概括
我想使用 Wireguard 允许我的家庭网络上的每个虚拟机都拥有一个来自 /27 池(32 个 IP)的唯一公共 IP,我已将该 IP 路由到托管服务提供商的专用服务器。
我的目标是避免使用 SNAT/DNAT,而是尽可能使用静态路由,以便每个 VM 面向 WAN 的接口都可以声明一个公共 IP。
什么有效
- 我的笔记本电脑 ==> Proxmox 服务器和虚拟机在几个不同的 VLAN 上使用私有 IP(因此,VLAN 间路由运行良好)
- Proxmox 服务器 ==> 通过本地网关的 NAT 访问互联网
- 云托管专用服务器 ==> 互联网
什么不起作用
我面临的问题是我无法通过 Wireguard 隧道(仅从隧道的一端到另一端)发送/接收 ping 或 ssh(或我尝试过的任何流量),这表明我的某些配置有错误。
高级配置
数据中心托管
服务器
- Ubuntu 20.04 LTS x86_64
- 使用 systemd-networkd 245 完成网络配置
- 防火墙是 ufw(目前正在测试)
- 服务器分配有多个公共 IP 子网 - 包括一个专用于管理的 /32 子网,该子网不会暴露给虚拟机
- 一公共子网,以下表示为“44.44.44.0/27”,是我想要向家庭网络上的虚拟机公开的内容。
- Wireguard IP 为 10.10.10.1
家庭网络
网关
- RHEL8 x86_64
- 使用 systemd-networkd v239 完成网络配置
- 防火墙是 Shorewall(目前正在全面开放测试)
- Wireguard 工具和内核模块已安装
- 具有 4 端口 Intel I350-T4 NIC,其中一个端口连接到 ISP,另一个端口连接到管理型交换机
- 将 systemd-networkd 和 Shorewall 配置为 VLAN 1(“未标记”)、VLAN 70(“Proxmox 管理 VLAN”)和 VLAN 80(“VM 私有 VLAN”)上的 NAT
- Wireguard IP 为 10.10.10.2
思科管理交换机 (CMS)
- 思科 RV345 处于交换机模式(不使用 WAN 端口、无 IPv4 路由、无 NAT)
- VLAN 端口映射如下:VLAN 1 => 除要连接的端口外,所有端口均未标记Proxmox (DSP) 的哑开关. VLAN 70 => 除端口外的所有端口均排除网关= 标记,并将端口数字信号处理器= 未标记。VLAN 80 => 除以下端口外,所有端口均被排除网关= 标记,并将端口数字信号处理器= 标记。VLAN 90 => 排除除以下端口之外的所有端口:网关= 标记,并将端口数字信号处理器= 标记。
- 除数字信号处理器和网关在 VLAN 1 上,不需要路由公共 IP;它们只需通过网关的NAT 并使用我的家庭网络的公共 IP。
Proxmox (DSP) 的哑开关
- Netgear GS308v3
- 多个端口被占用Proxmox 主机 (PH)以及一个连接到内容管理系统
- 没有设备上的配置,但它确实保留传递给它的 802.1Q VLAN 标签
Proxmox 主机 (PH)
- 运行 Proxmox VE 6.3 x86_64
- 每个盒子都有一个 GbE NIC 连接到数字信号处理器
- 在私有子网上发送未标记的流量10.0.0.128/25作为Proxmox 管理 VLAN(内容管理系统在将流量发送到时对其进行标记网关)
- 具有
vmbr0将虚拟机连接到网络的(虚拟第 2 层桥接器)。这样做的好处是,我可以在虚拟机上测试我的第 3 层 IP 配置设置,而不会破坏 Proxmox 主机的网络。
Proxmox 虚拟机 (PVM)
- 运行 Ubuntu 20.04 LTS
- 使用 systemd-networkd 245 完成网络配置
- 两个虚拟网卡....
