timeout 5s;
}
}
#重载
nginx -t && systemctl reload nginx现在访问 http://zhuanfa.axzys.cn 会被 Traefik 处理(你可以在 Traefik 里做 80→443 跳转),https://zhuanfa.axzys.cn 证书也由 Traefik 下发与续期。
注意:Nginx 必须是带 stream 模块的(Ubuntu/Debian 默认包一般已带)。六、常见陷阱 & 排错清单
NodePort 只在内网开放:
若你担心 NodePort 泄露到其他网卡,可以把 kube-proxy 配成只监听 WireGuard 网段:
在 kube-proxy 的 ConfigMap 里设置 nodePortAddresses: ["10.88.0.0/24"],然后滚动重启 kube-proxy。
或临时用 iptables 只允许 -i wg0 的 32150/31948。
请求头:
方案 A 用 HTTP 反代时,务必保留 Host 和 X-Forwarded-* 头(上面 Nginx 配置已加),否则基于 Host 的 Ingress 匹配会失败。
Traefik Dashboard 405:
你之前用 curl -I 访问 /dashboard/ 出现 405,这是正常的(Dashboard 不回应 HEAD)。用 curl -v http://.../dashboard/ 或浏览器 GET 即可。
隧道路由:
你已经能互 ping(10.88.0.1 ↔ 10.88.0.2),说明 AllowedIPs/防火墙没问题;如果 Nginx 回源连不上,优先 curl 10.88.0.2:32150/31948 验证链路。你可以这样快速验证
选 方案 A:
1)应用上面 demo YAML(web 入口)。
2)公有云 Nginx 配好 HTTP 反代。
3)本地打开 http://zhuanfa.axzys.cn/ → 看到 whoami。
4)再跑 certbot → 用 https://zhuanfa.axzys.cn/ 访问。
选 方案 B:
1)Ingress 切到 websecure(或同时配置 web 做 80→443 跳转)。
2)公有云 Nginx 加 stream 透传 80/443 到 32150/31948。
3)浏览器直接 https://zhuanfa.axzys.cn/,证书由 Traefik 管。七、扩展
7.1 想让云主机直接访问 K8s 后面的内网(比如 192.168.173.0/24)怎么办?
#在现在的点对点配置里,只通了 10.88.0.1 ↔ 10.88.0.2。如果还想从云主机访问 K8s 节点所在内网(或 Pod/Service 网段),有两种常见做法:
Last login: Wed Aug 27 13:32:47 2025 from 183.14.30.81
root@VM-12-5-ubuntu:~# apt-get update
Hit:1 http://mirrors.tencentyun.com/ubuntu jammy InRelease
Get:2 http://mirrors.tencentyun.com/ubuntu jammy-updates InRelease [128 kB]
Get:3 http://mirrors.tencentyun.com/ubuntu jammy-security InRelease [129 kB]
Get:4 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 Packages [2,843 kB]
Get:5 http://mirrors.tencentyun.com/ubuntu jammy-updates/main Translation-en [447 kB]
Get:6 http://mirrors.tencentyun.com/ubuntu jammy-updates/restricted amd64 Packages [4,269 kB]
Get:7 http://mirrors.tencentyun.com/ubuntu jammy-updates/restricted Translation-en [778 kB]
Get:8 http://mirrors.tencentyun.com/ubuntu jammy-updates/universe amd64 Packages [1,227 kB]
Get:9 http://mirrors.tencentyun.com/ubuntu jammy-updates/universe Translation-en [304 kB]
Get:10 http://mirrors.tencentyun.com/ubuntu jammy-updates/multiverse amd64 Packages [59.5 kB]
Get:11 http://mirrors.tencentyun.com/ubuntu jammy-updates/multiverse Translation-en [14.2 kB]
Get:12 http://mirrors.tencentyun.com/ubuntu jammy-security/main amd64 Packages [2,595 kB]
Get:13 http://mirrors.tencentyun.com/ubuntu jammy-security/main Translation-en [383 kB]
Get:14 http://mirrors.tencentyun.com/ubuntu jammy-security/restricted amd64 Packages [4,118 kB]
Get:15 http://mirrors.tencentyun.com/ubuntu jammy-security/restricted Translation-en [751 kB]
Get:16 http://mirrors.tencentyun.com/ubuntu jammy-security/universe amd64 Packages [994 kB]
Get:17 http://mirrors.tencentyun.com/ubuntu jammy-security/universe Translation-en [217 kB]
Get:18 http://mirrors.tencentyun.com/ubuntu jammy-security/multiverse amd64 Packages [40.3 kB]
Get:19 http://mirrors.tencentyun.com/ubuntu jammy-security/multiverse Translation-en [8,908 B]
Fetched 19.3 MB in 4s (4,695 kB/s)
Reading package lists... Done
root@VM-12-5-ubuntu:~# apt-get install -y wireguard
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
wireguard-tools
Suggested packages:
openresolv | resolvconf
The following NEW packages will be installed:
wireguard wireguard-tools
0 upgraded, 2 newly installed, 0 to remove and 202 not upgraded.
Need to get 90.0 kB of archives.
After this operation, 345 kB of additional disk space will be used.
Get:1 http://mirrors.tencentyun.com/ubuntu jammy/main amd64 wireguard-tools amd64 1.0.20210914-1ubuntu2 [86.9 kB]
Get:2 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 wireguard all 1.0.20210914-1ubuntu2 [3,114 B]
Fetched 90.0 kB in 0s (505 kB/s)
Selecting previously unselected package wireguard-tools.
