如何使用 Wireguard 将所有流量路由到 NAT 后面的对等点

I have been trying to create a VPN tunnel with the following topology:

Device A (Windows computer, behind NAT)
Device B (Debian 11 VPS with a public IP address)
Device C (MikroTik router that supports Wireguard, behind NAT)

I want to tunnel all traffic from Device A through Device C, using Device B as a "bounce server". Here is a visualization of the topology: [topology diagram]

So far I have been able to configure the VPN so that all my devices can ping each other, but I cannot route traffic. Can someone explain how to set up Device B (the VPS, the "bounce server") so that it routes all traffic from Device A (Windows PC) to Device C (MikroTik router)?

I want to connect to the VPN on Device A (Windows PC), route all traffic through Device C (MikroTik), and appear on the external Internet with Device C's (MikroTik's) IP address - a full tunnel.

The config files are below (PUBLIC-IP is the public IP of Device B, the bounce server):

Device A (Windows PC):

[Interface]
Address = 10.10.5.3/32
DNS = 1.1.1.1
PrivateKey = gO.....

[Peer]
# Name = bounce server
PublicKey = mLdpo....
AllowedIPs = 0.0.0.0/0
Endpoint = PUBLIC-IP:54321
PersistentKeepalive = 25

Device B (cloud VPS, "bounce server"):

[Interface]
# Name = bounce server
Address = 10.10.5.1
ListenPort = 54321
PrivateKey = GD...
Table = off

[Peer]
# Name = Device C, MikroTik router
AllowedIPs = 0.0.0.0/0
PublicKey = J7...
# PersistentKeepalive = 300

[Peer]
# Name = Device A - Windows PC
AllowedIPs = 10.10.5.3/24
PublicKey = W7..
# PersistentKeepalive = 300

Device C (MikroTik router), configuration exported from the MikroTik:

/interface wireguard
add listen-port=54321 name=wireguard1
/interface wireguard peers
add allowed-address=10.10.5.0/24 endpoint-address=PUBLIC-IP endpoint-port=54321 interface=wireguard1 \
    persistent-keepalive=25s public-key="mLd..."

Rewritten in the classic config format:

[Interface]
# Name = MikroTik
Address = 10.10.5.2
ListenPort = 54321
PrivateKey = ...

[Peer]
# Name = Device B, VPS "bounce server"
AllowedIPs = 10.10.5.0/24
PublicKey = mLd...
Endpoint = PUBLIC-IP:54321
PersistentKeepalive = 25

Thanks for the help!
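An added example, not part of the question or of any answer, that applies WireGuard's cryptokey routing rule to a peer table like the bounce server's: each AllowedIPs entry is installed as a network (host bits are discarded), and an outgoing packet is handed to the peer with the longest matching prefix. The embedded config is a constructed reduction of the Device B config above with keys omitted; the parser and function names are my own.

```python
import ipaddress

# Constructed sample: the bounce server's peer table, reduced to the
# fields that matter for cryptokey routing (Name comments and AllowedIPs).
BOUNCE_SERVER_CONF = """
[Interface]
Address = 10.10.5.1

[Peer]
# Name = Device C, MikroTik router
AllowedIPs = 0.0.0.0/0

[Peer]
# Name = Device A - Windows PC
AllowedIPs = 10.10.5.3/24
"""

def _allowed_ips(line):
    """Split one 'AllowedIPs = a, b' line into its CIDR strings."""
    return [c.strip() for c in line.split("=", 1)[1].split(",") if c.strip()]

def parse_peers(conf):
    """Return [(peer_name, [ip_network, ...])] from a wg-quick style config."""
    peers, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line == "[Peer]":
            current = {"name": f"peer{len(peers) + 1}", "nets": []}
            peers.append(current)
        elif current is None:
            continue                      # still in [Interface]
        elif line.startswith("# Name"):
            current["name"] = line.split("=", 1)[1].strip()
        elif line.startswith("AllowedIPs"):
            # strict=False mirrors WireGuard: host bits are silently dropped.
            current["nets"] += [ipaddress.ip_network(c, strict=False)
                                for c in _allowed_ips(line)]
    return [(p["name"], p["nets"]) for p in peers]

def truncated_allowed_ips(conf):
    """List (as_written, as_installed) for entries whose host bits are lost."""
    out = []
    for raw in conf.splitlines():
        if raw.strip().startswith("AllowedIPs"):
            for cidr in _allowed_ips(raw):
                net = str(ipaddress.ip_network(cidr, strict=False))
                if net != cidr:
                    out.append((cidr, net))
    return out

def peer_for(conf, dst):
    """Longest-prefix match over every peer's AllowedIPs; None if no peer matches."""
    addr, best = ipaddress.ip_address(dst), (-1, None)
    for name, nets in parse_peers(conf):
        for net in nets:
            if addr in net and net.prefixlen > best[0]:
                best = (net.prefixlen, name)
    return best[1]
```

On this table 10.10.5.3/24 is installed as 10.10.5.0/24, so a packet for 10.10.5.2 is sent to the Windows peer rather than to the MikroTik peer; a per-host /32 keeps each tunnel address bound to exactly one peer.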

Answer 1

If you need Internet access, for example through some VPN service:

/interface wireguard add listen-port=51820 name=wireguard-inet private-key="xxx" comment="Internet through WireGuard commercial VPN provider"
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25m \
    preshared-key="xxx" public-key="xxx" comment="Internet through WireGuard commercial VPN provider"
/interface list member add interface=wireguard-inet list=WAN comment="Internet through WireGuard commercial VPN provider"
###
/ip address add address=xxx.xxx.xxx.xxx/32 interface=wireguard-inet comment="Internet through WireGuard commercial VPN provider"
/routing table add name=wireguard-wan fib comment="Internet through WireGuard commercial VPN provider"
/ip route add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# Replace xxx.xxx.xxx.xxx/24 with your local network
/routing rule add action=lookup src-address=192.168.xxx.0/24 table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# Add DNS from VPN service
/ip/dhcp-server/network/set dns-server=10.xxx.0.1 0
# Your devices (PC, phone) need to reconnect to receive the new DNS server from the router