- 一个位于私有子网的 VLAN 80 上10.0.1.0/24那作品对于出站互联网流量(通过我的本地 ISP),当默认网关设置为 10.0.1.1 时(网关的VLAN 80 IP)。还适用于入站 LAN 流量(包括来自其他 VLAN,例如我的笔记本电脑所在的 VLAN 1)以进行 SSH 访问。
- 一个位于 VLAN 90 上,旨在位于公共子网上44.44.44.0/27;当默认网关设置为网关的VLAN 90 IP,或者Wireguard IP 的网关,或者Wireguard IP 的服务器,该盒子没有正常工作的网络。它无法 ping 任何在 VLAN 90 NIC 上设置了默认网关的盒子。不过,在我解决 Wireguard 的问题之前,我并不认为这会起作用。
配置转储
由于 IPv6 不在图片中,因此打印输出中将其删去。我所做的所有路由等均仅使用 IPv4。
代表性IP
我“匿名化”了这些配置中的某些公共 IP,以隐藏我的真实身份。
- 44.44.44.0/27:代表我希望我的虚拟机能够通过 Wireguard 和智能路由声明的公共 /27。
- 55.55.55.0/24:代表公共“管理接口”服务器。 这是不是被路由到我的本地网络,并且只是习惯于通过 SSH 连接到服务器并用于连接 WG 隧道。
- 71.71.71.0/24:代表我家互联网的公网 IP。我有一个通过 DHCP 从 ISP 网关获取的动态 IP。网关的公网IP在这里用71.71.71.200来表示,ISP的基础设施网关用71.71.71.1来表示。
服务器
╭─root@server /etc/systemd/network
╰─# wg show all
interface: wg0
public key: (public key)
private key: (hidden)
listening port: 12345
peer: (peer)
preshared key: (hidden)
endpoint: 71.71.71.200:35795
allowed ips: 10.10.10.0/24, 44.44.44.0/27
latest handshake: 23 seconds ago
transfer: 143.44 KiB received, 115.30 MiB sent
╭─root@server /etc/systemd/network
╰─# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 12:34:(some MAC) brd 12:34:(some MAC)
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
# VFs used for existing VMs on the server
vf 0 link/ether 12:34:(some MAC) brd 12:34:(some MAC) spoof checking off, link-state auto, trust off
vf 1 link/ether 12:34:(some MAC) brd 12:34:(some MAC) spoof checking off, link-state auto, trust off
vf 2 link/ether 12:34:(some MAC) brd 12:34:(some MAC) spoof checking off, link-state auto, trust off
vf 3 link/ether 12:34:(some MAC) brd 12:34:(some MAC) spoof checking on, link-state auto, trust off
vf 4 link/ether 12:34:(some MAC) brd 12:34:(some MAC) spoof checking on, link-state auto, trust off
vf 5 link/ether 12:34:(some MAC) brd 12:34:(some MAC) spoof checking on, link-state auto, trust off
vf 6 link/ether 12:34:(some MAC) brd 12:34:(some MAC) spoof checking on, link-state auto, trust off
3: eno2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
4: enp2s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
5: enp2s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
6: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
12: eno1v3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
13: eno1v4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
14: eno1v5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
15: eno1v6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
29: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
30: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
61: tap15ad56cf: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master lxdbr0 state UP mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
74: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/none
╭─root@server /etc/systemd/network
╰─# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 12:34:(some MAC) brd 12:34:(some MAC)
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
inet 55.55.55.1/24 brd 55.55.55.255 scope global eno1
valid_lft forever preferred_lft forever
3: eno2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
4: enp2s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
5: enp2s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
6: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
inet 10.231.114.1/24 scope global lxdbr0
valid_lft forever preferred_lft forever
12: eno1v3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
13: eno1v4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
14: eno1v5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
