Native WireGuard has no web UI, which makes adding accounts inconvenient. wg-easy wraps it in a web dashboard:
https://github.com/wg-easy/wg-easy
Environment
- Internal subnet: 192.168.1.0/24
- Internal IP: 192.168.77.3
- Public IP: 120.22.192.42
```
cat /etc/netplan/00-installer-config.yaml
```

```yaml
network:
  ethernets:
    ens160:
      dhcp4: false
      addresses:
      - 192.168.1.3/24
      - 192.168.2.3/24
      - 192.168.77.3/24
      - 120.22.192.42/25
      nameservers:
        addresses:
        - 223.5.5.5
      routes:
      - to: default
        via: 120.22.192.1
  version: 2
```
```
root@wireguard:~# route -nv
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         120.22.192.1    0.0.0.0         UG    0      0        0 ens160
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens160
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 ens160
192.168.77.0    0.0.0.0         255.255.255.0   U     0      0        0 ens160
```
wg-easy configuration

docker-compose.yml

```yaml
# source: https://github.com/wg-easy/wg-easy/blob/master/docker-compose.yml
version: "3.8"
services:
  wg-easy:
    environment:
      # ⚠️ Required:
      # Change this to your host's public address
      - WG_HOST=120.22.192.42
      # Optional:
      - PASSWORD=Sundayhk.com
      - WG_PORT=51820
      - WG_DEFAULT_ADDRESS=10.77.0.x
      - WG_DEFAULT_DNS=223.5.5.5
      # - WG_MTU=1420
      - WG_ALLOWED_IPS=192.168.1.0/24, 192.168.2.0/24, 192.168.77.0/24
      #- WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
      #- WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
      #- WG_POST_UP=iptables -A FORWARD -i %i -j ACCEPT && iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
      #- WG_POST_DOWN=iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE && iptables -D FORWARD %i eth0 -j ACCEPT
      #- WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
      #- WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
    image: ghcr.io/wg-easy/wg-easy:13
    container_name: wg-easy
    networks:
      wg:
        ipv4_address: 10.77.42.42
    volumes:
      - .:/etc/wireguard
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

networks:
  wg:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 10.77.42.0/24
```
Notes:
- In WG_DEFAULT_ADDRESS=10.8.0.x the x is a literal placeholder; do not replace it with a number.
- WG_HOST=xxx must be changed to the server's public IP; on a cloud server you can look it up with `curl ip.sb`.
- PASSWORD=xxx sets the dashboard admin password.
- WG_ALLOWED_IPS=xxx sets the subnets that should be reachable through the tunnel, e.g. 192.168.1.0/24.

```
docker compose up -d
```
```
root@wireguard:~# route -nv
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         120.22.192.1    0.0.0.0         UG    0      0        0 ens160
10.77.42.0      0.0.0.0         255.255.255.0   U     0      0        0 br-9082351437f1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens160
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 ens160
192.168.77.0    0.0.0.0         255.255.255.0   U     0      0        0 ens160
```
Firewall configuration

Once the WireGuard tunnel is up, SSH to 192.168.77.3 does not work: the wg-easy Docker subnet additionally has to be allowed through to 192.168.77.3.

```
ufw allow 51820/udp
ufw allow in from 10.77.42.0/24 to 192.168.77.3
```

```
root@wireguard:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.77.0/24
Anywhere                   ALLOW       192.168.1.0/24
51820/udp                  ALLOW       Anywhere
192.168.77.3               ALLOW       10.77.42.0/24
```

Open the dashboard at http://192.168.77.3:51821 (this is the wg-easy server's IP).
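The three settings called out in the notes on the compose file (WG_HOST public, WG_DEFAULT_ADDRESS with a literal x, PASSWORD set) and the two ufw rules from the firewall section can be checked mechanically before running `docker compose up`. The script below is an added example, not part of the original post or of the wg-easy project: it greps the compose file (a constructed sample mirroring the one above is written inline, so it runs offline), verifies those settings, derives the ufw rules from WG_PORT and the bridge subnet, and flags a dashboard port published without a host IP prefix. Published ports are handled by Docker's own iptables chains ahead of ufw, so a ufw rule alone does not restrict port 51821; binding it as `"192.168.77.3:51821:51821/tcp"` (standard Docker port-mapping syntax) keeps the dashboard off the public address. The 12-character password floor and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post or the wg-easy project): check a
# wg-easy docker-compose.yml against the notes above and derive the ufw rules
# the firewall section adds. Only grep/sed are used, so no yq is required.

# Value of an "- KEY=value" environment entry in the compose file.
compose_env() {             # $1=compose file  $2=KEY
  sed -n "s/^[[:space:]]*-[[:space:]]*$2=\(.*\)$/\1/p" "$1" | head -n1
}

# Subnet of the compose-defined bridge network ("- subnet: ..." under ipam).
compose_subnet() {          # $1=compose file
  sed -n 's/^[[:space:]]*-[[:space:]]*subnet:[[:space:]]*\(.*\)$/\1/p' "$1" | head -n1
}

# WG_HOST must be reachable from the internet: reject loopback, link-local
# and RFC 1918 ranges, and anything that is not a dotted quad.
is_public_ip() {            # $1=address
  case "$1" in
    10.*|127.*|169.254.*|192.168.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# WG_DEFAULT_ADDRESS keeps a literal "x" as the last octet; wg-easy fills in
# the client number there, so a digit in that position is a misconfiguration.
valid_default_address() {   # $1=address template
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*.x) return 0 ;;
    *) return 1 ;;
  esac
}

# Dashboard password must be present; the 12-character floor is this
# example's own policy choice, not a wg-easy requirement.
password_is_set() {         # $1=password
  [ -n "$1" ] && [ ${#1} -ge 12 ]
}

# True when a container port is published without a host IP prefix
# ("51821:51821/tcp"), i.e. on every interface including the public one.
port_bound_everywhere() {   # $1=compose file  $2=container port
  grep -Eq '^[[:space:]]*-[[:space:]]*"?[0-9]+:'"$2"'/' "$1"
}

# The two ufw rules from the firewall section, derived from the compose file:
# the WireGuard UDP port, and the Docker bridge subnet to the internal IP.
ufw_rules_for() {           # $1=compose file  $2=internal host IP
  port=$(compose_env "$1" WG_PORT)
  subnet=$(compose_subnet "$1")
  printf 'ufw allow %s/udp\n' "${port:-51820}"
  printf 'ufw allow in from %s to %s\n' "$subnet" "$2"
}

# Run all checks; report each failure on stderr, return non-zero if any failed.
check_compose() {           # $1=compose file  $2=internal host IP
  rc=0
  host=$(compose_env "$1" WG_HOST)
  addr=$(compose_env "$1" WG_DEFAULT_ADDRESS)
  pass=$(compose_env "$1" PASSWORD)
  is_public_ip "$host" || { echo "WG_HOST=$host is not a public IPv4 address" >&2; rc=1; }
  valid_default_address "$addr" || { echo "WG_DEFAULT_ADDRESS=$addr must end in .x" >&2; rc=1; }
  password_is_set "$pass" || { echo "PASSWORD is empty or shorter than 12 characters" >&2; rc=1; }
  if port_bound_everywhere "$1" 51821; then
    echo "dashboard port 51821 is published on all interfaces; bind it to $2" >&2; rc=1
  fi
  return $rc
}

# Constructed sample mirroring the compose file above (only the lines the
# checks read), with the dashboard already bound to the internal IP.
write_sample_compose() {    # $1=destination path
  cat > "$1" <<'EOF'
services:
  wg-easy:
    environment:
      - WG_HOST=120.22.192.42
      - PASSWORD=Sundayhk.com
      - WG_PORT=51820
      - WG_DEFAULT_ADDRESS=10.77.0.x
      - WG_ALLOWED_IPS=192.168.1.0/24, 192.168.2.0/24, 192.168.77.0/24
    ports:
      - "51820:51820/udp"
      - "192.168.77.3:51821:51821/tcp"
networks:
  wg:
    ipam:
      config:
        - subnet: 10.77.42.0/24
EOF
}

# Stand-alone run: write the sample, check it, print the derived rules.
sample=$(mktemp)
write_sample_compose "$sample"
if check_compose "$sample" 192.168.77.3; then
  echo "compose file passes; ufw rules to add:"
  ufw_rules_for "$sample" 192.168.77.3
fi
rm -f "$sample"
```

To check a real deployment, replace the sample with the path of your own docker-compose.yml: `check_compose ./docker-compose.yml 192.168.77.3` exits non-zero and names each setting that needs attention, and `ufw_rules_for` prints the rules to apply.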
Upgrade

```
docker compose pull
docker compose up -d
```