Routing a specific Docker network through a systemd WireGuard interface

I am trying to route all traffic from a specific Docker network (10.222.111.0/24) through the wg0 systemd network interface, with this configuration:

/etc/systemd/network/30-wg0.netdev

[NetDev]
Name = wg0
Kind = wireguard
Description = Wireguard

[WireGuard]
PrivateKey = XXXX

[WireGuardPeer]
PublicKey = XXXX
AllowedIPs = 10.222.111.0/24
Endpoint = XXXX:51820
PersistentKeepalive = 25

/etc/systemd/network/30-wg0.network

[Match]
Name=wg0

[Network]
Address = 10.0.3.227/19
DNS = X.X.X.X

[Route]
Gateway = 10.0.3.227
Destination = 10.222.111.0/24

Now I can see that the interface is up and that the correct route is in the routing table:

# ip route show
...
10.222.111.0/24 via 10.0.3.227 dev wg0 proto static
...

The interface is up and running:

# networkctl status wg0
● 251: wg0
       Link File: /lib/systemd/network/99-default.link
    Network File: /etc/systemd/network/30-wg0.network
            Type: none
           State: routable (configured)
         Address: 10.0.3.227
             DNS: X.X.X.X

However, trying to test this fails:

# curl --interface wg0 https://ifconfig.me 
# public ip of remote server

# docker network create vpn --subnet 10.222.111.0/24
# docker run --rm --dns X.X.X.X --network vpn --ip 10.222.111.110 appropriate/curl -s https://ifconfig.me
# no output

Output of tcpdump while the docker run command is running:

# tcpdump -nn -i wg0 host ifconfig.me
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
08:36:16.127461 IP 10.0.3.227.33182 > 216.239.38.21.443: Flags [S], seq 1530371569, win 27600, options [mss 1380,sackOK,TS val 3454949182 ecr 0,nop,wscale 7], length 0
08:36:17.152770 IP 10.0.3.227.33182 > 216.239.38.21.443: Flags [S], seq 1530371569, win 27600, options [mss 1380,sackOK,TS val 3454950207 ecr 0,nop,wscale 7], length 0
08:36:17.152830 IP 10.0.3.227.33182 > 216.239.38.21.443: Flags [S], seq 1530371569, win 27600, options [mss 1380,sackOK,TS val 3454950207 ecr 0,nop,wscale 7], length 0
08:36:17.153083 IP 10.0.3.227.48686 > 216.239.36.21.443: Flags [S], seq 1139719299, win 27600, options [mss 1380,sackOK,TS val 3564689990 ecr 0,nop,wscale 7], length 0
08:36:18.176752 IP 10.0.3.227.48686 > 216.239.36.21.443: Flags [S], seq 1139719299, win 27600, options [mss 1380,sackOK,TS val 3564691014 ecr 0,nop,wscale 7], length 0
08:36:18.176798 IP 10.0.3.227.48686 > 216.239.36.21.443: Flags [S], seq 1139719299, win 27600, options [mss 1380,sackOK,TS val 3564691014 ecr 0,nop,wscale 7], length 0
08:36:18.176891 IP 10.0.3.227.59316 > 216.239.34.21.443: Flags [S], seq 3848190866, win 27600, options [mss 1380,sackOK,TS val 3672200215 ecr 0,nop,wscale 7], length 0
08:36:19.200840 IP 10.0.3.227.59316 > 216.239.34.21.443: Flags [S], seq 3848190866, win 27600, options [mss 1380,sackOK,TS val 3672201239 ecr 0,nop,wscale 7], length 0
08:36:19.200938 IP 10.0.3.227.59316 > 216.239.34.21.443: Flags [S], seq 3848190866, win 27600, options [mss 1380,sackOK,TS val 3672201239 ecr 0,nop,wscale 7], length 0
08:36:19.201089 IP 10.0.3.227.39842 > 216.239.32.21.443: Flags [S], seq 4281397520, win 27600, options [mss 1380,sackOK,TS val 1995655620 ecr 0,nop,wscale 7], length 0
08:36:20.224781 IP 10.0.3.227.39842 > 216.239.32.21.443: Flags [S], seq 4281397520, win 27600, options [mss 1380,sackOK,TS val 1995656643 ecr 0,nop,wscale 7], length 0
08:36:20.224894 IP 10.0.3.227.39842 > 216.239.32.21.443: Flags [S], seq 4281397520, win 27600, options [mss 1380,sackOK,TS val 1995656643 ecr 0,nop,wscale 7], length 0
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel

I am sure I am missing something, but I cannot see what. This is partly based on https://nbsoftsolutions.com/blog/leaning-on-algo-to-route-docker-traffic-through-wireguard

Answer 1

I ran into the same problem, and this is how I got it working:

Your main mistake is how you use AllowedIPs in the netdev file. AllowedIPs specifies the allowed destination IPs, and since you presumably want to tunnel traffic to all IPs, you should specify 0.0.0.0/0.

The Destination line in the [Route] section, and the route it generates (10.222.111.0/24 via 10.0.3.227 dev wg0 proto static), are also the wrong way round: that route sends traffic destined for 10.222.111.0/24 to the WireGuard interface, rather than traffic originating from that subnet.

To filter by source, so that all traffic from the Docker subnet goes through the VPN, you can use the [RoutingPolicyRule] (the equivalent of ip rule) and [Route] (the equivalent of ip route) sections in the network file, so your files look like this:

/etc/systemd/network/30-wg0.netdev:

[NetDev]
Name = wg0
Kind = wireguard
Description = Wireguard

[WireGuard]
PrivateKey = XXXX

[WireGuardPeer]
PublicKey = XXXX
AllowedIPs = 0.0.0.0/0
Endpoint = XXXX:51820
PersistentKeepalive = 25

/etc/systemd/network/30-wg0.network:

[Match]
Name=wg0

[Network]
Address = 10.0.3.227/19
DNS = X.X.X.X

[RoutingPolicyRule]
From = 10.222.111.0/24
# Or any other unused table number
Table = 242

[Route]
# The address of the interface, same as in Address line
Gateway = 10.0.3.227
# Same table number as above
Table = 242

With that configuration, curl --interface wg0 and

# docker network create vpn --subnet 10.222.111.0/24
# docker run --rm --dns X.X.X.X --network vpn appropriate/curl -s https://ifconfig.me

should work fine (note that I removed the --ip option from docker run, since it is not needed).

I actually wrote a blog post about my solution with detailed explanations; feel free to take a look, it might help: https://www.eisfunke.com/article/docker-wireguard-systemd.html

Hope this helps!
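An added example, not from the original post or the answerer's blog: a small Python linter that parses a .netdev/.network pair as described in the answer, flags the question's original mistakes (AllowedIPs narrower than 0.0.0.0/0, a destination-based [Route] in the main table instead of a source-based [RoutingPolicyRule]), and prints the ip rule / ip route commands the two sections correspond to. The parser and the sample configuration strings are constructed for this example; it assumes a [Route] without Destination= is a default route.

```python
# Added example, not from the original post: lint a systemd-networkd
# WireGuard .netdev/.network pair for source-based policy routing.
from ipaddress import ip_network

def parse_unit(text):
    """systemd INI -> [(section, {key: value})]; sections may repeat."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            out.append((line[1:-1], {}))
        elif "=" in line and out:
            key, _, val = line.partition("=")
            out[-1][1][key.strip()] = val.strip()
    return out

def lint(netdev_text, network_text):
    """Return (problems, ip_commands); empty problems = setup is sound."""
    netdev, network = parse_unit(netdev_text), parse_unit(network_text)
    dev = next(d["Name"] for s, d in netdev if s == "NetDev")
    problems, cmds = [], []
    # Cryptokey routing: a peer must admit every destination, or wg0 drops packets.
    allowed = [ip_network(a.strip(), strict=False) for s, d in netdev
               if s == "WireGuardPeer" for a in d.get("AllowedIPs", "").split(",") if a.strip()]
    if ip_network("0.0.0.0/0") not in allowed:
        problems.append("no peer has AllowedIPs=0.0.0.0/0")
    rules = [d for s, d in network if s == "RoutingPolicyRule" and "From" in d]
    routes = [d for s, d in network if s == "Route"]
    if not rules:
        problems.append("no [RoutingPolicyRule] From=: nothing selects by source")
    for r in rules:  # same as `ip rule add from ... lookup ...`
        table = r.get("Table", "main")
        cmds.append(f"ip rule add from {r['From']} lookup {table}")
        if not any(rt.get("Table", "main") == table for rt in routes):
            problems.append(f"table {table} has no [Route]")
    for rt in routes:  # same as `ip route add ...`
        table = rt.get("Table", "main")
        if "Destination" in rt and table == "main":
            problems.append(f"main-table route to {rt['Destination']} selects by destination, not by source")
        dst = rt.get("Destination", "default")  # assumption: no Destination= -> default route
        suffix = "" if table == "main" else f" table {table}"
        cmds.append(f"ip route add {dst} via {rt['Gateway']} dev {dev}{suffix}")
    return problems, cmds

# Constructed samples (abbreviated): the answer's working files and the question's originals.
NETDEV_OK = "[NetDev]\nName=wg0\nKind=wireguard\n[WireGuardPeer]\nAllowedIPs=0.0.0.0/0\n"
NETWORK_OK = ("[Match]\nName=wg0\n[RoutingPolicyRule]\nFrom=10.222.111.0/24\n"
              "Table=242\n[Route]\nGateway=10.0.3.227\nTable=242\n")
NETDEV_BAD = NETDEV_OK.replace("0.0.0.0/0", "10.222.111.0/24")
NETWORK_BAD = "[Match]\nName=wg0\n[Route]\nGateway=10.0.3.227\nDestination=10.222.111.0/24\n"
```

Running lint(NETDEV_BAD, NETWORK_BAD) reports the three findings the answer describes, while lint(NETDEV_OK, NETWORK_OK) reports none and prints the rule and the table-242 default route.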