15: eno1v6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
29: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
30: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
61: tap15ad56cf: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master lxdbr0 state UP group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
74: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.10.10.1/32 scope global wg0
valid_lft forever preferred_lft forever
╭─root@server /etc/systemd/network
╰─# ip route
default via 55.55.55.254 dev eno1 proto static
10.231.114.0/24 dev lxdbr0 proto kernel scope link src 10.231.114.1
44.44.44.0/27 via 10.10.10.1 dev wg0 proto static
55.55.55.0/24 dev eno1 proto kernel scope link src 55.55.55.1
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
╭─root@server /etc/systemd/network
╰─# for i in $(ls *.net*); do echo '----'"${i}"'----'; cat "${i}"; done
----50-default.network----
[Match]
MACAddress=12:34:(some MAC)
[Network]
Description=network interface on public network, with default route
DHCP=no
Address=55.55.55.1/24
Gateway=55.55.55.254
IPv6AcceptRA=no
NTP=pool.ntp.org
DNS=127.0.0.1
DNS=1.1.1.1
----wg0.netdev----
[NetDev]
Name = wg0
Kind = wireguard
Description = wg server to expose 44.44.44.0/27
[WireGuard]
# For systemd >= 242
PrivateKeyFile = /etc/systemd/network/wg-private.key
ListenPort = 12345
[WireGuardPeer]
PublicKey = (public key)
AllowedIPs = 44.44.44.0/27,10.10.10.0/24
# For systemd >= 242
PresharedKeyFile = /etc/systemd/network/wg-preshared.key
----wg0.network----
[Match]
Name = wg0
[Network]
Address = 10.10.10.1/32
[Route]
Gateway = 10.10.10.1
Destination = 44.44.44.0/27
网关
[root@gateway network]# wg show all
interface: wg0
public key: (public key)
private key: (hidden)
listening port: 35795
peer: (public key)
preshared key: (hidden)
endpoint: 55.55.55.1:12345
allowed ips: 10.10.10.0/24, 44.44.44.0/27
latest handshake: 2 minutes, 1 second ago
transfer: 3.18 MiB received, 2.17 KiB sent
persistent keepalive: every 25 seconds
[root@gateway network]# systemctl --version
systemd 239 (239-41.el8_3.2)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy
[root@gateway network]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 12:34:(some MAC) brd 12:34:(some MAC)
2: wan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
3: eno1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
4: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
5: enp2s0f2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
6: enp2s0f3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/none
8: lan0.70@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
9: lan0.80@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
10: lan0.90@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
[root@gateway network]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 12:34:(some MAC) brd 12:34:(some MAC)
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
inet 71.71.71.200/24 brd 71.71.71.255 scope global dynamic wan0
valid_lft 4925sec preferred_lft 4925sec
3: eno1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
4: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
inet 10.0.0.1/25 brd 10.0.0.127 scope global lan0
valid_lft forever preferred_lft forever
5: enp2s0f2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
6: enp2s0f3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.10.10.2/32 scope global wg0
valid_lft forever preferred_lft forever
8: lan0.70@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
inet 10.0.0.129/25 brd 10.0.0.255 scope global lan0.70
