[wgcf] connect CF warp to add IPv4 / IPv6 network for server
WARP is a WireGuard-based network traffic security and acceleration service provided by Cloudflare. By connecting to Cloudflare's edge nodes it protects privacy and improves routing.
The connection entry is dual-stack (both IPv4 and IPv6), and once connected, the client receives NAT-based IPv4 and IPv6 addresses from Cloudflare. A single-stack server can therefore connect to WARP to gain the connectivity it lacks: an IPv6-only server can reach IPv4, and an IPv4-only server can reach IPv6.
Header image source: Weibo @Ratto. It is shown here for reference only; if you like it, please follow the artist!
0. Preface
Earlier I wrote an article about using WARP to cut the cost of metered network traffic. Later I heard that it could also be installed on a server to add connectivity, and on reflection this makes sense: the dual-stack entry point yields a dual-stack network after connection, and Cloudflare itself peers with the mainstream upstreams, so whether the goal is reaching v4 or v6, its stability is hard to match with other schemes.
For this test I chose a Tencent Cloud lightweight application server in the Hong Kong region (an IPv4-only instance) to add IPv6 connectivity, and a Scaleway Stardust instance (IPv6-only) to add IPv4 connectivity.
1. WGCF configuration
First, we need to use wgcf to register a WARP account and export it as a WireGuard configuration file. I wrote about this earlier, in the article on using its IPv6 connection on the education network to reduce traffic overhead:
[WGCF] extracts the WARP configuration to provide IPv6 traffic forwarding for CERNET
IPv4 charges on campus networks are more expensive in many colleges and universities, while IPv6 is unlimited. After the route change of the education network on September 10, 2020, CERNET and HE were interconnected as peers via the HKIX exchange. Because... https://luotianyi.vc/4500.html
Sections [1] and [2] of that article describe this step in detail; the end goal is to obtain wgcf-profile.conf.
Recently, for reasons I don't know, 429 errors occur frequently: wgcf register completes and writes wgcf-account.toml to the working directory fine, but wgcf generate has to be run several times until the profile is actually generated.
2. Process configuration files
WireGuard is a kernel-level tool that creates its own virtual network interface, and the address WARP assigns to the client is a private NAT address. If WireGuard takes over the traffic of both stacks, we can no longer reach the server on its original IP address. We therefore have to choose between IPv4 and IPv6 to prevent this, which restricts this use case to adding connectivity for the other protocol on top of the one the server already has, as the figure below explains.
Modify the configuration file for one of the following two scenarios (line numbers refer to wgcf-profile.conf as shown in the figure):
① Change line 11, Endpoint, to 162.159.192.1:2408, and delete line 9 (AllowedIPs = 0.0.0.0/0), so that IPv4 keeps using the local routes.
② Change line 11, Endpoint, to [2606:4700:d0::a29f:c001]:2408, and delete line 10 (AllowedIPs = ::/0), so that IPv6 keeps using the local routes.
Add IPv6 for IPv4-only servers
Principle (see the figure): because AllowedIPs = ::/0 remains, IPv6 traffic is taken over by the WARP interface and reaches the Internet through WARP. Modify the configuration file as described in case ①.
Add IPv4 for IPv6-only servers
Principle (see the figure): because AllowedIPs = 0.0.0.0/0 remains, IPv4 traffic is taken over by the WARP interface and reaches the Internet through WARP. Modify the configuration file as described in case ②.
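The two edits above are easy to get wrong by hand, and the failure mode the post warns about (both AllowedIPs catch-alls left in place, so all traffic moves into WARP and the server becomes unreachable on its own address) is silent until the tunnel comes up. The script below is an added example, not part of the original post or of wgcf: it derives the case ① and case ② variants from a wgcf-profile.conf and refuses a profile that still routes both stacks into the tunnel. It assumes wgcf's default layout (two AllowedIPs lines and one Endpoint line under [Peer]); the endpoint literals are the ones given in the post, the sample profile and its keys are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or wgcf): derive the single-stack
# variants of wgcf-profile.conf described in cases ① and ②.

# Cloudflare WARP endpoints as quoted in the post.
WARP_EP_V4='162.159.192.1:2408'
WARP_EP_V6='[2606:4700:d0::a29f:c001]:2408'

# warp_sample_profile: a constructed profile in wgcf's layout; the keys and
# the client addresses are placeholders, not real values.
warp_sample_profile() {
    cat <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 172.16.0.2/32
Address = 2606:4700:110:8000::2/128
DNS = 1.1.1.1
MTU = 1280
[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
EOF
}

# warp_profile_for_stack MODE FILE
#   add-ipv6: server is IPv4-only (case ①): drop "AllowedIPs = 0.0.0.0/0" so
#             IPv4 stays on the local routes, reach the peer over IPv4.
#   add-ipv4: server is IPv6-only (case ②): drop "AllowedIPs = ::/0" so IPv6
#             stays on the local routes, reach the peer over IPv6.
# The adjusted configuration is written to stdout.
warp_profile_for_stack() {
    mode=$1
    input=$2
    case "$mode" in
        add-ipv6)
            sed -e '/^AllowedIPs *= *0\.0\.0\.0\/0/d' \
                -e "s|^Endpoint *=.*|Endpoint = $WARP_EP_V4|" "$input"
            ;;
        add-ipv4)
            sed -e '/^AllowedIPs *= *::\/0/d' \
                -e "s|^Endpoint *=.*|Endpoint = $WARP_EP_V6|" "$input"
            ;;
        *)
            echo "usage: warp_profile_for_stack add-ipv6|add-ipv4 FILE" >&2
            return 2
            ;;
    esac
}

# warp_profile_is_safe FILE: succeeds if at most one catch-all AllowedIPs line
# remains. Two of them means every packet of both stacks goes into WARP and a
# remote server can no longer be reached on its original address.
warp_profile_is_safe() {
    n=$(grep -c -E '^AllowedIPs *= *(0\.0\.0\.0/0|::/0)' "$1" || true)
    [ "$n" -le 1 ]
}
```

Typical use is `warp_profile_for_stack add-ipv6 wgcf-profile.conf > /etc/wireguard/wgcf.conf` followed by `warp_profile_is_safe /etc/wireguard/wgcf.conf` before running wg-quick, so the lock-out case is caught while you still have a working session.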
Dual-Stack server replacement network
Sometimes our servers are dual-stack, but for various reasons we may not want to use one of the networks. WARP can take over that part of the connectivity to hide the server's own IP address. The main benefit is reducing the frequency of CAPTCHAs in data centers whose address ranges are heavily abused; at the same time, some content providers treat WARP's egress addresses as native residential addresses, which can remove some IP-based blocking.
3. Install the client
WireGuard is a kernel-level tool and the official packages need to load a kernel module, so before installing make sure your server is fully virtualized (KVM, Hyper-V, Xen HVM).
OpenVZ and LXC do not have kernel privileges. If you need WireGuard-Go as a replacement for the kernel module, the documentation for OpenVZ and LXC requires you to set up a Go environment and compile it yourself; there is no ready-made precompiled binary. The configuration steps after installation are almost the same, and since it is not the recommended route, it is covered at the end as a supplement.
I use Debian on these "toy" machines, so for the record I only cover Ubuntu and Debian ~
Before installing, confirm that the kernel headers are installed and check that resolvconf is available. Install the dependencies:
    apt-get install sudo net-tools openresolv -y
To install the main program, Debian needs the unstable source added, and Ubuntu only needs the PPA:
    # Debian: add the unstable source
    echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
    printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
    # update the source and install
    apt-get update
    apt-get install wireguard-dkms wireguard-tools

    # Ubuntu: add the PPA
    add-apt-repository ppa:wireguard/wireguard
    # update the source and install
    apt-get update
    apt-get install wireguard
Added by a group member: CentOS 7 is not supported out of the box because its kernel is relatively old; you need to add the elrepo repository and switch to the kernel-ml kernel. I do not recommend CentOS for this: 7 needs a kernel change and 8 has become an abandoned child, which is a bit troublesome.
    # Install the elrepo source
    rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
    rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm
    # install the additional package components
    yum install -y epel-release elrepo-release yum-plugin-elrepo
    # install the kernel
    yum --enablerepo=elrepo-kernel -y install kernel-ml kernel-ml-headers kernel-ml-devel
    # view the boot entries
    cat /boot/grub2/grub.cfg | grep menuentry
    # set the default boot entry
    grub2-set-default 0
    # confirm the setting
    grub2-editenv list
    # update grub
    grub2-mkconfig -o /boot/grub2/grub.cfg
    # restart
    reboot
    # check the installed kernels
    rpm -qa | grep kernel
    # remove the unused ones with yum remove or rpm -e
    # install the WireGuard components
    yum install kmod-wireguard wireguard-tools
DKMS compiles and loads the WG kernel module; the output should end with "DKMS: install completed." and no errors. If the kernel module did not load, try reinstalling wireguard-dkms. Check with the following commands:
    # Load the kernel module
    modprobe wireguard
    # check whether the WG module is loaded properly
    lsmod | grep wireguard
Once the module shows up, take the configuration file prepared in [2] above and place it under /etc/wireguard. For example, I name it wgcf.conf; the enable and disable commands use the configuration file's name:
    # Enable the tunnel
    sudo wg-quick up wgcf
    # close the tunnel
    sudo wg-quick down wgcf
Run ifconfig; when you see a WARP virtual interface named after your configuration file, you can reach the outside through WARP.
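Seeing the interface in ifconfig only proves wg-quick ran; it does not prove the tunnel carries traffic. Because one whole address family is now routed into WARP, a peer that never completes a handshake black-holes that family without any error on the interface. The script below is an added example, not part of the original post or of WireGuard, that checks the module, the interface, the age of the latest handshake and Cloudflare's trace endpoint. It assumes the interface is called wgcf as in the post, that `wg show <iface> latest-handshakes` prints one "<peer-key><TAB><unix-time>" line per peer (that is its real format), and that https://www.cloudflare.com/cdn-cgi/trace returns a warp= field; MAX_AGE and the function names are my own choices. The parsing helpers take text as arguments so they can be exercised on constructed output.

```shell
#!/bin/sh
# Added example (not from the original post): health check for the WARP tunnel
# once "wg-quick up wgcf" has run.

WG_IFACE=${WG_IFACE:-wgcf}
# WireGuard re-handshakes roughly every two minutes while traffic flows, so an
# older handshake means the peer stopped answering (threshold is our own choice).
MAX_AGE=${MAX_AGE:-180}
TRACE_URL='https://www.cloudflare.com/cdn-cgi/trace'

# newest_handshake_epoch TEXT: from "wg show IFACE latest-handshakes" output
# ("<peer-pubkey>\t<unix-time>" per peer) print the newest timestamp, or 0 when
# no peer has ever completed a handshake.
newest_handshake_epoch() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $2+0 > max { max = $2+0 } END { print max+0 }'
}

# handshake_is_fresh TEXT NOW: succeed if the newest handshake is at most
# MAX_AGE seconds before NOW; a timestamp of 0 (never) always fails.
handshake_is_fresh() {
    last=$(newest_handshake_epoch "$1")
    [ "$last" -gt 0 ] && [ $(( $2 - last )) -le "$MAX_AGE" ]
}

# trace_warp_status TEXT: extract the warp= field ("off", "on" or "plus") from
# /cdn-cgi/trace output; prints "unknown" if the field is missing.
trace_warp_status() {
    printf '%s\n' "$1" | awk -F= '$1 == "warp" { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# warp_tunnel_check: run the live checks; exit status 0 only if all pass.
# Set TRACE_FAMILY=-4 or -6 to test the address family you moved into WARP.
warp_tunnel_check() {
    lsmod | grep -q '^wireguard' || pgrep -x wireguard-go >/dev/null \
        || { echo "neither the wireguard kernel module nor wireguard-go is running" >&2; return 1; }
    ip link show "$WG_IFACE" >/dev/null 2>&1 \
        || { echo "interface $WG_IFACE is not up" >&2; return 1; }
    hs=$(wg show "$WG_IFACE" latest-handshakes)
    handshake_is_fresh "$hs" "$(date +%s)" \
        || { echo "no recent handshake on $WG_IFACE; traffic routed into it is being black-holed" >&2; return 1; }
    status=$(trace_warp_status "$(curl -s "${TRACE_FAMILY:--6}" "$TRACE_URL")")
    [ "$status" = on ] || [ "$status" = plus ] \
        || { echo "cloudflare trace reports warp=$status" >&2; return 1; }
    echo "tunnel $WG_IFACE healthy (warp=$status)"
}
```

Run `warp_tunnel_check` right after wg-quick up, and again from cron or a systemd timer if you keep the tunnel permanently; the handshake check is the one that catches a tunnel that came up fine but later lost its peer.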
Install the Go module
OpenVZ and LXC do not have kernel privileges. If you install WireGuard-Go to replace the kernel module, the WG main program falls back to the Go implementation when it cannot detect the kernel module; this also suits people who do not want to load modules into the kernel, at the cost of slightly lower efficiency.
Before that, check whether TUN support is enabled on your server; if not, contact your provider to enable it. Check the TUN module:
    # Try to load the kernel module
    modprobe tun
    # check whether the TUN module is loaded properly
    lsmod | grep tun
Since it is written in Go, you can compile it yourself or use someone else's build. If you compile it yourself, Go 1.13 or higher is required. Compile and install:
    # Download the code
    git clone https://git.zx2c4.com/wireguard-go
    # Go to the source directory
    cd wireguard-go
    # compile
    make
    # Move the compiled binary to the execution directory
    mv ./wireguard-go /usr/bin/wireguard-go
    # add the execute permission
    chmod +x /usr/bin/wireguard-go
    # check that it runs
    wireguard-go
It is also fine to use a binary compiled by someone else: @52mfzy on LoC provides a precompiled 64-bit build (project address). Install the precompiled package:
    # Download the binary file (64-bit Linux)
    wget -O /usr/bin/wireguard-go https://github.com/bernardkkt/wg-go-builder/releases/latest/download/wireguard-go
    # Add the execute permission
    chmod +x /usr/bin/wireguard-go
    # check that it runs
    wireguard-go
I also found an older build (20181222) for other architectures; choose one according to your needs (link). The tar.xz archive is extracted with tar -xf. Note that because this old package is a test build, you need to set an environment variable to confirm that you want to run it (the new version does not need this). Run it once before bringing up the tunnel, or add it to /etc/profile so it takes effect permanently:
    # Run once, or add to /etc/profile so it is set after each boot
    export ...=1
After the Go module is installed correctly, add the source and install the main program as described above: on Debian install only wireguard-tools, on Ubuntu install wireguard, and on CentOS install only wireguard-tools; the kernel module is not needed. Writing the configuration file and the usage are the same as above.
Boot
I do not recommend starting WARP at boot, but it works without problems. The official documentation manages it through systemctl, so older systems are not considered here. Boot:
    # enable the service (when the configuration file is wg0)
    systemctl enable wg-quick@wg0.service
    # reload the daemon configuration
    systemctl daemon-reload
    # start the tunnel for the wg0 configuration file
    systemctl start wg-quick@wg0
4. Conclusion
The original motivation for this article was buying Scaleway's IPv6-only Stardust instance, and the measured results are very good. Compared with DNS64 and similar solutions, the network Cloudflare provides is excellent.
On the Tencent Cloud lightweight server, the latency to the CF endpoint is only 0.4 ms, and after adding IPv6 the latency to the local Google CDN node is only 3 ms, so it can basically serve as native IPv6. Tencent's ("goose factory") servers have been very comfortable to use recently; even the student machines can take part in the unique upgrade promotion, so consider them if you need one ~
In actual testing, the tunnel established with WARP showed no obvious fluctuation over 5 days, and its connectivity and stability are much better than HE.NET's TunnelBroker. As a commercial service, its speed is well guaranteed.
As for the AllowedIPs setting above, it is very simple: only one of IPv4 and IPv6 is kept. This is not actually necessary. AllowedIPs takes over traffic by way of the routing table, and you can control which destinations go through the tunnel by changing that parameter. I will not go into it here; an IP address database is attached (download link).
One last sentence: use it with care, and don't abuse public resources ~