(Reading database ... 88675 files and directories currently installed.)
Preparing to unpack .../wireguard-tools_1.0.20210914-1ubuntu2_amd64.deb ...
Unpacking wireguard-tools (1.0.20210914-1ubuntu2) ...
Selecting previously unselected package wireguard.
Preparing to unpack .../wireguard_1.0.20210914-1ubuntu2_all.deb ...
Unpacking wireguard (1.0.20210914-1ubuntu2) ...
Setting up wireguard-tools (1.0.20210914-1ubuntu2) ...
wg-quick.target is a disabled or a static unit not running, not starting it.
Setting up wireguard (1.0.20210914-1ubuntu2) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# ls
snap
root@VM-12-5-ubuntu:~# vi /etc/wireguard/wg0.conf
root@VM-12-5-ubuntu:~# wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
root@VM-12-5-ubuntu:~# sudo ufw status
Status: inactive
root@VM-12-5-ubuntu:~# vi /etc/wireguard/wg0.conf
root@VM-12-5-ubuntu:~# systemctl enable --now wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.
root@VM-12-5-ubuntu:~# wg show
interface: wg0
public key: Vl13ICrsWW4tODYv94bNV2Es9FPY4/6MoJ0hO1YXG3I=
private key: (hidden)
listening port: 51820
peer: n7/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuBU=
allowed ips: 10.88.0.2/32
persistent keepalive: every 25 seconds
root@VM-12-5-ubuntu:~# ping -c 3 10.88.0.2
PING 10.88.0.2 (10.88.0.2) 56(84) bytes of data.
From 10.88.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.88.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.88.0.1 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Destination address required
--- 10.88.0.2 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2028ms
root@VM-12-5-ubuntu:~# curl -I -H 'Host: zhuanfa.axzys.cn' http://10.88.0.2:30080
curl: (7) Failed to connect to 10.88.0.2 port 30080 after 0 ms: No route to host
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# # 检查是否有任何阻止规则
sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
56282 49M YJ-FIREWALL-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- wg0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * wg0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain YJ-FIREWALL-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 94.181.229.254 0.0.0.0/0 reject-with icmp-port-unreachable
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# sudo tcpdump -i any -n port 51820
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
14:06:35.051827 eth0 In IP 113.108.37.18.2102 > 10.1.12.5.51820: UDP, length 148
14:06:40.683575 eth0 In IP 113.108.37.18.2102 > 10.1.12.5.51820: UDP, length 148
14:06:45.803948 eth0 In IP 113.108.37.18.2102 > 10.1.12.5.51820: UDP, length 148
14:06:51.435594 eth0 In IP 113.108.37.18.2102 > 10.1.12.5.51820: UDP, length 148
14:06:57.067465 eth0 In IP 113.108.37.18.2102 > 10.1.12.5.51820: UDP, length 148
^C
5 packets captured
6 packets received by filter
0 packets dropped by kernel
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# sudo iptables -t nat -A POSTROUTING -o eth33 -j MASQUERADE
root@VM-12-5-ubuntu:~# sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root@VM-12-5-ubuntu:~# vi /etc/wireguard/wg0.conf
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# sudo ss -lunp | grep 51820
UNCONN 0 0 0.0.0.0:51820 0.0.0.0:*
UNCONN 0 0 [::]:51820 [::]:*
root@VM-12-5-ubuntu:~# sudo wg show
interface: wg0
public key: Vl13ICrsWW4tODYv94bNV2Es9FPY4/6MoJ0hO1YXG3I=
private key: (hidden)
listening port: 51820
peer: n7/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuBU=
allowed ips: 10.88.0.2/32
persistent keepalive: every 25 seconds
root@VM-12-5-ubuntu:~# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.88.0.1/24
ListenPort = 51820
PrivateKey = BgxjDizUdEATpdh0iZ7Y+zQo2iVyqRBgp70CemeZ30A=
# 允许转发
PostUp = sysctl -w net.ipv4.ip_forward=1 ; iptables -A FORWARD -i wg0 -j ACCEPT ; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT ; iptables -D FORWARD -o wg0 -j ACCEPT
[Peer]
PublicKey = n7/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuBU=
AllowedIPs = 10.88.0.2/32
PersistentKeepalive = 25
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# umask 077
wg genkey | tee /etc/wireguard/server.priv | wg pubkey > /etc/wireguard/server.pub
cat /etc/wireguard/server.pub
4GSWTJJq5zv6yd0pa4apypDSxxE+J7HckZ0OJOdfNlg=
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# cat /etc/wireguard/server.priv
qFvMNYv27vwcIfJuu6fXLcxYNscOTvlDxmd9JzN8fV8=
root@VM-12-5-ubuntu:~# vi /etc/wireguard/wg0.conf
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# systemctl restart wg-quick@wg0
root@VM-12-5-ubuntu:~# wg show
interface: wg0
public key: 4GSWTJJq5zv6yd0pa4apypDSxxE+J7HckZ0OJOdfNlg=
private key: (hidden)
listening port: 51820
peer: n7/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuBU=
allowed ips: 10.88.0.2/32
persistent keepalive: every 25 seconds
root@VM-12-5-ubuntu:~# ping -c 3 10.88.0.2
PING 10.88.0.2 (10.88.0.2) 56(84) bytes of data.
From 10.88.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.88.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.88.0.1 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Destination address required
--- 10.88.0.2 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2042ms
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# ping -c 3 10.88.0.2
PING 10.88.0.2 (10.88.0.2) 56(84) bytes of data.
