0. install wireguard package from community store


  1. Create wireguard folder
# mkdir -p /usr/local/etc/wireguard/clients
# cd /usr/local/etc/wireguard/
2. Create server keys (private & public)
# wg genkey | tee server_private.key | wg pubkey > server_public.key
3. Create wireguard server config
[Interface]
Address = 10.10.10.1/24 #wireguard service ip/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o ovs_eth0 -j MASQUERADE; iptables -A FORWARD -i wg0 -o ovs_eth0 -j ACCEPT; iptables -A FORWARD -i ovs_eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o ovs_eth0 -j MASQUERADE; iptables -D FORWARD -i wg0 -o ovs_eth0 -j ACCEPT; iptables -D FORWARD -i ovs_eth0 -o wg0 -j ACCEPT
ListenPort = 51820
PrivateKey = <server_private.key>
SaveConfig = true
MTU = 1400
4. Using script to Create Client config
# vim add_user.sh

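#!/bin/bash
#
# add_user.sh - create a WireGuard client: generate a key pair and a client
# config, append the client as a [Peer] to the server config and apply it to
# the running wg0 interface.
#
# Usage:    ./add_user.sh <username> <client_ip>
# Example:  ./add_user.sh alice 10.10.10.11
#
# Globals (read): WG_DIR, CLIENT_DIR, SERVER_CONF, SERVER_ENDPOINT, DNS_SERVER
# Files written:  $CLIENT_DIR/<username>/private.key, public.key, <username>.conf
#                 (plus <username>.qr.txt / <username>.png when qrencode exists)
#                 $SERVER_CONF gets a [Peer] section appended.
# Exit status:    0 on success; 1 on usage error, validation failure or a
#                 failed step.

set -euo pipefail

# Every file this script creates (private key, client config, QR images)
# contains or encodes a private key. Create them owner-only instead of relying
# on whatever umask the caller happens to have.
umask 077

readonly WG_DIR="/usr/local/etc/wireguard"
readonly CLIENT_DIR="$WG_DIR/clients"
readonly SERVER_CONF="$WG_DIR/wg0.conf"
readonly SERVER_ENDPOINT="your-ddns-domain-or-ipaddress:51820"
readonly DNS_SERVER="8.8.8.8, 1.1.1.1"

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print usage and exit with status 1.
usage() {
  echo "Usage: $0 username client_ip"
  echo "Example: $0 alice 10.10.10.11"
  exit 1
}

# Only accept names that are safe as a single directory component: the
# username is used to build paths under CLIENT_DIR, so '/', '..', spaces and
# shell-special characters are rejected.
valid_username() {
  [[ "$1" =~ ^[A-Za-z0-9_-]+$ ]]
}

# Accept a dotted-quad IPv4 address whose octets are all in 0-255.
valid_ipv4() {
  local ip=$1
  local -a octets
  local octet
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    # 10# forces decimal so a leading zero is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

main() {
  local username=${1:-}
  local client_ip=${2:-}
  [[ -n "$username" && -n "$client_ip" ]] || usage

  valid_username "$username" \
    || die "Invalid username '$username' (use letters, digits, '_' or '-')."
  valid_ipv4 "$client_ip" \
    || die "Invalid client IP '$client_ip' (expected an IPv4 address such as 10.10.10.11)."

  # Fail early, before any file is created, if the prerequisites are missing.
  command -v wg >/dev/null 2>&1 \
    || die "wg command not found; is the wireguard package installed?"
  [[ -r "$WG_DIR/server_public.key" ]] \
    || die "Missing $WG_DIR/server_public.key; generate the server keys first."
  [[ -w "$SERVER_CONF" ]] \
    || die "Server config $SERVER_CONF does not exist or is not writable."

  local server_public_key
  server_public_key=$(<"$WG_DIR/server_public.key")
  [[ -n "$server_public_key" ]] || die "$WG_DIR/server_public.key is empty."

  local user_dir="$CLIENT_DIR/$username"
  if [[ -d "$user_dir" ]]; then
    echo "User already exists."
    exit 1
  fi

  # Refuse to hand out an address that is already assigned to another peer;
  # a duplicate AllowedIPs entry would silently steal the route from it.
  if grep -qF -- "AllowedIPs = $client_ip/32" "$SERVER_CONF"; then
    die "IP $client_ip is already assigned to a peer in $SERVER_CONF."
  fi

  mkdir -p "$user_dir"

  echo "[*] Generating keys for $username ..."

  # Generate client private/public key (0600 because of the umask above).
  wg genkey | tee "$user_dir/private.key" | wg pubkey > "$user_dir/public.key"

  local client_private client_public
  client_private=$(<"$user_dir/private.key")
  client_public=$(<"$user_dir/public.key")
  [[ -n "$client_private" && -n "$client_public" ]] \
    || die "Key generation failed; no key material was produced."

  # Generate client config
  local client_conf="$user_dir/$username.conf"

  cat > "$client_conf" <<EOF
[Interface]
PrivateKey = $client_private
Address = $client_ip/24
DNS = $DNS_SERVER

[Peer]
PublicKey = $server_public_key
Endpoint = $SERVER_ENDPOINT
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF

  # Append to server config
  cat >> "$SERVER_CONF" <<EOF

[Peer]
# $username
PublicKey = $client_public
AllowedIPs = $client_ip/32
EOF

  echo "[*] Reloading WireGuard ..."
  # Strip the config to a temp file first: 'wg syncconf' removes every peer
  # that is absent from its input, so feeding it the empty output of a failed
  # 'wg-quick strip' would drop all existing peers from the live interface.
  local stripped
  stripped=$(mktemp) || die "mktemp failed"
  trap 'rm -f -- "$stripped"' EXIT
  if wg-quick strip wg0 > "$stripped" && [[ -s "$stripped" ]]; then
    # The config file is already updated, so a failed reload (e.g. wg0 not up
    # yet) is reported but does not undo the user creation.
    wg syncconf wg0 "$stripped" \
      || echo "[!] Could not reload wg0; the peer becomes active after 'wg-quick up wg0'." >&2
  else
    echo "[!] 'wg-quick strip wg0' produced no config; not reloading wg0." >&2
  fi

  # QRCode generation if qrencode installed
  if command -v qrencode >/dev/null 2>&1; then
    qrencode -t ansiutf8 < "$client_conf" > "$user_dir/$username.qr.txt"
    qrencode -o "$user_dir/$username.png" < "$client_conf"
    echo "[*] QR Code generated:"
    echo "    Terminal QR: $user_dir/$username.qr.txt"
    echo "    PNG QR:      $user_dir/$username.png"
  fi

  echo ""
  echo "========================================="
  echo "User Created Successfully"
  echo "========================================="
  echo "Username: $username"
  echo "VPN IP: $client_ip"
  echo "Config File: $client_conf"
  echo ""
  echo "You can send this file directly to user:"
  echo "$client_conf"
  echo ""
  echo "For mobile import:"
  echo "cat $user_dir/$username.qr.txt"
  echo "========================================="
}

main "$@"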

# chmod +x add_user.sh
# ./add_user.sh user1 10.10.10.11
5. Show Client config or qrcode to user
# cat ./clients/user1/user1.conf 
[Interface]
PrivateKey = hidden
Address = 10.10.10.11/24
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = hidden
Endpoint = your-ddns-domain-or-ipaddress:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

# cat ./clients/user1/user1.qr.txt
6. Create a symlink in /etc/wireguard and start the service
# mkdir -p /etc/wireguard
# ln -s /usr/local/etc/wireguard/wg0.conf /etc/wireguard/wg0.conf
# wg-quick up wg0
# wg-autostart enable wg0
7. add synology firewall policy
Add new rule:

Connection port: Select "Custom" > UDP > 51820.
Source IP: All.
Action: Allow.

Please also place this rule at the top.