🔐 WireGuard — Skill tool
v1.0.0 · Configure WireGuard VPN tunnels with secure routing and key management.
3 · 1,054 · 6 current · 6 cumulative
Security scan
OpenClaw
Security
High confidence: The skill is an instruction-only WireGuard configuration guide that only requires the wg binary and does not request credentials or perform unexpected actions; its requirements and instructions are coherent with its stated purpose.
Assessment advice
This is a coherent, instruction-only WireGuard guide. Before using it: ensure the 'wg' (and likely 'wg-quick', iptables/nft, and sysctl) tools are installed on your system; never paste or share private keys (generate them locally); be prepared that following the guidance may require running privileged commands (changing file perms, enabling IP forwarding, firewall/NAT changes) — run those yourself or only allow the agent to perform them if you trust it. The skill itself does not ask for credenti...
ℹ Purpose and capabilities
Name/description match the contents: the SKILL.md is a WireGuard troubleshooting and configuration guide. The declared required binary is 'wg', which is appropriate. Minor inconsistency: the instructions also reference 'wg-quick' and other tools (iptables/NAT, sysctl for IP forwarding) but the metadata only lists 'wg' — not a security problem but worth noting because some guidance assumes presence of additional binaries/utilities.
✓ Instruction scope
SKILL.md is high-level operational guidance (AllowedIPs, routing, DNS leaks, key security, debugging tips) and does not instruct the agent to read unrelated files, exfiltrate data, or access environment variables. It references config files and permissions but does not direct the agent to transmit secrets. Advice to keep private keys secret is explicit.
✓ Install mechanism
No install spec (instruction-only). Nothing is downloaded or written to disk by the skill itself; lowest-risk install profile.
✓ Credential requirements
The skill requires no environment variables or credentials. That matches its purpose: configuring WireGuard locally does not need external API keys. No unrelated secrets requested.
✓ Persistence and permissions
always:false and default model invocation settings are appropriate. The skill does not request persistent system-wide privileges or modify other skills' configs.
Security has layers; review the code before running it.
Runtime dependencies
🖥️ OS: Linux · macOS · Windows
Versions
latest · v1.0.0 · 2026/2/11
Initial release
● Harmless
Install command
Official: npx clawhub@latest install wireguard
Mirror (accelerated): npx clawhub@latest install wireguard --registry https://cn.clawhub-mirror.com
Skill documentation
AllowedIPs Traps (Most Common Mistakes)
- AllowedIPs means different things on each side — server: what peer CAN send; client: what to ROUTE through tunnel
- 0.0.0.0/0 routes ALL traffic including tunnel endpoint — breaks connectivity, must exclude server's public IP first
- Overlapping AllowedIPs between peers = undefined routing — each IP range must belong to exactly one peer
- Wrong mask silently breaks routing — /32 for single host, /24 for subnet, verify carefully
Connection Failures
- No handshake = wrong public key, firewall blocking UDP, or wrong endpoint — check all three, not just one
- One-way traffic = AllowedIPs misconfigured — packets go out but replies don't route back
- Missing PersistentKeepalive = 25 breaks NAT traversal — peer behind NAT unreachable after ~2 minutes
- Config file permissions must be 600 — wg-quick silently refuses to start with loose permissions
DNS Leaks
- Without DNS = in client config, DNS queries bypass tunnel — leaks real IP to DNS provider
- Full tunnel (0.0.0.0/0) without DNS config = false sense of security — traffic tunneled but DNS exposed
Routing Setup
- IP forwarding disabled by default on Linux — tunnel works but packets don't route between interfaces
- NAT required for internet access through tunnel — without masquerade, return packets don't find their way
- Firewall must allow UDP on ListenPort — WireGuard is UDP only, no TCP fallback exists
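The three routing prerequisites above (IP forwarding, UDP accepted on ListenPort, masquerade for tunnel clients) as one reviewable artifact. This is an added example, not part of the skill: the functions below emit a sysctl line and an nftables ruleset to stdout so it can be inspected before anything is applied as root. The interface names, port and subnet (wg0, eth0, 51820, 10.0.0.0/24) are assumptions for the example. IPv4 only; a nat chain inside an inet-family table needs kernel 5.2 or newer. Both chains use policy accept, so the ruleset only adds allows and does not replace an existing firewall policy.

```shell
#!/bin/sh
# Added example (not the skill's own code): generate the routing pieces for a
# WireGuard server and print them for review. Assumed values: wg0, eth0,
# 51820, 10.0.0.0/24. Applying the output requires root (see usage note).

# wg_sysctl -> the setting that lets the kernel route between interfaces
wg_sysctl() { echo "net.ipv4.ip_forward = 1"; }

# wg_nft_rules WG_IF WAN_IF LISTEN_PORT TUNNEL_SUBNET -> nftables ruleset text
wg_nft_rules() {
    cat <<EOF
table inet wg_routing {
    chain input {
        type filter hook input priority 0; policy accept;
        # WireGuard is UDP only; this is the only port the server must accept
        udp dport $3 accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # tunnel clients out to the internet, and the replies back in
        iifname "$1" oifname "$2" accept
        iifname "$2" oifname "$1" ct state established,related accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # without masquerade, replies keep the tunnel source address and never route back
        oifname "$2" ip saddr $4 masquerade
    }
}
EOF
}

# Print both artifacts for review (nothing is applied here)
wg_sysctl
wg_nft_rules wg0 eth0 51820 10.0.0.0/24
```

To apply after review, as root: write the sysctl line to a file under /etc/sysctl.d/ and run sysctl --system (or sysctl -w net.ipv4.ip_forward=1 for the running kernel), and load the ruleset with nft -f on a file containing the printed text. Check the result with wg show plus a ping from a client before trusting it.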
Key Security
- Private key file permissions matter — world-readable key is compromised, set 600 immediately after generation
- Never transmit private keys — generate on each machine, exchange only public keys
- Config files contain private keys — treat wg0.conf as secret, not just privatekey file
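Most of the traps listed under AllowedIPs Traps, Connection Failures, DNS Leaks and Key Security are visible in the config file before the interface is ever brought up. The script below is an added example, not part of the skill: a small linter for a wg-quick style config that reports loose file permissions, AllowedIPs entries without an explicit prefix length, IPv4 ranges that overlap between peers, a full tunnel (0.0.0.0/0) with no DNS = line, and peers that have an Endpoint but no PersistentKeepalive. The finding codes (LOOSE_PERMS, NO_PREFIX_LEN, OVERLAP, DNS_LEAK_RISK, NO_KEEPALIVE) are names chosen here, not wg output; the sample config is constructed with placeholder keys and deliberately contains every trap. The overlap check handles IPv4 only and skips IPv6 entries.

```shell
#!/bin/sh
# Added example (not the skill's own code): lint a wg-quick style config for the
# traps described in the skill. Finding codes are invented here. IPv4 only for
# the overlap check. Sample config below is constructed with placeholder keys.

# lint_wg_conf FILE -> one "CODE detail" line per finding, nothing if clean
lint_wg_conf() {
    f=$1
    # Key Security: the file holds the private key and wg-quick wants mode 600
    case $(ls -l "$f" | cut -c1-10) in
        -rw-------) ;;
        *) echo "LOOSE_PERMS $f is not mode 600 (chmod 600 it)" ;;
    esac
    awk '
    function ip2int(ip,   o, n) {            # dotted quad -> integer, -1 if not IPv4
        n = split(ip, o, ".")
        if (n != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function netat(a, p,   blk) {            # network address of a at prefix length p
        blk = 2 ^ (32 - p); return a - (a % blk)
    }
    /^[ \t]*\[/ {                            # section header: [Interface] or [Peer]
        sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
        if (sect == "Peer") npeer++
        next
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next
        # base64 keys end in "=", so split on the first "=" only
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        if (sect == "Interface" && key == "DNS") hasdns = 1
        if (sect != "Peer") next
        if (key == "Endpoint") endpoint[npeer] = val
        if (key == "PersistentKeepalive") keepalive[npeer] = val
        if (key != "AllowedIPs") next
        n = split(val, list, ",")
        for (i = 1; i <= n; i++) {
            cidr = list[i]
            if (cidr == "0.0.0.0/0") fulltunnel = 1
            if (index(cidr, "/") == 0) {
                print "NO_PREFIX_LEN peer " npeer ": " cidr " (write /32 for a host, /24 for a subnet)"
                continue
            }
            split(cidr, parts, "/")
            if (ip2int(parts[1]) < 0) continue   # IPv6: not covered by the overlap check
            nr++; addr[nr] = ip2int(parts[1]); pfx[nr] = parts[2] + 0; owner[nr] = npeer; text[nr] = cidr
        }
    }
    END {
        if (fulltunnel && !hasdns) print "DNS_LEAK_RISK AllowedIPs = 0.0.0.0/0 but no DNS = line in [Interface]"
        for (p = 1; p <= npeer; p++)
            if ((p in endpoint) && !(p in keepalive))
                print "NO_KEEPALIVE peer " p " has an Endpoint but no PersistentKeepalive (25 recommended behind NAT)"
        for (i = 1; i <= nr; i++)
            for (j = i + 1; j <= nr; j++) {
                if (owner[i] == owner[j]) continue
                p = pfx[i] < pfx[j] ? pfx[i] : pfx[j]
                if (netat(addr[i], p) == netat(addr[j], p))
                    print "OVERLAP " text[i] " (peer " owner[i] ") overlaps " text[j] " (peer " owner[j] ")"
            }
    }' "$f"
}

# Constructed sample config (placeholder keys) that contains every trap on purpose
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[Interface]
PrivateKey = PRIVATE_KEY_PLACEHOLDER=
Address = 10.0.0.2/24
# no DNS = line: the full tunnel below leaks DNS

[Peer]
PublicKey = PEER_A_PUBKEY_PLACEHOLDER=
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
# no PersistentKeepalive: unreachable behind NAT after ~2 minutes

[Peer]
PublicKey = PEER_B_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.0.0.0/24, 10.0.0.5
EOF
chmod 644 "$SAMPLE_CONF"   # deliberately loose

lint_wg_conf "$SAMPLE_CONF"
```

Run it against a real file as the user that owns it (lint_wg_conf /etc/wireguard/wg0.conf); every finding maps to one bullet in the sections above. An OVERLAP finding is worth a second look even when the more specific range is intended to win, since the skill treats any overlap as a configuration smell.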
Live Changes
- Adding peers requires interface reload on most setups — or use wg set for live changes without dropping connections
- wg syncconf applies changes without restart — but config file format differs from wg.conf (use wg-quick strip)
Debugging
- wg show displays handshake timestamps — stale handshake (>2 min) means connection dead despite interface up
- Handshake happens on first packet — no traffic = no handshake attempt, ping to test
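The stale-handshake rule above is easy to automate from the machine-readable form of wg show. This is an added example, not part of the skill: it parses the tab-separated output of `wg show <iface> dump`, whose per-peer lines carry public-key, preshared-key, endpoint, allowed-ips, latest-handshake (epoch seconds, 0 if there has never been one), transfer-rx, transfer-tx and persistent-keepalive, and reports every peer whose last handshake is older than two minutes or has never happened. The dump and the current time are constructed below with placeholder keys so the example is reproducible offline.

```shell
#!/bin/sh
# Added example (not the skill's own code): find dead peers from `wg show <iface> dump`.
# The dump below is constructed with placeholder keys; NOW is fixed for reproducibility.

STALE_AFTER=120   # seconds; the ">2 min" rule of thumb from the Debugging notes

# stale_peers DUMP_TEXT NOW_EPOCH -> one "<pubkey> <age-seconds|never>" line per dead peer
stale_peers() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v limit="$STALE_AFTER" '
        NR == 1 { next }                      # first line describes the interface, not a peer
        $5 == 0 { print $1, "never"; next }   # never handshaked: wrong key, blocked UDP or wrong endpoint
        now - $5 > limit { print $1, now - $5 }
    '
}

NOW=1700000000
SAMPLE_DUMP=$(
    printf 'IFACE_PRIVKEY_PLACEHOLDER\tIFACE_PUBKEY_PLACEHOLDER\t51820\toff\n'
    printf 'PEER_A_PUBKEY_PLACEHOLDER\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t%d\t1024\t2048\t25\n' $((NOW - 30))
    printf 'PEER_B_PUBKEY_PLACEHOLDER\t(none)\t198.51.100.7:51820\t10.0.0.3/32\t%d\t4096\t512\t25\n' $((NOW - 600))
    printf 'PEER_C_PUBKEY_PLACEHOLDER\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff\n'
)

# Peer A is fresh (30 s), peer B is stale (600 s), peer C has never handshaked
stale_peers "$SAMPLE_DUMP" "$NOW"
```

On a live host (wg show needs root) the same function runs as stale_peers "$(wg show wg0 dump)" "$(date +%s)". A "never" line is the no-handshake case from Connection Failures; remember that a peer with no traffic never attempts a handshake, so ping it before concluding that the key, firewall or endpoint is wrong.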
Data source: ClawHub ↗ · Chinese localization: 龙虾技能库