From 10.88.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.88.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.88.0.1 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Destination address required
--- 10.88.0.2 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2038ms
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# ip -c a show dev wg0
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.88.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# sudo ufw allow 51820/udp
Rules updated
Rules updated (v6)
root@VM-12-5-ubuntu:~# sudo ufw status
Status: inactive
root@VM-12-5-ubuntu:~# sudo tcpdump -ni any udp port 51820
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
14:41:19.914736 eth0 In IP 113.108.37.18.2103 > 10.1.12.5.51820:
14:41:25.547105 eth0 In IP 113.108.37.18.2103 > 10.1.12.5.51820:
14:41:31.178873 eth0 In IP 113.108.37.18.2103 > 10.1.12.5.51820:
14:41:36.811278 eth0 In IP 113.108.37.18.2103 > 10.1.12.5.51820:
14:41:41.931850 eth0 In IP 113.108.37.18.2103 > 10.1.12.5.51820:
14:41:47.563886 eth0 In IP 113.108.37.18.2103 > 10.1.12.5.51820:
14:41:52.682762 eth0 In IP 113.108.37.18.2103 > 10.1.12.5.51820:
14:41:58.314897 eth0 In IP 113.108.37.18.2103 > 10.1.12.5.51820:
14:42:03.947282 eth0 In IP 113.108.37.18.2103 > 10.1.12.5.51820:
^C
9 packets captured
10 packets received by filter
0 packets dropped by kernel
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# watch -n1 wg show
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# sudo wg showconf wg0
[Interface]
ListenPort = 51820
PrivateKey = qFvMNYv27vwcIfJuu6fXLcxYNscOTvlDxmd9JzN8fV8=
[Peer]
PublicKey = n7/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuBU=
AllowedIPs = 10.88.0.2/32
PersistentKeepalive = 25
root@VM-12-5-ubuntu:~# sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.88.0.1/24
ListenPort = 51820
PrivateKey = qFvMNYv27vwcIfJuu6fXLcxYNscOTvlDxmd9JzN8fV8=
PostUp = sysctl -w net.ipv4.ip_forward=1 ; iptables -A FORWARD -i wg0 -j ACCEPT ; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT ; iptables -D FORWARD -o wg0 -j ACCEPT
[Peer]
PublicKey = n7/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuBU=
AllowedIPs = 10.88.0.2/32
PersistentKeepalive = 25
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# sudo sed -i 's|^PublicKey = .*|PublicKey = dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=|' /etc/wireguard/wg0.conf
root@VM-12-5-ubuntu:~# sudo systemctl restart wg-quick@wg0
root@VM-12-5-ubuntu:~# wg show
interface: wg0
public key: 4GSWTJJq5zv6yd0pa4apypDSxxE+J7HckZ0OJOdfNlg=
private key: (hidden)
listening port: 51820
peer: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
allowed ips: 10.88.0.2/32
persistent keepalive: every 25 seconds
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# wg show
interface: wg0
public key: 4GSWTJJq5zv6yd0pa4apypDSxxE+J7HckZ0OJOdfNlg=
private key: (hidden)
listening port: 51820
peer: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
endpoint: 113.108.37.18:2103
allowed ips: 10.88.0.2/32
latest handshake: 19 seconds ago
transfer: 180 B received, 124 B sent
persistent keepalive: every 25 seconds
root@VM-12-5-ubuntu:~# ping -c 3 10.88.0.2
PING 10.88.0.2 (10.88.0.2) 56(84) bytes of data.
64 bytes from 10.88.0.2: icmp_seq=1 ttl=64 time=6.01 ms
64 bytes from 10.88.0.2: icmp_seq=2 ttl=64 time=5.91 ms
64 bytes from 10.88.0.2: icmp_seq=3 ttl=64 time=5.88 ms
--- 10.88.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.879/5.932/6.006/0.053 ms
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# S_PRIV=$(sudo wg showconf wg0 | awk '/^PrivateKey/ {print $3; exit}')
sudo sed -i "s|^PrivateKey = .*|PrivateKey = $S_PRIV|" /etc/wireguard/wg0.conf
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# ping -c 3 10.88.0.2
PING 10.88.0.2 (10.88.0.2) 56(84) bytes of data.
64 bytes from 10.88.0.2: icmp_seq=1 ttl=64 time=6.23 ms
64 bytes from 10.88.0.2: icmp_seq=2 ttl=64 time=6.17 ms
64 bytes from 10.88.0.2: icmp_seq=3 ttl=64 time=5.91 ms
--- 10.88.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.906/6.101/6.229/0.140 ms
root@VM-12-5-ubuntu:~# sudo tcpdump -ni any udp port 51820
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
^C
0 packets captured
1 packet received by filter
0 packets dropped by kernel
root@VM-12-5-ubuntu:~# ^C
root@VM-12-5-ubuntu:~# ping -c 3 10.88.0.2
PING 10.88.0.2 (10.88.0.2) 56(84) bytes of data.
