I would like some guidance from more experienced users on the network setup I am planning, because I want to reduce the chance of mistakes before I "go live".
Setup and devices:
ServerSite: AWSCloud
- Server, net.ipv4.ip_forward=1, AWS Firewall set to allow Wireguard Port 51820:
    eth: 174.0.0.1
    wg0: 10.8.0.1: Wireguard tunnel
ClientSite A:
LAN: 192.168.188.0/24
- 192.168.188.1: RouterGatewayA, no static routes possible
- RaspiA, DHCP server with Pihole and WireguardClient, net.ipv4.ip_forward=1
    eth: 192.168.188.2
    wg0: 10.8.0.2
- 192.168.188.10: WinA, no wireguard client running, Standardgateway 192.168.188.1
ClientSite B:
LAN: 192.168.2.0/24
- 192.168.2.1: RouterGatewayB, no static routes possible
- RaspiB, DHCP server with Pihole and WireguardClient, net.ipv4.ip_forward=1
    eth: 192.168.2.2
    wg0: 10.8.0.3
- 192.168.2.10: WinB, no wireguard client running, Standardgateway 192.168.2.1
RoadWarrior:
LTE via Wireguard Tunnel
Goals:
- RaspiA and RaspiB are permanently connected to AWScloud via Wireguard, for internal network traffic only. All other traffic (i.e. HTTP) is still routed via the local gateway
- All LAN devices behind the Raspis can reach each other, i.e. WinA can reach WinB without having to be a client of the Wireguard network itself
- RoadWarrior can also connect to every LAN member, i.e. RoadWarrior can reach WinA
Wireguard configuration:
AWSCloud: Server
[Interface]
PrivateKey = <key>
Address = 10.8.0.1/32
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# RaspiA (tunnel address + LAN.A traffic)
PublicKey = <key>
AllowedIPs = 10.8.0.2/32, 192.168.188.0/24
[Peer]
# RaspiB (tunnel address + LAN.B traffic)
PublicKey = <key>
AllowedIPs = 10.8.0.3/32, 192.168.2.0/24
[Peer]
# RoadWarrior
PublicKey = <key>
AllowedIPs = 10.8.0.4/32
ClientSite A: RaspiA
[Interface]
PrivateKey = <key>
Address = 10.8.0.2/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <key>
Endpoint = my.ddns.example.com:51820
# 10.8.0.0/24: tunnel traffic, 192.168.2.0/24: LAN.B traffic
AllowedIPs = 10.8.0.0/24, 192.168.2.0/24
PersistentKeepalive = 25
ClientSite B: RaspiB
[Interface]
PrivateKey = <key>
Address = 10.8.0.3/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <key>
Endpoint = my.ddns.example.com:51820
# 10.8.0.0/24: tunnel traffic, 192.168.188.0/24: LAN.A traffic
AllowedIPs = 10.8.0.0/24, 192.168.188.0/24
PersistentKeepalive = 25
Client RoadWarrior
[Interface]
PrivateKey = <key>
Address = 10.8.0.4/24
[Peer]
PublicKey = <key>
Endpoint = my.ddns.example.com:51820
# all traffic through the tunnel
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Since I cannot set static routes on the client A/B LAN routers, I also cannot set the default gateway to Raspi A/B. Therefore a static route is set on WinA to reach LAN B:
rem on WinA and every other client in LAN A
route ADD 192.168.2.0 MASK 255.255.255.0 192.168.188.2
rem on WinB and every other client in LAN B
route ADD 192.168.188.0 MASK 255.255.255.0 192.168.2.2
(use -p so they survive a reboot / are persistent)
Since I am far from a network expert, any help would be greatly appreciated! Maybe you can spot some errors or inefficiencies.
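As an added example (not part of the question or of the OP's setup), the Python script below checks the one WireGuard property this design depends on: cryptokey routing. The hub picks the peer for an outbound packet by longest-prefix match over all peers' AllowedIPs, and a subnet listed under two peers is silently reassigned to whichever peer was added last, so a copy-and-paste slip in a later [Peer] block would quietly divert a whole LAN without any error message. The embedded config is a constructed copy of the hub config above with placeholder keys (keyA, keyB and keyRW are assumed names); parse_peers, overlaps and route_to_peer are the example's own helpers, not part of wireguard-tools.

```python
"""Cryptokey-routing check for a WireGuard hub config (added example).

WireGuard sends an outbound packet to the peer whose AllowedIPs contains the
destination (longest prefix wins), and accepts an inbound packet from a peer
only if its source address is inside that peer's AllowedIPs.  A subnet that
appears under two peers is therefore a misconfiguration the kernel resolves
silently: the peer configured last owns the subnet.
"""
import ipaddress

# Constructed sample: the hub config from the question with placeholder keys.
SERVER_CONF = """\
[Interface]
PrivateKey = <key>
Address = 10.8.0.1/32
ListenPort = 51820

[Peer]
# RaspiA
PublicKey = keyA
AllowedIPs = 10.8.0.2/32, 192.168.188.0/24

[Peer]
# RaspiB
PublicKey = keyB
AllowedIPs = 10.8.0.3/32, 192.168.2.0/24

[Peer]
# RoadWarrior
PublicKey = keyRW
AllowedIPs = 10.8.0.4/32
"""

# Constructed mistake: LAN.B accidentally copied into the RoadWarrior peer.
BAD_CONF = SERVER_CONF.replace(
    "AllowedIPs = 10.8.0.4/32", "AllowedIPs = 10.8.0.4/32, 192.168.2.0/24")


def parse_peers(conf):
    """Return [(public_key, [ip_network, ...]), ...] in file order."""
    peers = []
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # wg(8) also ignores '#' comments
        if not line:
            continue
        if line.lower() == "[peer]":
            current = {"key": None, "nets": []}
            peers.append(current)
            continue
        if line.startswith("["):               # [Interface] or unknown section
            current = None
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "publickey":
            current["key"] = value
        elif key == "allowedips":
            current["nets"].extend(
                ipaddress.ip_network(n.strip(), strict=False)
                for n in value.split(",") if n.strip())
    return [(p["key"], p["nets"]) for p in peers]


def overlaps(peers):
    """Every (net_a, key_a, net_b, key_b) where two different peers' AllowedIPs intersect."""
    found = []
    for i, (key_a, nets_a) in enumerate(peers):
        for key_b, nets_b in peers[i + 1:]:
            for a in nets_a:
                for b in nets_b:
                    if a.overlaps(b):
                        found.append((str(a), key_a, str(b), key_b))
    return found


def route_to_peer(peers, dst):
    """Key of the peer WireGuard hands a packet for dst to, or None if no
    AllowedIPs entry covers it (longest prefix wins; on an exact duplicate
    the later peer wins, which is what makes overlaps dangerous)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for key, nets in peers:
        for net in nets:
            if addr in net and (best is None or net.prefixlen >= best[1]):
                best = (key, net.prefixlen)
    return best[0] if best else None


if __name__ == "__main__":
    for label, conf in (("hub config", SERVER_CONF), ("bad config", BAD_CONF)):
        peers = parse_peers(conf)
        print(f"{label}: overlaps = {overlaps(peers)}")
        for dst in ("192.168.188.10", "192.168.2.10", "10.8.0.4", "8.8.8.8"):
            print(f"  {dst:>15} -> {route_to_peer(peers, dst)}")
```

Run it against the hub config to confirm that 192.168.2.10 resolves to the RaspiB peer and that nothing overlaps; the constructed bad config shows the failure mode, where the same destination resolves to the RoadWarrior peer and WinB becomes unreachable from everywhere. The same inbound rule is why each Raspi's own AllowedIPs must list every source address that will ever arrive through its peer, including the other site's LAN.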
Answer 1
I carried out the test described above and everything works. If anyone spots routing inefficiencies or even security holes, I would be glad to get your feedback!