首页 / 技能 / WireGuard — 技能工具

🔐 WireGuard — 技能工具

v1.0.0

[自动翻译] Configure WireGuard VPN tunnels with secure routing and key management.

3· 1.1k·6 当前·6 累计
by @ivangdavila (Iván)·MIT-0
下载技能包
License
MIT-0
最后更新
2026/2/25
0
安全扫描
VirusTotal
无害
查看报告
OpenClaw
安全
high confidence
The skill is an instruction-only WireGuard configuration guide that only requires the wg binary and does not request credentials or perform unexpected actions; its requirements and instructions are coherent with its stated purpose.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/2/10

Initial release

无害

安装命令

点击复制
官方npx clawhub@latest install wireguard
🇨🇳 镜像加速npx clawhub@latest install wireguard --registry https://cn.longxiaskill.com

技能文档

AllowedIPs Traps (Most Common Mistakes)

  • AllowedIPs means different things on each side — server: what peer CAN send; client: what to ROUTE through tunnel
  • 0.0.0.0/0 routes ALL traffic including tunnel endpoint — breaks connectivity, must exclude server's public IP first
  • Overlapping AllowedIPs between peers = undefined routing — each IP range must belong to exactly one peer
  • Wrong mask silently breaks routing — /32 for single host, /24 for subnet, verify carefully

Connection Failures

  • No handshake = wrong public key, firewall blocking UDP, or wrong endpoint — check all three, not just one
  • One-way traffic = AllowedIPs misconfigured — packets go out but replies don't route back
  • Missing PersistentKeepalive = 25 breaks NAT traversal — peer behind NAT unreachable after ~2 minutes
  • Config file permissions must be 600 — wg-quick silently refuses to start with loose permissions

DNS Leaks

  • Without DNS = in client config, DNS queries bypass tunnel — leaks real IP to DNS provider
  • Full tunnel (0.0.0.0/0) without DNS config = false sense of security — traffic tunneled but DNS exposed

Routing Setup

  • IP forwarding disabled by default on Linux — tunnel works but packets don't route between interfaces
  • NAT required for internet access through tunnel — without masquerade, return packets don't find their way
  • Firewall must allow UDP on ListenPort — WireGuard is UDP only, no TCP fallback exists

Key Security

  • Private key file permissions matter — world-readable key is compromised, set 600 immediately after generation
  • Never transmit private keys — generate on each machine, exchange only public keys
  • Config files contain private keys — treat wg0.conf as secret, not just privatekey file

Live Changes

  • Adding peers requires interface reload on most setups — or use wg set for live changes without dropping connections
  • wg syncconf applies changes without restart — but config file format differs from wg.conf (use wg-quick strip)

Debugging

  • wg show displays handshake timestamps — stale handshake (>2 min) means connection dead despite interface up
  • Handshake happens on first packet — no traffic = no handshake attempt, ping to test
数据来源:ClawHub ↗ · 中文优化:龙虾技能库