64 bytes from 10.88.0.2: icmp_seq=1 ttl=64 time=6.36 ms
64 bytes from 10.88.0.2: icmp_seq=2 ttl=64 time=5.91 ms
64 bytes from 10.88.0.2: icmp_seq=3 ttl=64 time=5.89 ms
--- 10.88.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.886/6.053/6.362/0.218 ms
root@VM-12-5-ubuntu:~# sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.88.0.1/24
ListenPort = 51820
PrivateKey = qFvMNYv27vwcIfJuu6fXLcxYNscOTvlDxmd9JzN8fV8=
PostUp = sysctl -w net.ipv4.ip_forward=1 ; iptables -A FORWARD -i wg0 -j ACCEPT ; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT ; iptables -D FORWARD -o wg0 -j ACCEPT
[Peer]
PublicKey = dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
AllowedIPs = 10.88.0.2/32
PersistentKeepalive = 25
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.88.0.1/24
ListenPort = 51820
PrivateKey = qFvMNYv27vwcIfJuu6fXLcxYNscOTvlDxmd9JzN8fV8=
PostUp = sysctl -w net.ipv4.ip_forward=1 ; iptables -A FORWARD -i wg0 -j ACCEPT ; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT ; iptables -D FORWARD -o wg0 -j ACCEPT
[Peer]
PublicKey = dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
AllowedIPs = 10.88.0.2/32
PersistentKeepalive = 25
root@VM-12-5-ubuntu:~# curl -H 'Host: zhuanfa.axzys.cn' http://10.88.0.2:32150/
Hostname: whoami-678b958ccd-5x2gj
IP: 127.0.0.1
IP: ::1
IP: 10.244.2.60
IP: fe80::6498:49ff:fe98:6d1
RemoteAddr: 10.244.2.47:48502
GET / HTTP/1.1
Host: zhuanfa.axzys.cn
User-Agent: curl/7.81.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 10.244.0.0
X-Forwarded-Host: zhuanfa.axzys.cn
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: traefik-release-589c7ff647-r2txc
X-Real-Ip: 10.244.0.0
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# curl -H 'Host: zhuanfa.axzys.cn' http://10.88.0.2:32150/
^C
root@VM-12-5-ubuntu:~# yum install nginx -y
Command 'yum' not found, did you mean:
command 'gum' from snap gum (0.13.0)
command 'uum' from deb freewnn-jserver (1.1.1~a021+cvs20130302-7build1)
command 'sum' from deb coreutils (8.32-4.1ubuntu1.2)
command 'zum' from deb perforate (1.2-5.1)
command 'yum4' from deb nextgen-yum4 (4.5.2-6)
command 'num' from deb quickcal (2.4-1)
See 'snap info <snapname>' for additional versions.
root@VM-12-5-ubuntu:~# atp install nginx -y
Command 'atp' not found, but there are 18 similar ones.
root@VM-12-5-ubuntu:~# apt install nginx
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libnginx-mod-http-geoip2 libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libnginx-mod-stream-geoip2 nginx-common nginx-core
Suggested packages:
fcgiwrap nginx-doc ssl-cert
The following NEW packages will be installed:
libnginx-mod-http-geoip2 libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libnginx-mod-stream-geoip2 nginx nginx-common nginx-core
0 upgraded, 9 newly installed, 0 to remove and 202 not upgraded.
Need to get 698 kB of archives.
After this operation, 2,391 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 nginx-common all 1.18.0-6ubuntu14.7 [40.1 kB]
Get:2 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 libnginx-mod-http-geoip2 amd64 1.18.0-6ubuntu14.7 [12.0 kB]
Get:3 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 libnginx-mod-http-image-filter amd64 1.18.0-6ubuntu14.7 [15.5 kB]
Get:4 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 libnginx-mod-http-xslt-filter amd64 1.18.0-6ubuntu14.7 [13.8 kB]
Get:5 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 libnginx-mod-mail amd64 1.18.0-6ubuntu14.7 [45.8 kB]
Get:6 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 libnginx-mod-stream amd64 1.18.0-6ubuntu14.7 [73.0 kB]
Get:7 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 libnginx-mod-stream-geoip2 amd64 1.18.0-6ubuntu14.7 [10.1 kB]
Get:8 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 nginx-core amd64 1.18.0-6ubuntu14.7 [483 kB]
Get:9 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 nginx amd64 1.18.0-6ubuntu14.7 [3,878 B]
Fetched 698 kB in 1s (745 kB/s)
Preconfiguring packages ...
Selecting previously unselected package nginx-common.
(Reading database ... 88755 files and directories currently installed.)
Preparing to unpack .../0-nginx-common_1.18.0-6ubuntu14.7_all.deb ...
Unpacking nginx-common (1.18.0-6ubuntu14.7) ...
Selecting previously unselected package libnginx-mod-http-geoip2.
Preparing to unpack .../1-libnginx-mod-http-geoip2_1.18.0-6ubuntu14.7_amd64.deb ...
Unpacking libnginx-mod-http-geoip2 (1.18.0-6ubuntu14.7) ...
Selecting previously unselected package libnginx-mod-http-image-filter.
Preparing to unpack .../2-libnginx-mod-http-image-filter_1.18.0-6ubuntu14.7_amd64.deb ...
Unpacking libnginx-mod-http-image-filter (1.18.0-6ubuntu14.7) ...
Selecting previously unselected package libnginx-mod-http-xslt-filter.
Preparing to unpack .../3-libnginx-mod-http-xslt-filter_1.18.0-6ubuntu14.7_amd64.deb ...
Unpacking libnginx-mod-http-xslt-filter (1.18.0-6ubuntu14.7) ...
Selecting previously unselected package libnginx-mod-mail.
Preparing to unpack .../4-libnginx-mod-mail_1.18.0-6ubuntu14.7_amd64.deb ...
Unpacking libnginx-mod-mail (1.18.0-6ubuntu14.7) ...
Selecting previously unselected package libnginx-mod-stream.
Preparing to unpack .../5-libnginx-mod-stream_1.18.0-6ubuntu14.7_amd64.deb ...
Unpacking libnginx-mod-stream (1.18.0-6ubuntu14.7) ...