valid_lft forever preferred_lft forever
9: lan0.80@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
inet 10.0.1.1/24 brd 10.0.1.255 scope global lan0.80
valid_lft forever preferred_lft forever
10: lan0.90@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 12:34:(some MAC) brd 12:34:(some MAC)
inet 44.44.44.3/27 brd 44.44.44.254 scope global lan0.90
valid_lft forever preferred_lft forever
[root@gateway network]# ip route show table all
default via 44.44.44.1 dev lan0.90 table 47 proto static onlink
10.0.0.0/25 dev lan0.90 table 47 proto static scope link
10.0.1.0/24 dev lan0.90 table 47 proto static scope link
10.0.2.0/24 dev lan0.90 table 47 proto static scope link
default via 71.71.71.1 dev wan0 proto dhcp src 71.71.71.200 metric 1024
10.0.0.0/25 dev lan0 proto kernel scope link src 10.0.0.1
10.0.0.128/25 dev lan0.70 proto kernel scope link src 10.0.0.129
10.0.1.0/24 dev lan0.80 proto kernel scope link src 10.0.1.1
44.44.44.0/27 via 10.10.10.1 dev wg0 proto static onlink
71.71.71.0/24 dev wan0 proto kernel scope link src 71.71.71.200
71.71.71.1 dev wan0 proto dhcp scope link src 71.71.71.200 metric 1024
broadcast 10.0.0.0 dev lan0 table local proto kernel scope link src 10.0.0.1
local 10.0.0.1 dev lan0 table local proto kernel scope host src 10.0.0.1
broadcast 10.0.0.127 dev lan0 table local proto kernel scope link src 10.0.0.1
broadcast 10.0.0.128 dev lan0.70 table local proto kernel scope link src 10.0.0.129
local 10.0.0.129 dev lan0.70 table local proto kernel scope host src 10.0.0.129
broadcast 10.0.0.255 dev lan0.70 table local proto kernel scope link src 10.0.0.129
broadcast 10.0.1.0 dev lan0.80 table local proto kernel scope link src 10.0.1.1
local 10.0.1.1 dev lan0.80 table local proto kernel scope host src 10.0.1.1
broadcast 10.0.1.255 dev lan0.80 table local proto kernel scope link src 10.0.1.1
local 10.10.10.2 dev wg0 table local proto kernel scope host src 10.10.10.2
broadcast 44.44.44.0 dev lan0.90 table local proto kernel scope link src 44.44.44.3
local 44.44.44.3 dev lan0.90 table local proto kernel scope host src 44.44.44.3
broadcast 44.44.44.254 dev lan0.90 table local proto kernel scope link src 44.44.44.3
broadcast 71.71.71.0 dev wan0 table local proto kernel scope link src 71.71.71.200
local 71.71.71.200 dev wan0 table local proto kernel scope host src 71.71.71.200
broadcast 71.71.71.255 dev wan0 table local proto kernel scope link src 71.71.71.200
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
::1 dev lo proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
[root@gateway network]# for i in $(ls *.net*); do echo '----'"${i}"'----'; cat "${i}"; done
----lan0.70.netdev----
[NetDev]
Name=lan0.70
Kind=vlan
[VLAN]
Id=70
----lan0.70.network----
[Match]
Name=lan0.70
[Network]
DHCP=no
Address=10.0.0.129/25
DHCPServer=yes
IPMasquerade=ipv4
[DHCPServer]
PoolOffset=100
PoolSize=20
EmitDNS=yes
DNS=1.1.1.1
DNS=8.8.8.8
----lan0.80.netdev----
[NetDev]
Name=lan0.80
Kind=vlan
[VLAN]
Id=80
----lan0.80.network----
[Match]
Name=lan0.80
[Network]
DHCP=no
Address=10.0.1.1/24
DHCPServer=yes
IPMasquerade=ipv4
[DHCPServer]
PoolOffset=100
PoolSize=20
EmitDNS=yes
DNS=1.1.1.1
DNS=8.8.8.8
----lan0.90.netdev----
[NetDev]
Name=lan0.90
Kind=vlan
[VLAN]
Id=90
----lan0.90.network----
[Match]
Name=lan0.90
[Network]
DHCP=no
Address=44.44.44.3/27
DHCPServer=no
[RoutingPolicyRule]
Table=47
From=44.44.44.0/27
#Not sure if needed - tried with and without
#[Route]
#Table=47
#Scope=link
#Type=unicast
#Destination=44.44.44.0/27
#Also not sure if needed - tried with and without
[Route]
Table=47
