我正在尝试通过 wg0 systemd 网络接口路由来自特定 Docker 网络 (10.222.111.0/24) 的所有流量,配置:
/etc/systemd/network/30-wg0.netdev
[NetDev]
Name = wg0
Kind = wireguard
Description = Wireguard
[WireGuard]
PrivateKey = XXXX
[WireGuardPeer]
PublicKey = XXXX
AllowedIPs = 10.222.111.0/24
Endpoint = XXXX:51820
PersistentKeepalive = 25
/etc/systemd/network/30-wg0.network
[Match]
Name=wg0
[Network]
Address = 10.0.3.227/19
DNS = X.X.X.X
[Route]
Gateway = 10.0.3.227
Destination = 10.222.111.0/24
现在我可以看到接口已启动,并且路由表中的正确路由
# ip route show
...
10.222.111.0/24 via 10.0.3.227 dev wg0 proto static
...
界面已启动并正在运行
# networkctl status wg0
● 251: wg0
Link File: /lib/systemd/network/99-default.link
Network File: /etc/systemd/network/30-wg0.network
Type: none
State: routable (configured)
Address: 10.0.3.227
DNS: X.X.X.X
然而,尝试测试这一点失败了:
# curl --interface wg0 https://ifconfig.me
# public ip of remote server
# docker network create vpn --subnet 10.222.111.0/24
# docker run --rm --dns X.X.X.X --network vpn --ip 10.222.111.110 appropriate/curl -s https://ifconfig.me
# no output
运行 docker run 命令时 tcpdump 的输出:
# tcpdump -nn -i wg0 host ifconfig.me
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
08:36:16.127461 IP 10.0.3.227.33182 > 216.239.38.21.443: Flags [S], seq 1530371569, win 27600, options [mss 1380,sackOK,TS val 3454949182 ecr 0,nop,wscale 7], length 0
08:36:17.152770 IP 10.0.3.227.33182 > 216.239.38.21.443: Flags [S], seq 1530371569, win 27600, options [mss 1380,sackOK,TS val 3454950207 ecr 0,nop,wscale 7], length 0
08:36:17.152830 IP 10.0.3.227.33182 > 216.239.38.21.443: Flags [S], seq 1530371569, win 27600, options [mss 1380,sackOK,TS val 3454950207 ecr 0,nop,wscale 7], length 0
08:36:17.153083 IP 10.0.3.227.48686 > 216.239.36.21.443: Flags [S], seq 1139719299, win 27600, options [mss 1380,sackOK,TS val 3564689990 ecr 0,nop,wscale 7], length 0
08:36:18.176752 IP 10.0.3.227.48686 > 216.239.36.21.443: Flags [S], seq 1139719299, win 27600, options [mss 1380,sackOK,TS val 3564691014 ecr 0,nop,wscale 7], length 0
08:36:18.176798 IP 10.0.3.227.48686 > 216.239.36.21.443: Flags [S], seq 1139719299, win 27600, options [mss 1380,sackOK,TS val 3564691014 ecr 0,nop,wscale 7], length 0
08:36:18.176891 IP 10.0.3.227.59316 > 216.239.34.21.443: Flags [S], seq 3848190866, win 27600, options [mss 1380,sackOK,TS val 3672200215 ecr 0,nop,wscale 7], length 0
08:36:19.200840 IP 10.0.3.227.59316 > 216.239.34.21.443: Flags [S], seq 3848190866, win 27600, options [mss 1380,sackOK,TS val 3672201239 ecr 0,nop,wscale 7], length 0
08:36:19.200938 IP 10.0.3.227.59316 > 216.239.34.21.443: Flags [S], seq 3848190866, win 27600, options [mss 1380,sackOK,TS val 3672201239 ecr 0,nop,wscale 7], length 0
08:36:19.201089 IP 10.0.3.227.39842 > 216.239.32.21.443: Flags [S], seq 4281397520, win 27600, options [mss 1380,sackOK,TS val 1995655620 ecr 0,nop,wscale 7], length 0
08:36:20.224781 IP 10.0.3.227.39842 > 216.239.32.21.443: Flags [S], seq 4281397520, win 27600, options [mss 1380,sackOK,TS val 1995656643 ecr 0,nop,wscale 7], length 0
08:36:20.224894 IP 10.0.3.227.39842 > 216.239.32.21.443: Flags [S], seq 4281397520, win 27600, options [mss 1380,sackOK,TS val 1995656643 ecr 0,nop,wscale 7], length 0
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel
我确信我错过了一些东西,但我看不到是什么。部分基于https://nbsoftsolutions.com/blog/leaning-on-algo-to-route-docker-traffic-through-wireguard
答案1
我遇到了同样的问题,这就是我让它工作的方法:
您的主要错误是您AllowedIPs
在网络设备中的使用方式。AllowedIPs
指定允许的目标IP,并且因为您可能想要隧道流量到所有 IP,您应该指定0.0.0.0/0
.
Destination
该部分中的线路和[Route]
生成的路线 ( 10.222.111.0/24 via 10.0.3.227 dev wg0 proto static
) 也是错误的绕行方式:此路线交通瞄准 10.222.111.0/24
到 WireGuard 接口而不是源自流量从该子网。
过滤依据来源,以便来自 docker 子网的所有流量都通过 VPN,您可以在网络文件中使用[RoutingPolicyRule]
(相当于ip rule
) 和[Route]
(相当于ip route
) 部分,因此您的网络文件如下所示:
etc/systemd/network/30-wg0.netdev
:
[NetDev]
Name = wg0
Kind = wireguard
Description = Wireguard
[WireGuard]
PrivateKey = XXXX
[WireGuardPeer]
PublicKey = XXXX
AllowedIPs = 0.0.0.0/0
Endpoint = XXXX:51820
PersistentKeepalive = 25
/etc/systemd/network/30-wg0.network
:
[Match]
Name=wg0
[Network]
Address = 10.0.3.227/19
DNS = X.X.X.X
[RoutingPolicyRule]
From = 10.222.111.0/24
# Or any other unused table number
Table = 242
[Route]
# The address of the interface, same as in Address line
Gateway = 10.0.3.227
# Same table number as above
Table = 242
通过该配置,curl --interface wg0
并且
# docker network create vpn --subnet 10.222.111.0/24
# docker run --rm --dns X.X.X.X --network vpn appropriate/curl -s https://ifconfig.me
应该可以正常工作(请注意,我删除了该--ip
选项,docker run
因为它不是必需的)。
我实际上写了一篇关于我的解决方案的博客文章,其中包含详细说明,如果您愿意,可以看一下,它可能会有所帮助:https://www.eisfunke.com/article/docker-wireguard-systemd.html。
希望有帮助!