Selecting previously unselected package libnginx-mod-stream-geoip2.
Preparing to unpack .../6-libnginx-mod-stream-geoip2_1.18.0-6ubuntu14.7_amd64.deb ...
Unpacking libnginx-mod-stream-geoip2 (1.18.0-6ubuntu14.7) ...
Selecting previously unselected package nginx-core.
Preparing to unpack .../7-nginx-core_1.18.0-6ubuntu14.7_amd64.deb ...
Unpacking nginx-core (1.18.0-6ubuntu14.7) ...
Selecting previously unselected package nginx.
Preparing to unpack .../8-nginx_1.18.0-6ubuntu14.7_amd64.deb ...
Unpacking nginx (1.18.0-6ubuntu14.7) ...
Setting up nginx-common (1.18.0-6ubuntu14.7) ...
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /lib/systemd/system/nginx.service.
Setting up libnginx-mod-http-xslt-filter (1.18.0-6ubuntu14.7) ...
Setting up libnginx-mod-http-geoip2 (1.18.0-6ubuntu14.7) ...
Setting up libnginx-mod-mail (1.18.0-6ubuntu14.7) ...
Setting up libnginx-mod-http-image-filter (1.18.0-6ubuntu14.7) ...
Setting up libnginx-mod-stream (1.18.0-6ubuntu14.7) ...
Setting up libnginx-mod-stream-geoip2 (1.18.0-6ubuntu14.7) ...
Setting up nginx-core (1.18.0-6ubuntu14.7) ...
* Upgrading binary nginx [ OK ]
Setting up nginx (1.18.0-6ubuntu14.7) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for ufw (0.36.1-4build1) ...
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@VM-12-5-ubuntu:~# vi /etc/nginx/sites-available/zhuanfa.axzys.cn
root@VM-12-5-ubuntu:~# ln -s /etc/nginx/sites-available/zhuanfa.axzys.cn /etc/nginx/sites-enabled/
root@VM-12-5-ubuntu:~# nginx -t && systemctl reload nginx
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# apt-get install -y certbot python3-certbot-nginx
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
python3-acme python3-certbot python3-certifi python3-configargparse python3-icu python3-josepy python3-parsedatetime python3-requests python3-requests-toolbelt python3-rfc3339 python3-tz python3-urllib3 python3-zope.component
python3-zope.event python3-zope.hookable
Suggested packages:
python-certbot-doc python3-certbot-apache python-acme-doc python-certbot-nginx-doc python3-socks python-requests-doc
The following NEW packages will be installed:
certbot python3-acme python3-certbot python3-certbot-nginx python3-certifi python3-configargparse python3-icu python3-josepy python3-parsedatetime python3-requests python3-requests-toolbelt python3-rfc3339 python3-tz
python3-urllib3 python3-zope.component python3-zope.event python3-zope.hookable
0 upgraded, 17 newly installed, 0 to remove and 202 not upgraded.
Need to get 1,322 kB of archives.
After this operation, 6,211 kB of additional disk space will be used.
Get:1 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-josepy all 1.10.0-1 [22.0 kB]
Get:2 http://mirrors.tencentyun.com/ubuntu jammy/main amd64 python3-certifi all 2020.6.20-1 [150 kB]
Get:3 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 python3-urllib3 all 1.26.5-1~exp1ubuntu0.3 [98.6 kB]
Get:4 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 python3-requests all 2.25.1+dfsg-2ubuntu0.3 [48.8 kB]
Get:5 http://mirrors.tencentyun.com/ubuntu jammy/main amd64 python3-requests-toolbelt all 0.9.1-1 [38.0 kB]
Get:6 http://mirrors.tencentyun.com/ubuntu jammy-updates/main amd64 python3-tz all 2022.1-1ubuntu0.22.04.1 [30.7 kB]
Get:7 http://mirrors.tencentyun.com/ubuntu jammy/main amd64 python3-rfc3339 all 1.1-3 [7,110 B]
Get:8 http://mirrors.tencentyun.com/ubuntu jammy-updates/universe amd64 python3-acme all 1.21.0-1ubuntu0.1 [36.4 kB]
Get:9 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-configargparse all 1.5.3-1 [26.9 kB]
Get:10 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-parsedatetime all 2.6-2 [32.9 kB]
Get:11 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-zope.hookable amd64 5.1.0-1build1 [11.6 kB]
Get:12 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-zope.event all 4.4-3 [8,180 B]
Get:13 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-zope.component all 4.3.0-3 [38.3 kB]
Get:14 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-certbot all 1.21.0-1build1 [175 kB]
Get:15 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 certbot all 1.21.0-1build1 [21.3 kB]
Get:16 http://mirrors.tencentyun.com/ubuntu jammy/universe amd64 python3-certbot-nginx all 1.21.0-1 [35.4 kB]
Get:17 http://mirrors.tencentyun.com/ubuntu jammy/main amd64 python3-icu amd64 2.8.1-0ubuntu2 [540 kB]
Fetched 1,322 kB in 2s (759 kB/s)
Preconfiguring packages ...
Selecting previously unselected package python3-josepy.
(Reading database ... 88845 files and directories currently installed.)
Preparing to unpack .../00-python3-josepy_1.10.0-1_all.deb ...
Unpacking python3-josepy (1.10.0-1) ...
Selecting previously unselected package python3-certifi.
Preparing to unpack .../01-python3-certifi_2020.6.20-1_all.deb ...
Unpacking python3-certifi (2020.6.20-1) ...
Selecting previously unselected package python3-urllib3.
