Accessing the internet through multi-hop WireGuard

I am trying to achieve the following: I want my personal computer A to connect to the internet through a Raspberry Pi C over a WireGuard VPN.

Most guides on this topic assume that the internet gateway is a direct peer, but that is not the case here, because both A and C are behind NAT and connect to a VPS B to establish the WireGuard connection. So my target "architecture" looks like this:

A -> B -> C -> Internet

Also, I only want A to access the internet through C, not B. I call this WireGuard network "bvpn".

I have been following this answer https://serverfault.com/a/1081164 and I do have a working connection like the one I described. However, it is very slow, and when I run mtr or ping from A to 8.8.8.8 the packet loss is very high (over 70%). In addition, while I am running the pings I get a high CPU load (100%) from a kworker/event thread.

To find the root of the problem, I set up another WireGuard network called "wg1" between A, B and C, but without setting up internet access for A via C. In this network, connecting to B or C from A does not show any problems.

Also, there are no internet access or ping problems when making requests/pings directly on C.

Do you know why I get these packet loss/connection problems in the bvpn network? I have posted the exact WireGuard configurations below:

bvpn network

WireGuard configuration on B

# This is host B
[Interface]
Address = 10.0.2.1/24,fd7e:07f3:d15b:ed77::1/64
SaveConfig = false
ListenPort = 51822
PrivateKey = <secret>
Table = bvpn
 
PreUp = echo 123 bvpn >> /etc/iproute2/rt_tables
PreUp = ip rule add iif %i table bvpn
 
PreUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
PreUp = ip6tables -A FORWARD -i %i -o %i -j ACCEPT
 
PostDown = ip6tables -D FORWARD -i %i -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT
 
PostDown = ip rule | grep "from all iif %i" | cut -d: -f1 | xargs -L1 ip rule del prio
PostDown = sed -i '/bvpn/d' /etc/iproute2/rt_tables
 
# Host A
[Peer]
PublicKey = eNa8aK6Y4laktZ0JeaWEs50oUmPXfW+hHorZiIlQ5yA=
AllowedIPs = 10.0.2.2/32,fd7e:07f3:d15b:ed77::2/128
 
# Host C
[Peer]
PublicKey = nisqd5xrYSmKl07XeocGY/UlM2dzOTYBPP29hBkrW10=
AllowedIPs = 0.0.0.0/0,::0/0

https://pastebin.com/mgCcwzs4

WireGuard configuration on C

# This is bvpn config on host C
[Interface]
Address = 10.0.2.3/24,fd7e:07f3:d15b:ed77::3/64
SaveConfig = false
PrivateKey = <secret>
 
PreUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
PreUp = ip6tables -A FORWARD -i %i -o %i -j ACCEPT

PreUp = iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE
PreUp = ip6tables -t nat -A POSTROUTING -s fd7e:07f3:d15b:ed77::0/64 -o eth0 -j MASQUERADE

PostDown = ip6tables -t nat -D POSTROUTING -s fd7e:07f3:d15b:ed77::0/64 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE

PostDown = ip6tables -D FORWARD -i %i -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT
 
# Host B
[Peer]
PublicKey = /dANIceGpP1nMOTDToVgmX5yLTxLJt6/djxfUFPY9F8=
AllowedIPs = 10.0.2.0/24,fd7e:07f3:d15b:ed77::/64
Endpoint = <secret>:51822
PersistentKeepalive = 25

https://pastebin.com/jcQLqNqr

NetworkManager configuration on A

[connection]
id=BVPN
uuid=64bda4ef-ea45-49a7-b5c0-caa1f8147c7b
type=wireguard
autoconnect=false
interface-name=bvpn
permissions=
timestamp=1646086134

[wireguard]
mtu=1300
private-key=<secret>

[wireguard-peer./dANIceGpP1nMOTDToVgmX5yLTxLJt6/djxfUFPY9F8=]
endpoint=<secret>:51822
persistent-keepalive=25
allowed-ips=0.0.0.0/0;::/0;

[ipv4]
address1=10.0.2.2/32,10.0.2.1
dns=1.1.1.1;
dns-search=
method=manual

[ipv6]
addr-gen-mode=stable-privacy
address1=fd7e:7f3:d15b:ed77::2/128,fd7e:7f3:d15b:ed77::1
dns=2606:4700:4700::64;
dns-search=
method=manual

[proxy]

https://pastebin.com/c97h0wpe

wg1 network

WireGuard configuration on B

# This is host B, wg1 network
[Interface]
Address = 10.0.1.1/24
SaveConfig = false
ListenPort = 51821
PrivateKey = <secret>

PostUp = iptables -A FORWARD -i %i -o %i -j ACCEPT

PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT

# Host A
[Peer]
PublicKey = eNa8aK6Y4laktZ0JeaWEs50oUmPXfW+hHorZiIlQ5yA=
AllowedIPs = 10.0.1.2/32

# Host C (same public key as host C in the bvpn config)
[Peer]
PublicKey = nisqd5xrYSmKl07XeocGY/UlM2dzOTYBPP29hBkrW10=
AllowedIPs = 10.0.1.3/32

https://pastebin.com/M9Db7Yhh

WireGuard configuration on C

# wg1 config on host C
[Interface]
Address = 10.0.1.3/24
SaveConfig = false
PrivateKey = <secret>

# Host B
[Peer]
PublicKey = /dANIceGpP1nMOTDToVgmX5yLTxLJt6/djxfUFPY9F8=
AllowedIPs = 10.0.1.0/24
Endpoint = <secret>:51821
PersistentKeepalive = 25

https://pastebin.com/tCSi6e5S

NetworkManager configuration on A

[connection]
id=WG1
uuid=bcdeb01f-6592-4bf7-98ea-19ea41030ea6
type=wireguard
interface-name=wg1
permissions=
timestamp=1644622378
 
[wireguard]
mtu=1300
private-key=<secret>
 
# Host B
[wireguard-peer./dANIceGpP1nMOTDToVgmX5yLTxLJt6/djxfUFPY9F8=]
endpoint=<secret>:51821
persistent-keepalive=25
allowed-ips=10.0.1.0/24;
 
[ipv4]
address1=10.0.1.2/32,10.0.1.1
dns-search=
method=manual
 
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=ignore
 
[proxy]

https://pastebin.com/vhvbBp1V
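A static check for the middle hop of such an A -> B -> C chain, added here as an example and not part of the question or its configs: a peer with AllowedIPs = 0.0.0.0/0 or ::/0 makes wg-quick install a default route, and unless that route is confined to a custom Table that an "ip rule add iif %i" selects only for forwarded traffic (as host B's bvpn config does), the host's own traffic is tunnelled too, which is exactly what the question wants to avoid for B. The sample config files are constructed from host B's bvpn config; file names and the helper are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the question's own code): lint the middle-hop WireGuard
# config of an A -> B -> C chain for default-route handling.
set -u

# check_middle_hop FILE: print a finding; return 0 when the config is consistent.
check_middle_hop() {
  awk '
    /^\[Interface\]/ { section = "iface"; next }
    /^\[Peer\]/      { section = "peer";  next }
    # Remember a custom routing table set in [Interface] (Table = bvpn)
    section == "iface" && /^[[:space:]]*Table[[:space:]]*=/ {
      split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); table = kv[2]
    }
    # Remember whether some rule sends traffic arriving on %i to that table
    section == "iface" && /^[[:space:]]*PreUp.*ip rule add iif/ { has_rule = 1 }
    # Count peers whose AllowedIPs carry a default route (v4 or v6)
    section == "peer" && /^[[:space:]]*AllowedIPs[[:space:]]*=/ &&
      /0\.0\.0\.0\/0|::0?\/0/ { default_peers++ }
    END {
      if (default_peers == 0) { print "OK: no peer carries a default route"; exit 0 }
      if (table == "" || table == "auto") {
        print "WARN: default-route peer but no custom Table: host traffic is tunnelled too"
        exit 1
      }
      if (table != "off" && !has_rule) {
        print "WARN: Table " table " is never selected by an ip rule: forwarded traffic has no route"
        exit 1
      }
      print "OK: default route confined to table " table
      exit 0
    }' "$1"
}

# Constructed samples: good.conf mirrors host B from the question; the other two
# drop the Table line and/or the ip rule to show what the check catches.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
[Interface]
Address = 10.0.2.1/24
Table = bvpn
PreUp = ip rule add iif %i table bvpn
[Peer]
AllowedIPs = 10.0.2.2/32
[Peer]
AllowedIPs = 0.0.0.0/0,::0/0
EOF
grep -v -e '^Table' -e '^PreUp' "$tmp/good.conf" > "$tmp/bad.conf"
grep -v -e '^PreUp' "$tmp/good.conf" > "$tmp/norule.conf"
for f in good bad norule; do check_middle_hop "$tmp/$f.conf" || :; done
```

Run it against the real /etc/wireguard/bvpn.conf on B with `check_middle_hop /etc/wireguard/bvpn.conf`; a non-zero exit means B itself would be routed through C or forwarding from A would have no route.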
