WireGuard on macOS
Deploying a WireGuard server on macOS
Configuration notes
I chose 10.0.0.0/24 as the WireGuard subnet; the LAN subnet is 192.168.0.0/24.
I keep the WireGuard configuration under /etc/wireguard/. The directory can be changed, but pick one that requires root privileges to write to, since it holds the private key.
Configuring WireGuard
- Install WireGuard

```sh
brew install wireguard-tools # If you need to forward traffic for other devices on the macOS LAN, do not use the App Store WireGuard client.
```
- Configure WireGuard

```ini
# vim /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <YOUR_PRIVATE_KEY>
ListenPort = 51820
Address = 10.0.1.2/32
DNS = 10.0.1.1
# Hook the NAT scripts from the next step into wg-quick; without these lines they never run
PostUp = /etc/wireguard/postup.sh
PostDown = /etc/wireguard/postdown.sh

[Peer]
PublicKey = <YOUR_PUBLIC_KEY>
AllowedIPs = 192.168.0.0/24
Endpoint = <YOUR_SERVER_IP>:<YOUR_SERVER_PORT>
PersistentKeepalive = 25
```
- Configure the up/down scripts

```sh
# vim /etc/wireguard/postup.sh
#!/bin/sh
# Enable IPv4 forwarding so packets from WireGuard peers can leave via the LAN interface
/usr/sbin/sysctl -w net.inet.ip.forwarding=1
mkdir -p /usr/local/var/run/wireguard
chmod 700 /usr/local/var/run/wireguard
# Adjust for your setup: my interface is en1; if yours is en0, change en1 to en0
# pfctl -E enables pf and prints a reference token; keep it so postdown.sh can release it
echo 'nat on en1 from 10.0.1.1/24 to any -> (en1)' | \
pfctl -a com.apple/wireguard_ipv4 -Ef - 2>&1 | \
grep 'Token' | \
sed 's%Token : \(.*\)%\1%' > /usr/local/var/run/wireguard/pf_wireguard_ipv4_token.txt
IPV4_TOKEN=$(sudo cat /usr/local/var/run/wireguard/pf_wireguard_ipv4_token.txt)
echo "Added PF IPv4 NAT traffic routing rule with token: ${IPV4_TOKEN}"
```

```sh
# vim /etc/wireguard/postdown.sh
#!/bin/sh
/usr/sbin/sysctl -w net.inet.ip.forwarding=0
ANCHOR="com.apple/wireguard_ipv4"
# Flush every rule in our anchor, then release the pf reference taken in postup.sh
pfctl -a "${ANCHOR}" -F all || exit 1
echo "Removed IPv4 rule with anchor: ${ANCHOR}"
IPV4_TOKEN=$(sudo cat /usr/local/var/run/wireguard/pf_wireguard_ipv4_token.txt)
pfctl -X "${IPV4_TOKEN}" || exit 1
echo "Removed reference for token: ${IPV4_TOKEN}"
rm -f /usr/local/var/run/wireguard/pf_wireguard_ipv4_token.txt
echo "Deleted IPv4 token file"
```
- Start WireGuard

```sh
sudo chmod +x /etc/wireguard/postup.sh
sudo chmod +x /etc/wireguard/postdown.sh
sudo wg-quick up wg0
```
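The weak point of the scripts above is the `grep | sed` token extraction: if pfctl's output changes or pf was already enabled, postup.sh silently writes an empty token file and postdown.sh later calls `pfctl -X` with no argument. The following helpers are an added example, not code from the original post; they assume pfctl prints a line of the form `Token : <number>` (as the post's sed pattern expects) and that `pfctl -a <anchor> -sn` lists the anchor's loaded NAT rules.

```shell
#!/bin/sh
# Added example: safer token handling and a post-up check for the pf NAT anchor.
WG_SUBNET="10.0.1.0/24"   # pf normalises the post's 10.0.1.1/24 to this form
ANCHOR="com.apple/wireguard_ipv4"
TOKEN_FILE="/usr/local/var/run/wireguard/pf_wireguard_ipv4_token.txt"

# Build the NAT rule for a given outbound interface, so switching from en1 to
# en0 is a single argument change instead of editing the rule text by hand.
nat_rule_for() {
    # $1 = interface name, $2 = WireGuard subnet
    printf 'nat on %s from %s to any -> (%s)\n' "$1" "$2" "$1"
}

# Extract the numeric pf reference token from "pfctl -E" output read on stdin.
# Returns 1 (and prints nothing) when no token line is present, so the caller
# never writes an empty token file.
extract_pf_token() {
    pf_token=$(sed -n 's/^Token *: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$pf_token" ] || return 1
    printf '%s\n' "$pf_token"
}

# Check that the anchor's loaded NAT rules (read on stdin) contain a nat rule
# for the given interface and subnet. pfctl rewrites rules when it prints them
# (e.g. "nat on en1 inet from 10.0.1.0/24 to any -> (en1) round-robin"), so we
# match the interface and subnet rather than the exact text we submitted.
anchor_has_rule() {
    # $1 = interface name, $2 = subnet in canonical form
    grep "nat on $1 " | grep -Fq "from $2 "
}

# Run on macOS after "wg-quick up wg0" to confirm the post-up state. Only the
# pure helpers above are exercised off-macOS; this needs sysctl and pfctl.
verify_postup() {
    # $1 = interface name used in postup.sh
    [ "$(sysctl -n net.inet.ip.forwarding)" = "1" ] || { echo "IP forwarding is off" >&2; return 1; }
    [ -s "$TOKEN_FILE" ] || { echo "token file missing or empty" >&2; return 1; }
    pfctl -a "$ANCHOR" -sn 2>/dev/null | anchor_has_rule "$1" "$WG_SUBNET" \
        || { echo "NAT rule not loaded in anchor $ANCHOR" >&2; return 1; }
    echo "post-up state OK"
}
```

In postup.sh, replace the `grep | sed` pipeline with `extract_pf_token > "$TOKEN_FILE" || exit 1` and call `verify_postup en1` (or `en0`) at the end so a missing rule or token fails the interface bring-up instead of being noticed only when postdown.sh breaks.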