Preparing to unpack .../02-python3-urllib3_1.26.5-1~exp1ubuntu0.3_all.deb ...
Unpacking python3-urllib3 (1.26.5-1~exp1ubuntu0.3) ...
Selecting previously unselected package python3-requests.
Preparing to unpack .../03-python3-requests_2.25.1+dfsg-2ubuntu0.3_all.deb ...
Unpacking python3-requests (2.25.1+dfsg-2ubuntu0.3) ...
Selecting previously unselected package python3-requests-toolbelt.
Preparing to unpack .../04-python3-requests-toolbelt_0.9.1-1_all.deb ...
Unpacking python3-requests-toolbelt (0.9.1-1) ...
Selecting previously unselected package python3-tz.
Preparing to unpack .../05-python3-tz_2022.1-1ubuntu0.22.04.1_all.deb ...
Unpacking python3-tz (2022.1-1ubuntu0.22.04.1) ...
Selecting previously unselected package python3-rfc3339.
Preparing to unpack .../06-python3-rfc3339_1.1-3_all.deb ...
Unpacking python3-rfc3339 (1.1-3) ...
Selecting previously unselected package python3-acme.
Preparing to unpack .../07-python3-acme_1.21.0-1ubuntu0.1_all.deb ...
Unpacking python3-acme (1.21.0-1ubuntu0.1) ...
Selecting previously unselected package python3-configargparse.
Preparing to unpack .../08-python3-configargparse_1.5.3-1_all.deb ...
Unpacking python3-configargparse (1.5.3-1) ...
Selecting previously unselected package python3-parsedatetime.
Preparing to unpack .../09-python3-parsedatetime_2.6-2_all.deb ...
Unpacking python3-parsedatetime (2.6-2) ...
Selecting previously unselected package python3-zope.hookable.
Preparing to unpack .../10-python3-zope.hookable_5.1.0-1build1_amd64.deb ...
Unpacking python3-zope.hookable (5.1.0-1build1) ...
Selecting previously unselected package python3-zope.event.
Preparing to unpack .../11-python3-zope.event_4.4-3_all.deb ...
Unpacking python3-zope.event (4.4-3) ...
Selecting previously unselected package python3-zope.component.
Preparing to unpack .../12-python3-zope.component_4.3.0-3_all.deb ...
Unpacking python3-zope.component (4.3.0-3) ...
Selecting previously unselected package python3-certbot.
Preparing to unpack .../13-python3-certbot_1.21.0-1build1_all.deb ...
Unpacking python3-certbot (1.21.0-1build1) ...
Selecting previously unselected package certbot.
Preparing to unpack .../14-certbot_1.21.0-1build1_all.deb ...
Unpacking certbot (1.21.0-1build1) ...
Selecting previously unselected package python3-certbot-nginx.
Preparing to unpack .../15-python3-certbot-nginx_1.21.0-1_all.deb ...
Unpacking python3-certbot-nginx (1.21.0-1) ...
Selecting previously unselected package python3-icu.
Preparing to unpack .../16-python3-icu_2.8.1-0ubuntu2_amd64.deb ...
Unpacking python3-icu (2.8.1-0ubuntu2) ...
Setting up python3-configargparse (1.5.3-1) ...
Setting up python3-parsedatetime (2.6-2) ...
Setting up python3-icu (2.8.1-0ubuntu2) ...
Setting up python3-zope.event (4.4-3) ...
Setting up python3-tz (2022.1-1ubuntu0.22.04.1) ...
Setting up python3-zope.hookable (5.1.0-1build1) ...
Setting up python3-certifi (2020.6.20-1) ...
Setting up python3-urllib3 (1.26.5-1~exp1ubuntu0.3) ...
Setting up python3-josepy (1.10.0-1) ...
Setting up python3-rfc3339 (1.1-3) ...
Setting up python3-zope.component (4.3.0-3) ...
Setting up python3-requests (2.25.1+dfsg-2ubuntu0.3) ...
Setting up python3-requests-toolbelt (0.9.1-1) ...
Setting up python3-acme (1.21.0-1ubuntu0.1) ...
Setting up python3-certbot (1.21.0-1build1) ...
Setting up certbot (1.21.0-1build1) ...
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
Setting up python3-certbot-nginx (1.21.0-1) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~# certbot --nginx -d zhuanfa.axzys.cn
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): 7902731@qq.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for zhuanfa.axzys.cn
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/zhuanfa.axzys.cn/fullchain.pem
Key is saved at: /etc/letsencrypt/live/zhuanfa.axzys.cn/privkey.pem
This certificate expires on 2025-11-25.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for zhuanfa.axzys.cn to /etc/nginx/sites-enabled/zhuanfa.axzys.cn
Congratulations! You have successfully enabled HTTPS on https://zhuanfa.axzys.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@VM-12-5-ubuntu:~#
root@VM-12-5-ubuntu:~#
[root@k8s-01 ~]# sudo dnf install -y wireguard-tools
Last metadata expiration check: 0:00:43 ago on Wed Aug 27 13:52:47 2025.
Dependencies resolved.
