curl我在 LXC 容器中安装了 WireGuard,虽然客户端可以正常连接(我可以看到端口和信息),但是当我尝试访问localhost[ 127.0.0.1] 或其 IP [ 192.168.1.180]时却无法连接:
# 10.7.0.2:6060 ⟷ 192.168.1.180:6060
# Host IP: 192.168.1.180
# IP: 10.7.0.2
# Resolves okay:
curl -I 10.7.0.2:6060
# Response unreachable:
curl -I 127.0.1:6060
curl -I 192.168.1.180:6060
尽管该路线应允许以下内容,但我收到了来自 的回复10.7.0.2:6060,192.168.1.180但没有收到来自127.0.0.1:6060[无法访问] 的回复:
192.168.1.170→ (192.168.1.180:6060[LXC] →10.7.0.2:6060[网络])192.168.1.170:网络PC(网关:192.168.1.1)192.168.1.180:LXC 容器虚拟机10.7.0.2:WireGuard 客户端电脑
ip route list:default via 192.168.1.1 dev eth0 proto static 10.7.0.0/24 dev wg0 proto kernel scope link src 10.7.0.1 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.180
- IPv4 转发处于活动状态:
#sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1
- WireGuard 配置:
/etc/wireguard/wg0.conf- 服务器: [
wiretest]# ENDPOINT asd.demo.net [Interface] Address = 10.7.0.1/24 PrivateKey = CI0heA/1InAo........ ListenPort = 51820 # BEGIN_PEER nodotest [Peer] PublicKey = y1t+k9cR06F7/y6ANJtEx....... PresharedKey = +Tya8VsxbB3i9hkIRf...... AllowedIPs = 10.7.0.2/32 # END_PEER nodotest - 客户: [
wiredocker][Interface] Address = 10.0.0.2/24 DNS = 8.8.8.8 PrivateKey = +GLTuJnydedy2QMvTj5SGdr...... [Peer] PublicKey = qlNPgT7Fwbjmexq09EVF........ PresharedKey = +Tya8VsxbB3i9hkIR...... AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = asd.demo.net:51820 PersistentKeepalive = 25
- 服务器: [
- IP 表:
iptables -A FORWARD -i eth0 -j ACCEPT iptables -t nat -A PREROUTING -p tcp --dport 6060:6060 -j DNAT --to-destination 10.7.0.2 iptables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADEiptables -L: (服务器)Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT udp -- anywhere anywhere udp dpt:51823 Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- 10.7.0.0/24 anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destinationiptables-save:# Generated by iptables-save v1.8.7 on Sat Jul 17 12:19:27 2021 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -p udp -m udp --dport 51823 -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 10.7.0.0/24 -j ACCEPT COMMIT # Completed on Sat Jul 17 12:19:27 2021 # Generated by iptables-save v1.8.7 on Sat Jul 17 12:19:27 2021 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 6060 -j DNAT --to-destination 10.7.0.2:6060 -A PREROUTING -i eth0 -p tcp -m tcp --dport 1010 -j DNAT --to-destination 10.7.0.2:6060 -A PREROUTING -i eth0 -p tcp -m tcp --dport 1010 -j DNAT --to-destination 10.7.0.2:6060 -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to-source 192.168.1.183 COMMIT # Completed on Sat Jul 17 12:19:27 2021