The image shows the complete picture of what I am building. But for now I want to implement a small part of it with one home server plus 2 LXC containers and 2 IPv4 addresses on a remote server. I want to use 2 different WireGuard tunnels for the 2 LXC containers. When I had only one WireGuard tunnel it was easy to solve - just "AllowedIPs = 0.0.0.0/0" and all (host and guest) traffic goes through the WireGuard tunnel. But how is it solved when there are many different WireGuard tunnels?
Home server 1
WireGuard config:
[Interface]
PrivateKey = my_private_key
Address = 192.168.7.2/24
[Peer]
PublicKey = my_public_key
AllowedIPs = 0.0.0.0/0 <- ok for 1 LXC, but how to do it for 2?
Endpoint = 11.11.11.1:51194
PersistentKeepalive = 15
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp2s0
10.7.56.0       0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp2s0
192.168.1.1     0.0.0.0         255.255.255.255 UH    100    0        0 enp2s0
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 wg1
Remote server
/etc/wireguard/helper/add-nat-routing.sh
#!/bin/bash
IPT="/sbin/iptables"
IN_FACE="eth0"              # public-facing interface of the remote server
WG_FACE="wg1"               # WireGuard interface
SUB_NET="192.168.7.0/24"    # tunnel subnet
WG_PORT="51194"             # WireGuard listen port
## IPv4 ##
# Masquerade tunnel traffic that leaves through the public interface
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
# Accept everything arriving from the tunnel and forward in both directions
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
# Let WireGuard handshakes and data reach the listen port
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
# Forward inbound TCP for the public IP to the home server's tunnel address
# (no --dport, so every TCP port, including this server's own services, is redirected)
$IPT -t nat -A PREROUTING -p tcp -d 11.11.11.1 --jump DNAT --to-destination 192.168.7.2
/etc/wireguard/wg1.conf
[Interface]
Address = 192.168.7.1/24
ListenPort = 51194
PrivateKey = private_key
PostUp = /etc/wireguard/helper/add-nat-routing.sh
[Peer]
PublicKey = public_key
AllowedIPs = 192.168.7.2/32
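One way to send each container's traffic into its own tunnel is policy routing on the home server: keep "AllowedIPs = 0.0.0.0/0" in every tunnel config, add "Table = off" under [Interface] so wg-quick installs no catch-all route, and select the tunnel per source address. This is an added example, not from the original post; it assumes a second tunnel wg2 with host address 192.168.8.2, container addresses 10.7.56.10 and 10.7.56.11, and routing tables 101 and 102.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed layout:
#   container A 10.7.56.10 on lxdbr0 -> wg1 (host tunnel address 192.168.7.2, table 101)
#   container B 10.7.56.11 on lxdbr0 -> wg2 (host tunnel address 192.168.8.2, table 102)
# Both wg-quick configs keep "AllowedIPs = 0.0.0.0/0" and add "Table = off", so the
# peer endpoints stay reachable through the normal default route on enp2s0.

# run: execute a command, or only print it when DRY_RUN=1 (review before applying).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bind_container_to_tunnel <container_ip> <host_tunnel_ip> <wg_iface> <table_id>
bind_container_to_tunnel() {
    cip="$1"; hip="$2"; wgif="$3"; table="$4"
    # Replies from the internet arrive on the wg interface although the main table
    # would route their source via enp2s0; loose reverse-path filtering avoids drops.
    run sysctl -w "net.ipv4.conf.$wgif.rp_filter=2"
    # In the dedicated table everything that is not local goes into this tunnel.
    run ip route replace default dev "$wgif" table "$table"
    # Local networks must not be pushed into the tunnel: copy them into the table.
    run ip route replace 10.7.56.0/24 dev lxdbr0 table "$table"
    run ip route replace 192.168.1.0/24 dev enp2s0 table "$table"
    # Packets forwarded from this container consult the dedicated table.
    run ip rule add from "$cip" lookup "$table" priority "$((1000 + table))"
    # Connections the host answers from its tunnel address (e.g. the DNAT'd TCP
    # arriving through the remote server) must leave through the same tunnel.
    run ip rule add from "$hip" lookup "$table" priority "$((2000 + table))"
}

# Nothing is applied unless APPLY=1; DRY_RUN=1 APPLY=1 ./bind.sh prints the commands.
if [ "${APPLY:-0}" = "1" ]; then
    run sysctl -w net.ipv4.ip_forward=1
    bind_container_to_tunnel 10.7.56.10 192.168.7.2 wg1 101
    bind_container_to_tunnel 10.7.56.11 192.168.8.2 wg2 102
fi
```

The ip rule entries are not idempotent, so a PostDown that deletes them (or a check with ip rule show before adding) is needed if the tunnels are restarted.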