=====================================================================================================================================================================================================================================
Package Architecture Version Repository Size
=====================================================================================================================================================================================================================================
Installing:
wireguard-tools x86_64 1.0.20210914-3.el9 appstream 114 k
Installing dependencies:
systemd-resolved x86_64 252-51.el9_6.1 baseos 380 k
Transaction Summary
=====================================================================================================================================================================================================================================
Install 2 Packages
Total download size: 494 k
Installed size: 1.0 M
Downloading Packages:
(1/2): wireguard-tools-1.0.20210914-3.el9.x86_64.rpm 598 kB/s | 114 kB 00:00
(2/2): systemd-resolved-252-51.el9_6.1.x86_64.rpm 1.5 MB/s | 380 kB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 293 kB/s | 494 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: systemd-resolved-252-51.el9_6.1.x86_64 1/2
Installing : systemd-resolved-252-51.el9_6.1.x86_64 1/2
Running scriptlet: systemd-resolved-252-51.el9_6.1.x86_64 1/2
Installing : wireguard-tools-1.0.20210914-3.el9.x86_64 2/2
Running scriptlet: wireguard-tools-1.0.20210914-3.el9.x86_64 2/2
Verifying : systemd-resolved-252-51.el9_6.1.x86_64 1/2
Verifying : wireguard-tools-1.0.20210914-3.el9.x86_64 2/2
Installed:
systemd-resolved-252-51.el9_6.1.x86_64 wireguard-tools-1.0.20210914-3.el9.x86_64
Complete!
[root@k8s-01 ~]# wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
[root@k8s-01 ~]# vi cat /etc/wireguard/publickey
2 files to edit
[root@k8s-01 ~]# cat /etc/wireguard/publickey
n7/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuBU=
[root@k8s-01 ~]# sudo systemctl stop firewalld
[root@k8s-01 ~]# vi /etc/wireguard/wg0.conf
[root@k8s-01 ~]# systemctl enable --now wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /usr/lib/systemd/system/wg-quick@.service.
[root@k8s-01 ~]# wg show
interface: wg0
public key: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
private key: (hidden)
listening port: 42179
peer: BgxjDizUdEATpdh0iZ7Y+zQo2iVyqRBgp70CemeZ30A=
endpoint: 43.138.186.171:51820
allowed ips: 10.88.0.1/32
transfer: 0 B received, 148 B sent
persistent keepalive: every 25 seconds
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:d4:4f:e7 brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 192.168.173.101/24 brd 192.168.173.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fed4:4fe7/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether b6:ee:bd:b4:cf:87 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: kube-ipvs0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
link/ether c2:cd:7c:86:14:bd brd ff:ff:ff:ff:ff:ff
inet 10.106.48.170/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.100.101.161/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.96.0.10/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.98.232.237/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.100.223.32/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.96.0.1/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.100.147.23/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.101.189.236/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.97.132.101/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
5: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
link/ether 5e:9d:fa:96:af:2b brd ff:ff:ff:ff:ff:ff
inet 10.244.0.0/32 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::5c9d:faff:fe96:af2b/64 scope link
valid_lft forever preferred_lft forever
6: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
link/ether 72:66:f6:85:8e:aa brd ff:ff:ff:ff:ff:ff
inet 10.244.0.1/24 brd 10.244.0.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::7066:f6ff:fe85:8eaa/64 scope link
valid_lft forever preferred_lft forever
160: veth26c6ffcc@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
link/ether de:52:a9:34:79:f6 brd ff:ff:ff:ff:ff:ff link-netns cni-b0039ff2-418f-6ff2-d3dd-b65dd3d8bee4
inet6 fe80::dc52:a9ff:fe34:79f6/64 scope link
valid_lft forever preferred_lft forever
161: vetha4607aaa@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
link/ether de:5a:9b:4e:6f:04 brd ff:ff:ff:ff:ff:ff link-netns cni-1f503360-9a27-073a-b8c7-5ee8286a56d2
inet6 fe80::dc5a:9bff:fe4e:6f04/64 scope link
valid_lft forever preferred_lft forever
162: veth4615fa64@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
link/ether 1a:cc:41:1c:f2:9d brd ff:ff:ff:ff:ff:ff link-netns cni-532a4e09-6e09-1113-3044-1d864ac3acf5
inet6 fe80::18cc:41ff:fe1c:f29d/64 scope link
valid_lft forever preferred_lft forever
163: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.88.0.2/24 scope global wg0
valid_lft forever preferred_lft forever
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]# sudo wg show
interface: wg0
public key: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
private key: (hidden)
listening port: 42179
peer: BgxjDizUdEATpdh0iZ7Y+zQo2iVyqRBgp70CemeZ30A=
endpoint: 43.138.186.171:51820
allowed ips: 10.88.0.1/32