GatewayOnLink=true
Gateway=44.44.44.1
Destination=0.0.0.0/0
Scope=global
[Route]
Table=47
Scope=link
Type=unicast
Destination=10.0.0.0/25
[Route]
Table=47
Scope=link
Type=unicast
Destination=10.0.1.0/24
[Route]
Table=47
Scope=link
Type=unicast
Destination=10.0.2.0/24
----lan0.network----
[Match]
Name=lan0
[Network]
Address=10.0.0.1/25
VLAN=lan0.70
VLAN=lan0.80
VLAN=lan0.90
DHCPServer=yes
IPMasquerade=ipv4
[DHCPServer]
PoolOffset=2
PoolSize=100
EmitDNS=yes
DNS=1.1.1.1
DNS=8.8.8.8
----wan0.network----
[Match]
Name=wan0
[Network]
DHCP=yes
DNS=1.1.1.1 8.8.8.8
----wg0.netdev----
[NetDev]
Name = wg0
Kind = wireguard
Description = wg client for 44.44.44.0/27
[WireGuard]
# For systemd < 242
PrivateKey = (private key)
[WireGuardPeer]
PublicKey = (public key)
AllowedIPs = 44.44.44.1/27,10.10.10.0/24
Endpoint = 55.55.55.1:12345
# If running systemd >= 242
#PresharedKeyFile = /etc/systemd/network/wg-preshared.key
# If running systemd < 242
PresharedKey = (preshared key)
PersistentKeepalive = 25
----wg0.network----
[Match]
Name = wg0
[Network]
Address = 10.10.10.2/32
[Route]
Gateway = 10.10.10.1
Destination = 44.44.44.0/27
GatewayOnlink = true
[root@gateway network]# for i in $(ls *.link); do echo '----'"${i}"'----'; cat "${i}"; done
----10-lan0.link----
[Match]
MACAddress=12:34:(some MAC)
[Link]
Name=lan0
----10-wan0.link----
[Match]
MACAddress=12:34:(some MAC)
[Link]
Name=wan0
# Shorewall config
[root@gateway shorewall]# for i in zones interfaces policy rules snat; do echo '----'"${i}"'----'; cat "${i}"; done
----zones----
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
lan ip
wan ip
lan80 ip
wan90 ip
wg ip
----interfaces----
?FORMAT 2
#ZONE INTERFACE OPTIONS
lan lan0 dhcp
wan wan0
lan lan0.70 dhcp
lan80 lan0.80
wan90 lan0.90
wg wg0
----policy----
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
wan all REJECT info
wg all ACCEPT
all wg ACCEPT
all wan ACCEPT
all lan80 ACCEPT
lan80 all ACCEPT
all wan90 ACCEPT
wan90 all ACCEPT
all all REJECT info
----rules----
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
Ping(ACCEPT) all all
ACCEPT lan $FW tcp ssh
----snat----
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
MASQUERADE lan0 wan0
MASQUERADE lan0.70 wan0
MASQUERADE lan0.80 wan0
肺动脉高压和个人虚拟资产管理省略了配置,因为我甚至无法让 WG 隧道的两端进行通信。
答案1
我面临的问题是我无法通过 Wireguard 隧道(仅从隧道的一端到另一端)发送/接收 ping 或 ssh(或我尝试过的任何流量),这表明我的某些配置有错误。
您正在遵循的教程为 WireGuard 网络指定了一个 /24。它为每个端点的 wg0 接口配置一个 /32 前缀,然后手动为剩余的 /24 定义路由,这相当于将实际地址配置为 /24 前缀(不必要的)。
无论如何,本教程的配置都会导致每个对等点都具有到其他对等点地址的直接路由 - 客户端知道 10.213.213.2(服务器)可以通过 wg0 访问,因为它与 10.213.213.0/24 路由匹配。换句话说,它的工作方式与普通的 /24 子网非常相似。
但是,当您根据自己的配置调整本教程时,您只保留了 /32 地址分配,但是没有保留剩余 WireGuard 范围的 /24 路由。因此,每当您的客户端尝试 ping 10.10.10.1(服务器)时,仅有的它所匹配的路由(在主表中)是“默认通过 71.71.71.1 dev wan0”——没有通向任何有用的地方。
您的服务器和客户端都应该具有:
[网络] 地址 = 10.10.10.2/32 [路线] # 为自己的子网指定网关通常是没有意义的,而且 # 通过“第 3 层隧道”接口路由时指定网关毫无意义 # 例如 tun0 或 wg0。#网关 = 10.10.10.1目的地 = 10.10.10.0/24#GatewayOnlink = true
或者:
[网络] 地址 = 10.10.10.2/24
配置完一切后,ip route get 10.10.10.2服务器上应该选择 wg0 作为下一跳接口,客户端也是如此。
您不应该在那里指定 44.44.44.0/27 网络——它与 WireGuard 子网是分开的。因为您想通过客户端进行路由,所以它只需要在您的服务器上进行自定义路由(除了上述内容之外):
[路线] # 从技术上来说,你可以指定客户端作为网关,但这毫无意义 # 因为 wg0 是“第 3 层”接口,网关字段仅影响 # 第 2 层寻址。相反,WireGuard 使用“AllowedIPs”参数来 # 选择将数据包发送到哪个对等体。 #网关 = 10.10.10.2 目的地 = 44.44.44.0/27
在客户端上,44.44.44.0/27 应该通过您的 VM 桥接接口进行路由,而不是通过 WireGuard。
在服务器上,根据数据中心网关的配置方式,44.44.44.0/27 前缀可能会通过服务器的其他 IP 地址之一进行路由(在这种情况下一切正常),或者可能配置为“on-link”前缀(在这种情况下,您需要在服务器上设置代理 ARP)。
ip route get 10.10.10.2ip route show match 10.10.10.2echo "module wireguard +p" > /sys/kernel/debug/dynamic_debug/control