transfer: 0 B received, 27.46 KiB sent
persistent keepalive: every 25 seconds
[root@k8s-01 ~]# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.88.0.2/24
PrivateKey = n7/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuBU=
[Peer]
PublicKey = BgxjDizUdEATpdh0iZ7Y+zQo2iVyqRBgp70CemeZ30A=
Endpoint = 43.138.186.171:51820
AllowedIPs = 10.88.0.1/32
PersistentKeepalive = 25
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]# cat /etc/wireguard/k8s.pub
cat: /etc/wireguard/k8s.pub: No such file or directory
[root@k8s-01 ~]# cat cat /etc/wireguard/publickey
cat: cat: No such file or directory
n7/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuBU=
[root@k8s-01 ~]# vi /etc/wireguard/wg0.conf
[root@k8s-01 ~]# systemctl restart wg-quick@wg0
[root@k8s-01 ~]# wg show
interface: wg0
public key: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
private key: (hidden)
listening port: 46509
peer: qFvMNYv27vwcIfJuu6fXLcxYNscOTvlDxmd9JzN8fV8=
endpoint: 43.138.186.171:51820
allowed ips: 10.88.0.1/32
transfer: 0 B received, 592 B sent
persistent keepalive: every 25 seconds
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]# sysctl -w net.ipv4.conf.all.rp_filter=2
sysctl -w net.ipv4.conf.wg0.rp_filter=2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.wg0.rp_filter = 2
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]# ip -c a show dev wg0
167: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.88.0.2/24 scope global wg0
valid_lft forever preferred_lft forever
[root@k8s-01 ~]# watch -n1 wg show
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]# sudo wg showconf wg0
[Interface]
ListenPort = 46509
PrivateKey = mL/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuFU=
[Peer]
PublicKey = qFvMNYv27vwcIfJuu6fXLcxYNscOTvlDxmd9JzN8fV8=
AllowedIPs = 10.88.0.1/32
Endpoint = 43.138.186.171:51820
PersistentKeepalive = 25
[root@k8s-01 ~]# sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.88.0.2/24
PrivateKey = n7/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuBU=
[Peer]
PublicKey = qFvMNYv27vwcIfJuu6fXLcxYNscOTvlDxmd9JzN8fV8=
Endpoint = 43.138.186.171:51820
AllowedIPs = 10.88.0.1/32
PersistentKeepalive = 25
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]# sudo sed -i 's|^PrivateKey = .*|PrivateKey = mL/...FU=|' /etc/wireguard/wg0.conf
[root@k8s-01 ~]# sudo sed -i '/^\[Interface\]/a ListenPort = 46509' /etc/wireguard/wg0.conf
[root@k8s-01 ~]# echo 'mL/...FU=' | sudo wg pubkey
wg: Key is not the correct length or format
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]# CLIENT_PRIV=$(sudo wg showconf wg0 | awk '/^PrivateKey/ {print $3; exit}')
[root@k8s-01 ~]# CLIENT_PUB=$(echo "$CLIENT_PRIV" | wg pubkey)
[root@k8s-01 ~]# echo "CLIENT_PUB = $CLIENT_PUB"
CLIENT_PUB = dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
[root@k8s-01 ~]# sudo sed -i "s|^PrivateKey = .*|PrivateKey = $CLIENT_PRIV|" /etc/wireguard/wg0.conf
[root@k8s-01 ~]# grep -n '^ListenPort' /etc/wireguard/wg0.conf
2:ListenPort = 46509
[root@k8s-01 ~]# vi /etc/wireguard/wg0.conf
[root@k8s-01 ~]# cat /etc/wireguard/wg0.conf
[Interface]
ListenPort = 46509
Address = 10.88.0.2/24
PrivateKey = mL/nzuiBYLFm+ijhBR8d0G/JcNPu+eKg1V//vX5yuFU=
[Peer]
PublicKey = qFvMNYv27vwcIfJuu6fXLcxYNscOTvlDxmd9JzN8fV8=
Endpoint = 43.138.186.171:51820
AllowedIPs = 10.88.0.1/32
PersistentKeepalive = 25
[root@k8s-01 ~]# sudo systemctl restart wg-quick@wg0
[root@k8s-01 ~]# wg show
interface: wg0
public key: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
private key: (hidden)
listening port: 46509
peer: qFvMNYv27vwcIfJuu6fXLcxYNscOTvlDxmd9JzN8fV8=
endpoint: 43.138.186.171:51820
allowed ips: 10.88.0.1/32
transfer: 0 B received, 148 B sent
persistent keepalive: every 25 seconds
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]# sudo sed -i 's|^PublicKey = .*|PublicKey = 4GSWTJJq5zv6yd0pa4apypDSxxE+J7HckZ0OJOdfNlg=|' /etc/wireguard/wg0.conf
sudo systemctl restart wg-quick@wg0
wg show
interface: wg0
public key: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
private key: (hidden)
listening port: 46509
peer: 4GSWTJJq5zv6yd0pa4apypDSxxE+J7HckZ0OJOdfNlg=
endpoint: 43.138.186.171:51820
allowed ips: 10.88.0.1/32
latest handshake: Now
transfer: 124 B received, 180 B sent
persistent keepalive: every 25 seconds
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]#
[root@k8s-01 ~]# wg show
interface: wg0
public key: dF92nKBqKgDRGxNuDvm3gCKgaBwfyuBXqBecLbLs7ik=
private key: (hidden)
listening port: 46509
peer: 4GSWTJJq5zv6yd0pa4apypDSxxE+J7HckZ0OJOdfNlg=
endpoint: 43.138.186.171:51820
allowed ips: 10.88.0.1/32
latest handshake: 16 seconds ago
transfer: 124 B received, 180 B sent
persistent keepalive: every 25 seconds
[root@k8s-01 ~]# ping -c 3 10.88.0.1
PING 10.88.0.1 (10.88.0.1) 56(84) bytes of data.
64 bytes from 10.88.0.1: icmp_seq=1 ttl=64 time=6.22 ms
64 bytes from 10.88.0.1: icmp_seq=2 ttl=64 time=5.92 ms
64 bytes from 10.88.0.1: icmp_seq=3 ttl=64 time=63.9 ms
--- 10.88.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.921/25.348/63.904/27.263 ms
[root@k8s-01 ~]# ping -c 3 10.88.0.1
PING 10.88.0.1 (10.88.0.1) 56(84) bytes of data.
64 bytes from 10.88.0.1: icmp_seq=1 ttl=64 time=6.08 ms
64 bytes from 10.88.0.1: icmp_seq=2 ttl=64 time=6.24 ms
64 bytes from 10.88.0.1: icmp_seq=3 ttl=64 time=6.00 ms
--- 10.88.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 5.998/6.105/6.242/0.101 ms
评论 (0)